
feat: syft 3435 - add file components to cyclonedx bom output when file metadata is available #3539

Merged
merged 8 commits into main from 3435-syft
Jan 31, 2025

Conversation

spiffcs
Contributor

@spiffcs spiffcs commented Dec 18, 2024

Description

This change updates syft to add cyclone-dx components with the type file when the underlying SBOM has coordinates that are mapped to their respective file metadata.

Example

export SYFT_FILE_METADATA_SELECTION="all"
go run cmd/syft/main.go -o cyclonedx-json dir:../stereoscope/ > sbom.json

Slice of new file types from output

    {
      "bom-ref": "7a9779339fe3868f",
      "type": "file",
      "name": "/Users/hal/development/stereoscope/.DS_Store",
      "hashes": [
        {
          "alg": "SHA-1",
          "content": "c918669c6ac5631bee00ceaef5f2e8a023945697"
        },
        {
          "alg": "SHA-256",
          "content": "3617159d3c3333bda8497d3c60fdda46f5ce0ab72bf3ba772dbb9128e0aca2d5"
        }
      ]
    },
    {
      "bom-ref": "ec6f846aad26adea",
      "type": "file",
      "name": "/Users/hal/development/stereoscope/.binny.yaml",
      "hashes": [
        {
          "alg": "SHA-1",
          "content": "41928b763c5478f3bc3ddde1135b0ece1536ff86"
        },
        {
          "alg": "SHA-256",
          "content": "fb6962a7f181dd5bb3e74ba637b83e91800197863b7d56cb53a6a6b96cb78668"
        }
      ]
    },

Type of change

  • New feature (non-breaking change which adds functionality)

Checklist:

  • I have added unit tests that cover changed behavior
  • I have tested my code in common scenarios and confirmed there are no regressions
  • I have added comments to my code, particularly in hard-to-understand sections
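
As an added example (not code from this PR or from syft itself), a small Go program that builds CycloneDX file components in the shape shown in the output above and then verifies a file's current bytes against every hash the component records, which is what these new components make possible for a consumer of the SBOM. The bom-ref scheme, the path and the file content are constructed assumptions.

```go
package main

import (
	"crypto/sha1"
	"crypto/sha256"
	"fmt"
)
// Hash and Component mirror the CycloneDX JSON shape in the PR output above.
type Hash struct {
	Alg     string `json:"alg"`
	Content string `json:"content"`
}
type Component struct {
	BOMRef string `json:"bom-ref"`
	Type   string `json:"type"`
	Name   string `json:"name"`
	Hashes []Hash `json:"hashes"`
}

// digests computes the two algorithms that appear in the PR output.
func digests(b []byte) []Hash {
	return []Hash{{"SHA-1", fmt.Sprintf("%x", sha1.Sum(b))}, {"SHA-256", fmt.Sprintf("%x", sha256.Sum256(b))}}
}

// FileComponent builds a type "file" component; the bom-ref is a hypothetical truncated SHA-256 of the path, not syft's scheme.
func FileComponent(path string, b []byte) Component {
	return Component{fmt.Sprintf("%x", sha256.Sum256([]byte(path)))[:16], "file", path, digests(b)}
}

// VerifyFile re-hashes the bytes present now against every recorded hash; non-file or hash-less components never verify.
func VerifyFile(c Component, b []byte) (bool, string) {
	if c.Type != "file" || len(c.Hashes) == 0 {
		return false, "unverifiable component"
	}
	now := map[string]string{}
	for _, h := range digests(b) {
		now[h.Alg] = h.Content
	}
	for _, h := range c.Hashes {
		if now[h.Alg] != h.Content {
			return false, h.Alg // first mismatching algorithm
		}
	}
	return true, ""
}
func main() { // constructed sample content; a real SBOM carries paths from the scanned directory
	c := FileComponent("/app/.binny.yaml", []byte("tools:\n  - name: syft\n"))
	ok, alg := VerifyFile(c, []byte("tools:\n  - name: syft\n# tampered\n"))
	fmt.Printf("%s %s verified=%v mismatch=%q\n", c.BOMRef, c.Name, ok, alg)
}
```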

@spiffcs spiffcs requested a review from wagoodman December 18, 2024 20:52
@spiffcs spiffcs changed the title fix: 3435 syft - add file components to cyclonedx bom output when file metadata is available feat: syft 3435 - add file components to cyclonedx bom output when file metadata is available Dec 18, 2024
@spiffcs spiffcs requested review from a team and removed request for wagoodman December 18, 2024 20:57
* main: (67 commits)
  chore(deps): bump github/codeql-action from 3.28.7 to 3.28.8 (#3634)
  docs: update descriptions with correct options (#3630)
  chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.8 to 0.5.9 (#3627)
  chore(deps): bump github/codeql-action from 3.28.6 to 3.28.7 (#3628)
  feat: update licenses to including license content when SPDX expressions are unable to be determined (#3366)
  fix: update namespace value for OpenSUSE distros (#3615)
  chore(deps): bump github/codeql-action from 3.28.5 to 3.28.6 (#3625)
  chore(deps): update CPE dictionary index (#3620)
  chore(deps): bump github.com/bmatcuk/doublestar/v4 from 4.8.0 to 4.8.1 (#3621)
  chore(deps): bump github/codeql-action from 3.28.4 to 3.28.5 (#3622)
  chore(deps): bump github/codeql-action from 3.28.3 to 3.28.4 (#3618)
  chore(deps): bump anchore/sbom-action from 0.17.9 to 0.18.0 (#3619)
  chore(deps): update tools to latest versions (#3607)
  chore(deps): bump github/codeql-action from 3.28.2 to 3.28.3 (#3608)
  chore(deps): bump github.com/go-git/go-git/v5 from 5.13.1 to 5.13.2 (#3609)
  chore(deps): bump github.com/docker/docker (#3610)
  chore(deps): bump actions/setup-go in /.github/actions/bootstrap (#3612)
  chore(deps): bump actions/cache in /.github/actions/bootstrap (#3613)
  chore(ci): fix composite GitHub action path in dependabot config (#3611)
  chore(deps): update tools to latest versions (#3602)
  ...
Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs spiffcs requested review from willmurphyscode and a team January 30, 2025 18:57
@spiffcs spiffcs merged commit 9a9195e into main Jan 31, 2025
12 checks passed
@spiffcs spiffcs deleted the 3435-syft branch January 31, 2025 20:09
spiffcs added a commit that referenced this pull request Feb 5, 2025
* main:
  Add file catalogers to selection configuration (#3505)
  chore: replace all shorthand tags of mapstruct -> mapstructure (#3633)
  chore(deps): update tools to latest versions (#3637)
  chore(deps): update CPE dictionary index (#3638)
  feat: syft 3435 - add file components to cyclonedx bom output when file metadata is available (#3539)
  chore(deps): update tools to latest versions (#3635)
  chore(deps): bump github/codeql-action from 3.28.7 to 3.28.8 (#3634)
juan131 pushed a commit to juan131/syft that referenced this pull request Feb 14, 2025
…le metadata is available (anchore#3539)

---------
Signed-off-by: Christopher Phillips <[email protected]>
Successfully merging this pull request may close these issues.

cyclone-dx presenter drops files, includes only packages