Will Murphy

Results 360 comments of Will Murphy

It sounds like consensus is to move startup code from https://github.com/anchore/sbom-action/blob/72370e18af3add17e587ca8533fab7d28d2b0bee/.github/workflows/test.yml#L68-L73 to a target in https://github.com/anchore/sbom-action/blob/72370e18af3add17e587ca8533fab7d28d2b0bee/package.json#L7. It might be nice to go further and make `npm test` call the new...

> I strongly favor just pushing these images to GHCR and updating the tests to point to them.

This is the way, but that's a totally different approach, so just...

Thanks for the detailed report @akpsgit! Here's how the profile looks now: ![image](https://github.com/anchore/syft/assets/12529630/b51b704e-0a82-476f-82b0-00befd23b61b) I think this was fixed by https://github.com/anchore/syft/pull/2814. Please let us know if we've missed something.

Hi @arkajnag23, Could you help us understand this problem a little bit more specifically? The JSON you included isn't enough information for me to understand what the problem is. Which...

Notes to whoever picks this up: The scope here is to add structured logging to syft (if it doesn't already exist) so that log lines can be JSON documents, for...

Hi @tomersein, thanks for the report! I was able to reproduce this issue. I appreciate the inclusion of a Dockerfile - it makes reproducing the issue a lot easier. 1....

Hi @t-k-u thanks for the issue! We'll try to discuss this at an upcoming community meeting. In general, Syft doesn't guarantee that there will always be a root package because...

@t-k-u when scanning `alpine:latest` as you did here, what would you expect the root of the dependency graph to be?

Hi @m4nch0t - thanks for the ping! It seems like @kzantow's comment resolves the remaining friction. This is in our ready column and anyone is welcome to work on...

We discussed this at a [recent livestream](https://anchorecommunity.discourse.group/t/september-25th-open-source-gardening-live-stream/569?u=willmurphy). The conclusion is that we need to try some things out and see how they look in DependencyTrack.