opensbom-generator / spdx-sbom-generator

Support CI generation of SBOMs via golang tooling.

Feature: add Docker input support #194

Open hazcod opened 3 years ago

hazcod commented 3 years ago

Summary

Ref https://github.com/anchore/syft

manifestori commented 1 year ago

Did anyone ever look at this? How can we achieve that?

nishakm commented 1 year ago

I understand Syft already generates SPDX docs. This project is focused on generating SPDX docs during development or CI build.

manifestori commented 1 year ago

Generating a Docker container and scanning it as part of development and CI sounds like what I'm trying to do. I don't only have sources; I develop and run, in CI and locally, and also build containers.

Why is scanning images for SPDX out of scope?

nishakm commented 1 year ago

@manifestori There are plenty of projects that already address containers. Tern and Syft generate SPDX SBOMs for container images. Could you help me understand why neither of these tools suit your use case?

manifestori commented 1 year ago

I want to use the same generator (this one has the best results for SPDX regarding dependency hierarchy). The more generally accepted one is bloated with features.

I merge those SBOMs (container and filesystem) and get a more holistic view of my codebase.

Now, using a mix of Syft and this generator's SPDX files is possible but yields poor results. Mostly because you use the spec differently than Syft does.

nishakm commented 1 year ago

Sounds like what you need is interoperability with Syft? Maybe @kzantow has some insights into why merging a project SBOM and the container SBOM doesn't work well.

kzantow commented 1 year ago

Could you expand on:

"this one has the best results for spdx regarding dependency hierarchy"

How are you merging SBOMs from the container and filesystem?

I'd also like to know why:

"using a mix of syft and this generator spdx files is possible but yields poor results"

Is this because you are looking for a dependency hierarchy? You are unlikely to find this when scanning a container -- most of the information has been flattened or removed, so you are likely going to see a different graph between the two scans.

kzantow commented 1 year ago

Is there some sort of public project / build you could point us to that exhibits the behavior you are seeing (bad or good)?

manifestori commented 1 year ago

Merging with https://github.com/opensbom-generator/sbom-composer

I'm looking at the dependency hierarchy of merged SBOMs because of the container flattening. Merging with a filesystem SBOM will provide the missing data. However, SSG output differs greatly from syft/trivy/etc, so merging gives zero value. This is why I wish the "same" format/method of generating SPDX would be aligned between image and filesystem.
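The merge described in this thread, as an added example that is not code from the issue, from sbom-composer or from spdx-sbom-generator: two constructed SPDX 2.x documents, a flat container SBOM and a hierarchical source-tree SBOM, are joined on each package's purl, and the merged relationship graph recovers the depth the container scan lost. Joining on purl is an assumption; when two generators do not emit a shared identifier, the join fails, which is the interoperability gap raised above.

```python
def pkg(spdx_id, purl):
    """Minimal SPDX 2.x package entry; the purl externalRef is the merge key."""
    return {"SPDXID": spdx_id, "name": purl.split("/")[-1].split("@")[0],
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                              "referenceType": "purl", "referenceLocator": purl}]}

def rel(src, dst, rtype="DEPENDS_ON"):
    return {"spdxElementId": src, "relationshipType": rtype, "relatedSpdxElement": dst}

APP, LIB, UTIL = ("pkg:golang/example.com/app@1.0", "pkg:golang/github.com/x/lib@2.1",
                  "pkg:golang/github.com/y/util@0.3")
# Constructed container SBOM: the image scan lists every module, but only as a
# flat set under the image package; the dependency hierarchy was lost at build time.
CONTAINER = {"packages": [pkg("SPDXRef-img", "pkg:oci/app@1.0"), pkg("SPDXRef-a", APP),
                          pkg("SPDXRef-b", LIB), pkg("SPDXRef-c", UTIL)],
             "relationships": [rel("SPDXRef-img", "SPDXRef-a"), rel("SPDXRef-img", "SPDXRef-b"),
                               rel("SPDXRef-img", "SPDXRef-c")]}
# Constructed source-tree SBOM: the go.mod scan knows that app -> lib -> util.
SOURCE = {"packages": [pkg("SPDXRef-Package-app", APP), pkg("SPDXRef-Package-lib", LIB),
                       pkg("SPDXRef-Package-util", UTIL)],
          "relationships": [rel("SPDXRef-Package-app", "SPDXRef-Package-lib"),
                            rel("SPDXRef-Package-lib", "SPDXRef-Package-util")]}

def purl_of(p):
    return next(r["referenceLocator"] for r in p.get("externalRefs", [])
                if r.get("referenceType") == "purl")

def merge(*docs):
    """Union packages by purl and rewrite every relationship onto the canonical
    SPDXID. A package with no purl makes purl_of() raise StopIteration, which is
    the failure mode when two generators identify packages differently."""
    by_purl, edges = {}, set()
    for doc in docs:
        id_map = {}
        for p in doc["packages"]:
            canon = by_purl.setdefault(purl_of(p), dict(p))
            id_map[p["SPDXID"]] = canon["SPDXID"]
        for r in doc["relationships"]:
            edges.add((id_map[r["spdxElementId"]], r["relationshipType"],
                       id_map[r["relatedSpdxElement"]]))
    return {"packages": list(by_purl.values()),
            "relationships": [rel(s, d, t) for s, t, d in sorted(edges)]}

def depth(doc, root):
    """Longest DEPENDS_ON chain below root: 1 means the graph is flat."""
    kids = {}
    for r in doc["relationships"]:
        kids.setdefault(r["spdxElementId"], []).append(r["relatedSpdxElement"])
    walk = lambda n: 1 + max((walk(c) for c in kids.get(n, [])), default=0)
    return walk(root) - 1
```

`depth(CONTAINER, "SPDXRef-img")` is 1 (flat), while `depth(merge(CONTAINER, SOURCE), "SPDXRef-img")` is 3, because the source SBOM's app -> lib -> util chain is now attached under the image package.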