
feat: report unknowns in sbom #2998

Merged
kzantow merged 71 commits into anchore:main from feat/known-unknowns
Oct 7, 2024

Conversation

kzantow
Contributor

@kzantow kzantow commented Jun 26, 2024

This PR adds information to the file model which allows surfacing "unknowns". Previously, when scanning a source, Syft ran a number of catalogers which created packages from the files found. If an error happened, packages simply would not be created, and some logging about the error would occur. With this change, many of these errors are returned and added as context to the files output in the SBOM. Examples of "unknowns" included by this PR:

  • executable files which did not result in identified packages
  • archives which were not scanned, or did not result in packages identified
  • errors when reading information such as invalid JSON, or corrupted binary ELF data
  • ...

This PR has a set of post-cataloging steps that perform the following:

  • identify archives in the scan target which do not have packages reported, and label them as unknowns
  • remove all unknowns from files which have locations present in packages (in other words: only leave files labeled as unknowns which have no packages)

NOTE: if you would like to experiment with this, you can select the locations and unknowns from the Syft JSON like this:

go run ./cmd/syft maven:latest -o json | jq '.files[]|select(.unknowns)|{location,unknowns}'

TODO:

  • configuration
  • assess if the unknowns in this PR are useful
  • add test coverage

Fixes: #518
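The two post-cataloging steps described above (label archives that produced no packages as unknowns, then drop unknowns from any file whose location is already evidence for a package) can be expressed as a small pure function over the file and package lists. The following is an added illustration written for this page, not Syft's own code: the `Package` and `FileEntry` types, the `archiveExtensions` set and the sample scan data are all constructed stand-ins for Syft's real models, and `UnknownLocations` mirrors the selection the `jq` filter in the description performs on the JSON output.

```go
package main

import (
	"fmt"
	"path/filepath"
	"sort"
	"strings"
)

// Package is a constructed stand-in for a cataloged package: a name plus the
// file locations that served as evidence for it. Not Syft's real type.
type Package struct {
	Name      string
	Locations []string
}

// FileEntry is a constructed stand-in for one entry in the SBOM "files" list.
// Unknowns holds the reasons this file could not be resolved to any package.
type FileEntry struct {
	Location string
	Unknowns []string
}

// archiveExtensions is an assumed set of suffixes used to recognize archives;
// Syft's own archive detection is more thorough than a suffix check.
var archiveExtensions = map[string]bool{
	".jar": true, ".war": true, ".zip": true, ".tar": true, ".tgz": true,
}

func isArchive(path string) bool {
	return archiveExtensions[strings.ToLower(filepath.Ext(path))]
}

// PostProcessUnknowns applies the two post-cataloging steps from the PR
// description and returns a new slice, leaving the input untouched:
//  1. an archive that produced no packages is labeled as an unknown
//  2. unknowns are dropped from any file whose location is referenced by a package
func PostProcessUnknowns(files []FileEntry, pkgs []Package) []FileEntry {
	covered := make(map[string]bool)
	for _, p := range pkgs {
		for _, loc := range p.Locations {
			covered[loc] = true
		}
	}
	out := make([]FileEntry, 0, len(files))
	for _, f := range files {
		entry := FileEntry{Location: f.Location, Unknowns: append([]string(nil), f.Unknowns...)}
		switch {
		case covered[entry.Location]:
			// a package was identified here, so an earlier read error is not a coverage gap
			entry.Unknowns = nil
		case isArchive(entry.Location) && len(entry.Unknowns) == 0:
			entry.Unknowns = []string{"archive was not scanned or yielded no packages"}
		}
		out = append(out, entry)
	}
	return out
}

// UnknownLocations returns, sorted, the locations that still carry unknowns:
// the same files the jq filter in the PR description selects from the JSON.
func UnknownLocations(files []FileEntry) []string {
	var locs []string
	for _, f := range files {
		if len(f.Unknowns) > 0 {
			locs = append(locs, f.Location)
		}
	}
	sort.Strings(locs)
	return locs
}

// SampleScan returns constructed input resembling what catalogers might produce.
func SampleScan() ([]FileEntry, []Package) {
	files := []FileEntry{
		{Location: "/app/lib/foo.jar"}, // archive, cataloged as a package
		{Location: "/app/lib/bar.jar"}, // archive, no package found
		{Location: "/usr/local/bin/tool", Unknowns: []string{"no package identified for executable"}},
		// one cataloger recorded a read error, but another identified a package at this location
		{Location: "/app/package.json", Unknowns: []string{"invalid JSON"}},
	}
	pkgs := []Package{
		{Name: "foo", Locations: []string{"/app/lib/foo.jar"}},
		{Name: "app", Locations: []string{"/app/package.json"}},
	}
	return files, pkgs
}

func main() {
	files, pkgs := SampleScan()
	for _, f := range PostProcessUnknowns(files, pkgs) {
		if len(f.Unknowns) > 0 {
			fmt.Printf("%s: %s\n", f.Location, strings.Join(f.Unknowns, "; "))
		}
	}
}
```

For an SBOM consumer, the remaining unknowns are the useful signal: each one is a file the scan could not account for, which is exactly the coverage gap a reviewer wants to see rather than have silently logged and dropped.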

kzantow added 2 commits June 26, 2024 01:52
Signed-off-by: Keith Zantow <kzantow@gmail.com>
@github-actions github-actions bot added the json-schema Changes the json schema label Jun 26, 2024
kzantow added 9 commits June 26, 2024 09:47
@kzantow kzantow force-pushed the feat/known-unknowns branch from f9a4e4d to 9359810 Compare July 8, 2024 13:35


@github-actions github-actions bot removed the json-schema Changes the json schema label Sep 13, 2024
@github-actions github-actions bot added the json-schema Changes the json schema label Sep 13, 2024
@github-actions github-actions bot removed the json-schema Changes the json schema label Oct 4, 2024
@github-actions github-actions bot added the json-schema Changes the json schema label Oct 4, 2024
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
@kzantow kzantow merged commit ccbee94 into anchore:main Oct 7, 2024
12 checks passed
@kzantow kzantow deleted the feat/known-unknowns branch October 7, 2024 21:28
Labels
json-schema Changes the json schema
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Report known unknowns directly in the output SBOM
2 participants