Invalid catalogers are silently ignored #2389

Closed
selzoc opened this issue Dec 1, 2023 · 4 comments
Labels
bug Something isn't working changelog-ignore Don't include this issue in the release changelog good-first-issue Good for newcomers

Comments

@selzoc
Contributor

selzoc commented Dec 1, 2023

What happened:
Due to #2277, some catalogers were renamed. As a result, our config file (which had the old names) led our syft scan to produce no packages.

What you expected to happen:
syft to print an error or warning letting us know that our config is invalid.

Steps to reproduce the issue:

pwd
/Users/cselzo/workspace/syft
→ cat /tmp/foo.yml
catalogers:
  - foo
  - bar
  - baz
  - qux
→ syft -v packages . -c /tmp/foo.yml
[0000]  INFO syft version: 0.98.0
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
[0000]  INFO could not identify distro
[0000]  INFO skipping cataloger "alpm-db-cataloger"
[0000]  INFO skipping cataloger "apk-db-cataloger"
[0000]  INFO skipping cataloger "binary-cataloger"
[0000]  INFO skipping cataloger "conan-cataloger"
[0000]  INFO skipping cataloger "dart-pubspec-lock-cataloger"
[0000]  INFO skipping cataloger "dpkg-db-cataloger"
[0000]  INFO skipping cataloger "dotnet-deps-cataloger"
[0000]  INFO skipping cataloger "dotnet-portable-executable-cataloger"
[0000]  INFO skipping cataloger "elixir-mix-lock-cataloger"
[0000]  INFO skipping cataloger "erlang-rebar-lock-cataloger"
[0000]  INFO skipping cataloger "github-actions-usage-cataloger"
[0000]  INFO skipping cataloger "github-action-workflow-usage-cataloger"
[0000]  INFO skipping cataloger "go-module-file-cataloger"
[0000]  INFO skipping cataloger "go-module-binary-cataloger"
[0000]  INFO skipping cataloger "haskell-cataloger"
[0000]  INFO skipping cataloger "java-archive-cataloger"
[0000]  INFO skipping cataloger "java-gradle-lockfile-cataloger"
[0000]  INFO skipping cataloger "java-pom-cataloger"
[0000]  INFO skipping cataloger "graalvm-native-image-cataloger"
[0000]  INFO skipping cataloger "javascript-lock-cataloger"
[0000]  INFO skipping cataloger "javascript-package-cataloger"
[0000]  INFO skipping cataloger "linux-kernel-cataloger"
[0000]  INFO skipping cataloger "nix-store-cataloger"
[0000]  INFO skipping cataloger "php-composer-installed-cataloger"
[0000]  INFO skipping cataloger "php-composer-lock-cataloger"
[0000]  INFO skipping cataloger "portage-cataloger"
[0000]  INFO skipping cataloger "python-package-cataloger"
[0000]  INFO skipping cataloger "python-installed-package-cataloger"
[0000]  INFO skipping cataloger "r-package-cataloger"
[0000]  INFO skipping cataloger "rpm-archive-cataloger"
[0000]  INFO skipping cataloger "rpm-db-cataloger"
[0000]  INFO skipping cataloger "ruby-gemfile-cataloger"
[0000]  INFO skipping cataloger "ruby-gemspec-cataloger"
[0000]  INFO skipping cataloger "ruby-installed-gemspec-cataloger"
[0000]  INFO skipping cataloger "cargo-auditable-binary-cataloger"
[0000]  INFO skipping cataloger "rust-cargo-lock-cataloger"
[0000]  INFO skipping cataloger "sbom-cataloger"
[0000]  INFO skipping cataloger "cocoapods-cataloger"
[0000]  INFO skipping cataloger "swift-package-manager-cataloger"
No packages discovered

Anything else we need to know?:

Environment:

  • Output of syft version:
    Application: syft
    Version:    0.98.0
    BuildDate:  2023-11-29T14:42:34Z
    GitCommit:  Homebrew
    GitDescription: [not provided]
    Platform:   darwin/arm64
    GoVersion:  go1.21.4
    Compiler:   gc
    
  • OS (e.g: cat /etc/os-release or similar): macOS 13.6.2
@selzoc selzoc added the bug Something isn't working label Dec 1, 2023
@tgerla
Contributor

tgerla commented Dec 4, 2023

Hi @selzoc, thanks for the report. Looking at your output I see that Syft is logging an INFO line noting each skipped cataloger. That message might be better being a WARN or even a fatal error. Would changing INFO to WARN solve your problem, do you think? I can see the argument for making it a fatal error, though.

@tgerla tgerla moved this to Awaiting Response in OSS Dec 4, 2023
@daxxog

daxxog commented Dec 22, 2023

I don't think changing all the "skipping cataloger" messages to WARN would be what we would want; rather having a WARN emitted when a non-existent cataloger is used.

% syft -v packages . --catalogers this-cataloger-does-not-exist |& grep this-cataloger-does-not-exist
% echo $?
1

@wagoodman
Contributor

yeah, if there are no catalogers that are ultimately used, this should be an error and exit 1. It seems like a simple check here and return an error around here would do the trick:

nCatalogers := len(catalogers)

@wagoodman wagoodman added the good-first-issue Good for newcomers label Jan 3, 2024
@wagoodman wagoodman moved this from Awaiting Response to Backlog in OSS Jan 3, 2024
@wagoodman
Contributor

Fixed by #1383

@github-project-automation github-project-automation bot moved this from Backlog to Done in OSS Jan 22, 2024
@wagoodman wagoodman added the changelog-ignore Don't include this issue in the release changelog label Jan 22, 2024
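
An added example, not syft's code and not the change that closed this issue: a hypothetical `selectCatalogers` helper showing the two behaviours discussed in the thread, a warning for each requested name that matches no cataloger and a non-zero exit when nothing is left to run. Exact-name matching and the three-entry known set (names taken from the log above) are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// ErrNoCatalogers signals that the requested names selected nothing to run.
var ErrNoCatalogers = errors.New("no catalogers selected")

// selectCatalogers is a hypothetical helper (not syft's API). It matches
// requested names exactly against the known set and returns the selection
// plus every requested name that matched nothing.
func selectCatalogers(known, requested []string) (selected, unknown []string, err error) {
	if len(requested) == 0 {
		return known, nil, nil // no filter configured: run everything
	}
	index := make(map[string]bool, len(known))
	for _, k := range known {
		index[k] = true
	}
	for _, r := range requested {
		if index[r] {
			selected = append(selected, r)
		} else {
			unknown = append(unknown, r)
		}
	}
	if len(selected) == 0 {
		return nil, unknown, fmt.Errorf("%w: unknown names: %s", ErrNoCatalogers, strings.Join(unknown, ", "))
	}
	return selected, unknown, nil
}

func main() {
	// Constructed sample: three known names and the config from the report.
	known := []string{"apk-db-cataloger", "dpkg-db-cataloger", "rpm-db-cataloger"}
	sel, unknown, err := selectCatalogers(known, []string{"foo", "bar", "baz", "qux"})
	for _, u := range unknown {
		fmt.Fprintf(os.Stderr, "WARN requested cataloger %q does not exist\n", u)
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, "ERROR", err)
		os.Exit(1) // fail the scan instead of emitting an empty SBOM
	}
	fmt.Println("running:", sel)
}
```

With the config from the report this exits 1, so a pipeline that feeds the package list to a vulnerability scanner stops instead of passing on an empty result.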