Errors when using the syft image in a Cloud pipeline

Hello,
We want to generate the SBOM files for our Python artifacts during CI using syft. The source code is in GitHub and for CI we use GCP Cloud Build. The step (job) that builds the artifacts is fine. The artifacts are stored in the path /workspace/artifacts/ .

# output of pwd
/workspace/artifacts
# output of ls -l /workspace/artifacts
-rw-r--r-- 1 root root  88248 Jun 25 11:37 ca-0.3.1+bc29ba4.tar.gz
-rw-r--r-- 1 root root 101315 Jun 25 11:37 ca-0.3.1+bc29ba4-py3-none-any.whl

The step (job) configuration in the cloudbuild.yaml file is:

  # Generate SBOM with syft in SPDX 2.3 format
  - name: 'anchore/syft:latest'
    id: 'Generate SBOM files'
    args:
      - '/workspace/artifacts/*.tar.gz'
      - '-o'
      - 'spdx-json=/workspace/artifacts/ca-ds-alpha.spdx.json'
      - '-v'
    waitFor: ['Build pyproject.toml']

We trigger the pipeline but it fails at the SBOM generation. The step (job) shows:

reverse chronological order:

  - additionally, the following providers failed with file does not exist: docker-archive, oci-archive, oci-dir, singularity, oci-dir, local-file, local-directory
  - oci-registry: unable to parse registry reference="/workspace/artifacts/*.tar.gz": could not parse reference: /workspace/artifacts/*.tar.gz
  - containerd: containerd not available: no grpc connection or services is available: unavailable
  - podman: podman not available: no host address
  - docker: could not parse reference: /workspace/artifacts/*.tar.gz
[0000] ERROR could not determine source: errors occurred attempting to resolve '/workspace/artifacts/*.tar.gz':
[0000]  INFO docker pulling image image=/workspace/artifacts/*.tar.gz
[0000] ERROR failed to fetch latest version: Get "https://toolbox-data.anchore.io/syft/releases/latest/VERSION": EOF
[0000]  INFO syft version: 1.27.1
docker.io/anchore/syft:latest
Status: Downloaded newer image for anchore/syft:latest
Digest: sha256:844ed6a928ef9396fac26d1de374e71dcaf80df14f05841670ed41619c5a718f
66f1113752fa: Pull complete
66f1113752fa: Download complete
66f1113752fa: Verifying Checksum
eacc05aa8ff3: Pull complete
e34fea3dd773: Pull complete
eacc05aa8ff3: Download complete
eacc05aa8ff3: Verifying Checksum
e34fea3dd773: Download complete
e34fea3dd773: Verifying Checksum
66f1113752fa: Waiting
eacc05aa8ff3: Waiting
e34fea3dd773: Waiting
66f1113752fa: Pulling fs layer
eacc05aa8ff3: Pulling fs layer
e34fea3dd773: Pulling fs layer
latest: Pulling from anchore/syft
Pulling image: anchore/syft:latest

I could see that the entrypoint for anchore/syft:latest is /syft and these are the args we set:

    args:
      - '/workspace/artifacts/*.tar.gz'
      - '-o'
      - 'spdx-json=/workspace/artifacts/ca-ds-alpha.spdx.json'
      - '-v'

I suspect these args are not OK.

Could you please offer some suggestions?

Thank you.

Hi @yener-azs :waving_hand:!

When you use this input, the * is not being expanded by the shell like it is when you run:

syft /workspace/artifacts/*.tar.gz

The latter :backhand_index_pointing_up: expands via your shell to a single file and everything works, however if you had multiple matching .tar.gz files in that directory it would also fail. Since there’s no bash involved due to invoking syft with the provided args directly, as you noted, no expansion is happening.

To solve this, just use an exact reference to the file (and I would suggest using the exact same version for the SBOM output), e.g.

  - name: 'anchore/syft:latest'
    id: 'Generate SBOM files'
    args:
      - '/workspace/artifacts/ca-0.3.1+bc29ba4.tar.gz'
      - '-o'
      - 'spdx-json=/workspace/artifacts/ca-0.3.1+bc29ba4.spdx.json'
      - '-v'

Thank you for the confirmation related to the expansion of * .

The thing is, we have two artifacts and since it is a pipeline, we would like the pipeline configuration to work for all artifact names.

I am thinking of using a bash for loop. Something like:

cd /workspace/artifacts
pwd
echo "The current working directory is $(pwd)"
echo "Start generating the SBOM files:"
for pkg in /workspace/artifacts/*; do
    # strip the directory part so the SBOM is written next to the artifact
    base=$(basename "$pkg")
    syft "$base" -v -o spdx="$base".spdx
done
echo "Listing the SBOM files *.spdx:"
ls -l *.spdx

Which anchore syft image could I use? The one with tag debug ?

Thank you.
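The loop sketched in the post above, reworked as an added example (it is not from this thread or from the syft project): it uses explicit `*.tar.gz` / `*.whl` patterns so a rerun does not feed previously generated `.spdx.json` files back into syft, skips an unmatched literal pattern instead of passing it on (which is exactly the `/workspace/artifacts/*.tar.gz` failure from the original step), and names each SBOM after the artifact's exact version as the reply suggested. The `SYFT` variable is a hypothetical hook for substituting the binary; everything else assumes the paths and the spdx-json output format from the original cloudbuild.yaml step.

```shell
#!/bin/sh
# Added example, not the thread's or syft's own code.
# Assumptions: artifacts live in the directory passed as $1, the syft
# binary (or a stand-in) is named by $SYFT, output format is spdx-json.

# sbom_name ARTIFACT -> SBOM path: strips .tar.gz or .whl so the SBOM
# carries the artifact's exact version, e.g. ca-0.3.1+bc29ba4.spdx.json
sbom_name() {
    case "$1" in
        *.tar.gz) printf '%s.spdx.json\n' "${1%.tar.gz}" ;;
        *.whl)    printf '%s.spdx.json\n' "${1%.whl}" ;;
        *)        return 1 ;;
    esac
}

# generate_sboms DIR: runs syft once per .tar.gz and .whl in DIR.
# Prints the number of SBOMs produced; exits non-zero if syft fails.
generate_sboms() {
    dir="$1"
    count=0
    # Explicit patterns instead of a bare "*" so a rerun does not pick up
    # the .spdx.json files written by the previous run.
    for pkg in "$dir"/*.tar.gz "$dir"/*.whl; do
        # With no match a POSIX shell leaves the literal pattern in $pkg;
        # passing that on is the "could not parse reference" error above.
        [ -e "$pkg" ] || continue
        out=$(sbom_name "$pkg") || continue
        "${SYFT:-syft}" "$pkg" -o "spdx-json=$out" || return 1
        count=$((count + 1))
    done
    echo "$count"
}
```

Inside a Cloud Build step this only works if the image used for that step provides a shell, which the thread leaves open for anchore/syft.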