What happened:
When running syft against a project using Swift Package Manager and a version 3 Package.resolved file, an error occurred (error=unknown swift package manager version, 3.000000 location=/Package.resolved) and the sbom output was incomplete:

```text
swift-embedded-examples(main*)$ syft scan ./stm32-neopixel -o cyclonedx-json=sbom.json
 ✔ Indexed file system stm32-neopixel
 ✔ Cataloged contents 6ba85f929a0d558c5687b1245352e16c6ee8aa429acbdff263954992966a54e8
   ├── ✔ Packages [0 packages]
   └── ✔ Executables [0 executables]
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
[0000]  WARN cataloger failed cataloger=swift-package-manager-cataloger error=unknown swift package manager version, 3.000000 location=/Package.resolved
swift-embedded-examples(main*)$ cat sbom.json | jq
```

```json
{
  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:75f909ea-e5a5-49d9-9e9e-73bb23a611a7",
  "version": 1,
  "metadata": {
    "timestamp": "2024-04-08T10:23:55-04:00",
    "tools": {
      "components": [
        {
          "type": "application",
          "author": "anchore",
          "name": "syft",
          "version": "1.1.1"
        }
      ]
    },
    "component": {
      "bom-ref": "06497d32a1d71b4c",
      "type": "file",
      "name": "./stm32-neopixel"
    }
  }
}
```
What you expected to happen:
No error, and syft to output similar to how it does for version 2 schemas:
Hi @maxgip, thanks for the report! We'll put this in the backlog for the future. If you're interested in working on it, please let us know and we can help get you started.
Steps to reproduce the issue:
From a repo using SPM and Package.resolved version 3 (I used the stm32-neopixel folder in https://github.com/apple/swift-embedded-examples), run syft:

```sh
git clone https://github.com/apple/swift-embedded-examples.git
cd swift-embedded-examples
syft scan ./stm32-neopixel -o cyclonedx-json=sbom.json
```
Anything else we need to know?:
The V3 schema looks like a superset of V2; it just has an additional (optional) originHash key: https://github.com/apple/swift-package-manager/blob/f4ab9a43f3cfbb8f184043435f925b67b0070f36/Sources/PackageGraph/PinsStore.swift#L386-L484
Environment:
Output of syft version:
OS (e.g: cat /etc/os-release or similar):
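As an added illustration of the point raised in the report (this is example code, not syft's cataloger and not from the linked repo), the following Go parser treats Package.resolved v3 as a superset of v2: it accepts both version numbers, tolerates the optional originHash key, and rejects any other version with an explicit error rather than silently producing an empty package list. The sample document, the swift-mmio pin and the placeholder hash are constructed for the example.

```go
package main
import (
	"encoding/json"
	"fmt"
)

// pin is one resolved dependency; State carries the pinned revision and version.
type pin struct {
	Identity string `json:"identity"`
	Kind     string `json:"kind"`
	Location string `json:"location"`
	State    struct {
		Revision string `json:"revision"`
		Version  string `json:"version"`
	} `json:"state"`
}
// resolvedFile decodes v2 and v3 alike: v3 only adds the optional originHash key.
type resolvedFile struct {
	OriginHash string `json:"originHash,omitempty"`
	Pins       []pin  `json:"pins"`
	Version    int    `json:"version"`
}
// ParsePackageResolved accepts versions 2 and 3 and rejects others with a clear error,
// so a cataloger can report why instead of silently emitting an empty SBOM.
func ParsePackageResolved(data []byte) ([]pin, error) {
	var f resolvedFile
	if err := json.Unmarshal(data, &f); err != nil {
		return nil, fmt.Errorf("invalid Package.resolved: %w", err)
	}
	if f.Version != 2 && f.Version != 3 {
		return nil, fmt.Errorf("unknown swift package manager version %d", f.Version)
	}
	return f.Pins, nil
}
// sampleV3 is a constructed v3 Package.resolved, not copied from the repo in the report.
const sampleV3 = `{
  "originHash" : "PLACEHOLDER-ORIGIN-HASH",
  "pins" : [ { "identity" : "swift-mmio", "kind" : "remoteSourceControl",
               "location" : "https://github.com/apple/swift-mmio",
               "state" : { "revision" : "0000000000000000000000000000000000000000", "version" : "0.0.1" } } ],
  "version" : 3
}`
func main() {
	pins, err := ParsePackageResolved([]byte(sampleV3))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d pin(s); first: %s @ %s\n", len(pins), pins[0].Identity, pins[0].State.Revision)
}
```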