For scanning a C++ binary, how to recognize the package the binary comes from

If my C++ package directory contains a Boost library like libboost_filesystem.so.1.83.0, can Syft recognize the package as well?

Hi @laoshanxi, it can be difficult to determine packages and dependencies for C/C++ projects.

There are a couple ways Syft is able to determine packages from binaries, for example using ELF notes, embedded go mod information, or version resources; but these require something during the build step to put the information in the binary and I assume you’re not talking about one of these.

Beyond those, we are able to identify software from arbitrary binaries using the binary cataloger, which examines the bytes for specific version patterns and other information but is certainly one of the least desirable ways to determine what software we found. This only works on well-known binaries like MySQL or bash for which we have determined patterns that seem to identify them appropriately, and these do not include dependency information. This method is fairly brittle and still probably isn’t what you are asking about.

If you’re referring to a binary created by yourself that doesn’t fall into the above categories, Syft is probably not going to identify the libraries used to build it today unless you’re able to add it at build time.

However, there are some dependency managers like Conan that are supported and others we could implement such as vcpkg, so you could scan your source code to get this information at build time and possibly embed it as ELF notes if you chose to.

Do any of the above methods help with the specific artifact you are trying to scan? Is there something else you’re looking for?

Thank you for the reply.

You are right, it is hard to detect the source of C++ libraries. I do not think self-built C++ libraries need to be detected; instead, during the C++ build and pack process, many libraries come from the yum/apt repository (e.g. liblog4cpp5-dev, libboost-all-dev). I think for this case it can be possible (dpkg -S /path/to/file, rpm -qf /path/to/file), what do you think?

C++ build environment setup sample:
app-mesh/script/setup_build_env/autogen.sh.apt.sh at main · laoshanxi/app-mesh

C++ packing sample:
app-mesh/script/build_package.sh at main · laoshanxi/app-mesh

If there is dpkg or RPM metadata, Syft can identify these and should make packages for those libraries if pointed at the right spot (e.g. the apt installs) though it wouldn’t be exclusive to the libraries you installed via a specific script, but rather everything currently installed. You could perhaps filter the resulting SBOM to the known set of libraries or do something that compared before and after to get the diff from a script (though Syft has no “sbom diff” today, it’s something I’ve always thought would be useful for a lot of things and we would probably be willing to get it added). I don’t really know what the right thing to do is here – maybe you could expand on exactly what you’re looking for: is it just effectively an SBOM generated as a result of the apt/rpm installs, specifically, or is there more to it?

  1. I installed C++ library packages (e.g. liblog4cpp5-dev, libboost-all-dev) by apt install to prepare the C++ build env.
  2. After compiling my C++ project (linked against those C++ libs), while packing, I copy the necessary libraries to the packaging dir by following the link dependencies:
lv@laoshanxi:~/app-mesh/build$ ls nfpm_home/lib64/
libACE-7.1.2.so      libboost_filesystem.so.1.83.0       libboost_regex.so.1.83.0   libcrypto.so.3    libcurl.so.4     liboath.so.0  libyaml-cpp.so.0.8
libACE_SSL-7.1.2.so  libboost_program_options.so.1.83.0  libboost_system.so.1.83.0  libcrypto++.so.8  liblog4cpp.so.5  libssl.so.3

Here is my deb package composition:

lv@laoshanxi:~/app-mesh/build$ dpkg-deb -c appmesh_2.1.2_gcc_13_glibc_2.39_x86_64.deb
drwxr-xr-x root/root         0 2025-05-15 17:52 ./opt/
drwxrwxr-x root/root         0 2025-05-15 17:52 ./opt/appmesh/
drwxrwxr-x root/root         0 2025-05-15 17:52 ./opt/appmesh/bin/
-rwxrwxr-x root/root  13997675 2025-05-15 17:52 ./opt/appmesh/bin/agent
-rwxrwxr-x root/root   8730769 2025-05-15 17:52 ./opt/appmesh/bin/appc
-rwxrwxr-x root/root  29679704 2025-05-15 17:52 ./opt/appmesh/bin/appsvc
-rw-rw-r-- root/root       112 2025-05-15 17:52 ./opt/appmesh/bin/py_exec.py
-rw-rw-r-- root/root      3009 2025-05-15 17:52 ./opt/appmesh/config.yaml
-rw-rw-r-- root/root       261 2025-05-15 17:52 ./opt/appmesh/consul.yaml
-rw-rw-r-- root/root       871 2025-05-15 17:52 ./opt/appmesh/ldap.yaml
drwxrwxr-x root/root         0 2025-05-15 17:52 ./opt/appmesh/lib64/
-rw-r--r-- root/root   1637032 2025-05-15 17:52 ./opt/appmesh/lib64/libACE-7.1.2.so
-rw-r--r-- root/root    112848 2025-05-15 17:52 ./opt/appmesh/lib64/libACE_SSL-7.1.2.so
-rw-r--r-- root/root    137640 2025-05-15 17:52 ./opt/appmesh/lib64/libboost_filesystem.so.1.83.0
-rw-r--r-- root/root    264376 2025-05-15 17:52 ./opt/appmesh/lib64/libboost_program_options.so.1.83.0
-rw-r--r-- root/root    329904 2025-05-15 17:52 ./opt/appmesh/lib64/libboost_regex.so.1.83.0
-rw-r--r-- root/root     13960 2025-05-15 17:52 ./opt/appmesh/lib64/libboost_system.so.1.83.0
-rw-r--r-- root/root   4334864 2025-05-15 17:52 ./opt/appmesh/lib64/libcrypto++.so.8
-rw-r--r-- root/root   5305304 2025-05-15 17:52 ./opt/appmesh/lib64/libcrypto.so.3
-rw-r--r-- root/root    786336 2025-05-15 17:52 ./opt/appmesh/lib64/libcurl.so.4
-rw-r--r-- root/root    232912 2025-05-15 17:52 ./opt/appmesh/lib64/liblog4cpp.so.5
-rw-r--r-- root/root     67736 2025-05-15 17:52 ./opt/appmesh/lib64/liboath.so.0
-rw-r--r-- root/root    696512 2025-05-15 17:52 ./opt/appmesh/lib64/libssl.so.3
-rw-r--r-- root/root    293688 2025-05-15 17:52 ./opt/appmesh/lib64/libyaml-cpp.so.0.8
-rw-rw-r-- root/root       156 2025-05-15 17:52 ./opt/appmesh/oauth2.yaml
......
  3. I scan the packing dir with syft scan ./nfpm_home/ -c ../script/syft.yaml using syft.yaml; so far I saw the Python and Golang dependencies were correctly recognized, but it cannot recognize those C++ dependencies. sbom.spdx.json
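One way to do the dpkg -S / rpm -qf idea from the thread for a packaging dir like nfpm_home/lib64, as an added example that is neither the poster's script nor Syft's code. It reads the same dpkg database that dpkg -S consults, but matches by content hash against the per-package .md5sums files rather than by path, because a copied file such as /opt/appmesh/lib64/libboost_filesystem.so.1.83.0 no longer sits at the path dpkg recorded, so dpkg -S on the copied path would find nothing. The fixture (package name, version string, file contents) is constructed so the example runs offline; on a real build host you would pass /var/lib/dpkg/info and /var/lib/dpkg/status instead.

```python
import hashlib
import re
import tempfile
from pathlib import Path

def load_status(status_path):
    """Parse dpkg's status file into {package name: installed version}."""
    versions = {}
    for stanza in Path(status_path).read_text().split("\n\n"):
        fields = dict(re.findall(r"^([A-Za-z-]+): (.*)$", stanza, re.M))
        if "Package" in fields and "Version" in fields:
            versions[fields["Package"]] = fields["Version"]
    return versions

def load_md5_index(info_dir):
    """Build {md5: (package, original absolute path)} from <pkg>[:arch].md5sums."""
    index = {}
    for md5file in Path(info_dir).glob("*.md5sums"):
        pkg = md5file.name[: -len(".md5sums")].split(":")[0]  # drop ':amd64'
        for line in md5file.read_text().splitlines():
            digest, _, relpath = line.partition("  ")
            index[digest] = (pkg, "/" + relpath)
    return index

def resolve_libs(lib_dir, info_dir, status_path):
    """Map each packaging-dir file to (package, version, original path), or None
    when no dpkg package owns it (e.g. a lib built from source); hash-based
    matching is used because dpkg -S cannot see the copied path."""
    versions, index = load_status(status_path), load_md5_index(info_dir)
    result = {}
    for f in sorted(p for p in Path(lib_dir).iterdir() if p.is_file()):
        hit = index.get(hashlib.md5(f.read_bytes()).hexdigest())
        result[f.name] = (hit[0], versions.get(hit[0]), hit[1]) if hit else None
    return result

def build_fixture(root):
    """Constructed sample dpkg database and packaging dir (not a real system)."""
    info, lib = Path(root, "info"), Path(root, "lib64")
    info.mkdir(); lib.mkdir()
    boost = b"\x7fELF constructed libboost_filesystem stub"
    (lib / "libboost_filesystem.so.1.83.0").write_bytes(boost)
    (lib / "libACE-7.1.2.so").write_bytes(b"\x7fELF built from source, no owner")
    (info / "libboost-filesystem1.83.0:amd64.md5sums").write_text(
        f"{hashlib.md5(boost).hexdigest()}  usr/lib/x86_64-linux-gnu/libboost_filesystem.so.1.83.0\n")
    Path(root, "status").write_text("Package: libboost-filesystem1.83.0\nStatus: install ok installed\n"
                                    "Architecture: amd64\nVersion: 1.83.0-2.1ubuntu3\n\n")  # constructed
    return str(lib), str(info), str(Path(root, "status"))

def demo():  # resolve the constructed fixture; returns the name -> owner mapping
    with tempfile.TemporaryDirectory() as tmp:
        return resolve_libs(*build_fixture(tmp))
```

Files that resolve to None are the ones apt did not provide (here libACE-7.1.2.so), which is exactly the set Syft's dpkg cataloger can never attribute; the matched entries can be turned into pkg:deb purls or used to filter the SBOM Syft produced from the build host.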