From c95c2d47738d29e2640c3bf5e8b4199064d7c231 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20OLIVIER?= <cedric3.olivier@orange.com>
Date: Tue, 11 Mar 2025 09:29:51 +0100
Subject: [PATCH] fix(sbom): disable file catalogers for Syft SBOM (to minimize
 SBOM file)

---
 README.md                      | 2 +-
 kicker.json                    | 2 +-
 templates/gitlab-ci-docker.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index cc02d33..7fea616 100644
--- a/README.md
+++ b/README.md
@@ -458,7 +458,7 @@ It is bound to the `package-test` stage, and uses the following variables:
 | `sbom-disabled` / `DOCKER_SBOM_DISABLED` | Set to `true` to disable this job       | _none_                                                                                                                  |
 | `TBC_SBOM_MODE` | Controls when SBOM reports are generated (`onrelease`: only on `$INTEG_REF`, `$PROD_REF` and `$RELEASE_REF` pipelines; `always`: any pipeline).<br/>:warning: `sbom-disabled` / `DOCKER_SBOM_DISABLED` takes precedence | `onrelease` |
 | `sbom-image` / `DOCKER_SBOM_IMAGE`       | The docker image used to emit SBOM      | `registry.hub.docker.com/anchore/syft:debug`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_SBOM_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_SBOM_IMAGE)|
-| `sbom-opts` / `DOCKER_SBOM_OPTS`         | Options for syft used for SBOM analysis | `--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger` |
+| `sbom-opts` / `DOCKER_SBOM_OPTS`         | Options for syft used for SBOM analysis | `--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger --select-catalogers -file` |
 
 ### `docker-publish` job
 
diff --git a/kicker.json b/kicker.json
index 22439e1..7bc910f 100644
--- a/kicker.json
+++ b/kicker.json
@@ -212,7 +212,7 @@
         {
           "name": "DOCKER_SBOM_OPTS",
           "description": "Options for syft used for SBOM analysis",
-          "default": "--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger",
+          "default": "--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger --select-catalogers -file",
           "advanced": true
         }
       ]
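Review bot: The new default for `DOCKER_SBOM_OPTS` appends `--select-catalogers -file`, but nothing in the patch records what that selector drops: Syft's file catalogers (which, as far as I can tell, are what emit file-level entries such as per-file metadata and digests) are deselected, so consumers that use the SBOM for file-level provenance or integrity checks lose that data silently. The `description` field next to it still reads only `"Options for syft used for SBOM analysis"`; consider making the trade-off visible, e.g. `"description": "Options for syft used for SBOM analysis (default disables Syft file catalogers to keep the SBOM small, so file-level entries are not reported)"`, and the same wording belongs on the README table row and the `sbom-opts` input in templates/gitlab-ci-docker.yml, which carry the identical default. It is also worth confirming on a sample image that the output actually shrinks when `-file` is combined with an explicit `--override-default-catalogers` list that already names only package catalogers; if the selector has no effect in that combination, the intent of the commit is lost without any error.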
diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml
index f5b9ed8..7a4ed27 100644
--- a/templates/gitlab-ci-docker.yml
+++ b/templates/gitlab-ci-docker.yml
@@ -169,7 +169,7 @@ spec:
       default: registry.hub.docker.com/anchore/syft:debug
     sbom-opts:
       description: Options for syft used for SBOM analysis
-      default: --override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger
+      default: --override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger --select-catalogers -file
 ---
 # default workflow rules: Merge Request pipelines
 workflow:
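Review bot: The new `default:` under `sbom-opts` is a long plain scalar that starts with `--` and embeds ` -file`; it parses as a string today, but a plain value beginning with a dash and containing spaces is exactly the shape that breaks on a careless future edit (a `- ` or `: ` slipping in turns it into a sequence or mapping), so quoting it states the intent and is cheaper than debugging a mis-parsed CI spec later, e.g. `default: '--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger --select-catalogers -file'`. The sibling `default:` for `sbom-image` on the context line above is unquoted as well, so if the file's convention is plain scalars for inputs, keep it consistent and skip this. The `spec:` mapping that holds `sbom-opts` starts before this hunk, and the `workflow:` block at the end continues past it.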
-- 
GitLab