Re-enable scanning for SBOM records in Docker image #111
Labels: kind/bug (Something isn't working)
Comments
Hm, we should also have had tests for this case.
Tried to create a PR but hit a ton of issues (as I'm not a GoLang expert) with Syft and the case of "microsoft" vs "Microsoft" in Syft dependencies. Since this project pulls in both github.com/Microsoft and github.com/microsoft, it picks the capitalized version and fails on Syft dependencies.
Similar issue to anchore/syft#2026
cdupuis added a commit that referenced this issue on Dec 9, 2024
Closed
This is now fixed in master via #115.
crazy-max pushed a commit to crazy-max/buildkit-syft-scanner that referenced this issue on Dec 10, 2024
fixes docker#111
Signed-off-by: CrazyMax <[email protected]>
In a slightly dated Docker Blog post, it was highlighted that you could add SBOM details for any binaries added manually to a Docker image:
https://www.docker.com/blog/generate-sboms-with-buildkit/
This was broken some time back, apparently, and the blog also references a snippet that does not work (it needs to be a full SBOM package record).
Syft maintainers suggested a minor fix to re-enable this feature:
buildkit-syft-scanner/internal/target.go, line 49 in f22f986

```go
syft.CreateSBOM(context.Background(), nil, syft.DefaultCreateSBOMConfig().
	WithCatalogerSelection(pkgcataloging.NewSelectionRequest().
		WithDefaults(pkgcataloging.ImageTag).
)
```
Full discussion with Syft is here:
anchore/syft#3490 (comment)
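
The comments note that this case had no test. As an added example (not code from buildkit-syft-scanner or Syft), a regression check of that kind can compare the SBOM file shipped inside the image against the scanner's result. It assumes both are SPDX JSON and matches on `name` plus `versionInfo`; `MissingFromScan` and the sample documents are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// spdxDoc holds only the SPDX JSON fields this check needs.
type spdxDoc struct {
	Packages []struct {
		Name    string `json:"name"`
		Version string `json:"versionInfo"`
	} `json:"packages"`
}

// MissingFromScan lists "name@version" records from the embedded SBOM that the scan result lacks.
func MissingFromScan(embedded, scan []byte) ([]string, error) {
	var emb, out spdxDoc
	if err := json.Unmarshal(embedded, &emb); err != nil {
		return nil, fmt.Errorf("embedded SBOM: %w", err)
	}
	if err := json.Unmarshal(scan, &out); err != nil {
		return nil, fmt.Errorf("scan result: %w", err)
	}
	if len(emb.Packages) == 0 {
		// A bare fragment without package records declares nothing to pick up.
		return nil, fmt.Errorf("embedded SBOM has no package records")
	}
	seen := make(map[string]bool, len(out.Packages))
	for _, p := range out.Packages {
		seen[p.Name+"@"+p.Version] = true
	}
	var missing []string
	for _, p := range emb.Packages {
		if key := p.Name + "@" + p.Version; !seen[key] {
			missing = append(missing, key)
		}
	}
	return missing, nil
}

// Constructed sample data (assumption, not taken from the issue).
const embeddedSBOM = `{"spdxVersion":"SPDX-2.3","packages":[{"name":"mytool","versionInfo":"1.2.3"}]}`
const scanWithout = `{"spdxVersion":"SPDX-2.3","packages":[{"name":"busybox","versionInfo":"1.36.1"}]}`
const scanWith = `{"spdxVersion":"SPDX-2.3","packages":[{"name":"busybox","versionInfo":"1.36.1"},{"name":"mytool","versionInfo":"1.2.3"}]}`

func main() {
	fmt.Println(MissingFromScan([]byte(embeddedSBOM), []byte(scanWithout)))
	fmt.Println(MissingFromScan([]byte(embeddedSBOM), []byte(scanWith)))
}
```

A non-empty result means a manually added binary would be absent from the generated SBOM, so a CI job can fail the build on it.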