How to scan 2 directories at one time

How to scan 2 directories at one time


Good question. On Linux I guess you can use bind mounts to aggregate multiple directories into one, but the paths might be a bit wonky. In the demo below I have two folders (./dir-of-debs, ./dir-of-rpms) which contain different things. I use bind mounts to aggregate them all under ./mountpoint.

e.g.

$ pwd
/home/alan/Temp/2-dirs-test
# We have two folders, but these could be anywhere on the filesystem
$ tree
.
├── dir-of-debs
│   ├── figlet_2.2.5-3_amd64.deb
│   ├── gzip_1.10-4ubuntu4_amd64.deb
│   └── openssl_3.0.2-0ubuntu1.19_amd64.deb
└── dir-of-rpms
    ├── spack-repos-0.19.1-0.20230207git25cb55c.1.mga9.noarch.rpm
    ├── toilet-0.3-lp152.1.3.x86_64.rpm
    └── zstd-gzip-1.5.7-3.1.x86_64.rpm
# Make a directory to mount each one under
$ mkdir -p ./mountpoint/debs ./mountpoint/rpms
# Use bind mounts to make the dir-of* folders appear under ./mountpoint
$ sudo mount -o bind ~/Temp/2-dirs-test/dir-of-debs ~/Temp/2-dirs-test/mountpoint/debs/
$ sudo mount -o bind ~/Temp/2-dirs-test/dir-of-rpms ~/Temp/2-dirs-test/mountpoint/rpms/
# Show that the debs and rpms now show up under ./mountpoint
$ tree
.
├── dir-of-debs
│   ├── figlet_2.2.5-3_amd64.deb
│   ├── gzip_1.10-4ubuntu4_amd64.deb
│   └── openssl_3.0.2-0ubuntu1.19_amd64.deb
├── dir-of-rpms
│   ├── spack-repos-0.19.1-0.20230207git25cb55c.1.mga9.noarch.rpm
│   ├── toilet-0.3-lp152.1.3.x86_64.rpm
│   └── zstd-gzip-1.5.7-3.1.x86_64.rpm
└── mountpoint
    ├── debs
    │   ├── figlet_2.2.5-3_amd64.deb
    │   ├── gzip_1.10-4ubuntu4_amd64.deb
    │   └── openssl_3.0.2-0ubuntu1.19_amd64.deb
    └── rpms
        ├── spack-repos-0.19.1-0.20230207git25cb55c.1.mga9.noarch.rpm
        ├── toilet-0.3-lp152.1.3.x86_64.rpm
        └── zstd-gzip-1.5.7-3.1.x86_64.rpm

Now if we run syft against the ./mountpoint folder, we see the debs and rpms from the bind-mounted folders.

$ syft ./mountpoint/
 ✔ Indexed file system mountpoint
 ✔ Cataloged contents c7f7506e9fa9dcfb617f0294ba7b278f3d284a24dc4d71f2b5f59dec23c23ef8
   ├── ✔ Packages                        [6 packages]
   ├── ✔ Executables                     [0 executables]
   ├── ✔ File metadata                   [6 locations]
   └── ✔ File digests                    [6 files]
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
NAME         VERSION                               TYPE
figlet       2.2.5-3                               deb
gzip         1.10-4ubuntu4                         deb
openssl      3.0.2-0ubuntu1.19                     deb
spack-repos  0:0.19.1-0.20230207git25cb55c.1.mga9  rpm
toilet       0:0.3-lp152.1.3                       rpm
zstd-gzip    0:1.5.7-3.1                           rpm

If we look at an SBOM generated from this, we'll see the accessPath shows the relative location under ./mountpoint, e.g. /debs - as an absolute path.

$ syft ./mountpoint/ -o syft-json=mountpoint-demo.json
$ jq '.artifacts[] | select(.name == "figlet") | .locations[].accessPath' < mountpoint-demo.json
"/debs/figlet_2.2.5-3_amd64.deb"

This might be okay in your case, because whatever we did, it's still identifying the packages correctly, even if the path is a bit weird.
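An added example, not part of the original posts and not Syft's own code: a post-processing step that maps each accessPath in the SBOM back to the directory that was bind-mounted, so findings can be traced to the real file. The `artifacts`, `locations` and `accessPath` fields are the ones the jq query above reads; `BIND_MOUNTS`, the function names and the sample document (including the `stray` entry) are assumptions constructed for illustration.

```python
import json
from pathlib import PurePosixPath

# Assumption: mirrors the two bind mounts from the demo above
# (sub-directory under ./mountpoint -> directory bind-mounted there).
BIND_MOUNTS = {
    "/debs": "/home/alan/Temp/2-dirs-test/dir-of-debs",
    "/rpms": "/home/alan/Temp/2-dirs-test/dir-of-rpms",
}

def original_path(access_path, mounts=BIND_MOUNTS):
    """Map an accessPath (relative to the scan root) to the real file path.

    Returns None when the path is not under any known bind mount, so the
    caller can tell rewritten locations from untouched ones.
    """
    path = PurePosixPath(access_path)
    # Longest prefix first, so a nested mount (/debs/extra) wins over /debs.
    for prefix in sorted(mounts, key=len, reverse=True):
        try:
            # Component-wise match: "/debsx/..." is not treated as "/debs".
            rel = path.relative_to(prefix)
        except ValueError:
            continue
        return str(PurePosixPath(mounts[prefix]) / rel)
    return None

def package_locations(sbom, mounts=BIND_MOUNTS):
    """Return {package name: [real paths]} for a syft-json document."""
    result = {}
    for artifact in sbom.get("artifacts", []):
        paths = []
        for loc in artifact.get("locations", []):
            access = loc.get("accessPath", "")
            # Keep the reported path when it matches no bind mount.
            paths.append(original_path(access, mounts) or access)
        result[artifact["name"]] = paths
    return result

# Constructed sample: only the fields needed here, not full Syft output.
SAMPLE_SBOM = json.loads("""
{"artifacts": [
  {"name": "figlet", "locations": [{"accessPath": "/debs/figlet_2.2.5-3_amd64.deb"}]},
  {"name": "toilet", "locations": [{"accessPath": "/rpms/toilet-0.3-lp152.1.3.x86_64.rpm"}]},
  {"name": "stray",  "locations": [{"accessPath": "/debsx/other.deb"}]}
]}
""")
```

To use it on the file generated above, load `mountpoint-demo.json` with `json.load` and pass the result to `package_locations`.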

Thanks for the solution, will try this later.
