Description
runSyft and runTrivy in pkg/generator/generator.go create temporary files but do not reliably close them on every code path (including early error returns). This leaks file descriptors over repeated runs and, on platforms where an open handle in the parent can conflict with the subprocess opening the same file (most visibly macOS and Windows), keeps the file effectively locked while syft/trivy try to write to it.
Steps to Reproduce
- Run SBOM generation repeatedly in a loop (especially on macOS/Windows).
- Observe open file descriptors or temp file lock behavior while the syft/trivy subprocesses run.
- Notice occasional write/open failures or a steadily increasing descriptor count.
Expected Behavior
Temporary files are always closed correctly, and subprocesses can write to them without lock conflicts.
Actual Behavior
File descriptors remain open longer than needed (and indefinitely on paths that return without closing), and subprocesses can fail when they need exclusive access to the file the parent still holds open.
Environment
- sbomit version: current main branch
- OS: Linux/macOS/Windows (lock issues are more visible on macOS/Windows)
Additional Context
- Area: pkg/generator/generator.go
- Suggested fix:
  - Add defer tmpFile.Close() immediately after successful temp file creation, so every return path (including error returns) releases the descriptor.
  - If the subprocess needs exclusive write access, call tmpFile.Close() explicitly before launching the subprocess and pass only the path; the parent does not need to hold a handle while the tool writes.
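The two suggested fixes, written out as an added Go example. This is not sbomit's code: the helper names (withClosedTempFile, writeInputTemp, scannerWritingTo), the argument layout that appends the output path, and the sh -c stand-in for syft/trivy are all assumptions made for illustration.

```go
package main

import (
	"context"
	"fmt"
	"os"
	"os/exec"
	"time"
)

// withClosedTempFile creates a temp file, closes it before handing the path
// to fn (the subprocess), then reads the result back and removes the file.
// Because the parent's handle is gone before the tool starts, an exclusive
// open by the subprocess has nothing to collide with, and the descriptor
// cannot leak on any return path.
func withClosedTempFile(pattern string, fn func(path string) error) ([]byte, error) {
	tmp, err := os.CreateTemp("", pattern)
	if err != nil {
		return nil, fmt.Errorf("create temp file: %w", err)
	}
	path := tmp.Name()
	defer os.Remove(path) // runs on success and on every error return below

	// Fix 2 from the report: close before launching the subprocess and pass
	// only the path. The Close error is checked rather than deferred away.
	if err := tmp.Close(); err != nil {
		return nil, fmt.Errorf("close temp file: %w", err)
	}

	if err := fn(path); err != nil {
		return nil, fmt.Errorf("subprocess: %w", err)
	}
	return os.ReadFile(path)
}

// writeInputTemp is the other pattern from the report: the Go process itself
// writes the file, so `defer tmp.Close()` right after creation guarantees the
// descriptor is released on every early return. The explicit Close at the end
// still matters: it reports flush errors that a deferred Close would discard.
func writeInputTemp(pattern string, data []byte) (string, error) {
	tmp, err := os.CreateTemp("", pattern)
	if err != nil {
		return "", err
	}
	defer tmp.Close() // Fix 1: safety net for the error paths below
	if _, err := tmp.Write(data); err != nil {
		os.Remove(tmp.Name())
		return "", err
	}
	if err := tmp.Close(); err != nil { // the deferred second Close is harmless
		os.Remove(tmp.Name())
		return "", err
	}
	return tmp.Name(), nil
}

// scannerWritingTo builds the fn for withClosedTempFile: run name with args,
// appending the output path as the last argument. The flag layout is
// hypothetical; real syft/trivy invocations differ.
func scannerWritingTo(ctx context.Context, name string, args ...string) func(string) error {
	return func(outPath string) error {
		cmd := exec.CommandContext(ctx, name, append(args, outPath)...)
		cmd.Stderr = os.Stderr
		return cmd.Run()
	}
}

func main() {
	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
	defer cancel()

	// `sh -c` stands in for syft/trivy: it writes constructed JSON to "$1",
	// which is the output path appended by scannerWritingTo.
	fake := scannerWritingTo(ctx, "sh", "-c", `printf '{"artifacts":[]}' > "$1"`, "sh")
	out, err := withClosedTempFile("sbomit-*.json", fake)
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Printf("scanner output: %s\n", out)
}
```

The key ordering is in withClosedTempFile: Close, then launch, then read. Deferring Close alone would still leave the handle open for the whole lifetime of the subprocess, which is exactly the window in which the lock conflict described above appears.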