Package detected, binary NOT detected

Hi,

I noticed a case: the package is detected, but the binary is NOT detected.

php packages including php-cli are detected

$ syft -q cimg/php:5.6.40 | grep php
libapache2-mod-php5.6             5.6.40-29+ubuntu18.04.1+deb.sury.org+1                    deb
php-common                        2:76+ubuntu18.04.1+deb.sury.org+9                         deb
php-pear                          1:1.10.8+submodules+notgz-1+ubuntu18.04.1+deb.sury.org+1  deb
php-xml                           2:7.4+76+ubuntu18.04.1+deb.sury.org+9                     deb
php5.6                            5.6.40-29+ubuntu18.04.1+deb.sury.org+1                    deb
php5.6-cli                        5.6.40-29+ubuntu18.04.1+deb.sury.org+1                    deb
php5.6-common                     5.6.40-29+ubuntu18.04.1+deb.sury.org+1                    deb
php5.6-curl                       5.6.40-29+ubuntu18.04.1+deb.sury.org+1                    deb
php5.6-dev                        5.6.40-29+ubuntu18.04.1+deb.sury.org+1                    deb
php5.6-gd                         5.6.40-29+ubuntu18.04.1+deb.sury.org+1                    deb
php5.6-json                       5.6.40-29+ubuntu18.04.1+deb.sury.org+1                    deb
php5.6-mbstring                   5.6.40-29+ubuntu18.04.1+deb.sury.org+1                    deb
php5.6-mysql                      5.6.40-29+ubuntu18.04.1+deb.sury.org+1                    deb
php5.6-opcache                    5.6.40-29+ubuntu18.04.1+deb.sury.org+1                    deb
php5.6-readline                   5.6.40-29+ubuntu18.04.1+deb.sury.org+1                    deb
php5.6-xml                        5.6.40-29+ubuntu18.04.1+deb.sury.org+1                    deb
php5.6-zip                        5.6.40-29+ubuntu18.04.1+deb.sury.org+1                    deb
php7.4-common                     7.4.6-1+ubuntu18.04.1+deb.sury.org+1                      deb
php7.4-xml                        7.4.6-1+ubuntu18.04.1+deb.sury.org+1                      deb
pkg-php-tools                     1.35ubuntu1                                               deb

But php-cli binary is not detected (libphp is detected)

$ syft -q cimg/php:5.6.40 --override-default-catalogers "binary"
NAME        VERSION  TYPE
bash        4.4.20   binary
curl        7.58.0   binary
gzip        1.6      binary
libphp      5.6.40   binary
openssl     1.1.1    binary
python      3.6.9    binary
util-linux  2.31.1   binary
xz          5.2.2    binary

php-cli target file exists

$ docker run -it --rm cimg/php:5.6.40 which php
/usr/bin/php
$ docker run -it --rm cimg/php:5.6.40 /usr/bin/php -v
PHP 5.6.40-29+ubuntu18.04.1+deb.sury.org+1 (cli)
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
    with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2016, by Zend Technologies

I think this isn’t a problem in most cases.
But, I’d like to hear if others have a different perspective on this.
If this is considered an issue or someone wants php-cli binary detections, I’ll open a GitHub issue.

Thanks for the question witchcraze!

I just ruled out that it was a deduplication of the php cataloger vs the binary cataloger.

I ran against the original image (no catalog modifiers) with the following syft config and did not see a binary result:

package:
  # allows users to exclude synthetic binary packages from the sbom
  # these packages are removed if an overlap with a non-synthetic package is found (env: SYFT_PACKAGE_EXCLUDE_BINARY_OVERLAP_BY_OWNERSHIP)
  exclude-binary-overlap-by-ownership: false

This tells me there might be something wrong with the classifier for php-cli.

It looks like we should be matching on the file correctly.

I ran
docker run -it cimg/php:5.6.40 /bin/bash

And then in the container to confirm it’s installed

apt show php5.6-cli

Checking the contents of the cli:

circleci@7b0fca49301e:~/project$ strings /usr/bin/php | grep X-Powered
X-Powered-By: PHP/5.6.40-29+ubuntu18.04.1+deb.sury.org+1

This does match the evidence matcher:

After getting this far in the investigation, I’m a little stumped as to why it’s not being picked up, so I will close this reply and come back after I step through syft with a debugger to see why this might not be firing correctly.

Thanks for the report and reproduction instructions!

Let me report a similar topic.
The mariadb binary is not detected in a recent library/mariadb build. (deb packages are detected.)
Do you think this needs an update to the binary detection pattern?

$ syft -q library/mariadb:11.4.4 | grep maria
libmariadb3               1:11.4.4+maria~ubu2404       deb
mariadb-backup            1:11.4.4+maria~ubu2404       deb
mariadb-client            1:11.4.4+maria~ubu2404       deb
mariadb-client-core       1:11.4.4+maria~ubu2404       deb
mariadb-common            1:11.4.4+maria~ubu2404       deb
mariadb-server            1:11.4.4+maria~ubu2404       deb
mariadb-server-core       1:11.4.4+maria~ubu2404       deb
mysql-common              1:11.4.4+maria~ubu2404       deb
$ syft -q library/mariadb:11.4.4 --override-default-catalogers "binary" | grep maria
mariadb                   11.4.4                 binary
$ syft -q library/mariadb:11.4.5 | grep maria
libmariadb3               1:11.4.5+maria~ubu2404        deb
mariadb-backup            1:11.4.5+maria~ubu2404        deb
mariadb-client            1:11.4.5+maria~ubu2404        deb
mariadb-client-core       1:11.4.5+maria~ubu2404        deb
mariadb-common            1:11.4.5+maria~ubu2404        deb
mariadb-server            1:11.4.5+maria~ubu2404        deb
mariadb-server-core       1:11.4.5+maria~ubu2404        deb
mysql-common              1:11.4.5+maria~ubu2404        deb
$ syft -q library/mariadb:11.4.5 --override-default-catalogers "binary" | grep maria
mariadb                   1:11.4.5+maria~ubu2404  deb

I was surprised to see a deb result when you ran syft -q library/mariadb:11.4.5 --override-default-catalogers "binary". This deb result is causing the binary result to be deduplicated and dropped.

I think what’s happening here is you are not being specific enough when you selected binary as the cataloger type – this actually results in 4 package catalogers:

$ syft cataloger list --override-default-catalogers binary                         
[0000]  WARN adding 'file' tag to the default cataloger selection, to override add '-file' to the cataloger selection request
Default selections: 2
  • 'binary'
  • 'file'
Selection expressions: 0
...
┌──────────────────────────────────┬───────────────────────────────────────────────────────────────────────────┐
│ PACKAGE CATALOGER                │ TAGS                                                                      │
├──────────────────────────────────┼───────────────────────────────────────────────────────────────────────────┤
│ binary-classifier-cataloger      │ binary, declared, directory, image, installed, package                    │
│ cargo-auditable-binary-cataloger │ binary, directory, image, installed, language, package, rust              │
│ elf-binary-package-cataloger     │ binary, declared, directory, elf-package, image, installed, package       │
│ go-module-binary-cataloger       │ binary, directory, go, golang, gomod, image, installed, language, package │
└──────────────────────────────────┴───────────────────────────────────────────────────────────────────────────┘

And, in this image it seems the ELF metadata actually has package information which we are surfacing as the more correct DEB result.

Note if you run with binary-classifier-cataloger, you will see:

$ syft -q library/mariadb:11.4.5 --override-default-catalogers binary-classifier-cataloger | grep maria
mariadb     11.4.5   binary    

So… It seems like Syft is doing the best job it can here surfacing the best results for you, at least for the mariadb images and it doesn’t look like we need to update anything, just remember to use the binary-classifier-cataloger instead of the tag binary.

For the PHP images you might be right that there are some updates needed, I don’t see the binaries showing up.

Apologies if I’ve missed something!
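
The following is an added example, not part of the original posts and not Syft's own code: a simplified model of tag-based cataloger selection using the tag table above, plus a check that reports which selected cataloger produced a non-binary result. The sample SBOM is constructed, and the script assumes the `artifacts[].foundBy` and `artifacts[].type` fields of Syft's JSON output.

```python
import json

# Tags per cataloger, copied from the `syft cataloger list` table in the thread.
CATALOGER_TAGS = {
    "binary-classifier-cataloger": "binary, declared, directory, image, installed, package",
    "cargo-auditable-binary-cataloger": "binary, directory, image, installed, language, package, rust",
    "elf-binary-package-cataloger": "binary, declared, directory, elf-package, image, installed, package",
    "go-module-binary-cataloger": "binary, directory, go, golang, gomod, image, installed, language, package",
}


def select(expression):
    """Simplified model (an assumption, not Syft's implementation):
    an expression matches a cataloger by exact name or by one of its tags."""
    return sorted(
        name for name, tags in CATALOGER_TAGS.items()
        if expression == name or expression in tags.split(", ")
    )


# Constructed sample shaped like `syft -o json` output (only the fields used below).
# The "example-tool" entry is hypothetical.
SAMPLE_SBOM = json.loads("""
{"artifacts": [
  {"name": "mariadb", "version": "1:11.4.5+maria~ubu2404", "type": "deb",
   "foundBy": "elf-binary-package-cataloger"},
  {"name": "example-tool", "version": "1.0.0", "type": "binary",
   "foundBy": "binary-classifier-cataloger"}
]}
""")


def explain(sbom, expression, wanted_type="binary"):
    """Return (name, version, type, cataloger) for results produced by a selected
    cataloger whose package type differs from wanted_type."""
    selected = set(select(expression))
    return [
        (a["name"], a["version"], a["type"], a["foundBy"])
        for a in sbom.get("artifacts", [])
        if a.get("foundBy") in selected and a.get("type") != wanted_type
    ]


if __name__ == "__main__":
    print("selected by 'binary':", select("binary"))
    for row in explain(SAMPLE_SBOM, "binary"):
        print("non-binary result:", row)
```
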

Thank you for your confirmation.

My usage/understanding of the cataloger option was wrong.
This mariadb image is not an issue.

cataloger list seems very useful.
I think I can use the cataloger option more clearly with this command.


By the way, the sample option written in the wiki produces an error.
Does the wiki need updating? Or is my understanding still wrong?

$ syft cataloger list --override-default-catalogers "go-module-binary-cataloger,go-module-file-cataloger"
[0000]  WARN adding 'file' tag to the default cataloger selection, to override add '-file' to the cataloger selection request
[0000] ERROR unable to generate cataloger list report: unable to select catalogers: no cataloger tasks respond to the following selections: go-module-binary-cataloger,go-module-file-cataloger

It looks like what’s in the docs does work properly for scanning:

$ syft -q --override-default-catalogers "go-module-binary-cataloger,go-module-file-cataloger" alpine:latest
No packages discovered

But the same --override-default-catalogers does not work in cataloger list due to it not splitting the options the same way. I’ve added an issue. I’ll follow this up with a PR unless someone beats me to it. PR here
