Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

command: compare with sbom:// #43

Closed
MPV opened this issue May 27, 2024 · 3 comments
Closed

command: compare with sbom:// #43

MPV opened this issue May 27, 2024 · 3 comments

Comments

@MPV
Copy link

MPV commented May 27, 2024

I'd like to be able to use the new sbom:// syntax, but it seems it's not (yet) supported with the command: compare mode.

Steps to reproduce:

  1. Run a workflow with a step like this:
      - name: Generate SBOM for image
        id: sbom
        uses: anchore/sbom-action@719133684c7d294116626d1344fe64f0d2ff3e9e # v0.15.2
        with:
          image: ${{ env.IMAGE }}:${{ github.sha }}
          output-file: sbom.spdx.json

      - name: Docker Scout
        if: ${{ github.event_name == 'pull_request' && !cancelled() }}
        uses: docker/scout-action@c01629436921e4c567967cbfa14764f4b6113237 # v1.6.4
        with:
          command: compare
          image: sbom://sbom.spdx.json
          to: ${{ env.IMAGE }}:latest
          ignore-unchanged: true
          only-fixed: true
          write-comment: true

Expected results:

  1. Same kind of output as in my non-SBOM example below.

Actual results:

  1. The step fails with Error: missing or wrong "image" input

non-SBOM example (for comparison):

      - name: Docker Scout
        if: ${{ github.event_name == 'pull_request' && !cancelled() }}
        uses: docker/scout-action@c01629436921e4c567967cbfa14764f4b6113237 # v1.6.4
        with:
          command: compare
          image: ${{ env.IMAGE }}:${{ github.sha }}
          to: ${{ env.IMAGE }}:latest
          ignore-unchanged: true
          only-fixed: true
          write-comment: true

For reference, this should be supported upstream nowadays, as per:

And here's using it without the action:

$ syft alpine:latest -o syft-json > sbom.spdx.json
$ docker scout compare --to alpine:latest sbom://sbom.spdx.json
[...]
@eunomie
Copy link
Contributor

eunomie commented May 30, 2024

Thanks @MPV to have raised the issue.
I'll see to have it in a following release.

@eunomie
Copy link
Contributor

eunomie commented Jun 26, 2024

@MPV The fix has been integrated in the new v1.10.0 release.

@eunomie eunomie closed this as completed Jun 26, 2024
@MPV
Copy link
Author

MPV commented Jun 27, 2024

@MPV The fix has been integrated in the new v1.10.0 release.

Thanks for your efforts. But to be honest I was looking for comparing an image with an SBOM (as you see in my example).

Doing this (now with v1.10.0) instead gives:
Error: missing or wrong "image" input

But I am able to do the equivalent using the Docker Scout CLI. I assume your intent is that they should be doing the same thing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@MPV @eunomie