Syft issue for binary-classifier-cataloger #3640

Open
patpatpat123 opened this issue Feb 4, 2025 · 1 comment
Labels
bug Something isn't working

Comments

@patpatpat123

We are using the base image https://hub.docker.com/r/paketobuildpacks/builder-jammy-java-tiny

For this image, syft is generating confusion:

After extracting the snippets of both package entries from the SBOM below, we can see TWO versions, and they both exist

Deb/dpkg package:

{
  "bom-ref": "pkg:generic/[email protected]?package-id=fca182d086f8ec1f",
  "type": "application",
  "name": "openssl",
  "version": "3.0.2",
  "cpe": "cpe:2.3:a:openssl:openssl:3.0.2:*:*:*:*:*:*:*",
  "purl": "pkg:generic/[email protected]",
  "properties": [
    {
      "name": "syft:package:foundBy",
      "value": "binary-classifier-cataloger"
    },
    {
      "name": "syft:package:type",
      "value": "binary"
    },
    {
      "name": "syft:package:metadataType",
      "value": "binary-signature"
    },
    {
      "name": "syft:cpe23",
      "value": "cpe:2.3:a:openssl:openssl:3.0.2:*:*:*:*:*:*:*"
    },
    {
      "name": "syft:location:0:layerID",
      "value": "sha256:d7926c8d51fbd4bb392cc7c36355a25352a9be11df8303426b82b6fff0261bd0"
    },
    {
      "name": "syft:location:0:path",
      "value": "/usr/bin/openssl"
    }
  ]
}

Binary package: (but please do not look at me, I am ok, look at the one above)

{
  "bom-ref": "pkg:deb/ubuntu/[email protected]?arch=arm64&distro=ubuntu-22.04&package-id=ebef1067338d401e",
  "type": "library",
  "publisher": "Ubuntu Developers <[email protected]>",
  "name": "openssl",
  "version": "3.0.2-0ubuntu1.18",
  "licenses": [
    {
      "license": {
        "id": "Apache-2.0"
      }
    },
    {
      "license": {
        "id": "GPL-1.0-only"
      }
    },
    {
      "license": {
        "id": "GPL-1.0-or-later"
      }
    },
    {
      "license": {
        "name": "Artistic"
      }
    }
  ],
  "cpe": "cpe:2.3:a:openssl:openssl:3.0.2-0ubuntu1.18:*:*:*:*:*:*:*",
  "purl": "pkg:deb/ubuntu/[email protected]?arch=arm64&distro=ubuntu-22.04",
  "properties": [
    {
      "name": "syft:package:foundBy",
      "value": "dpkg-db-cataloger"
    },
    {
      "name": "syft:package:type",
      "value": "deb"
    },
    {
      "name": "syft:package:metadataType",
      "value": "dpkg-db-entry"
    },
    {
      "name": "syft:location:0:layerID",
      "value": "sha256:d7926c8d51fbd4bb392cc7c36355a25352a9be11df8303426b82b6fff0261bd0"
    },
    {
      "name": "syft:location:0:path",
      "value": "/usr/share/doc/libssl3/copyright"
    },
    {
      "name": "syft:location:1:layerID",
      "value": "sha256:d7926c8d51fbd4bb392cc7c36355a25352a9be11df8303426b82b6fff0261bd0"
    },
    {
      "name": "syft:location:1:path",
      "value": "/var/lib/dpkg/status.d/openssl"
    },
    {
      "name": "syft:metadata:installedSize",
      "value": "1981"
    }
  ]
}

One correct version of openssl is found via dpkg-db-cataloger.

The other entry is detected using the binary-classifier-cataloger

It seems syft saw this binary file and read some information out of it.

However, that entry is the limited info it was able to pull out of the binary.

This limited info is also wrong and confusing.

The entry shows version 3.0.2

{
"name": "syft:location:0:path",
"value": "/usr/bin/openssl"
}

and this version is vulnerable.

But it seems from the image sha, and from here: https://packages.ubuntu.com/jammy/amd64/openssl/filelist

The version is 3.0.2-0ubuntu1.18

Would it be possible for Syft not to create this confusion and mistake?

Thank you

@patpatpat123 patpatpat123 added the bug Something isn't working label Feb 4, 2025
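The two entries above describe the same file set: the binary classifier reads the upstream version string ("3.0.2") out of /usr/bin/openssl, while the dpkg database records the distro package version ("3.0.2-0ubuntu1.18", upstream version plus an Ubuntu revision that carries the backported fixes). A scanner that trusts the bare "3.0.2" entry will report CVEs that the Ubuntu revision already patches. The script below is an added example, not syft's or the reporter's code, and is the check I would run over an SBOM that shows this overlap: it flags every binary-classifier-cataloger component that sits in the same layer as a deb package of the same name whose upstream version matches, and can drop those entries. The SBOM it parses is constructed here from the two quoted components (fields trimmed) plus a constructed libssl3 entry that must not match; the purls and package IDs in it are illustrative. If I recall correctly, syft's own `exclude-binary-overlap-by-ownership` setting performs the equivalent de-duplication at scan time, so this is for SBOMs that have already been produced.

```python
"""Flag binary-classifier hits that are shadowed by a dpkg package in the same layer.

Added example (not syft's own code). Input is a trimmed CycloneDX document
constructed from the two openssl entries in the report, plus a constructed
libssl3 deb entry that has no binary counterpart.
"""
import json
from collections import defaultdict

LAYER = "sha256:d7926c8d51fbd4bb392cc7c36355a25352a9be11df8303426b82b6fff0261bd0"

# Constructed input; purls and package-ids are illustrative.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {
            "bom-ref": "pkg:generic/openssl@3.0.2?package-id=fca182d086f8ec1f",
            "name": "openssl",
            "version": "3.0.2",
            "properties": [
                {"name": "syft:package:foundBy", "value": "binary-classifier-cataloger"},
                {"name": "syft:package:type", "value": "binary"},
                {"name": "syft:location:0:layerID", "value": LAYER},
                {"name": "syft:location:0:path", "value": "/usr/bin/openssl"},
            ],
        },
        {
            "bom-ref": "pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.18?arch=arm64&distro=ubuntu-22.04&package-id=ebef1067338d401e",
            "name": "openssl",
            "version": "3.0.2-0ubuntu1.18",
            "properties": [
                {"name": "syft:package:foundBy", "value": "dpkg-db-cataloger"},
                {"name": "syft:package:type", "value": "deb"},
                {"name": "syft:location:0:layerID", "value": LAYER},
                {"name": "syft:location:0:path", "value": "/var/lib/dpkg/status.d/openssl"},
            ],
        },
        {   # constructed: a deb with no binary-classifier counterpart
            "bom-ref": "pkg:deb/ubuntu/libssl3@3.0.2-0ubuntu1.18?arch=arm64&distro=ubuntu-22.04&package-id=0000000000000000",
            "name": "libssl3",
            "version": "3.0.2-0ubuntu1.18",
            "properties": [
                {"name": "syft:package:foundBy", "value": "dpkg-db-cataloger"},
                {"name": "syft:package:type", "value": "deb"},
                {"name": "syft:location:0:layerID", "value": LAYER},
            ],
        },
    ],
})


def properties(component):
    """Flatten syft's name/value property list into a dict."""
    return {p["name"]: p["value"] for p in component.get("properties", [])}


def layer_ids(props):
    """Every layer a component was found in (syft:location:N:layerID)."""
    return {v for k, v in props.items()
            if k.startswith("syft:location:") and k.endswith(":layerID")}


def deb_upstream_version(version):
    """Strip the epoch and Debian revision: '1:3.0.2-0ubuntu1.18' -> '3.0.2'.

    Debian versions are [epoch:]upstream[-revision]; the revision is everything
    after the last hyphen, so rsplit is the correct split.
    """
    without_epoch = version.split(":", 1)[-1]
    return without_epoch.rsplit("-", 1)[0]


def shadowed_binaries(bom_json):
    """Binary-classifier components that a same-layer deb of the same upstream version explains."""
    components = json.loads(bom_json).get("components", [])
    debs = defaultdict(list)
    for c in components:
        p = properties(c)
        if p.get("syft:package:type") == "deb":
            debs[c["name"]].append((c, p))

    findings = []
    for c in components:
        p = properties(c)
        if p.get("syft:package:foundBy") != "binary-classifier-cataloger":
            continue
        for deb, deb_props in debs.get(c["name"], []):
            same_layer = bool(layer_ids(p) & layer_ids(deb_props))
            same_upstream = deb_upstream_version(deb["version"]) == c["version"]
            if same_layer and same_upstream:
                findings.append({
                    "binary_ref": c["bom-ref"],
                    "binary_version": c["version"],
                    "deb_ref": deb["bom-ref"],
                    "deb_version": deb["version"],
                    "path": p.get("syft:location:0:path"),
                })
    return findings


def without_shadowed(bom_json):
    """Component list with the shadowed binary entries removed; the deb entry stays."""
    shadowed = {f["binary_ref"] for f in shadowed_binaries(bom_json)}
    return [c for c in json.loads(bom_json)["components"] if c["bom-ref"] not in shadowed]


if __name__ == "__main__":
    for f in shadowed_binaries(SAMPLE_BOM):
        print(f"{f['path']}: binary says {f['binary_version']}, "
              f"dpkg says {f['deb_version']} ({f['deb_ref']})")
```

The match is deliberately narrow: a binary hit is only dropped when the layer and the upstream version both agree with a deb of the same name. A statically linked or vendored OpenSSL whose version differs from the packaged one is kept, since finding exactly that is what the binary classifier is for. Run it against a real `syft ... -o cyclonedx-json` file by replacing SAMPLE_BOM with the file contents.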
@wagoodman
Contributor

So far I haven't been able to reproduce this result, I am only ever seeing the debian package:

$ syft paketobuildpacks/builder-jammy-java-tiny -o json=output.json -o table | grep openssl
 ✔ Loaded image                                                                                                         paketobuildpacks/builder-jammy-java-tiny:latest
 ✔ Parsed image                                                                                 sha256:c36d3df9b6b2bf4f9f5facdd7dfdf21b52da399a5e610566e954f57bca2a6f4f
 ✔ Cataloged contents                                                                                  f0c449d51bc9fda1511b3525c3e615db6e9134ee7d062f7cbdb3b3e16dd31c1d
   ├── ✔ Packages                        [1,201 packages]
   ├── ✔ File digests                    [9,396 files]
   ├── ✔ File metadata                   [9,396 locations]
   └── ✔ Executables                     [934 executables]
A newer version of syft is available for download: 1.19.0 (installed version is 1.16.0)
openssl                                                        3.0.2-0ubuntu1.18                        deb
$ cat output.json | jq '.artifacts[] | select(.name == "openssl").version'

"3.0.2-0ubuntu1.18"

I tried this with syft 1.16.0, 1.18.1, and 1.19.0... only the debian package is being cataloged with version 3.0.2-0ubuntu1.18.

A few questions:

  1. what version of syft are you using?
  2. do you have any specific configuration being used?
  3. what is the tag of the docker image above that you used to reproduce this?
