Supply "depth" information when including relationships #3010
Labels
enhancement
New feature or request
Milestone
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
What would you like to be added:
Relationship depth information, when Syft is unable to provide a full transitive dependency graph.
Why is this needed:
One of the data elements mentioned in the NTIA minimum requirements is the depth of relationships. If Syft is able to build an accurate SBOM with a full transitive-dependency graph, that would be ideal, but different scenarios prevent this information from being included or accurately depicting the transitive graph. Some examples are Python
requirements.txtand Go binary mod information, which only provide a flat list of dependencies. Or binaries which are only directly identified without dependent component information.One solution is to provide an "unknown" indicator that Syft was unable to determine a full transitive dependency graph, or Syft stopped after 5-levels deep resolving online parent references. These can be returned as "unknowns" from catalogers where appropriate to be associated with the file(s) where package graph information originated.
Additional context:
This is likely to be dependent the PR for known unknowns getting merged.
This is a part of #632
The text was updated successfully, but these errors were encountered: