Dmitrii Sharshakov
Maybe the test should be a separate PR going in before refactoring. If so, will do later today
https://github.com/siderolabs/talos/actions/runs/11515928408/job/32057560561?pr=9489#step:18:6799 there's a chance this process just completes before cgroup code kicks in. What can we do? Qualify `no such process` as a warning?
> How are those unscanned paths (from the detected sbom in the sbom-cataloger) going to be represented in the larger composite document after we merge the results found from the SBOM...
Also, well, I could consider a subset of this issue (get source info from child SPDX, modify locators, encode in parent SBOM) to be implemented downstream by wrapping Syft in...
Okay, thanks, I'll watch the replay in some days when I have time. Yes, this needs careful consideration, since Syft is generally a scanner that finds evidence of a package...
> Perhaps a stop-gap solution is to add a flag to opt-in to SBOM cataloger behavior to include the files it reads as if they were part of the normal...
> Keep the changes minimal. Move the socketcan files back to where they belong, remove zstd and all other unrelated changes. Add test data and documentation (see file_io.rst)

I abstracted...

> you could just import from socketcan without moving the files

Is this a correct pattern for an IO module to import an interface module? That felt a bit counter-logical
I tried source-name and source-version. Actually no difference other than what's generated by these two lines:

1. https://github.com/anchore/syft/blob/7bfb4c86a6d7e5343c45c2844a232b6c7ba4c51c/syft/format/common/spdxhelpers/to_format_model.go#L148
2. https://github.com/anchore/syft/blob/7bfb4c86a6d7e5343c45c2844a232b6c7ba4c51c/syft/format/internal/spdxutil/helpers/document_namespace.go#L38

`SYFT_FORMAT_PRETTY=1 /tmp/syft/main scan . --from dir -o spdx-json --select-catalogers "+sbom-cataloger,go"...