Open wagoodman opened 3 weeks ago
Should we move this functionality to Syft, as part of the family of --enrichments? Looking up package info via archive hash seems like something that would benefit both tools.
I think we should do this in both places, since there are multiple avenues. That is, agreed, this should be in syft as an opt-in enrichment option. But in case you're using a non-syft SBOM or otherwise different input source with grype then we should still allow for looking up this information.
This seems like one of the things that could be done strictly during an "enhancement" phase in Syft, which Grype also runs. In other words:
First, Syft scans, finds JAR files, attempts to identify using bytes available, surfaces packages with all info including SHA-1 hashes for JARs -- OR -- Syft imports an SBOM into the internal Syft data model
Then, Syft passes found packages to enhancement
This would have to happen before compliance rules are applied.
I think this would allow Grype to essentially operate the same as it does today and allow Syft to get the benefit of updating certain incomplete Java records.
Today when you enable searching for artifact and group ID from maven central with a sha1, this is done for all java artifacts, not just ones missing artifact and group ID: https://github.com/anchore/grype/blob/9b7d752a7901bdd54f5bbda1b19028d571fa3a4f/grype/matcher/java/matcher.go#L79-L83 . This condition should be tightened -- instead of always searching, we should only search if there is missing pom data.
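The tightened condition described in the last comment, as an added Go example that is not code from the grype or syft repositories. It assumes a simplified JavaPackage record and a Resolver interface standing in for the Maven Central checksum search; the type and field names, the stubResolver and the sample JAR bytes are all constructed for this illustration. The point it demonstrates is that a package already carrying pom-derived group and artifact IDs, or one with no archive SHA-1 at all, never triggers a remote lookup, and the lookup count is returned so that property can be checked.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// JavaPackage is a constructed, simplified stand-in for the Java package
// record carried through an enrichment phase; field names are assumptions,
// not the project's own types.
type JavaPackage struct {
	Name          string
	Version       string
	ArchiveSHA1   string // hex SHA-1 of the JAR bytes; empty if unknown
	PomGroupID    string // from pom.properties / pom.xml; empty if missing
	PomArtifactID string // from pom.properties / pom.xml; empty if missing
}

// needsMavenLookup implements the tightened condition: only consult the
// remote index when pom-derived coordinates are missing AND a SHA-1 exists
// to search by. Fully described packages are never sent out.
func needsMavenLookup(p JavaPackage) bool {
	if p.ArchiveSHA1 == "" {
		return false
	}
	return p.PomGroupID == "" || p.PomArtifactID == ""
}

// Resolver abstracts the SHA-1 -> coordinates lookup so the decision logic
// can be exercised offline (assumed interface, not a project API).
type Resolver interface {
	ByChecksum(sha1Hex string) (groupID, artifactID string, ok bool)
}

// stubResolver is a constructed in-memory resolver standing in for the
// Maven Central checksum search.
type stubResolver map[string][2]string

func (s stubResolver) ByChecksum(h string) (string, string, bool) {
	v, ok := s[h]
	return v[0], v[1], ok
}

// enrich fills in missing coordinates for packages that qualify and returns
// the number of remote lookups issued, so a caller can verify that complete
// records and hash-less records cost zero network requests.
func enrich(pkgs []JavaPackage, r Resolver) ([]JavaPackage, int) {
	lookups := 0
	out := make([]JavaPackage, 0, len(pkgs))
	for _, p := range pkgs {
		if needsMavenLookup(p) {
			lookups++
			if g, a, ok := r.ByChecksum(p.ArchiveSHA1); ok {
				// Only fill what is missing; never overwrite pom data
				// that was read from the archive itself.
				if p.PomGroupID == "" {
					p.PomGroupID = g
				}
				if p.PomArtifactID == "" {
					p.PomArtifactID = a
				}
			}
		}
		out = append(out, p)
	}
	return out, lookups
}

// sha1Hex returns the lowercase hex SHA-1 of b, the same form an index
// keyed by archive checksum would be queried with.
func sha1Hex(b []byte) string {
	sum := sha1.Sum(b)
	return hex.EncodeToString(sum[:])
}

func main() {
	h := sha1Hex([]byte("constructed-jar-bytes")) // constructed sample, not a real JAR
	r := stubResolver{h: {"org.example", "widget"}}
	pkgs := []JavaPackage{
		{Name: "widget", Version: "1.0", ArchiveSHA1: h},                                                 // needs lookup
		{Name: "complete", Version: "2.0", ArchiveSHA1: h, PomGroupID: "com.acme", PomArtifactID: "complete"}, // already complete
		{Name: "nohash", Version: "3.0"},                                                                    // nothing to search by
	}
	out, n := enrich(pkgs, r)
	fmt.Printf("lookups issued: %d\n", n)
	for _, p := range out {
		fmt.Printf("%s %s -> %s:%s\n", p.Name, p.Version, p.PomGroupID, p.PomArtifactID)
	}
}
```

Because the decision lives in a pure function, the same gate can sit in front of an SBOM-import path as easily as in front of a direct JAR scan, which is the "enhancement phase shared by both tools" shape the earlier comments describe.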