
Forks in use

Open wagoodman opened this issue 1 year ago • 0 comments

This is a list of forks of original projects that have been incorporated into syft. This tends to happen when there is some new functionality that we need upstream that we can't adapt easily in the codebase in syft. Usually a PR is opened upstream and in the meantime the fork is used in syft. We try not to get into this state, but when we do we should track which dependencies we are using that are in this state.

Ultimately the goal is to stop using these forks. This can be done a few different ways:

  1. Try and get the upstream PR merged and remove any usage of the fork from syft
  2. Find an alternative library to use

Forks

  • [ ] github.com/kastenhq/goversion introduced in https://github.com/anchore/syft/pull/2021 which incorporates the upstream PR https://github.com/rsc/goversion/pull/25
  • [ ] github.com/anchore/go-version which incorporates several PRs from upstream
  • [ ] github.com/anchore/packageurl-go - Upstream was not very active, but seems to be much more so now - we should probably re-evaluate what differences exist between ours and theirs.
  • [ ] https://github.com/anchore/archiver which incorporates a fix for CVE-2024-0406.

wagoodman, Aug 24 '23 13:08