SBOM: the Syft preset could use a more suitable set of catalogers

[chmeliik]

Description

The "syft" SBOM preset scans both the context directory and the rootfs as plain dir:s. Syft selects the default set of catalogers based on what it is scanning: https://github.com/anchore/syft?tab=readme-ov-file#package-cataloger-selection

You can see the list of catalogers enabled for directory scanning and image scanning with:

syft cataloger list --select-catalogers directory
syft cataloger list --select-catalogers image

And the list of catalogers enabled only for image scanning:

$ syft cataloger list -o json | jq '.catalogers[] | select(.tags | contains(["image"])) | select(.tags | contains(["directory"]) | not) | .name' -r
cargo-auditable-binary-cataloger
conan-info-cataloger
javascript-package-cataloger
php-composer-installed-cataloger
r-package-cataloger
ruby-installed-gemspec-cataloger

It would be suitable to use --select-cataloggers image when scanning the rootfs.

[nalind]

Sounds reasonable. Is the default of "--select-catalogers directory" the best one for build context directories?

[chmeliik]

Sounds reasonable. Is the default of "--select-catalogers directory" the best one for build context directories?

Yes, I think so

[github-actions]

A friendly reminder that this issue had no activity for 30 days.