paketo-buildpacks/go-mod-vendor

SBOM generation includes all dependencies in working dir, not just Go ones.

Closed this issue · 1 comment

What happened?

  • What were you attempting to do?

Building a go+react app. The directory structure is such that the go.mod file is at the root and there is a subdirectory called web that contains the node stuff.

  • What did you expect to happen?

Builds after zero changes to be really fast.

  • What was the actual behavior? Please provide log output, if possible.

Builds were slow and it seems generating the SBOM is where most of the time is spent (~28s):

Paketo Go Mod Vendor Buildpack 0.5.0
  Checking module graph
    Running 'go mod graph'
      Completed in 752ms

  Executing build process
    Running 'go mod vendor'
      Completed in 462ms

  Generating SBOM for directory /workspace
      Completed in 28.804s

When I run pack --sbom-output-dir /tmp I can see that /tmp/sbom/build/paketo-buildpacks_go-mod-vendor/sbom.syft.json contains all the node dependencies in addition to the go dependencies.

It looks like on this line the parameter to the SBOM generator is pointing to the entire workingDir, and I suppose I expected it to be more specific, like just go.mod?

Build Configuration

  • What platform (pack, kpack, tekton buildpacks plugin, etc.) are you using? Please include a version.

    pack --version
    0.24.0+git-79a40b7.build-3148

Checklist

  • I have included log output.
  • The log output includes an error message.
  • I have included steps for reproduction.
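The check the reporter did by hand (looking at which ecosystems ended up in sbom.syft.json) can be scripted. The following is an added example, not code from the buildpack or from the issue: it reads the `artifacts` array of a Syft JSON document, counts packages per Syft package type, and lists everything that is not a Go module, so an SBOM that was generated over the whole working directory instead of just go.mod stands out. The SBOM content is a constructed sample in the shape of Syft's JSON output.

```python
"""Report the ecosystem scope of a Syft JSON SBOM.

Added example (not part of paketo-buildpacks/go-mod-vendor). Each Syft
artifact carries `name`, `version`, `type` and `locations[].path`; a Go
module shows up with type "go-module", npm packages with type "npm".
"""
import json
from collections import Counter

# Constructed sample mimicking sbom.syft.json from the issue: two Go modules
# from /workspace/go.mod plus npm packages picked up from the web/ subdirectory.
SAMPLE_SBOM = json.dumps({
    "artifacts": [
        {"name": "github.com/gorilla/mux", "version": "v1.8.0", "type": "go-module",
         "locations": [{"path": "/workspace/go.mod"}]},
        {"name": "golang.org/x/sys", "version": "v0.1.0", "type": "go-module",
         "locations": [{"path": "/workspace/go.mod"}]},
        {"name": "react", "version": "18.2.0", "type": "npm",
         "locations": [{"path": "/workspace/web/package-lock.json"}]},
        {"name": "lodash", "version": "4.17.21", "type": "npm",
         "locations": [{"path": "/workspace/web/package-lock.json"}]},
    ]
})

# Syft package types this buildpack's SBOM is expected to contain.
GO_TYPES = {"go-module"}


def ecosystem_counts(sbom_json: str) -> Counter:
    """Return a count of artifacts per Syft package type."""
    doc = json.loads(sbom_json)
    return Counter(a.get("type", "unknown") for a in doc.get("artifacts", []))


def out_of_scope(sbom_json: str, allowed_types=GO_TYPES) -> list[tuple[str, str, str]]:
    """List (type, name, first location path) for artifacts outside the allowed types."""
    doc = json.loads(sbom_json)
    hits = []
    for artifact in doc.get("artifacts", []):
        if artifact.get("type") in allowed_types:
            continue
        locations = artifact.get("locations") or [{}]
        hits.append((artifact.get("type", "unknown"),
                     artifact.get("name", "?"),
                     locations[0].get("path", "?")))
    return hits


if __name__ == "__main__":
    print(dict(ecosystem_counts(SAMPLE_SBOM)))
    for pkg_type, name, path in out_of_scope(SAMPLE_SBOM):
        print(f"out of scope: {pkg_type} {name} ({path})")
```

Point it at the real file by replacing SAMPLE_SBOM with the contents of /tmp/sbom/build/paketo-buildpacks_go-mod-vendor/sbom.syft.json; every non-empty result of out_of_scope is a package the Go-only SBOM should not have carried.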
fg-j commented

I've reproduced this. I agree that we should be cataloging just the go.mod dependencies in this buildpack.