syft
Add package description/summary to json output
What would you like to be added:
Add rpm/gem/npm package description to json output
Why is this needed: It's a required field for our company's internal SBOM. It might be required by other companies as well.
Additional context:
It would be similar to dnf/yum repoquery --queryformat "%{summary}"
I think this would be a relatively low lift and add value here 👍. The goal would be to add these for each ecosystem under the package metadata section (there is a struct type under each syft/pkg/*_metadata.go file that can capture these).
We've added this issue as a good first issue for anyone to come in and contribute. If you do pick up this issue, I think it's important to have the discussion here on whether there is a length limitation to this field, whether it should be on by default, and what the bounds of the implementation are, so we don't blow up people's outputs by a 10x magnitude in case of a verbose description.
Thanks again for the issue @yudong! We hope we can get this supported in a meaningful way for your company.
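Added example, not code from syft or from anyone in this thread: one way the per-ecosystem metadata struct could carry the new field while addressing the two concerns raised above (output size, and a description field that is filled from attacker-controlled package metadata). The struct name, the field tags, the 256-rune cap and the `BoundDescription` helper are all assumptions for illustration; syft's real `syft/pkg/*_metadata.go` types may look different. The helper collapses whitespace and control characters (a spec file or gemspec can embed newlines or terminal escape sequences in its description), truncates on rune boundaries so multi-byte characters are never split, and relies on `omitempty` so packages without a description add no bytes to the JSON.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"unicode"
	"unicode/utf8"
)

// MaxDescriptionRunes is a hypothetical cap on description length; the real
// limit (if any) would be decided in the discussion on the issue.
const MaxDescriptionRunes = 256

// RpmMetadata is a stand-in for the per-ecosystem metadata struct discussed
// above; it is not syft's actual type. omitempty keeps the new fields out of
// the JSON entirely when the package provides no text for them.
type RpmMetadata struct {
	Name        string `json:"name"`
	Version     string `json:"version"`
	Summary     string `json:"summary,omitempty"`
	Description string `json:"description,omitempty"`
}

// BoundDescription normalizes untrusted package description text:
//   - invalid UTF-8 bytes (and any literal U+FFFD) are dropped,
//   - runs of whitespace and control characters (newlines, tabs, ESC from
//     terminal escape sequences) collapse to a single space,
//   - leading/trailing whitespace is removed,
//   - the result is cut to at most max runes, never splitting a character.
// max <= 0 disables truncation.
func BoundDescription(s string, max int) string {
	var b strings.Builder
	pendingSpace := false
	for _, r := range s {
		if r == utf8.RuneError {
			continue
		}
		if unicode.IsSpace(r) || unicode.IsControl(r) {
			pendingSpace = true
			continue
		}
		if pendingSpace && b.Len() > 0 {
			b.WriteByte(' ')
		}
		pendingSpace = false
		b.WriteRune(r)
	}
	out := b.String()
	if max > 0 && utf8.RuneCountInString(out) > max {
		out = string([]rune(out)[:max])
	}
	return out
}

// EncodePackage applies the bounds and returns the JSON that would land in
// the SBOM. Summary gets a tighter cap since it is meant to be one line.
func EncodePackage(m RpmMetadata) ([]byte, error) {
	m.Summary = BoundDescription(m.Summary, 80)
	m.Description = BoundDescription(m.Description, MaxDescriptionRunes)
	return json.Marshal(m)
}

func main() {
	// Constructed sample: a package with a deliberately verbose description
	// containing a newline and an ANSI escape sequence.
	pkg := RpmMetadata{
		Name:        "example-lib",
		Version:     "1.2.3",
		Summary:     "Example library\n\x1b[31m(not really red)\x1b[0m",
		Description: strings.Repeat("Long paragraph of packaging prose. ", 200),
	}
	raw, _ := json.Marshal(pkg)
	bounded, err := EncodePackage(pkg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("unbounded: %d bytes\nbounded:   %d bytes\n%s\n", len(raw), len(bounded), bounded)
}
```

Whether the cap, the default-on behaviour, or a `--description-length`-style option is the right design is exactly the discussion the maintainer asks for; the example only shows that the cost of the field can be made predictable.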