SBOM from a source code repos have missing or repetitive component inventory #1260
Comments
Hi @sprathod369, to answer your specific questions:
Having said that, it looks like Do you have any specific repositories that you could point to where you've run
Thanks @kzantow - appreciate your inputs. Yes, I'll run a scan against WebGoat (java-pom based repo) and share my findings. Thanks again!!
@kzantow - I generated an SBOM using Syft and Cdxgen against the same code base and branch of WebGoat source repo and here are some observations.
Your above comment confirms that Syft's CycloneDX is structured differently and not designed to integrate with other tools (points 2 and 3 confirm that), but the inventory and missing components (points 1 & 4) may be an issue to investigate further.
Hi @sprathod369 -- I've looked into this a bit further. I think this may be a bit of a duplicate of #1251 -- would you agree?
NOTE: this is referring to WebGoat: https://github.com/WebGoat/WebGoat
I'll go ahead and close this ticket, but please feel free to let us know if you have any more questions or concerns. Thanks!
Although Syft focuses on container image scans, it can also create an SBOM for arbitrary filesystem paths. My understanding is that one can use Syft to index a host's packages by scanning directories that commonly contain software binaries and libraries.
However, it's not clear to me if Syft can generate a reasonable and accurate SBOM against a source-code repository. I tested it against a Java repository that had a pom.xml (WebGoat), a Typescript repository that has package.xml and a reference Python repository that has requirements.txt. The generated SBOM from Syft in CycloneDX format when ingested in Dependency-Track does not give a component inventory that is close to something that say a cdxgen tool generates for the same source-code repositories.
My questions are (other than container image scans)
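The complaint in this issue is that two generators run over the same source tree produce inventories that differ (components missing from one, listed twice in the other) once ingested into Dependency-Track. A quick way to quantify that before opening a ticket is to diff the two CycloneDX documents by component identity. The script below is an added example, not code from the Syft, cdxgen or Dependency-Track projects; the two embedded SBOM documents are constructed, minimal stand-ins, and their component names, versions and purls are illustrative rather than real WebGoat dependencies.

```python
"""Diff the component inventories of two CycloneDX JSON SBOMs.

Added example (not from Syft or cdxgen). SBOM_A and SBOM_B below are
constructed stand-ins for two generators' output over one repository.
"""
import json
from collections import Counter

# Constructed sample standing in for generator A (e.g. a Syft run).
# Note the repeated lib-a entry: this is the "repetitive component" case.
SBOM_A = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "lib-a", "version": "1.0.0",
         "purl": "pkg:maven/org.example/lib-a@1.0.0"},
        {"type": "library", "name": "lib-a", "version": "1.0.0",
         "purl": "pkg:maven/org.example/lib-a@1.0.0"},
        {"type": "library", "name": "lib-b", "version": "2.3.1",
         "purl": "pkg:maven/org.example/lib-b@2.3.1"},
    ],
})

# Constructed sample standing in for generator B (e.g. a cdxgen run).
# lib-c is nested under lib-b, which CycloneDX permits, and is absent from A.
SBOM_B = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "lib-a", "version": "1.0.0",
         "purl": "pkg:maven/org.example/lib-a@1.0.0"},
        {"type": "library", "name": "lib-b", "version": "2.3.1",
         "purl": "pkg:maven/org.example/lib-b@2.3.1",
         "components": [
             {"type": "library", "name": "lib-c", "version": "3.0.0",
              "purl": "pkg:maven/org.example/lib-c@3.0.0"},
         ]},
    ],
})


def component_key(component):
    """Identity used for comparison: the purl when present, else name@version.

    Dependency-Track and most consumers key on purl, so mismatched purls are
    what actually produce a divergent inventory after ingestion.
    """
    purl = component.get("purl")
    if purl:
        return purl
    return f"{component.get('name', '')}@{component.get('version', '')}"


def walk_components(components):
    """Yield every component, descending into nested 'components' lists."""
    for component in components:
        yield component
        yield from walk_components(component.get("components", []))


def inventory(sbom_json):
    """Return a Counter of component keys; counts above 1 mean duplicates."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return Counter(component_key(c) for c in walk_components(doc.get("components", [])))


def compare(sbom_a, sbom_b):
    """Report components unique to each side and components listed more than once."""
    inv_a, inv_b = inventory(sbom_a), inventory(sbom_b)
    return {
        "only_in_a": sorted(set(inv_a) - set(inv_b)),
        "only_in_b": sorted(set(inv_b) - set(inv_a)),
        "duplicates_in_a": sorted(k for k, n in inv_a.items() if n > 1),
        "duplicates_in_b": sorted(k for k, n in inv_b.items() if n > 1),
    }


if __name__ == "__main__":
    for label, items in compare(SBOM_A, SBOM_B).items():
        print(f"{label}: {items}")
```

Run it against the real files by replacing `SBOM_A` and `SBOM_B` with the contents of the two generator outputs (`syft ... -o cyclonedx-json` and the cdxgen JSON). Components that lack a purl fall back to `name@version`, which is exactly the case where two generators tend to disagree, so an empty `only_in_*` list on purl-keyed data is a much stronger signal than one on name-keyed data.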