Golang: Search remote licenses not working in a CI pipeline when scanning Docker image #2798
Comments
Hi @Joerki -- I'm a bit confused what the problem is. I see
Hi @kzantow , I changed the inspection and updated the description.
Hi @kzantow , now I can describe the exact problem after I debug it properly. I modified HOME in the environment (to simulate that I do not have go on my machine).
Please look here:
Syft appended "go/pkg/mod" to my HOME path. This is the content of my
My temporary workaround in the pipeline will be hopefully the creation of $HOME/go/pkg/mod directory.
BR,
I can confirm that my temporary solution - the creation of $HOME/go/pkg/mod before Syft invocation - is working.
What happened:
In our CI pipeline we run syft to scan a Docker image. No Go environment is present. search-remote-licenses (in env or .syft.yaml) is configured as "true".
But Syft does not write license information into Syft-JSON file.
It is working on my local machine where I have a Go installation.
It looks like the search remote licenses function has a path dependency that it should not have when working in an environment without Go.
What you expected to happen:
If search-remote-licenses is set by config file or environment file it should work always if set.
Steps to reproduce the issue:
On a machine with Go installation ($HOME/go exists):
Invocation:
syft scan mongo:5.0.26-focal -o syft-json=/home/joerg/projects/mongo_inspect/mongo-syft-single.json -vv
Result 1:
Go Licenses are present in Syft-JSON
$HOME/go renamed to $HOME/go_
Same invocation.
Result 2:
Go licenses are not present in Syft-JSON
Anything else we need to know?:
N/A
Environment:
Output of syft version:
Application: syft
Version: 1.2.0
BuildDate: 2024-04-12T18:31:58Z
GitCommit: dde5d34
GitDescription: v1.2.0
Platform: linux/amd64
GoVersion: go1.21.9
Compiler: gc
OS (e.g: cat /etc/os-release or similar):
uname -a
Linux delly 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64 GNU/Linux
(Native Linux, no WSL)
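
An added example (not part of the issue thread and not Syft's own code): a CI helper that applies the workaround confirmed in the comments and flags an SBOM whose Go modules came back without licenses, which is the silent failure reported here. The SBOM sample is constructed, the function names are hypothetical, and the `artifacts[].type == "go-module"` and `licenses` fields are assumed to match the syft-json output.

```python
import json
import tempfile
from pathlib import Path

# Constructed, heavily trimmed syft-json document (not output from the issue).
SAMPLE_SBOM = json.loads("""
{"artifacts": [
  {"name": "github.com/example/with-license", "version": "v1.0.0",
   "type": "go-module", "licenses": [{"value": "MIT"}]},
  {"name": "github.com/example/no-license", "version": "v0.3.1",
   "type": "go-module", "licenses": []},
  {"name": "libc6", "version": "2.31", "type": "deb", "licenses": []}
]}
""")


def ensure_go_mod_cache(home: Path) -> Path:
    """Workaround from the thread: create $HOME/go/pkg/mod before running Syft."""
    mod_cache = home / "go" / "pkg" / "mod"
    mod_cache.mkdir(parents=True, exist_ok=True)
    return mod_cache


def go_modules_without_license(sbom: dict) -> list[str]:
    """Return name@version for every go-module artifact with no license entry."""
    return [
        f"{a.get('name')}@{a.get('version')}"
        for a in sbom.get("artifacts", [])
        if a.get("type") == "go-module" and not a.get("licenses")
    ]


def license_lookup_looks_broken(sbom: dict) -> bool:
    """True when Go modules are present but not one of them carries a license."""
    mods = [a for a in sbom.get("artifacts", []) if a.get("type") == "go-module"]
    return bool(mods) and all(not a.get("licenses") for a in mods)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # stand-in for the CI job's $HOME
        print("created", ensure_go_mod_cache(Path(tmp)))
    print("unlicensed:", go_modules_without_license(SAMPLE_SBOM))
    print("lookup broken:", license_lookup_looks_broken(SAMPLE_SBOM))
```

Failing the pipeline when `license_lookup_looks_broken` returns true turns the missing license data into a visible error instead of an incomplete SBOM.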