Development status

[betaboon]

Hello @ihavespoons,

First off, thanks for setting this up.

I wanted to ask if you're actively maintaining this and whether you're open for PRs.

I've got several ideas on how to make this ruleset more feature-complete and more convenient to use.

Looking forward to hearing back from you.

all the best.

[ihavespoons]

Hey @betaboon,

Cheers for reaching out,

I am certainly actively maintaining this although in the past couple of months I haven't actively been adding features due to some role changes.

I'd love to see and hear your ideas and I am happy to assist in anyway I can from review, to writing to whatever you'd like

Thanks

[betaboon]

Here's a list of things I'm considering/playing with atm.

Looking forward to hearing your opinions :)

this is my WIP-branch: main...betaboon:rules_syft:feat-grype

maintenance

• update tool versions (done in chore: update tool versions #3)
• update to latest rules-template
  • it now mirrors what has been here in .github/workflows/ci.yaml
  • I have this done, will send a PR after chore: update tool versions #3 is merged
• update dependencies
  • I have this done, will send a PR after chore: update tool versions #3 is merged
• refactor e2e tests
  • the current bzlmod and generate tests have a very large overlap
  • I propose merging them into a smoke suite
  • I have this done, will send a PR after chore: update tool versions #3 is merged

convenience

• have syft.toolchain default to latest
  • I have this done, will send a PR after chore: update tool versions #3 is merged

features

• introduce grype-toolchain
  • currently working on this
• introduce grype.database, grype_report and grype_test
• rename syft_generate_sbom to syft_sbom
• rename the type argument of syft_generate_sbom to format
  • having progressed on the grype-integration, i would actually prefer having the rule generate all output-formats and then exposing the syft-json format via a provider, so that a grype_report can rely on it as input

[betaboon]

just an update:

i have the grype-integration basically done.

https://github.com/betaboon/rules_syft/blob/93b825a3e46c7996893f22f1cacaad1eee3a00a2/e2e/smoke/MODULE.bazel#L34-L46

https://github.com/betaboon/rules_syft/blob/93b825a3e46c7996893f22f1cacaad1eee3a00a2/e2e/smoke/BUILD.bazel#L32-L53

[betaboon]

any news? :)

[ihavespoons]

Sorry @betaboon been crook the last few days. Running the workflows on that PR now

[betaboon]

no worries.

any opinion on renaming syft_generate_sbom to syft_sbom?
my reasoning for it is, that the majority of rules is named as a noun.

[ihavespoons]

Don't have an issue with rename but lets keep both with a notice in docs that syft_generate_sbom will be deprecated in the future.

[betaboon]

sounds good

[betaboon]

done in the last commit on my PR

[ihavespoons]

Awesome appreciate it mate, just pushing the last stuff through to BCR now. Then I will do a final review for this grype change.

[ihavespoons]

Out of curiosity what got you onto this ruleset @betaboon? It felt pretty niche when I originally created it hahaha

[betaboon]

quite a while ago i evaluated https://github.com/hxtk/rules_anchore, tried to get a PR in, barely any response.

now ~18 month later i had some time on my hands and was about to do what you did here :)

[ihavespoons]

Hahah awesome, you had exactly the same response I did! pretty sure my issues were deleted and all. Well I am glad to have you here. Definitely planned a lot more for this module but life and health got in the way. I want to see if we can get our hands on the rules_anchore module name at some point

[betaboon]

i think aside from the grype_updater rule (which imho isn't really compatible with bzlmod) this ruleset has reached feature parity with my PR.

so maybe they're willing to deprecate in favor of this, and donate the name :)

[betaboon]

thanks for merging.

could you release on BCR when you find the time?

[ihavespoons]

Hey @betaboon sorry planning to fix up some issues today then get the merge in.

[betaboon]

heya. i just sent another PR to update tool-versions.
I'll close this issue, as everything discussed in here is done :)