
Can you control the internal format used by Syft when scanning a directory? #1938

Open
tomasr opened this issue Jun 12, 2024 · 3 comments
Labels
enhancement New feature or request

Comments

@tomasr

tomasr commented Jun 12, 2024

What would you like to be added:

This is probably a weird question, but when running grype dir:<somedir>, I understand grype is essentially running syft under the hood to produce the source SBOM (or similar). Can you control what format is used for this intermediate representation?

Why is this needed:

My reason for asking is this: I have some dependencies in a folder.

If I run:

grype dir:.

I get:

 ✔ Vulnerability DB                [no update available]
 ✔ Indexed file system             .
 ✔ Cataloged contents              cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
   ├── ✔ Packages                        [18 packages]
   └── ✔ Executables                     [0 executables]
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored

If I first generate an SBOM using syft in cyclonedx-json format, then ingest it with grype sbom:.\sbom.json I get the exact same result.

However, if I first generate an SBOM using syft in SPDX format, then ingest it with grype I get:

 ✔ Vulnerability DB                [no update available]
 ✔ Scanned for vulnerabilities     [1 vulnerability matches]
   ├── by severity: 1 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 1 not-fixed, 0 ignored

NAME  INSTALLED  FIXED-IN  TYPE            VULNERABILITY   SEVERITY
zlib  1.2.13               UnknownPackage  CVE-2023-45853  Critical

So obviously the source SBOM format (or whatever the internal syft is producing over it) is somehow relevant to getting usable results?

Additional context:

@tomasr tomasr added the enhancement New feature or request label Jun 12, 2024
@kzantow
Contributor

kzantow commented Jun 12, 2024

Hi @tomasr -- Grype is always going to use the internal Syft representation. If you ingest an SBOM, this gets converted to that representation anyway.

What versions of Syft and Grype are you using?

@tomasr
Author

tomasr commented Jun 12, 2024

Grype 0.78.0
Syft 1.6.0

@tomasr
Author

tomasr commented Jun 13, 2024

Might help if I offer a repro. Here's an easy one:

  • Download this package from nuget.
  • Rename the .nuget file to .zip and expand it into a folder, let's say c:\temp\librdkafka
  • Now run grype dir:C:\temp\librdkafka\runtimes

Output here looks like this:

[screenshot]

Now first run syft to generate an SPDX SBOM of the exact same files, and scan it with grype:

[screenshot]

Output is clearly different.
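When two SBOM formats generated from the same files produce different Grype results, the first thing worth checking is what each document actually carries per package: the SPDX-path result above lists zlib with type UnknownPackage, so the package identifiers (purl, CPE) are an obvious place to look. The script below is an added example, not code from the issue or from the Syft/Grype projects: it extracts name, version, purl and CPE from an SPDX 2.x JSON document and from a CycloneDX JSON document and reports packages present in only one of them or carrying different identifiers. The two embedded documents are constructed by hand for the example; load real syft output with `json.load` to compare an actual pair.

```python
"""Compare the package inventories of an SPDX JSON SBOM and a CycloneDX JSON SBOM.

Added diagnostic example (not Syft or Grype code). The sample documents below are
constructed for the example; replace them with real syft output to diagnose a
real pair of SBOMs.
"""
from __future__ import annotations

import json
from dataclasses import dataclass


@dataclass(frozen=True)
class PackageRecord:
    name: str
    version: str
    purl: str
    cpe: str


def load_spdx(doc: dict) -> set[PackageRecord]:
    """Extract (name, version, purl, first CPE) from an SPDX 2.x JSON document.

    SPDX stores purls and CPEs as externalRefs entries with referenceType
    "purl" and "cpe23Type" respectively.
    """
    records: set[PackageRecord] = set()
    for pkg in doc.get("packages", []):
        purl = cpe = ""
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                purl = ref.get("referenceLocator", "")
            elif ref.get("referenceType") == "cpe23Type" and not cpe:
                cpe = ref.get("referenceLocator", "")
        records.add(PackageRecord(pkg.get("name", ""), pkg.get("versionInfo", ""), purl, cpe))
    return records


def load_cyclonedx(doc: dict) -> set[PackageRecord]:
    """Extract (name, version, purl, cpe) from a CycloneDX JSON document.

    CycloneDX carries purl and cpe as direct fields on each component.
    """
    return {
        PackageRecord(c.get("name", ""), c.get("version", ""), c.get("purl", ""), c.get("cpe", ""))
        for c in doc.get("components", [])
    }


def diff_inventories(spdx_doc: dict, cdx_doc: dict) -> dict[str, list]:
    """Report packages present in only one SBOM, plus packages that share
    name and version but disagree on purl or CPE (the identifiers a scanner
    matches on)."""
    spdx = {(r.name, r.version): r for r in load_spdx(spdx_doc)}
    cdx = {(r.name, r.version): r for r in load_cyclonedx(cdx_doc)}
    shared = spdx.keys() & cdx.keys()
    return {
        "only_in_spdx": sorted(k for k in spdx if k not in cdx),
        "only_in_cyclonedx": sorted(k for k in cdx if k not in spdx),
        "identifier_mismatch": sorted(k for k in shared if spdx[k] != cdx[k]),
    }


# Constructed sample documents (hypothetical content, minimal fields only).
ZLIB_CPE = "cpe:2.3:a:zlib:zlib:1.2.13:*:*:*:*:*:*:*"   # constructed CPE string
SPDX_SAMPLE = {
    "spdxVersion": "SPDX-2.3",
    "packages": [
        # zlib with a CPE but no purl
        {"name": "zlib", "versionInfo": "1.2.13",
         "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
                           "referenceLocator": ZLIB_CPE}]},
        {"name": "libfoo", "versionInfo": "2.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:generic/libfoo@2.0"}]},
    ],
}
CDX_SAMPLE = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        # same zlib, but here it also carries a purl -> identifier mismatch
        {"type": "library", "name": "zlib", "version": "1.2.13",
         "purl": "pkg:generic/zlib@1.2.13", "cpe": ZLIB_CPE},
        {"type": "library", "name": "libfoo", "version": "2.0", "purl": "pkg:generic/libfoo@2.0"},
        # present only in the CycloneDX document
        {"type": "library", "name": "bar", "version": "0.1", "purl": "pkg:generic/bar@0.1"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(diff_inventories(SPDX_SAMPLE, CDX_SAMPLE), indent=2))
```

Run it against real output with `syft dir:<path> -o spdx-json` and `syft dir:<path> -o cyclonedx-json` saved to files and passed through `json.load`; an entry under `identifier_mismatch` or `only_in_*` tells you which package's identifiers to inspect before concluding the scanner itself behaves differently per format.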
