File Input not supported - Unexpected input(s) 'file' #383

Closed
felickz opened this issue Oct 28, 2022 · 6 comments · Fixed by #385

felickz commented Oct 28, 2022

With v0.12.0:

File Input is not supported as documented:

Warning: Unexpected input(s) 'file', valid inputs are ['path', 'image', 'registry-username', 'registry-password', 'format', 'github-token', 'artifact-name', 'output-file', 'syft-version', 'dependency-snapshot', 'upload-artifact', 'upload-release-assets']

ex:

    - uses: anchore/sbom-action@v0
      with: 
        file: ./path/to/target/app.jar
        dependency-snapshot: true

ref: #357

kzantow commented Oct 28, 2022

Good catch! I've published v0.13.0; please let me know if that does not resolve the issue for you!

kzantow closed this as completed Oct 28, 2022

felickz commented Oct 28, 2022

Hmm @kzantow ... a little unclear if this is working as it appears to be scanning the entire file system via dir

Yml

    - uses: anchore/sbom-action@v0
      with: 
        file: ./path/to/target/app.jar
        dependency-snapshot: true

Latest Version (0.13.0):

2022-10-28T19:06:17.9182183Z Download action repository 'anchore/sbom-action@v0' (SHA:b7e8507c6a3c89b7099a0198366d862c8f3ad8f1)

Can't find my "jar" being passed into syft cmd anywhere, still using dir

2022-10-28T19:07:27.2241987Z [command]/opt/hostedtoolcache/syft/0.59.0/x64/syft packages -vv dir:. -o spdx-json -o github=/tmp/sbom-action-pLu2ay/github.sbom.json

logs output as path="." with file: ""

2022-10-28T19:07:27.2817028Z file: ""
2022-10-28T19:07:27.2934784Z [0000] DEBUG indexing filesystem path="."

full logs
2022-10-28T19:07:25.1626685Z ------------------------------ Running SBOM Action -----------------------------
2022-10-28T19:07:25.2458495Z [command]/usr/bin/sh /home/runner/work/_temp/7b05425c-0193-423d-89fd-5d78efcc2f33 -d -b /home/runner/work/_temp/7b05425c-0193-423d-89fd-5d78efcc2f33_syft v0.59.0
2022-10-28T19:07:25.2531929Z [debug] checking github for release tag='v0.59.0' 
2022-10-28T19:07:25.2580032Z [debug] http_download(url=https://github.com/anchore/syft/releases/v0.59.0) 
2022-10-28T19:07:25.5053404Z [info] fetching release script for tag='v0.59.0' 
2022-10-28T19:07:25.5276269Z [debug] http_download(url=https://raw.githubusercontent.com/anchore/syft/v0.59.0/install.sh) 
2022-10-28T19:07:25.6031231Z [debug] checking github for release tag='v0.59.0' 
2022-10-28T19:07:25.6074126Z [debug] http_download(url=https://github.com/anchore/syft/releases/v0.59.0) 
2022-10-28T19:07:25.7626256Z [info] using release tag='v0.59.0' version='0.59.0' os='linux' arch='amd64' 
2022-10-28T19:07:25.7658653Z [debug] downloading files into /tmp/tmp.spFAdNXigF 
2022-10-28T19:07:25.7699547Z [debug] http_download(url=https://github.com/anchore/syft/releases/download/v0.59.0/syft_0.59.0_checksums.txt) 
2022-10-28T19:07:26.0227807Z [debug] http_download(url=https://github.com/anchore/syft/releases/download/v0.59.0/syft_0.59.0_linux_amd64.tar.gz) 
2022-10-28T19:07:27.0672802Z [info] installed /home/runner/work/_temp/7b05425c-0193-423d-89fd-5d78efcc2f33_syft/syft 
2022-10-28T19:07:27.2241987Z [command]/opt/hostedtoolcache/syft/0.59.0/x64/syft packages -vv dir:. -o spdx-json -o github=/tmp/sbom-action-pLu2ay/github.sbom.json
2022-10-28T19:07:27.2244229Z ##[group]Executing Syft...
2022-10-28T19:07:27.2794072Z [0000]  INFO syft version: 0.59.0
2022-10-28T19:07:27.2794842Z 
2022-10-28T19:07:27.2811843Z [0000] DEBUG application config:
2022-10-28T19:07:27.2812671Z verbosity: 2
2022-10-28T19:07:27.2813265Z quiet: false
2022-10-28T19:07:27.2813886Z output:
2022-10-28T19:07:27.2814745Z - spdx-json
2022-10-28T19:07:27.2815403Z - github=/tmp/sbom-action-pLu2ay/github.sbom.json
2022-10-28T19:07:27.2816225Z output-template-path: ""
2022-10-28T19:07:27.2817028Z file: ""
2022-10-28T19:07:27.2818499Z check-for-app-update: false
2022-10-28T19:07:27.2919210Z dev:
2022-10-28T19:07:27.2919641Z   profile-cpu: false
2022-10-28T19:07:27.2920433Z   profile-mem: false
2022-10-28T19:07:27.2920709Z log:
2022-10-28T19:07:27.2920920Z   structured: false
2022-10-28T19:07:27.2921164Z   level: debug
2022-10-28T19:07:27.2921366Z   file: ""
2022-10-28T19:07:27.2921580Z catalogers: []
2022-10-28T19:07:27.2921796Z package:
2022-10-28T19:07:27.2921992Z   cataloger:
2022-10-28T19:07:27.2922212Z     enabled: true
2022-10-28T19:07:27.2922436Z     scope: Squashed
2022-10-28T19:07:27.2922765Z   search-unindexed-archives: false
2022-10-28T19:07:27.2923124Z   search-indexed-archives: true
2022-10-28T19:07:27.2923430Z file-metadata:
2022-10-28T19:07:27.2923637Z   cataloger:
2022-10-28T19:07:27.2923854Z     enabled: false
2022-10-28T19:07:27.2924085Z     scope: Squashed
2022-10-28T19:07:27.2924288Z   digests:
2022-10-28T19:07:27.2924537Z   - sha256
2022-10-28T19:07:27.2924809Z file-classification:
2022-10-28T19:07:27.2925026Z   cataloger:
2022-10-28T19:07:27.2925251Z     enabled: false
2022-10-28T19:07:27.2925474Z     scope: Squashed
2022-10-28T19:07:27.2925725Z file-contents:
2022-10-28T19:07:27.2925943Z   cataloger:
2022-10-28T19:07:27.2926157Z     enabled: false
2022-10-28T19:07:27.2926631Z     scope: Squashed
2022-10-28T19:07:27.2927005Z   skip-files-above-size: 1048576
2022-10-28T19:07:27.2927257Z   globs: []
2022-10-28T19:07:27.2927450Z secrets:
2022-10-28T19:07:27.2927652Z   cataloger:
2022-10-28T19:07:27.2927867Z     enabled: false
2022-10-28T19:07:27.2928079Z     scope: AllLayers
2022-10-28T19:07:27.2928388Z   additional-patterns: {}
2022-10-28T19:07:27.2928718Z   exclude-pattern-names: []
2022-10-28T19:07:27.2929019Z   reveal-values: false
2022-10-28T19:07:27.2929348Z   skip-files-above-size: 1048576
2022-10-28T19:07:27.2929601Z registry:
2022-10-28T19:07:27.2929900Z   insecure-skip-tls-verify: false
2022-10-28T19:07:27.2930239Z   insecure-use-http: false
2022-10-28T19:07:27.2930480Z   auth: []
2022-10-28T19:07:27.2930674Z exclude: []
2022-10-28T19:07:27.2930885Z attest:
2022-10-28T19:07:27.2931081Z   key: ""
2022-10-28T19:07:27.2931266Z   cert: ""
2022-10-28T19:07:27.2931479Z   no_upload: false
2022-10-28T19:07:27.2931701Z   force: false
2022-10-28T19:07:27.2931908Z   recursive: false
2022-10-28T19:07:27.2932137Z   replace: false
2022-10-28T19:07:27.2932436Z   fulcio_url: https://fulcio.sigstore.dev
2022-10-28T19:07:27.2932718Z   fulcio_identity_token: ""
2022-10-28T19:07:27.2932979Z   insecure_skip_verify: false
2022-10-28T19:07:27.2933272Z   rekor_url: https://rekor.sigstore.dev
2022-10-28T19:07:27.2933614Z   oidc_issuer: https://oauth2.sigstore.dev/auth
2022-10-28T19:07:27.2933913Z   oidc_client_id: sigstore
2022-10-28T19:07:27.2934159Z   oidc_redirect_url: ""
2022-10-28T19:07:27.2934380Z platform: ""
2022-10-28T19:07:27.2934519Z 
2022-10-28T19:07:27.2934526Z 
2022-10-28T19:07:27.2934784Z [0000] DEBUG indexing filesystem path="."
2022-10-28T19:07:27.2934979Z 

kzantow commented Oct 31, 2022

@felickz -- it looks like you're using path: ., this would be the expected behavior. If you change this to file: <some-file>, you could reference a specific file. I don't know where a jar is located that you're expecting to find on your filesystem, could you provide some more information about the workflow?

felickz commented Oct 31, 2022

@kzantow - here is what my workflow looks like, assuming it is injecting the path: . automatically

    - uses: anchore/sbom-action@v0
      with: 
        file: ./path/to/target/app.jar
        dependency-snapshot: true

I similarly tried to specify file without the preceding ./ but had the same behavior.

kzantow commented Oct 31, 2022

Good catch @felickz ... I could have sworn I saw a test for this in the original PR, but it seems there wasn't one. We'll have this fixed up shortly with PR #385

Sorry for the inconvenience!

kzantow commented Oct 31, 2022

Just a note: once this gets published, to use it you'll have to specify only the file input and omit path and image (just like your example has).
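
A CI-side check for the failure reported in this thread, where the `file` input was accepted but syft still ran against `dir:.`: it parses the runner log for the syft command line and compares the scanned source with the step's `with:` inputs. This is an added example, not part of the issue or of the sbom-action code; the function names and the second log line are constructed for illustration, and it assumes syft's `dir:` and `file:` source prefixes.

```python
import posixpath
import re
import shlex

# First line is copied from the issue's v0.13.0 run; the second is constructed
# to show what a run that honours the `file` input would be expected to log.
LOG_FROM_ISSUE = (
    "2022-10-28T19:07:27.2241987Z [command]/opt/hostedtoolcache/syft/0.59.0/x64/syft "
    "packages -vv dir:. -o spdx-json -o github=/tmp/sbom-action-pLu2ay/github.sbom.json"
)
LOG_CONSTRUCTED = (
    "2022-10-28T19:07:30.0000000Z [command]/opt/hostedtoolcache/syft/0.59.0/x64/syft "
    "packages -vv file:./path/to/target/app.jar -o spdx-json"
)
# Action input -> syft source scheme; anything not dir:/file: is treated as an image.
SCHEME = {"file": "file", "path": "dir", "image": "image"}


def scanned_source(log_text):
    """Return (scheme, target) for the first syft invocation in a runner log."""
    for line in log_text.splitlines():
        m = re.search(r"\[command\]\S*/syft\s+(.*)$", line)
        if not m:
            continue
        args = iter(shlex.split(m.group(1))[1:])  # drop the subcommand
        for arg in args:
            if arg in ("-o", "--output"):
                next(args, None)                   # skip the option's value
            elif not arg.startswith("-"):
                scheme, sep, target = arg.partition(":")
                if sep and scheme in ("dir", "file"):
                    return scheme, target
                return "image", arg
    return None


def check_scan_target(inputs, log_text):
    """Compare the step's `with:` inputs with the source syft actually scanned."""
    given = [k for k in SCHEME if inputs.get(k)]
    if len(given) != 1:
        return f"ambiguous: expected exactly one source input, got {given}"
    found = scanned_source(log_text)
    if found is None:
        return "no syft invocation found in log"
    want = (SCHEME[given[0]], inputs[given[0]])
    norm = lambda s: s if s[0] == "image" else (s[0], posixpath.normpath(s[1]))
    if norm(want) == norm(found):
        return "ok"
    return f"mismatch: requested {want[0]}:{want[1]}, syft scanned {found[0]}:{found[1]}"
```

Run as a post-step over the job log, a non-`ok` result flags an SBOM that describes a different target than the workflow asked for.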
