We are using Syft as a library to generate CycloneDX json format SBOMs.
Our code runs on a scratch container and works fine. We added a /tmp directory to the scratch container and in our example generates a 2000+ line sbom json file full of components.
When we run the same code as part of a test (go test), this time running on a container based on a RedHat ubi minimal image, we get a very small sbom file with only the meta data and no components. The container running the test has a /tmp directory. There are no errors, warnings or info messages to indicate the issue.
If we run the test locally on our laptops we get the full file with components.
Given that the test runs locally and that the code can run correctly on a scratch container (with /tmp) it would appear that something on the ubi container is causing the problem. Is there anything aside from a missing /tmp that could cause this issue or has anybody experienced something similar.
Are you doing an image scan in one case vs a directory scan in the other? There are a different set of catalogers that run by default for these cases. If you run syft cataloger list you can see which catalogers are run for directory and which are for image. If that doesn’t happen to be the problem, we’ll need some more info to get to the bottom of this. A sample program and some steps to run on either type of image would probably let us see what the difference is fairly quickly.
In both cases the code executing is the same - building a CycloneDX1.4 json file from an oci-archive tar file.
We have been unable to produce a test case. For every scenario we have tried, the code produces the correct output. The only place it behaves incorrectly is running in a pipeline on our Openshift cluster.
We are completely out of ideas on how to debug this further so will skip running this test on the cluster.