
feat: Add config option to allow user to select the default image source location #1703

Merged: spiffcs merged 10 commits into main from 1204-select-default-image-source on Mar 31, 2023


Contributor

spiffcs commented Mar 30, 2023

Add config option to allow user to select the default image source location

Syft is consumed by upstream tools for generating SBOMs. These SBOMs can be generated from a variety of sources including local and OCI registry images.

anchore/grype#1204 surfaces the need for allowing a user to express a preference over the default source to be used when building an SBOM for an image (and then subsequently generating a vulnerability scan).

This first step adds a config option into syft and changes the library behavior so this preference can be injected into the SBOM generation process. A follow-up PR will be made for grype to adapt to this new ability.

Demo showing latest updates:

Registry value pulls source from OCI registry

Docker value pulls source from local Docker Daemon

No value keeps the same current behavior of default order lookup

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

github-actions Bot commented Mar 30, 2023

Benchmark Test Results

Benchmark results from the latest changes vs base branch
goos: linux
goarch: amd64
pkg: github.com/anchore/syft/test/integration
cpu: Intel(R) Xeon(R) Platinum 8272CL CPU @ 2.60GHz
                                                          │ ./.tmp/benchmark-844a161.txt │
                                                          │            sec/op            │
ImagePackageCatalogers/alpmdb-cataloger-2                                   11.62m ± 21%
ImagePackageCatalogers/ruby-gemspec-cataloger-2                             841.4µ ±  1%
ImagePackageCatalogers/python-package-cataloger-2                           3.009m ± 14%
ImagePackageCatalogers/php-composer-installed-cataloger-2                   678.2µ ±  1%
ImagePackageCatalogers/javascript-package-cataloger-2                       352.6µ ±  0%
ImagePackageCatalogers/dpkgdb-cataloger-2                                   499.1µ ±  1%
ImagePackageCatalogers/rpm-db-cataloger-2                                   475.3µ ±  3%
ImagePackageCatalogers/java-cataloger-2                                     10.52m ±  2%
ImagePackageCatalogers/graalvm-native-image-cataloger-2                     7.909µ ±  2%
ImagePackageCatalogers/apkdb-cataloger-2                                    547.1µ ±  1%
ImagePackageCatalogers/go-module-binary-cataloger-2                         17.93µ ±  2%
ImagePackageCatalogers/dotnet-deps-cataloger-2                              947.2µ ±  1%
ImagePackageCatalogers/portage-cataloger-2                                  311.4µ ±  1%
ImagePackageCatalogers/sbom-cataloger-2                                     102.9µ ±  1%
ImagePackageCatalogers/binary-cataloger-2                                   177.2µ ±  1%
geomean                                                                     454.6µ

                                                          │ ./.tmp/benchmark-844a161.txt │
                                                          │             B/op             │
ImagePackageCatalogers/alpmdb-cataloger-2                                   5.061Mi ± 0%
ImagePackageCatalogers/ruby-gemspec-cataloger-2                             123.9Ki ± 0%
ImagePackageCatalogers/python-package-cataloger-2                           946.5Ki ± 0%
ImagePackageCatalogers/php-composer-installed-cataloger-2                   155.8Ki ± 0%
ImagePackageCatalogers/javascript-package-cataloger-2                       90.82Ki ± 0%
ImagePackageCatalogers/dpkgdb-cataloger-2                                   144.8Ki ± 0%
ImagePackageCatalogers/rpm-db-cataloger-2                                   170.2Ki ± 0%
ImagePackageCatalogers/java-cataloger-2                                     2.722Mi ± 0%
ImagePackageCatalogers/graalvm-native-image-cataloger-2                     1.555Ki ± 0%
ImagePackageCatalogers/apkdb-cataloger-2                                    129.2Ki ± 0%
ImagePackageCatalogers/go-module-binary-cataloger-2                         3.133Ki ± 0%
ImagePackageCatalogers/dotnet-deps-cataloger-2                              314.6Ki ± 0%
ImagePackageCatalogers/portage-cataloger-2                                  75.47Ki ± 0%
ImagePackageCatalogers/sbom-cataloger-2                                     13.08Ki ± 0%
ImagePackageCatalogers/binary-cataloger-2                                   29.05Ki ± 0%
geomean                                                                     108.4Ki

                                                          │ ./.tmp/benchmark-844a161.txt │
                                                          │          allocs/op           │
ImagePackageCatalogers/alpmdb-cataloger-2                                    86.71k ± 0%
ImagePackageCatalogers/ruby-gemspec-cataloger-2                              2.049k ± 0%
ImagePackageCatalogers/python-package-cataloger-2                            15.48k ± 0%
ImagePackageCatalogers/php-composer-installed-cataloger-2                    3.458k ± 0%
ImagePackageCatalogers/javascript-package-cataloger-2                        1.214k ± 0%
ImagePackageCatalogers/dpkgdb-cataloger-2                                    2.646k ± 0%
ImagePackageCatalogers/rpm-db-cataloger-2                                    3.759k ± 0%
ImagePackageCatalogers/java-cataloger-2                                      38.26k ± 0%
ImagePackageCatalogers/graalvm-native-image-cataloger-2                       40.00 ± 0%
ImagePackageCatalogers/apkdb-cataloger-2                                     3.438k ± 0%
ImagePackageCatalogers/go-module-binary-cataloger-2                           101.0 ± 0%
ImagePackageCatalogers/dotnet-deps-cataloger-2                               5.011k ± 0%
ImagePackageCatalogers/portage-cataloger-2                                   1.487k ± 0%
ImagePackageCatalogers/sbom-cataloger-2                                       392.0 ± 0%
ImagePackageCatalogers/binary-cataloger-2                                     872.0 ± 0%
geomean                                                                      2.219k

spiffcs added 2 commits March 30, 2023 12:34
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Contributor Author

spiffcs commented Mar 30, 2023

cc @luhring

spiffcs marked this pull request as ready for review March 30, 2023 16:47
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Contributor

luhring commented Mar 30, 2023

@spiffcs This looks amazing! Thank you so so much!!!

I just tried it out and it works great so far. 🤩

Two cents:

  1. It'd be nice to put a little section in the README about this functionality. It will make a lot of people happy, and it'll give me something to directly link to as I further evangelize Syft/Grype!
  2. It also might be worth considering naming the config item with "default" in the name, so users know that it's not restricting down the set of sources that will eventually be tried, it's just choosing the first source to try.

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Contributor Author

spiffcs commented Mar 30, 2023

I'll get this cleaned up now with the readme section and behavior change - thanks for the quick feedback!

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
spiffcs enabled auto-merge (squash) March 30, 2023 18:57
Comment thread internal/config/application.go Outdated
Comment thread internal/config/application.go Outdated
Comment thread syft/source/source.go
Comment thread syft/source/source.go Outdated
Comment thread README.md Outdated
spiffcs added 3 commits March 30, 2023 15:36
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Comment thread README.md Outdated
Comment thread README.md Outdated
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
spiffcs added the enhancement label Mar 30, 2023
spiffcs merged commit dfcc07e into main Mar 31, 2023
spiffcs deleted the 1204-select-default-image-source branch March 31, 2023 14:04
Contributor

luhring commented Mar 31, 2023

You all rock!!!
