Comments (5)
Hi @Joerki -- I'm a bit confused what the problem is. I see search-remote-licenses is set to false, which is the default and I don't see this being set by an environment variable, so it's expected to be false. The default local-mod-cache-dir is based on your home directory, which is also expected. Could you elaborate on your configuration and the problem a bit to help me understand?
from syft.
Hi @kzantow ,
I changed the inspection and updated the description.
I hope you can reproduce the problem.
BR,
Jörg
from syft.
Hi @kzantow ,
Now I can describe the exact problem after debugging it properly.
Syft assumes that Go is installed on the machine when Go binaries are inspected. But this is a wrong assumption.
I modified HOME in the environment (to simulate that I do not have go on my machine).
```json
{
  "version": "0.2.0",
  "configurations": [
    {
      "name": "Launch Package",
      "type": "go",
      "request": "launch",
      "mode": "auto",
      "program": "cmd/syft/main.go",
      "args": ["scan", "mongo:5.0.26-focal", "-o", "syft-json=/home/joerg/projects/mongo_inspect/mongo-syft-single.json", "-vv"],
      "env": { "HOME": "/home/joerg/projects/mongo_inspect/temp", "GOPATH": "", "SYFT_GOLANG_SEARCH_REMOTE_LICENSES": "true" }
    }
  ]
}
```
Please look here:
syft/pkg/cataloger/golang/licenses.go
func modCacheResolver
Syft appended "go/pkg/mod" to my HOME path. This is the content of my modCacheDir parameter.
My $HOME exists, but not $HOME/go/pkg/mod.
The result is that the path is not found (a trace method is written, not a trace for me, the problem should be much more obvious), and an empty fileresolver is created. So downloaded licenses go to nowhere.
My temporary workaround in the pipeline will hopefully be the creation of the $HOME/go/pkg/mod directory.
But Syft has to use a directory where packages can be written to and analysed.
BR,
Jörg
from syft.
I can confirm that my temporary solution - the creation of $HOME/go/pkg/mod before Syft invocation - is working.
from syft.
I face the same issue, and the creation of the $HOME/go/pkg/mod directory solved it.
Waiting for #2852 to be merged /cc @kzantow
from syft.
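The failure discussed in this thread (a derived $HOME/go/pkg/mod that does not exist, so downloaded licenses have nowhere to land) can be caught by a pre-flight check that creates the directory or fails loudly. This is an added example, not Syft's code and not the change in #2852; `defaultModCacheDir` and `ensureModCacheDir` are hypothetical names, and the HOME used in `main` is a constructed temp directory.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// defaultModCacheDir (hypothetical) builds the path reported above: $HOME/go/pkg/mod.
func defaultModCacheDir(home string) string {
	return filepath.Join(home, "go", "pkg", "mod")
}

// ensureModCacheDir makes dir usable or returns an error the caller can show,
// so a missing cache never turns into a silently empty resolver.
func ensureModCacheDir(dir string) (created bool, err error) {
	info, statErr := os.Stat(dir)
	switch {
	case errors.Is(statErr, fs.ErrNotExist):
		if err := os.MkdirAll(dir, 0o755); err != nil {
			return false, fmt.Errorf("create mod cache %q: %w", dir, err)
		}
		created = true
	case statErr != nil:
		return false, fmt.Errorf("stat mod cache %q: %w", dir, statErr)
	case !info.IsDir():
		return false, fmt.Errorf("mod cache %q is not a directory", dir)
	}
	// Write probe: downloaded licenses need somewhere to land.
	probe, err := os.CreateTemp(dir, ".write-probe-*")
	if err != nil {
		return created, fmt.Errorf("mod cache %q is not writable: %w", dir, err)
	}
	probe.Close()
	return created, os.Remove(probe.Name())
}

func main() {
	// Constructed HOME without a Go installation, as in the report.
	home, err := os.MkdirTemp("", "home-without-go-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(home)
	created, err := ensureModCacheDir(defaultModCacheDir(home))
	fmt.Println("created:", created, "err:", err)
}
```

In a pipeline the same effect is the workaround confirmed above: create $HOME/go/pkg/mod before invoking Syft.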