file option not working #389

Open
devinrsmith opened this issue Dec 13, 2022 · 7 comments
Labels
bug Something isn't working

Comments

@devinrsmith

I've got an action defined:

      - name: Create SBOMs
        uses: anchore/sbom-action@v0
        with:
          file: ./server/jetty-app/build/distributions/server-jetty-0.20.0.tar
          upload-release-assets: false

Unfortunately, it looks like it's running with path instead of file.

2022-12-13T20:56:09.6180813Z ##[group]Run anchore/sbom-action@v0
2022-12-13T20:56:09.6181622Z with:
2022-12-13T20:56:09.6182429Z   file: ./server/jetty-app/build/distributions/server-jetty-0.20.0.tar
2022-12-13T20:56:09.6183453Z   upload-release-assets: false
2022-12-13T20:56:09.6184185Z   path: .
2022-12-13T20:56:09.6184877Z   format: spdx-json
2022-12-13T20:56:09.6185775Z   github-token: ***
2022-12-13T20:56:09.6186510Z   dependency-snapshot: false
2022-12-13T20:56:09.6187251Z   upload-artifact: true
2022-12-13T20:56:09.6187965Z env:
2022-12-13T20:56:09.6188746Z   JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/11.0.17-8/x64
2022-12-13T20:56:09.6189666Z   JAVA_HOME_11_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/11.0.17-8/x64
2022-12-13T20:56:09.6190582Z   JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.5-8/x64
2022-12-13T20:56:09.6191378Z ##[endgroup]
...
2022-12-13T20:56:13.5970942Z [0000] DEBUG indexing filesystem path="."
...

Related to #385?

@kzantow
Contributor

kzantow commented Dec 13, 2022

Is there something to indicate the scan itself is using path instead of file? The path default is ., which means it will always get that path value by default...

@devinrsmith
Author

I'm new to the SBOM / syft scene, so maybe my expectations are wrong, but I expected the SBOM to only be related to the file I specified, somewhat analogous to if I had run

syft file:./server/jetty-app/build/distributions/server-jetty-0.20.0.tar

but everything in my working directory is being scanned. I can add the full action logs, or the resulting SBOM, if it would be helpful.

@devinrsmith
Author

indexing filesystem path="."

@kzantow
Contributor

kzantow commented Jan 5, 2023

Could you extract the tar in a prior step and then run the scan-action on the directory?

@felddy

felddy commented Apr 3, 2023

FWIW, I'm seeing this same behavior.

GitHub Actions run:

Calling step:

      - name: Generate SBOM
        uses: anchore/sbom-action@422cb34a0f8b599678c41b21163ea6088edb2624
        with:
          artifact-name: ${{ steps.clean.outputs.image_archive_name_stem }}-sbom.spdx.json
          file: ${{ steps.clean.outputs.image_archive_name_stem }}.tar
          upload-artifact-retention: ${{ inputs.artifact_retention_days }}

@spiffcs spiffcs added the bug Something isn't working label May 18, 2023
@spiffcs
Contributor

spiffcs commented May 18, 2023

It looks like file and path should be mutually exclusive here (one clobbering the other if provided). I added the bug label to this and put it into our backlog to take a look at when we have some team cycles.

If anyone on this issue has already investigated and knows the specific fix I am happy to take a look at the PR for review and help approve / work to make it into main =)

@dn0

dn0 commented Jul 24, 2023

This seems to be a problem with the defaults and input parsing. This helps:

with:
  path: null
  file: ...

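An added example, not code from the issue participants or from anchore/sbom-action, modelling the input collision spiffcs and dn0 describe: a `path` input that always carries the default `.` is resolved ahead of an explicit `file`, so the SBOM ends up describing the whole checkout rather than the release tarball it was meant to attest. The input-merging rule and the assumption that a YAML `null` reaches the action as an empty string are assumptions; the action's real resolution logic is not shown on the page.

```python
"""Model of the file/path collision from this issue (hypothetical code, not
anchore/sbom-action's own): a defaulted `path` wins over an explicit `file`,
so the SBOM describes the whole checkout rather than the release tarball.
A mutually exclusive resolution is shown beside the buggy one."""

# Defaults as they appear in the issue's run log: path defaults to ".".
DEFAULTS = {"path": ".", "format": "spdx-json"}

# The `with:` block from the issue, as constructed sample input.
ISSUE_WITH = {
    "file": "./server/jetty-app/build/distributions/server-jetty-0.20.0.tar",
    "upload-release-assets": "false",
}


def effective_inputs(with_block):
    """Merge a step's `with:` block over the action defaults: every unset
    input takes its default. A YAML null is assumed to reach the action as
    an empty string, which is what the `path: null` workaround relies on."""
    merged = dict(DEFAULTS)
    for key, value in with_block.items():
        merged[key] = "" if value is None else str(value)
    return merged


def resolve_target_buggy(inputs):
    """Reproduces the reported behaviour: `path` is consulted first and,
    because it always carries a default, `file` is never reached."""
    if inputs.get("path"):
        return ("dir", inputs["path"])
    if inputs.get("file"):
        return ("file", inputs["file"])
    raise ValueError("no scan target given")


def resolve_target_exclusive(inputs):
    """Hardened resolution: an explicit `file` wins over the default `path`,
    and an explicit non-default `path` next to `file` is rejected instead of
    silently overriding it."""
    file_, path = inputs.get("file", ""), inputs.get("path", "")
    if file_ and path and path != DEFAULTS["path"]:
        raise ValueError("file and path are mutually exclusive")
    if file_:
        return ("file", file_)
    if path:
        return ("dir", path)
    raise ValueError("no scan target given")
```

Running `resolve_target_buggy(effective_inputs(ISSUE_WITH))` yields `('dir', '.')`, the `indexing filesystem path="."` seen in the log, while the exclusive variant returns the tarball.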
Projects
Status: Backlog
Development

No branches or pull requests

5 participants