What happened:
When using syft packages against a temp directory with symlinks to *.jar files syft 0.85 in Linux does not find any package unless option --base-path / is used.
I suggest to change the default base path from "" to "/" (for unix type systems), but @kzantow suggests "We probably need a broader discussion to change the behavior", see #1867 (comment)
What you expected to happen:
I expected syft to find all packages represented by those symlinked *.jar files.
Steps to reproduce the issue:
- create a temp directory, say /tmp/foobar
- symlink one or more *.jar files there ("good" jar files, that syft usually can detect the Maven coordinates and license of)
- perform something like: syft packages /tmp/foobar -o cyclonedx-json --file syft-bom.cdx.json
- the generated .cdx.json file has no packages
- repeat the command with --base-path / and you get a .cdx.json with the Maven package(s) listed
Anything else we need to know?:
- I wasn't sure between reporting a bug or a feature request, but with a new feature changing behaviour (and breaking the core function for certain situations) I went for bug.
Environment:
- syft version:
Application: syft
Version: 0.85.0
JsonSchemaVersion: 9.0.0
BuildDate: 2023-07-12T17:42:24Z
GitCommit: 4fc17edd146af34ab06f5b0443ef8ddac3aaf076
GitDescription: v0.85.0
Platform: linux/amd64
GoVersion: go1.20.5
Compiler: gc
- OS (e.g. cat /etc/os-release or similar):
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
Remark: We automatically download the latest syft_*_linux_amd64.deb (only if it has changed, wget -N) daily and distribute it internally via an internal-ish deb repository for 3rd party software.
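The reproduction above, as an added harness that is not part of this issue or of the syft project: it builds a constructed minimal jar (a zip carrying a META-INF/maven/.../pom.properties with made-up coordinates) outside the scan directory, symlinks it into a "foobar" directory exactly as the steps describe, and then, if a syft binary is on PATH (an assumption), runs the scan once with the default base path and once with --base-path / and compares the CycloneDX component counts. Without syft installed it still builds and validates the fixture, so the layout can be checked offline.

```python
import json
import os
import shutil
import subprocess
import tempfile
import zipfile
from pathlib import Path
from typing import List, Optional, Tuple

# Constructed sample Maven coordinates; not taken from any real artefact.
GROUP, ARTIFACT, VERSION = "com.example", "demo-lib", "1.2.3"


def make_minimal_jar(path: Path) -> Path:
    """Write a minimal jar whose pom.properties carries the coordinates
    syft's Java cataloger reads (constructed content, not a real library)."""
    props = f"groupId={GROUP}\nartifactId={ARTIFACT}\nversion={VERSION}\n"
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(f"META-INF/maven/{GROUP}/{ARTIFACT}/pom.properties", props)
    return path


def jar_entries(path: Path) -> List[str]:
    """List the entry names inside a jar (follows the symlink if given one)."""
    with zipfile.ZipFile(path) as jar:
        return jar.namelist()


def build_fixture(root: Path) -> Tuple[Path, Path]:
    """Lay out the issue's scenario: the real jar lives outside the scan
    directory, and the scan directory ('foobar') holds only a symlink to it."""
    real_dir = root / "real"
    scan_dir = root / "foobar"
    real_dir.mkdir()
    scan_dir.mkdir()
    real_jar = make_minimal_jar(real_dir / f"{ARTIFACT}-{VERSION}.jar")
    link = scan_dir / real_jar.name
    link.symlink_to(real_jar)  # absolute symlink, as a typical 'ln -s' would create
    return scan_dir, link


def syft_component_count(scan_dir: Path, base_path: Optional[str]) -> Optional[int]:
    """Run syft on the directory and count CycloneDX components.
    Returns None when no syft binary is available (assumption: syft on PATH)."""
    if shutil.which("syft") is None:
        return None
    cmd = ["syft", "packages", str(scan_dir), "-o", "cyclonedx-json"]
    if base_path is not None:
        cmd += ["--base-path", base_path]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return len(json.loads(out).get("components", []))


def run_repro() -> dict:
    """Build the fixture in a temp dir and compare both invocations."""
    with tempfile.TemporaryDirectory() as tmp:
        scan_dir, link = build_fixture(Path(tmp))
        return {
            "scan_dir": str(scan_dir),
            "link_resolves": link.is_symlink() and link.resolve().is_file(),
            "default": syft_component_count(scan_dir, None),
            "with_base_path": syft_component_count(scan_dir, "/"),
        }


if __name__ == "__main__":
    result = run_repro()
    print(json.dumps(result, indent=2))
    if result["default"] is None:
        print("syft not found on PATH; only the fixture was built and checked")
```

With syft 0.85.0 on Linux the report describes "default" coming back as 0 and "with_base_path" as 1 for this layout; the harness leaves both as None when syft is absent rather than guessing. Pointing the scan at the symlink's real parent directory instead of the directory of links is the simplest workaround to try alongside --base-path /.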