syft
CLI tool and library for generating a Software Bill of Materials from container images and filesystems
**What would you like to be added**: File sources with line numbers **Why is this needed**: A number of tools, including Visual Studio Code and [Github](https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#example-with-minimum-required-properties), require or otherwise need...
**What would you like to be added**: In addition to file paths, line numbers are crucial for some integrations like IDEs. Ideally, in the JSON presenter in the same place...
When running syft on a directory containing Eclipse plugins (JARs) the detected component names and versions are wrong. **Example:** `org.eclipse.osgi_3.18.0.v20220516-2155.jar` --> name: `org.eclipse.osgi_3.18.0.v20220516`, version: `2155`. It seems that name...
**What would you like to be added**: I'd like to be able to use individual fields from the CPE when providing a custom template. **Why is this needed**: I am...
**What happened**: Docker official images are highly used across the ecosystem, but since these images involve a lot of custom source-installed software, instead of package managers, a lot of these...
**What would you like to be added**: Add support for parsing `package-lock.json` version 3. **Why is this needed**: There is an incompatible change from version 1 and 2 which Syft...
This is based on research with @wurstbrot. It might be an issue with syft, or the CycloneDX library. By taking a look at the output of the javascript cataloger, it...
**What would you like to be added**: A simple docker image with the following Dockerfile: `FROM php:7.4-cli` / `COPY scan.php /` should result in an SBOM that includes the...
**What would you like to be added**: CLI option that will be used to set a scan timeout, so once the timeout expires the scan will exit, output a relevant log and return...
From the README: `curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin` **Expected** Installs. **Actual** Doesn't install. `[info] fetching release script for tag='v0.55.0' [info] using...`