Package Count doesn't match list of packages #2304
Comments
Thanks for the issue @amouat. It seems the tool has incorrect output on the length of the json as well - let me investigate and see what's happening in the UI that might be giving incorrect numbers here. From first glance there seems to be a couple of seemingly duplicate entries being surfaced in the json output that are not as apparent in the table form: Example: the json is surfacing two packages for
We might be doing some deduplication after that number is generated resulting in the final list in the The packages discovered by the
Just for confirmation I ran syft with the following config (note the sbom-cataloger is omitted):
Here we see the expected result so the bug lies in how syft is reconciling a discovered sbom
Thanks for looking at this! Note that there might still be another issue:
Thanks @tgerla. It works for
Which says there are 17 packages but only 16 are listed. Syft version:
Hi @amouat, sorry about that, I believe now the issue is actually fixed in Grype 0.77.2: anchore/grype#1837 -- I will close this issue but please let me know if you run into any other weird counts. Thanks!
Oops -- just realized this is in Syft, not Grype. Keeping open!
What happened:
Syft returns the number of packages in an image, but this doesn't match the number of package names listed. This happens on multiple images (e.g. redis:alpine reports 19 packages, but only 18 are named) but is particularly pronounced on some Chainguard Images (e.g. cgr.dev/chainguard/redis reports 34 packages but only 16 are named).
What you expected to happen:
The total number of packages reported to match the number of named packages. Or some explanation for the difference.
Steps to reproduce the issue:
Anything else we need to know?:
Not sure if this is a bug or a misunderstanding on my part.
Environment:
syft version:
OS (cat /etc/os-release or similar): MacOS
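Added example, not part of the original issue or of Syft's own code: one way to reconcile a reported package count with the listed names, by grouping the `artifacts` entries of `syft -o json` output that share a name, version and type and showing which catalogers produced each duplicate. The grouping key and the sample data (package entries and the `other-cataloger` name) are assumptions constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample shaped like `syft <image> -o json` output, reduced to the
# fields used below. Entries and "other-cataloger" are made up for illustration.
SAMPLE_SBOM = json.loads("""
{"artifacts": [
  {"name": "busybox", "version": "1.36.1-r0", "type": "apk", "foundBy": "other-cataloger"},
  {"name": "busybox", "version": "1.36.1-r0", "type": "apk", "foundBy": "sbom-cataloger"},
  {"name": "musl",    "version": "1.2.4-r2",  "type": "apk", "foundBy": "other-cataloger"},
  {"name": "redis",   "version": "7.2.3-r0",  "type": "apk", "foundBy": "sbom-cataloger"}
]}
""")


def row_key(artifact):
    # Assumption: two entries collapse into one listed row when they agree on
    # name, version and type.
    return (artifact.get("name"), artifact.get("version"), artifact.get("type"))


def reconcile(sbom):
    """Compare the raw artifact count with the number of distinct rows."""
    artifacts = sbom.get("artifacts", [])
    groups = Counter(row_key(a) for a in artifacts)
    return {
        "artifact_count": len(artifacts),
        "distinct_rows": len(groups),
        "duplicates": {key: n for key, n in groups.items() if n > 1},
    }


def catalogers_for(sbom, key):
    """List the catalogers that reported a given (name, version, type)."""
    return sorted({a.get("foundBy", "unknown")
                   for a in sbom.get("artifacts", []) if row_key(a) == key})


if __name__ == "__main__":
    report = reconcile(SAMPLE_SBOM)
    print(f"{report['artifact_count']} artifacts, "
          f"{report['distinct_rows']} distinct rows")
    for key, n in report["duplicates"].items():
        print(f"  {key} appears {n} times, found by "
              f"{catalogers_for(SAMPLE_SBOM, key)}")
```

To check a real image, replace `SAMPLE_SBOM` with the parsed contents of a saved `syft -o json` file.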