sbom-operator
[FEATURE] - Image Name as Project Name in DTrack Integration
First off, thank you so much for this. I stumbled upon this repo while I was researching how to add syft into our CI pipeline to do some SBOM generation, and you might've just saved me a few weeks of banging my head against the keyboard.
It would be nice if instead of using the entire image name + repo as the project name in creation, just the image name was used. When images are pulled from places like ECR/GAR/GHCR it makes the project names pretty long so it would be a 'nice-to-have' if it just set the project name as the container name when creating the project in Dependency Track.
so my-cool-app
vs https://{acct_id}.dkr.ecr.{region}.amazonaws.com/my-cool-app:{tag}
as an ECR example.
Or maybe even some regex to pass in to override the default behavior so you don't have to maintain a list of regexes to parse image names.
Hi @cloudmatt,
from the dtrack-logic inside the operator, I think it should work to use another part of the full image-name. Dependency-Track has two fields for this: ProjectName (which is typically the repository, e.g. https://{acct_id}.dkr.ecr.{region}.amazonaws.com/my-cool-app) and the ProjectVersion, which is the Tag or Digest.
When you say you only want to report the last part of the image-name, which version do you want to report? Still the concrete tag or digest?
Be aware that the risk of naming conflicts is pretty high.
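To make the trade-off in this thread concrete, here is an added Go example (not the operator's own code) that derives the two Dependency-Track fields described above from a full image reference and flags the short-name conflicts the maintainer warns about. The sample references, account id and org name are constructed placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// ParseImageRef splits "[registry/]path[:tag][@digest]" into the full repository
// (the current ProjectName), its last segment (the requested ProjectName) and the
// version (tag or digest, the ProjectVersion); a digest takes precedence over a tag.
func ParseImageRef(ref string) (repo, short, version string) {
	if i := strings.Index(ref, "@"); i >= 0 {
		version, ref = ref[i+1:], ref[:i]
	}
	// A ':' marks a tag only after the last '/'; earlier it is a registry port.
	slash := strings.LastIndex(ref, "/")
	if colon := strings.LastIndex(ref, ":"); colon > slash {
		if version == "" {
			version = ref[colon+1:]
		}
		ref = ref[:colon]
	}
	if version == "" {
		version = "latest"
	}
	return ref, ref[slash+1:], version
}

// ShortNameCollisions groups the (deduplicated) references in refs by short-name
// key ("name@version") and keeps only keys that more than one repository maps to:
// the naming conflicts that would merge unrelated SBOMs into one project.
func ShortNameCollisions(refs []string) map[string][]string {
	byKey := map[string][]string{}
	for _, ref := range refs {
		repo, short, version := ParseImageRef(ref)
		byKey[short+"@"+version] = append(byKey[short+"@"+version], repo)
	}
	for key, repos := range byKey {
		if len(repos) < 2 {
			delete(byKey, key)
		}
	}
	return byKey
}

func main() {
	// Constructed sample references; the account id and org are placeholders.
	fmt.Println(ShortNameCollisions([]string{
		"123456789012.dkr.ecr.eu-west-1.amazonaws.com/my-cool-app:1.4.0",
		"ghcr.io/example-org/my-cool-app:1.4.0"})) // map[my-cool-app@1.4.0:[...]]
}
```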
This issue is stale because it has been open 90 days with no activity. Remove stale label with /remove-lifecycle stale or comment or this will be closed in 5 days.