
Conversation

mthalman
Member

Fixes dotnet/dotnet-buildtools-prereqs-docker#1435
Fixes https://github.com/dotnet/dotnet-docker-internal/issues/8172

Replaces the use of ManifestGeneratorTask with calling of the syft tool directly in order to produce SBOMs. This is done using a Dockerfile pattern that executes syft targeting a local file system from within a container rather than calling syft targeting an image name. This greatly improves performance when targeting large images.

I will log a follow-up issue to handle the automatic updating of the syft image tag that is defined in the YAML file.

@mthalman mthalman requested a review from a team as a code owner August 27, 2025 19:29
@MichaelSimons
Member

This greatly improves performance when targeting large images.

Can you quantify this or is this a wait and see? Curious how much improvement we will see for the scenarios mentioned in dotnet/dotnet-buildtools-prereqs-docker#1435.

@mthalman
Member Author

This greatly improves performance when targeting large images.

Can you quantify this or is this a wait and see? Curious how much improvement we will see for the scenarios mentioned in dotnet/dotnet-buildtools-prereqs-docker#1435.

See dotnet/dotnet-buildtools-prereqs-docker#1435 (comment):

This Dockerfile takes 16 seconds to build on my machine. If I were to run it with syft targeting the local container image, it takes 2.5 minutes.

@lbussell
Contributor

Can you quantify this

We could create and run a BTPR unofficial build pipeline with these changes. Otherwise it's a wait and see. @mthalman do you want to create an unofficial pipeline and do that? Or just go ahead with these changes without validating?

@@ -4,3 +4,4 @@ variables:
imageNames.imageBuilder.withrepo: imagebuilder-withrepo:$(Build.BuildId)-$(System.JobId)
imageNames.testRunner: mcr.microsoft.com/dotnet-buildtools/prereqs:azurelinux3.0-docker-testrunner
imageNames.testRunner.withrepo: testrunner-withrepo:$(Build.BuildId)-$(System.JobId)
imageNames.syft: anchore/syft:v1.26.1
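Review bot: `imageNames.syft: anchore/syft:v1.26.1` pins the SBOM generator by a mutable tag only, and the generator's output is the supply-chain evidence for every image this pipeline builds; pin the tag together with its `@sha256:` digest so the scanner itself is reproducible and a re-pushed tag cannot silently change what gets cataloged, and register the pin with Renovate or dependabot so it does not go stale (the thread already notes a follow-up is planned for that).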
Contributor


How will this stay updated? Is there a way we can utilize dependabot or renovate here?

Member Author


I will log a follow-up issue to handle the automatic updating of the syft image tag that is defined in the YAML file.

Yes, Renovate could be used here.

Contributor


Can we update to v1.32.0-debug at least? That's the latest.

Suggested change
imageNames.syft: anchore/syft:v1.26.1
imageNames.syft: anchore/syft:v1.32.0-debug

Member Author


Fixed with 865cb63.

@mthalman
Member Author

Can you quantify this

We could create and run a BTPR unofficial build pipeline with these changes. Otherwise it's a wait and see. @mthalman do you want to create an unofficial pipeline and do that? Or just go ahead with these changes without validating?

I plan on just going with these changes and see what it looks like. It's definitely going to be faster.

FROM ${SYFT_IMAGE_NAME} AS syft
FROM ${TARGET_IMAGE_NAME} AS target

RUN --mount=from=syft,source=/,target=/syft /syft/syft scan / --select-catalogers image -o spdx-json=/manifest.spdx.json
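Review bot: the `RUN` on the last line is in shell form, so it needs `/bin/sh` inside the target image and will fail on distroless targets; switch to exec form (`RUN --mount=from=syft,source=/,target=/syft ["/syft/syft", "scan", ...]`) and hand syft any value that would have needed shell expansion through `ENV` instead of the command line. Also, the syft image is mounted at `/syft` underneath the `/` being scanned, so syft's own binary sits inside the scan root and can be cataloged as part of the target; add `--exclude` for the mount path, and use the explicit `dir:/` source form so syft does not guess the source type.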
Contributor


Does this work for distroless images? Since it's using shell form and not exec form.

Here's the dotnet-docker test implementation, for reference: https://github.com/dotnet/dotnet-docker/blob/8e0a89c21c0eedc9658c3e4e9019693711869828/tests/Microsoft.DotNet.Docker.Tests/SyftHelper.cs#L138-L150

Member Author


Indeed it doesn't. I followed your pattern from the tests. Fixed with 8fb672e. You should be able to consume this Dockerfile from the tests. I solved the issue of setting the source name by using an environment variable so I don't need to pass it in and have the value resolution problem.
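As an added illustration of the pattern described in the PR summary and of the exec-form fix discussed in the comment above, here is a Dockerfile written for this thread (it is not the PR's own Dockerfile). It assumes build args SYFT_IMAGE_NAME and TARGET_IMAGE_NAME as in the PR, plus a SOURCE_NAME build arg of my own, and it assumes that syft reads its source name from the SYFT_SOURCE_NAME environment variable (syft's usual SYFT_ prefix mapping for config keys):

```dockerfile
# syntax=docker/dockerfile:1
# Added example for this review thread, not the PR's Dockerfile.
# SYFT_IMAGE_NAME / TARGET_IMAGE_NAME follow the PR; SOURCE_NAME is an assumed extra arg.
ARG SYFT_IMAGE_NAME
ARG TARGET_IMAGE_NAME

FROM ${SYFT_IMAGE_NAME} AS syft
FROM ${TARGET_IMAGE_NAME} AS target

# Exec form does no variable expansion, so the name the SBOM should report for
# the scanned image is passed to syft through its environment instead of a flag.
# (Assumes syft maps the source.name config key to SYFT_SOURCE_NAME.)
ARG SOURCE_NAME
ENV SYFT_SOURCE_NAME=${SOURCE_NAME}

# The syft image's root is bind-mounted at /syft for this single step only, so
# nothing from it is committed into the target layer. Exec form means the step
# runs without /bin/sh and therefore also works on distroless targets.
# /syft is excluded from the scan so syft's own binary is not cataloged as if it
# were part of the target image.
RUN --mount=from=syft,source=/,target=/syft \
    ["/syft/syft", "scan", "dir:/", \
     "--select-catalogers", "image", \
     "--exclude", "/syft/**", \
     "-o", "spdx-json=/manifest.spdx.json"]
```

Build it with `docker build --build-arg SYFT_IMAGE_NAME=... --build-arg TARGET_IMAGE_NAME=... --build-arg SOURCE_NAME=... .` and then copy `/manifest.spdx.json` out of the resulting image (for example with `docker create` followed by `docker cp`). Because the scan runs over the target's own filesystem rather than over an image reference, it avoids the image export and unpack that the thread identifies as the slow path, while the exec form and the exclude keep the result limited to what the target image actually contains.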

@mthalman mthalman requested a review from lbussell August 28, 2025 19:37
Successfully merging this pull request may close these issues.

Generate SBOMs is taking a ridiculous amount of time