sbom-cli-plugin's Introduction

sbom-cli-plugin

Plugin for Docker CLI to support viewing and creating SBOMs for Docker images using Syft.

Getting started

# install the docker-sbom plugin
curl -sSfL https://raw.githubusercontent.com/docker/sbom-cli-plugin/main/install.sh | sh -s --

# use the sbom plugin
docker sbom <my-image>

The one-liner executes whatever install.sh is currently served from the main branch. On CI runners or shared hosts, fetch the script to a file, review it, and run that file, so the code you execute is the code you inspected.

sbom-cli-plugin's People

Contributors

chris-crone, jonasagx, wagoodman, zhill


sbom-cli-plugin's Issues

docker sbom leaves large files in /tmp

What happened:
Ran

docker sbom my-image

and a file was left in /tmp/sbom-cli-plugin-..../docker-daemon-image....

What you expected to happen:

SBOM output on STDOUT, and no files left on device

How to reproduce it (as minimally and precisely as possible):

ls /tmp/sbom* > before.txt 2>/dev/null
docker sbom my-image
ls /tmp/sbom* > after.txt 2>/dev/null
diff before.txt after.txt

Anything else we need to know?:

Confirmed on two machines (see below)

Environment:

  • Output of docker version:

Machine 1:

Client: Docker Engine - Community
 Version:           24.0.2
 API version:       1.43
 Go version:        go1.20.4
 Git commit:        cb74dfc
 Built:             Thu May 25 21:52:13 2023
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          24.0.2
  API version:      1.43 (minimum version 1.12)
  Go version:       go1.20.4
  Git commit:       659604f
  Built:            Thu May 25 21:52:13 2023
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.21
  GitCommit:        3dce8eb055cbb6872793272b4f20ed16117344f8
 runc:
  Version:          1.1.7
  GitCommit:        v1.1.7-0-g860f061
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Machine 2:

docker version
Client:
 Version:           19.03.6
 API version:       1.40
 Go version:        go1.12.17
 Git commit:        369ce74a3c
 Built:             Wed Oct 14 19:03:30 2020
 OS/Arch:           linux/arm64
 Experimental:      false

Server:
 Engine:
  Version:          19.03.6
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.12.17
  Git commit:       369ce74a3c
  Built:            Wed Oct 14 16:52:50 2020
  OS/Arch:          linux/arm64
  Experimental:     false
 containerd:
  Version:          1.3.3-0ubuntu1~18.04.3
  GitCommit:        
 runc:
  Version:          spec: 1.0.1-dev
  GitCommit:        
 docker-init:
  Version:          0.18.0
  GitCommit:        

  • Output of docker sbom version:

Machine 1:

Application:        docker-sbom (0.6.1)
Provider:           syft (v0.46.3)
GitCommit:          02cf1c888ad6662109ac6e3be618392514a56316
GitDescription:     v0.6.1
Platform:           linux/amd64

Machine 2:

Application:        docker-sbom (0.6.1)
Provider:           syft (v0.46.3)
GitCommit:          02cf1c888ad6662109ac6e3be618392514a56316
GitDescription:     v0.6.1
Platform:           linux/arm64

Running SBOM as gitlab-runner fails with 'permission denied'

What happened: When running docker sbom as root, the command works fine. When su-ing over to our 'gitlab-runner' user, installing the plugin for that user, docker reports it as an "invalid plugin" with a "permission denied":

Invalid Plugins:
sbom failed to fetch metadata: fork/exec /home/gitlab-runner/.docker/cli-plugins/docker-sbom: permission denied

What you expected to happen: docker sbom to work for my 'gitlab-runner' user so I can integrate it into our CI/CD processes.

How to reproduce it (as minimally and precisely as possible): Run the install script for docker-sbom as the gitlab-runner user and once installed, just run docker [enter] to see the error.

Anything else we need to know?: Things I've tried or additional outputs:

  • verified permissions on docker-sbom between working instance (root) and non-working instance (gitlab-runner)
  • verified owner was properly set as root for root and gitlab-runner for gitlab-runner
    • but also tried changing gitlab-runner's docker-sbom's owner to 'root' and received the same error
  • all of these tests were run with SELinux off (for testing)
    • /var/log/audit/audit.log was additionally not showing any block/deny actions for docker sbom or sbom prior to being disabled for testing (setenforce 0)
  • output of id as gitlab-runner: uid=1002(gitlab-runner) gid=1002(gitlab-runner) groups=1002(gitlab-runner),979(docker) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
  • gitlab-runner can successfully run other docker commands, e.g.: build, tag, push, images, ps, etc. (all other commands we use in our pipeline)

Environment:

  • OS: RHEL 8.9
  • Output of docker version: Docker version 24.0.7, build afdd53b
  • Output of docker sbom version: sbom-cli-plugin 0.6.1, build 02cf1c8
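Docker starts a CLI plugin by exec'ing the docker-<name> binary from the user's cli-plugins directory, so "fork/exec ...: permission denied" is the kernel refusing to execute that file for that user. The function below is an added troubleshooting aid, not code from the sbom-cli-plugin project and not something the reporter ran: it checks the preconditions a successful exec needs (a regular file the current user can read and execute, on a filesystem not mounted noexec). It does not establish which of these, if any, caused the report above, and it does not cover SELinux denials; the function name and the findmnt-based mount check are this editor's assumptions.

```shell
# Added diagnostic (not sbom-cli-plugin code): report why the current user
# may be unable to exec a Docker CLI plugin binary.
#
# check_cli_plugin [PATH]
#   PATH defaults to $HOME/.docker/cli-plugins/docker-sbom.
#   Prints FAIL lines to stderr for each failed precondition and returns 1;
#   returns 0 when every check passes. Checks:
#     - regular file exists
#     - readable and executable by the invoking user
#     - containing filesystem not mounted noexec (only when findmnt exists)
check_cli_plugin() {
    plugin=${1:-"$HOME/.docker/cli-plugins/docker-sbom"}
    status=0

    if [ ! -f "$plugin" ]; then
        echo "FAIL: $plugin is not a regular file" >&2
        return 1
    fi

    if [ ! -r "$plugin" ]; then
        echo "FAIL: $plugin is not readable by $(id -un)" >&2
        status=1
    fi

    if [ ! -x "$plugin" ]; then
        echo "FAIL: $plugin is not executable by $(id -un) (try: chmod 755 '$plugin')" >&2
        status=1
    fi

    # A correct mode bit is useless if the mount forbids exec altogether.
    if command -v findmnt >/dev/null 2>&1; then
        opts=$(findmnt -no OPTIONS -T "$plugin" 2>/dev/null) || opts=""
        case ",$opts," in
            *,noexec,*)
                echo "FAIL: filesystem holding $plugin is mounted noexec ($opts)" >&2
                status=1 ;;
        esac
    fi

    if [ "$status" -eq 0 ]; then
        echo "OK: $plugin passes exec preconditions for $(id -un)" >&2
    fi
    return "$status"
}

# Typical use, as the CI user: check_cli_plugin
```

Run it as the same user that gets the "invalid plugin" error, since both the permission bits and the mount options are evaluated for the invoking uid.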

Support of build-time generation

Hello,

What would you like to be added:

Have you thought about adding build time support?

Why is this needed:

With post-build scanning it's still possible to miss some detail, like changes done by the compiler or other tools used during building an image.

Only a few SBOM generation tools already support build-time generation (Salus or pkgconf bomtool, for example), but none of them is universal and complete enough to capture various Docker builds.

The only option for the moment is implementing a build-time sbom generation tool that fits for building docker images and making it part of the build process, which is a fully valid and well-working option. Still, as there is already an experimental docker sbom feature, it would be great to have generic build time configuration.

layer results?

Will the output describe the layer in which the software was first introduced?

Temporary directories are left on disk eating up /tmp fast

After running docker sbom on the same image 4 times I'm left with this in my /tmp folder.

$ du -hs /tmp/sbom-cli-plugin-*
279M    /tmp/sbom-cli-plugin-1458332103
279M    /tmp/sbom-cli-plugin-2556891745
279M    /tmp/sbom-cli-plugin-2823905553
279M    /tmp/sbom-cli-plugin-4236198233

I would rather that the command clean up after itself since doing docker sbom on larger images quickly fills up /tmp. And in some cases the content doesn't even fit into the default 2G /tmp size.
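This report and the earlier "docker sbom leaves large files in /tmp" issue describe the same leftover sbom-cli-plugin-* work directories. The wrapper below is an added example, not code from the sbom-cli-plugin project or from either reporter: it runs a command with a private TMPDIR, counts any sbom-cli-plugin-* entries the command left there, and deletes the private directory afterwards so /tmp does not fill up between runs. It assumes the plugin chooses its scratch location the way Go's os.MkdirTemp does, i.e. that it honours $TMPDIR; that is not confirmed anywhere on this page, and if the plugin ignores the variable the leftovers still land in /tmp. The function and variable names are hypothetical.

```shell
# Added example (not sbom-cli-plugin code): run a command under a private
# TMPDIR, count the sbom-cli-plugin-* directories it leaves behind, and
# remove the private directory afterwards.
#
# Assumption: the plugin honours $TMPDIR when creating its work directory.
# If it does not, SBOM_LEFTOVERS stays 0 and the files remain in /tmp.

# run_with_scratch_tmpdir CMD [ARGS...]
#   Runs CMD with TMPDIR set to a fresh directory. CMD's stdout/stderr are
#   untouched, so the SBOM still goes wherever you redirect it. Afterwards:
#     SBOM_SCRATCH_DIR  the scratch path (already deleted)
#     SBOM_LEFTOVERS    number of sbom-cli-plugin-* entries found in it
#   Returns CMD's exit status.
run_with_scratch_tmpdir() {
    SBOM_SCRATCH_DIR=$(mktemp -d) || return 1
    TMPDIR=$SBOM_SCRATCH_DIR "$@"
    _rc=$?
    SBOM_LEFTOVERS=$(count_leftovers "$SBOM_SCRATCH_DIR")
    if [ "$SBOM_LEFTOVERS" -gt 0 ]; then
        echo "warning: $SBOM_LEFTOVERS sbom-cli-plugin-* dir(s) left in $SBOM_SCRATCH_DIR; removing" >&2
    fi
    rm -rf "$SBOM_SCRATCH_DIR"
    return "$_rc"
}

# count_leftovers DIR
#   Number of sbom-cli-plugin-* entries directly under DIR (0 if none).
count_leftovers() {
    _n=0
    for _p in "$1"/sbom-cli-plugin-*; do
        if [ -e "$_p" ]; then
            _n=$((_n + 1))
        fi
    done
    echo "$_n"
}

# Typical use (needs Docker, so it is only a comment here):
#   run_with_scratch_tmpdir docker sbom my-image > my-image.sbom.txt
#   echo "leftover work dirs: $SBOM_LEFTOVERS"
```

Because the scratch directory is created fresh per invocation, a run that aborts part-way still gets cleaned up, and the leftover count doubles as a regression check for the bug described in both issues.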

Installing plugin without Docker Desktop

What would you like to be added:
When trying to install the plugin without Docker Desktop I was seeing the error "docker is not installed; refusing to install to '~/.docker/cli-plugins". After some investigation I realised that Docker Desktop creates the .docker folder, and that if I create the .docker folder manually the plugin can then be installed. Can the install script be updated to create the .docker folder if the user is not using Docker Desktop?

Why is this needed:
Allows for installation of the plugin without Docker Desktop.

TestAllFormatsExpressible/format:syft-table fails when building sbom-cli-plugin

What happened:

The TestAllFormatsExpressible test fails due, I believe, to a syft-related issue: -

cd /root/go/src/github.com/docker/sbom-cli-plugin/test/cli

go test -v ./... --run TestAllFormatsExpressible

=== RUN   TestAllFormatsExpressible
    utils_test.go:56: obtaining fixture image for image-pkg-coverage
=== RUN   TestAllFormatsExpressible/format:syft-3-json
=== RUN   TestAllFormatsExpressible/format:cyclonedx-1-xml
=== RUN   TestAllFormatsExpressible/format:cyclonedx-1-json
=== RUN   TestAllFormatsExpressible/format:github-0-json
=== RUN   TestAllFormatsExpressible/format:spdx-2-tag-value
=== RUN   TestAllFormatsExpressible/format:spdx-2-json
=== RUN   TestAllFormatsExpressible/format:syft-table
    all_formats_expressible_test.go:28: there may not be any report output (len=747)
    all_formats_expressible_test.go:31: STDOUT:
         NAME              VERSION    TYPE
        Pygments          2.6.1      python
        apt               1.8.2      deb
        bundler           2.1.4      gem
        dash              0.5.8-2.4  deb
        dive              0.9.2-1    rpm
        libc-utils        0.7.2-r0   apk
        musl-utils        1.1.24-r2  apk
        netbase           5.4        deb
        nikic/fast-route  v1.3.0     php-composer
        npm               6.14.6     npm
        psr/container     2.0.2      php-composer
        psr/http-factory  1.0.1      php-composer
        requests          2.22.0     python
        someotherpkg      3.19.0     python
        somerequests      3.22.0     python
        unbundler         3.1.4      gem

    all_formats_expressible_test.go:32: STDERR:
         [0000]  WARN cataloger 'java-cataloger' failed to parse entries at location=Location<id=5 RealPath="/java/example-jenkins-plugin.hpi" VirtualPath="/java/example-jenkins-plugin.hpi" Layer="sha256:a908332de3f8ebb4f7c95fb6869b745325f8fe96bb4d1c472b263fba6b173529">: unable to read files from java archive: unable to open zip archive (/tmp/syft-archive-contents-1598349393/archive-example-jenkins-plugin.hpi): cannot find beginning of zip archive="/tmp/syft-archive-contents-1598349393/archive-example-jenkins-plugin.hpi" : zip: not a valid zip file
        [0000]  WARN cataloger 'java-cataloger' failed to parse entries at location=Location<id=4 RealPath="/java/example-java-app-maven-0.1.0.jar" VirtualPath="/java/example-java-app-maven-0.1.0.jar" Layer="sha256:a908332de3f8ebb4f7c95fb6869b745325f8fe96bb4d1c472b263fba6b173529">: unable to read files from java archive: unable to open zip archive (/tmp/syft-archive-contents-1355980804/archive-example-java-app-maven-0.1.0.jar): cannot find beginning of zip archive="/tmp/syft-archive-contents-1355980804/archive-example-java-app-maven-0.1.0.jar" : zip: not a valid zip file

    all_formats_expressible_test.go:33: COMMAND: /root/go/src/github.com/docker/sbom-cli-plugin/snapshot/sbom-cli-plugin_linux_amd64/docker-sbom sbom stereoscope-fixture-image-pkg-coverage:c531ccd41ba451da7aa4700ba89e889b9109c2841710bb0c80af91d10705b6d6 --format syft-table
=== RUN   TestAllFormatsExpressible/format:syft-text
--- FAIL: TestAllFormatsExpressible (1.49s)
    --- PASS: TestAllFormatsExpressible/format:syft-3-json (0.15s)
    --- PASS: TestAllFormatsExpressible/format:cyclonedx-1-xml (0.14s)
    --- PASS: TestAllFormatsExpressible/format:cyclonedx-1-json (0.17s)
    --- PASS: TestAllFormatsExpressible/format:github-0-json (0.16s)
    --- PASS: TestAllFormatsExpressible/format:spdx-2-tag-value (0.17s)
    --- PASS: TestAllFormatsExpressible/format:spdx-2-json (0.16s)
    --- FAIL: TestAllFormatsExpressible/format:syft-table (0.13s)
    --- PASS: TestAllFormatsExpressible/format:syft-text (0.15s)
FAIL
FAIL	github.com/docker/sbom-cli-plugin/test/cli	1.867s
FAIL

I see the same if I run the bundled docker-sbom binary, which includes syft v0.46.3 : -

/root/go/src/github.com/docker/sbom-cli-plugin/snapshot/sbom-cli-plugin_linux_amd64/docker-sbom sbom stereoscope-fixture-image-pkg-coverage:c531ccd41ba451da7aa4700ba89e889b9109c2841710bb0c80af91d10705b6d6 --format syft-table

Syft v0.46.3
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [16 packages]
[0000]  WARN cataloger 'java-cataloger' failed to parse entries at location=Location<id=4 RealPath="/java/example-java-app-maven-0.1.0.jar" VirtualPath="/java/example-java-app-maven-0.1.0.jar" Layer="sha256:a908332de3f8ebb4f7c95fb6869b745325f8fe96bb4d1c472b263fba6b173529">: unable to read files from java archive: unable to open zip archive (/tmp/syft-archive-contents-3960168755/archive-example-java-app-maven-0.1.0.jar): cannot find beginning of zip archive="/tmp/syft-archive-contents-3960168755/archive-example-java-app-maven-0.1.0.jar" : zip: not a valid zip file
[0000]  WARN cataloger 'java-cataloger' failed to parse entries at location=Location<id=5 RealPath="/java/example-jenkins-plugin.hpi" VirtualPath="/java/example-jenkins-plugin.hpi" Layer="sha256:a908332de3f8ebb4f7c95fb6869b745325f8fe96bb4d1c472b263fba6b173529">: unable to read files from java archive: unable to open zip archive (/tmp/syft-archive-contents-2985024269/archive-example-jenkins-plugin.hpi): cannot find beginning of zip archive="/tmp/syft-archive-contents-2985024269/archive-example-jenkins-plugin.hpi" : zip: not a valid zip file
NAME              VERSION    TYPE
Pygments          2.6.1      python
apt               1.8.2      deb
bundler           2.1.4      gem
dash              0.5.8-2.4  deb
dive              0.9.2-1    rpm
libc-utils        0.7.2-r0   apk
musl-utils        1.1.24-r2  apk
netbase           5.4        deb
nikic/fast-route  v1.3.0     php-composer
npm               6.14.6     npm
psr/container     2.0.2      php-composer
psr/http-factory  1.0.1      php-composer
requests          2.22.0     python
someotherpkg      3.19.0     python
somerequests      3.22.0     python
unbundler         3.1.4      gem

ls -al /root/go/src/github.com/docker/sbom-cli-plugin/snapshot/sbom-cli-plugin_linux_amd64/docker-sbom

-rwxr-xr-x 1 root root 21733376 Jun 23  2022 /root/go/src/github.com/docker/sbom-cli-plugin/snapshot/sbom-cli-plugin_linux_amd64/docker-sbom

/root/go/src/github.com/docker/sbom-cli-plugin/snapshot/sbom-cli-plugin_linux_amd64/docker-sbom sbom --version

sbom-cli-plugin 0.6.1-SNAPSHOT-b17d47d, build b17d47dc0b20061e7924e835716caef3c6cc6a46

Debug shows a little more: -

/root/go/src/github.com/docker/sbom-cli-plugin/snapshot/sbom-cli-plugin_linux_amd64/docker-sbom sbom --debug stereoscope-fixture-image-pkg-coverage:c531ccd41ba451da7aa4700ba89e889b9109c2841710bb0c80af91d10705b6d6 --format syft-table

[0000] DEBUG application config:
package:
  cataloger:
    enabled: true
    scope: squashed
  search-unindexed-archives: false
  search-indexed-archives: true
exclude: []
platform: ""
output: ""
format: syft-table
quiet: false
log:
  structured: false
  level: ""
  file: ""
debug: true

[0000]  INFO syft version: v0.46.3
[0000] DEBUG   ├── compiler: gc
[0000] DEBUG   ├── gitCommit: b17d47dc0b20061e7924e835716caef3c6cc6a46
[0000] DEBUG   ├── gitDescription: v0.6.1-2-gb17d47d-dirty
[0000] DEBUG   ├── goVersion: go1.19.4
[0000] DEBUG   ├── platform: linux/amd64
[0000] DEBUG   ├── syftVersion: v0.46.3
[0000] DEBUG   └── version: 0.6.1-SNAPSHOT-b17d47d
[0000] DEBUG image metadata: digest=sha256:22391dca0d1a510d5fcc9f4295848ce72bff55994ef808cbdfeeabfdc1d43843 mediaType=application/vnd.docker.distribution.manifest.v2+json tags=[stereoscope-fixture-image-pkg-coverage:c531ccd41ba451da7aa4700ba89e889b9109c2841710bb0c80af91d10705b6d6 stereoscope-fixture-image-pkg-coverage:latest] from-lib=stereoscope
[0000] DEBUG layer metadata: index=0 digest=sha256:a908332de3f8ebb4f7c95fb6869b745325f8fe96bb4d1c472b263fba6b173529 mediaType=application/vnd.docker.image.rootfs.diff.tar.gzip from-lib=stereoscope
[0000] DEBUG layer metadata: index=1 digest=sha256:cb90c02c204e8f97351fc204f67e5f432f733179629cc59215648e8c35520276 mediaType=application/vnd.docker.image.rootfs.diff.tar.gzip from-lib=stereoscope
[0000] DEBUG layer metadata: index=2 digest=sha256:aee5ab65d15f551ee339b0e75c1a732d2a59cc6e0bfd301139b454d8069b2b00 mediaType=application/vnd.docker.image.rootfs.diff.tar.gzip from-lib=stereoscope
[0000]  INFO could not identify distro
[0000]  INFO cataloging image
[0000] DEBUG cataloging with "ruby-gemspec-cataloger"
[0000] DEBUG discovered 2 packages
[0000] DEBUG cataloging with "python-package-cataloger"
[0000] DEBUG discovered 4 packages
[0000] DEBUG cataloging with "php-composer-installed-cataloger"
[0000] DEBUG discovered 3 packages
[0000] DEBUG cataloging with "javascript-package-cataloger"
[0000] DEBUG discovered 1 packages
[0000] DEBUG cataloging with "dpkgdb-cataloger"
[0000] DEBUG discovered 3 packages
[0000] DEBUG cataloging with "rpmdb-cataloger"
[0000] DEBUG discovered 1 packages
[0000] DEBUG cataloging with "java-cataloger"
[0000]  WARN cataloger 'java-cataloger' failed to parse entries at location=Location<id=4 RealPath="/java/example-java-app-maven-0.1.0.jar" VirtualPath="/java/example-java-app-maven-0.1.0.jar" Layer="sha256:a908332de3f8ebb4f7c95fb6869b745325f8fe96bb4d1c472b263fba6b173529">: unable to read files from java archive: unable to open zip archive (/tmp/syft-archive-contents-3683551109/archive-example-java-app-maven-0.1.0.jar): cannot find beginning of zip archive="/tmp/syft-archive-contents-3683551109/archive-example-java-app-maven-0.1.0.jar" : zip: not a valid zip file
[0000]  WARN cataloger 'java-cataloger' failed to parse entries at location=Location<id=5 RealPath="/java/example-jenkins-plugin.hpi" VirtualPath="/java/example-jenkins-plugin.hpi" Layer="sha256:a908332de3f8ebb4f7c95fb6869b745325f8fe96bb4d1c472b263fba6b173529">: unable to read files from java archive: unable to open zip archive (/tmp/syft-archive-contents-701429832/archive-example-jenkins-plugin.hpi): cannot find beginning of zip archive="/tmp/syft-archive-contents-701429832/archive-example-jenkins-plugin.hpi" : zip: not a valid zip file
[0000] DEBUG discovered 0 packages
[0000] DEBUG cataloging with "apkdb-cataloger"
[0000] DEBUG discovered 2 packages
[0000] DEBUG cataloging with "go-module-binary-cataloger"
[0000] DEBUG discovered 0 packages
[0000] DEBUG cataloging with "dotnet-deps-cataloger"
[0000] DEBUG discovered 0 packages
NAME              VERSION    TYPE
Pygments          2.6.1      python
apt               1.8.2      deb
bundler           2.1.4      gem
dash              0.5.8-2.4  deb
dive              0.9.2-1    rpm
libc-utils        0.7.2-r0   apk
musl-utils        1.1.24-r2  apk
netbase           5.4        deb
nikic/fast-route  v1.3.0     php-composer
npm               6.14.6     npm
psr/container     2.0.2      php-composer
psr/http-factory  1.0.1      php-composer
requests          2.22.0     python
someotherpkg      3.19.0     python
somerequests      3.22.0     python
unbundler         3.1.4      gem

I can reproduce this by installing the same version of syft : -

wget https://github.com/anchore/syft/releases/download/v0.46.3/syft_0.46.3_linux_amd64.deb

dpkg --install syft_0.46.3_linux_amd64.deb

syft --version

syft 0.46.3

syft stereoscope-fixture-image-pkg-coverage:c531ccd41ba451da7aa4700ba89e889b9109c2841710bb0c80af91d10705b6d6

 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [16 packages]
[0000]  WARN cataloger 'java-cataloger' failed to parse entries at location=Location<id=5 RealPath="/java/example-jenkins-plugin.hpi" VirtualPath="/java/example-jenkins-plugin.hpi" Layer="sha256:a908332de3f8ebb4f7c95fb6869b745325f8fe96bb4d1c472b263fba6b173529">: unable to read files from java archive: unable to open zip archive (/tmp/syft-archive-contents-1650874893/archive-example-jenkins-plugin.hpi): cannot find beginning of zip archive="/tmp/syft-archive-contents-1650874893/archive-example-jenkins-plugin.hpi" : zip: not a valid zip file
[0000]  WARN cataloger 'java-cataloger' failed to parse entries at location=Location<id=4 RealPath="/java/example-java-app-maven-0.1.0.jar" VirtualPath="/java/example-java-app-maven-0.1.0.jar" Layer="sha256:a908332de3f8ebb4f7c95fb6869b745325f8fe96bb4d1c472b263fba6b173529">: unable to read files from java archive: unable to open zip archive (/tmp/syft-archive-contents-582683570/archive-example-java-app-maven-0.1.0.jar): cannot find beginning of zip archive="/tmp/syft-archive-contents-582683570/archive-example-java-app-maven-0.1.0.jar" : zip: not a valid zip file
NAME              VERSION    TYPE
Pygments          2.6.1      python
apt               1.8.2      deb
bundler           2.1.4      gem
dash              0.5.8-2.4  deb
dive              0.9.2-1    rpm
libc-utils        0.7.2-r0   apk
musl-utils        1.1.24-r2  apk
netbase           5.4        deb
nikic/fast-route  v1.3.0     php-composer
npm               6.14.6     npm
psr/container     2.0.2      php-composer
psr/http-factory  1.0.1      php-composer
requests          2.22.0     python
someotherpkg      3.19.0     python
somerequests      3.22.0     python
unbundler         3.1.4      gem

If I instead download/install the latest version of syft : -

dpkg --remove syft

wget https://github.com/anchore/syft/releases/download/v0.64.0/syft_0.64.0_linux_amd64.deb

dpkg --install syft_0.64.0_linux_amd64.deb

syft --version

syft 0.64.0

I don't see the same issue: -

syft stereoscope-fixture-image-pkg-coverage:c531ccd41ba451da7aa4700ba89e889b9109c2841710bb0c80af91d10705b6d6

 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [16 packages]
NAME              VERSION    TYPE
Pygments          2.6.1      python
apt               1.8.2      deb
bundler           2.1.4      gem
dash              0.5.8-2.4  deb
dive              0.9.2-1    rpm
libc-utils        0.7.2-r0   apk
musl-utils        1.1.24-r2  apk
netbase           5.4        deb
nikic/fast-route  v1.3.0     php-composer
npm               6.14.6     npm
psr/container     2.0.2      php-composer
psr/http-factory  1.0.1      php-composer
requests          2.22.0     python
someotherpkg      3.19.0     python
somerequests      3.22.0     python
unbundler         3.1.4      gem

What you expected to happen:

The TestAllFormatsExpressible test should pass

How to reproduce it (as minimally and precisely as possible):

See above

Anything else we need to know?:

This only appears to fail thusly on Ubuntu Linux; testing syft v0.46.3 on macOS doesn't exhibit the same issue: -

wget https://github.com/anchore/syft/releases/download/v0.46.3/syft_0.46.3_darwin_arm64.tar.gz

tar xvzf syft_0.46.3_darwin_arm64.tar.gz

./syft --version

syft 0.46.3

syft stereoscope-fixture-image-pkg-coverage:latest

 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [20 packages]

NAME                    VERSION       TYPE
Pygments                2.6.1         python
apt                     1.8.2         deb
bundler                 2.1.4         gem
dash                    0.5.8-2.4     deb
dive                    0.9.2-1       rpm
example-java-app-maven  0.1.0         java-archive
example-jenkins-plugin  1.0-SNAPSHOT  jenkins-plugin
joda-time               2.9.2         java-archive
libc-utils              0.7.2-r0      apk
musl-utils              1.1.24-r2     apk
netbase                 5.4           deb
nikic/fast-route        v1.3.0        php-composer
npm                     6.14.6        npm
psr/container           2.0.2         php-composer
psr/http-factory        1.0.1         php-composer
requests                2.22.0        python
someotherpkg            3.19.0        python
somerequests            3.22.0        python
unbundler               3.1.4         gem

Failing Ubuntu

lsb_release -a

No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 20.04.5 LTS
Release:	20.04
Codename:	focal

Working macOS

sw_vers

ProductName:		macOS
ProductVersion:		13.1
BuildVersion:		22C65

Environment:

  • Output of docker version:

docker version

Client:
 Version:           20.10.12
 API version:       1.41
 Go version:        go1.16.2
 Git commit:        20.10.12-0ubuntu2~20.04.1
 Built:             Wed Apr  6 02:14:38 2022
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server:
 Engine:
  Version:          20.10.12
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.16.2
  Git commit:       20.10.12-0ubuntu2~20.04.1
  Built:            Thu Feb 10 15:03:35 2022
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.5.9-0ubuntu1~20.04.6
  GitCommit:
 runc:
  Version:          1.1.0-0ubuntu1~20.04.2
  GitCommit:
 docker-init:
  Version:          0.19.0
  GitCommit:

  • Output of docker sbom version:

N/A

golangci-lint 1.45.0 - as referenced in Makefile - panics

What happened:

Having run make bootstrap-tools to install the requisite version of golangci-lint - 1.45.0 - into .tmp/golangci-lint other make commands lead to a panic from golangci-lint : -

panic: load embedded ruleguard rules: rules/rules.go:13: can't load fmt

goroutine 1 [running]:
github.com/go-critic/go-critic/checkers.init.22()
        github.com/go-critic/[email protected]/checkers/embedded_rules.go:46 +0x494

In fact, merely running .tmp/golangci-lint results in the same panic.

This is due to an issue with golangci-lint itself, as per this - go-critic/ruleguard: load embedded ruleguard rules: rules/rules.go:13: can't load fmt #3107 - and occurs with versions 1.45.0, 1.46.0 and 1.47.0.

Later versions from 1.48.0 through the current latest - 1.50.1 - work OK

What you expected to happen:
make etc. that leverages golangci-lint should run to completion; also golangci-lint commands such as .tmp/golangci-lint --version should just work: -

golangci-lint has version 1.50.1 built from 8926a95f on 2022-10-22T10:50:47Z

How to reproduce it (as minimally and precisely as possible):

  1. Clone the sbom-cli-plugin repo
  2. Run make bootstrap-tools
  3. Test the downloaded/installed version of golangci-lint via .tmp/golangci-lint --version or just run make
  4. Watch the panic

Anything else we need to know?:

Environment:
go version

go version go1.19.4 darwin/arm64

sw_vers

ProductName:            macOS
ProductVersion:         13.1
BuildVersion:           22C65

I've also reproduced the same on Ubuntu

I'll create a PR from my own fork, updating golangci-lint to the (current) latest - 1.50.1 - as per that project's releases page

Syft version is [not provided] in most formats

Most formats do not record the version of Syft used. The version is reported as [not provided].

For instance, with cyclonedx-json:

$ docker sbom --version
sbom-cli-plugin 0.6.0, build 741c56e0db8c65d853f18e0a9b23287d33b30e05

$ docker sbom alpine:latest --format cyclonedx-json | jq -r .metadata.tools
[
  {
    "vendor": "anchore",
    "name": "syft",
    "version": "[not provided]"
  }
]

Looking at the upstream code, I think this is down to the fact that some/most formats don't respect the Descriptor.Version field in the SBOM and just use version.FromBuild().Version which won't be populated when using syft as a library.

Here's a table comparing all the formats. A 🟢 indicates that it reports the expected version; a 🔴 indicates a missing version.

Format          Pass/Fail  Notes
syft-json       🟢
cyclonedx-xml   🔴
cyclonedx-json  🔴
github-0-json   🔴         Reports 0.0.0-dev
spdx-tag-value  🔴
spdx-json       🔴
table           🟢         N/A
text            🟢         N/A
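An SBOM whose generator version is "[not provided]" cannot be tied back to a specific cataloger build, which matters when a later syft release changes what it detects (compare the Java archives missed by v0.46.3 in the test-failure report above). The check below is an added example rather than code from the project: it reads an SBOM from stdin, extracts the generator version from the CycloneDX JSON shape quoted above (.metadata.tools as an array of vendor/name/version objects) or from syft-json (.descriptor.version), and fails when the value is empty, "[not provided]", or the "0.0.0-dev" placeholder noted for github-0-json. It requires jq; the sample documents are constructed, and the function names are hypothetical.

```shell
# Added example (not sbom-cli-plugin code): fail a CI step when an SBOM does
# not record a usable generator version. Requires jq.
#
# Document shapes handled (assumptions, matching the outputs quoted above):
#   CycloneDX JSON : .metadata.tools is an array of {vendor,name,version}
#   syft-json      : .descriptor.version
# Values treated as "missing": "", "[not provided]", "0.0.0-dev".

# sbom_tool_version < sbom.json
#   Prints the recorded syft version, or an empty line if none is present.
sbom_tool_version() {
    jq -r '
      if .bomFormat == "CycloneDX" then
        (.metadata.tools // []) | map(select(.name == "syft")) | (.[0].version // "")
      elif .descriptor then
        (.descriptor.version // "")
      else
        ""
      end'
}

# sbom_has_tool_version < sbom.json
#   Returns 0 when a real version is recorded, 1 otherwise (message on stderr).
sbom_has_tool_version() {
    v=$(sbom_tool_version) || return 1
    case "$v" in
        ""|"[not provided]"|"0.0.0-dev")
            echo "SBOM generator version missing (got '${v:-<empty>}')" >&2
            return 1 ;;
        *)
            echo "SBOM generator version: $v" >&2
            return 0 ;;
    esac
}

# Constructed sample documents, trimmed to the fields the check reads.
SAMPLE_CDX_NO_VERSION='{"bomFormat":"CycloneDX","specVersion":"1.4",
  "metadata":{"tools":[{"vendor":"anchore","name":"syft","version":"[not provided]"}]},
  "components":[]}'
SAMPLE_SYFT_JSON='{"artifacts":[],"descriptor":{"name":"syft","version":"0.46.3"}}'

# Usage against a real image (needs Docker; comment only):
#   docker sbom alpine:latest --format cyclonedx-json | sbom_has_tool_version
```

Until the upstream formats populate the version, a pipeline that must keep provenance can request syft-json, which does record it, and convert from there.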
