If my C++ package directory contains a Boost library like <libboost_filesystem.so.1.83.0>, can Syft recognize the package as well?
Hi @laoshanxi, it can be difficult to determine packages and dependencies for C/C++ projects.
There are a couple of ways Syft is able to determine packages from binaries, for example using ELF notes, embedded Go module information, or version resources; but these require something during the build step to put the information in the binary, and I assume you’re not talking about one of these.
Beyond those, we are able to identify software from arbitrary binaries using the binary cataloger, which examines the bytes for specific version patterns and other information, but it is certainly one of the least desirable ways to determine what software we found. This only works on well-known binaries like MySQL or bash for which we have determined patterns that seem to identify them appropriately, and these do not include dependency information. This method is fairly brittle and still probably isn’t what you are asking about.
If you’re referring to a binary created by yourself that doesn’t fall into the above categories, Syft is probably not going to identify the libraries used to build it today unless you’re able to add it at build time.
However, there are some dependency managers like Conan that are supported and others we could implement such as vpkg, so you could scan your source code to get this information at build time and possibly embed it as ELF notes if you chose to.
Do any of the above methods help with the specific artifact you are trying to scan? Is there something else you’re looking for?
Thank you for the reply.
You are right, it is hard to detect the sources of C++. I do not think self-built C++ libraries need to be detected; instead, during the C++ build and pack process, many libraries come from the yum/apt repository (e.g. liblog4cpp5-dev, libboost-all-dev). I think this case can be possible (dpkg -S /path/to/file, rpm -qf /path/to/file); what do you think?
C++ build environment setup sample:
app-mesh/script/setup_build_env/autogen.sh.apt.sh at main · laoshanxi/app-mesh
C++ packing sample:
app-mesh/script/build_package.sh at main · laoshanxi/app-mesh
If there is dpkg or RPM metadata, Syft can identify these and should make packages for those libraries if pointed at the right spot (e.g. the apt installs), though it wouldn’t be exclusive to the libraries you installed via a specific script, but rather everything currently installed. You could perhaps filter the resulting SBOM to the known set of libraries or do something that compared before and after to get the diff from a script (though Syft has no “sbom diff” today; it’s something I’ve always thought would be useful for a lot of things and we would probably be willing to get added). I don’t really know what the right thing to do is here – maybe you could expand on exactly what you’re looking for: is it just effectively an SBOM generated as a result of the apt/rpm installs, specifically, or is there more to it?
- I installed C++ library packages (e.g. liblog4cpp5-dev, libboost-all-dev) by apt install to prepare the C++ build env.
- After compiling my C++ project (linked with those C++ libs), while packing, I copy the necessary libraries to the packaging dir by link dependencies:
lv@laoshanxi:~/app-mesh/build$ ls nfpm_home/lib64/
libACE-7.1.2.so libboost_filesystem.so.1.83.0 libboost_regex.so.1.83.0 libcrypto.so.3 libcurl.so.4 liboath.so.0 libyaml-cpp.so.0.8
libACE_SSL-7.1.2.so libboost_program_options.so.1.83.0 libboost_system.so.1.83.0 libcrypto++.so.8 liblog4cpp.so.5 libssl.so.3
Here is my deb package composition:
lv@laoshanxi:~/app-mesh/build$ dpkg-deb -c appmesh_2.1.2_gcc_13_glibc_2.39_x86_64.deb
drwxr-xr-x root/root 0 2025-05-15 17:52 ./opt/
drwxrwxr-x root/root 0 2025-05-15 17:52 ./opt/appmesh/
drwxrwxr-x root/root 0 2025-05-15 17:52 ./opt/appmesh/bin/
-rwxrwxr-x root/root 13997675 2025-05-15 17:52 ./opt/appmesh/bin/agent
-rwxrwxr-x root/root 8730769 2025-05-15 17:52 ./opt/appmesh/bin/appc
-rwxrwxr-x root/root 29679704 2025-05-15 17:52 ./opt/appmesh/bin/appsvc
-rw-rw-r-- root/root 112 2025-05-15 17:52 ./opt/appmesh/bin/py_exec.py
-rw-rw-r-- root/root 3009 2025-05-15 17:52 ./opt/appmesh/config.yaml
-rw-rw-r-- root/root 261 2025-05-15 17:52 ./opt/appmesh/consul.yaml
-rw-rw-r-- root/root 871 2025-05-15 17:52 ./opt/appmesh/ldap.yaml
drwxrwxr-x root/root 0 2025-05-15 17:52 ./opt/appmesh/lib64/
-rw-r--r-- root/root 1637032 2025-05-15 17:52 ./opt/appmesh/lib64/libACE-7.1.2.so
-rw-r--r-- root/root 112848 2025-05-15 17:52 ./opt/appmesh/lib64/libACE_SSL-7.1.2.so
-rw-r--r-- root/root 137640 2025-05-15 17:52 ./opt/appmesh/lib64/libboost_filesystem.so.1.83.0
-rw-r--r-- root/root 264376 2025-05-15 17:52 ./opt/appmesh/lib64/libboost_program_options.so.1.83.0
-rw-r--r-- root/root 329904 2025-05-15 17:52 ./opt/appmesh/lib64/libboost_regex.so.1.83.0
-rw-r--r-- root/root 13960 2025-05-15 17:52 ./opt/appmesh/lib64/libboost_system.so.1.83.0
-rw-r--r-- root/root 4334864 2025-05-15 17:52 ./opt/appmesh/lib64/libcrypto++.so.8
-rw-r--r-- root/root 5305304 2025-05-15 17:52 ./opt/appmesh/lib64/libcrypto.so.3
-rw-r--r-- root/root 786336 2025-05-15 17:52 ./opt/appmesh/lib64/libcurl.so.4
-rw-r--r-- root/root 232912 2025-05-15 17:52 ./opt/appmesh/lib64/liblog4cpp.so.5
-rw-r--r-- root/root 67736 2025-05-15 17:52 ./opt/appmesh/lib64/liboath.so.0
-rw-r--r-- root/root 696512 2025-05-15 17:52 ./opt/appmesh/lib64/libssl.so.3
-rw-r--r-- root/root 293688 2025-05-15 17:52 ./opt/appmesh/lib64/libyaml-cpp.so.0.8
-rw-rw-r-- root/root 156 2025-05-15 17:52 ./opt/appmesh/oauth2.yaml
......
- I scan the packing dir with syft.yaml:
syft scan ./nfpm_home/ -c ../script/syft.yaml
So far I saw that Python and Go dependencies were correctly recognized, but it cannot recognize those C++ dependencies. sbom.spdx.json
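The dpkg -S / rpm -qf idea from this thread, as an added example (not Syft's code and not part of app-mesh): map every shared object copied into the packaging dir back to the distro package that installed it, then report which of those packages the Syft SPDX SBOM already lists and which are still missing. It assumes it runs on the same build host where apt/yum installed the libraries; HOST_LIB_DIRS and the script name libcheck.py are my assumptions.

```python
"""Map the shared objects copied into a packaging dir (like nfpm_home/lib64 above)
back to the distro package that installed them, then check which of those packages
already appear in a Syft SPDX JSON SBOM. Added example; not part of Syft."""
import json, os, shutil, subprocess, sys
from typing import Optional

# Where apt/yum normally install shared libraries (assumed; adjust for your distro).
HOST_LIB_DIRS = ["/usr/lib/x86_64-linux-gnu", "/usr/lib64", "/lib64", "/usr/lib", "/lib"]

def parse_dpkg_s(output: str) -> Optional[str]:
    """`dpkg -S` prints 'libssl3t64:amd64: /usr/lib/...'; return 'libssl3t64'."""
    first = output.strip().splitlines()[0] if output.strip() else ""
    if ": /" not in first:
        return None
    return first.split(": /", 1)[0].split(":", 1)[0]  # drop the ':amd64' suffix

def owning_package(basename: str) -> Optional[str]:
    """Ask dpkg (or rpm) which installed package owns a library of this name.
    The copy in the packaging dir is unknown to the package DB, so look up the
    original file under the host library dirs and resolve symlinks first."""
    for d in HOST_LIB_DIRS:
        real = os.path.realpath(os.path.join(d, basename))
        if not os.path.exists(real):
            continue
        if shutil.which("dpkg"):
            r = subprocess.run(["dpkg", "-S", real], capture_output=True, text=True)
            return parse_dpkg_s(r.stdout) if r.returncode == 0 else None
        if shutil.which("rpm"):
            r = subprocess.run(["rpm", "-qf", "--qf", "%{NAME}", real],
                               capture_output=True, text=True)
            return r.stdout.strip() if r.returncode == 0 else None
    return None

def coverage(lib_to_pkg: dict, spdx: dict) -> dict:
    """Sort libraries by whether their owning package is listed in the SBOM
    ('covered'), absent from it ('missing'), or unknown to dpkg/rpm ('unmapped')."""
    names = {p.get("name") for p in spdx.get("packages", [])}
    out = {"covered": [], "missing": [], "unmapped": []}
    for lib, pkg in sorted(lib_to_pkg.items()):
        out["unmapped" if pkg is None else "covered" if pkg in names else "missing"].append(lib)
    return out

if __name__ == "__main__":  # usage: python3 libcheck.py nfpm_home/lib64 sbom.spdx.json
    lib_dir, sbom_path = sys.argv[1], sys.argv[2]
    libs = {f: owning_package(f) for f in os.listdir(lib_dir) if ".so" in f}
    with open(sbom_path) as fh:
        print(json.dumps(coverage(libs, json.load(fh)), indent=2))
```

Libraries that end up in "unmapped" (for example a locally built libACE) are the ones no package-manager cataloger can ever describe, so those are the candidates for build-time metadata such as ELF notes.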