From a1b23bd57d414b3715f41da7bee825ce81125265 Mon Sep 17 00:00:00 2001
From: Alex Goodman
Date: Wed, 14 Feb 2024 16:57:31 -0500
Subject: [PATCH] add syft version used to SBOM tool info by default (#2647)

Signed-off-by: Alex Goodman
---
 syft/create_sbom_config.go | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/syft/create_sbom_config.go b/syft/create_sbom_config.go
index 3229855ff..8acfc63f6 100644
--- a/syft/create_sbom_config.go
+++ b/syft/create_sbom_config.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"runtime/debug"
 	"strings"
 
 	"github.com/anchore/syft/internal/task"
@@ -44,9 +45,34 @@ func DefaultCreateSBOMConfig() *CreateSBOMConfig {
 		Files: filecataloging.DefaultConfig(),
 		Parallelism: 1,
 		packageTaskFactories: task.DefaultPackageTaskFactories(),
+
+		// library consumers are free to override the tool values to fit their needs, however, we have some sane defaults
+		// to ensure that SBOMs generated don't have missing tool metadata.
+		ToolName: "syft",
+		ToolVersion: syftVersion(),
 	}
 }
 
+func syftVersion() string {
+	// extract the syft version from the go module info from the current binary that is running. This is useful for
+	// library consumers to at least encode the version of syft that was used to generate the SBOM. Note: we don't
+	// use the version info from main because it's baked in with ldflags, which we don't control for library consumers.
+	// This approach won't work in all cases though, such as when the binary is stripped of the buildinfo section.
+
+	buildInfo, ok := debug.ReadBuildInfo()
+	if !ok {
+		return ""
+	}
+
+	for _, d := range buildInfo.Deps {
+		if d.Path == "github.com/anchore/syft" && d.Version != "(devel)" {
+			return d.Version
+		}
+	}
+
+	return ""
+}
+
 // WithTool allows for setting the specific name, version, and any additional configuration that is not captured
 // in the syft default API configuration. This could cover inputs for catalogers that were user-provided, thus,
 // is not visible to the syft API, but would be useful to see in the SBOM output.
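Review bot: syftVersion reads `d.Version` even when the syft dependency is replaced (`d.Replace != nil`), so a consumer that pins syft through a `replace` directive to a fork or a different tag gets an SBOM whose tool version describes the declared requirement rather than the code that was actually linked in, which is the less useful value for provenance. Consider `v := d.Version; if d.Replace != nil && d.Replace.Version != "" { v = d.Replace.Version }` after the `d.Path` match and apply the `"(devel)"` check to `v`. The lookup also only scans `buildInfo.Deps`, so when syft itself is the main module the function returns `""`; that is presumably intended because the CLI sets its own version via ldflags, but it is worth stating in the comment. The explanatory comment above `buildInfo, ok := debug.ReadBuildInfo()` reads as the function's documentation and would sit better as a doc comment beginning `// syftVersion returns the syft module version recorded in the running binary's build info, or "" when unavailable.`. DefaultCreateSBOMConfig begins outside the hunk.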