Comments (5)
Hi @Naranthiran, thanks for the report. Can you attach a copy of sbom.050524.json to this issue? It looks like there are a bunch of errors related to symlinks in the scan output. It would be helpful if we could also see the contents of the tar file. Could we have access to the tar file itself? If not, a complete file listing from the tar archive would be a good start. Thanks!
Hi Tim,
I have attached the SBOM. The tar file is a filesystem which was created using the image builder tool.
If you have subscribed, you can generate the tar file from the RedHat console.
I will not be able to upload it, as the file size is huge.
Regards
Naranthiran Duraisamy
Hi @Naranthiran, I checked out the SBOM and I see over 600 entries, about what I would expect. Running Grype against it reports a bunch of possible vulnerabilities. Can you explain in more detail the problem on the Syft side here? I am not familiar with Blackduck's scanning software and you might need to contact them for information about their tool. Thanks!
Hi Tim,
Thanks for your response.
While importing the SBOM into Blackduck, I found only 58 components out of 650.
I wanted to check with you whether the way I create the SBOM with its parameters is correct, or if I am missing something.
From the BlackDuck side, I understand that the package name and referenceLocator files were not matching.
Regards
Naranthiran Duraisamy
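A diagnostic for the name/referenceLocator mismatch described in the comment above, added here as an example and not code from the Syft project or from anyone in this thread: it walks the packages of an SPDX JSON SBOM, parses the purl in each PACKAGE-MANAGER externalRef, and lists the packages whose name or version does not agree with their purl, or that carry no purl at all. The embedded SAMPLE_SPDX document and the sbom.json path are constructed assumptions.

```python
import json
import sys
from typing import Optional, Tuple
from urllib.parse import unquote

# Constructed minimal SPDX 2.x document: a purl that agrees with the package name, one that does not, and no purl.
SAMPLE_SPDX = {
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "openssl-libs", "versionInfo": "3.0.7-24.el9",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:rpm/redhat/openssl-libs@3.0.7-24.el9?arch=x86_64"}]},
        {"name": "Some Binary", "versionInfo": "1.2.3",
         "externalRefs": [{"referenceCategory": "PACKAGE_MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:generic/some-binary@1.2.3"}]},
        {"name": "no-purl-pkg", "versionInfo": "0.1", "externalRefs": []},
    ],
}

def purl_name_version(purl: str) -> Tuple[str, Optional[str]]:
    """Split pkg:type/namespace/name@version?qualifiers#subpath into (name, version)."""
    body = purl.split("#", 1)[0].split("?", 1)[0]       # drop subpath and qualifiers
    body = body[4:] if body.startswith("pkg:") else body
    path, _, version = body.strip("/").partition("@")   # a literal '@' in a name is percent-encoded
    return unquote(path.rsplit("/", 1)[-1]), (unquote(version) or None)

def find_mismatches(doc: dict) -> list:
    """One finding per package whose name/version disagrees with its purl, or that has no purl."""
    findings = []
    for pkg in doc.get("packages", []):
        name, version = pkg.get("name", ""), pkg.get("versionInfo")
        purls = [r["referenceLocator"] for r in pkg.get("externalRefs", [])
                 if r.get("referenceType") == "purl"
                 and r.get("referenceCategory", "").replace("_", "-") == "PACKAGE-MANAGER"]
        if not purls:
            findings.append({"package": name, "version": version, "purl": None, "reason": "no purl"})
        for purl in purls:
            pname, pversion = purl_name_version(purl)
            if pname != name:
                findings.append({"package": name, "version": version, "purl": purl, "purl_name": pname,
                                 "reason": f"purl name {pname!r} != package name {name!r}"})
            elif version and pversion and pversion != version:
                findings.append({"package": name, "version": version, "purl": purl, "purl_name": pname,
                                 "reason": f"purl version {pversion!r} != versionInfo {version!r}"})
    return findings

if __name__ == "__main__":  # assumed usage: python check_sbom.py sbom.json
    for f in find_mismatches(json.load(open(sys.argv[1]))):
        print(f"{f['package']} {f['version']}: {f['reason']}")
```

Packages that surface here are the first place to look when a downstream consumer matches on the purl rather than on the SPDX package name.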
Hi Naranthiran, as far as I can tell, your method of calling Syft is fine, and I don't see anything out of the ordinary in the generated SBOM. It does look like Blackduck is expecting something different. It might be some sort of incompatibility between the tools but we would be happy to look. Would you be able to contact Blackduck and open a support ticket there? We would be happy to explore the problem. Thanks,
Tim