Dart: Syft incorrectly generates SBOM with version 0.0.0 for SDK dependencies
What happened:
The Trivy tool had the same issue, which was raised here.
We are using syft to generate SBOMs for our Dart/Flutter project. Syft incorrectly generates a dependency for flutter@0.0.0, ignoring the `sdk` setting.
Corresponding part of the pubspec.lock:

```yaml
…
  flutter:
    dependency: "direct main"
    description: flutter
    source: sdk
    version: "0.0.0"
…
```
As you can see it specifies source as sdk.
Further down in the pubspec.lock file there is more information on the sdk version:

```yaml
sdks:
  dart: ">=2.15.1 <3.0.0"
  flutter: ">=2.8.0"
```
What you expected to happen:
The generated SBOM should not contain the incorrect (but unfortunately valid) version 0.0.0.
Steps to reproduce the issue:
Our project code is private, but the problem exists in any Flutter project.
You can reproduce the problem easily by running `syft scan dir:./ -o spdx-json=sbom.spdx.json` on this project: https://github.com/KhoaSuperman/findseat/
Anything else we need to know?:
One more thing: dart hasn't been added to the SBOM either. So it is not only flutter that fails because the actual version is in the sdks zone; dart is not being captured either.
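As an added illustration (this is not syft's code and not part of the issue), the following Go program parses the small pubspec.lock subset shown above and contrasts the behaviour described in the report with one possible correct handling: a package whose `source` is `sdk` is recorded with the constraint from the `sdks` section instead of the placeholder `0.0.0`, and SDKs listed only under `sdks` (dart here) are recorded as well. The lock text is constructed for the example, and representing an SDK by its version constraint is an assumption of this example, not something the issue settles.

```go
package main

import (
	"fmt"
	"strings"
)

// samplePubspecLock is a constructed fragment in the shape of the file quoted
// in the report: one sdk-sourced package, one hosted package, and an sdks block.
const samplePubspecLock = `packages:
  flutter:
    dependency: "direct main"
    description: flutter
    source: sdk
    version: "0.0.0"
  http:
    dependency: "direct main"
    description:
      name: http
      url: "https://pub.dev"
    source: hosted
    version: "0.13.6"
sdks:
  dart: ">=2.15.1 <3.0.0"
  flutter: ">=2.8.0"
`

// Package holds the only fields this example needs from a package stanza.
type Package struct {
	Name, Source, Version string
}

// splitKV splits "key: value" on the first colon and strips surrounding quotes.
func splitKV(s string) (string, string) {
	k, v, _ := strings.Cut(s, ":")
	return strings.TrimSpace(k), strings.Trim(strings.TrimSpace(v), `"`)
}

// parseLock is a minimal indentation-based reader for the two top-level
// sections used here (packages, sdks); it is not a general YAML parser.
func parseLock(text string) (pkgs []Package, sdks map[string]string) {
	sdks = map[string]string{}
	section := ""
	cur := -1 // index of the package stanza currently being filled
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimRight(raw, " \r")
		if strings.TrimSpace(line) == "" {
			continue
		}
		indent := len(line) - len(strings.TrimLeft(line, " "))
		key, val := splitKV(strings.TrimSpace(line))
		switch {
		case indent == 0:
			section, cur = key, -1
		case indent == 2 && section == "packages":
			pkgs = append(pkgs, Package{Name: key})
			cur = len(pkgs) - 1
		case indent == 2 && section == "sdks":
			sdks[key] = val
		case indent == 4 && cur >= 0:
			switch key {
			case "source":
				pkgs[cur].Source = val
			case "version":
				pkgs[cur].Version = val
			}
		}
	}
	return pkgs, sdks
}

// sbomEntries maps component name to the version string that would be emitted.
// fixed=false reproduces the reported behaviour (version taken verbatim from the
// package stanza, sdks ignored); fixed=true resolves sdk-sourced packages and
// standalone SDKs through the sdks block instead.
func sbomEntries(text string, fixed bool) map[string]string {
	pkgs, sdks := parseLock(text)
	out := map[string]string{}
	for _, p := range pkgs {
		if fixed && p.Source == "sdk" {
			if c, ok := sdks[p.Name]; ok {
				out[p.Name] = c // assumption: constraint stands in for the version
			}
			continue
		}
		out[p.Name] = p.Version
	}
	if fixed {
		for name, c := range sdks {
			if _, seen := out[name]; !seen {
				out[name] = c
			}
		}
	}
	return out
}

func main() {
	fmt.Println("reported behaviour:", sbomEntries(samplePubspecLock, false))
	fmt.Println("sdk-aware handling:", sbomEntries(samplePubspecLock, true))
}
```

Running it prints the `flutter` entry as `0.0.0` with no `dart` entry in the first map, and `flutter` and `dart` carrying their `sdks` constraints in the second, which is the difference the report asks for.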
Environment:
- Output of `syft version`: 1.11.1
- OS (e.g: `cat /etc/os-release` or similar): Sonoma 14.1