**What happened**:
`syft` running with `sudo` yields different results than without `sudo`.

**What you expected to happen**:
Both runs should have the same output.

**Please provide a set of steps on how to reproduce the issue**:
On an `arm` machine (technically, any machine other than x86 will do).

**Anything else we need to know?**:
When run with `sudo`, the docker daemon is available and is used. Without `sudo`, syft uses the OCI registry via stereoscope.

Stereoscope takes the following approach while determining image pull methodology:

```go
// DetermineDefaultImagePullSource takes an image reference string as input, and
// determines a Source to use to pull the image. If the input doesn't specify an
// image reference (i.e. an image that can be _pulled_), UnknownSource is
// returned. Otherwise, if the Docker daemon is available, DockerDaemonSource is
// returned, and if not, OciRegistrySource is returned.
func DetermineDefaultImagePullSource(userInput string) Source {
```

Source: https://github.com/anchore/stereoscope/blob/3b80d983223f6e6fc2d33b0ffa003d30268418e9/pkg/image/source.go#L134-L139

and because there are inconsistencies between the OCI source and the docker daemon in stereoscope when the respective `Providers` are run without supplying a `platform`, it bubbles out to syft, yielding different images (one x86 and the other arm) and thus different SBOMs.

See:
- `docker:` vs `registry:`
- from multi-platform images stereoscope#149

This can be avoided by having a correct default value for `platform`.

**Environment**:
- syft version:
- `cat /etc/os-release` or similar:
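To make the platform-default problem concrete, here is an added example (not stereoscope's or syft's code) that picks a manifest out of a constructed OCI image index; it assumes the host's `runtime.GOOS`/`runtime.GOARCH` as the "correct default", since that is what the daemon path resolves to, and shows how a hard-coded `linux/amd64` fallback yields the x86 digest on an arm64 host.

```go
package main

import (
	"encoding/json"
	"fmt"
	"runtime"
)

// Platform is the os/architecture pair carried by each entry of an OCI image index.
type Platform struct {
	OS           string `json:"os"`
	Architecture string `json:"architecture"`
}

// imageIndex is the subset of an OCI image index (manifest list) needed to pick a manifest.
type imageIndex struct {
	Manifests []struct {
		Digest   string   `json:"digest"`
		Platform Platform `json:"platform"`
	} `json:"manifests"`
}

// Constructed sample index for a multi-platform image; the digests are placeholders.
const sampleIndex = `{"manifests":[
  {"digest":"sha256:constructed-amd64","platform":{"os":"linux","architecture":"amd64"}},
  {"digest":"sha256:constructed-arm64","platform":{"os":"linux","architecture":"arm64"}}]}`

// HostPlatform is the default assumed here: the docker daemon resolves a multi-platform
// image to the host's own os/arch, so the registry path should fall back to the same.
func HostPlatform() Platform { return Platform{OS: runtime.GOOS, Architecture: runtime.GOARCH} }

// SelectManifest returns the digest for the requested platform, or for fallback when no
// platform was supplied (nil). A hard-coded linux/amd64 fallback reproduces the mismatch.
func SelectManifest(indexJSON string, requested *Platform, fallback Platform) (string, error) {
	var idx imageIndex
	if err := json.Unmarshal([]byte(indexJSON), &idx); err != nil {
		return "", err
	}
	want := fallback
	if requested != nil {
		want = *requested
	}
	for _, m := range idx.Manifests {
		if m.Platform == want {
			return m.Digest, nil
		}
	}
	return "", fmt.Errorf("no manifest in index for %s/%s", want.OS, want.Architecture)
}
```

Calling `SelectManifest(sampleIndex, nil, Platform{OS: "linux", Architecture: "amd64"})` on an arm64 host returns the amd64 digest, while `SelectManifest(sampleIndex, nil, HostPlatform())` returns the one the daemon would have used.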