Turn off the SBOM cataloger by default (#2527)

* turn off the SBOM cataloger by default Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * fix integration tests Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> --------- Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-11-17 08:23:15 +01:00 · 2024-01-22 12:32:45 -05:00 · 2024-01-22 12:32:45 -05:00 · 03b7938fbf
commit 03b7938fbf
parent 4c77783461
3 changed files with 39 additions and 20 deletions
--- a/internal/task/package_tasks.go
+++ b/internal/task/package_tasks.go
@ -123,6 +123,6 @@ func DefaultPackageTaskFactories() PackageTaskFactories {
 			},
 			pkgcataloging.DeclaredTag, pkgcataloging.DirectoryTag, pkgcataloging.InstalledTag, pkgcataloging.ImageTag, "linux", "kernel",
 		),
-		newSimplePackageTaskFactory(sbomCataloger.NewCataloger, pkgcataloging.ImageTag, pkgcataloging.DeclaredTag, pkgcataloging.DirectoryTag, "sbom"), // note: not evidence of installed packages
+		newSimplePackageTaskFactory(sbomCataloger.NewCataloger, "sbom"), // note: not evidence of installed packages
 	}
 }
--- a/test/integration/package_catalogers_represented_test.go
+++ b/test/integration/package_catalogers_represented_test.go
@ -53,6 +53,9 @@ func TestAllPackageCatalogersReachableInTasks(t *testing.T) {
 	assert.Equal(t, len(taskTagsByName), constructorCount, "mismatch in number of cataloger constructors and task names")

 	for taskName, tags := range taskTagsByName {
+		if taskName == "sbom-cataloger" {
+			continue // this is a special case
+		}
 		if !strset.New(tags...).HasAny(pkgcataloging.ImageTag, pkgcataloging.DirectoryTag) {
 			t.Errorf("task %q is missing 'directory' or 'image' a tag", taskName)
 		}
--- a/test/integration/sbom_cataloger_test.go
+++ b/test/integration/sbom_cataloger_test.go
@ -4,19 +4,15 @@ import (
 	"testing"

 	"github.com/anchore/syft/syft/pkg"
+	"github.com/anchore/syft/syft/sbom"
 	"github.com/anchore/syft/syft/source"
 )

 func TestSbomCataloger(t *testing.T) {
-	// The image contains a go.mod file with 2 dependencies and an spdx json sbom.
-	// The go.mod file contains 2 dependencies, and the sbom includes a go dependency
-	// that overlaps with the go.mod
-	sbom, _ := catalogFixtureImage(t, "image-sbom-cataloger", source.SquashedScope, "+go-module-file-cataloger")
-
-	expectedSbomCatalogerPkgs := 1
-	expectedGoModCatalogerPkgs := 2
+	assertCount := func(t *testing.T, sbom sbom.SBOM, expectedGoModCatalogerPkgs int, expectedSbomCatalogerPkgs int) {
 		actualSbomPkgs := 0
 		actualGoModPkgs := 0
+
 		for p := range sbom.Artifacts.Packages.Enumerate(pkg.GoModulePkg) {
 			if p.FoundBy == "go-module-file-cataloger" {
 				actualGoModPkgs += 1
@ -31,4 +27,24 @@ func TestSbomCataloger(t *testing.T) {
 		if actualSbomPkgs != expectedSbomCatalogerPkgs {
 			t.Errorf("unexpected number of packages from sbom cataloger: %d != %d", expectedSbomCatalogerPkgs, actualSbomPkgs)
 		}
+	}
+
+	t.Run("default catalogers", func(t *testing.T) {
+		sbom, _ := catalogFixtureImage(t, "image-sbom-cataloger", source.SquashedScope, "+go-module-file-cataloger")
+
+		expectedSbomCatalogerPkgs := 0
+		expectedGoModCatalogerPkgs := 2
+		assertCount(t, sbom, expectedGoModCatalogerPkgs, expectedSbomCatalogerPkgs)
+	})
+
+	// The image contains a go.mod file with 2 dependencies and an spdx json sbom.
+	// The go.mod file contains 2 dependencies, and the sbom includes a go dependency
+	// that overlaps with the go.mod
+	t.Run("with sbom cataloger", func(t *testing.T) {
+		sbom, _ := catalogFixtureImage(t, "image-sbom-cataloger", source.SquashedScope, "+go-module-file-cataloger", "+sbom-cataloger")
+
+		expectedSbomCatalogerPkgs := 1
+		expectedGoModCatalogerPkgs := 2
+		assertCount(t, sbom, expectedGoModCatalogerPkgs, expectedSbomCatalogerPkgs)
+	})
 }