
Syft Directory Source: Git Tag and Metadata Information

Open spiffcs opened this issue 1 year ago • 0 comments

What would you like to be added: When syft runs a directory scan, it should be able to intuit when it is in a git repository.

This would then lead to the commit SHA, tag and other git metadata being added to the source object of the SBOM.

Why is this needed: This information can be carried forward into grype scanning and other templates/vulnerability reports to provide more accurate labeling and pinpointing of which version of a software project an SBOM was generated against.

Additional context: Picking this issue up means editing the Source object and adding specific metadata for the new git data points: https://github.com/anchore/syft/blob/1c37bab2b2b45f59ab7a9b70e3a200206771996e/syft/format/syftjson/model/source.go#L15

spiffcs · May 23 '24 20:05
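The detection the issue asks for, worked through as an added example that is not syft's or anchore's code: given a scan directory, walk upward to find `.git`, resolve `HEAD` to a commit SHA (symbolic or detached), and collect the tags that point at that commit so they can be attached to the SBOM source. It reads the repository layout with the standard library only (no `go-git`, no `git` binary), handles `packed-refs` including the `^` peel lines that annotated tags get after a clone or `git gc`, and overlays loose refs on top the way git itself does. The `GitSourceMetadata` struct and its field names are assumptions for illustration, not the shape syft adopted.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// GitSourceMetadata is an assumed shape for the git fields the issue proposes
// adding to the SBOM source object; the field names are hypothetical.
type GitSourceMetadata struct {
	RepoRoot string   // directory containing .git
	Commit   string   // 40-hex SHA that HEAD resolves to
	Branch   string   // "refs/heads/<name>" when HEAD is symbolic, "" when detached
	Tags     []string // tags whose (peeled) target is Commit
}

// findGitDir walks upward from dir until it finds a .git directory.
func findGitDir(dir string) (root, gitDir string, err error) {
	if dir, err = filepath.Abs(dir); err != nil {
		return "", "", err
	}
	for {
		cand := filepath.Join(dir, ".git")
		if fi, statErr := os.Stat(cand); statErr == nil && fi.IsDir() {
			return dir, cand, nil
		}
		parent := filepath.Dir(dir)
		if parent == dir {
			return "", "", errors.New("not inside a git repository")
		}
		dir = parent
	}
}

// loadRefs maps ref name -> SHA: packed-refs first, then loose files under
// refs/heads and refs/tags overlaid on top (loose wins, as in git). In
// packed-refs a "^<sha>" line after an annotated tag holds its peeled commit.
// A loose annotated tag resolves to a tag object, not a commit, so it will not
// match HEAD; peeling it would need object access, which this example avoids.
func loadRefs(gitDir string) (map[string]string, error) {
	refs := map[string]string{}
	packed, err := os.ReadFile(filepath.Join(gitDir, "packed-refs"))
	if err != nil && !errors.Is(err, os.ErrNotExist) {
		return nil, err
	}
	last := "" // most recent packed ref, so a following "^" line can peel it
	for _, line := range strings.Split(string(packed), "\n") {
		switch {
		case line == "" || line[0] == '#':
		case line[0] == '^' && last != "":
			refs[last] = strings.TrimSpace(line[1:])
		default:
			if parts := strings.Fields(line); len(parts) == 2 {
				refs[parts[1]], last = parts[0], parts[1]
			}
		}
	}
	for _, kind := range []string{"heads", "tags"} {
		entries, _ := os.ReadDir(filepath.Join(gitDir, "refs", kind)) // missing dir: no loose refs
		for _, e := range entries {
			if data, rerr := os.ReadFile(filepath.Join(gitDir, "refs", kind, e.Name())); rerr == nil {
				refs["refs/"+kind+"/"+e.Name()] = strings.TrimSpace(string(data))
			}
		}
	}
	return refs, nil
}

// GitMetadataFor resolves HEAD for dir and collects the tags pointing at it.
func GitMetadataFor(dir string) (*GitSourceMetadata, error) {
	root, gitDir, err := findGitDir(dir)
	if err != nil {
		return nil, err
	}
	head, hErr := os.ReadFile(filepath.Join(gitDir, "HEAD"))
	refs, rErr := loadRefs(gitDir)
	if err := errors.Join(hErr, rErr); err != nil {
		return nil, err
	}
	meta := &GitSourceMetadata{RepoRoot: root, Commit: strings.TrimSpace(string(head))}
	if strings.HasPrefix(meta.Commit, "ref: ") { // symbolic HEAD: resolve the branch
		meta.Branch = strings.TrimPrefix(meta.Commit, "ref: ")
		if meta.Commit = refs[meta.Branch]; meta.Commit == "" {
			return nil, fmt.Errorf("HEAD points at unknown ref %q", meta.Branch)
		}
	}
	for ref, sha := range refs {
		if sha == meta.Commit && strings.HasPrefix(ref, "refs/tags/") {
			meta.Tags = append(meta.Tags, strings.TrimPrefix(ref, "refs/tags/"))
		}
	}
	sort.Strings(meta.Tags)
	return meta, nil
}

func main() {
	meta, err := GitMetadataFor(".")
	fmt.Printf("%+v %v\n", meta, err)
}
```

Two things to keep in mind if this feeds a vulnerability report: a commit SHA in the SBOM only describes committed content, so a scan of a working tree with uncommitted edits should also record that the tree was dirty (this example does not inspect the index or working tree); and a tag name is a mutable pointer, so the SHA, not the tag, is the value to pin a report against.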