I noticed this today when my sbom started having 10 times more components listed and I thought it was weird. Then I investigated and discovered this pull request, "Add file catalogers to selection configuration by wagoodman · Pull Request #3505 · anchore/syft · GitHub", that changed the way the file cataloger worked, I think. And I noticed that now my sbom is listing a lot of files and it’s making the sbom 10 times as big and this is impacting our pipelines.
Why was the default changed? Is there a way to disable this?
I have some examples on my dependency-track that a project with 267 components became a project with 3800+ components. I need help on how to disable this.
I think I understood the issue that this PR solved, but is it correct for it to be the new default? The file catalogers weren’t running by default before, why should they now?
Syft has been hashing and outputting files for quite some time.
I see that you’re using Dependency Track, I suspect this means you’re using CycloneDX. A change was made to fix issue #3435 that CycloneDX now outputs files, it simply had been erroneously omitting them before. So, if you don’t want to include these, you will need to disable this behavior somewhere.
Unfortunately, it looks like syft --select-catalogers -file is still including them, and I haven’t been able to work out a concoction of options to disable them, after trying a number of things I would have expected to work.
I believe syft --select-catalogers -file should do what you want. Assuming this doesn’t work for you, would you mind filing an issue about it?
At the moment I am just forcing the use of v1.19.0 because I am going on vacations next week and I was worried that any of our pipelines would be impacted.
Yes, I am using syft + dependency-track as an SCA tool (and importing cyclonedx SBOMs).
I’ll test your solution in a test environment but I am not entirely sure how to do it. Should I call this “syft --select-catalogers -file” before the scan command and it should exclude files from the sbom, is that it? Or should I include this on the scan command?
And if this is not solved, I’ll see if I can open an issue on GitHub.
You would just add --select-catalogers -file to the syft command you are running. This should tell syft to remove any catalogers tagged with “file”. But it doesn’t seem to have the effect of excluding files from the final output.
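As an added example (not code from this thread, from Syft or from Dependency-Track): if the cataloger flag does not remove the file entries from the output, a fallback is to filter the CycloneDX JSON that syft produces before uploading it, dropping every component of type "file" and pruning dependency edges that point at a dropped component. The sample SBOM below is constructed to mimic the shape syft emits; field names follow the CycloneDX JSON schema.

```python
"""Strip CycloneDX "file" components from an SBOM before Dependency-Track import."""
import json

# Constructed sample: a minimal CycloneDX 1.5 JSON document with one library
# and two file components of the kind that inflate the Dependency-Track project.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg:npm/lodash@4.17.21", "type": "library",
         "name": "lodash", "version": "4.17.21"},
        {"bom-ref": "file-1", "type": "file", "name": "/usr/bin/bash",
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}]},
        {"bom-ref": "file-2", "type": "file", "name": "/etc/passwd"},
    ],
    "dependencies": [
        {"ref": "root", "dependsOn": ["pkg:npm/lodash@4.17.21", "file-1"]},
        {"ref": "file-1", "dependsOn": ["file-2"]},
    ],
}
SAMPLE_SBOM_JSON = json.dumps(SAMPLE_SBOM)


def strip_file_components(sbom: dict) -> dict:
    """Return a copy of `sbom` without components of type "file".

    Dependency entries whose "ref" was dropped are removed, and "dependsOn"
    lists are pruned of dropped refs, so no dangling bom-refs remain.
    """
    components = sbom.get("components", [])
    keep = [c for c in components if c.get("type") != "file"]
    dropped = {c.get("bom-ref") for c in components if c.get("type") == "file"}
    dropped.discard(None)  # a component without a bom-ref cannot be referenced
    deps = []
    for d in sbom.get("dependencies", []):
        if d.get("ref") in dropped:
            continue
        deps.append({**d, "dependsOn": [r for r in d.get("dependsOn", []) if r not in dropped]})
    out = dict(sbom)
    out["components"] = keep
    if "dependencies" in sbom:
        out["dependencies"] = deps
    return out


def strip_file_components_json(text: str) -> str:
    """Same filter applied to serialized JSON, e.g. the output of `syft -o cyclonedx-json`."""
    return json.dumps(strip_file_components(json.loads(text)), indent=2)


if __name__ == "__main__":
    print(strip_file_components_json(SAMPLE_SBOM_JSON))
```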