
Include container information in SPDX #1518

Closed
kzantow opened this issue Jan 25, 2023 · 4 comments
Comments

@kzantow
Contributor

kzantow commented Jan 25, 2023

What would you like to be added:
For container scans, SPDX output should contain a container package (with Primary Package Purpose set to CONTAINER), which is what the SPDXRef-DOCUMENT DESCRIBES relationship should point to.

Packages found within the container should have CONTAINS relationships from the container.

While investigating this, it would be good to understand whether packages for each layer within the container should be added in between. It seems both tern and the k8s bom tool generate SPDX from containers in this fashion, e.g. the SPDX relationships build a graph like: container -> layer -> package

Why is this needed:
More closely align with other tools and standards.

@kzantow kzantow added the enhancement New feature or request label Jan 25, 2023
@kzantow kzantow self-assigned this Jan 25, 2023
@kzantow
Contributor Author

kzantow commented Feb 15, 2023

Discussion concluded that this initial change will not include layer information, for a number of reasons, primarily:

  • Syft by default uses a squashed scope, so it will not necessarily include all the layer information
  • Syft currently results in packages showing up only in the last layer they are located in
  • This makes dir/file scans result in the same document structure as container scans
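As an added example (not Syft's own code or output), the two document shapes discussed in this issue, the flat container -> package shape settled on here and the layered container -> layer -> package shape mentioned in the opening post, built and then checked in Python from a constructed inventory. The SPDX IDs, the sample digests and the ARCHIVE purpose used for a layer node are assumptions, not anything Syft emits.

```python
from collections import deque
# Constructed sample inventory (not real Syft output): one image, two layers, one package each.
IMAGE = {"name": "example-image", "digest": "sha256:PLACEHOLDER-IMAGE-DIGEST", "layers": [
    {"digest": "sha256:PLACEHOLDER-LAYER-0", "packages": [("openssl", "3.0.2")]},
    {"digest": "sha256:PLACEHOLDER-LAYER-1", "packages": [("curl", "7.81.0")]}]}

def rel(src, kind, dst):
    return {"spdxElementId": src, "relationshipType": kind, "relatedSpdxElement": dst}

def build_spdx(image, include_layers=False):
    """Minimal SPDX 2.3 JSON dict whose DESCRIBES target is a CONTAINER package. include_layers=True
    nests container -> layer -> package (tern style); False is the flat shape this issue settled on."""
    cid = "SPDXRef-Container"
    pkgs = [{"SPDXID": cid, "name": image["name"], "versionInfo": image["digest"],
             "downloadLocation": "NOASSERTION", "primaryPackagePurpose": "CONTAINER"}]
    rels = [rel("SPDXRef-DOCUMENT", "DESCRIBES", cid)]
    for i, layer in enumerate(image["layers"]):
        parent = cid
        if include_layers:  # ARCHIVE as a layer's purpose is an assumption, not an SPDX rule
            parent = f"SPDXRef-Layer-{i}"
            pkgs.append({"SPDXID": parent, "name": layer["digest"],
                         "downloadLocation": "NOASSERTION", "primaryPackagePurpose": "ARCHIVE"})
            rels.append(rel(cid, "CONTAINS", parent))
        for name, ver in layer["packages"]:
            pid = f"SPDXRef-Package-{name}-{ver}"
            pkgs.append({"SPDXID": pid, "name": name, "versionInfo": ver,
                         "downloadLocation": "NOASSERTION"})
            rels.append(rel(parent, "CONTAINS", pid))
    return {"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": image["name"],
            "dataLicense": "CC0-1.0", "packages": pkgs, "relationships": rels}

def check_structure(doc):
    """Return structural problems; an empty list means the document has the shape the issue asks for."""
    purpose = {p["SPDXID"]: p.get("primaryPackagePurpose") for p in doc["packages"]}
    describes = [r["relatedSpdxElement"] for r in doc["relationships"]
                 if r["spdxElementId"] == "SPDXRef-DOCUMENT" and r["relationshipType"] == "DESCRIBES"]
    if len(describes) != 1:
        return [f"expected exactly one DESCRIBES from SPDXRef-DOCUMENT, found {len(describes)}"]
    root, problems = describes[0], []
    if purpose.get(root) != "CONTAINER": problems.append(f"DESCRIBES target {root} is not a CONTAINER package")
    children = {}
    for r in (r for r in doc["relationships"] if r["relationshipType"] == "CONTAINS"):
        children.setdefault(r["spdxElementId"], []).append(r["relatedSpdxElement"])
    seen, queue = {root}, deque([root])
    while queue:  # walk CONTAINS edges down from the container; every package must be reached
        for c in children.get(queue.popleft(), []):
            if c not in purpose: problems.append(f"CONTAINS points at unknown element {c}")
            elif c not in seen: seen.add(c); queue.append(c)
    problems += [f"{p} is not reachable from the container via CONTAINS" for p in purpose.keys() - seen]
    return problems
```

`check_structure` is the part worth keeping around: it flags a document whose DESCRIBES target is not a CONTAINER package, a CONTAINS edge to an unknown element, and any package not reachable from the container.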

@eliaslevy

#1241 appears to be a duplicate of this issue.

@lumjjb

lumjjb commented Apr 10, 2023

👋, just checking in and wondering what the status of these discussions is, if there are any updates!

@kzantow
Contributor Author

kzantow commented Jul 13, 2023

Closing this as a duplicate of #1241

@kzantow kzantow closed this as not planned Won't fix, can't repro, duplicate, stale Jul 13, 2023