syft
CLI tool and library for generating a Software Bill of Materials from container images and filesystems
There are a couple of fields that feel like they should be renamed to better represent what they contain: - `artifacts` -> `packages`: the original idea is that this field...
**Please provide a set of steps on how to reproduce the issue** 1. Built a container with a base image including debian scripts: ``` FROM debian:bullseye-slim as final ARG BUILD_ARCH...
**What would you like to be added**: Consider enabling the `dotnet-deps-cataloger` by default for images and show the relationship to artifacts discovered by the `dotnet-portable-executable-cataloger`. This is important because the...
This is a list of forks of original projects that have been incorporated into syft. This tends to happen when there is some new functionality that we need upstream that...
When determining originator we only consider select ecosystems: https://github.com/anchore/syft/blob/25ae7bf55f36fc8bf786b3eb79639b8af9539fee/syft/format/internal/spdxutil/helpers/origintor.go#L17-L40 Ideally we should expand this to fill in an answer in as many ecosystems as possible. There have been suggestions to...
**What would you like to be added**: Right now the syft --help shows all configuration options, which is great, but it's fairly verbose. Ideally the configuration information could be rendered...
**What happened**: Syft generates the following SPDX (tag:value): ``` FileName: /usr/share/ca-certificates/mozilla/Actalis_Authentication_Root_CA.crt SPDXID: SPDXRef-File-...Actalis-Authentication-Root-CA.crt-b2e28e6876228bbb FileType: TEXT FileChecksum: SHA1: 511ca95607022a99ed8e68bd63f136c4854cefcb LicenseConcluded: NOASSERTION FileComment: layerID: sha256:3f946b95045046b182ad195bfdb24fe56dd6ea12d34e35a0995218d22c05102a ``` [tools-python](https://github.com/spdx/tools-python) complains that it is invalid...
Fixes #1527 Addresses two problems: - cosign output is not shown to the terminal when the logger is used - when no tty is present all logs are suppressed
implements the same functionality desired by https://github.com/anchore/syft/issues/2020 This PR implements a new cataloger called javascript-cataloger that collects full dependency trees and packages for javascript ecosystem pkg managers -- [pnpm,...
**What happened**: Syft has started to hard-code some groupIds for maven artefacts which leads to misleading PURLs when related artefacts are used as embedded instrumentation JARs. Ultimately this yields many...