Why SBOM contains configuration files?

Hi All,

I have tried generating an SBOM with syft version 1.32, and I see it contains even configuration files. An SBOM should contain only components and dependencies, right? Adding a screenshot for reference.

In earlier versions I have not seen this. Is this newly introduced?

Thanks in advance, Anvitha

Hi @anvitha_haviligi,

Thanks for the question!

Can you tell me more about what this is a screenshot of? What format did you ask Syft for, and what program are you using to view it?

In general, Syft SBOMs contain packages, files, and metadata about which packages own which files. Is this causing some sort of difficulty?

Out of curiosity, I ran syft on alpine:latest for every format, and found “/etc/apk/keys*” in two formats, syft-json and cyclonedx-xml, and they’re in the alpine-keys package.

pkg:apk/alpine/alpine-keys@2.5-r0?arch=aarch64&distro=alpine-3.22.1

e.g.

  {
    "path": "/etc/apk/keys/alpine-devel@lists.alpinelinux.org-524d27bb.rsa.pub",
    "digest": {
      "algorithm": "'Q1'+base64(sha1)",
      "value": "Q1BTqS+H/UUyhQuzHwiBl47+BTKuU="
    }
  },

Dunno if this is helpful, but my curiosity has been satiated.
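As an added example (not from either post, and not Syft's own code): a Python script that reads a constructed syft-json fragment shaped like the snippet above, lists which package owns each file, and recomputes the APK Q1 digest ("Q1" + base64(sha1)) so the recorded value can be checked against the bytes actually on disk. The SBOM document, the file contents and the function names are constructed for illustration and are not the full syft-json schema.

```python
import base64
import hashlib
import json

# Constructed file contents (not real key material); the Q1 digests below
# are computed from these bytes when the sample SBOM is built.
FILE_CONTENT = {
    "/etc/apk/keys/example-a.rsa.pub": b"-----BEGIN PUBLIC KEY-----\nAAAA\n-----END PUBLIC KEY-----\n",
    "/etc/apk/keys/example-b.rsa.pub": b"-----BEGIN PUBLIC KEY-----\nBBBB\n-----END PUBLIC KEY-----\n",
}

def q1_digest(data: bytes) -> str:
    """APK 'Q1' checksum: the literal prefix Q1 followed by base64(sha1(data))."""
    return "Q1" + base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")

# Constructed syft-json fragment, shaped like the snippet in the answer above:
# each APK package entry carries a metadata.files list naming the paths it owns.
SAMPLE_SBOM = json.dumps({
    "artifacts": [{
        "name": "alpine-keys",
        "version": "2.5-r0",
        "type": "apk",
        "purl": "pkg:apk/alpine/alpine-keys@2.5-r0?arch=aarch64&distro=alpine-3.22.1",
        "metadata": {"files": [
            {"path": p, "digest": {"algorithm": "'Q1'+base64(sha1)", "value": q1_digest(c)}}
            for p, c in FILE_CONTENT.items()
        ]},
    }]
})

def owned_files(sbom_json: str) -> dict:
    """Map each file path listed under a package to (owning package, recorded Q1 digest)."""
    owners = {}
    for pkg in json.loads(sbom_json).get("artifacts", []):
        for f in pkg.get("metadata", {}).get("files", []):
            owners[f["path"]] = (pkg["name"], f["digest"]["value"])
    return owners

def verify_against_disk(sbom_json: str, content: dict) -> dict:
    """For each owned file present in `content`, report (owner, digest-matches)."""
    return {path: (owner, q1_digest(content[path]) == recorded)
            for path, (owner, recorded) in owned_files(sbom_json).items() if path in content}

if __name__ == "__main__":
    tampered = dict(FILE_CONTENT)
    tampered["/etc/apk/keys/example-b.rsa.pub"] += b"# modified after install\n"
    for path, (owner, ok) in verify_against_disk(SAMPLE_SBOM, tampered).items():
        print(f"{path}: owned by {owner}, digest {'matches' if ok else 'MISMATCH'}")
```

This is the practical use of those file entries: the per-package file list with its digest lets you detect a signing key or config file that was changed after the package was installed.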