Plugin for Docker CLI to support SBOM creation using Syft
License: Apache License 2.0
Plugin for Docker CLI to support viewing and creating SBOMs for Docker images using Syft.
# install the docker-sbom plugin
curl -sSfL https://raw.githubusercontent.com/docker/sbom-cli-plugin/main/install.sh | sh -s --
# use the sbom plugin
docker sbom <my-image>
I'm trying to install the plugin, but i get the following error when I run curl.
[error] docker is not installed; refusing to install to '/root/.docker/cli-plugins
I have docker installed.
Docker version 20.10.16, build aa7e414
What happened:
Ran
docker sbom my-image
and file left in /tmp/sbom-cli-plugin-..../docker-daemon-image....
What you expected to happen:
SBOM output on STDOUT, and no files left on device
How to reproduce it (as minimally and precisely as possible):
ls /tmp/sbom* > before.txt 2>/dev/null
docker sbom my-image
ls /tmp/sbom* > after.txt 2>/dev/null
diff before.txt after.txt
Anything else we need to know?:
Confirmed on two machines (see below)
Environment:
docker version:Machine 1:
Client: Docker Engine - Community
Version: 24.0.2
API version: 1.43
Go version: go1.20.4
Git commit: cb74dfc
Built: Thu May 25 21:52:13 2023
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 24.0.2
API version: 1.43 (minimum version 1.12)
Go version: go1.20.4
Git commit: 659604f
Built: Thu May 25 21:52:13 2023
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.6.21
GitCommit: 3dce8eb055cbb6872793272b4f20ed16117344f8
runc:
Version: 1.1.7
GitCommit: v1.1.7-0-g860f061
docker-init:
Version: 0.19.0
GitCommit: de40ad0
Machine 2:
docker version
Client:
Version: 19.03.6
API version: 1.40
Go version: go1.12.17
Git commit: 369ce74a3c
Built: Wed Oct 14 19:03:30 2020
OS/Arch: linux/arm64
Experimental: false
Server:
Engine:
Version: 19.03.6
API version: 1.40 (minimum version 1.12)
Go version: go1.12.17
Git commit: 369ce74a3c
Built: Wed Oct 14 16:52:50 2020
OS/Arch: linux/arm64
Experimental: false
containerd:
Version: 1.3.3-0ubuntu1~18.04.3
GitCommit:
runc:
Version: spec: 1.0.1-dev
GitCommit:
docker-init:
Version: 0.18.0
GitCommit:
docker sbom version:Machine 1:
Application: docker-sbom (0.6.1)
Provider: syft (v0.46.3)
GitCommit: 02cf1c888ad6662109ac6e3be618392514a56316
GitDescription: v0.6.1
Platform: linux/amd64
Machine 2:
Application: docker-sbom (0.6.1)
Provider: syft (v0.46.3)
GitCommit: 02cf1c888ad6662109ac6e3be618392514a56316
GitDescription: v0.6.1
Platform: linux/arm64
What happened: When running, docker sbom as root, the command works fine. When su-ing over to our 'gitlab-runner' user, installing the plugin for that user, docker reports it as an an "invalid plugin" with a "permission denied":
Invalid Plugins:
sbom failed to fetch metadata: fork/exec /home/gitlab-runner/.docker/cli-plugins/docker-sbom: permission denied
What you expected to happen: docker sbom to work for my 'gitlab-runner' user so I can integrate it into our CI/CD processes.
How to reproduce it (as minimally and precisely as possible): Run the install script for docker-sbom as the gitlab-runner user and once installed, just run docker [enter] to see the error.
Anything else we need to know?: Things I've tried or additional outputs:
docker sbom or sbom prior to being disabled for testing (setenforce 0)id as gitlab-runner: uid=1002(gitlab-runner) gid=1002(gitlab-runner) groups=1002(gitlab-runner),979(docker) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023Environment:
docker version: Docker version 24.0.7, build afdd53bdocker sbom version: sbom-cli-plugin 0.6.1, build 02cf1c8Will it be possible to filter by package type ?
Hello,
What would you like to be added:
Have you thought about adding build time support?
Why is this needed:
With post-build scanning it's still possible to miss some detail, like changes done by the compiler or other tools used during building an image.
Only few sbom generation tools already support build-time generation (like Salus or pkgconf bomtool for example), but non of them is universal and complete to capture various docker builds.
The only option for the moment is implementing a build-time sbom generation tool that fits for building docker images and making it part of the build process, which is a fully valid and well-working option. Still, as there is already an experimental docker sbom feature, it would be great to have generic build time configuration.
will the output describe the layer in which the software was first introduced?
Will it be possible to find-
After running docker sbom on the same image 4 times I'm left with this in my /tmp folder.
$ du -hs /tmp/sbom-cli-plugin-*
279M /tmp/sbom-cli-plugin-1458332103
279M /tmp/sbom-cli-plugin-2556891745
279M /tmp/sbom-cli-plugin-2823905553
279M /tmp/sbom-cli-plugin-4236198233
I would rather that the command clean up after itself since doing docker sbom on larger images quickly fills up /tmp. And in some cases the content doesn't even fit into the default 2G /tmp size.
What would you like to be added:
When trying to install the plugin without Docker Desktop I was seeing the error "docker is not installed; refusing to install to '~/.docker/cli-plugins". After some investigation I realised that Docker Desktop creates the .docker folder, and that if I create the .docker folder manually the plugin can then be installed. Can the install script be updated to create the .docker folder if the user is not using Docker Desktop?
Why is this needed:
Allows for installation of the plugin without Docker Desktop.
What would you like to be added:
support for https://github.com/anchore/syft/releases/tag/v0.73.0
Why is this needed:
want to use a actual version
Additional context:
What happened:
The TestAllFormatsExpressible test fails due, I believe, to syft related issue: -
cd /root/go/src/github.com/docker/sbom-cli-plugin/test/cli
go test -v ./... --run TestAllFormatsExpressible
=== RUN TestAllFormatsExpressible
utils_test.go:56: obtaining fixture image for image-pkg-coverage
=== RUN TestAllFormatsExpressible/format:syft-3-json
=== RUN TestAllFormatsExpressible/format:cyclonedx-1-xml
=== RUN TestAllFormatsExpressible/format:cyclonedx-1-json
=== RUN TestAllFormatsExpressible/format:github-0-json
=== RUN TestAllFormatsExpressible/format:spdx-2-tag-value
=== RUN TestAllFormatsExpressible/format:spdx-2-json
=== RUN TestAllFormatsExpressible/format:syft-table
all_formats_expressible_test.go:28: there may not be any report output (len=747)
all_formats_expressible_test.go:31: STDOUT:
NAME VERSION TYPE
Pygments 2.6.1 python
apt 1.8.2 deb
bundler 2.1.4 gem
dash 0.5.8-2.4 deb
dive 0.9.2-1 rpm
libc-utils 0.7.2-r0 apk
musl-utils 1.1.24-r2 apk
netbase 5.4 deb
nikic/fast-route v1.3.0 php-composer
npm 6.14.6 npm
psr/container 2.0.2 php-composer
psr/http-factory 1.0.1 php-composer
requests 2.22.0 python
someotherpkg 3.19.0 python
somerequests 3.22.0 python
unbundler 3.1.4 gem
all_formats_expressible_test.go:32: STDERR:
[0000] WARN cataloger 'java-cataloger' failed to parse entries at location=Location<id=5 RealPath="/java/example-jenkins-plugin.hpi" VirtualPath="/java/example-jenkins-plugin.hpi" Layer="sha256:a908332de3f8ebb4f7c95fb6869b745325f8fe96bb4d1c472b263fba6b173529">: unable to read files from java archive: unable to open zip archive (/tmp/syft-archive-contents-1598349393/archive-example-jenkins-plugin.hpi): cannot find beginning of zip archive="/tmp/syft-archive-contents-1598349393/archive-example-jenkins-plugin.hpi" : zip: not a valid zip file
[0000] WARN cataloger 'java-cataloger' failed to parse entries at location=Location<id=4 RealPath="/java/example-java-app-maven-0.1.0.jar" VirtualPath="/java/example-java-app-maven-0.1.0.jar" Layer="sha256:a908332de3f8ebb4f7c95fb6869b745325f8fe96bb4d1c472b263fba6b173529">: unable to read files from java archive: unable to open zip archive (/tmp/syft-archive-contents-1355980804/archive-example-java-app-maven-0.1.0.jar): cannot find beginning of zip archive="/tmp/syft-archive-contents-1355980804/archive-example-java-app-maven-0.1.0.jar" : zip: not a valid zip file
all_formats_expressible_test.go:33: COMMAND: /root/go/src/github.com/docker/sbom-cli-plugin/snapshot/sbom-cli-plugin_linux_amd64/docker-sbom sbom stereoscope-fixture-image-pkg-coverage:c531ccd41ba451da7aa4700ba89e889b9109c2841710bb0c80af91d10705b6d6 --format syft-table
=== RUN TestAllFormatsExpressible/format:syft-text
--- FAIL: TestAllFormatsExpressible (1.49s)
--- PASS: TestAllFormatsExpressible/format:syft-3-json (0.15s)
--- PASS: TestAllFormatsExpressible/format:cyclonedx-1-xml (0.14s)
--- PASS: TestAllFormatsExpressible/format:cyclonedx-1-json (0.17s)
--- PASS: TestAllFormatsExpressible/format:github-0-json (0.16s)
--- PASS: TestAllFormatsExpressible/format:spdx-2-tag-value (0.17s)
--- PASS: TestAllFormatsExpressible/format:spdx-2-json (0.16s)
--- FAIL: TestAllFormatsExpressible/format:syft-table (0.13s)
--- PASS: TestAllFormatsExpressible/format:syft-text (0.15s)
FAIL
FAIL github.com/docker/sbom-cli-plugin/test/cli 1.867s
FAIL
I see the same if I run the bundled docker-sbom binary, which includes syft v0.46.3 : -
/root/go/src/github.com/docker/sbom-cli-plugin/snapshot/sbom-cli-plugin_linux_amd64/docker-sbom sbom stereoscope-fixture-image-pkg-coverage:c531ccd41ba451da7aa4700ba89e889b9109c2841710bb0c80af91d10705b6d6 --format syft-table
Syft v0.46.3
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [16 packages]
[0000] WARN cataloger 'java-cataloger' failed to parse entries at location=Location<id=4 RealPath="/java/example-java-app-maven-0.1.0.jar" VirtualPath="/java/example-java-app-maven-0.1.0.jar" Layer="sha256:a908332de3f8ebb4f7c95fb6869b745325f8fe96bb4d1c472b263fba6b173529">: unable to read files from java archive: unable to open zip archive (/tmp/syft-archive-contents-3960168755/archive-example-java-app-maven-0.1.0.jar): cannot find beginning of zip archive="/tmp/syft-archive-contents-3960168755/archive-example-java-app-maven-0.1.0.jar" : zip: not a valid zip file
[0000] WARN cataloger 'java-cataloger' failed to parse entries at location=Location<id=5 RealPath="/java/example-jenkins-plugin.hpi" VirtualPath="/java/example-jenkins-plugin.hpi" Layer="sha256:a908332de3f8ebb4f7c95fb6869b745325f8fe96bb4d1c472b263fba6b173529">: unable to read files from java archive: unable to open zip archive (/tmp/syft-archive-contents-2985024269/archive-example-jenkins-plugin.hpi): cannot find beginning of zip archive="/tmp/syft-archive-contents-2985024269/archive-example-jenkins-plugin.hpi" : zip: not a valid zip file
NAME VERSION TYPE
Pygments 2.6.1 python
apt 1.8.2 deb
bundler 2.1.4 gem
dash 0.5.8-2.4 deb
dive 0.9.2-1 rpm
libc-utils 0.7.2-r0 apk
musl-utils 1.1.24-r2 apk
netbase 5.4 deb
nikic/fast-route v1.3.0 php-composer
npm 6.14.6 npm
psr/container 2.0.2 php-composer
psr/http-factory 1.0.1 php-composer
requests 2.22.0 python
someotherpkg 3.19.0 python
somerequests 3.22.0 python
unbundler 3.1.4 gem
ls -al /root/go/src/github.com/docker/sbom-cli-plugin/snapshot/sbom-cli-plugin_linux_amd64/docker-sbom
-rwxr-xr-x 1 root root 21733376 Jun 23 2022 /root/go/src/github.com/docker/sbom-cli-plugin/snapshot/sbom-cli-plugin_linux_amd64/docker-sbom
/root/go/src/github.com/docker/sbom-cli-plugin/snapshot/sbom-cli-plugin_linux_amd64/docker-sbom sbom --version
sbom-cli-plugin 0.6.1-SNAPSHOT-b17d47d, build b17d47dc0b20061e7924e835716caef3c6cc6a46
Debug shows a little more: -
/root/go/src/github.com/docker/sbom-cli-plugin/snapshot/sbom-cli-plugin_linux_amd64/docker-sbom sbom --debug stereoscope-fixture-image-pkg-coverage:c531ccd41ba451da7aa4700ba89e889b9109c2841710bb0c80af91d10705b6d6 --format syft-table
[0000] DEBUG application config:
package:
cataloger:
enabled: true
scope: squashed
search-unindexed-archives: false
search-indexed-archives: true
exclude: []
platform: ""
output: ""
format: syft-table
quiet: false
log:
structured: false
level: ""
file: ""
debug: true
[0000] INFO syft version: v0.46.3
[0000] DEBUG ├── compiler: gc
[0000] DEBUG ├── gitCommit: b17d47dc0b20061e7924e835716caef3c6cc6a46
[0000] DEBUG ├── gitDescription: v0.6.1-2-gb17d47d-dirty
[0000] DEBUG ├── goVersion: go1.19.4
[0000] DEBUG ├── platform: linux/amd64
[0000] DEBUG ├── syftVersion: v0.46.3
[0000] DEBUG └── version: 0.6.1-SNAPSHOT-b17d47d
[0000] DEBUG image metadata: digest=sha256:22391dca0d1a510d5fcc9f4295848ce72bff55994ef808cbdfeeabfdc1d43843 mediaType=application/vnd.docker.distribution.manifest.v2+json tags=[stereoscope-fixture-image-pkg-coverage:c531ccd41ba451da7aa4700ba89e889b9109c2841710bb0c80af91d10705b6d6 stereoscope-fixture-image-pkg-coverage:latest] from-lib=stereoscope
[0000] DEBUG layer metadata: index=0 digest=sha256:a908332de3f8ebb4f7c95fb6869b745325f8fe96bb4d1c472b263fba6b173529 mediaType=application/vnd.docker.image.rootfs.diff.tar.gzip from-lib=stereoscope
[0000] DEBUG layer metadata: index=1 digest=sha256:cb90c02c204e8f97351fc204f67e5f432f733179629cc59215648e8c35520276 mediaType=application/vnd.docker.image.rootfs.diff.tar.gzip from-lib=stereoscope
[0000] DEBUG layer metadata: index=2 digest=sha256:aee5ab65d15f551ee339b0e75c1a732d2a59cc6e0bfd301139b454d8069b2b00 mediaType=application/vnd.docker.image.rootfs.diff.tar.gzip from-lib=stereoscope
[0000] INFO could not identify distro
[0000] INFO cataloging image
[0000] DEBUG cataloging with "ruby-gemspec-cataloger"
[0000] DEBUG discovered 2 packages
[0000] DEBUG cataloging with "python-package-cataloger"
[0000] DEBUG discovered 4 packages
[0000] DEBUG cataloging with "php-composer-installed-cataloger"
[0000] DEBUG discovered 3 packages
[0000] DEBUG cataloging with "javascript-package-cataloger"
[0000] DEBUG discovered 1 packages
[0000] DEBUG cataloging with "dpkgdb-cataloger"
[0000] DEBUG discovered 3 packages
[0000] DEBUG cataloging with "rpmdb-cataloger"
[0000] DEBUG discovered 1 packages
[0000] DEBUG cataloging with "java-cataloger"
[0000] WARN cataloger 'java-cataloger' failed to parse entries at location=Location<id=4 RealPath="/java/example-java-app-maven-0.1.0.jar" VirtualPath="/java/example-java-app-maven-0.1.0.jar" Layer="sha256:a908332de3f8ebb4f7c95fb6869b745325f8fe96bb4d1c472b263fba6b173529">: unable to read files from java archive: unable to open zip archive (/tmp/syft-archive-contents-3683551109/archive-example-java-app-maven-0.1.0.jar): cannot find beginning of zip archive="/tmp/syft-archive-contents-3683551109/archive-example-java-app-maven-0.1.0.jar" : zip: not a valid zip file
[0000] WARN cataloger 'java-cataloger' failed to parse entries at location=Location<id=5 RealPath="/java/example-jenkins-plugin.hpi" VirtualPath="/java/example-jenkins-plugin.hpi" Layer="sha256:a908332de3f8ebb4f7c95fb6869b745325f8fe96bb4d1c472b263fba6b173529">: unable to read files from java archive: unable to open zip archive (/tmp/syft-archive-contents-701429832/archive-example-jenkins-plugin.hpi): cannot find beginning of zip archive="/tmp/syft-archive-contents-701429832/archive-example-jenkins-plugin.hpi" : zip: not a valid zip file
[0000] DEBUG discovered 0 packages
[0000] DEBUG cataloging with "apkdb-cataloger"
[0000] DEBUG discovered 2 packages
[0000] DEBUG cataloging with "go-module-binary-cataloger"
[0000] DEBUG discovered 0 packages
[0000] DEBUG cataloging with "dotnet-deps-cataloger"
[0000] DEBUG discovered 0 packages
NAME VERSION TYPE
Pygments 2.6.1 python
apt 1.8.2 deb
bundler 2.1.4 gem
dash 0.5.8-2.4 deb
dive 0.9.2-1 rpm
libc-utils 0.7.2-r0 apk
musl-utils 1.1.24-r2 apk
netbase 5.4 deb
nikic/fast-route v1.3.0 php-composer
npm 6.14.6 npm
psr/container 2.0.2 php-composer
psr/http-factory 1.0.1 php-composer
requests 2.22.0 python
someotherpkg 3.19.0 python
somerequests 3.22.0 python
unbundler 3.1.4 gem
I can reproduce this by installing the same version of syft : -
wget https://github.com/anchore/syft/releases/download/v0.46.3/syft_0.46.3_linux_amd64.deb
dpkg --install syft_0.46.3_linux_amd64.deb
syft --version
syft 0.46.3
syft stereoscope-fixture-image-pkg-coverage:c531ccd41ba451da7aa4700ba89e889b9109c2841710bb0c80af91d10705b6d6
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [16 packages]
[0000] WARN cataloger 'java-cataloger' failed to parse entries at location=Location<id=5 RealPath="/java/example-jenkins-plugin.hpi" VirtualPath="/java/example-jenkins-plugin.hpi" Layer="sha256:a908332de3f8ebb4f7c95fb6869b745325f8fe96bb4d1c472b263fba6b173529">: unable to read files from java archive: unable to open zip archive (/tmp/syft-archive-contents-1650874893/archive-example-jenkins-plugin.hpi): cannot find beginning of zip archive="/tmp/syft-archive-contents-1650874893/archive-example-jenkins-plugin.hpi" : zip: not a valid zip file
[0000] WARN cataloger 'java-cataloger' failed to parse entries at location=Location<id=4 RealPath="/java/example-java-app-maven-0.1.0.jar" VirtualPath="/java/example-java-app-maven-0.1.0.jar" Layer="sha256:a908332de3f8ebb4f7c95fb6869b745325f8fe96bb4d1c472b263fba6b173529">: unable to read files from java archive: unable to open zip archive (/tmp/syft-archive-contents-582683570/archive-example-java-app-maven-0.1.0.jar): cannot find beginning of zip archive="/tmp/syft-archive-contents-582683570/archive-example-java-app-maven-0.1.0.jar" : zip: not a valid zip file
NAME VERSION TYPE
Pygments 2.6.1 python
apt 1.8.2 deb
bundler 2.1.4 gem
dash 0.5.8-2.4 deb
dive 0.9.2-1 rpm
libc-utils 0.7.2-r0 apk
musl-utils 1.1.24-r2 apk
netbase 5.4 deb
nikic/fast-route v1.3.0 php-composer
npm 6.14.6 npm
psr/container 2.0.2 php-composer
psr/http-factory 1.0.1 php-composer
requests 2.22.0 python
someotherpkg 3.19.0 python
somerequests 3.22.0 python
unbundler 3.1.4 gem
If I instead download/install the latest version of syft : -
dpkg --remove syft
wget https://github.com/anchore/syft/releases/download/v0.64.0/syft_0.64.0_linux_amd64.deb
dpkg --install syft_0.64.0_linux_amd64.deb
syft --version
syft 0.64.0
I don't see the same issue: -
syft stereoscope-fixture-image-pkg-coverage:c531ccd41ba451da7aa4700ba89e889b9109c2841710bb0c80af91d10705b6d6
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [16 packages]
NAME VERSION TYPE
Pygments 2.6.1 python
apt 1.8.2 deb
bundler 2.1.4 gem
dash 0.5.8-2.4 deb
dive 0.9.2-1 rpm
libc-utils 0.7.2-r0 apk
musl-utils 1.1.24-r2 apk
netbase 5.4 deb
nikic/fast-route v1.3.0 php-composer
npm 6.14.6 npm
psr/container 2.0.2 php-composer
psr/http-factory 1.0.1 php-composer
requests 2.22.0 python
someotherpkg 3.19.0 python
somerequests 3.22.0 python
unbundler 3.1.4 gem
What you expected to happen:
The TestAllFormatsExpressible test should pass
How to reproduce it (as minimally and precisely as possible):
See above
Anything else we need to know?:
This only appears to fail thusly on Ubuntu Linux; testing syft v0.46.3 on macOS doesn't exhibit the same issue: -
wget https://github.com/anchore/syft/releases/download/v0.46.3/syft_0.46.3_darwin_arm64.tar.gz
tar xvzf syft_0.46.3_darwin_arm64.tar.gz
./syft --version
syft 0.46.3
syft stereoscope-fixture-image-pkg-coverage:latest
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [20 packages]
NAME VERSION TYPE
Pygments 2.6.1 python
apt 1.8.2 deb
bundler 2.1.4 gem
dash 0.5.8-2.4 deb
dive 0.9.2-1 rpm
example-java-app-maven 0.1.0 java-archive
example-jenkins-plugin 1.0-SNAPSHOT jenkins-plugin
joda-time 2.9.2 java-archive
libc-utils 0.7.2-r0 apk
musl-utils 1.1.24-r2 apk
netbase 5.4 deb
nikic/fast-route v1.3.0 php-composer
npm 6.14.6 npm
psr/container 2.0.2 php-composer
psr/http-factory 1.0.1 php-composer
requests 2.22.0 python
someotherpkg 3.19.0 python
somerequests 3.22.0 python
unbundler 3.1.4 gem
Failing Ubuntu
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.5 LTS
Release: 20.04
Codename: focal
Working macOS
sw_vers
ProductName: macOS
ProductVersion: 13.1
BuildVersion: 22C65
Environment:
docker version:docker version
Client:
Version: 20.10.12
API version: 1.41
Go version: go1.16.2
Git commit: 20.10.12-0ubuntu2~20.04.1
Built: Wed Apr 6 02:14:38 2022
OS/Arch: linux/amd64
Context: default
Experimental: true
Server:
Engine:
Version: 20.10.12
API version: 1.41 (minimum version 1.12)
Go version: go1.16.2
Git commit: 20.10.12-0ubuntu2~20.04.1
Built: Thu Feb 10 15:03:35 2022
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.5.9-0ubuntu1~20.04.6
GitCommit:
runc:
Version: 1.1.0-0ubuntu1~20.04.2
GitCommit:
docker-init:
Version: 0.19.0
GitCommit:
docker sbom version:N/A
What happened:
Having run make bootstrap-tools to install the requisite version of golangci-lint - 1.45.0 - into .tmp/golangci-lint other make commands lead to a panic from golangci-lint : -
panic: load embedded ruleguard rules: rules/rules.go:13: can't load fmt
goroutine 1 [running]:
github.com/go-critic/go-critic/checkers.init.22()
github.com/go-critic/[email protected]/checkers/embedded_rules.go:46 +0x494
In fact, merely running .tmp/golangci-lint results in the same panic.
This is due to an issue with golangci-lint itself, as per this - go-critic/ruleguard: load embedded ruleguard rules: rules/rules.go:13: can't load fmt #3107 - and occurs with versions 1.45.0, 1.46.0 and 1.47.0.
Later versions from 1.48.0 through the current latest - 1.50.1 - work OK
What you expected to happen:
make etc. that leverages golangci-lint should run to completion; also golangci-lint commands such .tmp/golangci-lint --version should just work: -
golangci-lint has version 1.50.1 built from 8926a95f on 2022-10-22T10:50:47Z
How to reproduce it (as minimally and precisely as possible):
make bootstrap-toolsgolangci-lint via .tmp/golangci-lint --version or just run makeAnything else we need to know?:
Environment:
go version
go version go1.19.4 darwin/arm64
sw_vers
ProductName: macOS
ProductVersion: 13.1
BuildVersion: 22C65
I've also reproduced the same on Ubuntu
I'll create a PR from my own fork, updating golangci-lint to the (current) latest - 1.50.1 - as per that project's releases page
Most formats do not record the version of Syft used. The version is reported as [not provided].
For instance, with cyclonedx-json:
$ docker sbom --version
sbom-cli-plugin 0.6.0, build 741c56e0db8c65d853f18e0a9b23287d33b30e05
$ docker sbom alpine:latest --format cyclonedx-json | jq -r .metadata.tools
[
{
"vendor": "anchore",
"name": "syft",
"version": "[not provided]"
}
]
Looking at the upstream code, I think this is down to the fact that some/most formats don't respect the Descriptor.Version field in the SBOM and just use version.FromBuild().Version which won't be populated when using syft as a library.
Here's a table comparing all the formats. A 🟢 indicates that it reports the expected version; a 🔴 indicates a missing version.
| Format | Pass/Fail | Notes |
|---|---|---|
| syft-json | 🟢 | |
| cyclonedx-xml | 🔴 | |
| cyclonedx-json | 🔴 | |
| github-0-json | 🔴 | Reports 0.0.0-dev |
| spdx-tag-value | 🔴 | |
| spdx-json | 🔴 | |
| table | 🟢 | N/A |
| text | 🟢 | N/A |
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.