Question on custom binaries #1178
Comments
👋 Thanks for filing the issue @vsoch. You are correct that random one-off binaries might not be listed if we don't have a cataloger for that specific package manager. A possible solution here is to add this functionality where syft is aware of the It's not something we have as a priority at this exact moment, but patches are welcome and we can take a look at adding it when more bandwidth opens up =)
I could definitely give a shot to contribute that - I love Go! How do you handle package managers that have non-deterministic locations? E.g., you can install spack mostly anywhere - and sometimes in containers there are environment variables to give a hint about it, but it's not required. There also can be a full spack install and just a view, which would be harder to detect. There is, however, a fairly predictable structure for both of those things. Are there current package managers that have a similar design already added to Syft I could take a look at?
Hey @vsoch, sorry we never replied to your questions above. We now have some good information about implementing new catalogers in the DEVELOPING document: https://github.com/anchore/syft/blob/main/DEVELOPING.md#syft-catalogers -- please take a look if you're still interested. I'll go ahead and close this ticket out, but if you're interested in digging in, please let us know, we are happy to help either here or in our Slack channel. Thanks!
Thanks! I'll take a look and can ping again if I have questions.
Hiya!
I was testing syft on a container, and I had a custom binary (created via a spack view, so spack is gone) and I noticed that syft didn't report / find it. Are random / one off binaries not find-able because they have to be linked to a known package manager? Thank you!