Closed snooyen closed 2 weeks ago
Hello, thank you for reaching out. We are confirming receipt of your issue. We will begin to triage the problem, and will report back when we have pertinent updates.
We have triaged the problem.
Of the action inputs you provided, this is correct:
skip_files: "/usr/local/lib/node_modules/npm/package.json"
However, we have determined the panic is caused by an issue in our inventory agent, inspector-sbomgen, meaning the action will continue to fail until the issue is resolved.
We are presently working on a hotfix to address this issue.
I will report back with an ETA and any workarounds once we're confident in the solution.
Thank you for your patience and apologies for the inconvenience.
Update: we have a fix in place to resolve this issue. We are planning on deploying the fix early next week. I will let you know when the fix is available for your use.
@snooyen We have fixed the issue in inspector-sbomgen that was causing the panic when using the skip_files argument.
I was able to successfully execute the GitHub Action against node:latest while using this line:
skip_files: "/usr/local/lib/node_modules/npm/package.json"
Please update your workflows to point to sbomgen v1.3.1 or latest to resolve the skip-files panic:
# from your GitHub Actions workflow files
sbomgen_version: "1.3.1"
Keep in mind these changes only resolve the panic - I do not know whether this will resolve the 2,000+ component count issue because it depends on your image's configuration.
inspector-sbomgen does not presently support splitting the Inspector scan into multiple requests. If this is functionality you would like, you are welcome to open an issue ticket requesting this feature. Doing so helps us prioritize which features to implement.
Alternatively, you may consider writing your own CI/CD integration on top of inspector-sbomgen to handle splitting / chunking the SBOM into multiple Inspector requests. You can find general documentation on custom CI/CD integrations on our official docs: https://docs.aws.amazon.com/inspector/latest/user/cicd-custom.html
I am marking this issue as resolved.
Please reach out to us again if you need further support.
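The chunking approach suggested in the reply above, sketched as an added example (not part of the thread and not inspector-sbomgen or AWS code). It assumes the SBOM is CycloneDX JSON with a flat top-level `components` array and uses the 2000-component figure from this issue; it does not call Inspector, and the function names are hypothetical.

```python
import copy
import json
import uuid

COMPONENT_LIMIT = 2000  # per-scan component limit cited in this thread


def split_sbom(sbom, limit=COMPONENT_LIMIT):
    """Split a CycloneDX-style SBOM dict into documents of at most `limit` components."""
    if limit < 1:
        raise ValueError("limit must be at least 1")
    components = sbom.get("components", [])
    if len(components) <= limit:
        return [sbom]
    # Fields other than these three are copied unchanged into every chunk.
    shared = {k: v for k, v in sbom.items()
              if k not in ("components", "dependencies", "serialNumber")}
    chunks = []
    for start in range(0, len(components), limit):
        part = components[start:start + limit]
        refs = {c["bom-ref"] for c in part if "bom-ref" in c}
        doc = copy.deepcopy(shared)
        doc["serialNumber"] = f"urn:uuid:{uuid.uuid4()}"  # each chunk is its own BOM
        doc["components"] = part
        # Keep only dependency edges that stay inside this chunk, so no entry
        # points at a bom-ref the chunk does not contain.
        deps = [{"ref": d["ref"],
                 "dependsOn": [r for r in d.get("dependsOn", []) if r in refs]}
                for d in sbom.get("dependencies", []) if d.get("ref") in refs]
        if deps:
            doc["dependencies"] = deps
        chunks.append(doc)
    return chunks


def covers_all(sbom, chunks):
    """True if every original component lands in exactly one chunk (nothing unscanned)."""
    original = sorted(json.dumps(c, sort_keys=True) for c in sbom.get("components", []))
    split = sorted(json.dumps(c, sort_keys=True) for ch in chunks for c in ch["components"])
    return original == split


def constructed_sbom(n):
    """Constructed sample input: n fake npm components, each depending on the next."""
    comps = [{"type": "library", "name": f"pkg{i}", "version": "1.0.0",
              "purl": f"pkg:npm/pkg{i}@1.0.0", "bom-ref": f"ref-{i}"} for i in range(n)]
    deps = [{"ref": f"ref-{i}", "dependsOn": [f"ref-{i + 1}"]} for i in range(n - 1)]
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "components": comps, "dependencies": deps}
```

Running `covers_all` before submitting the chunks guards against a split that silently drops components from the scan.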
Thanks for the prompt response and resolution! The component limit actually pointed us to some optimizations we were able to make with respect to our NodeJS containers!
Description
Attempting to work around the 2000 component limit by leveraging the --skip-files argument in inspector-sbomgen, but it results in a runtime panic.
Expected Behavior
Expect the action to succeed with components skipped.
Actual Behavior
Steps to Reproduce
Specify skip-files input in action call. I've tried several variants such as
Other Information
Running on self-hosted GHA runners via actions-runner-controller.