anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0

Can you control the internal format used by Syft when scanning a directory? #1938

Open tomasr opened 3 weeks ago

tomasr commented 3 weeks ago

What would you like to be added:

This is probably a weird question, but when running grype dir:<somedir>, I understand grype is essentially running syft under the hood to produce the source SBOM (or similar). Can you control what format is used for this intermediate representation?

Why is this needed:

My reason for asking is this: I have some dependencies in a folder.

If I run:

grype dir:.

I get:

 ✔ Vulnerability DB                [no update available]
 ✔ Indexed file system             .
 ✔ Cataloged contents              cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
   ├── ✔ Packages                        [18 packages]
   └── ✔ Executables                     [0 executables]
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored

If I first generate an SBOM using syft in cyclonedx-json format, then ingest it with grype sbom:.\sbom.json I get the exact same result.

However, if I first generate an SBOM using syft in SPDX format, then ingest it with grype I get:

 ✔ Vulnerability DB                [no update available]
 ✔ Scanned for vulnerabilities     [1 vulnerability matches]
   ├── by severity: 1 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 1 not-fixed, 0 ignored

NAME  INSTALLED  FIXED-IN  TYPE            VULNERABILITY   SEVERITY
zlib  1.2.13               UnknownPackage  CVE-2023-45853  Critical

So obviously the source SBOM format (or whatever the internal syft is producing over it) is somehow relevant to getting usable results?

Additional context:

kzantow commented 3 weeks ago

Hi @tomasr -- Grype is always going to use the internal Syft representation. If you ingest an SBOM, this gets converted to that representation anyway.

What versions of Syft and Grype are you using?

tomasr commented 3 weeks ago

Grype 0.78.0, Syft 1.6.0

tomasr commented 2 weeks ago

Might help if I offer a repro. Here's an easy one:

Output here looks like this:

image

Now first run syft to generate an SPDX SBOM of the exact same files, and scan it with grype:

image

Output is clearly different.
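One way to make the discrepancy described in this thread visible in a pipeline is to diff grype's JSON output for the two SBOM-sourced scans and flag matches whose package type came through as UnknownPackage. This is an added example, not code from the grype project; the two reports are constructed inline to mirror the results shown above (no matches from the CycloneDX path, one zlib match from the SPDX path), and the field names follow grype's JSON output (matches[].vulnerability, matches[].artifact).

```python
import json
from collections import Counter

# Constructed sample reports modelled on the thread: the CycloneDX-sourced scan
# returned no matches, the SPDX-sourced scan returned one match with an unknown type.
CYCLONEDX_REPORT = json.loads('{"matches": []}')
SPDX_REPORT = json.loads("""{"matches": [
  {"vulnerability": {"id": "CVE-2023-45853", "severity": "Critical"},
   "artifact": {"name": "zlib", "version": "1.2.13", "type": "UnknownPackage"}}
]}""")


def load_report(path):
    """Load a report produced with `grype ... -o json` from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def match_keys(report):
    """Reduce a grype report to a set of (vuln id, package, version, package type)."""
    keys = set()
    for m in report.get("matches", []):
        art = m["artifact"]
        keys.add((m["vulnerability"]["id"], art["name"], art["version"], art.get("type", "")))
    return keys


def compare_reports(left, right):
    """Return matches present in only one report plus package-type counts per side,
    so format-dependent drift between two scans of the same tree stands out."""
    lk, rk = match_keys(left), match_keys(right)
    return {
        "only_left": sorted(lk - rk),
        "only_right": sorted(rk - lk),
        "types_left": Counter(k[3] for k in lk),
        "types_right": Counter(k[3] for k in rk),
    }


def unknown_type_matches(report):
    """Matches whose package type is UnknownPackage: a sign the SBOM conversion lost
    the ecosystem information, as in the SPDX-sourced scan in this thread."""
    return sorted(k for k in match_keys(report) if k[3] == "UnknownPackage")


if __name__ == "__main__":
    diff = compare_reports(CYCLONEDX_REPORT, SPDX_REPORT)
    for key in diff["only_right"]:
        print("SPDX-only match:", key)
    for key in diff["only_left"]:
        print("CycloneDX-only match:", key)
    print("unknown-type matches in SPDX report:", unknown_type_matches(SPDX_REPORT))
```

Point load_report at two real `grype -o json` outputs to run the same comparison on your own directory.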