Alex Goodman

Results 304 comments of Alex Goodman

>> Today, there's not a precedent in Syft for dynamic dependency look-ups via network calls.
>
> I might have to implement this since the build.gradle file only includes dependency names...

The Go stdlib already has the capability of listing out shared libs from all formats we'd be interested in supporting (including ELF)

The content hash in the attestation should be addressable in a practical sense, otherwise users of the attestation would not be able to check if the payload they are validating is...

The `trimpath` and `buildid` changes look great 👍, but same question as https://github.com/anchore/grype/pull/642#issuecomment-1050014381 , why change `GOPATH` here?

@tgerla it looks like there may be more things that were not originally in scope that need to be considered as part of this PR. It looks like the https://wiki.alpinelinux.org/wiki/Apk_spec...

The specific struct in question is https://github.com/anchore/syft/pull/943/files#diff-11846c0455726b6119b5b2e0fb893a6a56af1ed0fd2549e97ab65b0322c05cbbR15

@sophiewigmore there are some thoughts on the next evolution of the API tracked in a previously opened issue: https://github.com/anchore/syft/issues/558 . Feel free to take a look -- feedback is more...

Also got this issue, here is a gist to reproduce (fails on the second run): https://gist.github.com/wagoodman/371c446fbde051f94d8eac1cddc3bf73

IMO, this issue is the second highest priority issue (probably just behind the CI ticket). I think the most generic way to deal with this is to allow a more...

Should this issue be closed? Or is there a bit more work to tidy up on this issue?