Why SBOM contains configuration files?

anvitha_haviligi · September 15, 2025, 9:56am

Hi All,

I have tried generating SBOM with syft 1.32 version, i see it contains even configuration files, SBOM should contain only components and dependencies rite ? Adding screenshot for reference.

In earlier versions i have not seen, is this introduced newly ?

Thanks in advance, Anvitha

willmurphy · September 15, 2025, 1:42pm

Hi @anvitha_haviligi,

Thanks for the question!

Can you tell me more about what this is a screenshot of? What format did you ask Syft for, and what program are you using to view it?

In general, Syft SBOMs contain packages, files, and metadata about which packages own which files. Is this causing some sort of difficulty?

popey · September 15, 2025, 8:52pm

Out of curiosity, I ran syft on alpine:latest for every format, and found “/etc/apk/keys*” in two formats, syft-json and cyclonedx-xml, and they’re in the alpine-keys package.

pkg:apk/alpine/alpine-keys@2.5-r0?arch=aarch64&distro=alpine-3.22.1"

e.g.

         {
            "path": "/etc/apk/keys/alpine-devel@lists.alpinelinux.org-524d27bb.rsa.pub",
            "digest": {
              "algorithm": "'Q1'+base64(sha1)",
              "value": "Q1BTqS+H/UUyhQuzHwiBl47+BTKuU="
            }
          },

Dunno if this is helpful, but my curiosity has been satiated.

anvitha_haviligi · September 16, 2025, 6:18am

Command Used : syft scan -o cyclonedx-json@1.5

In below output, it even shows zoneinfo which is not useful i feel.

{
“bom-ref”: “b9e0f43950d00ad3”,
“type”: “file”,
“name”: “/usr/share/zoneinfo/Africa/Addis_Ababa”,
“hashes”: [
{
“alg”: “SHA-1”,
“content”: “289d1fb5a419107bc1d23a84a9e06ad3f9ee8403”
},
{
“alg”: “SHA-256”,
“content”: “c89b2e253a8926a6cecf7eff34e4bfcdb7fe24daff22d84718c30deec0ea4968”
}
]
},
{
“bom-ref”: “ba9f54bbc89ac30d”,
“type”: “file”,
“name”: “/usr/share/zoneinfo/Africa/Algiers”,
“hashes”: [
{
“alg”: “SHA-1”,
“content”: “edb95d3dc9238b5545f4f1d85d8bc879cdacdec8”
},
{
“alg”: “SHA-256”,
“content”: “bda1698cd542c0e6e76dfbbcdab390cdd26f37a9d5826a57a50d5aab37f3b2a6”

willmurphy · September 16, 2025, 1:31pm

By default, Syft will find files that are owned by a package it finds. So if apk or rpm or whatever have written down that a package owns a file, Syft will report that package.

You can set SYFT_FILE_METADATA_SELECTION=none in the environment to make Syft not do this if you don’t find it useful.

anvitha_haviligi · September 17, 2025, 5:41am

Thanks @willmurphy , I will try this option

Topic		Replies	Views
Does Syft automaticaly detects existing SBOM files? Syft	1	67	March 20, 2025
Why is syft reporting hundreds of random files? Syft	2	73	July 31, 2025
How to make valid sbom files? (Newbie Questions) General	1	42	November 13, 2024
Why syft version 1.20 is now listing files in the SBOM as default? General	3	177	February 25, 2025
Unable to detect nghttp2, brotli, and sqlite components in a container image SBOM Syft	3	37	January 14, 2025

Why SBOM contains configuration files?

Related topics