SBOM files for some artifacts are almost empty #488
Assignees
Comments
|
@cpanato, do you have an idea on what's going on? @cartersocha, this is the issue we talked about during the SIG Security call. |
|
hum looks like it is doing working well with the .tar.gz, i think that is better only with the binary, i can change that |
|
seems we need to pass some config options run locally (with the correct version now) |
|
i run the gorelease locally and the sboms was created with data |
|
we need to make sure we have the latest syft, checking that |
|
was able to reproduce the issue with |
|
we need to wait for anchore/sbom-action#456 |
|
Thank you for the investigation! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We have SBOMs since v0.95.0, but some artifacts seem to be missing the actual contents of the package, like the one for otelcol-contrib_0.95.0_darwin_amd64.tar.gz.sbom:
{ "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "otelcol-contrib_0.95.0_darwin_amd64.tar.gz", "documentNamespace": "https://anchore.com/syft/file/otelcol-contrib_0.95.0_darwin_amd64.tar.gz-2e3641ac-13d0-4b31-a9f2-025169cf944c", "creationInfo": { "licenseListVersion": "3.22", "creators": ["Organization: Anchore, Inc", "Tool: syft-0.103.1"], "created": "2024-02-21T16:25:34Z", }, "packages": [ { "name": "otelcol-contrib_0.95.0_darwin_amd64.tar.gz", "SPDXID": "SPDXRef-DocumentRoot-File-otelcol-contrib-0.95.0-darwin-amd64.tar.gz", "versionInfo": "sha256:d380af1301fd318be75af009543cb7abeb1aca8ce12dd25f60529085a7c6417f", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "checksums": [ { "algorithm": "SHA256", "checksumValue": "d380af1301fd318be75af009543cb7abeb1aca8ce12dd25f60529085a7c6417f", }, ], "primaryPackagePurpose": "FILE", }, ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-DocumentRoot-File-otelcol-contrib-0.95.0-darwin-amd64.tar.gz", "relationshipType": "DESCRIBES", }, ], }Some other entries, like otelcol_0.95.0_windows_amd64.tar.gz.sbom , seem to have an appropriate content, containing things like:
{ "name": "golang.org/x/oauth2", "SPDXID": "SPDXRef-Package-go-module-golang.org-x-oauth2-80fd63a362642b94", "versionInfo": "v0.16.0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "checksums": [ { "algorithm": "SHA256", "checksumValue": "683906301498c4495aa0ff35369a14a33da8a36476c07759a464e85317f242b4" } ], "sourceInfo": "acquired package info from go module information: otelcol.exe", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [ { "referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:golang:x\\/oauth2:v0.16.0:*:*:*:*:*:*:*" }, { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/golang.org/x/oauth2@v0.16.0" } ] },We need to investigate what's the difference, and how we can get the packages to be like the SBOMs for Windows.
The text was updated successfully, but these errors were encountered: