Open Naranthiran opened 3 months ago
It looks like we are pulling vendor info (https://github.com/anchore/syft/blob/034a98f02972e94cbf3dddfdd116b94176a9d56e/syft/pkg/cataloger/redhat/parse_rpm_archive.go#L29-L34) and we're mapping that into the SPDX supplier (https://github.com/anchore/syft/blob/034a98f02972e94cbf3dddfdd116b94176a9d56e/syft/format/internal/spdxutil/helpers/originator_supplier.go#L94-L101). It might be that we're not correctly getting the vendor in the cataloger.
We should at the very least start capturing errors to a trace log (they are currently being thrown away) so we can get more visibility into this.
Hi Alex,
If we could have a fix, it would be helpful for us.
Regards, Naranthiran Duraisamy
Hi @Naranthiran -- are you able to provide a public image or other steps to reproduce this problem?
We have test RPMs that include the vendor information and this information gets properly output as SPDX suppliers, so there may be something else going on here.
Example (from this repo):
cd syft/pkg/cataloger/redhat/test-fixtures
make rpm
syft . -o spdx-json
... includes:
"supplier": "Organization: Fedora Project",
I've added a PR that logs errors when parsing these; it would need debug logging enabled (-vv): https://github.com/anchore/syft/pull/3051
It's possible the RPMs you are scanning simply may be missing this information, but there could be something else going on here. Without more information it will be hard to make any more changes to improve this, though.
Hi Keith Zantow,
I am trying to generate the SBOM with RedHat 7.9 packages.
Steps to reproduce:
1) Mount the RedHat 7.9 ISO and copy the rpm files to the folder.
2) Run the below command to generate the SBOM.
3) Import the SBOM generated in the SBOM editor and check the supplier info against the package.
Regards, Naranthiran Duraisamy
Hi Keith Zantow,
Were you able to reproduce the issue?
Please let me know if any inputs are required from my side.
Regards, Naranthiran Duraisamy
Since the BlackDuck team does not have a separate to analyze the SBOM, I was not able to give you an update.
But I have one more query regarding the SBOM generated using the syft tool.
I am using the below command to generate the SBOM. I have also attached the SBOM for your reference.
syft dir:/home/RHEL7WORK/ -o spdx-json=071724minimalos.spdx.json
We have not been able to get the supplier information in the SBOM generated. We are using an SBOM editor for reviewing the SBOM.
Can you check the SBOM and confirm what the issue with the supplier information could be, or whether it is available in the SBOM and only not visible in the SBOM editor? And are there any tools to check the supplier information?
071724minimalos.spdx.json
Regards, Naranthiran Duraisamy
Originally posted by @Naranthiran in https://github.com/anchore/syft/issues/2840#issuecomment-2232586735
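The thread asks whether the supplier information is absent from the SBOM or merely not displayed by the SBOM editor, and whether there is a tool to check it. The script below is an added example for that check; it is not syft's code and it does not use the SBOM attached to the issue. It reads an SPDX 2.x JSON document of the shape syft writes with `-o spdx-json` and reports, per package, the `supplier` and `originator` actor strings (`Organization: Fedora Project` style, as shown earlier in the thread), distinguishing a present value from an explicit `NOASSERTION` and from a missing field. The embedded sample document and its package names, versions and vendor strings are constructed for the example.

```python
"""Report which packages in an SPDX 2.x JSON SBOM carry supplier information.

Added example, not part of syft. Run with a path to an SBOM produced by
`syft ... -o spdx-json=file.json`, or with no argument to use the
constructed sample below.
"""
import json
import sys
from collections import Counter

# Constructed sample in the shape of syft's spdx-json output: one package
# with a supplier, one with NOASSERTION, one with the field absent.
SAMPLE_SPDX = """
{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "constructed-sample",
  "packages": [
    {"name": "bash", "SPDXID": "SPDXRef-Package-rpm-bash-1",
     "versionInfo": "4.2.46-34.el7",
     "supplier": "Organization: Red Hat, Inc.",
     "originator": "Organization: Red Hat, Inc."},
    {"name": "vim-minimal", "SPDXID": "SPDXRef-Package-rpm-vim-minimal-2",
     "versionInfo": "7.4.629-8.el7_9",
     "supplier": "NOASSERTION"},
    {"name": "localpkg", "SPDXID": "SPDXRef-Package-rpm-localpkg-3",
     "versionInfo": "1.0-1"}
  ]
}
"""


def parse_actor(value):
    """Split an SPDX actor string into (kind, name).

    "Organization: X"  -> ("Organization", "X")
    "Person: Y (mail)" -> ("Person", "Y (mail)")
    "NOASSERTION"      -> ("NOASSERTION", None)
    None (field absent)-> (None, None)
    A string without a "Kind:" prefix is malformed; keep it as ("Unknown", raw).
    """
    if value is None:
        return None, None
    if value == "NOASSERTION":
        return "NOASSERTION", None
    kind, sep, name = value.partition(":")
    if not sep:
        return "Unknown", value.strip()
    return kind.strip(), name.strip()


def supplier_report(doc):
    """One row per package: name, version, supplier/originator and a status
    of 'present', 'noassertion' or 'missing' for the supplier field."""
    rows = []
    for pkg in doc.get("packages", []):
        s_kind, s_name = parse_actor(pkg.get("supplier"))
        o_kind, o_name = parse_actor(pkg.get("originator"))
        if s_name:
            status = "present"
        elif s_kind == "NOASSERTION":
            status = "noassertion"
        else:
            status = "missing"
        rows.append({
            "name": pkg.get("name"),
            "version": pkg.get("versionInfo"),
            "supplier_kind": s_kind,
            "supplier": s_name,
            "originator_kind": o_kind,
            "originator": o_name,
            "status": status,
        })
    return rows


def report_from_text(text):
    """Parse an SPDX JSON document from a string and build the report."""
    return supplier_report(json.loads(text))


def summarize(rows):
    """Count packages per supplier status."""
    return Counter(r["status"] for r in rows)


def main(path=None):
    text = open(path, encoding="utf-8").read() if path else SAMPLE_SPDX
    rows = report_from_text(text)
    for r in rows:
        print(f"{r['name']:<20} {str(r['version']):<18} "
              f"supplier={r['supplier'] or '-'} "
              f"originator={r['originator'] or '-'} status={r['status']}")
    print(dict(summarize(rows)))


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

If every package in a real SBOM reports `missing` or `noassertion`, the vendor was not captured at scan time (or the RPM headers carry no Vendor tag); if the values are `present` here but blank in the SBOM editor, the problem is in the viewer, not in syft's output.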