Attest fails on container images after Syft v1.19.0

[daniel-porsche]

When I run the scan on my container image using Syft v1.19.0, the json file generated is ~1.4Mb
and when I do the scan on the same container image with a Syft version later than v1.19.0 the generated file is ~24Mb

I'm using the anchore/sbom-action@v0 github action to generate the cyclonedx-json file

Problem here, is that if I later want to attest the scan I'm now getting:

Error: Error: predicate file exceeds maximum allowed size: 16777216 bytes

Do you have any information on the support for Syft versions later to v1.19.0?

[bdehamer]

Wow, that's a pretty big increase in size! I don't have any insight into why the size of the generated SBOM has jumped so much between Syft v1.19.0 and v1.20.0 (I see that 1.20.0 has an option to include license information, so maybe that's it 🤷 ).

When you use the actions/attest-sbom action we store a copy of the generated attestation within GitHub and currently enforce a max size of 16MB -- that's the error message you're seeing.

At the moment, the only work-around would be to trim the size of the SBOM. The 20x increase in size suggests that you may be capturing info in the SBOM that you may not need. There are probably some configuration options available for Syft that you could play with to control the SBOM size.

On our side, there are some things we're considering which might help in the longer term:

• Increase the limit on attestation size.
• Provide an option to generate the attestation without storing it (this would give you the ability to generate an attestation of any size as long as you're willing to take responsibility for persisting it).

Would be interested to hear your thoughts on either of the above options, or other ideas you may have.

[daniel-porsche]

Hi, it seems the issue is related to the default addition of the "file" cataloger for the containers. I use the cyclonedx-json format and when running the scan without it I get the same behavior from the v1.19.0.
From the release: https://github.com/anchore/syft/releases/tag/v1.20.0
It seems cyclonedx-json was dropping files and outputting only packages. If that's the default configuration for all formats, I'd day is better to increase the limit to the attestation size would make more sense here.

[daniel-porsche]

Although, unaware of that behavior regarding the default configs of the catalogers, I now find myself in the need of configuring the catalogers for the scan.
I'm guessing the best way to go around it is by passing the syft config file.