-
Notifications
You must be signed in to change notification settings - Fork 594
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Invoke known tools to gather build-time dependency information #1562
Comments
cc: @lumjjb |
This is most likely needed on order to achieve #1674 and #572 in a meaningful way. This functionality should be opt-in, that is, by default syft should remain a static analysis tool. Executing other commands on the system should still be not allowed by default (again, unless the user opts in). Considerations:
|
would the same be true for npm, too? |
Instead of shelling out to cli tools, would you consider building parsers directly inside syft? It wouldn't require one to depend on the presence of local tooling, and I could envision that the tools might have different ouputs depending on the installed version of the tooling. Snyk, for example, has built a bunch of parsers for various ecosystems in js https://github.com/snyk/dotnet-deps-parser I just implemented something similar in cdxgen for .NET [ref] and npm [ref] to determine direct/indirect deps in build files. Wondering if the same could work here but written in golang.
Can you expand on what specifically would be more accurate. In my mind I can only imagine direct/indirect deps. But is there more? I also noticed that syft doesn't generate a |
@noqcks we do already have lots of parsers for different ecosystems. This change, at least initially, would be an opt-in behavior to shell out to the tools. This would allow things like Go - which has a flat list of dependencies in the go.mod - to get the dependency graph and properly output it in different formats. |
I suppose what I meant is only shelling out to tools where necessary (in the case that go mod graph is truly the only way to see the dependency tree for go projects), and writing all other dep graph parsers directly into syft where possible. I'd like to work on getting real dependency graph for javascript projects inside syft, and wanted to write this dep parser inside syft instead of relying on an external npm cli. Wanted to clarify whether this would be an appropriate avenue to pursue before I started the work. |
Since this is a potentially large item that would affect multiple ecosystems I think a detailed plan is needed to move forward with this (how would this work within a single cataloger, what abstractions do we want to introduce (if any), would abstractions be generalizable to other ecosystem catalogers (if so, how), etc) |
This continues to come up in discussion and also some open PRs: for mvn and for dotnet. At the very least, once we start allowing shell-out behavior, we should probably integrate every option with the |
What would you like to be added:
Add the ability to shell-out to known tools such as
go
andmvn
in order to capture more accurate build-time dependency information.Why is this needed:
To improve the build-time dependency support in Syft.
Additional context:
From a working document:
Creating higher quality SBOMs in Syft at build-time
At build time, static analysis of dependencies implemented today is limited. Improving static analysis metrics can be done by simulating what build systems do. This is subject to drift and additional maintenance to keep up with behaviors of the build systems.
One approach to resolving this issue is to call out to build systems to get that information instead. This introduces additional (optional) dependencies.
Syft as a build-time SBOM generator tool
Syft can be seen as a “build-time” SBOM generator tool, and can start thinking about utilizing build tooling. Calling out to build tools can be such as the following, we will use 2 examples.
Golang
Instead of reading and trying to parse and resolve the go.mod file, the
go mod graph
command can be used to get a fully resolved dependency tree.go mod graph
to resolve dependency information for go source #2018Java
Maven has the
mvn dependency:tree
command which shows the fully-resolved dependency graph.mvn dependency:tree
to resolve dependency information for Maven source #2019NPM
Npm has
npm ls --all
npm ls --all
to resolve dependency information for NPM packages #2020Python
Python has
pipdeptree
Considerations
The text was updated successfully, but these errors were encountered: