
"none" under file selection in configuration doesn't work as expected #2989

Open
tomersein opened this issue Jun 25, 2024 · 1 comment
Labels
bug Something isn't working files relating to file nodes in the SBOM

Comments

tomersein (Contributor) wrote:

What happened:
When I use "none" I still get a "files" entry in the final JSON.
What you expected to happen:
If I use "none", remove the "files" entry.
Steps to reproduce the issue:
Use this config.yaml:

file:
  metadata:
    # select which files should be captured by the file-metadata cataloger and included in the SBOM.
    # Options include:
    #  - "all": capture all files from the search space
    #  - "owned-by-package": capture only files owned by packages
    #  - "none", "": do not capture any files
    # SYFT_FILE_METADATA_SELECTION env var
    selection: "none"

Scan an image or directory.
Anything else we need to know?:
I did a little check and the issue is this function:
func toFile(s sbom.SBOM) []model.File
I think that in the case of "none" it shouldn't enter this function, or it should skip the entry (if all variables like metadata, digest, etc. are empty).

Environment:

  • Output of syft version: 1.8.0
  • OS (e.g: cat /etc/os-release or similar): macOS
@tomersein tomersein added the bug Something isn't working label Jun 25, 2024
kzantow (Contributor)

kzantow commented Jun 25, 2024

I can confirm there seems to be something unexpected happening here:

SYFT_FILE_METADATA_SELECTION=none syft alpine:latest -o json

It results in a files section with no metadata or any other information such as digests:

  "files": [
    {
      "id": "a74cadfe8cda7a82",
      "location": {
        "path": "/bin/busybox",
        "layerID": "sha256:02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72"
      }
    },
   ...

For what it's worth: I think it might make sense for this flag to prevent metadata from being captured, rather than preventing files from being captured, and perhaps we should think about introducing a new configuration for the entire file section to disable all file data collection, e.g.:

file:
  # enable file cataloging
  enabled: true
  - or -
  selection: ...

  metadata:
    # select which files should be captured by the file-metadata cataloger and included in the SBOM. 
    # Options include:
    #  - "all": capture all files from the search space
    #  - "owned-by-package": capture only files owned by packages
    #  - "none", "": do not capture any files (env: SYFT_FILE_METADATA_SELECTION)
    selection: 'owned-by-package'
    
    # the file digest algorithms to use when cataloging files (options: "md5", "sha1", "sha224", "sha256", "sha384", "sha512") (env: SYFT_FILE_METADATA_DIGESTS)
    digests: 
      - 'sha1'
      - 'sha256'    
   ...

@wagoodman wagoodman added the files relating to file nodes in the SBOM label Jul 2, 2024
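SBOM consumers can verify whether the "none" setting was honored without reading through the document by hand. The following Go program is an added example, not syft code: it parses a syft JSON document and lists the file entries that carry nothing beyond id and location, which is exactly the shape shown in the output above. The File struct is an approximation of that JSON shape, not syft's model.File, and the sample document is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// File mirrors the subset of a syft JSON "files" entry needed here.
// Constructed approximation; syft's own model.File has more fields.
type File struct {
	ID       string          `json:"id"`
	Location json.RawMessage `json:"location"`
	Metadata json.RawMessage `json:"metadata"`
	Digests  json.RawMessage `json:"digests"`
	Contents json.RawMessage `json:"contents"`
	Licenses json.RawMessage `json:"licenses"`
}

// present reports whether a raw JSON field was set to something other than null.
func present(raw json.RawMessage) bool {
	return len(raw) > 0 && string(raw) != "null"
}

// hasData reports whether the entry carries anything beyond id and location.
func (f File) hasData() bool {
	return present(f.Metadata) || present(f.Digests) || present(f.Contents) || present(f.Licenses)
}

// emptyFileEntries parses a syft JSON document and returns the IDs of file
// entries that have no metadata, digests, contents, or licenses attached.
func emptyFileEntries(doc []byte) ([]string, error) {
	var parsed struct {
		Files []File `json:"files"`
	}
	if err := json.Unmarshal(doc, &parsed); err != nil {
		return nil, err
	}
	var ids []string
	for _, f := range parsed.Files {
		if !f.hasData() {
			ids = append(ids, f.ID)
		}
	}
	return ids, nil
}

// sample is a constructed document shaped like the output quoted above:
// the first entry has only id and location, the second also carries a digest.
const sample = `{"files":[
 {"id":"a74cadfe8cda7a82","location":{"path":"/bin/busybox","layerID":"sha256:PLACEHOLDER"}},
 {"id":"f1e2d3c4b5a69788","location":{"path":"/etc/alpine-release","layerID":"sha256:PLACEHOLDER"},
  "digests":[{"algorithm":"sha256","value":"PLACEHOLDER"}]}
]}`

func main() {
	ids, err := emptyFileEntries([]byte(sample))
	if err != nil {
		panic(err)
	}
	fmt.Println("file entries with no captured data:", ids)
}
```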