
Allow for stubbing unknown versions over dropping packages #2652

Closed
wagoodman opened this issue Feb 16, 2024 · 1 comment · Fixed by #3257
Labels
enhancement New feature or request

Comments

@wagoodman (Contributor)

Today when we cannot find a version for a package, we end up not including it in the SBOM at all. This is consistent with the NTIA minimum requirements, however, there is another option we have: we could stub version values with UNKNOWN_VERSION in these cases.

Ideally this behavior should be opt-in (drop packages by default), allowing a user to specify something like SYFT_PACKAGE_STUB_UNKNOWN_VERSIONS=true (or something similar).

(this has come up in a few different offline conversations over the last few months, so figured I'd create an issue for it)

@wagoodman wagoodman added the enhancement New feature or request label Feb 16, 2024
@kzantow kzantow self-assigned this Apr 18, 2024
@kzantow kzantow moved this to In Progress in OSS Apr 18, 2024
@kzantow kzantow moved this from In Progress to Backlog in OSS Apr 18, 2024
@kzantow kzantow removed their assignment Apr 18, 2024
@GijsCalis (Contributor)

At least for cyclonedx-json SBOMs quite a lot of Java packages without versions are being included in the output file. Is that a bug in the Java cataloger?
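The two policies discussed in this thread (drop versionless packages, or stub them with UNKNOWN_VERSION behind an opt-in setting) plus the audit a consumer would want for the versionless Java components mentioned above, as an added example that is not Syft's own code. The cyclonedx-json document is constructed inline; the function names and the exact stub string are assumptions.

```python
"""Audit a CycloneDX JSON SBOM for components without a usable version.

Added example (not Syft's code): applies the drop-versus-stub policy
from the issue and flags every component that would fail the NTIA
"version" minimum element either way, so stubbed placeholders are not
mistaken for real versions downstream.
"""
import json

STUB = "UNKNOWN_VERSION"  # placeholder value proposed in the issue

# Constructed sample cyclonedx-json fragment (not real Syft output):
# one versioned component, two versionless ones, one already stubbed.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "library", "name": "commons-io", "version": ""},
        {"type": "library", "name": "guava"},
        {"type": "library", "name": "jackson-databind", "version": STUB},
    ],
})


def apply_version_policy(sbom_text, stub_unknown=False):
    """Return the components kept under the opt-in policy.

    Default (stub_unknown=False) mirrors today's behaviour: a component
    with no version is dropped. With stub_unknown=True it is kept with
    the placeholder value instead.
    """
    kept = []
    for c in json.loads(sbom_text).get("components", []):
        if c.get("version"):
            kept.append(c)
        elif stub_unknown:
            kept.append({**c, "version": STUB})
    return kept


def unknown_versions(sbom_text):
    """Sorted names of components whose version is missing, empty or a stub."""
    comps = json.loads(sbom_text).get("components", [])
    return sorted(c["name"] for c in comps
                  if not c.get("version") or c["version"] == STUB)


if __name__ == "__main__":
    print("drop policy:", [c["name"] for c in apply_version_policy(SAMPLE_SBOM)])
    print("stub policy:", [c["name"] for c in apply_version_policy(SAMPLE_SBOM, True)])
    print("needs review:", unknown_versions(SAMPLE_SBOM))
```

Note that a stubbed component passes the naive "has a version" check, which is why the audit compares against the placeholder explicitly.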

Projects
Archived in project

3 participants