Open hazcod opened 3 years ago
Did anyone ever look at this? How can we achieve that?
I understand syft already generates SPDX docs. This project is focused on generating SPDX docs during development or ci build.
Generating a docker container and scanning it as part of development and CI sounds like what I'm trying to do. I don't only have sources; I develop and run, in CI and locally, and also build containers.
Why is scanning images for SPDX out of scope?
I want to use the same generator (this one has the best results for SPDX regarding dependency hierarchy). The more generally accepted one is bloated with features.
I merge those SBOMs (container and filesystem) and get a more holistic view of my codebase.
Now, using a mix of syft and this generator's SPDX files is possible, but it yields poor results, mostly because you use the spec differently than Syft does.
Sounds like what you need is interoperability with Syft? Maybe @kzantow has some insights into why merging a project SBOM and the container SBOM doesn't work well.
Could you expand on:

> this one has the best results for spdx regarding dependency hierarchy
How are you merging SBOMs from the container and filesystem?
I'd also like to know why:

> using a mix of syft and this generator spdx files is possible but yields poor results
Is this because you are looking for a dependency hierarchy? You are unlikely to find this when scanning a container -- most of the information has been flattened or removed, so you are likely going to see a different graph between the two scans.
Is there some sort of public project / build you could point us to that exhibits the behavior you are seeing (bad or good)?
Merging with https://github.com/opensbom-generator/sbom-composer
I'm looking at the dependency hierarchy of merged SBOMs because of the container flattening. Merging with a filesystem SBOM will provide the missing data. However, SSG output differs greatly from syft/trivy/etc., so merging gives zero value. This is why I wish the "same" format/method of generating SPDX were aligned between Image and Filesystem.
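To make the two points in this exchange concrete (the container scan is flattened to CONTAINS edges with no inter-package hierarchy; merging only helps where the two documents identify the same package the same way), here is an added example of merging a filesystem-scan SPDX document into a container-scan SPDX document. It is not code from this issue, from spdx-sbom-generator, syft or sbom-composer. Both SPDX JSON documents are constructed by hand to mimic the shapes discussed above, and the package-identity rule (case-folded name plus version with a leading `v` stripped) is an assumption of the example, not something either tool guarantees.

```python
"""Merge a filesystem-scan SPDX 2.3 JSON document into a container-scan one.

Added example (not from this issue or from spdx-sbom-generator / syft /
sbom-composer). Sample documents are constructed; the identity heuristic is
an assumption of this example.
"""
import json
from collections import defaultdict


def _pkg(spdx_id, name, version):
    return {"SPDXID": spdx_id, "name": name, "versionInfo": version}


# Constructed: project (filesystem) scan, carries a DEPENDS_ON hierarchy.
FILESYSTEM_SBOM = {
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "myapp-source",
    "packages": [
        _pkg("SPDXRef-app", "myapp", "1.0.0"),
        _pkg("SPDXRef-yaml", "gopkg.in/yaml.v3", "v3.0.1"),
        _pkg("SPDXRef-testify", "github.com/stretchr/testify", "v1.8.0"),
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-app"},
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-yaml"},
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-testify"},
    ],
}

# Constructed: container scan. Flattened (root only CONTAINS packages), a
# different SPDXID scheme, a different version spelling, no test dependency,
# plus an OS package the source scan never sees.
CONTAINER_SBOM = {
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "myapp-image",
    "packages": [
        _pkg("SPDXRef-Package-myapp", "myapp", "1.0.0"),
        _pkg("SPDXRef-Package-yaml", "gopkg.in/yaml.v3", "3.0.1"),
        _pkg("SPDXRef-Package-libssl3", "libssl3", "3.0.2-0ubuntu1"),
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "CONTAINS", "relatedSpdxElement": p}
        for p in ("SPDXRef-Package-myapp", "SPDXRef-Package-yaml", "SPDXRef-Package-libssl3")
    ],
}


def _key(pkg):
    # Assumed identity rule: name (case-folded) + version without a leading "v".
    return (pkg["name"].lower(), pkg.get("versionInfo", "").lstrip("v"))


def merge_spdx(primary, secondary):
    """Union packages by identity; keep the first copy's SPDXID; rewrite every
    relationship of both documents onto the merged IDs and drop duplicates."""
    merged, id_maps = {}, []
    for doc in (primary, secondary):
        id_map = {"SPDXRef-DOCUMENT": "SPDXRef-DOCUMENT"}
        for pkg in doc["packages"]:
            key = _key(pkg)
            if key in merged:                       # same package seen already
                id_map[pkg["SPDXID"]] = merged[key]["SPDXID"]
                continue
            copy = dict(pkg)
            if copy["SPDXID"] in {p["SPDXID"] for p in merged.values()}:
                copy["SPDXID"] += f"-doc{len(id_maps) + 1}"   # same ID scheme, other package
            merged[key] = copy
            id_map[pkg["SPDXID"]] = copy["SPDXID"]
        id_maps.append(id_map)

    relationships, seen = [], set()
    for doc, id_map in zip((primary, secondary), id_maps):
        for rel in doc.get("relationships", []):
            edge = (id_map.get(rel["spdxElementId"], rel["spdxElementId"]),
                    rel["relationshipType"],
                    id_map.get(rel["relatedSpdxElement"], rel["relatedSpdxElement"]))
            if edge not in seen:
                seen.add(edge)
                relationships.append(dict(zip(("spdxElementId", "relationshipType", "relatedSpdxElement"), edge)))
    return {"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
            "name": f"{primary['name']}+{secondary['name']}",
            "packages": list(merged.values()), "relationships": relationships}


def depends_on(doc):
    """Package name -> sorted names it DEPENDS_ON (the recovered hierarchy)."""
    names = {p["SPDXID"]: p["name"] for p in doc["packages"]}
    graph = defaultdict(set)
    for rel in doc["relationships"]:
        if rel["relationshipType"] == "DEPENDS_ON":
            graph[names[rel["spdxElementId"]]].add(names[rel["relatedSpdxElement"]])
    return {k: sorted(v) for k, v in graph.items()}


def without_hierarchy(doc):
    """Packages on no DEPENDS_ON edge at all: what the merge still cannot explain."""
    names = {p["SPDXID"]: p["name"] for p in doc["packages"]}
    on_edge = set()
    for rel in doc["relationships"]:
        if rel["relationshipType"] == "DEPENDS_ON":
            on_edge.update((names[rel["spdxElementId"]], names[rel["relatedSpdxElement"]]))
    return set(names.values()) - on_edge


if __name__ == "__main__":
    merged = merge_spdx(CONTAINER_SBOM, FILESYSTEM_SBOM)
    print(json.dumps(depends_on(merged), indent=2))
    print("no hierarchy:", sorted(without_hierarchy(merged)))
```

Run as-is, the merged document gains the `myapp -> gopkg.in/yaml.v3` and `myapp -> github.com/stretchr/testify` edges from the source scan (the first only because the identity rule reconciles `v3.0.1` with `3.0.1`), while `libssl3` still sits on no DEPENDS_ON edge: the OS layer was only ever seen flattened. If the two generators disagree on how they name or version a package, `_key` fails to match and the merge degrades to a plain union, which is the "zero value" outcome described above.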
Summary
Ref https://github.com/anchore/syft