syft
CLI tool and library for generating a Software Bill of Materials from container images and filesystems
**What happened**: Running Grype on a local development directory. A variable is not interpreted correctly in a multi-level configuration file. See the following example with the ${version.h2.database} variable, `$ grype ./My_project`: guava...
**What happened**: When running syft version 0.105.0 against a dynamically linked go binary on my system, I do not get any output. Output from `syft /usr/bin/dnscrypt-proxy` on version 0.105.0: ```...
**What would you like to be added**: I would like to see the go-mod/cache added as release artifact next to the source and the compiled binaries. Please extend the Release...
**What happened**: `syft -o cyclonedx-json python:3.10-slim-bookworm | jq '.components[] | select(.name == "wheel")'` Syft detects wheel 0.42.0 but fails to detect the license (MIT). When you look into...
Previously, the file resolver was created from incorrect calls (path.Join instead of filepath.Join), which resulted in Go license searches always missing on Windows. Use filepath.* functions when initializing the Go config,...
Today, when we cannot find a version for a package, we end up not including it in the SBOM at all. This is consistent with the NTIA minimum requirements; however,...
**What happened**: Syft is at least not working properly on Windows when analyzing a project in a directory (syft scan dir:...). I used variations of SYFT_GOLANG... env variables to enable module...
**What happened**: bom.metadata.component object is missing in output json bom, syft\format\internal\cyclonedxutil\helpers\decoder.go Line 207 func extractComponents(meta *cyclonedx.Metadata) source.Description {... Getting the component is only implemented for "container" and "file". **What you...
**What happened**: Syft creates two entries in the SBOM for the local dependency, one of which doesn't have details like version or license. **What you expected to happen**: For...
**What happened**: When I try to validate the spdx-2.2 JSON file using the python-tools command `pyspdxtools`, it outputs a number of different issues, one of them being that for each File, it...