
Unable to find encoder for "spdx-json=spdx.json"

Open wieringen opened this issue 1 year ago • 3 comments

What happened:

What you expected to happen: I'm trying to sign and generate an SBOM and output it to a file. One of the options syft attest --help tells me exists is:

-o, --output stringArray report output format (<format>=<file> to output to a file), formats=[cyclonedx-json cyclonedx-xml github-json spdx-json spdx-tag-value syft-json syft-table syft-text template] (default [syft-json])

But when I try this option, it outputs the following error: ERROR unable to write SBOM to file: unable to find encoder for "spdx-json=spdx.json"

I looked in the source and this behavior doesn't seem to be implemented. Any thoughts?

Steps to reproduce the issue: go run cmd/syft/main.go attest DIGEST --key=KEY -o spdx-json=spdx.json

or

syft attest DIGEST --key=KEY -o spdx-json=spdx.json

wieringen avatar Dec 10 '24 17:12 wieringen

As I understand it, when you use the syft attest command, it invokes cosign and pushes the signed SBOM w/attestation alongside the image using the same OCI registry. This means there really aren't files on the filesystem that get produced, so outputting to a file isn't implemented today. But it seems like a reasonable request to output the contents that would otherwise get pushed to the registry to a specified file -- is this what you are hoping to do?

kzantow avatar Dec 10 '24 17:12 kzantow

Version: syft 1.31.0

I see this as well following the documentation with syft attest --key cosign.key -o syft-json=sbom.syft.json -o spdx-json=sbom.spdx.json <private_registry>/<image>@<digest>

ERROR unable to write SBOM to file: unable to find encoder for "syft-json=sbom.syft.json"

Using multiple outputs with scan does work.

If you use SYFT_ATTEST_PASSWORD='<cosign key passphrase>' syft attest --key cosign.key -o spdx-json <private_registry>/<image>@<digest> that will automatically create and push the in-toto attestation in one step using cosign.

jhg03a avatar Aug 27 '25 20:08 jhg03a

We could execute multiple cosign calls in the event of multiple -o options, and execute cosign multiple times, passing the --no-upload option, capturing the output, and writing the output to the file. We should either improve this error message to indicate that attested file output is not supported, or implement handling for multiple outputs, I think. Happy to have PRs!

kzantow avatar Sep 10 '25 15:09 kzantow
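A small shell implementation of the workaround the thread points to (write the SBOM files with `syft scan`, which does accept `<format>=<file>`, then attest each file with `cosign attest`, one call per output), added here as an example rather than code from syft or from any participant. The cosign flag names (`--key`, `--type`, `--predicate`, `--no-upload`) come from cosign's CLI; the format-to-predicate-type mapping is an assumption.

```shell
#!/usr/bin/env bash
# Workaround for `syft attest` rejecting "<format>=<file>" output specs:
# write the SBOM files with `syft scan` (which honours that syntax, as the
# thread confirms) and then attest each file with cosign, one call per file.
# SBOM_DRY_RUN=1 prints the commands instead of running them.
set -euo pipefail

# Map a syft output format to a cosign predicate type (assumed mapping).
predicate_type() {
  case "$1" in
    spdx-json)      echo spdxjson ;;
    cyclonedx-json) echo cyclonedx ;;
    *)              echo custom ;;
  esac
}

# Validate one "<format>=<file>" spec. A bare format (no "=") is what attest
# currently assumes; passing the whole spec to the encoder lookup is what
# produces 'unable to find encoder for "spdx-json=spdx.json"'.
check_output_spec() {
  case "$1" in
    *=?*) return 0 ;;
    *)    echo "spec '$1' names no file; use <format>=<file>" >&2; return 1 ;;
  esac
}

run() {  # execute the command, or just print it when dry-running
  if [ "${SBOM_DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# usage: attest_outputs IMAGE KEYFILE SPEC...
attest_outputs() {
  local image="$1" key="$2"; shift 2
  [ $# -gt 0 ] || { echo "no <format>=<file> specs given" >&2; return 1; }
  local spec scan_args=()
  for spec in "$@"; do
    check_output_spec "$spec" || return 1
    scan_args+=(-o "$spec")
  done
  # one scan writes every requested format/file pair
  run syft scan "$image" "${scan_args[@]}"
  for spec in "$@"; do
    # push an in-toto attestation whose predicate is the file just written;
    # add --no-upload here to keep the attestation local instead of pushing
    run cosign attest --key "$key" --type "$(predicate_type "${spec%%=*}")" \
      --predicate "${spec#*=}" "$image"
  done
}
```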