anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems

Image tag not contain all specified catalogers

yogevhenig89 opened this issue

What happened:
Using the latest syft version, 0.105.0, when running syft catalogers list I get the table, and there are 19 catalogers containing the image tag:

alpm-db-cataloger
binary-cataloger
cargo-auditable-binary-cataloger
conan-info-cataloger
dotnet-portable-executable-cataloger
dpkg-db-cataloger
go-module-binary-cataloger
graalvm-native-image-cataloger
java-archive-cataloger
javascript-package-cataloger
linux-kernel-cataloger
nix-store-cataloger
php-composer-installed-cataloger
portage-cataloger
python-installed-package-cataloger
r-package-cataloger
rpm-db-cataloger
ruby-installed-gemspec-cataloger
wordpress-plugins-cataloger

But when trying to use the tag with the following command on some random folder:
./syft dir:~/Desktop/test -vv --select-catalogers image

I only get that 14 catalogers were used:

alpm-db-cataloger
apk-db-cataloger
dpkg-db-cataloger
portage-cataloger
rpm-db-cataloger
dotnet-portable-executable-cataloger
python-installed-package-cataloger
go-module-binary-cataloger
java-archive-cataloger
graalvm-native-image-cataloger
nix-store-cataloger
binary-cataloger
linux-kernel-cataloger
wordpress-plugins-cataloger

What you expected to happen:
Syft uses all the catalogers with the image tag

Steps to reproduce the issue:

Anything else we need to know?:

Environment:

  • Output of syft version: 0.105.0
  • OS (e.g: cat /etc/os-release or similar): macOS

Hi @yogevhenig89, the option you want to use is: --override-default-catalogers. The --select-catalogers flag filters the default set of catalogers when specifying tags (or removes based on tag/name when prefixed with - and adds individually named catalogers when prefixed with +).

$ syft --override-default-catalogers image dir:. -o json | jq '.descriptor.configuration.catalogers.used'
[
  "alpm-db-cataloger",
  "apk-db-cataloger",
  "binary-cataloger",
  "cargo-auditable-binary-cataloger",
  "conan-info-cataloger",
  "dotnet-portable-executable-cataloger",
  "dpkg-db-cataloger",
  "go-module-binary-cataloger",
  "graalvm-native-image-cataloger",
  "java-archive-cataloger",
  "javascript-package-cataloger",
  "linux-kernel-cataloger",
  "nix-store-cataloger",
  "php-composer-installed-cataloger",
  "portage-cataloger",
  "python-installed-package-cataloger",
  "r-package-cataloger",
  "rpm-db-cataloger",
  "ruby-installed-gemspec-cataloger",
  "wordpress-plugins-cataloger"
]

$ syft cataloger list --select-catalogers image
Default selections:
  - "all"
Selected by expressions:
  - "image"
┌──────────────────────────────────────┬───────────────────────────────────────────────────────────────────────────┐
│ CATALOGER                            │ TAGS                                                                      │
├──────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────┤
│ alpm-db-cataloger                    │ alpm, archlinux, directory, image, installed, linux, os, package          │
│ apk-db-cataloger                     │ alpine, apk, directory, image, installed, linux, os, package              │
│ binary-cataloger                     │ binary, declared, directory, image, installed, package                    │
│ cargo-auditable-binary-cataloger     │ binary, image, installed, language, package, rust                         │
│ conan-info-cataloger                 │ conan, cpp, image, installed, language, package                           │
│ dotnet-portable-executable-cataloger │ binary, c#, directory, dotnet, image, installed, language, package        │
│ dpkg-db-cataloger                    │ debian, directory, dpkg, image, installed, linux, os, package             │
│ go-module-binary-cataloger           │ binary, directory, go, golang, gomod, image, installed, language, package │
│ graalvm-native-image-cataloger       │ directory, image, installed, java, language, package                      │
│ java-archive-cataloger               │ directory, image, installed, java, language, maven, package               │
│ javascript-package-cataloger         │ image, installed, javascript, language, node, package                     │
│ linux-kernel-cataloger               │ declared, directory, image, installed, kernel, linux, package             │
│ nix-store-cataloger                  │ directory, image, installed, language, nix, package                       │
│ php-composer-installed-cataloger     │ composer, image, installed, language, package, php                        │
│ portage-cataloger                    │ directory, gentoo, image, installed, linux, os, package, portage          │
│ python-installed-package-cataloger   │ directory, image, installed, language, package, python                    │
│ r-package-cataloger                  │ image, installed, language, package, r                                    │
│ rpm-db-cataloger                     │ directory, image, installed, linux, os, package, redhat, rpm              │
│ ruby-installed-gemspec-cataloger     │ gem, gemspec, image, installed, language, package, ruby                   │
│ wordpress-plugins-cataloger          │ directory, image, package, wordpress                                      │
└──────────────────────────────────────┴───────────────────────────────────────────────────────────────────────────┘

The reason for this is that there are different default sets of catalogers depending on whether you run an image scan or a directory scan. Generally speaking, things like selecting the "javascript" catalogers based on the default set rather than all catalogers is the more correct thing to do. The --override-default-catalogers flag allows the default set to be altered, which I believe is what you are looking to do. Does this help?

We'll go ahead and close this issue, but please let us know if you need anything else.
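
The difference between the two flags can be reproduced from the tag table in the reply above; this is an added example, not part of the original thread or of syft's code. It models the selection as set operations and checks an SBOM's `.descriptor.configuration.catalogers.used` for gaps. The function names are hypothetical, and treating the directory-scan default set as "every cataloger tagged directory" is an assumption.

```python
import json

# Tag table copied from the `syft cataloger list --select-catalogers image` output above.
TABLE = """\
alpm-db-cataloger|alpm, archlinux, directory, image, installed, linux, os, package
apk-db-cataloger|alpine, apk, directory, image, installed, linux, os, package
binary-cataloger|binary, declared, directory, image, installed, package
cargo-auditable-binary-cataloger|binary, image, installed, language, package, rust
conan-info-cataloger|conan, cpp, image, installed, language, package
dotnet-portable-executable-cataloger|binary, c#, directory, dotnet, image, installed, language, package
dpkg-db-cataloger|debian, directory, dpkg, image, installed, linux, os, package
go-module-binary-cataloger|binary, directory, go, golang, gomod, image, installed, language, package
graalvm-native-image-cataloger|directory, image, installed, java, language, package
java-archive-cataloger|directory, image, installed, java, language, maven, package
javascript-package-cataloger|image, installed, javascript, language, node, package
linux-kernel-cataloger|declared, directory, image, installed, kernel, linux, package
nix-store-cataloger|directory, image, installed, language, nix, package
php-composer-installed-cataloger|composer, image, installed, language, package, php
portage-cataloger|directory, gentoo, image, installed, linux, os, package, portage
python-installed-package-cataloger|directory, image, installed, language, package, python
r-package-cataloger|image, installed, language, package, r
rpm-db-cataloger|directory, image, installed, linux, os, package, redhat, rpm
ruby-installed-gemspec-cataloger|gem, gemspec, image, installed, language, package, ruby
wordpress-plugins-cataloger|directory, image, package, wordpress
"""
# Cataloger name -> set of tags.
CATALOGERS = {n: set(t.split(", ")) for n, t in (r.split("|") for r in TABLE.splitlines())}

def tagged(tag, pool=None):
    """Names in pool (default: every cataloger in the table) that carry the tag."""
    return {n for n in (CATALOGERS if pool is None else pool) if tag in CATALOGERS[n]}

def select_catalogers(default_tag, tag):
    """Model of --select-catalogers <tag>: narrows the scan type's default set (assumed = default_tag)."""
    return tagged(tag, pool=tagged(default_tag))

def override_default_catalogers(tag):
    """Model of --override-default-catalogers <tag>: the tag replaces the default set."""
    return tagged(tag)

def missing_from_sbom(sbom_text, expected):
    """Expected catalogers that are absent from the SBOM's catalogers.used list."""
    used = json.loads(sbom_text)["descriptor"]["configuration"]["catalogers"]["used"]
    return sorted(set(expected) - set(used))

if __name__ == "__main__":
    narrowed, full = select_catalogers("directory", "image"), override_default_catalogers("image")
    sbom = json.dumps({"descriptor": {"configuration": {"catalogers": {"used": sorted(narrowed)}}}})  # constructed
    print(len(narrowed), len(full), missing_from_sbom(sbom, full))
```

Running `missing_from_sbom` over a real `-o json` SBOM in CI makes a silently narrowed cataloger set visible before the SBOM is consumed downstream.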