-
Notifications
You must be signed in to change notification settings - Fork 587
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Syft command restructure #516
Comments
To add on to this, this implies that we need better ways to express cataloging configurability. That is, today we catalog "packages" under the packages command, and this allows us to catalog more than packages under the "create" command (e.g. file metadata, file digests, etc). We could leave all catalogers on by default, however, it would be more ideal to allow for enabling catalogers selectively. Today we change the set of catalogers based on what the source type is (image vs filesystem). When the input is an image we use catalogers that look specifically for installed packages (e.g. RPM dbs, python wheel and egg metadata files, etc). When the input is a filesystem we use catalogers that look for any ecosystem index files even if it's not indicative of an installation (e.g. python Here's a possible path forward for this:
Where
In which case our current set of catalogers would be named:
And you can specify partial names to select on:
Some example usage:
We could add semantics that allow for keeping the default catalogers and adding or removing a few:
One problem I see with this approach is that it's really easy to want to specify plurals for items here, but that would be more difficult to parse. Another thing: if we go with this idea (or some variant of this idea) that implies that we should remove the Open to thoughts/comments/suggestions on this! |
( Relates to #465 ) |
I like this direction a lot! Re: moving from syft [noun] to syft [verb]I love it. Very excited about this! Re: adding to cataloger configurationWe've known for a while that we'd need to allow for more granular configuration of cataloging, and it's exciting to see us begin to tackle this challenge 🎉 🎉 🎉 Here's my two cents...
|
responding about the cataloger configuration (tackling in a odd order here):
With the above list I still left organization prefixes so you could still specify
2. Agreed! I think the configuration we have today is mostly alright --the main alteration is swapping "switches" for "lists". For instance, take todays (amended) config:
...
package:
cataloger:
# enable/disable cataloging of packages
# SYFT_PACKAGE_CATALOGER_ENABLED env var
enabled: true
# the search space to look for packages (options: all-layers, squashed)
# same as -s ; SYFT_PACKAGE_CATALOGER_SCOPE env var
scope: "squashed"
# cataloging file classifications is exposed through the power-user subcommand
file-classification:
cataloger:
# enable/disable cataloging of file classifications
# SYFT_FILE_CLASSIFICATION_CATALOGER_ENABLED env var
enabled: true
# the search space to look for file classifications (options: all-layers, squashed)
# SYFT_FILE_CLASSIFICATION_CATALOGER_SCOPE env var
scope: "squashed"
# cataloging file contents is exposed through the power-user subcommand
file-contents:
cataloger:
# enable/disable cataloging of secrets
# SYFT_FILE_CONTENTS_CATALOGER_ENABLED env var
enabled: true
# the search space to look for secrets (options: all-layers, squashed)
# SYFT_FILE_CONTENTS_CATALOGER_SCOPE env var
scope: "squashed"
# skip searching a file entirely if it is above the given size (default = 1MB; unit = bytes)
# SYFT_FILE_CONTENTS_SKIP_FILES_ABOVE_SIZE env var
skip-files-above-size: 1048576
# file globs for the cataloger to match on
# SYFT_FILE_CONTENTS_GLOBS env var
globs: []
... Here's the same config selection, but with the suggested alterations: ...
##### this is the new section
catalogers:
enabled:
- package
- file-classification
- file-contents
##### below is mostly the same, but a little smaller and flatter...
package:
# the search space to look for packages (options: all-layers, squashed)
# same as -s ; SYFT_PACKAGE_SCOPE env var
scope: "squashed"
# cataloging file classifications is exposed through the power-user subcommand
file-classification:
# the search space to look for file classifications (options: all-layers, squashed)
# SYFT_FILE_CLASSIFICATION_SCOPE env var
scope: "squashed"
# cataloging file contents is exposed through the power-user subcommand
file-contents:
# the search space to look for secrets (options: all-layers, squashed)
# SYFT_FILE_CONTENTS_SCOPE env var
scope: "squashed"
# skip searching a file entirely if it is above the given size (default = 1MB; unit = bytes)
# SYFT_FILE_CONTENTS_SKIP_FILES_ABOVE_SIZE env var
skip-files-above-size: 1048576
# file globs for the cataloger to match on
# SYFT_FILE_CONTENTS_GLOBS env var
globs: []
... Note: I'm only illustrating the config changes idea, so I'm leaving todays cataloger names in this example (e.g. A list of enabled catalogers seems to be the simplest approach to start with, but I also think this would be a small but meaningful lift to add: cataloger:
# could take cataloger names or group names
enabled:
- my-awesome-group-name
# allow for user-defined groups.
groups:
my-awesome-group-name:
- file-metadata
- file-classification
- package Adding back in fine-grained control over the individual package catalogers... We could encode our "image" and "directory" distinctions as cataloger groups: cataloger:
# empty list (the default) = auto... syft selects for me
enabled: []
groups:
# a default group...
image:
- ruby-gem-spec
- python-package
- ...
# a default group...
directory:
- ruby-gem-file-lock
- python-requirements
- python-poetry-lock
- ... Note: this is mixing the feedback from point 1 (package cataloger names) , but is attempting to illustrate the usefulness of cataloger groups as a config option in general. |
@luhring , I think you're right for the meantime if we exposed per-cataloger enable/disable functionality it's probably a good idea to keep that to configuration for the meantime and discover the CLI expression later. |
A note that wasn't mentioned in this comment thread explicitly was what commands would be added to the syft CLI and which would be removed.
Commands that will be removed:
|
I'm going to split out the configuration suggestions into it's own issue. That means this issue is only about deprecating the Suggested work:
This implies that |
I've been following this issue since I use the power-user command. Do you have a proposed set of config settings that mimic the output currently generated by syft power-user? What I was looking for was something along the lines of: I looked in https://github.com/anchore/syft#configuration based on the output of "syft power-user --help". A search there for "power-user" did give me some possible pointers, but it wasn't clear to me that setting those config items to true would be all that was needed. The settings I saw that seemed to related to the output produced by the power-user command were:
I really just want to be ready for when power-user is deprecated, so no rush here (unless v1.0 is coming out tomorrow 😄 ). |
What would you like to be added:
Currently syft's root and packages commands produce the same
package
specific output:syft packages node:latest > /dev/null
syft node:latest > /dev/null
syft also has a
power-user
command which produces a more verbose output concerningpackages
,secrets
,file metadata
file-digests
:syft power-use node:latest > /dev/null
I believe the
syft [noun]
pattern is not the space where we want to be focusing development moving forward.Given that syft is concerned with sbom generation, I propose we look to move our command structure towards
syft [verb]
, starting withsyft create
orsyft describe
in order to generate an sbom.The goal of this command API change follows improving a few key points.
Our current path of coupling
presenter/noun
logic and structures will lead to a good bit of unmanageable code sprawl. We can already see here that thepoweruser
config struct has a host of VERY specific and useful information that only it has access to. Rather than reimplement/confuse these structures for eachnoun
we should look to shift them lower in the program so presenters interpret all possible SBOM entities the same way.syft/internal/presenter/poweruser/json_document_config.go
Lines 11 to 21 in e5caba0
As we move into wanting to describe more SBOM entities, code paths like
presenter/secrets
presenter/files
presenter/relationships
just do not scale into the user behavior or usefulness we want for the tool.syft create
should already do analysis for the different entities with sane defaults and a config input that can increase/decrease the entities analyzed for the command.Refocus presenter to be
presenter/spdx
presenter/json
presenter/cyclonedx
. Formats as described previously should not be children of nouns likepackages
. The current program architecture does just thissyft/internal/presenter/packages/spdx.go,json_pacakge.go,table,etc
. Refactoring tosyft [verb] -o [presenter]
allows us much more space to design common logic/structures when dealing with different SBOM entities.Why is this needed:
Remove formal sbom entity semantics from command API to refocus program on its main directive of generating sbom.
Additional context:
TODO
The text was updated successfully, but these errors were encountered: