Package detected, binary NOT detected

Hi,

I noticed a case where the package is detected, but the binary is NOT detected.

The php packages, including php-cli, are detected:

$ syft -q cimg/php:5.6.40 | grep php
libapache2-mod-php5.6             5.6.40-29+ubuntu18.04.1+deb.sury.org+1                    deb
php-common                        2:76+ubuntu18.04.1+deb.sury.org+9                         deb
php-pear                          1:1.10.8+submodules+notgz-1+ubuntu18.04.1+deb.sury.org+1  deb
php-xml                           2:7.4+76+ubuntu18.04.1+deb.sury.org+9                     deb
php5.6                            5.6.40-29+ubuntu18.04.1+deb.sury.org+1                    deb
php5.6-cli                        5.6.40-29+ubuntu18.04.1+deb.sury.org+1                    deb
php5.6-common                     5.6.40-29+ubuntu18.04.1+deb.sury.org+1                    deb
php5.6-curl                       5.6.40-29+ubuntu18.04.1+deb.sury.org+1                    deb
php5.6-dev                        5.6.40-29+ubuntu18.04.1+deb.sury.org+1                    deb
php5.6-gd                         5.6.40-29+ubuntu18.04.1+deb.sury.org+1                    deb
php5.6-json                       5.6.40-29+ubuntu18.04.1+deb.sury.org+1                    deb
php5.6-mbstring                   5.6.40-29+ubuntu18.04.1+deb.sury.org+1                    deb
php5.6-mysql                      5.6.40-29+ubuntu18.04.1+deb.sury.org+1                    deb
php5.6-opcache                    5.6.40-29+ubuntu18.04.1+deb.sury.org+1                    deb
php5.6-readline                   5.6.40-29+ubuntu18.04.1+deb.sury.org+1                    deb
php5.6-xml                        5.6.40-29+ubuntu18.04.1+deb.sury.org+1                    deb
php5.6-zip                        5.6.40-29+ubuntu18.04.1+deb.sury.org+1                    deb
php7.4-common                     7.4.6-1+ubuntu18.04.1+deb.sury.org+1                      deb
php7.4-xml                        7.4.6-1+ubuntu18.04.1+deb.sury.org+1                      deb
pkg-php-tools                     1.35ubuntu1                                               deb

But the php-cli binary is not detected (libphp is detected):

$ syft -q cimg/php:5.6.40 --override-default-catalogers "binary"
NAME        VERSION  TYPE
bash        4.4.20   binary
curl        7.58.0   binary
gzip        1.6      binary
libphp      5.6.40   binary
openssl     1.1.1    binary
python      3.6.9    binary
util-linux  2.31.1   binary
xz          5.2.2    binary

The php-cli target file exists:

$ docker run -it --rm cimg/php:5.6.40 which php
/usr/bin/php
$ docker run -it --rm cimg/php:5.6.40 /usr/bin/php -v
PHP 5.6.40-29+ubuntu18.04.1+deb.sury.org+1 (cli)
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
    with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2016, by Zend Technologies

I think this isn’t a problem in most cases.
But I’d like to hear if others have a different perspective on this.
If this is considered an issue or someone wants php-cli binary detection, I’ll open a GitHub issue.

Thanks for the question, witchcraze!

I just ruled out that it was a deduplication of the php cataloger vs the binary cataloger.

I ran against the original image (no catalog modifiers) with the following syft config and did not see a binary result:

package:
  # allows users to exclude synthetic binary packages from the sbom
  # these packages are removed if an overlap with a non-synthetic package is found (env: SYFT_PACKAGE_EXCLUDE_BINARY_OVERLAP_BY_OWNERSHIP)
  exclude-binary-overlap-by-ownership: false

This tells me there might be something wrong with the classifier for php-cli.

It looks like we should be matching on the file correctly.

I ran:
docker run -it cimg/php:5.6.40 /bin/bash

And then, in the container, to confirm it’s installed:

apt show php5.6-cli

Checking the contents of the cli:

circleci@7b0fca49301e:~/project$ strings /usr/bin/php | grep X-Powered
X-Powered-By: PHP/5.6.40-29+ubuntu18.04.1+deb.sury.org+1

This does match the evidence matcher:

This far into the investigation, I’m a little stumped as to why it’s not being picked up, so I will close this reply and come back after I step through syft with a debugger to see why this might not be firing correctly.

Thanks for the report and reproduction instructions!
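
The manual `strings /usr/bin/php | grep X-Powered` check from the reply above, written as a chunked scan that also handles an evidence string split across a read boundary. This is an added example, not Syft's php-cli classifier and not code from either poster; the regex and the names `find_php_version`, `EVIDENCE` and `OVERLAP` are assumptions, and the sample bytes are constructed.

```python
import io
import re
import sys

# Assumed pattern, modelled on the string shown in the thread:
#   X-Powered-By: PHP/5.6.40-29+ubuntu18.04.1+deb.sury.org+1
# group(1) = full version with distro suffix, group(2) = upstream version.
EVIDENCE = re.compile(rb"X-Powered-By: PHP/((\d+\.\d+\.\d+)[0-9A-Za-z.+~-]*)")
# Bytes of the previous window kept so a string straddling two reads is seen whole.
OVERLAP = 256


def find_php_version(stream, chunk_size=64 * 1024):
    """Return (upstream_version, full_version) found in a binary stream, or None."""
    window = b""
    while True:
        chunk = stream.read(chunk_size)
        window += chunk
        m = EVIDENCE.search(window)
        # Accept a match only when a byte follows it or the stream has ended;
        # otherwise the version could be cut short by the read boundary.
        if m and (m.end() < len(window) or not chunk):
            return m.group(2).decode(), m.group(1).decode()
        if not chunk:
            return None
        # Keep a possibly truncated match from its start, else only the overlap.
        window = window[m.start():] if m else window[-OVERLAP:]


# Constructed sample: an ELF-like header, padding, then the evidence string.
SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 300
    + b"X-Powered-By: PHP/5.6.40-29+ubuntu18.04.1+deb.sury.org+1\x00"
    + b"\x00" * 64
)

if __name__ == "__main__":
    # With a path argument, scan that file; otherwise scan the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(find_php_version(fh))
    else:
        print(find_php_version(io.BytesIO(SAMPLE)))
```

A hit here only shows that the version string is present in the file; it says nothing about why a given classifier did or did not report it.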