Open jpkrohling opened 9 months ago
@cpanato, do you have an idea on what's going on?
@cartersocha, this is the issue we talked about during the SIG Security call.
Hmm, looks like it is working well with the .tar.gz; I think that is better only with the binary, I can change that.
seems we need to pass some config options
run locally (with the correct version now)
syft scan otelcol-contrib_0.98.0_darwin_amd64.tar.gz -o spdx-json
 ✔ Indexed file system    /private/var/folders/kl/q9mydw095ln5s7wj971qcrx40000gn/T/syft-archive-contents-177865781
 ✔ Cataloged contents     f2d873bf5f6127ce965934c5ee10665f83195ae3264690a496e63b895f996567
   ├── ✔ Packages         [675 packages]
   └── ✔ Executables      [1 executables]
{"spdxVersion":"SPDX-2.3","dataLicense":"CC0-1.0","SPDXID":"SPDXRef-DOCUMENT","name":"otelcol-contrib_0.98.0_darwin_amd64.tar.gz","documentNamespace":"https://anchore.com/syft/file/otelcol-contrib_0.98.0_darwin_amd64.tar.gz-0605e1c6-a055-45ad-bb22-611d8ad283b8","creationInfo":{"licenseListVersion":"3.23","creators":["Organization: Anchore, Inc","Tool: syft-1.1.1"],"created":"2024-04-12T08:27:15Z"},"packages":[{"name":"bitbucket.org/atlassian/go-asap/v2","SPDXID":"SPDXRef-Package-go-module-bitbucket.org-atlassian-go-asap-v2-249ebae86b40f5df","versionInfo":"v2.8.0","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"checksums":[{"algorithm":"SHA256","checksumValue":"24be2392dad94f71fc187924789d5109d849e5870ec9571c03fd9327869edc8d"}],"sourceInfo":"acquired package info from go module information: otelcol-contrib","licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"SECURITY","referenceType":"cpe23Type","referenceLocator":"cpe:2.3:a:atlassian:go-asap\\/v2:v2.8.0:*:*:*:*:*:*:*"},{"referenceCategory":"SECURITY","referenceType":"cpe23Type","referenceLocator":"cpe:2.3:a:atlassian:go_asap\\/v2:v2.8.0:*:*:*:*:*:*:*"},{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:golang/bitbucket.org/atlassian/go-asap@v2.8.0#v2"}]},{"name":"cloud.google.com/go","SPDXID":"SPDXRef-Package-go-module-cloud.google.com-go-c5a7793790f1ea74","versionInfo":"v0.112.2","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"checksums":[{"algorithm":"SHA256","checksumValue":"65a193e8b886edd0738baccd3af559c1a71a5e599fde546a9c2e03433ab2450c"}],"sourceInfo":"acquired package info from go module information: otelcol-contrib","licenseConcluded":"NOASSERTION","licenseDeclared":"NOASSERTION","copyrightText":"NOASSERTION","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:golang/cloud.google.com/go@v0.112.2"}]},{"name":"cloud.google.com/go/compute/metadata","SPDXID":"SPDXRef-Package-go-module-cloud.google.com-go-compute-metadata-e4175b7b6cf1e683","versionInfo":"v0.2.4-0.20230617002413-005d2dfb6b68","supplier":"NOASSERTION","downloadLocation":"NOASSERTION","filesAnalyzed":false,"checksums":[{"algorithm":"SHA256","checksumValue":"69156a635a76209681192b5632c40ca6401af3770f9020cb97cd1e3a3d116f3e"}],"sourceInfo":"acquired package info from go module information: otelcol-contrib","licenseConc
...
I ran goreleaser locally and the SBOMs were created with data.
we need to make sure we have the latest syft, checking that
~seems ok~
was able to reproduce the issue with syft v1.1.0
with v1.1.1
was ok
we need to wait for https://github.com/anchore/sbom-action/pull/456
Thank you for the investigation!
We have SBOMs since v0.95.0, but some artifacts seem to be missing the actual contents of the package, like the one for otelcol-contrib_0.95.0_darwin_amd64.tar.gz.sbom:
Some other entries, like otelcol_0.95.0_windows_amd64.tar.gz.sbom, seem to have appropriate content, containing things like:
We need to investigate what the difference is, and how we can get the packages to be like the SBOMs for Windows.
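The failure mode in this thread is an SBOM file that exists but carries no package inventory, which a release pipeline will happily publish unless something checks the document body. The script below is an added example, not code from the collector repository, goreleaser or syft: it parses SPDX 2.x JSON (the `-o spdx-json` shape quoted above), counts packages and purls, records which tool produced the document, and flags files that fall below a minimum package count. The two embedded SBOMs are constructed samples modelled on the output in the thread; the file names and the `min_packages` threshold are assumptions.

```python
"""Flag SPDX JSON SBOMs that were emitted without a package inventory.

Added example (not the collector's or syft's own code). Run it over a
release's *.sbom files to catch the 'document present but empty' case
before the artifacts are published.
"""
import json
import sys
from collections import Counter

# Constructed sample: a document produced without cataloging the archive
# contents, i.e. the shape reported for the 0.95.0 darwin tarball.
EMPTY_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "otelcol-contrib_0.95.0_darwin_amd64.tar.gz",
    "creationInfo": {"creators": ["Tool: syft-1.1.0"]},
    "packages": [],
})

# Constructed sample modelled on the populated syft 1.1.1 output quoted above.
FULL_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "otelcol-contrib_0.98.0_darwin_amd64.tar.gz",
    "creationInfo": {"creators": ["Organization: Anchore, Inc", "Tool: syft-1.1.1"]},
    "packages": [
        {"name": "bitbucket.org/atlassian/go-asap/v2", "versionInfo": "v2.8.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:golang/bitbucket.org/atlassian/go-asap@v2.8.0#v2"}]},
        {"name": "cloud.google.com/go", "versionInfo": "v0.112.2",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:golang/cloud.google.com/go@v0.112.2"}]},
    ],
})


def summarize_spdx(text, min_packages=1):
    """Return a summary dict for one SPDX JSON document.

    `ok` is False when the package list is shorter than `min_packages`
    (an assumed threshold; a real Go binary SBOM has hundreds of entries).
    """
    doc = json.loads(text)
    packages = doc.get("packages") or []
    purls = [ref["referenceLocator"]
             for pkg in packages
             for ref in pkg.get("externalRefs", [])
             if ref.get("referenceType") == "purl"]
    # purl type is the segment after 'pkg:' and before the first '/'.
    ecosystems = Counter(p.split("/", 1)[0].removeprefix("pkg:") for p in purls)
    creators = doc.get("creationInfo", {}).get("creators", [])
    tool = next((c for c in creators if c.startswith("Tool:")), None)
    return {
        "name": doc.get("name"),
        "tool": tool,
        "packages": len(packages),
        "purls": len(purls),
        "ecosystems": dict(ecosystems),
        "ok": len(packages) >= min_packages,
    }


def find_empty_sboms(named_docs, min_packages=1):
    """Given (label, json_text) pairs, return the labels that fail the check."""
    return [label for label, text in named_docs
            if not summarize_spdx(text, min_packages)["ok"]]


def main(paths):
    """CLI: exit non-zero if any .sbom file on the command line is empty."""
    docs = [(p, open(p, encoding="utf-8").read()) for p in paths]
    for label, text in docs:
        s = summarize_spdx(text)
        print(f"{label}: {s['packages']} packages, {s['purls']} purls, "
              f"{s['ecosystems']}, tool={s['tool']}, ok={s['ok']}")
    return 1 if find_empty_sboms(docs) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Usage: `python check_sbom.py dist/*.sbom` prints one summary line per file and exits non-zero if any document has no packages, which is the signal the 0.95.0 darwin artifact would have produced. Keeping the creator string in the summary also makes it obvious which syft version built a given SBOM, which is how the v1.1.0 vs v1.1.1 difference in this thread was isolated.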