
Upgrade syft version to v0.63.0 #10

Merged
merged 2 commits into from
Dec 15, 2022

Conversation

@jedevc (Collaborator) commented Dec 15, 2022

Signed-off-by: Justin Chadwell <me@jedevc.com>
The mount points of the target filesystem into the scanner image are
irrelevant - so we should discard those and explicitly set the new name
field for the syft source.

Signed-off-by: Justin Chadwell <me@jedevc.com>
@jedevc jedevc requested a review from crazy-max December 15, 2022 10:53
@jedevc jedevc marked this pull request as ready for review December 15, 2022 12:04
@jedevc (Collaborator, Author) commented Dec 15, 2022

Tested this on moby/buildkit#3405, can see a total size reduction in files.

Before:

$ ls -lh old/*
old/linux_amd64:
total 62M
-rw-r--r-- 1 jedevc jedevc  62M Dec 15 11:58 buildkit-v0.11.0-rc2-3-g4e6709a67.linux-amd64.tar.gz
-rw------- 1 jedevc jedevc  33K Dec 15 11:59 provenance.json
-rw------- 1 jedevc jedevc 175K Dec 15 11:59 sbom-binaries.spdx.json
-rw------- 1 jedevc jedevc  642 Dec 15 11:59 sbom.spdx.json

old/linux_arm64:
total 59M
-rw-r--r-- 1 jedevc jedevc  58M Dec 15 11:58 buildkit-v0.11.0-rc2-3-g4e6709a67.linux-arm64.tar.gz
-rw------- 1 jedevc jedevc  33K Dec 15 11:59 provenance.json
-rw------- 1 jedevc jedevc 174K Dec 15 11:59 sbom-binaries.spdx.json
-rw------- 1 jedevc jedevc  641 Dec 15 11:59 sbom.spdx.json

After:

$ ls -lh new/*
new/linux_amd64:
total 62M
-rw-r--r-- 1 jedevc jedevc  62M Dec 15 11:58 buildkit-v0.11.0-rc2-3-g4e6709a67.linux-amd64.tar.gz
-rw------- 1 jedevc jedevc  33K Dec 15 11:59 provenance.json
-rw------- 1 jedevc jedevc 152K Dec 15 11:59 sbom-binaries.spdx.json
-rw------- 1 jedevc jedevc  591 Dec 15 11:59 sbom.spdx.json

new/linux_arm64:
total 59M
-rw-r--r-- 1 jedevc jedevc  58M Dec 15 11:58 buildkit-v0.11.0-rc2-3-g4e6709a67.linux-arm64.tar.gz
-rw------- 1 jedevc jedevc  33K Dec 15 11:59 provenance.json
-rw------- 1 jedevc jedevc 151K Dec 15 11:59 sbom-binaries.spdx.json
-rw------- 1 jedevc jedevc  591 Dec 15 11:59 sbom.spdx.json

The smaller SBOMs seem to be caused by the removal of invalid relationship pairs (the target SPDX ID wasn't present in the doc). I can't work out which syft fix picked up the issue, but it now seems resolved.

Definitely worth noting that we need to watch the stability of the output over time - ideally we should have some sort of regression job to compare the output of the scanner over time, over a number of projects.

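The two points raised in the comment above, relationship pairs whose target SPDX ID is absent from the document and a regression job that compares scanner output across versions, as an added example. This is not code from this repository or from syft; it reads SPDX 2.x JSON of the shape syft emits, the two sample documents at the bottom are constructed for the example, and the package names, versions and SPDXIDs in them are made up.

```python
"""Added example (not from this repository or from syft): two checks on SPDX JSON.

1. dangling_relationships() lists relationship entries whose spdxElementId or
   relatedSpdxElement does not resolve to an element defined in the document;
   these are the "invalid relationship pairs" the PR comment refers to.
2. compare_sboms() summarises package churn and relationship counts between
   two SBOMs, the core of a regression job for scanner upgrades.
"""
from __future__ import annotations

import json
import sys
from typing import Any

# Literal values SPDX allows in place of an element reference.
SPECIAL_REFS = {"NONE", "NOASSERTION"}


def element_ids(doc: dict[str, Any]) -> set[str]:
    """Every SPDXID defined in the document: the document itself, packages, files, snippets."""
    ids = {doc.get("SPDXID", "SPDXRef-DOCUMENT")}
    for section in ("packages", "files", "snippets"):
        ids.update(e["SPDXID"] for e in doc.get(section, []) if "SPDXID" in e)
    return ids


def dangling_relationships(doc: dict[str, Any]) -> list[dict[str, str]]:
    """Relationships with at least one endpoint that does not resolve.

    A reference into another document ("DocumentRef-x:SPDXRef-y") is accepted
    only if DocumentRef-x is declared in externalDocumentRefs.
    """
    known = element_ids(doc)
    external = {r["externalDocumentId"] for r in doc.get("externalDocumentRefs", [])}

    def resolves(ref: str) -> bool:
        if ref in SPECIAL_REFS or ref in known:
            return True
        if ref.startswith("DocumentRef-") and ":" in ref:
            return ref.split(":", 1)[0] in external
        return False

    return [
        rel for rel in doc.get("relationships", [])
        if not (resolves(rel["spdxElementId"]) and resolves(rel["relatedSpdxElement"]))
    ]


def package_keys(doc: dict[str, Any]) -> set[tuple[str, str]]:
    """(name, version) pairs; SPDXIDs are avoided since a scanner may change how it derives them."""
    return {(p.get("name", ""), p.get("versionInfo", "")) for p in doc.get("packages", [])}


def compare_sboms(old: dict[str, Any], new: dict[str, Any]) -> dict[str, Any]:
    """Summary a regression job can assert on or print as a diff between two scanner runs."""
    old_pkgs, new_pkgs = package_keys(old), package_keys(new)
    return {
        "packages_added": sorted(new_pkgs - old_pkgs),
        "packages_removed": sorted(old_pkgs - new_pkgs),
        "relationships_old": len(old.get("relationships", [])),
        "relationships_new": len(new.get("relationships", [])),
        "dangling_old": len(dangling_relationships(old)),
        "dangling_new": len(dangling_relationships(new)),
    }


def _doc(packages, relationships, files=()):
    """Build a minimal SPDX 2.3 JSON document (constructed sample data, not scanner output)."""
    return {
        "spdxVersion": "SPDX-2.3",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": "sample",
        "packages": [{"SPDXID": f"SPDXRef-Package-{n}", "name": n, "versionInfo": v} for n, v in packages],
        "files": [{"SPDXID": f"SPDXRef-File-{f}", "fileName": f} for f in files],
        "relationships": [
            {"spdxElementId": a, "relationshipType": t, "relatedSpdxElement": b} for a, t, b in relationships
        ],
    }


# "Before": one relationship points at a file SPDXID that is never defined.
OLD_SBOM = _doc(
    packages=[("buildkit", "v0.11.0-rc2"), ("runc", "v1.1.3")],
    files=["buildkitd"],
    relationships=[
        ("SPDXRef-DOCUMENT", "DESCRIBES", "SPDXRef-Package-buildkit"),
        ("SPDXRef-Package-buildkit", "CONTAINS", "SPDXRef-File-buildkitd"),
        ("SPDXRef-Package-buildkit", "DEPENDS_ON", "SPDXRef-Package-runc"),
        ("SPDXRef-Package-buildkit", "CONTAINS", "SPDXRef-File-missing"),
    ],
)

# "After": the dangling pair is gone and one dependency version moved.
NEW_SBOM = _doc(
    packages=[("buildkit", "v0.11.0-rc2"), ("runc", "v1.1.4")],
    files=["buildkitd"],
    relationships=[
        ("SPDXRef-DOCUMENT", "DESCRIBES", "SPDXRef-Package-buildkit"),
        ("SPDXRef-Package-buildkit", "CONTAINS", "SPDXRef-File-buildkitd"),
        ("SPDXRef-Package-buildkit", "DEPENDS_ON", "SPDXRef-Package-runc"),
    ],
)


def main(argv: list[str]) -> int:
    """Usage: sbom_check.py OLD.spdx.json NEW.spdx.json (no arguments: run on the samples)."""
    if len(argv) == 3:
        with open(argv[1]) as f, open(argv[2]) as g:
            old, new = json.load(f), json.load(g)
    else:
        old, new = OLD_SBOM, NEW_SBOM
    for rel in dangling_relationships(new):
        print("dangling:", rel)
    print(json.dumps(compare_sboms(old, new), indent=2))
    return 1 if dangling_relationships(new) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the two `sbom-binaries.spdx.json` files from consecutive scanner builds and fail the job on a non-empty `packages_removed` or a non-zero `dangling_new`; keying packages on name and version rather than SPDXID keeps the comparison stable when a scanner upgrade changes only how it derives IDs.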
@jedevc jedevc requested a review from tonistiigi December 15, 2022 12:12
@jedevc jedevc merged commit d8c951d into master Dec 15, 2022
@jedevc jedevc deleted the upgrade-syft branch December 15, 2022 12:13