Comments (5)
Changes to documentation are already done as mentioned in your previous post. I just re-posted my response using the github id that was used for reporting the bug initially. Just for your information anchore/grype#1693 was raised as default scanning options were unable to report a high and critical severity GHSA vulnerability for the docker image in question.
from syft.
Hi @vishwesh-sharma, I've tried scanning that image and I see the warnings but they do not seem to prevent an SBOM from being generated. Are you seeing an actual failure, or just warnings? I am only seeing warnings.
You can also disable the SBOM cataloger with this option on the command line:
--catalogers "-sbom-cataloger"
Hope this helps!
from syft.
In Syft 103.1, the sbom cataloger is disabled by default; running Syft on the image without --select-catalogers produces no warning:
❯ syft mcr.microsoft.com/dotnet/sdk:8.0-cbl-mariner2.0-arm64v8 -o json=/tmp/foo.json
✔ Loaded image mcr.microsoft.com/dotnet/sdk:8.0-cbl-mariner2.0-arm64v8
✔ Parsed image sha256:8249b04474832cac13b88a4125340ced3ec97916e230192bdf5c8a9c417abc0a
✔ Cataloged contents 3a5fc6da133508de4e35e2271b43f9dbdce1eca5eae07c084ffad545e7dd515b
├── ✔ Packages [3,996 packages]
├── ✔ File digests [10,874 files]
└── ✔ File metadata [10,874 locations]
https://github.com/anchore/syft?tab=readme-ov-file#package-cataloger-selection has been updated to reference --select-catalogers instead of --catalogers.
I'm going to close this as fixed by #2527, but please let us know if we're missing something.
from syft.
Re-posting earlier comment from correct account,
Issue has been addressed in 0.103.1; suggested option --catalogers "-sbom-cataloger" does not work as it is deprecated, documentation needs to be updated to reflect usage of --select-catalogers
syft mcr.microsoft.com/dotnet/sdk:8.0-cbl-mariner2.0-arm64v8 --select-catalogers "-sbom-cataloger"
from syft.
Hi @vishwesh-sharma - I think https://github.com/anchore/syft?tab=readme-ov-file#package-cataloger-selection has been updated. Could you let me know where else the documentation needs to be updated? Thanks!
from syft.