We have basic support for typed packages:
https://github.com/docker/go-imageinspect/blob/94b94790b91291306d892dd032b08f5c0d4c9e38/sbom.go#L33-L36

We should extend this to the core packages we commonly use in Docker projects so we can check this works :tada:

- Go packages
- Debian/Ubuntu packages
- Alpine packages

We should also ideally rework the structures to be unique for each package, since packages of type X may allow different fields than packages of type Y. They should have a common base though, since many fields are shared.

If we can, it would be good to capture the graph-relationships between packages, which syft/other scanners have the potential to generate.
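As an added sketch of the two ideas above (a shared base embedded in per-type structs, plus a dependency graph over them), written for this issue and not taken from go-imageinspect or syft; the struct and field names and the `Type` strings are assumptions, and an Alpine type would follow the same pattern:

```go
package main

// PackageBase holds fields every package type shares (hypothetical names, not go-imageinspect's).
type PackageBase struct{ Name, Version, Type string }

// Base lets each embedding type satisfy Package.
func (b PackageBase) Base() PackageBase { return b }

// Package is the common view of any typed package.
type Package interface{ Base() PackageBase }

// Type-specific structs embed the base and add only their own fields.
type GoPackage struct {
	PackageBase
	ModulePath string // e.g. github.com/foo/bar
}
type DebPackage struct {
	PackageBase
	SourcePackage string // source package the binary was built from
}

// Key is type/name@version, so a deb and a Go module sharing a name never collide.
func Key(p Package) string {
	b := p.Base()
	return b.Type + "/" + b.Name + "@" + b.Version
}

// Graph maps a package key to the keys it directly depends on: the edges a
// scanner such as syft could emit.
type Graph map[string][]string

func (g Graph) DependsOn(from, to Package) {
	g[Key(from)] = append(g[Key(from)], Key(to))
}

// TransitiveDeps returns every key reachable from p (cycles are safe).
func (g Graph) TransitiveDeps(p Package) map[string]bool {
	seen := map[string]bool{}
	var walk func(k string)
	walk = func(k string) {
		for _, d := range g[k] {
			if !seen[d] {
				seen[d] = true
				walk(d)
			}
		}
	}
	walk(Key(p))
	return seen
}
```

Keeping edges keyed by type/name@version means a finding against one package can be expanded to everything that transitively depends on it without guessing at name collisions across ecosystems.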