Unable to Install Syft

[nblack-er]

Please provide a set of steps on how to reproduce the issue

Starting a few hours ago, it was noticed that installation of Syft is no longer working with the install.sh script.

What happened:

curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
[info] checking github for the current release tag 
[error] unable to find tag='' 
[error] do not specify a version or select a valid version from https://github.com/anchore/syft/releases 

What you expected to happen:

No errors

Anything else we need to know?:

Environment:

• Output of syft version:
• OS (e.g: cat /etc/os-release or similar): 22.04.1 LTS (Jammy Jellyfish)

[edtan-caseware]

Seems like github may have changed the endpoint format? I turned trace level debugging on to find the curl command, and see:

curl -w '%{http_code}' -sL -H "Accept: application/json"  "https://github.com/anchore/syft/releases/latest"

<!DOCTYPE html>
<html lang="en" ....

I'm guessing that this used to return json instead of html.

[nblack-er]

Ah, right!

https://github.com/orgs/community/discussions/45590

[kzantow]

Hi @nkreiger I've just tried this out again for macOS and Linux and it seems to be working fine for me at this point, could you retry?

NOTE I also saw a failure yesterday where https://github.com/anchore/grype/releases/download/v0.56.0/grype_0.56.0_linux_arm64.deb was returning 403 for some reason, but seems to be fine now.

Similar to Grype, as @jdolitsky noted, it might be good to add a fallback to the API call here: https://api.github.com/repos/{org}/{repo}/releases/latest

[cw-alexcroteau]

Hi @nkreiger I've just tried this out again for macOS and Linux and it seems to be working fine for me at this point, could you retry?

NOTE I also saw a failure yesterday where https://github.com/anchore/grype/releases/download/v0.56.0/grype_0.56.0_linux_arm64.deb was returning 403 for some reason, but seems to be fine now.

Similar to Grype, as @jdolitsky noted, it might be good to add a fallback to the API call here: https://api.github.com/repos/{org}/{repo}/releases/latest

I would agree with the benefits of a fallback, as long as it doesn't become the only option.

Sadly, the API requires a GitHub token even for public repositories. The default GitHub token provided in GitHub Actions doesn't work for this purpose, so repositories might have to use a PAT/application token. This might not be feasible for public repositories and would pose a security risk for something that should be public.

[kzantow]

I finally got around to trying this, and curl -s https://api.github.com/repos/anchore/syft/releases/latest seems to work fine without any token specified...

[nblack-er]

GitHub reverted the change, and I am able to use the install.sh script again.

[tgerla]

We'll close this one out but if GitHub makes any more changes we will definitely follow up. Thanks!