anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0

Adding download location support for other ecosystems (for image-based SBOM) #2087

Open Auston-Zhang opened 1 year ago

Auston-Zhang commented 1 year ago

What would you like to be added:

Add code for 'downloadlocation' for other ecosystems.

Why is this needed: Right now, only NPM (JavaScript) and Apk (Alpine) are supported for download location. Source code: https://github.com/anchore/syft/blob/007b034ee38063fd5b41c82741e7561448dc817d/syft/formats/common/spdxhelpers/download_location.go#L17

It would be really helpful if we could add code for other ecosystems (like Python and Java). So the generated SBOM (image-based) for Python packages can have the download location values.

Additional context:

Steps to reproduce (we are using the official node docker image https://hub.docker.com/_/node/ ):

  1. Run syft: `syft node -o spdx-json > node_image.json`
  2. Open the generated SBOM file.
  3. For an NPM package, we can see the download location (excerpt):

```json
"packages": [
  {
    "name": "@colors/colors",
    "SPDXID": "SPDXRef-Package-npm--colors-colors-07f71a6a6289ef27",
    "versionInfo": "1.5.0",
    "supplier": "Person: DABH",
    "originator": "Person: DABH",
    "downloadLocation": "http://github.com/DABH/colors.js.git",
    "filesAnalyzed": false,
    "homepage": "https://github.com/DABH/colors.js",
    "sourceInfo": "acquired package info from installed node module manifest file: /usr/local/lib/node_modules/npm/node_modules/@colors/colors/package.json",
    "licenseConcluded": "NOASSERTION",
    "licenseDeclared": "MIT",
    "copyrightText": "NOASSERTION",
    "description": "get colors in your node.js console",
```

For a Debian package (just for example; it also applies to Python, Java, Go... packages), we cannot see the download location (excerpt):

```json
{
  "name": "adduser",
  "SPDXID": "SPDXRef-Package-deb-adduser-d92ced51b4a5cd89",
  "versionInfo": "3.134",
  "supplier": "Person: Debian Adduser Developers \u003cadduser@packages.debian.org\u003e",
  "originator": "Person: Debian Adduser Developers \u003cadduser@packages.debian.org\u003e",
  "downloadLocation": "NOASSERTION",
  "filesAnalyzed": false,
  "sourceInfo": "acquired package info from DPKG DB: /usr/share/doc/adduser/copyright, /var/lib/dpkg/status",
  "licenseConcluded": "NOASSERTION",
  "licenseDeclared": "GPL-2.0-only AND GPL-2.0-or-later",
  "copyrightText": "NOASSERTION",
```

The full generated SBOM file is here
https://drive.google.com/file/d/1EQA8eneOwLuqOeu3yCU7OMYyxmQ6MMj8/view?usp=sharing
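The manual check in steps 2 and 3 above, automated, as an added example that is not part of the syft project or of this issue: it parses an SPDX JSON document, derives each package's ecosystem from the `SPDXRef-Package-<type>-...` identifier convention visible in the excerpts (`npm`, `deb`), and reports per ecosystem how many packages carry a real `downloadLocation` versus the SPDX placeholder values `NOASSERTION` (unknown) and `NONE` (no location exists). This is the kind of coverage report a consumer of image-based SBOMs would run to see which ecosystems still lack provenance. The embedded SBOM is constructed: the npm and deb entries are reduced copies of the two quoted above, and the `python` entry is hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// SampleSBOM is a constructed SPDX 2.x JSON fragment. The npm and deb entries
// are trimmed copies of the two packages quoted in this issue; the python
// entry is hypothetical and only illustrates an ecosystem without support.
const SampleSBOM = `{
  "packages": [
    {
      "name": "@colors/colors",
      "SPDXID": "SPDXRef-Package-npm--colors-colors-07f71a6a6289ef27",
      "versionInfo": "1.5.0",
      "downloadLocation": "http://github.com/DABH/colors.js.git"
    },
    {
      "name": "adduser",
      "SPDXID": "SPDXRef-Package-deb-adduser-d92ced51b4a5cd89",
      "versionInfo": "3.134",
      "supplier": "Person: Debian Adduser Developers \u003cadduser@packages.debian.org\u003e",
      "downloadLocation": "NOASSERTION"
    },
    {
      "name": "example-lib",
      "SPDXID": "SPDXRef-Package-python-example-lib-0000000000000000",
      "versionInfo": "0.0.1",
      "downloadLocation": "NOASSERTION"
    }
  ]
}`

// spdxPackage keeps only the SPDX fields this check needs; syft emits more.
type spdxPackage struct {
	Name             string `json:"name"`
	SPDXID           string `json:"SPDXID"`
	VersionInfo      string `json:"versionInfo"`
	DownloadLocation string `json:"downloadLocation"`
}

type spdxDocument struct {
	Packages []spdxPackage `json:"packages"`
}

// ecosystemOf extracts the package type from syft's SPDXID convention
// "SPDXRef-Package-<type>-<name>-<hash>", e.g. "...-npm--colors-..." -> "npm".
func ecosystemOf(spdxID string) string {
	const prefix = "SPDXRef-Package-"
	rest := strings.TrimPrefix(spdxID, prefix)
	if rest == spdxID {
		return "unknown"
	}
	if i := strings.Index(rest, "-"); i > 0 {
		return rest[:i]
	}
	return "unknown"
}

// hasDownloadLocation reports whether the field carries real provenance.
// SPDX reserves "NOASSERTION" (unknown) and "NONE" (no location exists).
func hasDownloadLocation(loc string) bool {
	switch strings.TrimSpace(loc) {
	case "", "NOASSERTION", "NONE":
		return false
	}
	return true
}

// Coverage is the per-ecosystem tally; Missing lists name@version of
// packages whose download location is absent or a placeholder.
type Coverage struct {
	With, Without int
	Missing       []string
}

// AuditDownloadLocations parses an SPDX JSON document and groups packages by
// ecosystem, counting those with and without a usable downloadLocation.
func AuditDownloadLocations(raw []byte) (map[string]*Coverage, error) {
	var doc spdxDocument
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, err
	}
	out := map[string]*Coverage{}
	for _, p := range doc.Packages {
		eco := ecosystemOf(p.SPDXID)
		c := out[eco]
		if c == nil {
			c = &Coverage{}
			out[eco] = c
		}
		if hasDownloadLocation(p.DownloadLocation) {
			c.With++
		} else {
			c.Without++
			c.Missing = append(c.Missing, p.Name+"@"+p.VersionInfo)
		}
	}
	return out, nil
}

func main() {
	cov, err := AuditDownloadLocations([]byte(SampleSBOM))
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	ecos := make([]string, 0, len(cov))
	for e := range cov {
		ecos = append(ecos, e)
	}
	sort.Strings(ecos) // stable report order
	for _, e := range ecos {
		c := cov[e]
		fmt.Printf("%-8s with=%d without=%d missing=%v\n", e, c.With, c.Without, c.Missing)
	}
}
```

To run it against a real syft document, replace `SampleSBOM` with the contents of `node_image.json` from step 1; the SPDXID prefix parsing assumes syft's identifier layout shown in the excerpts and falls back to `unknown` for any other scheme.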
tgerla commented 1 year ago

Hi @Auston-Zhang, thanks for the suggestion. We agree that it would be nice to add the downloadlocation field to other ecosystems where available. We will go ahead and put this in our backlog. If you are interested in implementing this for other ecosystems, please let us know and we can help get you started.