Comments (6)
Hi @david-gherghita, thanks for the report. There is a similar discussion for Grype's templating capability here: anchore/grype#1243 -- it looks like the outcome is that we decided not to include the Sprig non-hermetic functions. I can run it by the team, but I believe we would come to the same conclusion for Syft. Can you describe in a bit more detail what you're trying to do, and maybe we can suggest an alternative?
Hello @tgerla, thank you very much for your prompt response. I understand the situation.
What I am trying to achieve is to generate a slightly modified version of the CycloneDX 1.4 SBOM than you currently offer with the included format. For this, I need to also include the timestamp.
I noticed that for Grype the timestamp was included as a property of "Document.Descriptor": "Document.Descriptor.Timestamp". Do you think something like that could be done for syft too?
It looks like cyclonedx documents already include a timestamp:
```
❯ syft alpine:3.12 -o [email protected] | jq '.metadata'
 ✔ Loaded image alpine:3.12
 ✔ Parsed image sha256:cc604a625da1289c5dd57f947318133161ff7f40fb03dc2a649300473b97e743
 ✔ Cataloged packages [15 packages]
{
  "timestamp": "2023-11-30T16:11:11-05:00",
  "tools": [
    {
      "vendor": "anchore",
      "name": "syft",
      "version": "0.98.0"
    }
  ],
  "component": {
    "bom-ref": "b0b5eff358e3ab6d",
    "type": "container",
    "name": "alpine",
    "version": "3.12"
  }
}
```
Is there another timestamp section that you're referring to?
We probably won't add the full set of non-hermetic functions to the template options, but we could add select `now` and `date` functions... would that be helpful?
Hello @wagoodman,
That's exactly the timestamp I need, but I want to use it in my own output file, generated from a Go template. And so far I couldn't find a way to integrate the timestamp into the template.
These two functions `now` and `date` would fully meet my requirements; implementing them would resolve my issue.
Thank you.
Hello, I would like to bump this issue..
I am also planning to make a more minimal SBOM and for that I need a timestamp and when possible the uuid for the serial number field of the output SBOM. (for example via the now and uuidv4 function of sprig).
A timestamp and uuid/serialNumber field in the descriptor of the SBOM would be sufficient :)
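
The allow-list approach discussed in this thread (exposing only select `now` and `date` helpers to templates instead of the full non-hermetic function set), as an added example that is not part of the original comments and is not Syft's code. It uses only Go's standard `text/template`; the names `Render` and `allowedFuncs`, the injectable clock, and the simplified `date` helper are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
	"time"
)

// allowedFuncs is the explicit allow-list of template helpers (hypothetical name).
// Anything not listed here, such as an env or hostname lookup, is not callable.
func allowedFuncs(clock func() time.Time) template.FuncMap {
	return template.FuncMap{
		// now returns the current time; the clock is injected so builds can pin it.
		"now": clock,
		// date formats a time with a Go layout string (simplified stand-in helper).
		"date": func(layout string, t time.Time) string { return t.Format(layout) },
	}
}

// Render parses and executes a user-supplied template with only the allow-listed helpers.
func Render(tmplText string, data interface{}, clock func() time.Time) (string, error) {
	t, err := template.New("sbom").Funcs(allowedFuncs(clock)).Parse(tmplText)
	if err != nil {
		return "", err // unknown functions are rejected here, before any execution
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed sample data standing in for an SBOM document.
	doc := map[string]string{"Name": "alpine", "Version": "3.12"}
	tmpl := `{"timestamp": "{{ now | date "2006-01-02T15:04:05Z07:00" }}", "name": "{{ .Name }}", "version": "{{ .Version }}"}`

	out, err := Render(tmpl, doc, time.Now)
	fmt.Println(out, err)

	// A template reaching for a function outside the allow-list fails to parse.
	_, err = Render(`{{ env "HOME" }}`, doc, time.Now)
	fmt.Println("rejected:", err)
}
```

Passing a fixed clock instead of `time.Now` makes the rendered output reproducible, which is the property the hermetic function set is meant to preserve.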