-
Notifications
You must be signed in to change notification settings - Fork 47
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
image: multi-manifest index support #176
base: main
Are you sure you want to change the base?
Conversation
461d95c
to
1860471
Compare
Thanks for the contribution (and sorry for the delay)! I'm curious on your thoughts on how this might get wired up in syft/grype? Or maybe this is specifically an API update to be used elsewhere, which is also alright. And from your issue:
This resonates with me. I think the best way to reconcile this is still allow both code paths, but enhance the How does this path sound to you? Also would you like help getting this across the finish line? |
I'm unsure about this as well. I looked into integrating it into Syft, but the code path the Image type traverses is massive which would require a lot of refactoring or re-thinking of how the integration would work. I know there has been a discussion around how SBOMs would work for multiple images, but I think that's as simple as treating each image in the index independently as while indexes are used and designed for supporting multiple architectures, the images themselves can still be completely different and contain different dependencies (especially if cross-compiled). So I guess being able to run Syft and have it generate SBOMs per image in an index would be the best approach, maybe with the ability to add a reference in the index to the SBOMs (assuming they are pushed to a registry).
My main goal with this was to get support added in Syft and Grype for image indexes. Just thought I would start here seeing as it is a prerequisite to be able to add support for image indexes in those consumers.
So we would keep the new API as is, but modify So we could add a What do you think about those ideas?
I'm fine to make the changes in Stereoscope assuming we can agree on a good API design for this. My main problem is figuring out the next steps after this is merged relating to adding support in Syft and/or Grype for this. Some guidance on where to start an integration code-wise, or having a discussion about how the integration should work would be appreciated. |
Linking the related syft issue here anchore/syft#1683 |
👋 found my way here after hitting some I agree with @matthewpi that a fanout approach - one SBOM per image:platform - is probably the best short term fix. That's going to be my workaround, if I need to put one in place, and I recently left similar feedback in anchore/syft#1683 |
Signed-off-by: Matthew Penner <[email protected]>
I added the ability for the OCI providers to take into account a platform selector like a few of the other providers, alongside rebasing on top of the latest There are two TODO comments in the latest commit, asking two interesting questions.
The other thing that clicked into my head about #2, is a image index can refer to another image index and I believe other media types that are not manifests or images entirely. Should we be ensuring that these get filtered out? |
Closes #175
The code works and ready to be merged after a review. Any feedback related to the API design is welcome.