Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Report known unknowns directly in the output SBOM #518

Closed
wagoodman opened this issue Sep 28, 2021 · 1 comment · Fixed by #2998
Closed

Report known unknowns directly in the output SBOM #518

wagoodman opened this issue Sep 28, 2021 · 1 comment · Fixed by #2998
Assignees
@kzantow
Labels
enhancement New feature or request
Milestone
Meet NTIA Minimum...

Comments

@wagoodman
Copy link
Contributor

wagoodman commented Sep 28, 2021
edited
Loading

It would be ideal if the output SBOM of syft included a description of what is in scope and out of scope as clearly as possible. This includes (but not limited to):

  • which catalogers were used during the SBOM generation process
  • what was the configuration of each cataloger (should be covered in the app config section already)
  • what paths were included in the search vs excluded from the search (as input)
  • what paths were attempted to be parsed/searched but could not be for various reasons (IO error, permissions error, parse error)

Why? A good SBOM describes the positive cases of "what" was actually found (X packages, Y files, etc). A great SBOM should describe negative conditions. This doesn't apply to the cases themselves, such as "list all of the packages you didn't find" (which makes no sense), but instead the runtime, configuration, and environmental factors that lead to "places not searched". This helps SBOM consumers better reproduce results and understand the boundaries of what was "in scope" vs "out of scope" during the analysis.
@wagoodman wagoodman added the enhancement New feature or request label Sep 28, 2021
@wagoodman wagoodman mentioned this issue Oct 26, 2021
Open
@spiffcs
Copy link
Contributor

spiffcs commented Oct 28, 2021

#595 (comment)

^ This PR means we may enter a place where if a HASH cannot be generated for a package it won't be cataloged. This unknown should be surfaced in the SBOM output.

@luhring luhring mentioned this issue Mar 21, 2022
Merged
@wagoodman wagoodman added this to OSS Feb 7, 2024
@kzantow kzantow self-assigned this Apr 18, 2024
@kzantow kzantow moved this to In Progress in OSS Apr 18, 2024
@kzantow kzantow mentioned this issue Jun 26, 2024
Merged
3 tasks
@wagoodman wagoodman mentioned this issue Aug 7, 2024
Open
@kzantow kzantow moved this from In Progress to In Review in OSS Aug 19, 2024
@github-project-automation github-project-automation bot moved this from In Review to Done in OSS Oct 7, 2024
@BrewTestBot BrewTestBot mentioned this issue Oct 7, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kzantow kzantow

Labels
enhancement New feature or request
Projects
OSS
Archived in project
Milestone
Meet NTIA Minimum SBOM Requirements
Development

Successfully merging a pull request may close this issue.

feat: report unknowns in sbom kzantow-anchore/syft
3 participants
@wagoodman @kzantow @spiffcs