
Allow for ingestion of SPDX SBOM documents as input #395

Closed
wagoodman opened this issue Aug 23, 2021 · 5 comments · Fixed by #607
enhancement New feature or request format:spdx SPDX related enhancement or bug I/O Describes bug or enhancement around application input or output

Comments

@wagoodman
Contributor

Today we allow for the syft JSON document as an SBOM input. It would be ideal to additionally interop with tools that produce SPDX documents and allow that as input into grype for vulnerability scanning.

@wagoodman wagoodman added enhancement New feature or request I/O Describes bug or enhancement around application input or output labels Aug 23, 2021
@wagoodman
Contributor Author

Could be closely related to anchore/syft#400 and may have architectural changes/concerns. (we should try and tackle SBOM ingestion for syft and grype together)

@luhring
Contributor

luhring commented Aug 23, 2021

Implementation idea (RFC): In addition to ingesting SPDX in general, we've mentioned the notion of piping SPDX into Grype (or Syft, per #395 (comment)). This could get tricky if we accept multiple formats (e.g. Syft + SPDX) and have to try to detect what we're receiving in the byte stream (not impossible, though).

Many tools have a convention of using - to refer to a command's stdin. We could use this in combination with our "schemes" system to allow the user to instruct the tool explicitly on how to interpret the inbound bytes.

E.g.: cat my-sbom.spdx | grype spdx:- ...
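The explicit-scheme-plus-stdin dispatch sketched in the comment above, written out as an added Go example (not Grype's or Syft's own code): `spdx:-` reads stdin and trusts the scheme, while a bare path or `-` falls back to sniffing the bytes. The format markers used for sniffing (the `SPDXVersion:` tag-value prefix, a top-level `spdxVersion` key for SPDX JSON, a top-level `artifacts` key for Syft JSON) are assumptions about the two formats, not taken from this issue.

```go
package main

import (
	"bytes"
	"encoding/json"
	"io"
	"os"
	"strings"
)

// ParseSource splits "spdx:-" or "sbom:./my-sbom.json" into an explicit scheme
// (empty when absent) and a path; "-" as the path means "read stdin".
func ParseSource(arg string) (scheme, path string) {
	if i := strings.Index(arg, ":"); i >= 0 {
		return strings.ToLower(arg[:i]), arg[i+1:]
	}
	return "", arg
}

// DetectFormat sniffs the bytes when no scheme was given. Markers are assumptions
// (not from the issue): "SPDXVersion:" prefix, "spdxVersion" key, "artifacts" key.
func DetectFormat(doc []byte) string {
	var top map[string]json.RawMessage
	switch {
	case bytes.HasPrefix(bytes.TrimSpace(doc), []byte("SPDXVersion:")):
		return "spdx-tag-value"
	case json.Unmarshal(doc, &top) != nil:
		return "unknown" // not a JSON object at all
	case top["spdxVersion"] != nil:
		return "spdx-json"
	case top["artifacts"] != nil:
		return "syft-json"
	}
	return "unknown"
}

// Resolve reads the input (stdin for "-", otherwise the named file) and decides
// how to interpret it: an explicit scheme always wins over content sniffing.
func Resolve(arg string, stdin io.Reader) (format string, data []byte, err error) {
	scheme, path := ParseSource(arg)
	if path == "-" {
		data, err = io.ReadAll(stdin)
	} else {
		data, err = os.ReadFile(path)
	}
	if err == nil && scheme == "" {
		scheme = DetectFormat(data)
	}
	return scheme, data, err
}
```

Wiring `Resolve(os.Args[1], os.Stdin)` into a CLI gives the `cat my-sbom.spdx | tool spdx:-` shape from the comment; an unknown result is the cue to fail closed rather than guess.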

@wagoodman wagoodman self-assigned this Oct 5, 2021
@wagoodman wagoodman added the blocked Progress is being stopped by something label Oct 22, 2021
@wagoodman wagoodman added blocked Progress is being stopped by something and removed blocked Progress is being stopped by something labels Nov 10, 2021
@luhring
Contributor

luhring commented Nov 18, 2021

This will be unblocked once anchore/syft#556 is closed

@wagoodman
Contributor Author

This same comment applies #481 (comment)

@wagoodman wagoodman added the format:spdx SPDX related enhancement or bug label Dec 21, 2021
@kzantow
Contributor

kzantow commented Jan 10, 2022

An associated Syft PR can be found here: anchore/syft#738
