docker-library / postgres

Docker Official Image packaging for Postgres
http://www.postgresql.org
MIT License

Revert "Added inline SBOM for binaries downloaded outside package manager" #1164

Closed LaurentGoderre closed 7 months ago

LaurentGoderre commented 7 months ago

This reverts commit 6f4ae836406b010948f01fbcb400a31dca4fdf52.

This is now supported by the Syft Scanner

LaurentGoderre commented 7 months ago

@whalelines I tested with version 1.2.2 of the scanner.

whalelines commented 7 months ago

That response does not seem to address all the questions.

  1. Do we want to remove the templating too?
  2. Has that change been merged into syft?
  3. Has the updated version of syft been released?
  4. Has the scout-sbom-indexer been updated to the updated version of syft?
  5. Has the updated scout-sbom-indexer been released?
  6. Has the build scout-sbom-indexer pin been updated to use the updated scout-sbom-indexer?

Your response may address 2–5 if the "scanner" you refer to is scout-sbom-indexer. 1 and 6 still need clarification.

tianon commented 7 months ago

(sorry, I also made a merge conflict by bringing in https://github.com/docker-library/postgres/pull/1162 :see_no_evil:)

LaurentGoderre commented 7 months ago

1) It's not removing templating, just a helper that only does SBOM for now. 6) Scanner is pinned to sha256:c2c2236a08a5e4efdc0a983ffcf0971911d22ed5238db4be40dadb6078286c10 which yields:

```json
{
  "SPDXID": "SPDXRef-Package-d8ec3db3016d597f6b5ae1762b17941a",
  "downloadLocation": "",
  "externalRefs": [
    {
      "referenceCategory": "PACKAGE-MANAGER",
      "referenceLocator": "pkg:generic/postgres@16.1?os_name=alpine\u0026os_version=3.18",
      "referenceType": "purl"
    }
  ],
  "filesAnalyzed": false,
  "licenseConcluded": "NOASSERTION",
  "licenseDeclared": "PostgreSQL",
  "name": "postgres",
  "originator": "NOASSERTION",
  "supplier": "NOASSERTION",
  "versionInfo": "16.1"
},
{
  "SPDXID": "SPDXRef-Package-d8e661289d7235557bdd9d4aa2446929",
  "downloadLocation": "",
  "externalRefs": [
    {
      "referenceCategory": "PACKAGE-MANAGER",
      "referenceLocator": "pkg:generic/postgresql@16.1",
      "referenceType": "purl"
    }
  ],
  "filesAnalyzed": false,
  "licenseConcluded": "NOASSERTION",
  "name": "postgresql",
  "originator": "NOASSERTION",
  "supplier": "NOASSERTION",
  "versionInfo": "16.1"
}
```
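
The question whalelines' list is driving at is whether, once the inline SBOM helper is gone, the scanner's output still records the binary that was installed outside the package manager. The script below is an added example, not code from the docker-library/postgres repository or from Syft: it loads an SPDX JSON document and reports whether a named component appears with a `pkg:generic/` purl, decoding the purl's qualifiers (`os_name`, `os_version`) and flagging packages that carry no declared license. The two package entries embedded in it are the ones quoted in the comment above; the surrounding SPDX document skeleton (`spdxVersion`, document `SPDXID`, `packages` array) is constructed here so the script runs offline, and the purl parser and function names are assumptions written for this shape of output.

```python
"""Check that an SPDX SBOM lists a component installed outside the package
manager. Added example; not part of docker-library/postgres or Syft."""
import json
import sys
from urllib.parse import parse_qs, urlsplit

# Constructed SPDX document skeleton wrapping the two package entries quoted in
# the PR comment. json.loads turns the "\u0026" escape back into "&".
SAMPLE_SPDX = json.loads(r'''
{
  "spdxVersion": "SPDX-2.3",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "constructed-sample",
  "packages": [
    {
      "SPDXID": "SPDXRef-Package-d8ec3db3016d597f6b5ae1762b17941a",
      "downloadLocation": "",
      "externalRefs": [
        {"referenceCategory": "PACKAGE-MANAGER",
         "referenceLocator": "pkg:generic/postgres@16.1?os_name=alpine\u0026os_version=3.18",
         "referenceType": "purl"}
      ],
      "filesAnalyzed": false,
      "licenseConcluded": "NOASSERTION",
      "licenseDeclared": "PostgreSQL",
      "name": "postgres",
      "originator": "NOASSERTION",
      "supplier": "NOASSERTION",
      "versionInfo": "16.1"
    },
    {
      "SPDXID": "SPDXRef-Package-d8e661289d7235557bdd9d4aa2446929",
      "downloadLocation": "",
      "externalRefs": [
        {"referenceCategory": "PACKAGE-MANAGER",
         "referenceLocator": "pkg:generic/postgresql@16.1",
         "referenceType": "purl"}
      ],
      "filesAnalyzed": false,
      "licenseConcluded": "NOASSERTION",
      "name": "postgresql",
      "originator": "NOASSERTION",
      "supplier": "NOASSERTION",
      "versionInfo": "16.1"
    }
  ]
}
''')


def package_purls(doc):
    """Yield (package, purl) for every package carrying a purl external ref."""
    for pkg in doc.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                yield pkg, ref["referenceLocator"]


def parse_purl(purl):
    """Minimal purl parser (assumption): handles pkg:<type>/<name>@<version>?<qualifiers>.
    Namespaces and subpaths are not handled; they do not occur in this output."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    parts = urlsplit(purl)              # path -> "generic/postgres@16.1", query -> qualifiers
    ptype, _, rest = parts.path.partition("/")
    name, _, version = rest.partition("@")
    qualifiers = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return ptype, name, version or None, qualifiers


def find_component(doc, name, version, purl_type="generic"):
    """Return the package entries that describe name@version with the given purl type."""
    hits = []
    for pkg, purl in package_purls(doc):
        ptype, pname, pversion, quals = parse_purl(purl)
        if (ptype, pname, pversion) == (purl_type, name, version):
            hits.append({"spdxid": pkg["SPDXID"], "purl": purl, "qualifiers": quals,
                         "licenseDeclared": pkg.get("licenseDeclared")})
    return hits


def sbom_covers(doc, name, version):
    """True when the SBOM lists name@version as a pkg:generic component."""
    return bool(find_component(doc, name, version))


def missing_license(doc):
    """Names of packages with no licenseDeclared and no concluded license either."""
    return [pkg["name"] for pkg in doc.get("packages", [])
            if "licenseDeclared" not in pkg
            and pkg.get("licenseConcluded", "NOASSERTION") == "NOASSERTION"]


if __name__ == "__main__":
    # Usage: python check_sbom.py [sbom.spdx.json]; falls back to the embedded sample.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SPDX
    for name in ("postgres", "postgresql"):
        state = "present" if sbom_covers(doc, name, "16.1") else "MISSING"
        print(f"{name}@16.1: {state} {find_component(doc, name, '16.1')}")
    print("packages without a declared license:", missing_license(doc))
```

Run against a real scanner document, the `MISSING` branch is the signal that the inline SBOM cannot yet be dropped for that component; the license report shows the other gap visible in the quoted output, where only one of the two entries carries `licenseDeclared`.
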

LaurentGoderre commented 7 months ago

@tianon merge conflicts happen :)