Scanning a git repository folder present in /tmp produces an empty SBOM

Open m4nch0t opened this issue 9 months ago • 0 comments

Hello!

What happened: Scanning a git repository folder present in /tmp produces an empty SBOM.

What you expected to happen: I expect the same result, no matter the parent path. I can't find this limitation in the documentation. Is it normal?

Steps to reproduce the issue:

$ git clone git@github.com:anchore/syft.git /tmp/syft
$ syft scan dir:/tmp/syft --source-name syft --source-version "v1.3.0" -o cyclonedx-json
 ✔ Indexed file system                                                                                                                                                                                  /tmp/syft
 ✔ Cataloged contents                                                                                                                            f889822d7ce98e1a871a914d7749ebcaa7cc502bad903a47c99293135a510018
   ├── ✔ Packages                        [0 packages]  
   └── ✔ Executables                     [0 executables]  
{"$schema":"http://cyclonedx.org/schema/bom-1.5.schema.json","bomFormat":"CycloneDX","specVersion":"1.5","serialNumber":"urn:uuid:dcf8363e-f836-47ae-8e39-b70ab49f656c","version":1,"metadata":{"timestamp":"2024-05-06T21:32:49+02:00","tools":{"components":[{"type":"application","author":"anchore","name":"syft","version":"1.3.0"}]},"component":{"bom-ref":"22576995f0b79f4c","type":"file","name":"syft","version":"v1.3.0"}}} 

$ git clone git@github.com:anchore/syft.git ~/syft
$ syft scan dir:~/syft --source-name syft --source-version "v1.3.0" -o cyclonedx-json
 ✔ Indexed file system                                                                                                                                                                         /home/user/syft
 ✔ Cataloged contents                                                                                                                            f889822d7ce98e1a871a914d7749ebcaa7cc502bad903a47c99293135a510018
   ├── ✔ Packages                        [869 packages]  
   ├── ✔ File digests                    [3 files]  
   ├── ✔ File metadata                   [3 locations]  
   └── ✔ Executables                     [1 executables]  
{"$schema":"http://cyclonedx.org/schema/bom-1.5.schema.json","bomFormat":"CycloneDX","specVersion":"1.5","serialNumber":"urn:uuid:b94903cc-1697-4232-8171-6af1217e4bf1","version":1,"metadata":{"timestamp":"2024-05-06T21:34:22+02:00","tools":{"components":[{"type":"application","author":"anchore","name":"syft","version":"1.3.0"}]},"component":{"bom-ref":"f60be7f39b7b1cbd","type":"file","name":"syft","version":"v1.3.0"}},"components":[{"bom-ref":"cd49351a0c14e9ee","type":"library","name":"","purl":"pkg:gem/","properties":[{"name":"syft:package:foundBy","value":"ruby-gemspec-cataloger"},{"name":"syft:package:language","value":"ruby"},{"name":"syft:package:type","value":"gem"},{"name":"syft:package:metadataType","value":"ruby-gemspec"},{"name":"syft:location:0:path","value":"/syft/pkg/cataloger/ruby/test-fixtures/glob-paths/specifications/pkg/nested.gemspec"}]},{"bom-ref":"746f85750835e2df","type":"library","name":"","purl":"pkg:gem/","properties":[{"name":"syft:package:foundBy","value":"ruby-gemspec-cataloger"},{"name":"syft:package:language","value":"ruby"},{"name":"syft:package:type","value":"gem"},{"name":"syft:package:metadataType","value":"ruby-gemspec"},{"name":"syft:location:0:path","value":"/syft/pkg/cataloger/ruby/test-fixtures/glob-paths/specifications/root.gemspec"}]},{"bom-ref":"cc7fd08d2e893e18","type":"library","name":"./.github/actions/bootstrap","cpe":"cpe:2.3:a:.\\/.github\\/actions\\/bootstrap:.\\/.github\\/actions\\/bootstrap:*:*:*:*:*:*:*:*","properties":[{"name":"syft:package:foundBy","value":"github-actions-usage-cataloger"},{"name":"syft:package:type","value":"github-action"},{"name":"syft:location:0:path","value":"/.github/workflows/benchmark-testing.yaml"}]},{"bom-......

Anything else we need to know?:

Environment:

  • Output of syft version:
syft --version
syft 1.3.0
  • OS (e.g: cat /etc/os-release or similar):
    • Ubuntu 22.04.4 LTS
    • Manjaro Linux
    • Arch Linux

m4nch0t, May 06 '24 19:05
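
Added example, not part of the original issue and not code from the syft project: a pipeline check that refuses a CycloneDX JSON SBOM with no components, the silent failure shown in the /tmp run above, where the scan reports success and still emits a valid document. The function name, the file name sbom_gate.py and the sample documents are assumptions made for this example.

```python
import json
import sys

# Constructed samples, trimmed from the two outputs in the report above.
EMPTY_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"type": "file", "name": "syft", "version": "v1.3.0"}},
})
POPULATED_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"bom-ref": "cd49351a0c14e9ee", "type": "library", "name": "", "purl": "pkg:gem/"},
        {"bom-ref": "cc7fd08d2e893e18", "type": "library",
         "name": "./.github/actions/bootstrap"},
    ],
})


def check_sbom(raw):
    """Return (ok, notes) for a CycloneDX JSON SBOM given as a string."""
    try:
        bom = json.loads(raw)
    except json.JSONDecodeError as exc:
        return False, [f"not valid JSON: {exc.msg}"]
    if not isinstance(bom, dict) or bom.get("bomFormat") != "CycloneDX":
        return False, ["not a CycloneDX document"]
    components = bom.get("components")
    # The /tmp output above has no "components" key at all, so a missing key
    # and an empty list are both treated as "nothing was cataloged".
    if not isinstance(components, list) or not components:
        return False, ["no components cataloged"]
    # Entries with an empty name (the pkg:gem/ fixtures above) are reported
    # but do not fail the check.
    nameless = [c.get("bom-ref", "?") for c in components
                if isinstance(c, dict) and not c.get("name")]
    notes = []
    if nameless:
        notes.append(f"{len(nameless)} component(s) with an empty name: "
                     + ", ".join(nameless))
    return True, notes


if __name__ == "__main__":
    # Assumed usage; sbom_gate.py is a hypothetical file name:
    #   syft scan dir:/tmp/syft -o cyclonedx-json | python3 sbom_gate.py
    ok, notes = check_sbom(sys.stdin.read())
    for note in notes:
        print(f"sbom check: {note}", file=sys.stderr)
    sys.exit(0 if ok else 1)
```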