CLI tool and library for generating a Software Bill of Materials from container images and filesystems

Overview


A CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems. Exceptional for vulnerability detection when used with a scanner tool like Grype.

Join us at the virtual OSS meetup!

When: December 1, 2021 @ 11am-noon PT (2-3pm ET)

We’ve got security experts from VMware and Anchore who will share their tips, tricks, and lessons learned on securing containers using Syft, Grype, and Cartographer.

Register now: https://get.anchore.com/anchore-oss-meetup-dec-1-2021/



Features

  • Catalog container images and filesystems to discover packages and libraries.
  • Supports packages and libraries from various ecosystems (APK, DEB, RPM, Ruby Bundles, Python Wheel/Egg/requirements.txt, JavaScript NPM/Yarn, Java JAR/EAR/WAR, Jenkins plugins JPI/HPI, Go modules)
  • Linux distribution identification (supports Alpine, BusyBox, CentOS/RedHat, Debian/Ubuntu flavored distributions)
  • Supports Docker and OCI image formats
  • Direct support for Grype, a fast and powerful vulnerability matcher.

If you encounter an issue, please let us know using the issue tracker.

Installation

Recommended

curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin

...or, you can specify a release version and destination directory for the installation:

curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b <DESTINATION_DIR> <RELEASE_VERSION>

Homebrew

brew tap anchore/syft
brew install syft

Note: Currently, Syft is built only for macOS and Linux.

Getting started

To generate an SBOM for a Docker or OCI image:

syft <image>

Note: This is equivalent to specifying the packages subcommand:

syft packages <image>

The above output includes only software that is visible in the container (i.e., the squashed representation of the image). To include software from all image layers in the SBOM, regardless of its presence in the final image, provide --scope all-layers:

syft packages <image> --scope all-layers
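
To make the two scopes concrete, the following added example (not code from Syft; the layer model, path names and function names are constructed for illustration) applies the OCI whiteout convention to a three-layer image and lists the content that only `--scope all-layers` would reach.

```go
package main

import (
	"fmt"
	"path"
	"sort"
	"strings"
)

// Layer lists the file paths one image layer adds. This is a constructed
// model for illustration; a real scanner reads the layer tarballs.
type Layer []string

const (
	whiteoutPrefix = ".wh."         // OCI marker: remove one path from lower layers
	opaqueMarker   = ".wh..wh..opq" // OCI marker: hide a directory's lower content
)

func isMarker(p string) bool { return strings.HasPrefix(path.Base(p), whiteoutPrefix) }

func sorted(set map[string]bool) []string {
	out := make([]string, 0, len(set))
	for p := range set {
		out = append(out, p)
	}
	sort.Strings(out)
	return out
}

// AllLayers returns every path present in any layer: the search space of
// --scope all-layers.
func AllLayers(layers []Layer) []string {
	set := map[string]bool{}
	for _, layer := range layers {
		for _, p := range layer {
			if !isMarker(p) {
				set[p] = true
			}
		}
	}
	return sorted(set)
}

// Squashed applies the layers bottom-up and honours whiteouts, which yields
// the filesystem the container sees: the default squashed scope.
func Squashed(layers []Layer) []string {
	fs := map[string]bool{}
	for _, layer := range layers {
		// Markers only affect lower layers, so apply them before the additions.
		for _, p := range layer {
			dir, base := path.Split(p)
			if !isMarker(p) {
				continue
			}
			target := dir + strings.TrimPrefix(base, whiteoutPrefix)
			for existing := range fs {
				hit := existing == target || strings.HasPrefix(existing, target+"/")
				if base == opaqueMarker {
					hit = strings.HasPrefix(existing, dir)
				}
				if hit {
					delete(fs, existing)
				}
			}
		}
		for _, p := range layer {
			if !isMarker(p) {
				fs[p] = true
			}
		}
	}
	return sorted(fs)
}

// HiddenPaths lists content that exists in the image but that only an
// all-layers scan reaches.
func HiddenPaths(layers []Layer) []string {
	visible := map[string]bool{}
	for _, p := range Squashed(layers) {
		visible[p] = true
	}
	hidden := []string{}
	for _, p := range AllLayers(layers) {
		if !visible[p] {
			hidden = append(hidden, p)
		}
	}
	return hidden
}

// SampleImage is a constructed three-layer image: base, build step, cleanup.
func SampleImage() []Layer {
	return []Layer{
		{"lib/apk/db/installed", "usr/bin/curl"},
		{"app/server", "app/.npmrc", "tmp/build/cache.tar"},
		{"app/.wh..npmrc", "usr/bin/.wh.curl", "tmp/build/.wh..wh..opq"},
	}
}

func main() {
	img := SampleImage()
	fmt.Println("squashed:   ", Squashed(img))
	fmt.Println("all-layers: ", AllLayers(img))
	fmt.Println("hidden:     ", HiddenPaths(img))
}
```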

Supported sources

Syft can generate an SBOM from a variety of sources:

# catalog a container image archive (from the result of `docker image save ...`, `podman save ...`, or `skopeo copy` commands)
syft packages path/to/image.tar

# catalog a directory
syft packages path/to/dir

Sources can be explicitly provided with a scheme:

docker:yourrepo/yourimage:tag          use images from the Docker daemon
docker-archive:path/to/yourimage.tar   use a tarball from disk for archives created from "docker save"
oci-archive:path/to/yourimage.tar      use a tarball from disk for OCI archives (from Skopeo or otherwise)
oci-dir:path/to/yourimage              read directly from a path on disk for OCI layout directories (from Skopeo or otherwise)
dir:path/to/yourproject                read directly from a path on disk (any directory)
file:path/to/yourproject/file          read directly from a path on disk (any single file)
registry:yourrepo/yourimage:tag        pull image directly from a registry (no container runtime required)

Output formats

The output format for Syft is configurable as well:

syft packages <image> -o <format>

Where the formats available are:

  • json: Use this to get as much information out of Syft as possible!
  • text: A row-oriented, human-and-machine-friendly output.
  • cyclonedx: An XML report conforming to the CycloneDX 1.2 specification.
  • spdx: A tag-value formatted report conforming to the SPDX 2.2 specification.
  • spdx-json: A JSON report conforming to the SPDX 2.2 JSON Schema.
  • table: A columnar summary (default).

Private Registry Authentication

Local Docker Credentials

When a container runtime is not present, Syft can still utilize credentials configured in common credential sources (such as ~/.docker/config.json). It will pull images from private registries using these credentials. The config file is where your credentials are stored when authenticating with private registries via some command like docker login. For more information see the go-containerregistry documentation.

An example config.json looks something like this:

// config.json
{
	"auths": {
		"registry.example.com": {
			"username": "AzureDiamond",
			"password": "hunter2"
		}
	}
}

You can run the following command as an example. It details the mount/environment configuration a container needs to access a private registry:

docker run -v ./config.json:/config/config.json -e "DOCKER_CONFIG=/config" anchore/syft:latest

Docker Credentials in Kubernetes

The section below shows a simple workflow for mounting this config file as a secret into a container on Kubernetes.

  1. Create a secret. The value of config.json is important. It refers to the specification detailed here. Below this section is the secret.yaml file that the pod configuration will consume as a volume. The key config.json is important. It will end up being the name of the file when mounted into the pod.

    # secret.yaml
    
    apiVersion: v1
    kind: Secret
    metadata:
      name: registry-config
      namespace: syft
    data:
      config.json: <base64 encoded config.json>

    kubectl apply -f secret.yaml

  2. Create your pod running syft. The env DOCKER_CONFIG is important because it advertises where to look for the credential file. In the below example, setting DOCKER_CONFIG=/config informs syft that credentials can be found at /config/config.json. This is why we used config.json as the key for our secret. When mounted into containers the secrets' key is used as the filename. The volumeMounts section mounts our secret to /config. The volumes section names our volume and leverages the secret we created in step one.

    # pod.yaml

    apiVersion: v1
    kind: Pod
    metadata:
      # the pod name that `kubectl logs` refers to in step 3
      name: syft-private-registry-demo
      # a pod can only mount secrets from its own namespace
      namespace: syft
    spec:
      containers:
        - image: anchore/syft:latest
          name: syft-private-registry-demo
          env:
            - name: DOCKER_CONFIG
              value: /config
          volumeMounts:
          - mountPath: /config
            name: registry-config
            readOnly: true
          args:
            - <image>
      volumes:
      - name: registry-config
        secret:
          secretName: registry-config

    kubectl apply -f pod.yaml

  3. The user can now run kubectl logs syft-private-registry-demo -n syft. The logs should show the syft analysis for the <image> provided in the pod configuration.

Using the above information, users should be able to configure private registry access without having to do so in the grype or syft configuration files. They will also not be dependent on a Docker daemon (or some other runtime software) for registry configuration and access.
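
The `data` value in step 1 is the base64 encoding of the whole config.json file. The following added example (not code from Syft or Kubernetes; `RenderSecret`, `MountedCredentials` and the type names are hypothetical helpers, and the sample credentials are the ones from the config.json example above) renders secret.yaml and then checks that the decoded file really holds credentials for the registry, which catches plain JSON or a wrong registry key before the pod is created.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// RegistryAuth and DockerConfig mirror the config.json layout shown above.
type RegistryAuth struct {
	Username string `json:"username"`
	Password string `json:"password"`
}

type DockerConfig struct {
	Auths map[string]RegistryAuth `json:"auths"`
}

// secretKey becomes the file name under the mount path, so with
// DOCKER_CONFIG=/config the credentials end up at /config/config.json.
const secretKey = "config.json"

// RenderSecret returns the secret.yaml manifest for step 1.
func RenderSecret(name, namespace, registry string, auth RegistryAuth) (string, error) {
	if registry == "" || auth.Username == "" || auth.Password == "" {
		return "", errors.New("registry, username and password are all required")
	}
	// json.Marshal escapes quotes and control characters in the password.
	raw, err := json.Marshal(DockerConfig{Auths: map[string]RegistryAuth{registry: auth}})
	if err != nil {
		return "", err
	}
	// StdEncoding emits one unwrapped line, which is what the YAML scalar needs.
	encoded := base64.StdEncoding.EncodeToString(raw)
	return fmt.Sprintf(
		"apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ndata:\n  %s: %s\n",
		name, namespace, secretKey, encoded), nil
}

// MountedCredentials decodes data.config.json from a manifest and returns the
// credentials stored for the given registry.
func MountedCredentials(manifest, registry string) (RegistryAuth, error) {
	for _, line := range strings.Split(manifest, "\n") {
		field := strings.TrimSpace(line)
		if !strings.HasPrefix(field, secretKey+":") {
			continue
		}
		value := strings.TrimSpace(strings.TrimPrefix(field, secretKey+":"))
		raw, err := base64.StdEncoding.DecodeString(value)
		if err != nil {
			return RegistryAuth{}, fmt.Errorf("data.%s is not valid base64: %w", secretKey, err)
		}
		var cfg DockerConfig
		if err := json.Unmarshal(raw, &cfg); err != nil {
			return RegistryAuth{}, fmt.Errorf("decoded %s is not valid JSON: %w", secretKey, err)
		}
		auth, ok := cfg.Auths[registry]
		if !ok {
			return RegistryAuth{}, fmt.Errorf("no credentials for %q in %s", registry, secretKey)
		}
		return auth, nil
	}
	return RegistryAuth{}, fmt.Errorf("manifest has no %s key", secretKey)
}

func main() {
	// Sample values taken from the config.json example above.
	manifest, err := RenderSecret("registry-config", "syft", "registry.example.com",
		RegistryAuth{Username: "AzureDiamond", Password: "hunter2"})
	if err != nil {
		panic(err)
	}
	fmt.Print(manifest)
	auth, err := MountedCredentials(manifest, "registry.example.com")
	fmt.Println("round trip ok:", err == nil && auth.Username == "AzureDiamond")
}
```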

Configuration

Configuration search paths:

  • .syft.yaml
  • .syft/config.yaml
  • ~/.syft.yaml
  • /syft/config.yaml

Configuration options (example values are the default):

# the output format of the SBOM report (options: table, text, json, cyclonedx, spdx, spdx-json)
# same as -o ; SYFT_OUTPUT env var
output: "table"

# suppress all output (except for the SBOM report)
# same as -q ; SYFT_QUIET env var
quiet: false

# same as --file; write output report to a file (default is to write to stdout)
file: ""

# enable/disable checking for application updates on startup
# same as SYFT_CHECK_FOR_APP_UPDATE env var
check-for-app-update: true

# cataloging packages is exposed through the packages and power-user subcommands
package:
  cataloger:
    # enable/disable cataloging of packages
    # SYFT_PACKAGE_CATALOGER_ENABLED env var
    enabled: true

    # the search space to look for packages (options: all-layers, squashed)
    # same as -s ; SYFT_PACKAGE_CATALOGER_SCOPE env var
    scope: "squashed"

# cataloging file classifications is exposed through the power-user subcommand
file-classification:
  cataloger:
    # enable/disable cataloging of file classifications
    # SYFT_FILE_CLASSIFICATION_CATALOGER_ENABLED env var
    enabled: true

    # the search space to look for file classifications (options: all-layers, squashed)
    # SYFT_FILE_CLASSIFICATION_CATALOGER_SCOPE env var
    scope: "squashed"

# cataloging file contents is exposed through the power-user subcommand
file-contents:
  cataloger:
    # enable/disable cataloging of file contents
    # SYFT_FILE_CONTENTS_CATALOGER_ENABLED env var
    enabled: true

    # the search space to look for file contents (options: all-layers, squashed)
    # SYFT_FILE_CONTENTS_CATALOGER_SCOPE env var
    scope: "squashed"

  # skip searching a file entirely if it is above the given size (default = 1MB; unit = bytes)
  # SYFT_FILE_CONTENTS_SKIP_FILES_ABOVE_SIZE env var
  skip-files-above-size: 1048576

  # file globs for the cataloger to match on
  # SYFT_FILE_CONTENTS_GLOBS env var
  globs: []

# cataloging file metadata is exposed through the power-user subcommand
file-metadata:
  cataloger:
    # enable/disable cataloging of file metadata
    # SYFT_FILE_METADATA_CATALOGER_ENABLED env var
    enabled: true

    # the search space to look for file metadata (options: all-layers, squashed)
    # SYFT_FILE_METADATA_CATALOGER_SCOPE env var
    scope: "squashed"

  # the file digest algorithms to use when cataloging files (options: "sha256", "md5", "sha1")
  # SYFT_FILE_METADATA_DIGESTS env var
  digests: ["sha256"]

# cataloging secrets is exposed through the power-user subcommand
secrets:
  cataloger:
    # enable/disable cataloging of secrets
    # SYFT_SECRETS_CATALOGER_ENABLED env var
    enabled: true

    # the search space to look for secrets (options: all-layers, squashed)
    # SYFT_SECRETS_CATALOGER_SCOPE env var
    scope: "all-layers"

  # show extracted secret values in the final JSON report
  # SYFT_SECRETS_REVEAL_VALUES env var
  reveal-values: false

  # skip searching a file entirely if it is above the given size (default = 1MB; unit = bytes)
  # SYFT_SECRETS_SKIP_FILES_ABOVE_SIZE env var
  skip-files-above-size: 1048576

  # name-regex pairs to consider when searching files for secrets. Note: the regex must match single line patterns
  # but may also have OPTIONAL multiline capture groups. Regexes with a named capture group of "value" will
  # use the entire regex to match, but the secret value will be assumed to be entirely contained within the
  # "value" named capture group.
  additional-patterns: {}

  # names to exclude from the secrets search, valid values are: "aws-access-key", "aws-secret-key", "pem-private-key",
  # "docker-config-auth", and "generic-api-key". Note: this does not consider any names introduced in the
  # "secrets.additional-patterns" config option.
  # SYFT_SECRETS_EXCLUDE_PATTERN_NAMES env var
  exclude-pattern-names: []

# options when pulling directly from a registry via the "registry:" scheme
registry:
  # skip TLS verification when communicating with the registry
  # SYFT_REGISTRY_INSECURE_SKIP_TLS_VERIFY env var
  insecure-skip-tls-verify: false
  # use http instead of https when connecting to the registry
  # SYFT_REGISTRY_INSECURE_USE_HTTP env var
  insecure-use-http: false

  # credentials for specific registries
  auth:
    - # the URL to the registry (e.g. "docker.io", "localhost:5000", etc.)
      # SYFT_REGISTRY_AUTH_AUTHORITY env var
      authority: ""
      # SYFT_REGISTRY_AUTH_USERNAME env var
      username: ""
      # SYFT_REGISTRY_AUTH_PASSWORD env var
      password: ""
      # note: token and username/password are mutually exclusive
      # SYFT_REGISTRY_AUTH_TOKEN env var
      token: ""
    - ... # note, more credentials can be provided via config file only

log:
  # use structured logging
  # same as SYFT_LOG_STRUCTURED env var
  structured: false

  # the log level; note: detailed logging suppresses the ETUI
  # same as SYFT_LOG_LEVEL env var
  level: "error"

  # location to write the log file (default is not to have a log file)
  # same as SYFT_LOG_FILE env var
  file: ""

# uploading package SBOM is exposed through the packages subcommand
anchore:
  # (feature-preview) the Anchore Enterprise Host or URL to upload results to (supported on Enterprise 3.0+)
  # same as -H ; SYFT_ANCHORE_HOST env var
  host: ""

  # (feature-preview) the path after the host to the Anchore External API (supported on Enterprise 3.0+)
  # same as SYFT_ANCHORE_PATH env var
  path: ""

  # (feature-preview) the username to authenticate against Anchore Enterprise (supported on Enterprise 3.0+)
  # same as -u ; SYFT_ANCHORE_USERNAME env var
  username: ""

  # (feature-preview) the password to authenticate against Anchore Enterprise (supported on Enterprise 3.0+)
  # same as -p ; SYFT_ANCHORE_PASSWORD env var
  password: ""

  # (feature-preview) path to dockerfile to be uploaded with the syft results to Anchore Enterprise (supported on Enterprise 3.0+)
  # same as -d ; SYFT_ANCHORE_DOCKERFILE env var
  dockerfile: ""
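
The behaviour described for `secrets.additional-patterns` and `secrets.reveal-values`, as an added Go example (not Syft's implementation; `FindSecrets`, the `Finding` type, the pattern names and the sample file are constructed for illustration): the whole regex decides whether there is a match, the `value` group decides which bytes count as the secret, and the value is only returned when reveal is requested.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Finding describes one match of a name-regex pair.
type Finding struct {
	Name   string // key of the name-regex pair
	Line   int    // 1-based line on which the secret value starts
	Offset int    // byte offset of the secret value in the content
	Length int    // length of the secret value in bytes
	Value  string // empty unless reveal is true
}

// FindSecrets is a hypothetical helper. A pattern with a named capture group
// "value" reports only that group as the secret; a pattern without one
// reports the whole match.
func FindSecrets(patterns map[string]string, content string, reveal bool) ([]Finding, error) {
	var out []Finding
	for name, expr := range patterns {
		re, err := regexp.Compile(expr)
		if err != nil {
			return nil, fmt.Errorf("pattern %q: %w", name, err)
		}
		valueIdx := re.SubexpIndex("value") // -1 when there is no such group
		for _, loc := range re.FindAllStringSubmatchIndex(content, -1) {
			start, end := loc[0], loc[1] // default: the whole match
			if valueIdx > 0 && loc[2*valueIdx] >= 0 {
				start, end = loc[2*valueIdx], loc[2*valueIdx+1]
			}
			f := Finding{
				Name:   name,
				Line:   1 + strings.Count(content[:start], "\n"),
				Offset: start,
				Length: end - start,
			}
			if reveal {
				f.Value = content[start:end]
			}
			out = append(out, f)
		}
	}
	// Map iteration order is random, so sort for a stable report.
	sort.Slice(out, func(i, j int) bool { return out[i].Offset < out[j].Offset })
	return out, nil
}

// SamplePatterns are constructed name-regex pairs.
var SamplePatterns = map[string]string{
	// key and delimiter must match, but only the "value" group is the secret
	"db-password": `(?m)^db_password=(?P<value>\S+)$`,
	// no "value" group: the whole match is the secret
	"internal-token": `tok_[a-z0-9]{8}`,
}

// SampleFile is constructed input; none of the values are real credentials.
const SampleFile = "# constructed sample file\n" +
	"db_host=db.internal.example\n" +
	"db_password=not-a-real-password\n" +
	"api_token = tok_abcd1234\n"

func main() {
	for _, reveal := range []bool{false, true} {
		findings, err := FindSecrets(SamplePatterns, SampleFile, reveal)
		if err != nil {
			panic(err)
		}
		for _, f := range findings {
			fmt.Printf("reveal=%-5v %-14s line=%d length=%d value=%q\n",
				reveal, f.Name, f.Line, f.Length, f.Value)
		}
	}
}
```
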
Comments
  • SBOM cataloger

    Supports ad hoc binary application layouts:

    CI saves CycloneDX SBOM JSON in docker image or application deployment/installation folder.

    During image/directory scanning, Syft does not need to rely on specific layouts supported by specific catalogers.

    Instead, the application may use whatever layout and format it needs, and provide an SBOM JSON artifact for integration with Syft or other tools.

    A typical scenario is a node/react/webpack build folder with static content for a web server. This particular use case can be supported by providing an npm/yarn lock file and enabling javascript-lock-cataloger (#1022).

    The SBOM cataloger provides a more generic approach to this problem.

    opened by patrikbeno 39
  • SPDX-json output differs between cli and golang implementation

    What happened: Hi all, I'm the maintainer of the https://github.com/ckotzbauer/sbom-operator project. Syft is integrated there via its golang api. This is unit-tested to ensure that my code and the cli of the same version produce the same SBOM for images. Since 0.56.0 the spdxjson-output differs. (With 0.55.0 the syftjson format also differed, but that was fixed with 0.56.0.)

    What you expected to happen: My code and the cli produce the same SBOM for images.

    How to reproduce it (as minimally and precisely as possible):

    Used image: alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300
    Used format: spdxjson

    SPDX-json from go-integration
     "versionInfo": "1.2.2-r7"
    },
    {
     "SPDXID": "SPDXRef-f2d426372356602d",
     "name": "scanelf",
     "licenseConcluded": "GPL-2.0-only",
     "description": "Scan ELF binaries for stuff",
     "downloadLocation": "https://wiki.gentoo.org/wiki/Hardened/PaX_Utilities",
     "externalRefs": [
      {
       "referenceCategory": "SECURITY",
       "referenceLocator": "cpe:2.3:a:scanelf:scanelf:1.3.3-r0:*:*:*:*:*:*:*",
       "referenceType": "cpe23Type"
      },
      {
       "referenceCategory": "PACKAGE_MANAGER",
       "referenceLocator": "pkg:alpine/scanelf@1.3.3-r0?arch=x86_64&upstream=pax-utils&distro=alpine-3.15.0",
       "referenceType": "purl"
      }
     ],
     "filesAnalyzed": false,
     "hasFiles": [
      "SPDXRef-7516f5d905deb6db"
     ],
     "licenseDeclared": "GPL-2.0-only",
     "originator": "Person: Natanael Copa <ncopa@alpinelinux.org>",
     "sourceInfo": "acquired package info from APK DB: /lib/apk/db/installed",
     "versionInfo": "1.3.3-r0"
    },
    {
     "SPDXID": "SPDXRef-38bc092600723894",
     "name": "ssl_client",
     "licenseConcluded": "GPL-2.0-only",
     "description": "EXternal ssl_client for busybox wget",
     "downloadLocation": "https://busybox.net/",
     "externalRefs": [
      {
       "referenceCategory": "SECURITY",
       "referenceLocator": "cpe:2.3:a:ssl-client:ssl-client:1.34.1-r3:*:*:*:*:*:*:*",
       "referenceType": "cpe23Type"
      },
      {
       "referenceCategory": "SECURITY",
       "referenceLocator": "cpe:2.3:a:ssl-client:ssl_client:1.34.1-r3:*:*:*:*:*:*:*",
       "referenceType": "cpe23Type"
      },
      {
       "referenceCategory": "SECURITY",
       "referenceLocator": "cpe:2.3:a:ssl_client:ssl-client:1.34.1-r3:*:*:*:*:*:*:*",
       "referenceType": "cpe23Type"
      },
      {
       "referenceCategory": "SECURITY",
       "referenceLocator": "cpe:2.3:a:ssl_client:ssl_client:1.34.1-r3:*:*:*:*:*:*:*",
       "referenceType": "cpe23Type"
      },
      {
       "referenceCategory": "SECURITY",
       "referenceLocator": "cpe:2.3:a:ssl:ssl-client:1.34.1-r3:*:*:*:*:*:*:*",
       "referenceType": "cpe23Type"
      },
      {
       "referenceCategory": "SECURITY",
       "referenceLocator": "cpe:2.3:a:ssl:ssl_client:1.34.1-r3:*:*:*:*:*:*:*",
       "referenceType": "cpe23Type"
      },
      {
       "referenceCategory": "PACKAGE_MANAGER",
       "referenceLocator": "pkg:alpine/ssl_client@1.34.1-r3?arch=x86_64&upstream=busybox&distro=alpine-3.15.0",
       "referenceType": "purl"
      }
     ],
     "filesAnalyzed": false,
     "hasFiles": [
      "SPDXRef-711694a1725d661e"
     ],
     "licenseDeclared": "GPL-2.0-only",
     "originator": "Person: Natanael Copa <ncopa@alpinelinux.org>",
     "sourceInfo": "acquired package info from APK DB: /lib/apk/db/installed",
     "versionInfo": "1.34.1-r3"
    },
    {
     "SPDXID": "SPDXRef-50d3560550c47774",
     "name": "zlib",
     "licenseConcluded": "Zlib",
     "description": "A compression/decompression Library",
     "downloadLocation": "https://zlib.net/",
     "externalRefs": [
      {
       "referenceCategory": "SECURITY",
       "referenceLocator": "cpe:2.3:a:zlib:zlib:1.2.11-r3:*:*:*:*:*:*:*",
       "referenceType": "cpe23Type"
      },
      {
       "referenceCategory": "PACKAGE_MANAGER",
       "referenceLocator": "pkg:alpine/zlib@1.2.11-r3?arch=x86_64&upstream=zlib&distro=alpine-3.15.0",
       "referenceType": "purl"
      }
     ],
     "filesAnalyzed": false,
     "hasFiles": [
      "SPDXRef-bfd3d0235da50adb"
     ],
     "licenseDeclared": "Zlib",
     "originator": "Person: Natanael Copa <ncopa@alpinelinux.org>",
     "sourceInfo": "acquired package info from APK DB: /lib/apk/db/installed",
     "versionInfo": "1.2.11-r3"
    }
    ],
    "files": [
    {
     "SPDXID": "SPDXRef-988a54d89f5c4c09",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/bin/busybox"
    },
    {
     "SPDXID": "SPDXRef-8ec9dcf9b3d1d7ce",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/etc/apk/keys/alpine-devel@lists.alpinelinux.org-4a6a0840.rsa.pub"
    },
    {
     "SPDXID": "SPDXRef-39dcc03ca17480ca",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/etc/apk/keys/alpine-devel@lists.alpinelinux.org-5243ef4b.rsa.pub"
    },
    {
     "SPDXID": "SPDXRef-4d646d694b6380fc",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/etc/apk/keys/alpine-devel@lists.alpinelinux.org-5261cecb.rsa.pub"
    },
    {
     "SPDXID": "SPDXRef-395f72182f48f77c",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/etc/apk/keys/alpine-devel@lists.alpinelinux.org-6165ee59.rsa.pub"
    },
    {
     "SPDXID": "SPDXRef-496698ff67ca49fc",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/etc/apk/keys/alpine-devel@lists.alpinelinux.org-61666e3f.rsa.pub"
    },
    {
     "SPDXID": "SPDXRef-2eaa15c5fc625ebe",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/etc/crontabs/root"
    },
    {
     "SPDXID": "SPDXRef-a53373020dfa8bb4",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/etc/fstab"
    },
    {
     "SPDXID": "SPDXRef-2c0eaf2a7d7dbad",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/etc/group"
    },
    {
     "SPDXID": "SPDXRef-f3ee626693308800",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/etc/hostname"
    },
    {
     "SPDXID": "SPDXRef-38605c90f707fb90",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/etc/hosts"
    },
    {
     "SPDXID": "SPDXRef-60fa740c32339374",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/etc/inittab"
    },
    {
     "SPDXID": "SPDXRef-cd1c702a19149d7d",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/etc/logrotate.d/acpid"
    },
    {
     "SPDXID": "SPDXRef-420fa6f3289d6ee6",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/etc/modprobe.d/aliases.conf"
    },
    {
     "SPDXID": "SPDXRef-ae2cba512a3f4065",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/etc/modprobe.d/blacklist.conf"
    },
    {
     "SPDXID": "SPDXRef-24d0f8d913cd9906",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/etc/modprobe.d/i386.conf"
    },
    {
     "SPDXID": "SPDXRef-d41a5f82a774a6a1",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/etc/modprobe.d/kms.conf"
    },
    {
     "SPDXID": "SPDXRef-dc65dbf355556024",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/etc/modules"
    },
    {
     "SPDXID": "SPDXRef-b3a5f05adcd1cf82",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/etc/motd"
    },
    {
     "SPDXID": "SPDXRef-be5355441673f6dc",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/etc/network/if-up.d/dad"
    },
    {
     "SPDXID": "SPDXRef-b499705c36475f74",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/etc/passwd"
    },
    {
     "SPDXID": "SPDXRef-2e3613b244458b5a",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/etc/profile"
    },
    {
     "SPDXID": "SPDXRef-64b20ab568341372",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/etc/profile.d/README"
    },
    {
     "SPDXID": "SPDXRef-84fd54b3f2a2e825",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/etc/profile.d/color_prompt.sh.disabled"
    },
    {
     "SPDXID": "SPDXRef-32701f6d1e056c29",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/etc/profile.d/locale.sh"
    },
    {
     "SPDXID": "SPDXRef-5e12c5188eeb9cb3",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/etc/protocols"
    },
    {
     "SPDXID": "SPDXRef-e7d6b30bf31f933a",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/etc/securetty"
    },
    {
     "SPDXID": "SPDXRef-9ab25fdcabefa4ac",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/etc/services"
    },
    {
     "SPDXID": "SPDXRef-18d9a7fcef583aeb",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/etc/shadow"
    },
    {
     "SPDXID": "SPDXRef-93b858998f2c7034",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/etc/shells"
    },
    {
     "SPDXID": "SPDXRef-b7cfa7f53a05225f",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/etc/ssl/certs/ca-certificates.crt"
    },
    {
     "SPDXID": "SPDXRef-d1029b42eed49dbe",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/etc/ssl1.1/ct_log_list.cnf.dist"
    },
    {
     "SPDXID": "SPDXRef-5f7354d1f6e1cdce",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/etc/ssl1.1/openssl.cnf"
    },
    {
     "SPDXID": "SPDXRef-1a7b85af7f458360",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/etc/ssl1.1/openssl.cnf.dist"
    },
    {
     "SPDXID": "SPDXRef-fb021b79aa9cd553",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/etc/sysctl.conf"
    },
    {
     "SPDXID": "SPDXRef-e6d162458c0b30b0",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/etc/udhcpd.conf"
    },
    {
     "SPDXID": "SPDXRef-e322847d6485c76d",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/lib/ld-musl-x86_64.so.1"
    },
    {
     "SPDXID": "SPDXRef-5f14b5421fba85af",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/lib/libapk.so.3.12.0"
    },
    {
     "SPDXID": "SPDXRef-a00e69b6cf4b0ef0",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/lib/libcrypto.so.1.1"
    },
    {
     "SPDXID": "SPDXRef-a64a40d78e73f3bd",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/lib/libssl.so.1.1"
    },
    {
     "SPDXID": "SPDXRef-bfd3d0235da50adb",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/lib/libz.so.1.2.11"
    },
    {
     "SPDXID": "SPDXRef-82fda88ae28dd50",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/lib/sysctl.d/00-alpine.conf"
    },
    {
     "SPDXID": "SPDXRef-d72447617fa2b70c",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/sbin/apk"
    },
    {
     "SPDXID": "SPDXRef-d59e19c68624688f",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/sbin/ldconfig"
    },
    {
     "SPDXID": "SPDXRef-13d6d27618d264f7",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/sbin/mkmntdirs"
    },
    {
     "SPDXID": "SPDXRef-757b30be1d3baa0b",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/usr/bin/getconf"
    },
    {
     "SPDXID": "SPDXRef-780fcf6f56cca2e0",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/usr/bin/getent"
    },
    {
     "SPDXID": "SPDXRef-ab2d028a906db5df",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/usr/bin/iconv"
    },
    {
     "SPDXID": "SPDXRef-8e69e89855b5ae0f",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/usr/bin/ldd"
    },
    {
     "SPDXID": "SPDXRef-7516f5d905deb6db",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/usr/bin/scanelf"
    },
    {
     "SPDXID": "SPDXRef-711694a1725d661e",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/usr/bin/ssl_client"
    },
    {
     "SPDXID": "SPDXRef-4862e08252039e5",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/usr/lib/engines-1.1/afalg.so"
    },
    {
     "SPDXID": "SPDXRef-f57c06db35618298",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/usr/lib/engines-1.1/capi.so"
    },
    {
     "SPDXID": "SPDXRef-ba1b2107c3063563",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/usr/lib/engines-1.1/padlock.so"
    },
    {
     "SPDXID": "SPDXRef-81250f1630c1a804",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/usr/lib/libtls.so.2.0.3"
    },
    {
     "SPDXID": "SPDXRef-add734ec170033bd",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/usr/share/apk/keys/alpine-devel@lists.alpinelinux.org-4a6a0840.rsa.pub"
    },
    {
     "SPDXID": "SPDXRef-59d943ecba7b9db1",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/usr/share/apk/keys/alpine-devel@lists.alpinelinux.org-5243ef4b.rsa.pub"
    },
    {
     "SPDXID": "SPDXRef-27d8de5355fdb7ba",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/usr/share/apk/keys/alpine-devel@lists.alpinelinux.org-524d27bb.rsa.pub"
    },
    {
     "SPDXID": "SPDXRef-ff0560ee36b984a7",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/usr/share/apk/keys/alpine-devel@lists.alpinelinux.org-5261cecb.rsa.pub"
    },
    {
     "SPDXID": "SPDXRef-66756a275982c586",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/usr/share/apk/keys/alpine-devel@lists.alpinelinux.org-58199dcc.rsa.pub"
    },
    {
     "SPDXID": "SPDXRef-2c8a8c151837aa6e",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/usr/share/apk/keys/alpine-devel@lists.alpinelinux.org-58cbb476.rsa.pub"
    },
    {
     "SPDXID": "SPDXRef-79cc1d44454e11b9",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/usr/share/apk/keys/alpine-devel@lists.alpinelinux.org-58e4f17d.rsa.pub"
    },
    {
     "SPDXID": "SPDXRef-abfd85d1b45289dc",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/usr/share/apk/keys/alpine-devel@lists.alpinelinux.org-5e69ca50.rsa.pub"
    },
    {
     "SPDXID": "SPDXRef-56080e31fd12fe67",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/usr/share/apk/keys/alpine-devel@lists.alpinelinux.org-60ac2099.rsa.pub"
    },
    {
     "SPDXID": "SPDXRef-7803dc5a1a496765",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/usr/share/apk/keys/alpine-devel@lists.alpinelinux.org-6165ee59.rsa.pub"
    },
    {
     "SPDXID": "SPDXRef-ccc2b3e76affde68",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/usr/share/apk/keys/alpine-devel@lists.alpinelinux.org-61666e3f.rsa.pub"
    },
    {
     "SPDXID": "SPDXRef-3562d93285c5a3c5",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/usr/share/apk/keys/alpine-devel@lists.alpinelinux.org-616a9724.rsa.pub"
    },
    {
     "SPDXID": "SPDXRef-57149f915867bf12",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/usr/share/apk/keys/alpine-devel@lists.alpinelinux.org-616abc23.rsa.pub"
    },
    {
     "SPDXID": "SPDXRef-2363acec0a71a382",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/usr/share/apk/keys/alpine-devel@lists.alpinelinux.org-616ac3bc.rsa.pub"
    },
    {
     "SPDXID": "SPDXRef-2dac0f0b0463195c",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/usr/share/apk/keys/alpine-devel@lists.alpinelinux.org-616adfeb.rsa.pub"
    },
    {
     "SPDXID": "SPDXRef-187efc434122356a",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/usr/share/apk/keys/alpine-devel@lists.alpinelinux.org-616ae350.rsa.pub"
    },
    {
     "SPDXID": "SPDXRef-f059a81847acaad9",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/usr/share/apk/keys/alpine-devel@lists.alpinelinux.org-616db30d.rsa.pub"
    },
    {
     "SPDXID": "SPDXRef-d5ee1ce0839cb21a",
     "comment": "layerID: sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759",
     "licenseConcluded": "NOASSERTION",
     "fileName": "/usr/share/udhcpc/default.script"
    }
    ],
    "relationships": [
    {
     "spdxElementId": "SPDXRef-20dc20cbb6dbea6",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-e322847d6485c76d"
    },
    {
     "spdxElementId": "SPDXRef-2e32896982ce9587",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-be5355441673f6dc"
    },
    {
     "spdxElementId": "SPDXRef-2e32896982ce9587",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-e7d6b30bf31f933a"
    },
    {
     "spdxElementId": "SPDXRef-2e32896982ce9587",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-e6d162458c0b30b0"
    },
    {
     "spdxElementId": "SPDXRef-2e32896982ce9587",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-d5ee1ce0839cb21a"
    },
    {
     "spdxElementId": "SPDXRef-2e32896982ce9587",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-988a54d89f5c4c09"
    },
    {
     "spdxElementId": "SPDXRef-2e32896982ce9587",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-cd1c702a19149d7d"
    },
    {
     "spdxElementId": "SPDXRef-9f527213f4d2a873",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-2eaa15c5fc625ebe"
    },
    {
     "spdxElementId": "SPDXRef-9f527213f4d2a873",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-a53373020dfa8bb4"
    },
    {
     "spdxElementId": "SPDXRef-9f527213f4d2a873",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-38605c90f707fb90"
    },
    {
     "spdxElementId": "SPDXRef-9f527213f4d2a873",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-60fa740c32339374"
    },
    {
     "spdxElementId": "SPDXRef-9f527213f4d2a873",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-24d0f8d913cd9906"
    },
    {
     "spdxElementId": "SPDXRef-9f527213f4d2a873",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-d41a5f82a774a6a1"
    },
    {
     "spdxElementId": "SPDXRef-9f527213f4d2a873",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-13d6d27618d264f7"
    },
    {
     "spdxElementId": "SPDXRef-9f527213f4d2a873",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-b499705c36475f74"
    },
    {
     "spdxElementId": "SPDXRef-9f527213f4d2a873",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-2e3613b244458b5a"
    },
    {
     "spdxElementId": "SPDXRef-9f527213f4d2a873",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-84fd54b3f2a2e825"
    },
    {
     "spdxElementId": "SPDXRef-9f527213f4d2a873",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-32701f6d1e056c29"
    },
    {
     "spdxElementId": "SPDXRef-9f527213f4d2a873",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-93b858998f2c7034"
    },
    {
     "spdxElementId": "SPDXRef-9f527213f4d2a873",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-fb021b79aa9cd553"
    },
    {
     "spdxElementId": "SPDXRef-9f527213f4d2a873",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-82fda88ae28dd50"
    },
    {
     "spdxElementId": "SPDXRef-9f527213f4d2a873",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-9ab25fdcabefa4ac"
    },
    {
     "spdxElementId": "SPDXRef-9f527213f4d2a873",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-2c0eaf2a7d7dbad"
    },
    {
     "spdxElementId": "SPDXRef-9f527213f4d2a873",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-f3ee626693308800"
    },
    {
     "spdxElementId": "SPDXRef-9f527213f4d2a873",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-420fa6f3289d6ee6"
    },
    {
     "spdxElementId": "SPDXRef-9f527213f4d2a873",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-ae2cba512a3f4065"
    },
    {
     "spdxElementId": "SPDXRef-9f527213f4d2a873",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-b3a5f05adcd1cf82"
    },
    {
     "spdxElementId": "SPDXRef-9f527213f4d2a873",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-64b20ab568341372"
    },
    {
     "spdxElementId": "SPDXRef-9f527213f4d2a873",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-5e12c5188eeb9cb3"
    },
    {
     "spdxElementId": "SPDXRef-9f527213f4d2a873",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-18d9a7fcef583aeb"
    },
    {
     "spdxElementId": "SPDXRef-9f527213f4d2a873",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-dc65dbf355556024"
    },
    {
     "spdxElementId": "SPDXRef-1a72ca3b88e1b67e",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-ccc2b3e76affde68"
    },
    {
     "spdxElementId": "SPDXRef-1a72ca3b88e1b67e",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-3562d93285c5a3c5"
    },
    {
     "spdxElementId": "SPDXRef-1a72ca3b88e1b67e",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-27d8de5355fdb7ba"
    },
    {
     "spdxElementId": "SPDXRef-1a72ca3b88e1b67e",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-ff0560ee36b984a7"
    },
    {
     "spdxElementId": "SPDXRef-1a72ca3b88e1b67e",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-79cc1d44454e11b9"
    },
    {
     "spdxElementId": "SPDXRef-1a72ca3b88e1b67e",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-56080e31fd12fe67"
    },
    {
     "spdxElementId": "SPDXRef-1a72ca3b88e1b67e",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-7803dc5a1a496765"
    },
    {
     "spdxElementId": "SPDXRef-1a72ca3b88e1b67e",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-57149f915867bf12"
    },
    {
     "spdxElementId": "SPDXRef-1a72ca3b88e1b67e",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-2363acec0a71a382"
    },
    {
     "spdxElementId": "SPDXRef-1a72ca3b88e1b67e",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-8ec9dcf9b3d1d7ce"
    },
    {
     "spdxElementId": "SPDXRef-1a72ca3b88e1b67e",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-39dcc03ca17480ca"
    },
    {
     "spdxElementId": "SPDXRef-1a72ca3b88e1b67e",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-496698ff67ca49fc"
    },
    {
     "spdxElementId": "SPDXRef-1a72ca3b88e1b67e",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-66756a275982c586"
    },
    {
     "spdxElementId": "SPDXRef-1a72ca3b88e1b67e",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-4d646d694b6380fc"
    },
    {
     "spdxElementId": "SPDXRef-1a72ca3b88e1b67e",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-add734ec170033bd"
    },
    {
     "spdxElementId": "SPDXRef-1a72ca3b88e1b67e",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-abfd85d1b45289dc"
    },
    {
     "spdxElementId": "SPDXRef-1a72ca3b88e1b67e",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-2dac0f0b0463195c"
    },
    {
     "spdxElementId": "SPDXRef-1a72ca3b88e1b67e",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-f059a81847acaad9"
    },
    {
     "spdxElementId": "SPDXRef-1a72ca3b88e1b67e",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-395f72182f48f77c"
    },
    {
     "spdxElementId": "SPDXRef-1a72ca3b88e1b67e",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-187efc434122356a"
    },
    {
     "spdxElementId": "SPDXRef-1a72ca3b88e1b67e",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-59d943ecba7b9db1"
    },
    {
     "spdxElementId": "SPDXRef-1a72ca3b88e1b67e",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-2c8a8c151837aa6e"
    },
    {
     "spdxElementId": "SPDXRef-9bb0a989e24e7661",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-b7cfa7f53a05225f"
    },
    {
     "spdxElementId": "SPDXRef-873ddd0587a8ac17",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-4862e08252039e5"
    },
    {
     "spdxElementId": "SPDXRef-873ddd0587a8ac17",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-f57c06db35618298"
    },
    {
     "spdxElementId": "SPDXRef-873ddd0587a8ac17",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-ba1b2107c3063563"
    },
    {
     "spdxElementId": "SPDXRef-873ddd0587a8ac17",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-b7cfa7f53a05225f"
    },
    {
     "spdxElementId": "SPDXRef-873ddd0587a8ac17",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-d1029b42eed49dbe"
    },
    {
     "spdxElementId": "SPDXRef-873ddd0587a8ac17",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-5f7354d1f6e1cdce"
    },
    {
     "spdxElementId": "SPDXRef-873ddd0587a8ac17",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-1a7b85af7f458360"
    },
    {
     "spdxElementId": "SPDXRef-873ddd0587a8ac17",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-a00e69b6cf4b0ef0"
    },
    {
     "spdxElementId": "SPDXRef-7d62dc5b1a20803f",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-a64a40d78e73f3bd"
    },
    {
     "spdxElementId": "SPDXRef-484b9eacc3ccdd48",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-81250f1630c1a804"
    },
    {
     "spdxElementId": "SPDXRef-38bc092600723894",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-711694a1725d661e"
    },
    {
     "spdxElementId": "SPDXRef-50d3560550c47774",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-bfd3d0235da50adb"
    },
    {
     "spdxElementId": "SPDXRef-1c6e057c6965bdd6",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-5f14b5421fba85af"
    },
    {
     "spdxElementId": "SPDXRef-1c6e057c6965bdd6",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-d72447617fa2b70c"
    },
    {
     "spdxElementId": "SPDXRef-f2d426372356602d",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-7516f5d905deb6db"
    },
    {
     "spdxElementId": "SPDXRef-35c3680577fae0df",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-780fcf6f56cca2e0"
    },
    {
     "spdxElementId": "SPDXRef-35c3680577fae0df",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-ab2d028a906db5df"
    },
    {
     "spdxElementId": "SPDXRef-35c3680577fae0df",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-8e69e89855b5ae0f"
    },
    {
     "spdxElementId": "SPDXRef-35c3680577fae0df",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-d59e19c68624688f"
    },
    {
     "spdxElementId": "SPDXRef-35c3680577fae0df",
     "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-757b30be1d3baa0b"
    }
    ]
    }
    
    Differences to CLI-Output
    61c61,62
    <     "SPDXRef-2eaa15c5fc625ebe",
    ---
    >     "SPDXRef-84fd54b3f2a2e825",
    >     "SPDXRef-18d9a7fcef583aeb",
    63,64c64
    <     "SPDXRef-38605c90f707fb90",
    <     "SPDXRef-60fa740c32339374",
    ---
    >     "SPDXRef-2c0eaf2a7d7dbad",
    66,67c66,67
    <     "SPDXRef-d41a5f82a774a6a1",
    <     "SPDXRef-13d6d27618d264f7",
    ---
    >     "SPDXRef-64b20ab568341372",
    >     "SPDXRef-dc65dbf355556024",
    69,71c69,75
    <     "SPDXRef-2e3613b244458b5a",
    <     "SPDXRef-84fd54b3f2a2e825",
    <     "SPDXRef-32701f6d1e056c29",
    ---
    >     "SPDXRef-9ab25fdcabefa4ac",
    >     "SPDXRef-13d6d27618d264f7",
    >     "SPDXRef-2eaa15c5fc625ebe",
    >     "SPDXRef-38605c90f707fb90",
    >     "SPDXRef-60fa740c32339374",
    >     "SPDXRef-420fa6f3289d6ee6",
    >     "SPDXRef-5e12c5188eeb9cb3",
    73d76
    <     "SPDXRef-fb021b79aa9cd553",
    75,76d77
    <     "SPDXRef-9ab25fdcabefa4ac",
    <     "SPDXRef-2c0eaf2a7d7dbad",
    78d78
    <     "SPDXRef-420fa6f3289d6ee6",
    81,84c81,84
    <     "SPDXRef-64b20ab568341372",
    <     "SPDXRef-5e12c5188eeb9cb3",
    <     "SPDXRef-18d9a7fcef583aeb",
    <     "SPDXRef-dc65dbf355556024"
    ---
    >     "SPDXRef-2e3613b244458b5a",
    >     "SPDXRef-d41a5f82a774a6a1",
    >     "SPDXRef-32701f6d1e056c29",
    >     "SPDXRef-fb021b79aa9cd553"
    136,137d135
    <     "SPDXRef-ccc2b3e76affde68",
    <     "SPDXRef-3562d93285c5a3c5",
    139,141d136
    <     "SPDXRef-ff0560ee36b984a7",
    <     "SPDXRef-79cc1d44454e11b9",
    <     "SPDXRef-56080e31fd12fe67",
    143d137
    <     "SPDXRef-57149f915867bf12",
    144a139,146
    >     "SPDXRef-395f72182f48f77c",
    >     "SPDXRef-66756a275982c586",
    >     "SPDXRef-56080e31fd12fe67",
    >     "SPDXRef-187efc434122356a",
    >     "SPDXRef-59d943ecba7b9db1",
    >     "SPDXRef-79cc1d44454e11b9",
    >     "SPDXRef-abfd85d1b45289dc",
    >     "SPDXRef-ccc2b3e76affde68",
    148,151c150
    <     "SPDXRef-66756a275982c586",
    <     "SPDXRef-4d646d694b6380fc",
    <     "SPDXRef-add734ec170033bd",
    <     "SPDXRef-abfd85d1b45289dc",
    ---
    >     "SPDXRef-3562d93285c5a3c5",
    154,157c153,157
    <     "SPDXRef-395f72182f48f77c",
    <     "SPDXRef-187efc434122356a",
    <     "SPDXRef-59d943ecba7b9db1",
    <     "SPDXRef-2c8a8c151837aa6e"
    ---
    >     "SPDXRef-2c8a8c151837aa6e",
    >     "SPDXRef-57149f915867bf12",
    >     "SPDXRef-4d646d694b6380fc",
    >     "SPDXRef-add734ec170033bd",
    >     "SPDXRef-ff0560ee36b984a7"
    236a237,238
    >     "SPDXRef-988a54d89f5c4c09",
    >     "SPDXRef-cd1c702a19149d7d",
    240,242c242
    <     "SPDXRef-d5ee1ce0839cb21a",
    <     "SPDXRef-988a54d89f5c4c09",
    <     "SPDXRef-cd1c702a19149d7d"
    ---
    >     "SPDXRef-d5ee1ce0839cb21a"
    1097c1097
    <    "relatedSpdxElement": "SPDXRef-be5355441673f6dc"
    ---
    >    "relatedSpdxElement": "SPDXRef-988a54d89f5c4c09"
    1102c1102
    <    "relatedSpdxElement": "SPDXRef-e7d6b30bf31f933a"
    ---
    >    "relatedSpdxElement": "SPDXRef-cd1c702a19149d7d"
    1107c1107
    <    "relatedSpdxElement": "SPDXRef-e6d162458c0b30b0"
    ---
    >    "relatedSpdxElement": "SPDXRef-be5355441673f6dc"
    1112c1112
    <    "relatedSpdxElement": "SPDXRef-d5ee1ce0839cb21a"
    ---
    >    "relatedSpdxElement": "SPDXRef-e7d6b30bf31f933a"
    1117c1117
    <    "relatedSpdxElement": "SPDXRef-988a54d89f5c4c09"
    ---
    >    "relatedSpdxElement": "SPDXRef-e6d162458c0b30b0"
    1122c1122
    <    "relatedSpdxElement": "SPDXRef-cd1c702a19149d7d"
    ---
    >    "relatedSpdxElement": "SPDXRef-d5ee1ce0839cb21a"
    1127c1127
    <    "relatedSpdxElement": "SPDXRef-2eaa15c5fc625ebe"
    ---
    >    "relatedSpdxElement": "SPDXRef-84fd54b3f2a2e825"
    1132c1132
    <    "relatedSpdxElement": "SPDXRef-a53373020dfa8bb4"
    ---
    >    "relatedSpdxElement": "SPDXRef-18d9a7fcef583aeb"
    1137c1137
    <    "relatedSpdxElement": "SPDXRef-38605c90f707fb90"
    ---
    >    "relatedSpdxElement": "SPDXRef-a53373020dfa8bb4"
    1142c1142
    <    "relatedSpdxElement": "SPDXRef-60fa740c32339374"
    ---
    >    "relatedSpdxElement": "SPDXRef-2c0eaf2a7d7dbad"
    1152c1152
    <    "relatedSpdxElement": "SPDXRef-d41a5f82a774a6a1"
    ---
    >    "relatedSpdxElement": "SPDXRef-64b20ab568341372"
    1157c1157
    <    "relatedSpdxElement": "SPDXRef-13d6d27618d264f7"
    ---
    >    "relatedSpdxElement": "SPDXRef-dc65dbf355556024"
    1167c1167
    <    "relatedSpdxElement": "SPDXRef-2e3613b244458b5a"
    ---
    >    "relatedSpdxElement": "SPDXRef-9ab25fdcabefa4ac"
    1172c1172
    <    "relatedSpdxElement": "SPDXRef-84fd54b3f2a2e825"
    ---
    >    "relatedSpdxElement": "SPDXRef-13d6d27618d264f7"
    1177c1177
    <    "relatedSpdxElement": "SPDXRef-32701f6d1e056c29"
    ---
    >    "relatedSpdxElement": "SPDXRef-2eaa15c5fc625ebe"
    1182c1182
    <    "relatedSpdxElement": "SPDXRef-93b858998f2c7034"
    ---
    >    "relatedSpdxElement": "SPDXRef-38605c90f707fb90"
    1187c1187
    <    "relatedSpdxElement": "SPDXRef-fb021b79aa9cd553"
    ---
    >    "relatedSpdxElement": "SPDXRef-60fa740c32339374"
    1192c1192
    <    "relatedSpdxElement": "SPDXRef-82fda88ae28dd50"
    ---
    >    "relatedSpdxElement": "SPDXRef-420fa6f3289d6ee6"
    1197c1197
    <    "relatedSpdxElement": "SPDXRef-9ab25fdcabefa4ac"
    ---
    >    "relatedSpdxElement": "SPDXRef-5e12c5188eeb9cb3"
    1202c1202
    <    "relatedSpdxElement": "SPDXRef-2c0eaf2a7d7dbad"
    ---
    >    "relatedSpdxElement": "SPDXRef-93b858998f2c7034"
    1207c1207
    <    "relatedSpdxElement": "SPDXRef-f3ee626693308800"
    ---
    >    "relatedSpdxElement": "SPDXRef-82fda88ae28dd50"
    1212c1212
    <    "relatedSpdxElement": "SPDXRef-420fa6f3289d6ee6"
    ---
    >    "relatedSpdxElement": "SPDXRef-f3ee626693308800"
    1227c1227
    <    "relatedSpdxElement": "SPDXRef-64b20ab568341372"
    ---
    >    "relatedSpdxElement": "SPDXRef-2e3613b244458b5a"
    1232c1232
    <    "relatedSpdxElement": "SPDXRef-5e12c5188eeb9cb3"
    ---
    >    "relatedSpdxElement": "SPDXRef-d41a5f82a774a6a1"
    1237c1237
    <    "relatedSpdxElement": "SPDXRef-18d9a7fcef583aeb"
    ---
    >    "relatedSpdxElement": "SPDXRef-32701f6d1e056c29"
    1242c1242
    <    "relatedSpdxElement": "SPDXRef-dc65dbf355556024"
    ---
    >    "relatedSpdxElement": "SPDXRef-fb021b79aa9cd553"
    1247c1247
    <    "relatedSpdxElement": "SPDXRef-ccc2b3e76affde68"
    ---
    >    "relatedSpdxElement": "SPDXRef-27d8de5355fdb7ba"
    1252c1252
    <    "relatedSpdxElement": "SPDXRef-3562d93285c5a3c5"
    ---
    >    "relatedSpdxElement": "SPDXRef-7803dc5a1a496765"
    1257c1257
    <    "relatedSpdxElement": "SPDXRef-27d8de5355fdb7ba"
    ---
    >    "relatedSpdxElement": "SPDXRef-2363acec0a71a382"
    1262c1262
    <    "relatedSpdxElement": "SPDXRef-ff0560ee36b984a7"
    ---
    >    "relatedSpdxElement": "SPDXRef-395f72182f48f77c"
    1267c1267
    <    "relatedSpdxElement": "SPDXRef-79cc1d44454e11b9"
    ---
    >    "relatedSpdxElement": "SPDXRef-66756a275982c586"
    1277c1277
    <    "relatedSpdxElement": "SPDXRef-7803dc5a1a496765"
    ---
    >    "relatedSpdxElement": "SPDXRef-187efc434122356a"
    1282c1282
    <    "relatedSpdxElement": "SPDXRef-57149f915867bf12"
    ---
    >    "relatedSpdxElement": "SPDXRef-59d943ecba7b9db1"
    1287c1287
    <    "relatedSpdxElement": "SPDXRef-2363acec0a71a382"
    ---
    >    "relatedSpdxElement": "SPDXRef-79cc1d44454e11b9"
    1292c1292
    <    "relatedSpdxElement": "SPDXRef-8ec9dcf9b3d1d7ce"
    ---
    >    "relatedSpdxElement": "SPDXRef-abfd85d1b45289dc"
    1297c1297
    <    "relatedSpdxElement": "SPDXRef-39dcc03ca17480ca"
    ---
    >    "relatedSpdxElement": "SPDXRef-ccc2b3e76affde68"
    1302c1302
    <    "relatedSpdxElement": "SPDXRef-496698ff67ca49fc"
    ---
    >    "relatedSpdxElement": "SPDXRef-8ec9dcf9b3d1d7ce"
    1307c1307
    <    "relatedSpdxElement": "SPDXRef-66756a275982c586"
    ---
    >    "relatedSpdxElement": "SPDXRef-39dcc03ca17480ca"
    1312c1312
    <    "relatedSpdxElement": "SPDXRef-4d646d694b6380fc"
    ---
    >    "relatedSpdxElement": "SPDXRef-496698ff67ca49fc"
    1317c1317
    <    "relatedSpdxElement": "SPDXRef-add734ec170033bd"
    ---
    >    "relatedSpdxElement": "SPDXRef-3562d93285c5a3c5"
    1322c1322
    <    "relatedSpdxElement": "SPDXRef-abfd85d1b45289dc"
    ---
    >    "relatedSpdxElement": "SPDXRef-2dac0f0b0463195c"
    1327c1327
    <    "relatedSpdxElement": "SPDXRef-2dac0f0b0463195c"
    ---
    >    "relatedSpdxElement": "SPDXRef-f059a81847acaad9"
    1332c1332
    <    "relatedSpdxElement": "SPDXRef-f059a81847acaad9"
    ---
    >    "relatedSpdxElement": "SPDXRef-2c8a8c151837aa6e"
    1337c1337
    <    "relatedSpdxElement": "SPDXRef-395f72182f48f77c"
    ---
    >    "relatedSpdxElement": "SPDXRef-57149f915867bf12"
    1342c1342
    <    "relatedSpdxElement": "SPDXRef-187efc434122356a"
    ---
    >    "relatedSpdxElement": "SPDXRef-4d646d694b6380fc"
    1347c1347
    <    "relatedSpdxElement": "SPDXRef-59d943ecba7b9db1"
    ---
    >    "relatedSpdxElement": "SPDXRef-add734ec170033bd"
    1352c1352
    <    "relatedSpdxElement": "SPDXRef-2c8a8c151837aa6e"
    ---
    >    "relatedSpdxElement": "SPDXRef-ff0560ee36b984a7"
    

    Note: Differences like name, creationInfo or documentNamespace are ok and not part of my diff. The differences appear in hasFiles and relatedSpdxElement properties.

    Anything else we need to know?: Maybe I have to change something from my code which fixes the differences, then please let me know :wink:.

    Environment:

    • Output of syft version:
    Application:        syft
    Version:            0.56.0
    JsonSchemaVersion:  3.3.2
    BuildDate:          2022-09-12T16:36:53Z
    GitCommit:          c5dca001e267d2a91ff82e53ca72535ceef6af02
    GitDescription:     v0.56.0
    Platform:           linux/amd64
    GoVersion:          go1.18.5
    Compiler:           gc
    
    • OS (e.g: cat /etc/os-release or similar):
    PRETTY_NAME="Ubuntu 22.04.1 LTS"
    NAME="Ubuntu"
    VERSION_ID="22.04"
    VERSION="22.04.1 LTS (Jammy Jellyfish)"
    VERSION_CODENAME=jammy
    ID=ubuntu
    ID_LIKE=debian
    HOME_URL="https://www.ubuntu.com/"
    SUPPORT_URL="https://help.ubuntu.com/"
    BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
    PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
    UBUNTU_CODENAME=jammy
    
    enhancement 
    opened by ckotzbauer 20
  • Add pacman (alpm) parser support

    This is a WIP parser for alpm/pacman packages.

    • [x] Should file listing include root?
    • [x] Should file listing include directories?
    • [x] Needs a purl implementation
    • [x] Extend metadata with all the information

    alpm also doesn't list any id/gid nor permissions in the files database. It's purely a file list. There is an mtree file that contains all this information, but we need a parser for that. Would something like this be fine? https://github.com/vbatts/go-mtree

    Opened as a draft as this is just a quick hack on my end. Would be nice to have an ack/nack if I'm on the right path with this implementation.

    Example artifacts
    {
       "id": "6b9036e3b623d28a",
       "name": "acl",
       "version": "2.3.1-2",
       "type": "alpm",
       "foundBy": "alpmdb-cataloger",
       "locations": [
        {
         "path": "/var/lib/pacman/local/acl-2.3.1-2/desc",
         "layerID": "sha256:cea84cf825c7157f3bd6e540ddca5cc765a0a2448496696314bef1f25e86256f"
        }
       ],
       "licenses": [
        "LGPL"
       ],
       "language": "",
       "cpes": [
        "cpe:2.3:a:acl:acl:2.3.1-2:*:*:*:*:*:*:*"
       ],
       "purl": "pkg:archlinux/",
       "metadataType": "AlpmMetadata",
       "metadata": {
        "package": "acl",
        "version": "2.3.1-2",
        "epoch": null,
        "architecture": "x86_64",
        "license": "LGPL",
        "files": [
         {
          "path": "usr/"
         },
         {
          "path": "usr/bin/"
         },
         {
          "path": "usr/bin/chacl"
         },
         {
          "path": "usr/bin/getfacl"
         },
         {
          "path": "usr/bin/setfacl"
         },
         {
          "path": "usr/include/"
         },
         {
          "path": "usr/include/acl/"
         },
         {
          "path": "usr/include/acl/libacl.h"
         },
         {
          "path": "usr/include/sys/"
         },
         {
          "path": "usr/include/sys/acl.h"
         },
         {
          "path": "usr/lib/"
         },
         {
          "path": "usr/lib/libacl.so"
         },
         {
          "path": "usr/lib/libacl.so.1"
         },
         {
          "path": "usr/lib/libacl.so.1.1.2301"
         },
         {
          "path": "usr/lib/pkgconfig/"
         },
         {
          "path": "usr/lib/pkgconfig/libacl.pc"
         },
         {
          "path": "usr/share/"
         },
         {
          "path": "usr/share/doc/"
         },
         {
          "path": "usr/share/doc/acl/"
         },
         {
          "path": "usr/share/doc/acl/CHANGES"
         },
         {
          "path": "usr/share/doc/acl/COPYING"
         },
         {
          "path": "usr/share/doc/acl/COPYING.LGPL"
         },
         {
          "path": "usr/share/doc/acl/PORTING"
         },
         {
          "path": "usr/share/doc/acl/extensions.txt"
         },
         {
          "path": "usr/share/doc/acl/libacl.txt"
         },
         {
          "path": "usr/share/locale/"
         },
         {
          "path": "usr/share/locale/de/"
         },
         {
          "path": "usr/share/locale/de/LC_MESSAGES/"
         },
         {
          "path": "usr/share/locale/de/LC_MESSAGES/acl.mo"
         },
         {
          "path": "usr/share/locale/en@boldquot/"
         },
         {
          "path": "usr/share/locale/en@boldquot/LC_MESSAGES/"
         },
         {
          "path": "usr/share/locale/en@boldquot/LC_MESSAGES/acl.mo"
         },
         {
          "path": "usr/share/locale/en@quot/"
         },
         {
          "path": "usr/share/locale/en@quot/LC_MESSAGES/"
         },
         {
          "path": "usr/share/locale/en@quot/LC_MESSAGES/acl.mo"
         },
         {
          "path": "usr/share/locale/es/"
         },
         {
          "path": "usr/share/locale/es/LC_MESSAGES/"
         },
         {
          "path": "usr/share/locale/es/LC_MESSAGES/acl.mo"
         },
         {
          "path": "usr/share/locale/fr/"
         },
         {
          "path": "usr/share/locale/fr/LC_MESSAGES/"
         },
         {
          "path": "usr/share/locale/fr/LC_MESSAGES/acl.mo"
         },
         {
          "path": "usr/share/locale/gl/"
         },
         {
          "path": "usr/share/locale/gl/LC_MESSAGES/"
         },
         {
          "path": "usr/share/locale/gl/LC_MESSAGES/acl.mo"
         },
         {
          "path": "usr/share/locale/pl/"
         },
         {
          "path": "usr/share/locale/pl/LC_MESSAGES/"
         },
         {
          "path": "usr/share/locale/pl/LC_MESSAGES/acl.mo"
         },
         {
          "path": "usr/share/locale/sv/"
         },
         {
          "path": "usr/share/locale/sv/LC_MESSAGES/"
         },
         {
          "path": "usr/share/locale/sv/LC_MESSAGES/acl.mo"
         },
         {
          "path": "usr/share/man/"
         },
         {
          "path": "usr/share/man/man1/"
         },
         {
          "path": "usr/share/man/man1/chacl.1.gz"
         },
         {
          "path": "usr/share/man/man1/getfacl.1.gz"
         },
         {
          "path": "usr/share/man/man1/setfacl.1.gz"
         },
         {
          "path": "usr/share/man/man3/"
         },
         {
          "path": "usr/share/man/man3/acl_add_perm.3.gz"
         },
         {
          "path": "usr/share/man/man3/acl_calc_mask.3.gz"
         },
         {
          "path": "usr/share/man/man3/acl_check.3.gz"
         },
         {
          "path": "usr/share/man/man3/acl_clear_perms.3.gz"
         },
         {
          "path": "usr/share/man/man3/acl_cmp.3.gz"
         },
         {
          "path": "usr/share/man/man3/acl_copy_entry.3.gz"
         },
         {
          "path": "usr/share/man/man3/acl_copy_ext.3.gz"
         },
         {
          "path": "usr/share/man/man3/acl_copy_int.3.gz"
         },
         {
          "path": "usr/share/man/man3/acl_create_entry.3.gz"
         },
         {
          "path": "usr/share/man/man3/acl_delete_def_file.3.gz"
         },
         {
          "path": "usr/share/man/man3/acl_delete_entry.3.gz"
         },
         {
          "path": "usr/share/man/man3/acl_delete_perm.3.gz"
         },
         {
          "path": "usr/share/man/man3/acl_dup.3.gz"
         },
         {
          "path": "usr/share/man/man3/acl_entries.3.gz"
         },
         {
          "path": "usr/share/man/man3/acl_equiv_mode.3.gz"
         },
         {
          "path": "usr/share/man/man3/acl_error.3.gz"
         },
         {
          "path": "usr/share/man/man3/acl_extended_fd.3.gz"
         },
         {
          "path": "usr/share/man/man3/acl_extended_file.3.gz"
         },
         {
          "path": "usr/share/man/man3/acl_extended_file_nofollow.3.gz"
         },
         {
          "path": "usr/share/man/man3/acl_free.3.gz"
         },
         {
          "path": "usr/share/man/man3/acl_from_mode.3.gz"
         },
         {
          "path": "usr/share/man/man3/acl_from_text.3.gz"
         },
         {
          "path": "usr/share/man/man3/acl_get_entry.3.gz"
         },
         {
          "path": "usr/share/man/man3/acl_get_fd.3.gz"
         },
         {
          "path": "usr/share/man/man3/acl_get_file.3.gz"
         },
         {
          "path": "usr/share/man/man3/acl_get_perm.3.gz"
         },
         {
          "path": "usr/share/man/man3/acl_get_permset.3.gz"
         },
         {
          "path": "usr/share/man/man3/acl_get_qualifier.3.gz"
         },
         {
          "path": "usr/share/man/man3/acl_get_tag_type.3.gz"
         },
         {
          "path": "usr/share/man/man3/acl_init.3.gz"
         },
         {
          "path": "usr/share/man/man3/acl_set_fd.3.gz"
         },
         {
          "path": "usr/share/man/man3/acl_set_file.3.gz"
         },
         {
          "path": "usr/share/man/man3/acl_set_permset.3.gz"
         },
         {
          "path": "usr/share/man/man3/acl_set_qualifier.3.gz"
         },
         {
          "path": "usr/share/man/man3/acl_set_tag_type.3.gz"
         },
         {
          "path": "usr/share/man/man3/acl_size.3.gz"
         },
         {
          "path": "usr/share/man/man3/acl_to_any_text.3.gz"
         },
         {
          "path": "usr/share/man/man3/acl_to_text.3.gz"
         },
         {
          "path": "usr/share/man/man3/acl_valid.3.gz"
         },
         {
          "path": "usr/share/man/man5/"
         },
         {
          "path": "usr/share/man/man5/acl.5.gz"
         }
        ]
       }
      }
    

    Fixes https://github.com/anchore/syft/issues/241

    opened by Foxboron 20
  • Curl: Could not resolve host: latest

    What happened:

    1. Executing installation via curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh latest

    2. Executed installation via curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin latest

    What you expected to happen: Installation of the syft binary to build out.

    How to reproduce it (as minimally and precisely as possible): Ran the above commands in #1.

    Anything else we need to know?:

    Environment:

    • Output of syft version:
    • OS (e.g: cat /etc/os-release or similar): Host OS: Linux 5.11.0-41-generic #45-Ubuntu SMP Fri Nov 5 11:37:01 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
    bug changelog-ignore 
    opened by jeremywood-ai 16
  • Media type for Syft SBoM JSON format

    What would you like to be added:

    Declaration of an official media type for Syft's JSON SBoM format.

    Why is this needed:

    Integration with the Cloud Native Buildpacks project, which allows complete SBoM to be generated automatically (e.g., using Syft) during the application build process.

    Additional context:

    See: https://github.com/buildpacks/lifecycle/issues/755

    The CNCF Buildpacks project has an API that allows SBoM files with CycloneDX and SPDX media types to be generated by buildpacks and automatically attached to container images. This allows vulnerability scanning tools that consume SBoMs (like Grype) to match software components to vulnerabilities with a strong guarantee that the SBoMs are complete (due to the contractual nature of the buildpack API). Parts of this model were assessed by the CNCF Security TAG, with notes and details here.

    I would like users of Cloud Native Buildpacks to be able to scan buildpack-generated SBoMs with Grype, but Grype currently only supports Syft's JSON format. I'm proposing that Cloud Native Buildpacks add Syft's JSON format as a possible SBoM format, but this requires a defined media type for Syft's JSON format. I might recommend something like: application/vnd.syft+json.

    enhancement 
    opened by sclevine 15
  • Keyless Attestation Support

    What would you like to be added: Support for Sigstore's "Keyless Workflow" in the syft attest command

    With the addition of #510 in #785 syft is now able to produce a signed attestation with the generated SBOM as the predicate.

    We want to see ephemeral keys and certificates (automatically signed by fulcio) supported where signatures are stored in the rekor transparency log.

    Users will no longer have to pass an on-disk key and can use attest in the same way they sign other entities with cosign today.

    Why is this needed: Supporting the keyless workflow means Syft users can generate signed SBOM attestations without needing to manage their own keys. Additionally, the keyless workflow provides a stronger way to bind identities (from OIDC) to signatures in a highly discoverable manner, which is valuable to downstream SBOM consumers looking to trust where the SBOM came from.

    Additional context: See #510 for greater attestation roadmap.

    enhancement 
    opened by spiffcs 14
  • Improve CycloneDX format output

    This commit dramatically improves the information we add in the cyclonedx output -

    It adds -

    • CPEs
    • Authors
    • Publishers
    • External References (Website, Distribution, VCS)
    • Description
    • Fixes license (id is a required property and must follow SPDX license ids, name is optional)
    • syft metadata as arbitrary properties
    • distro information as an OS component

    Signed-off-by: Sambhav Kothari skothari44@bloomberg.net

    Note: This organizes the cyclonedx helpers in a structure similar to the SPDX helpers to better organize formatting code.

    Fixes #268 Partially Fixes #154 Partially Fixes #632 Depends on #714

    opened by samj1912 13
  • Illegal character '\' generation in CycloneDX-XML.

    What happened:

    1. using syft to generate bom.xml in cyclonedx
    <properties>
            <property name="syft:package:foundBy">python-package-cataloger</property>
            <property name="syft:package:language">python</property>
            <property name="syft:package:metadataType">PythonPackageMetadata</property>
            <property name="syft:package:type">python</property>
            <property name="syft:cpe23">cpe:2.3:a:bibek_kafle_\<bkafle662\@gmail_com\>\,_roland_shoemaker_\<rolandshoemaker\@gmail_com\>:python_commonmark:0.9.1:*:*:*:*:*:*:*</property>
            <property name="syft:cpe23">cpe:2.3:a:bibek_kafle_\<bkafle662\@gmail_com\>\,_roland_shoemaker_\<rolandshoemaker\@gmail_com\>:commonmark:0.9.1:*:*:*:*:*:*:*</property>
            <property name="syft:cpe23">cpe:2.3:a:python-commonmark:python-commonmark:0.9.1:*:*:*:*:*:*:*</property>
            <property name="syft:cpe23">cpe:2.3:a:python-commonmark:python_commonmark:0.9.1:*:*:*:*:*:*:*</property>
            <property name="syft:cpe23">cpe:2.3:a:python_commonmark:python-commonmark:0.9.1:*:*:*:*:*:*:*</property>
            <property name="syft:cpe23">cpe:2.3:a:python_commonmark:python_commonmark:0.9.1:*:*:*:*:*:*:*</property>
            <property name="syft:cpe23">cpe:2.3:a:rolandshoemaker:python-commonmark:0.9.1:*:*:*:*:*:*:*</property>
            <property name="syft:cpe23">cpe:2.3:a:rolandshoemaker:python_commonmark:0.9.1:*:*:*:*:*:*:*</property>
            <property name="syft:cpe23">cpe:2.3:a:commonmark:python-commonmark:0.9.1:*:*:*:*:*:*:*</property>
            <property name="syft:cpe23">cpe:2.3:a:commonmark:python_commonmark:0.9.1:*:*:*:*:*:*:*</property>
            <property name="syft:cpe23">cpe:2.3:a:python-commonmark:commonmark:0.9.1:*:*:*:*:*:*:*</property>
            <property name="syft:cpe23">cpe:2.3:a:python_commonmark:commonmark:0.9.1:*:*:*:*:*:*:*</property>
            <property name="syft:cpe23">cpe:2.3:a:rolandshoemaker:commonmark:0.9.1:*:*:*:*:*:*:*</property>
            <property name="syft:cpe23">cpe:2.3:a:python:python-commonmark:0.9.1:*:*:*:*:*:*:*</property>
            <property name="syft:cpe23">cpe:2.3:a:python:python_commonmark:0.9.1:*:*:*:*:*:*:*</property>
            <property name="syft:cpe23">cpe:2.3:a:commonmark:commonmark:0.9.1:*:*:*:*:*:*:*</property>
            <property name="syft:cpe23">cpe:2.3:a:python:commonmark:0.9.1:*:*:*:*:*:*:*</property>
            <property name="syft:location:0:layerID">sha256:e0bab8caf99538f2edbd0112c15a3108574a3793df0df3e7c54d11d1b939ac0f</property>
            <property name="syft:location:0:path">/usr/lib/python3.8/site-packages/commonmark-0.9.1-py3.8.egg-info/PKG-INFO</property>
            <property name="syft:location:1:layerID">sha256:e0bab8caf99538f2edbd0112c15a3108574a3793df0df3e7c54d11d1b939ac0f</property>
            <property name="syft:location:1:path">/usr/lib/python3.8/site-packages/commonmark-0.9.1-py3.8.egg-info/top_level.txt</property>
          </properties>
    

    2. Some property names are

    <property name="syft:cpe23">cpe:2.3:a:bibek_kafle_\<bkafle662\@gmail_com\>\,_roland_shoemaker_\<rolandshoemaker\@gmail_com\>:python_commonmark:0.9.1:*:*:*:*:*:*:*</property>
    <property name="syft:cpe23">cpe:2.3:a:bibek_kafle_\<bkafle662\@gmail_com\>\,_roland_shoemaker_\<rolandshoemaker\@gmail_com\>:commonmark:0.9.1:*:*:*:*:*:*:*</property>
    
    3. It will raise an XML issue afterward.

    Processing input file bom-image.xml
    Unhandled exception: System.InvalidOperationException: There is an error in XML document (1500, 70).
     ---> System.Xml.XmlException: The '\' character, hexadecimal value 0x5C, cannot be included in a name. Line 1500, position 70.
       at System.Xml.XmlTextReaderImpl.Throw(Exception )
       at System.Xml.XmlTextReaderImpl.Throw(String , String[] )
       at System.Xml.XmlTextReaderImpl.ParseElement()
       at System.Xml.XmlTextReaderImpl.ParseElementContent()
       at System.Xml.XmlReader.ReadString()
       at System.Xml.XmlTextReaderImpl.ReadString()
       at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderBom.Read25_Property(Boolean isNullable, Boolean checkType)
       at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderBom.Read30_Component(Boolean isNullable, Boolean checkType)
       at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderBom.Read50_Bom(Boolean isNullable, Boolean checkType)
       at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderBom.Read51_bom()
       --- End of inner exception stack trace ---
       at System.Xml.Serialization.XmlSerializer.Deserialize(XmlReader xmlReader, String encodingStyle, XmlDeserializationEvents events)
       at System.Xml.Serialization.XmlSerializer.Deserialize(XmlReader xmlReader, String encodingStyle)
       at System.Xml.Serialization.XmlSerializer.Deserialize(Stream stream)
       at CycloneDX.Xml.Serializer.Deserialize(MemoryStream xmlStream)
       at CycloneDX.Xml.Serializer.Deserialize(Stream xmlStream)
       at CycloneDX.Cli.CliUtils.InputBomHelper(String filename, CycloneDXBomFormat format)
       at CycloneDX.Cli.Commands.MergeCommand.InputBoms(IEnumerable`1 inputFilenames, CycloneDXBomFormat inputFormat, Boolean outputToConsole)
       at CycloneDX.Cli.Commands.MergeCommand.Merge(MergeCommandOptions options)
       at System.CommandLine.Invocation.CommandHandler.GetExitCodeAsync(Object value, InvocationContext context)
       at System.CommandLine.Invocation.ModelBindingCommandHandler.InvokeAsync(InvocationContext context)
       at System.CommandLine.Invocation.InvocationPipeline.<>c__DisplayClass4_0.<b__0>d.MoveNext()
       --- End of stack trace from previous location ---
       at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass23_0.<b__0>d.MoveNext()
       --- End of stack trace from previous location ---
       at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass16_0.<b__0>d.MoveNext()
       --- End of stack trace from previous location ---
       at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass27_0.<b__1>d.MoveNext()
       --- End of stack trace from previous location ---
       at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass25_0.<b__0>d.MoveNext()
       --- End of stack trace from previous location ---
       at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<b__24_0>d.MoveNext()
       --- End of stack trace from previous location ---
       at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass22_0.<b__0>d.MoveNext()
       --- End of stack trace from previous location ---
       at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass11_0.<b__0>d.MoveNext()
       --- End of stack trace from previous location ---
       at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<b__10_0>d.MoveNext()
       --- End of stack trace from previous location ---
       at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass14_0.<b__0>d.MoveNext()

    What you expected to happen: Convert email to a recognized name. Remove illegal characters in name.

    How to reproduce it (as minimally and precisely as possible): syft packages ${CI_REGISTRY_IMAGE}:${CI_DEFAULT_BRANCH} -o cyclonedx=bom-image.xml

    Anything else we need to know?:

    Environment:

    • Output of syft version: 0.42.3
    • OS (e.g: cat /etc/os-release or similar): Linux
    bug 
    opened by PatrickYanZ 12
  • First class relationships

    This PR primarily introduces the concept of an artifact.Relationship (instead of a pkg.Relationship) and adds a new element to the sbom.SBOM struct (as a root level element, a sibling of the Artifact field).

    As a result the following additions/changes were also made to support introducing artifact.Relationship:

    1. Create the idea of an artifact.ID as a type
    2. Introduce a new Identifiable interface for objects that can return a stable artifact.ID (and thereby be able to be part of an artifact.Relationship)
    3. Hoist up the package fingerprinting to be a general purpose utility in the artifact package
    4. Hoist up the existing ownership-by-file-overlap relationship to now be discovered/created just after the cataloging phase (instead of within the syftjson format encoder as it is today)
    5. Ignore select metadata struct fields and make subtle changes to CPE generation behavior to further stabilize the package ID (based on an object hash)
    6. Migrate the encode-decode cycle test as an integration test (utilizing all of the known package types) to prove that a package ID remains stable upon multiple encode-decode cycles
    7. ~split source.Location into source.Coordinates. This new object has the minimal information needed to get to a path within a source. This new source.Coordinates implements artifact.Identifiable such that files can form relationships with packages (setting up for Port the SPDX JSON files relationships in a separate PR)~ This work has been broken out into a separate PR

    Additional considerations:

    • I attempted to remove the pkg.Catalog altogether, however, elected to leave it for now to keep this PR smaller and increment towards a final state in a future TBD PR. This keeps the same semantics as the catalog does today in the sense that when a package is added to the catalog it is assumed that it will not be mutated. This is further enforced now by never exposing references to packages that are contained within the catalog.

    Partially addresses #556; remaining work:

    • Port the SPDX JSON files relationships into the new artifact relationships (instead of doing so in the encoder)
    opened by wagoodman 12
  • feat: add initial dotnet-support

    Signed-off-by: Christian Kotzbauer git@ckotzbauer.de

    This PR adds initial support for .NET (Core). It focuses on the parsing of the *.deps.json files in the bin/ folders of a compiled project. This does not add support for parsing NuGet-related files which are usually only available at source-level.

    I tested the changes against a compiled .NET project and against an ASP.NET Core image with the compiled project inside.

    These changes are done alongside the PR adding dart-support. Please let me know if anything is missing, wrong or should be changed.

    Fixes #726 Ref #373

    opened by ckotzbauer 11
  • 510 - SBOM attestation stdout

    Attestation Stdout

    This PR adds the initial version of the syft attest command. A user can use attest to generate a summary of discovered packages formatted as the predicate to an image attestation.

    To run this command you'll need to generate a key via cosign generate-key-pair. You can either pass it directly to the command or have syft read from the default location ./cosign.key

    go run main.go attest --key cosign.key --output json anchore/syft:latest 
    

    Notes:

    • compile size increases from ~22mb --> ~60mb due to new library imports
    • CI time has increased for static analysis
    • keyless workflow will be added after; see here for outline of what is to come
    • snapshot build times have increased with the introduction of new cosign libraries

    TODO:

    • [x] update user input keysign options to be more friendly
    • [x] update to allow password inputs for keys
    • [x] inject command context to leverage correct cosign function signatures
    • [x] unit/integration coverage
    • [x] command coverage
    • [x] rebase
    • [x] BUG: keyreference panic found for certain keyoptions
    • [x] Question: Integration with SBOM writer/encoding pattern or keep write to stdout separate flow
    • [x] Question: static-analysis has increased to 4m beyond 2m timeout
    opened by spiffcs 10
  • Android Support

    What would you like to be added:

    Support for Android projects.

    Why is this needed:

    To have SBOMs for apps, which is quite interesting as a lot of apps already deliver some kind of file mentioning all licenses and dependencies.

    Additional context: I tried to scan a public project but the gradle scanner only found the gradle-wrapper.

    Sorry that I don't have much more context on this. Questions are highly appreciated if there are more.

    enhancement 
    opened by henrysachs 0
  • Symlink traversal confusion when scanning unpacked filesystems

    Assume we have a directory containing an unpacked container image in the target directory:

    $ echo "FROM alpine" | docker build -o type=local,dest=target -
    

    We could also create target.tar out of this same target directory:

    $ tar cf target.tar target/*
    

    If we scan this as a directory source, we can note a couple of warning messages that indicate that syft is scanning directories that weren't intended by the user:

    $ syft -o spdx-json=out.json dir:./target -v
    [0000]  INFO syft version: [not provided]
    [0000]  WARN unable to access path="/bin/busybox": lstat /bin/busybox: no such file or directory
    [0000]  WARN unable to access path="/run/brltty": open /run/brltty: permission denied
    ...
    

    These warnings start to appear because of the symlinks /bin/tar to /bin/busybox and /var/run to /run. I would expect these contents to be resolved entirely within the provided path, but it seems like this behavior is intentional, though I'm not sure of the context: see https://github.com/anchore/syft/blob/main/syft/source/directory_resolver.go#L530-L532 introduced in https://github.com/anchore/syft/pull/442.

    What's even weirder to me is this behavior is identical even when scanning file:target.tar (since it shares the same directory resolver code, after unpacking it into a tmp directory):

    $ syft -o spdx-json=out.json file:./target.tar -v
    [0000]  INFO syft version: [not provided]
    [0000]  WARN unable to access path="/bin/busybox": lstat /bin/busybox: no such file or directory
    [0000]  WARN unable to access path="/run/brltty": open /run/brltty: permission denied
    

    After raising on the community slack, @kzantow suggested a possible new source type, root-dir (or similar), where all content could be resolved internally, additionally, with the same cataloguers as the image: source (since those also differ).

    bug 
    opened by jedevc 0
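
An added illustration of the root-scoped resolution the symlink issue above asks for (not syft's code): `ResolveInRoot` and `BuildSample` are hypothetical names, and the tree is a constructed stand-in for the unpacked alpine image. Absolute link targets such as `/bin/busybox` are re-anchored at the scan root instead of the host's `/`.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ResolveInRoot (hypothetical helper) resolves path as if root were "/".
func ResolveInRoot(root, path string) (string, error) {
	pending, resolved := strings.Split(path, "/"), "/"
	for hops, part := 0, ""; len(pending) > 0; {
		part, pending = pending[0], pending[1:]
		if part == ".." {
			resolved = filepath.Dir(resolved) // Dir("/") is "/": cannot climb out
		}
		if part == "" || part == "." || part == ".." {
			continue
		}
		full := filepath.Join(root, resolved, part)
		target, err := os.Readlink(full)
		if err != nil { // not a symlink: accept the component if it exists
			if _, err := os.Lstat(full); err != nil {
				return "", err
			}
			resolved = filepath.Join(resolved, part)
			continue
		}
		if hops++; hops > 40 {
			return "", errors.New("too many symlink hops")
		}
		if filepath.IsAbs(target) {
			resolved = "/" // "/bin/busybox" now means <root>/bin/busybox
		}
		pending = append(strings.Split(target, "/"), pending...)
	}
	return resolved, nil
}

// BuildSample writes a constructed tree holding the two symlinks from the issue.
func BuildSample(root string) error {
	in := func(p string) string { return filepath.Join(root, p) }
	return errors.Join(
		os.MkdirAll(in("bin"), 0o755), os.MkdirAll(in("run"), 0o755), os.MkdirAll(in("var"), 0o755),
		os.WriteFile(in("bin/busybox"), nil, 0o755),
		os.Symlink("/bin/busybox", in("bin/tar")),
		os.Symlink("/run", in("var/run")),
	)
}

func main() {
	root, _ := os.MkdirTemp("", "target")
	defer os.RemoveAll(root)
	fmt.Println(BuildSample(root))
	fmt.Println(filepath.EvalSymlinks(filepath.Join(root, "bin/tar"))) // host path or error
	fmt.Println(ResolveInRoot(root, "/bin/tar"))                       // /bin/busybox <nil>
}
```

The result is a name only; a scanner that opens it later still has to guard against the tree changing between resolution and open.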
  • Update documentation to include template usage

    What would you like to be added:

    I would like to use templates via config files, but that doesn't seem to be possible at the moment, or at least I can't find it in the documentation.

    Why is this needed:

    Using config files is much more consistent than re-running commands all the time, and it should be possible to use all features via the config file.

    Additional context:

    enhancement 
    opened by rockofox 2
  • Parallel package catalog processing

    Closes #1353

    This introduces a new option syft --workers N, which will use at most N workers to process the package catalogers in parallel.

    -w, --workers int : number of workers to use to process the catalogers (default 1)

    • uses the sync library to create a wait group, waiting for all package catalogers to finish before proceeding.
    • effectively has no real change in behaviour to users calling syft today, as the default is to create one worker.

    Example performance benchmark comparison

    Open to recommendations on performance benchmarking but early results on laptop seem promising:

    Created an example directory with venv and node_modules

    ➜  syft git:(mikcl/concurrent-catalog) time go run cmd/syft/main.go packages   -w 1 --file ../dump  /path/to/project
    [indexing truncated]
     ✔ Indexed /Users/mikcl/Documents/junk/benchmark-concurrent
     ✔ Cataloged packages      [758 packages]
    
    go run cmd/syft/main.go packages -w 1 --file ../dump   13.29s user 1.75s system 114% cpu 13.179 total
    ➜  syft git:(mikcl/concurrent-catalog) time go run cmd/syft/main.go packages   -w 4 --file ../dump  /path/to/project
    [indexing truncated]
     ✔ Indexed /Users/mikcl/Documents/junk/benchmark-concurrent
     ✔ Cataloged packages      [758 packages]
    go run cmd/syft/main.go packages -w 4 --file ../dump   14.16s user 1.94s system 174% cpu 9.235 total
    

    1 worker: 13.29s user 1.75s system 114% cpu 13.179 total
    4 workers: 14.16s user 1.94s system 174% cpu 9.235 total

    uname -a Darwin Kernel Version 21.6.0: [date redacted]; root:xnu-8020.141.5~2/RELEASE_ARM64_T8101 arm64

    For larger file systems and CPUs with more cores, this may be useful :)

    opened by Mikcl 2
  • Syft finds no apks for some images with apks

    Please provide a set of steps on how to reproduce the issue

    syft -q registry:cgr.dev/chainguard/sdk@sha256:871b75ddd7b91a29ea0ed8695e271f59056c21af6a2f937f9224e81d6030dbec | grep 'apk\s'
    

    What happened:

    No apk type packages are found by Syft for this image.

    What you expected to happen:

    Since the image's /lib/apk/db/installed does contain several package entries, Syft should have reported those packages.

    Anything else we need to know?:

    I did a small amount of debugging. It seems like Syft does find the installed db and starts to find packages, but then hits a scanner error (ErrTooLong) and so it returns a nil slice of packages.

    Package entries in the apk db can be pretty large. I think Syft's current parsing approach isn't able to handle these larger entries, because the entry's byte count exceeds the scanner's buffer size.

    This may be solvable by increasing the size of the buffer, but it may be better to try an approach that doesn't require the scanner to hold an entire package entry in the buffer at once. I haven't thought through this idea, but would be happy to chat through it on this issue if that helps!

    bug 
    opened by luhring 1
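
An added example (not syft's parser) of the failure described in the apk issue above, assuming a parser that makes `bufio.Scanner` tokenize one whole blank-line-separated entry at a time; `splitEntries`, `names`, `NamesByEntry`, `NamesByLine` and the sample db are constructed for illustration. Scanning line by line keeps only one line in the buffer, so the large entry no longer trips `bufio.ErrTooLong`.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"io"
	"strings"
)

// splitEntries yields one blank-line-separated db entry per token, so the
// scanner has to buffer a whole entry (the assumed "before" approach).
func splitEntries(data []byte, atEOF bool) (int, []byte, error) {
	if i := bytes.Index(data, []byte("\n\n")); i >= 0 {
		return i + 2, data[:i], nil
	}
	if atEOF && len(data) > 0 {
		return len(data), data, nil
	}
	return 0, nil, nil // ask for more data
}

// names collects the "P:" (package name) fields from every token split yields.
func names(r io.Reader, split bufio.SplitFunc) ([]string, error) {
	var out []string
	sc := bufio.NewScanner(r) // token limit defaults to bufio.MaxScanTokenSize (64 KiB)
	sc.Split(split)
	for sc.Scan() {
		for _, line := range strings.Split(sc.Text(), "\n") {
			if strings.HasPrefix(line, "P:") {
				out = append(out, line[2:])
			}
		}
	}
	if err := sc.Err(); err != nil {
		return nil, err // as in the report: one oversized entry loses every package
	}
	return out, nil
}

// NamesByEntry fails with bufio.ErrTooLong once an entry exceeds the buffer.
func NamesByEntry(r io.Reader) ([]string, error) { return names(r, splitEntries) }

// NamesByLine buffers one line at a time, so entry size no longer matters.
func NamesByLine(r io.Reader) ([]string, error) { return names(r, bufio.ScanLines) }

// SampleDB is a constructed installed db; the middle entry lists ~100 KiB of files.
func SampleDB() string {
	big := "P:big\nV:1.0-r0\nF:usr/lib\n" + strings.Repeat("R:"+strings.Repeat("x", 98)+"\n", 1000)
	return "P:musl\nV:1.2.3-r4\n\n" + big + "\nP:zlib\nV:1.2.13-r0\n\n"
}

func main() {
	fmt.Println(NamesByEntry(strings.NewReader(SampleDB())))
	fmt.Println(NamesByLine(strings.NewReader(SampleDB())))
}
```

A single line longer than 64 KiB would still hit the same limit; `Scanner.Buffer` or a `bufio.Reader` covers that case.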
Releases(v0.62.1)
Owner
Anchore, Inc.