What happened: syft reads any config.yaml in the current working directory as Syft configuration. If the config.yaml is not a valid syft config, then scanning fails.
What you expected to happen:
I expect config.yaml in the current working directory to not be read as Syft configuration.
Steps to reproduce the issue:
1. Create directory foo: mkdir foo
2. Create a config.yaml in the foo directory: touch foo/config.yaml
3. Place invalid Syft config in the config.yaml:
cat > foo/config.yaml << EOF
output:
  example:
    value: value
EOF
Note that it is important that the config file uses a Syft configuration value like output
4. Run syft in the foo directory: cd foo && syft packages .
5. Observe the error 'output[0]' expected type 'string', got unconvertible type 'map[string]interface {}', value: 'map[example:map[value:value]]'
On line 226 we add the pwd as a config path. We then check to see if a .syft config file exists. If it does not, we move to check the other documented config files.
On line 236 we add .syft as a config path. Note that pwd is still in the search path for configs. When we then search for config files with the name config, it picks up ./config.yaml which was never intended as a syft configuration file.
Environment:
Output of syft version: latest syft from git
OS (e.g: cat /etc/os-release or similar): Failure observed on Linux and macOS
Only add the pwd to the config search path if and only if it contains
a config file that we expect. This avoids incorrectly finding config
files that may be specific to applications other than syft.
fixes: anchore#1634
Signed-off-by: Aidan Delaney <adelaney21@bloomberg.net>
Anything else we need to know?:
The problem occurs on https://github.com/anchore/syft/blob/main/internal/config/application.go#L226.
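The lookup order described in the issue, beside a scoped version matching the commit message's intent, as an added example that is not syft's own code. The function names are hypothetical, the `.yaml` extension is assumed, and the directory is constructed at run time.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// firstConfig returns the first <dir>/<name>.yaml that exists, or "".
func firstConfig(name string, dirs []string) string {
	for _, d := range dirs {
		p := filepath.Join(d, name+".yaml")
		if _, err := os.Stat(p); err == nil {
			return p
		}
	}
	return ""
}

// leakyLookup models the behaviour described in the issue: pwd is added for
// the ".syft" lookup and is still in the list when "config" is searched.
func leakyLookup(pwd string) string {
	dirs := []string{pwd}
	if p := firstConfig(".syft", dirs); p != "" {
		return p
	}
	dirs = append(dirs, filepath.Join(pwd, ".syft"))
	return firstConfig("config", dirs) // also matches pwd/config.yaml
}

// scopedLookup searches pwd only for the file name expected there.
func scopedLookup(pwd string) string {
	if p := firstConfig(".syft", []string{pwd}); p != "" {
		return p
	}
	return firstConfig("config", []string{filepath.Join(pwd, ".syft")})
}

func main() {
	pwd, err := os.MkdirTemp("", "foo") // constructed sample directory
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(pwd)
	foreign := []byte("output:\n  example:\n    value: value\n")
	if err := os.WriteFile(filepath.Join(pwd, "config.yaml"), foreign, 0o600); err != nil {
		panic(err)
	}
	fmt.Printf("leaky:  %q\nscoped: %q\n", leakyLookup(pwd), scopedLookup(pwd))
}
```

The same distinction matters when a scanner is run inside a checked-out repository it does not control: any file the lookup matches in the working directory becomes tool configuration.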