Comments (6)
note: package de-dup is done, so this should be unblocked 🥳
from syft.
In order to continue with these, package de-duplication needs to be concluded first (or concurrently) (see #32)
from syft.
There is an extra vote for some of these via #1035
from syft.
Some other related asks:
I believe if we included each layer that a component is present in the locations, in order, that matches the order the container was built, we could be able to answer both of the questions posed:
- Remove all packages with layer X (e.g. the base layer; this could be removed and re-added, though)
- Determine all packages which are on the final layer
There would have to be a change somewhere or possibly a new scope to do this (which seems like all-layers might work like this by default -- some aspect of this may actually be done already) such that we don't include layers where we see files introduced but rather we include all layers where files are present.
from syft.
I think there is one unsolved problem with this that needs to be addressed early in the design: how will we deal with multiple packages stored in a single file? It could look like large sets of packages were introduced together in a single layer, when in fact they were introduced across layers. (e.g. RPMs and the RPM DB)
from syft.
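A worked model of the idea in the two comments above (record every layer in which a component's evidence file is present, in build order, and use that to answer "remove packages from layer X" and "what is on the final layer"), together with the shared-file problem raised for the RPM DB. This is an added Go example, not code from this thread or from syft itself; the `Location`/`Package` types, the three-layer sample catalog and the `ByLastWriter` view are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Location is one piece of evidence for a package: the file it was parsed from
// and the index of the image layer whose diff contained that copy of the file
// (0 = base layer, increasing in build order). Constructed model, not syft's types.
type Location struct {
	Path  string
	Layer int
}

// Package is a de-duplicated catalog entry; Locations carries every layer the
// package was observed in, so a single entry can span several layers.
type Package struct {
	Name      string
	Version   string
	Locations []Location
}

// Layers returns the distinct layer indexes the package is present in, ascending.
func (p Package) Layers() []int {
	seen := map[int]bool{}
	var out []int
	for _, l := range p.Locations {
		if !seen[l.Layer] {
			seen[l.Layer] = true
			out = append(out, l.Layer)
		}
	}
	sort.Ints(out)
	return out
}

// IntroducedIn is the lowest layer the package is present in.
func (p Package) IntroducedIn() int { return p.Layers()[0] }

// inLayer reports whether the package has any evidence in the given layer.
func inLayer(p Package, layer int) bool {
	for _, l := range p.Layers() {
		if l == layer {
			return true
		}
	}
	return false
}

// PresentIn answers "which packages are on layer X" (use the top index for the final layer).
func PresentIn(pkgs []Package, layer int) []string {
	var names []string
	for _, p := range pkgs {
		if inLayer(p, layer) {
			names = append(names, p.Name)
		}
	}
	return names
}

// WithoutLayer answers "remove all packages with layer X": keep only packages
// that have no evidence in that layer at all.
func WithoutLayer(pkgs []Package, layer int) []string {
	var names []string
	for _, p := range pkgs {
		if !inLayer(p, layer) {
			names = append(names, p.Name)
		}
	}
	return names
}

// SharedEvidence lists evidence files that back more than one package (an RPM
// DB is the typical case). For these, layer attribution is per file, not per
// package, which is the ambiguity raised in the thread.
func SharedEvidence(pkgs []Package) map[string][]string {
	byPath := map[string][]string{}
	for _, p := range pkgs {
		seen := map[string]bool{}
		for _, l := range p.Locations {
			if !seen[l.Path] {
				seen[l.Path] = true
				byPath[l.Path] = append(byPath[l.Path], p.Name)
			}
		}
	}
	for path, names := range byPath {
		if len(names) < 2 {
			delete(byPath, path)
		}
	}
	return byPath
}

// ByLastWriter models the "layer where the file was introduced or changed" view:
// each package is attributed only to the layer that last wrote its evidence file
// (lastWriter maps path -> layer), the way a squashed overlay would report it.
// Compared with IntroducedIn, every package parsed from a rewritten RPM DB
// collapses onto the layer of the rewrite.
func ByLastWriter(pkgs []Package, lastWriter map[string]int) map[string]int {
	out := map[string]int{}
	for _, p := range pkgs {
		layer := -1
		for _, l := range p.Locations {
			if w, ok := lastWriter[l.Path]; ok && w > layer {
				layer = w
			}
		}
		out[p.Name] = layer
	}
	return out
}

// SampleCatalog is constructed data: the base layer ships glibc and bash via the
// RPM DB, layer 1 installs curl (rewriting the whole RPM DB file), layer 2 adds a jar.
func SampleCatalog() []Package {
	rpmdb := "/var/lib/rpm/rpmdb.sqlite"
	return []Package{
		{Name: "glibc", Version: "2.34", Locations: []Location{{rpmdb, 0}, {rpmdb, 1}}},
		{Name: "bash", Version: "5.1", Locations: []Location{{rpmdb, 0}, {rpmdb, 1}}},
		{Name: "curl", Version: "7.76", Locations: []Location{{rpmdb, 1}}},
		{Name: "app", Version: "1.0", Locations: []Location{{"/app/app.jar", 2}}},
	}
}

// SampleLastWriter is the overlay view of SampleCatalog: which layer last wrote each file.
func SampleLastWriter() map[string]int {
	return map[string]int{"/var/lib/rpm/rpmdb.sqlite": 1, "/app/app.jar": 2}
}

func main() {
	pkgs := SampleCatalog()
	fmt.Println("present in base layer: ", PresentIn(pkgs, 0))
	fmt.Println("present in final layer:", PresentIn(pkgs, 2))
	fmt.Println("without base layer:    ", WithoutLayer(pkgs, 0))
	fmt.Println("shared evidence files: ", SharedEvidence(pkgs))
	fmt.Println("attributed by last writer:", ByLastWriter(pkgs, SampleLastWriter()))
	for _, p := range pkgs {
		fmt.Printf("%s present in layers %v, first seen in layer %d\n", p.Name, p.Layers(), p.IntroducedIn())
	}
}
```

With presence tracked per layer, glibc and bash are first seen in layer 0 and curl in layer 1; under the last-writer view all three collapse onto layer 1 because the RPM DB file was rewritten there, which is exactly the distortion the RPM DB comment warns about.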
can be a very useful feature!
from syft.