anchore / grant

Search an SBOM for licenses and the packages they belong to
Apache License 2.0

Add layerID to package struct in report #52

Open tomerse-sg opened 8 months ago

tomerse-sg commented 8 months ago

Hello,

When I want to check the licenses of a given image, it is important to me to understand in which layer the package exists. This information is already provided by syft; is it possible to display it in grant as well?

Thanks for your time!

limaonet commented 3 months ago

I also really need this feature

spiffcs commented 3 months ago

Nice! Thanks for the feedback on this.

https://github.com/anchore/syft/issues/15 ^ This is blocked since grant uses syft and would need 15 to be fulfilled

This would allow files to be associated with the individual layers, and then we could disqualify base image layer licenses and ONLY find licenses added by our own software.

tomersein commented 1 month ago

What about this? https://github.com/anchore/syft/pull/3138

This PR will provide a resolver which can find out which file / package exists in each layer. @spiffcs
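The per-layer attribution that the thread asks for can already be scripted on top of syft's JSON output while grant lacks it. The following is an added example, not code from grant or syft: it reads a syft-style JSON SBOM, groups package licenses by the `layerID` recorded on each package location, and then reports only the licenses introduced by layers above the base image, which is the "disqualify base image layer licenses" workflow spiffcs describes. The SBOM embedded below is constructed for the example and trimmed to the fields used; the assumed field names (`artifacts[].locations[].layerID`, `artifacts[].licenses[].spdxExpression`, `source.metadata.layers[].digest`) follow syft's JSON schema for image scans, but verify them against the schema version your syft emits. Which layers belong to the base image is also an assumption: here the first layer is treated as the base, whereas in practice you would take the base image's layer digests from its own manifest.

```python
"""Attribute SBOM packages to image layers and flag licenses added above the base image.

Added example, not grant's or syft's code. Field names below are assumptions taken
from syft's JSON schema for image scans; the sample SBOM is constructed for this demo.
"""
import json
from typing import Dict, List, Set, Tuple

# Constructed sample: a two-layer image. "sha256:base0001" stands in for the base image
# layer, "sha256:app00002" for the layer our own build added. One package (vendored-tool)
# deliberately has no layerID, as happens for locations syft could not map to a layer.
SAMPLE_SBOM = json.loads(r"""
{
  "artifacts": [
    {"name": "libssl3", "version": "3.0.13", "type": "deb",
     "locations": [{"path": "/usr/lib/x86_64-linux-gnu/libssl.so.3", "layerID": "sha256:base0001"}],
     "licenses": [{"value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared"}]},
    {"name": "bash", "version": "5.2", "type": "deb",
     "locations": [{"path": "/bin/bash", "layerID": "sha256:base0001"}],
     "licenses": [{"value": "GPL-3.0-or-later", "spdxExpression": "GPL-3.0-or-later", "type": "declared"}]},
    {"name": "requests", "version": "2.31.0", "type": "python",
     "locations": [{"path": "/app/site-packages/requests-2.31.0.dist-info/METADATA", "layerID": "sha256:app00002"}],
     "licenses": [{"value": "Apache-2.0", "spdxExpression": "Apache-2.0", "type": "declared"}]},
    {"name": "leftpad-gpl", "version": "1.0.0", "type": "npm",
     "locations": [{"path": "/app/node_modules/leftpad-gpl/package.json", "layerID": "sha256:app00002"}],
     "licenses": [{"value": "AGPL-3.0-only", "spdxExpression": "AGPL-3.0-only", "type": "declared"}]},
    {"name": "vendored-tool", "version": "0.1", "type": "binary",
     "locations": [{"path": "/usr/local/bin/tool"}],
     "licenses": []}
  ],
  "source": {"type": "image",
             "metadata": {"layers": [{"digest": "sha256:base0001"}, {"digest": "sha256:app00002"}]}}
}
""")


def image_layers(sbom: dict) -> List[str]:
    """Ordered layer digests, lowest (base) layer first, as syft records them."""
    return [layer["digest"] for layer in sbom.get("source", {}).get("metadata", {}).get("layers", [])]


def package_layers(artifact: dict) -> Set[str]:
    """Every layerID a package's files were found in; empty if syft recorded none."""
    return {loc["layerID"] for loc in artifact.get("locations", []) if loc.get("layerID")}


def package_licenses(artifact: dict) -> Set[str]:
    """SPDX expressions declared for a package, falling back to the raw license value."""
    return {lic.get("spdxExpression") or lic.get("value") for lic in artifact.get("licenses", [])}


def licenses_by_layer(sbom: dict) -> Dict[str, Set[Tuple[str, str]]]:
    """Map layerID -> {(package name, license)}. Packages without any layerID are
    filed under "unknown" rather than dropped, so they remain visible for review."""
    out: Dict[str, Set[Tuple[str, str]]] = {}
    for art in sbom["artifacts"]:
        for layer in package_layers(art) or {"unknown"}:
            for lic in package_licenses(art) or {"(none)"}:
                out.setdefault(layer, set()).add((art["name"], lic))
    return out


def packages_above_base(sbom: dict, base_layers: Set[str]) -> List[dict]:
    """Packages attributable to our own layers: none of their files live in a base layer.
    A package with no layer information is kept (conservative: report, do not silently drop)."""
    return [art for art in sbom["artifacts"] if not (package_layers(art) & base_layers)]


def denied_licenses(sbom: dict, base_layers: Set[str], deny: Set[str]) -> List[Tuple[str, str]]:
    """(package, license) pairs from non-base layers whose license is on the deny list."""
    hits = []
    for art in packages_above_base(sbom, base_layers):
        for lic in sorted(package_licenses(art)):
            if lic in deny:
                hits.append((art["name"], lic))
    return hits


if __name__ == "__main__":
    # Assumption for the demo: the base image contributed exactly the first layer.
    base = set(image_layers(SAMPLE_SBOM)[:1])
    for layer, entries in sorted(licenses_by_layer(SAMPLE_SBOM).items()):
        print(f"{layer}:")
        for name, lic in sorted(entries):
            print(f"  {name}: {lic}")
    for name, lic in denied_licenses(SAMPLE_SBOM, base, {"AGPL-3.0-only", "GPL-3.0-or-later"}):
        print(f"DENIED above base image: {name} ({lic})")
```

To run this against a real image, generate the SBOM with `syft <image> -o json` and replace `SAMPLE_SBOM` with the parsed file; the base-layer set should come from the base image's manifest rather than the `[:1]` slice used for the demo. Note that `bash` under GPL-3.0-or-later is on the deny list but is not reported, because its only location sits in the base layer, while the AGPL package in the application layer is.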