Closed mykaul closed 1 year ago
@yaronkaikov can your team take this, as they do for the core?
By using the tool, the following SBOM report was generated:
annamikhlin@annamikhlin ~/Downloads/sbom/sbom $ ./syft dir:scylla-cqlsh/ --scope all-layers
[0000] WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
✔ Indexed file system scylla-cqlsh
✔ Cataloged packages [4 packages]
NAME VERSION TYPE
PyYAML 6.0 python
click 8.1.3 python
geomet 0.2.1.post1 python
scylla-driver 3.26.0 python
The license field is empty here as well (tool limitation):
annamikhlin@annamikhlin ~/Downloads/sbom/sbom $ ./syft dir:scylla-cqlsh/ --scope all-layers --output template -t sbom.tmpl
✔ Indexed file system scylla-cqlsh
✔ Cataloged packages [4 packages]
[0000] WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
SBOM Report:
=============================
Package Name: PyYAML
Version: 6.0
Type: python
License: []
=============================
Package Name: click
Version: 8.1.3
Type: python
License: []
=============================
Package Name: geomet
Version: 0.2.1.post1
Type: python
License: []
=============================
Package Name: scylla-driver
Version: 3.26.0
Type: python
License: []
I'm not sure we have any added value here by using this tool; we have all the same info in the requirements.txt file:
https://github.com/scylladb/scylla-cqlsh/blob/e651e12e36262a800c67f6f6d17538e84cd09286/requirements.txt#L1-L4
@mykaul ^^
That's OK - if that's what we get, it's good enough for now - we'll use this, as it is a standard format. It is a bit strange it doesn't go the extra mile for Python packages...
OK, we can use the JSON format here as well; the output will be the following:
{
  "artifacts": [
    {
      "id": "c9f8a6fdb5568416",
      "name": "PyYAML",
      "version": "6.0",
      "type": "python",
      "foundBy": "python-index-cataloger",
      "locations": [
        {
          "path": "/requirements.txt",
          "annotations": {
            "evidence": "primary"
          }
        }
      ],
      "licenses": [],
      "language": "python",
      "cpes": [
        "cpe:2.3:a:python-PyYAML:python-PyYAML:6.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:python-PyYAML:python_PyYAML:6.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:python_PyYAML:python-PyYAML:6.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:python_PyYAML:python_PyYAML:6.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:PyYAML:python-PyYAML:6.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:PyYAML:python_PyYAML:6.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:python-PyYAML:PyYAML:6.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:python:python-PyYAML:6.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:python:python_PyYAML:6.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:python_PyYAML:PyYAML:6.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:PyYAML:PyYAML:6.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:python:PyYAML:6.0:*:*:*:*:*:*:*"
      ],
      "purl": "pkg:pypi/PyYAML@6.0",
      "metadataType": "PythonRequirementsMetadata",
      "metadata": {
        "name": "PyYAML",
        "versionConstraint": "==6.0"
      }
    },
The license is missing, but there is some additional info.
Full report: cqlsh_json_report.txt
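A small check a release engineer could run over syft's JSON output, added here as an example (it is not code from this thread or from syft): it lists the packages whose license field came back empty, as in the report above, and diffs the SBOM against requirements.txt so that the SBOM is at least confirmed to cover every pin. The sample SBOM document and requirements content are constructed, and example-lib is a hypothetical package.

```python
import json

# Constructed sample in the shape of syft's JSON output shown in the thread,
# trimmed to the fields used here; it is not the real cqlsh_json_report.txt.
SAMPLE_SBOM = json.dumps({"artifacts": [
    {"name": "PyYAML", "version": "6.0", "type": "python", "licenses": [],
     "purl": "pkg:pypi/PyYAML@6.0",
     "metadata": {"name": "PyYAML", "versionConstraint": "==6.0"}},
    {"name": "click", "version": "8.1.3", "type": "python", "licenses": [],
     "purl": "pkg:pypi/click@8.1.3",
     "metadata": {"name": "click", "versionConstraint": "==8.1.3"}},
    # Hypothetical package with a populated license entry, for contrast.
    {"name": "example-lib", "version": "1.0", "type": "python",
     "licenses": [{"value": "MIT", "spdxExpression": "MIT"}],
     "purl": "pkg:pypi/example-lib@1.0",
     "metadata": {"name": "example-lib", "versionConstraint": "==1.0"}},
]})

# Constructed requirements.txt content (not the repository's actual file).
SAMPLE_REQUIREMENTS = "PyYAML==6.0\nclick==8.1.3\ngeomet==0.2.1.post1\n"


def load_artifacts(sbom_json):
    """Return the artifact list from a syft JSON document."""
    return json.loads(sbom_json).get("artifacts", [])


def packages_without_license(artifacts):
    """Names of packages whose SBOM entry carries no license at all."""
    return [a["name"] for a in artifacts if not a.get("licenses")]


def parse_requirements(text):
    """Map lower-cased package name -> version for '==' pins; other specifiers are skipped."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if "==" in line:
            name, version = line.split("==", 1)
            pins[name.strip().lower()] = version.strip()
    return pins


def compare_with_requirements(artifacts, requirements_text):
    """Report pins the SBOM missed, SBOM entries that are not pinned, and version disagreements."""
    pins = parse_requirements(requirements_text)
    seen = {a["name"].lower(): a["version"] for a in artifacts if a.get("type") == "python"}
    return {
        "missing_from_sbom": sorted(n for n in pins if n not in seen),
        "not_pinned": sorted(n for n in seen if n not in pins),
        "version_mismatch": sorted(n for n in pins if n in seen and seen[n] != pins[n]),
    }
```

Run it against the real cqlsh_json_report.txt and the repository's requirements.txt by replacing the two constructed strings; an empty license list for a pinned package is a gap to fill by hand before the SBOM ships with a release.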
maybe https://github.com/ninoseki/pycomponents is a bit better for python packages?
> maybe https://github.com/ninoseki/pycomponents is a bit better for python packages?
Single maintainer, unmaintained, ...
I'm happy with staying with what we have right now. It'll improve in time. There's a benefit of having a single tool for all languages (and we have enough of those).
As part of the release process, we should provide an SBOM (Software Bill of Materials) for the release. See https://github.com/scylladb/scylla-pkg/issues/3202#issuecomment-1619753664 for an example. (Unless it is covered as part of the ScyllaDB build?)