Latest Syft buildpack (2.0.0) relies on Syft CLI 1.x #1524
anthonydahanne
announced in Announcements
Replies: 0 comments
What happened?
Since February 29th, the Anchore Syft team has been publishing 1.x versions (up from 0.x) of the Syft CLI.
It was about time the Syft Paketo buildpack upgraded to it! It's now done with the latest release of Paketo Syft Buildpack 2.0.0 (which relies on Syft CLI 1.11.1).
The changes
So, what are the changes we can observe, just looking at the files generated during a Java build?
Let's do a build of the sample maven app
and let's pull its SBOMs
Let's do the same using the new Syft buildpack (not yet in a composite, so we have to specify the component buildpacks explicitly)
OK, same set of files as before, that looks like a smooth start.
Let's compare them
Not many files were different, only the SBOMs generated by executable-jar; probably due to an upgrade of the schemas: from http://cyclonedx.org/schema/bom-1.5.schema.json to http://cyclonedx.org/schema/bom-1.6.schema.json for CycloneDX, and from https://raw.githubusercontent.com/anchore/syft/main/schema/json/schema-16.0.4.json to https://raw.githubusercontent.com/anchore/syft/main/schema/json/schema-16.0.15.json for Syft's own format.
Conclusion?
Looking a little deeper into the changes, Syft 1.x seems to find more dependencies, with more information about them (groupIds, maven locations, etc.).
That looks like a safe and even needed upgrade!
Please let us know in the comments if you have examples of breaking changes, before we make this buildpack the default with the java and java-native composites!
Thanks for reading!
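As an added example (not part of the original post or of the buildpack's own tooling), here is a small script for the comparison step described above: it reads the schema URL from two CycloneDX SBOMs and reports which components were added, removed, or gained extra fields such as a group, so a reviewer can spot breaking changes before adopting the new buildpack. The two SBOMs are constructed, abbreviated documents embedded inline; they are not real buildpack output.

```python
import json
from typing import Dict, Set, Tuple

# Constructed, abbreviated CycloneDX documents standing in for the two builds' SBOMs.
SBOM_OLD = json.dumps({
    "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "spring-boot", "version": "3.2.3",
         "purl": "pkg:maven/org.springframework.boot/spring-boot@3.2.3"},
        {"name": "snakeyaml", "version": "2.2",
         "purl": "pkg:maven/org.yaml/snakeyaml@2.2"},
    ],
})
SBOM_NEW = json.dumps({
    "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "components": [
        {"group": "org.springframework.boot", "name": "spring-boot", "version": "3.2.3",
         "purl": "pkg:maven/org.springframework.boot/spring-boot@3.2.3"},
        {"group": "org.yaml", "name": "snakeyaml", "version": "2.2",
         "purl": "pkg:maven/org.yaml/snakeyaml@2.2"},
        {"group": "ch.qos.logback", "name": "logback-core", "version": "1.4.14",
         "purl": "pkg:maven/ch.qos.logback/logback-core@1.4.14"},
    ],
})

def schema_of(sbom_text: str) -> str:
    """Return the $schema URL, which is what differed between the two builds."""
    return json.loads(sbom_text).get("$schema", "")

def components_by_purl(sbom_text: str) -> Dict[str, dict]:
    """Index components by purl, falling back to name@version when purl is absent."""
    out: Dict[str, dict] = {}
    for c in json.loads(sbom_text).get("components", []):
        key = c.get("purl") or f"{c.get('name')}@{c.get('version')}"
        out[key] = c
    return out

def diff_sboms(old_text: str, new_text: str) -> Tuple[Set[str], Set[str], Set[str]]:
    """Return (added, removed, enriched): purls only in new, only in old, in both but with extra fields."""
    old, new = components_by_purl(old_text), components_by_purl(new_text)
    added, removed = set(new) - set(old), set(old) - set(new)
    enriched = {p for p in set(old) & set(new) if set(new[p]) - set(old[p])}
    return added, removed, enriched

if __name__ == "__main__":
    print(schema_of(SBOM_OLD), "->", schema_of(SBOM_NEW))
    added, removed, enriched = diff_sboms(SBOM_OLD, SBOM_NEW)
    print("added:", sorted(added), "removed:", sorted(removed), "enriched:", sorted(enriched))
```

Point the two loaders at the real `sbom.cdx.json` files pulled from each build to run the same comparison on actual output.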