kzantow
commented
1 year ago We could attempt to get the type if the SBOM has a PURL or if we're decoding a Syft SBOM and there is type information.
Open kzantow opened 1 year ago
kzantow
commented
1 year ago We could attempt to get the type if the SBOM has a PURL or if we're decoding a Syft SBOM and there is type information.
dautovri
commented
1 year ago Looks in syft version: 0.71.0 all good
syft cgr.dev/chainguard/wolfi-base:latest
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [23 packages]
NAME VERSION TYPE
apk-tools 2.12.11-r2 apk
busybox 1.36.0 binary
busybox 1.36.0-r0 apk
ca-certificates-bundle 20220614-r4 apk
glibc 2.36-r6 apk
glibc-locale-posix 2.36-r6 apk
libcrypto3 3.0.8-r0 apk
libssl3 3.0.8-r0 apk
wolfi-base 1-r3 apk
wolfi-baselayout 20230201-r0 apk
wolfi-keys 1-r5 apk
zlib 1.2.13-r3 apkThanks for following up @dautovri! I had a look at the latest wolfi image and I think this may still be an issue. It looks like the SBOMs being included have corrected versions that match APK, e.g. with -r# suffixes. This definitely needs a bit more investigation.
dautovri
commented
1 year ago @kzantow I think we have the same issue here as well
syft lfedge/eve
A lot of alpine packages don't have a right type.
Please provide a set of steps on how to reproduce the issue
What happened: Reported in the community slack, scanning an image with an SBOM results in the package type being empty.
What you expected to happen: The package type is set if there is enough information to determine an accurate type.
Environment:
syft version:v0.63.0cat /etc/os-releaseor similar): macOS / all