sbom-action

file option not working

Open devinrsmith opened this issue 3 years ago • 7 comments

I've got an action defined:

      - name: Create SBOMs
        uses: anchore/sbom-action@v0
        with:
          file: ./server/jetty-app/build/distributions/server-jetty-0.20.0.tar
          upload-release-assets: false

Unfortunately, it looks like it's running with path instead of file.

2022-12-13T20:56:09.6180813Z ##[group]Run anchore/sbom-action@v0
2022-12-13T20:56:09.6181622Z with:
2022-12-13T20:56:09.6182429Z   file: ./server/jetty-app/build/distributions/server-jetty-0.20.0.tar
2022-12-13T20:56:09.6183453Z   upload-release-assets: false
2022-12-13T20:56:09.6184185Z   path: .
2022-12-13T20:56:09.6184877Z   format: spdx-json
2022-12-13T20:56:09.6185775Z   github-token: ***
2022-12-13T20:56:09.6186510Z   dependency-snapshot: false
2022-12-13T20:56:09.6187251Z   upload-artifact: true
2022-12-13T20:56:09.6187965Z env:
2022-12-13T20:56:09.6188746Z   JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/11.0.17-8/x64
2022-12-13T20:56:09.6189666Z   JAVA_HOME_11_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/11.0.17-8/x64
2022-12-13T20:56:09.6190582Z   JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.5-8/x64
2022-12-13T20:56:09.6191378Z ##[endgroup]
...
2022-12-13T20:56:13.5970942Z [0000] DEBUG indexing filesystem path="."
...

Related to https://github.com/anchore/sbom-action/pull/385?

devinrsmith avatar Dec 13 '22 21:12 devinrsmith

Is there something to indicate the scan itself is using path instead of file? The path default is ., which means it will always get that path value by default...

kzantow avatar Dec 13 '22 21:12 kzantow

I'm new to the SBOM / syft scene, so maybe my expectations are wrong, but I expected the SBOM to only be related to the file I specified, somewhat analogous to if I had run

syft file:./server/jetty-app/build/distributions/server-jetty-0.20.0.tar

but everything in my working directory is being scanned. I can add the full action logs, or the resulting SBOM, if it would be helpful.

devinrsmith avatar Dec 13 '22 21:12 devinrsmith

indexing filesystem path="."

devinrsmith avatar Dec 13 '22 21:12 devinrsmith

Could you extract the tar in a prior step and then run the scan-action on the directory?

kzantow avatar Jan 05 '23 21:01 kzantow

FWIW, I'm seeing this same behavior.

GitHub Actions run:

  • https://github.com/felddy/foundryvtt-docker/actions/runs/4600601595/jobs/8128005604#step:6:1

Calling step:

      - name: Generate SBOM
        uses: anchore/sbom-action@422cb34a0f8b599678c41b21163ea6088edb2624
        with:
          artifact-name: ${{ steps.clean.outputs.image_archive_name_stem }}-sbom.spdx.json
          file: ${{ steps.clean.outputs.image_archive_name_stem }}.tar
          upload-artifact-retention: ${{ inputs.artifact_retention_days }}

felddy avatar Apr 03 '23 20:04 felddy

It looks like file and path should be mutually exclusive here (one clobbering the other if provided). I added the bug label to this and put it into our backlog to take a look at when we have some team cycles.

If anyone on this issue has already investigated and knows the specific fix I am happy to take a look at the PR for review and help approve / work to make it into main =)

spiffcs avatar May 18 '23 20:05 spiffcs

This seems to be a problem with the defaults and input parsing. This helps:

with:
  path: null
  file: ...

dn0 avatar Jul 24 '23 08:07 dn0
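The thread above (path default of "." clobbering file, and the path: null workaround) can be illustrated with a small model of how a GitHub Action resolves two overlapping inputs. This is an added example, not sbom-action's own code; INPUT_DEFAULTS, getInput, resolveTargetBuggy and resolveTargetFixed are hypothetical names, and the model assumes that an input written as null in the with: block reaches the action as present-but-empty rather than falling back to its declared default, which is the behaviour the workaround relies on.

```javascript
// Added example (not sbom-action's code): models how an action that accepts both
// a `file` and a `path` input can silently ignore `file` when `path` defaults to ".",
// and how an explicit-precedence rule fixes it. All names here are hypothetical.

// Declared inputs as they would appear in an action.yml: `path` has a default, `file` does not.
const INPUT_DEFAULTS = { path: ".", file: "" };

// Mimics an input getter: an input the workflow never mentions falls back to its default;
// an input set to null is assumed (see lead-in) to arrive as an empty string.
function getInput(withBlock, name) {
  const v = withBlock[name];
  if (v === undefined) return INPUT_DEFAULTS[name] ?? "";
  if (v === null) return "";
  return String(v).trim();
}

// Buggy resolution: `path` is checked first, and because it always carries "."
// by default, `file` can never win unless `path` is explicitly emptied.
function resolveTargetBuggy(withBlock) {
  const path = getInput(withBlock, "path");
  const file = getInput(withBlock, "file");
  if (path) return { kind: "dir", target: path };
  if (file) return { kind: "file", target: file };
  throw new Error("no scan target given");
}

// Fixed resolution: an explicitly supplied `file` beats a merely-defaulted `path`,
// and supplying both explicitly is rejected instead of one clobbering the other.
function resolveTargetFixed(withBlock) {
  const file = getInput(withBlock, "file");
  const path = getInput(withBlock, "path");
  const pathExplicit = withBlock.path !== undefined && path !== "";
  if (file && pathExplicit) {
    throw new Error("`file` and `path` are mutually exclusive; set only one");
  }
  if (file) return { kind: "file", target: file };
  return { kind: "dir", target: path };
}

// Constructed `with:` blocks mirroring the thread.
const TAR = "./server/jetty-app/build/distributions/server-jetty-0.20.0.tar";
const WITH_FILE_ONLY = { file: TAR, "upload-release-assets": false };
const WITH_PATH_NULL = { path: null, file: TAR };            // the workaround from the last comment
const WITH_BOTH = { path: "./server", file: TAR };           // conflicting explicit inputs

// Stand-alone demo.
console.log("buggy, file only   :", resolveTargetBuggy(WITH_FILE_ONLY));   // scans "." (the reported bug)
console.log("buggy, path: null  :", resolveTargetBuggy(WITH_PATH_NULL));   // scans the tar
console.log("fixed, file only   :", resolveTargetFixed(WITH_FILE_ONLY));   // scans the tar
try {
  resolveTargetFixed(WITH_BOTH);
} catch (e) {
  console.log("fixed, both given  :", e.message);
}
```

Under the buggy rule the file-only step reproduces the `indexing filesystem path="."` line from the report, and only the `path: null` workaround steers it to the tar; under the fixed rule the file-only step works without the workaround, and a step that sets both inputs fails loudly instead of producing an SBOM for the wrong target.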