Utilize --source-name and --source-version in syft #346

Description

@nettrino

Syft offers the following two flags which could be useful for populating metadata on how an SBOM was generated

      --source-name string                        set the name of the target being analyzed
      --source-version string                     set the version of the target being analyzed

When running syft without the above flags, a warning is emitted:

[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)

It seems the flags are not really critical, but they append respective entries under "name" and "version" in the metadata>component section of the SBOM. For instance, without passing --source-name, the component name is a file path, whereas with --source-name it is whatever we pass.

Chalk could make use of that to keep the git remote uri and hash in version potentially, so as to know both the on-host path where the command ran, as well as have an authoritative entry for the exact version of the repo (with whatever additional metadata we possibly could care about, like the chalk METADATA_ID, stored directly inside the SBOM).
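As an added example (not code from the issue, syft or chalk), the check below shows what an SBOM consumer can do with the metadata.component fields the flags populate: it parses two constructed CycloneDX documents, one as syft would emit it without the flags (name falls back to the scanned path) and one with --source-name/--source-version set to a git remote URI and a commit hash, and flags the path-derived identity that the warning above describes. The sample values, the `git:<sha>` version convention and the path heuristic are assumptions made here.

```python
"""Verify that a CycloneDX SBOM carries an explicit source identity.

syft's --source-name / --source-version fill metadata.component.name and
.version; without them the name falls back to the on-host path. A consumer
can detect that fallback and require a commit-pinned version instead.
"""
import json
import re

# Constructed sample: directory scan WITHOUT the flags (name is the path).
SBOM_NO_FLAGS = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"type": "file", "name": "/home/build/myrepo"}},
    "components": [],
})

# Constructed sample: same scan WITH --source-name set to the git remote URI
# and --source-version to the commit (hypothetical values, "git:<sha>" is an
# assumed convention, not one defined by syft or chalk).
SBOM_WITH_FLAGS = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {
        "type": "file",
        "name": "https://github.com/example/myrepo.git",
        "version": "git:1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b",
    }},
    "components": [],
})

# Heuristic for a path-derived name (absolute, relative or Windows drive path).
PATH_RE = re.compile(r"^(/|\./|\.\./|[A-Za-z]:\\)")
COMMIT_RE = re.compile(r"^git:[0-9a-f]{40}$")


def source_identity(sbom_json):
    """Return (name, version) from metadata.component; None where absent."""
    comp = json.loads(sbom_json).get("metadata", {}).get("component", {})
    return comp.get("name"), comp.get("version")


def check_source_identity(sbom_json):
    """Return findings; an empty list means an explicit name and pinned version."""
    name, version = source_identity(sbom_json)
    findings = []
    if not name:
        findings.append("missing metadata.component.name")
    elif PATH_RE.match(name):
        findings.append(f"name is a filesystem path, not an explicit source name: {name}")
    if not version:
        findings.append("missing metadata.component.version")
    elif not COMMIT_RE.match(version):
        findings.append(f"version is not a pinned commit: {version}")
    return findings


if __name__ == "__main__":
    for label, doc in (("no flags", SBOM_NO_FLAGS), ("with flags", SBOM_WITH_FLAGS)):
        print(label, check_source_identity(doc) or "ok")
```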

Metadata

    Labels

    enhancement (New feature or request)
