Comments (6)
Yeah, that's right. They will be cataloged in the SBOM but as far as I know there aren't any current sources of vulnerability data for them.
from syft.
Hey @aerabi, take a look at https://github.com/anchore/sbom-action/ -- this is our Action designed for calling Syft and generating SBOMs as part of a CI pipeline. Hope this helps!
Thanks for your comment, @tgerla! This GitHub action that you just mentioned might have vulnerabilities, as can the Docker build action, etc. Can we generate an SBOM for a GitHub workflow to include the dependencies of the actions used in them?
Oh, I'm sorry, I misunderstood your request. We actually do have a cataloger for scanning GitHub actions: #2140 -- I'm not sure if those catalogers are enabled by default so you may need to enable it specifically: https://github.com/anchore/syft/?tab=readme-ov-file#package-cataloger-selection
Awesome, thanks for mentioning the PR.
I believe that's all Syft can support the matter with. As mentioned in the issue (#1896), the Actions recorded using the cataloger won't be matched to any CVEs, as no one has a database for CVEs in GitHub Actions (right?).
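Added example (editor's note, not code from the thread or from Syft): what an "actions usage" cataloger has to record from a workflow, and the one check that is still possible without a vulnerability feed for Actions, namely whether each `uses:` reference is pinned to an immutable commit SHA rather than a movable tag or branch. The workflow text and the 40-hex SHA in it are constructed for the example; the `pkg:github/...` identifier is an assumed purl shape, and the line-oriented regex parse is a deliberate simplification (it does not understand YAML block scalars, so a `uses:` line inside a multi-line `run: |` would be miscounted).

```python
"""Extract GitHub Actions dependencies from a workflow file and flag unpinned refs.

Added example, not Syft's cataloger. Standard library only: the 'uses:' syntax is
simple enough for a line-oriented parse, which keeps the script runnable offline.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample workflow (not taken from the original issue). The SHA below is
# made up for the example and does not correspond to a real sbom-action release.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build image
        uses: docker/build-push-action@v5
        with:
          push: false
      - uses: anchore/sbom-action@df80a981bc6edbc4e220a492d3cbe9f5547a6e75 # v0.17.0
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - name: plain step
        run: echo "uses: not-an-action"  # a 'run:' line, must be ignored
"""

# A 'uses:' key, optionally preceded by a list dash; the value ends at whitespace or '#'.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# Only a full 40-hex commit SHA is immutable; tags and branches can be re-pointed.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass(frozen=True)
class ActionDep:
    name: str   # "actions/checkout", "docker://alpine", or a local path
    ref: str    # tag, branch or commit SHA after '@' (image tag for docker://); "" if none
    kind: str   # "marketplace", "local" or "docker"

    @property
    def pinned(self) -> bool:
        """True only for marketplace actions referenced by a full commit SHA."""
        return self.kind == "marketplace" and bool(SHA_RE.match(self.ref))

    @property
    def purl(self) -> str:
        """Assumed identifier shape for marketplace actions; other kinds get none."""
        return f"pkg:github/{self.name}@{self.ref}" if self.kind == "marketplace" else ""


def parse_uses(workflow_text: str) -> List[ActionDep]:
    """Return every 'uses:' target in the workflow, in file order."""
    deps: List[ActionDep] = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith("docker://"):
            image, _, tag = target[len("docker://"):].partition(":")
            deps.append(ActionDep("docker://" + image, tag, "docker"))
        elif target.startswith("./"):
            deps.append(ActionDep(target, "", "local"))
        else:
            name, _, ref = target.partition("@")
            deps.append(ActionDep(name, ref, "marketplace"))
    return deps


def unpinned(deps: List[ActionDep]) -> List[ActionDep]:
    """Marketplace actions whose ref can silently change under you."""
    return [d for d in deps if d.kind == "marketplace" and not d.pinned]


if __name__ == "__main__":
    found = parse_uses(SAMPLE_WORKFLOW)
    for d in found:
        print(f"{d.kind:11} {d.name}@{d.ref or '-'}  pinned={d.pinned}  {d.purl}")
    print("unpinned:", [d.name for d in unpinned(found)])
```

Because nothing matches these components against a vulnerability database, the pinning report is the actionable output: every `marketplace` entry that is not a full SHA is a dependency whose contents can change without any change in the SBOM.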
I'll go ahead and close this issue because I don't think there is any action to take--but please let me know if you need anything else!