dmikusa / binding-tool

Generate Kubernetes service bindings for use with Cloud Native Buildpacks
Apache License 2.0

Add support for older (and even current) released buildpack versions instead of main/buildpack.toml ones #34

Closed jansu76 closed 1 year ago

jansu76 commented 1 year ago

AFAIK bt currently finds dependency versions using buildpack.toml from the buildpack's main branch: https://raw.githubusercontent.com/{buildpack}/main/buildpack.toml

https://github.com/dmikusa/binding-tool/blob/main/src/deps.rs#L85

This has some problems:

For example, the currently latest released version of syft is 1.24.2:

    ===> DETECTING
    6 of 24 buildpacks participating
    paketo-buildpacks/ca-certificates   3.5.1
    paketo-buildpacks/bellsoft-liberica 9.10.3
    paketo-buildpacks/syft              1.24.2
    paketo-buildpacks/executable-jar    6.6.0
    paketo-buildpacks/dist-zip          5.5.0
    paketo-buildpacks/spring-boot       5.22.1

This release https://github.com/paketo-buildpacks/syft/releases/tag/v1.24.2 lists Syft 0.69.1 as a dependency:

Syft | 0.69.1 | 71296b3d87b2837aeb7e55b2ca98dc69f92c7274ae3d968698da5887b7462ad2

However, the current buildpack.toml uses Syft 0.72.0, so the dependency-mapping created by bt will not be used:

https://github.com/paketo-buildpacks/syft/blob/28a1493f294ce79b145a10440b839a2f118ace04/buildpack.toml

    sha256 = "3bdddb3c79d2f223d574366ca2ef5fbc03f627a3e7502d011bfe630671732173"
    uri = "https://github.com/anchore/syft/releases/download/v0.72.0/syft_0.72.0_linux_amd64.tar.gz"
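
The mismatch described in this issue, as an added example (not code from binding-tool or from the issue author): it builds a digest-to-URI map from the `main` entry quoted above and checks whether the digest listed in the v1.24.2 release notes is covered. It assumes the mapping is keyed by the dependency's sha256, as Paketo dependency-mapping bindings are, and that release tags follow the `v{version}` form seen in the release URL; `buildpack_toml_url`, `digest_map` and `binding_covers` are hypothetical names.

```rust
use std::collections::HashMap;

/// Hypothetical helper: buildpack.toml URL at a release tag, or at main when no version is given.
fn buildpack_toml_url(buildpack: &str, version: Option<&str>) -> String {
    let git_ref = match version {
        Some(v) => format!("v{}", v), // assumption: tags are named v{version}
        None => "main".to_string(),
    };
    format!("https://raw.githubusercontent.com/{}/{}/buildpack.toml", buildpack, git_ref)
}

/// Return the quoted value of a `key = "value"` line when the key matches exactly.
fn quoted_value<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let (k, v) = line.split_once('=')?;
    if k.trim() != key {
        return None;
    }
    v.trim().strip_prefix('"')?.strip_suffix('"')
}

/// Minimal line scan (not a full TOML parser): pair each `sha256` with the next `uri`.
fn digest_map(buildpack_toml: &str) -> HashMap<String, String> {
    let mut map = HashMap::new();
    let mut pending: Option<String> = None;
    for line in buildpack_toml.lines() {
        if let Some(sha) = quoted_value(line, "sha256") {
            pending = Some(sha.to_string());
        } else if let Some(uri) = quoted_value(line, "uri") {
            if let Some(sha) = pending.take() {
                map.insert(sha, uri.to_string());
            }
        }
    }
    map
}

/// True when a buildpack asking for `digest` would find an entry in the mapping.
fn binding_covers(map: &HashMap<String, String>, digest: &str) -> bool {
    map.contains_key(digest)
}

// Entry quoted in the issue from buildpack.toml on main (Syft 0.72.0).
const MAIN_TOML: &str = r#"
    sha256 = "3bdddb3c79d2f223d574366ca2ef5fbc03f627a3e7502d011bfe630671732173"
    uri = "https://github.com/anchore/syft/releases/download/v0.72.0/syft_0.72.0_linux_amd64.tar.gz"
"#;
// Digest the v1.24.2 release notes quoted in the issue list for Syft 0.69.1.
const RELEASED_SHA: &str = "71296b3d87b2837aeb7e55b2ca98dc69f92c7274ae3d968698da5887b7462ad2";

fn main() {
    let map = digest_map(MAIN_TOML);
    println!("main covers released digest: {}", binding_covers(&map, RELEASED_SHA));
    println!("fetch instead: {}", buildpack_toml_url("paketo-buildpacks/syft", Some("1.24.2")));
}
```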