Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

always output SBOM table #238

Closed
wants to merge 3 commits into from
Closed

always output SBOM table #238

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
be9b4be
always output SBOM table
jonasagx Apr 5, 2022
e52d742
fix snapshots
jonasagx Apr 6, 2022
b0c6301
npm run production
jonasagx Apr 6, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
2 changes: 1 addition & 1 deletion dist/attachReleaseAssets/index.js
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion dist/downloadSyft/index.js
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion dist/runSyftAction/index.js
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion src/github/SyftGithubAction.ts
View file
Open in desktop
Expand Up @@ -126,7 +126,7 @@ async function executeSyft({
throw new Error("Invalid input, no image or path specified");
}

args = [...args, "-o", format];
args = [...args, "-o", format, "-o", "table"];
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this is going to work correctly. The way the code currently works, syft is invoked and the stdout captured as the sbom. Looking at the changes in the snapshots, this change seems to have caused multiple types of SBOMs to be output to stdout. Instead, we'd need to do something like syft -o table -o spdx-json=some-file.spdx.json and then instead of using stdout as the sbom, just print stdout to the console as this would have the table output, and then read or otherwise use the sbom file.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh I see :) I got it really wrong.


if (opts.uploadToDependencySnapshotAPI) {
// generate github dependency format
Expand Down
31 changes: 31 additions & 0 deletions tests/integration/__snapshots__/spdx.test.ts.snap
View file
Open in desktop
Expand Up @@ -24,6 +24,8 @@ PackageCopyrightText: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:libvncserver:libvncserver:0.9.9:*:*:*:*:*:*:*
ExternalRef: PACKAGE_MANAGER purl pkg:alpine/libvncserver@0.9.9?arch=x86_64&upstream=libvncserver&distro=alpine-3.12.0

NAME VERSION TYPE
libvncserver 0.9.9 apk
"
`;

Expand Down Expand Up @@ -182,6 +184,13 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:python:Pygments:2.6.1:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:georg:Pygments:2.6.1:*:*:*:*:*:*:*
ExternalRef: PACKAGE_MANAGER purl pkg:pypi/Pygments@2.6.1

NAME VERSION TYPE
Pygments 2.6.1 python
apt 1.8.2 deb
bundler 2.1.4 gem
example-java-app-maven 0.1.0 java-archive
joda-time 2.9.2 java-archive
npm 6.14.6 npm
"
`;

Expand Down Expand Up @@ -414,6 +423,20 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:yallist:yallist:4.0.0:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:*:yallist:4.0.0:*:*:*:*:*:*:*
ExternalRef: PACKAGE_MANAGER purl pkg:npm/yallist@4.0.0

NAME VERSION TYPE
chownr 2.0.0 npm
fs-minipass 2.1.0 npm
js-tokens 4.0.0 npm
loose-envify 1.4.0 npm
minipass 3.1.3 npm
minizlib 2.1.2 npm
mkdirp 1.0.4 npm
object-assign 4.1.1 npm
prop-types 15.7.2 npm
react 16.14.0 npm
react-is 16.13.1 npm
tar 6.1.0 npm
yallist 4.0.0 npm
"
`;

Expand Down Expand Up @@ -556,5 +579,13 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:trim:trim:0.0.2:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:*:trim:0.0.2:*:*:*:*:*:*:*
ExternalRef: PACKAGE_MANAGER purl pkg:npm/trim@0.0.2

NAME VERSION TYPE
js-tokens 4.0.0 npm
loose-envify 1.4.0 npm
object-assign 4.1.1 npm
prop-types 15.7.2 npm
react 16.14.0 npm
react-is 16.13.1 npm
trim 0.0.2 npm
"
`;