Open kzantow opened 1 year ago
We could attempt to get the type if the SBOM has a PURL or if we're decoding a Syft SBOM and there is type information.
Looks in syft version: 0.71.0 all good
syft cgr.dev/chainguard/wolfi-base:latest
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [23 packages]
NAME VERSION TYPE
apk-tools 2.12.11-r2 apk
busybox 1.36.0 binary
busybox 1.36.0-r0 apk
ca-certificates-bundle 20220614-r4 apk
glibc 2.36-r6 apk
glibc-locale-posix 2.36-r6 apk
libcrypto3 3.0.8-r0 apk
libssl3 3.0.8-r0 apk
wolfi-base 1-r3 apk
wolfi-baselayout 20230201-r0 apk
wolfi-keys 1-r5 apk
zlib 1.2.13-r3 apk
Thanks for following up @dautovri! I had a look at the latest wolfi image and I think this may still be an issue. It looks like the SBOMs being included have corrected versions that match APK, e.g. with -r#
suffixes. This definitely needs a bit more investigation.
@kzantow I think we have the same issue here as well
syft lfedge/eve
A lot of alpine packages don't have a right type.
Please provide a set of steps on how to reproduce the issue
What happened: Reported in the community slack, scanning an image with an SBOM results in the package type being empty.
What you expected to happen: The package type is set if there is enough information to determine an accurate type.
Environment:
syft version
:v0.63.0
cat /etc/os-release
or similar): macOS / all