Incorrect warnings received while scanning dotnet core sdk 8.0 cbl_mariner image about syft HOT 5 CLOSED

Changes to documentation are already done as mentioned in your previous post. I just re-posted my response using the github id that was used for reporting the bug initially. Just for your information anchore/grype#1693 was raised as default scanning options were unable to report a high and critical severity GHSA vulnerability for the docker image in question.

from syft.

Hi @vishwesh-sharma, I've tried scanning that image and I see the warnings but they do not seem to prevent an SBOM from being generated. Are you seeing an actual failure, or just warnings? I am only seeing warnings.

You can also disable the SBOM cataloger with this option on the command line:

--catalogers "-sbom-cataloger"

Hope this helps!

from syft.

In Syft 103.1, the sbom cataloger is disabled by default, running Syft on the image without --select-catalogers produces no warning:

❯ syft mcr.microsoft.com/dotnet/sdk:8.0-cbl-mariner2.0-arm64v8 -o json=/tmp/foo.json
 ✔ Loaded image                                                                                                                                     mcr.microsoft.com/dotnet/sdk:8.0-cbl-mariner2.0-arm64v8
 ✔ Parsed image                                                                                                                     sha256:8249b04474832cac13b88a4125340ced3ec97916e230192bdf5c8a9c417abc0a
 ✔ Cataloged contents                                                                                                                      3a5fc6da133508de4e35e2271b43f9dbdce1eca5eae07c084ffad545e7dd515b
   ├── ✔ Packages                        [3,996 packages]
   ├── ✔ File digests                    [10,874 files]
   └── ✔ File metadata                   [10,874 locations]

https://github.com/anchore/syft?tab=readme-ov-file#package-cataloger-selection has been updated to references --select-catalogers instead of --catalogers.

I'm going to close this as fixed by #2527, but please let us know if we're missing something.

from syft.

Re-posting earlier comment from correct account,
Issue has been addressed in 0.103.1 , suggested option
--catalogers "-sbom-cataloger"
does not work as it is deprecated, documentation needs to be updated to reflect usage of --select-catalogers
syft mcr.microsoft.com/dotnet/sdk:8.0-cbl-mariner2.0-arm64v8 --select-catalogers "-sbom-cataloger"

from syft.

Hi @vishwesh-sharma - I think https://github.com/anchore/syft?tab=readme-ov-file#package-cataloger-selection has been updated. Could you let me know where else the documentation needs to be updated? Thanks!

from syft.