anchore / scan-action

Anchore container analysis and scan provided as a GitHub Action
MIT License

Syft upgrade causes SPDX format specVersion mismatch #342

Open hermankruger opened 1 month ago

hermankruger commented 1 month ago

With release https://github.com/anchore/sbom-action/releases/tag/v0.17.0 on the https://github.com/anchore/sbom-action the Syft version was updated, which in turn updated the SPDX format specVersion from 1.5 to 1.6.

If you then invoke the https://github.com/anchore/scan-action with the generated sbom, the scan-action then downloads the grype DB for version 1.5 which is incompatible with 1.6 and an error is thrown.

The https://github.com/anchore/scan-action#scanning-an-sbom-file step in the readme won't succeed currently.

spiffcs commented 1 month ago

@hermankruger do you mean CycloneDX from 1.5 --> 1.6?

SPDX is currently 2.x

Let me try and get this reproduced on my local and see where the error might be occurring for SBOM --> Scan Action with the new releases.

It might be as easy as updating the config to specify the version of the document you want, but I agree the default flow should "just work".

There would be an issue if you did not update both actions to the latest versions and had pinned scan-action back to v3.

Is it possible to update scan action as well? If not is it possible to update the sbom-action config to generate the correct version of cyclone-dx the scan action expects (1.5) rather than consuming the new default of 1.6?

hermankruger commented 1 month ago

@spiffcs, thanks for the timely feedback :)

What has happened is a combination of anchore/sbom-action@v0 and anchore/scan-action@v3 failing due to the release introducing an incompatibility between the two (1.5 -> 1.6).

I will now update to anchore/sbom-action@v0 and anchore/scan-action@v4 (4 for emphasis) and this should then solve the issue?

From a https://semver.org/ point of view it would be good to bump breaking changes on both, however I do realize bumping 0 (zero) has implications. This has been a breaking change that no one would have expected using v0 with v3.

spiffcs commented 1 month ago

@hermankruger Yep! Give those two actions an upgrade to their latest versions.

If you run into any issues still, let me know by filing an issue on either repo and tagging me, and I'll take a look.
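The thread boils down to a spec-version mismatch between the SBOM the producer emits and what the scanner's DB supports. A pre-flight check in CI that reads the generated SBOM and fails early with a clear message is cheaper than debugging a scanner error. The following is an added example (not code from anchore/sbom-action or anchore/scan-action); the `SUPPORTED` table is a constructed assumption modelled on this thread (scanner expecting CycloneDX 1.5, SPDX 2.x), not the scanner's real support matrix.

```python
import json

# Assumed set of spec versions the downstream scanner accepts. Constructed for
# this example from the thread; replace with your scanner's documented support.
SUPPORTED = {
    "CycloneDX": {"1.4", "1.5"},
    "SPDX": {"SPDX-2.2", "SPDX-2.3"},
}


def sbom_spec(doc: dict) -> tuple[str, str]:
    """Return (format, version) for a parsed CycloneDX or SPDX JSON document.

    CycloneDX carries "bomFormat" and "specVersion"; SPDX JSON carries
    "spdxVersion" (e.g. "SPDX-2.3"). Anything else is rejected.
    """
    if doc.get("bomFormat") == "CycloneDX":
        return "CycloneDX", str(doc.get("specVersion", ""))
    if "spdxVersion" in doc:
        return "SPDX", str(doc["spdxVersion"])
    raise ValueError("unrecognised SBOM document: neither CycloneDX nor SPDX JSON")


def check_compat(doc: dict, supported: dict = SUPPORTED) -> tuple[bool, str]:
    """Report whether the SBOM's spec version is one the scanner supports."""
    fmt, ver = sbom_spec(doc)
    allowed = sorted(supported.get(fmt, ()))
    if ver in allowed:
        return True, f"{fmt} {ver} is supported"
    return False, f"{fmt} {ver} is not supported; scanner accepts {allowed}"


def check_sbom_file(path: str, supported: dict = SUPPORTED) -> tuple[bool, str]:
    """Load an SBOM from disk and run the compatibility check (CI entry point)."""
    with open(path, "r", encoding="utf-8") as fh:
        return check_compat(json.load(fh), supported)


# Constructed sample documents, trimmed to the fields the check needs.
CDX_15 = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": []}
CDX_16 = {"bomFormat": "CycloneDX", "specVersion": "1.6", "components": []}
SPDX_23 = {"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT"}

if __name__ == "__main__":
    for name, doc in (("cdx-1.5", CDX_15), ("cdx-1.6", CDX_16), ("spdx-2.3", SPDX_23)):
        ok, msg = check_compat(doc)
        print(f"{name}: {'OK' if ok else 'FAIL'} - {msg}")
```

In a workflow, run `check_sbom_file` on the sbom-action output before the scan step so a producer upgrade that bumps the spec version fails with an explicit message instead of a DB error.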