Bump github.com/anchore/syft from 0.94.0 to 0.97.1 #83
Conversation
Full diff: anchore/syft@v0.94.0...v0.97.1 Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
| @@ -38,7 +38,12 @@ func (s Scanner) Scan() error { | |||
| return err | |||
| } | |||
|
|
|||
| output, err := syft.Encode(result, spdxjson.Format()) | |||
| enc, err := spdxjson.NewFormatEncoderWithConfig(spdxjson.DefaultEncoderConfig()) | |||
There was a problem hiding this comment.
With this change it now defaults to SPDX 2.3 (previously 2.2): https://github.com/anchore/syft/blob/8ee209a5ae18bee4db9d845abdc6b2d00b41a8ec/syft/format/internal/spdxutil/versions.go#L7
There was a problem hiding this comment.
Not sure if we should provide this as an option so user can choose a specific version/format. Maybe a BUILDKIT_SCAN_FORMAT that would default to spdxjson. If user wants to pin to a specific version of this format it could then set BUILDKIT_SCAN_FORMAT=spdxjson:2.2.
Ofc we would have only one format available atm but it lets doors open for others in the future?
There was a problem hiding this comment.
I think allowing specifying formats would be good IMO, it also opens the route to doing CycloneDX at some point (not worth blocking this PR on though IMO).
I'm not quite sure what the user-interface to this should be though - ideally, we could put it in the --attestation type=sbom,format=... or somewhere like that? Or maybe it's more generic, and we should allow passing arbitrary parameters, which we discussed at some point on the buildkit repo.
There was a problem hiding this comment.
Or maybe it's more generic, and we should allow passing arbitrary parameters, which we discussed at some point on the buildkit repo.
Yes generic attributes that could be inferred as an env var like BUILDKIT_SCAN_<name> and then used with --attestation type=sbom,<name>=... on client-side would be handy.
fixes #82
Full diff: anchore/syft@v0.94.0...v0.97.1
sbom.Encodeis not a thing anymore and the encoding interface has been split since anchore/syft#2186.