anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0
8.48k stars, 549 forks

Different results scanning PHP SBOMs generated by cdxgen and Syft #2037

Open metametadata opened 1 month ago

metametadata commented 1 month ago

What happened:

I'm working on detecting vulns in a PHP project and I get quite different results when scanning and I'm not sure if it's expected or there could be something to improve in Grype, Syft or cdxgen. I've created a minimal example to demonstrate the problem.

cdxgen + Grype:

```
~/dev/composer_issue ᐅ grype --add-cpes-if-none sbom:cdxgen.json
 ✔ Vulnerability DB                [no update available]
 ✔ Scanned for vulnerabilities     [1 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 1 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 1 not-fixed, 0 ignored
NAME    INSTALLED  FIXED-IN  TYPE          VULNERABILITY  SEVERITY
jquery  3.7.1                php-composer  CVE-2007-2379  Medium
```

Syft + Grype:

```
~/dev/composer_issue ᐅ grype --add-cpes-if-none sbom:syft.json
 ✔ Vulnerability DB                [no update available]
 ✔ Scanned for vulnerabilities     [2 vulnerability matches]
   ├── by severity: 0 critical, 1 high, 1 medium, 0 low, 0 negligible
   └── by status:   2 fixed, 0 not-fixed, 0 ignored
NAME          INSTALLED  FIXED-IN  TYPE          VULNERABILITY        SEVERITY
yiisoft/yii2  2.0.49.2   2.0.49.4  php-composer  GHSA-cjcc-p67m-7qxm  High
yiisoft/yii2  2.0.49.2   2.0.49.4  php-composer  GHSA-qg5r-95m4-mjgj  Medium
```

As we can see, completely different vulns are detected.

What you expected to happen:

Same results in the two scenarios.

How to reproduce it (as minimally and precisely as possible):

PHP composer.json:

```json
{
  "name": "example/php_sbom_issue",
  "require": {
    "yiisoft/yii2": "2.0.49.2"
  },
  "repositories": [
    {
      "type": "composer",
      "url": "https://asset-packagist.org"
    }
  ],
  "config": {
    "allow-plugins": {
      "yiisoft/yii2-composer": true
    }
  }
}
```

composer.lock generated via composer update --no-install:

```json
{ "_readme": [ "This file locks the dependencies of your project to a known state", "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], "content-hash": "de1bd552949dd523bc63bbf9630f3ab5", "packages": [ { "name": "bower-asset/inputmask", "version": "5.0.9", "source": { "type": "git", "url": "https://github.com/RobinHerbots/Inputmask.git", "reference": "310a33557e2944daf86d5946a5e8c82b9118f8f7" }, "dist": { "type": "zip", "url": "https://api.github.com/repos/RobinHerbots/Inputmask/zipball/310a33557e2944daf86d5946a5e8c82b9118f8f7", "reference": "310a33557e2944daf86d5946a5e8c82b9118f8f7" }, "require": { "bower-asset/jquery": ">=1.7" }, "type": "bower-asset", "license": [ "http://opensource.org/licenses/mit-license.php" ] }, { "name": "bower-asset/jquery", "version": "3.7.1", "source": { "type": "git", "url": "https://github.com/jquery/jquery-dist.git", "reference": "fde1f76e2799dd877c176abde0ec836553246991" }, "dist": { "type": "zip", "url": "https://api.github.com/repos/jquery/jquery-dist/zipball/fde1f76e2799dd877c176abde0ec836553246991", "reference": "fde1f76e2799dd877c176abde0ec836553246991" }, "type": "bower-asset", "license": [ "MIT" ] }, { "name": "bower-asset/punycode", "version": "v2.2.3", "source": { "type": "git", "url": "https://github.com/mathiasbynens/punycode.js.git", "reference": "46d412120e2feb868876769a9847790ba278c882" }, "dist": { "type": "zip", "url": "https://api.github.com/repos/mathiasbynens/punycode.js/zipball/46d412120e2feb868876769a9847790ba278c882", "reference": "46d412120e2feb868876769a9847790ba278c882" }, "type": "bower-asset" }, { "name": "bower-asset/yii2-pjax", "version": "2.0.8", "source": { "type": "git", "url": "git@github.com:yiisoft/jquery-pjax.git", "reference": "a9298d57da63d14a950f1b94366a864bc62264fb" }, "dist": { "type": "zip", "url":
"https://api.github.com/repos/yiisoft/jquery-pjax/zipball/a9298d57da63d14a950f1b94366a864bc62264fb", "reference": "a9298d57da63d14a950f1b94366a864bc62264fb" }, "require": { "bower-asset/jquery": ">=1.8" }, "type": "bower-asset", "license": [ "MIT" ] }, { "name": "cebe/markdown", "version": "1.2.1", "source": { "type": "git", "url": "https://github.com/cebe/markdown.git", "reference": "9bac5e971dd391e2802dca5400bbeacbaea9eb86" }, "dist": { "type": "zip", "url": "https://api.github.com/repos/cebe/markdown/zipball/9bac5e971dd391e2802dca5400bbeacbaea9eb86", "reference": "9bac5e971dd391e2802dca5400bbeacbaea9eb86", "shasum": "" }, "require": { "lib-pcre": "*", "php": ">=5.4.0" }, "require-dev": { "cebe/indent": "*", "facebook/xhprof": "*@dev", "phpunit/phpunit": "4.1.*" }, "bin": [ "bin/markdown" ], "type": "library", "extra": { "branch-alias": { "dev-master": "1.2.x-dev" } }, "autoload": { "psr-4": { "cebe\\markdown\\": "" } }, "notification-url": "https://packagist.org/downloads/", "license": [ "MIT" ], "authors": [ { "name": "Carsten Brandt", "email": "mail@cebe.cc", "homepage": "http://cebe.cc/", "role": "Creator" } ], "description": "A super fast, highly extensible markdown parser for PHP", "homepage": "https://github.com/cebe/markdown#readme", "keywords": [ "extensible", "fast", "gfm", "markdown", "markdown-extra" ], "support": { "issues": "https://github.com/cebe/markdown/issues", "source": "https://github.com/cebe/markdown" }, "time": "2018-03-26T11:24:36+00:00" }, { "name": "ezyang/htmlpurifier", "version": "v4.17.0", "source": { "type": "git", "url": "https://github.com/ezyang/htmlpurifier.git", "reference": "bbc513d79acf6691fa9cf10f192c90dd2957f18c" }, "dist": { "type": "zip", "url": "https://api.github.com/repos/ezyang/htmlpurifier/zipball/bbc513d79acf6691fa9cf10f192c90dd2957f18c", "reference": "bbc513d79acf6691fa9cf10f192c90dd2957f18c", "shasum": "" }, "require": { "php": "~5.6.0 || ~7.0.0 || ~7.1.0 || ~7.2.0 || ~7.3.0 || ~7.4.0 || ~8.0.0 || ~8.1.0 || ~8.2.0 || ~8.3.0" }, "require-dev": { "cerdic/css-tidy": "^1.7 || ^2.0", "simpletest/simpletest": "dev-master" }, "suggest": { "cerdic/css-tidy": "If you want to use the filter 'Filter.ExtractStyleBlocks'.", "ext-bcmath": "Used for unit conversion and imagecrash protection", "ext-iconv": "Converts text to and from non-UTF-8 encodings", "ext-tidy": "Used for pretty-printing HTML" }, "type": "library", "autoload": { "files": [ "library/HTMLPurifier.composer.php" ], "psr-0": { "HTMLPurifier": "library/" }, "exclude-from-classmap": [ "/library/HTMLPurifier/Language/" ] }, "notification-url": "https://packagist.org/downloads/", "license": [ "LGPL-2.1-or-later" ], "authors": [ { "name": "Edward Z. Yang", "email": "admin@htmlpurifier.org", "homepage": "http://ezyang.com" } ], "description": "Standards compliant HTML filter written in PHP", "homepage": "http://htmlpurifier.org/", "keywords": [ "html" ], "support": { "issues": "https://github.com/ezyang/htmlpurifier/issues", "source": "https://github.com/ezyang/htmlpurifier/tree/v4.17.0" }, "time": "2023-11-17T15:01:25+00:00" }, { "name": "paragonie/random_compat", "version": "v9.99.100", "source": { "type": "git", "url": "https://github.com/paragonie/random_compat.git", "reference": "996434e5492cb4c3edcb9168db6fbb1359ef965a" }, "dist": { "type": "zip", "url": "https://api.github.com/repos/paragonie/random_compat/zipball/996434e5492cb4c3edcb9168db6fbb1359ef965a", "reference": "996434e5492cb4c3edcb9168db6fbb1359ef965a", "shasum": "" }, "require": { "php": ">= 7" }, "require-dev": { "phpunit/phpunit": "4.*|5.*", "vimeo/psalm": "^1" }, "suggest": { "ext-libsodium": "Provides a modern crypto API that can be used to generate random bytes."
}, "type": "library", "notification-url": "https://packagist.org/downloads/", "license": [ "MIT" ], "authors": [ { "name": "Paragon Initiative Enterprises", "email": "security@paragonie.com", "homepage": "https://paragonie.com" } ], "description": "PHP 5.x polyfill for random_bytes() and random_int() from PHP 7", "keywords": [ "csprng", "polyfill", "pseudorandom", "random" ], "support": { "email": "info@paragonie.com", "issues": "https://github.com/paragonie/random_compat/issues", "source": "https://github.com/paragonie/random_compat" }, "time": "2020-10-15T08:29:30+00:00" }, { "name": "yiisoft/yii2", "version": "2.0.49.2", "source": { "type": "git", "url": "https://github.com/yiisoft/yii2-framework.git", "reference": "7d38bf7584acbe838a8d08e40e949b6393162441" }, "dist": { "type": "zip", "url": "https://api.github.com/repos/yiisoft/yii2-framework/zipball/7d38bf7584acbe838a8d08e40e949b6393162441", "reference": "7d38bf7584acbe838a8d08e40e949b6393162441", "shasum": "" }, "require": { "bower-asset/inputmask": "~3.2.2 | ~3.3.5 | ~5.0.8 ", "bower-asset/jquery": "3.7.*@stable | 3.6.*@stable | 3.5.*@stable | 3.4.*@stable | 3.3.*@stable | 3.2.*@stable | 3.1.*@stable | 2.2.*@stable | 2.1.*@stable | 1.11.*@stable | 1.12.*@stable", "bower-asset/punycode": "1.3.* | 2.2.*", "bower-asset/yii2-pjax": "~2.0.1", "cebe/markdown": "~1.0.0 | ~1.1.0 | ~1.2.0", "ext-ctype": "*", "ext-mbstring": "*", "ezyang/htmlpurifier": "^4.6", "lib-pcre": "*", "paragonie/random_compat": ">=1", "php": ">=5.4.0", "yiisoft/yii2-composer": "~2.0.4" }, "bin": [ "yii" ], "type": "library", "extra": { "branch-alias": { "dev-master": "2.0.x-dev" } }, "autoload": { "psr-4": { "yii\\": "" } }, "notification-url": "https://packagist.org/downloads/", "license": [ "BSD-3-Clause" ], "authors": [ { "name": "Qiang Xue", "email": "qiang.xue@gmail.com", "homepage": "https://www.yiiframework.com/", "role": "Founder and project lead" }, { "name": "Alexander Makarov", "email": "sam@rmcreative.ru", "homepage":
"https://rmcreative.ru/", "role": "Core framework development" }, { "name": "Maurizio Domba", "homepage": "http://mdomba.info/", "role": "Core framework development" }, { "name": "Carsten Brandt", "email": "mail@cebe.cc", "homepage": "https://www.cebe.cc/", "role": "Core framework development" }, { "name": "Timur Ruziev", "email": "resurtm@gmail.com", "homepage": "http://resurtm.com/", "role": "Core framework development" }, { "name": "Paul Klimov", "email": "klimov.paul@gmail.com", "role": "Core framework development" }, { "name": "Dmitry Naumenko", "email": "d.naumenko.a@gmail.com", "role": "Core framework development" }, { "name": "Boudewijn Vahrmeijer", "email": "info@dynasource.eu", "homepage": "http://dynasource.eu", "role": "Core framework development" } ], "description": "Yii PHP Framework Version 2", "homepage": "https://www.yiiframework.com/", "keywords": [ "framework", "yii2" ], "support": { "forum": "https://forum.yiiframework.com/", "irc": "ircs://irc.libera.chat:6697/yii", "issues": "https://github.com/yiisoft/yii2/issues?state=open", "source": "https://github.com/yiisoft/yii2", "wiki": "https://www.yiiframework.com/wiki" }, "funding": [ { "url": "https://github.com/yiisoft", "type": "github" }, { "url": "https://opencollective.com/yiisoft", "type": "open_collective" }, { "url": "https://tidelift.com/funding/github/packagist/yiisoft/yii2", "type": "tidelift" } ], "time": "2023-10-12T15:46:26+00:00" }, { "name": "yiisoft/yii2-composer", "version": "2.0.10", "source": { "type": "git", "url": "https://github.com/yiisoft/yii2-composer.git", "reference": "94bb3f66e779e2774f8776d6e1bdeab402940510" }, "dist": { "type": "zip", "url": "https://api.github.com/repos/yiisoft/yii2-composer/zipball/94bb3f66e779e2774f8776d6e1bdeab402940510", "reference": "94bb3f66e779e2774f8776d6e1bdeab402940510", "shasum": "" }, "require": { "composer-plugin-api": "^1.0 | ^2.0" }, "require-dev": { "composer/composer": "^1.0 | ^2.0@dev", "phpunit/phpunit": "<7" }, "type":
"composer-plugin", "extra": { "class": "yii\\composer\\Plugin", "branch-alias": { "dev-master": "2.0.x-dev" } }, "autoload": { "psr-4": { "yii\\composer\\": "" } }, "notification-url": "https://packagist.org/downloads/", "license": [ "BSD-3-Clause" ], "authors": [ { "name": "Qiang Xue", "email": "qiang.xue@gmail.com" }, { "name": "Carsten Brandt", "email": "mail@cebe.cc" } ], "description": "The composer plugin for Yii extension installer", "keywords": [ "composer", "extension installer", "yii2" ], "support": { "forum": "http://www.yiiframework.com/forum/", "irc": "irc://irc.freenode.net/yii", "issues": "https://github.com/yiisoft/yii2-composer/issues", "source": "https://github.com/yiisoft/yii2-composer", "wiki": "http://www.yiiframework.com/wiki/" }, "funding": [ { "url": "https://github.com/yiisoft", "type": "github" }, { "url": "https://opencollective.com/yiisoft", "type": "open_collective" }, { "url": "https://tidelift.com/funding/github/packagist/yiisoft/yii2-composer", "type": "tidelift" } ], "time": "2020-06-24T00:04:01+00:00" } ], "packages-dev": [], "aliases": [], "minimum-stability": "stable", "stability-flags": [], "prefer-stable": false, "prefer-lowest": false, "platform": [], "platform-dev": [], "plugin-api-version": "2.6.0" }
```

Commands to generate SBOMs:

```sh
CDXGEN_DEBUG_MODE=debug cdxgen --output cdxgen.json .
syft -o cyclonedx-json composer.lock > syft.json
```

Generated cdxgen.json SBOM:

```json
{ "bomFormat": "CycloneDX", "specVersion": "1.5", "serialNumber": "urn:uuid:f108f84c-51a3-4f75-84ae-27eaf31d1390", "version": 1, "metadata": { "timestamp": "2024-08-06T22:07:01Z", "tools": { "components": [ { "group": "@cyclonedx", "name": "cdxgen", "version": "10.8.1", "purl": "pkg:npm/%40cyclonedx/cdxgen@10.8.1", "type": "application", "bom-ref": "pkg:npm/@cyclonedx/cdxgen@10.8.1", "author": "OWASP Foundation", "publisher": "OWASP Foundation" } ] }, "authors": [ { "name": "OWASP Foundation" } ], "lifecycles": [ { "phase": "build" } ], "component": { "group": "example", "name": "php_sbom_issue", "type": "application", "version": "latest", "bom-ref": "pkg:composer/example/php_sbom_issue@latest", "purl": "pkg:composer/example/php_sbom_issue%40latest", "components": [ { "group": "", "name": "composer_issue", "version": "latest", "type": "application", "bom-ref": "pkg:gem/composer_issue@latest", "purl": "pkg:gem/composer_issue@latest" } ] }, "properties": [ { "name": "cdx:bom:componentTypes", "value": "composer" }, { "name": "cdx:bom:componentNamespaces", "value": "bower-asset\\ncebe\\nezyang\\nparagonie\\nyiisoft" } ] }, "components": [ { "group": "bower-asset", "name": "inputmask", "version": "5.0.9", "scope": "required", "licenses": [ { "license": { "id": "MIT", "url": "http://opensource.org/licenses/mit-license.php" } } ], "purl": "pkg:composer/bower-asset/inputmask@5.0.9", "externalReferences": [ { "type": "vcs", "url": "https://github.com/RobinHerbots/Inputmask.git" } ], "type": "library", "bom-ref": "pkg:composer/bower-asset/inputmask@5.0.9", "evidence": { "identity": { "field": "purl", "confidence": 1, "methods": [ { "technique": "manifest-analysis", "confidence": 1, "value": "/Users/yuri/dev/composer_issue/composer.lock" } ] } }, "properties": [ { "name": "SrcFile", "value": "/Users/yuri/dev/composer_issue/composer.lock" } ] }, { "group": "bower-asset", "name": "jquery", "version": "3.7.1", "scope": "required", "licenses": [ { "license": {
"id": "MIT", "url": "https://opensource.org/licenses/MIT" } } ], "purl": "pkg:composer/bower-asset/jquery@3.7.1", "externalReferences": [ { "type": "vcs", "url": "https://github.com/jquery/jquery-dist.git" } ], "type": "framework", "bom-ref": "pkg:composer/bower-asset/jquery@3.7.1", "evidence": { "identity": { "field": "purl", "confidence": 1, "methods": [ { "technique": "manifest-analysis", "confidence": 1, "value": "/Users/yuri/dev/composer_issue/composer.lock" } ] } }, "properties": [ { "name": "SrcFile", "value": "/Users/yuri/dev/composer_issue/composer.lock" } ] }, { "group": "bower-asset", "name": "punycode", "version": "v2.2.3", "scope": "required", "purl": "pkg:composer/bower-asset/punycode@v2.2.3", "externalReferences": [ { "type": "vcs", "url": "https://github.com/mathiasbynens/punycode.js.git" } ], "type": "library", "bom-ref": "pkg:composer/bower-asset/punycode@v2.2.3", "evidence": { "identity": { "field": "purl", "confidence": 1, "methods": [ { "technique": "manifest-analysis", "confidence": 1, "value": "/Users/yuri/dev/composer_issue/composer.lock" } ] } }, "properties": [ { "name": "SrcFile", "value": "/Users/yuri/dev/composer_issue/composer.lock" } ] }, { "group": "bower-asset", "name": "yii2-pjax", "version": "2.0.8", "scope": "required", "licenses": [ { "license": { "id": "MIT", "url": "https://opensource.org/licenses/MIT" } } ], "purl": "pkg:composer/bower-asset/yii2-pjax@2.0.8", "type": "library", "bom-ref": "pkg:composer/bower-asset/yii2-pjax@2.0.8", "evidence": { "identity": { "field": "purl", "confidence": 1, "methods": [ { "technique": "manifest-analysis", "confidence": 1, "value": "/Users/yuri/dev/composer_issue/composer.lock" } ] } }, "properties": [ { "name": "SrcFile", "value": "/Users/yuri/dev/composer_issue/composer.lock" } ] }, { "group": "cebe", "name": "markdown", "version": "1.2.1", "description": "A super fast, highly extensible markdown parser for PHP", "scope": "required", "licenses": [ { "license": { "id": "MIT", "url":
"https://opensource.org/licenses/MIT" } } ], "purl": "pkg:composer/cebe/markdown@1.2.1", "externalReferences": [ { "type": "vcs", "url": "https://github.com/cebe/markdown.git" } ], "type": "library", "bom-ref": "pkg:composer/cebe/markdown@1.2.1", "evidence": { "identity": { "field": "purl", "confidence": 1, "methods": [ { "technique": "manifest-analysis", "confidence": 1, "value": "/Users/yuri/dev/composer_issue/composer.lock" } ] } }, "properties": [ { "name": "SrcFile", "value": "/Users/yuri/dev/composer_issue/composer.lock" }, { "name": "Namespaces", "value": "cebe\\markdown\\" } ] }, { "group": "ezyang", "name": "htmlpurifier", "version": "v4.17.0", "description": "Standards compliant HTML filter written in PHP", "scope": "required", "licenses": [ { "license": { "id": "LGPL-2.1-or-later", "url": "https://opensource.org/licenses/LGPL-2.1-or-later" } } ], "purl": "pkg:composer/ezyang/htmlpurifier@v4.17.0", "externalReferences": [ { "type": "vcs", "url": "https://github.com/ezyang/htmlpurifier.git" } ], "type": "library", "bom-ref": "pkg:composer/ezyang/htmlpurifier@v4.17.0", "evidence": { "identity": { "field": "purl", "confidence": 1, "methods": [ { "technique": "manifest-analysis", "confidence": 1, "value": "/Users/yuri/dev/composer_issue/composer.lock" } ] } }, "properties": [ { "name": "SrcFile", "value": "/Users/yuri/dev/composer_issue/composer.lock" }, { "name": "Namespaces", "value": "HTMLPurifier" } ] }, { "group": "paragonie", "name": "random_compat", "version": "v9.99.100", "description": "PHP 5.x polyfill for random_bytes() and random_int() from PHP 7", "scope": "required", "licenses": [ { "license": { "id": "MIT", "url": "https://opensource.org/licenses/MIT" } } ], "purl": "pkg:composer/paragonie/random_compat@v9.99.100", "externalReferences": [ { "type": "vcs", "url": "https://github.com/paragonie/random_compat.git" } ], "type": "library", "bom-ref": "pkg:composer/paragonie/random_compat@v9.99.100", "evidence": { "identity": { "field": "purl",
"confidence": 1, "methods": [ { "technique": "manifest-analysis", "confidence": 1, "value": "/Users/yuri/dev/composer_issue/composer.lock" } ] } }, "properties": [ { "name": "SrcFile", "value": "/Users/yuri/dev/composer_issue/composer.lock" } ] }, { "group": "yiisoft", "name": "yii2", "version": "2.0.49.2", "description": "Yii PHP Framework Version 2", "scope": "required", "licenses": [ { "license": { "id": "BSD-3-Clause", "url": "https://opensource.org/licenses/BSD-3-Clause" } } ], "purl": "pkg:composer/yiisoft/yii2@2.0.49.2", "externalReferences": [ { "type": "vcs", "url": "https://github.com/yiisoft/yii2-framework.git" } ], "type": "framework", "bom-ref": "pkg:composer/yiisoft/yii2@2.0.49.2", "evidence": { "identity": { "field": "purl", "confidence": 1, "methods": [ { "technique": "manifest-analysis", "confidence": 1, "value": "/Users/yuri/dev/composer_issue/composer.lock" } ] } }, "properties": [ { "name": "SrcFile", "value": "/Users/yuri/dev/composer_issue/composer.lock" }, { "name": "Namespaces", "value": "yii\\" } ] }, { "group": "yiisoft", "name": "yii2-composer", "version": "2.0.10", "description": "The composer plugin for Yii extension installer", "scope": "required", "licenses": [ { "license": { "id": "BSD-3-Clause", "url": "https://opensource.org/licenses/BSD-3-Clause" } } ], "purl": "pkg:composer/yiisoft/yii2-composer@2.0.10", "externalReferences": [ { "type": "vcs", "url": "https://github.com/yiisoft/yii2-composer.git" } ], "type": "framework", "bom-ref": "pkg:composer/yiisoft/yii2-composer@2.0.10", "evidence": { "identity": { "field": "purl", "confidence": 1, "methods": [ { "technique": "manifest-analysis", "confidence": 1, "value": "/Users/yuri/dev/composer_issue/composer.lock" } ] } }, "properties": [ { "name": "SrcFile", "value": "/Users/yuri/dev/composer_issue/composer.lock" }, { "name": "Namespaces", "value": "yii\\composer\\" } ] } ], "services": [], "dependencies": [ { "ref": "pkg:composer/example/php_sbom_issue@latest", "dependsOn": [
"pkg:composer/yiisoft/yii2@2.0.49.2" ] }, { "ref": "pkg:composer/bower-asset/inputmask@5.0.9", "dependsOn": [ "pkg:composer/bower-asset/jquery@3.7.1" ] }, { "ref": "pkg:composer/bower-asset/jquery@3.7.1", "dependsOn": [] }, { "ref": "pkg:composer/bower-asset/punycode@v2.2.3", "dependsOn": [] }, { "ref": "pkg:composer/bower-asset/yii2-pjax@2.0.8", "dependsOn": [ "pkg:composer/bower-asset/jquery@3.7.1" ] }, { "ref": "pkg:composer/cebe/markdown@1.2.1", "dependsOn": [] }, { "ref": "pkg:composer/ezyang/htmlpurifier@v4.17.0", "dependsOn": [] }, { "ref": "pkg:composer/paragonie/random_compat@v9.99.100", "dependsOn": [] }, { "ref": "pkg:composer/yiisoft/yii2@2.0.49.2", "dependsOn": [ "pkg:composer/bower-asset/inputmask@5.0.9", "pkg:composer/bower-asset/jquery@3.7.1", "pkg:composer/bower-asset/punycode@v2.2.3", "pkg:composer/bower-asset/yii2-pjax@2.0.8", "pkg:composer/cebe/markdown@1.2.1", "pkg:composer/ezyang/htmlpurifier@v4.17.0", "pkg:composer/paragonie/random_compat@v9.99.100", "pkg:composer/yiisoft/yii2-composer@2.0.10" ] }, { "ref": "pkg:composer/yiisoft/yii2-composer@2.0.10", "dependsOn": [] } ] }
```

Generated syft.json SBOM:

```json
{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:93dd2a98-ace9-48b4-8a3d-f9c21b6f5925", "version": 1, "metadata": { "timestamp": "2024-08-07T01:07:10+03:00", "tools": { "components": [ { "type": "application", "author": "anchore", "name": "syft", "version": "1.9.0" } ] }, "component": { "bom-ref": "280526f80efd5b66", "type": "file", "name": "composer.lock", "version": "sha256:fa49da4efa632d3f4871a5faaf2b891adddcb25024d480decb71cb7921139eb7" } }, "components": [ { "bom-ref": "pkg:composer/bower-asset/inputmask@5.0.9?package-id=f8aba670d7b79f5d", "type": "library", "name": "bower-asset/inputmask", "version": "5.0.9", "licenses": [ { "license": { "name": "http://opensource.org/licenses/mit-license.php" } } ], "cpe": "cpe:2.3:a:bower-asset\\/inputmask:bower-asset\\/inputmask:5.0.9:*:*:*:*:*:*:*", "purl": "pkg:composer/bower-asset/inputmask@5.0.9", "properties": [ { "name": "syft:package:foundBy", "value": "php-composer-lock-cataloger" }, { "name": "syft:package:language", "value": "php" }, { "name": "syft:package:type", "value": "php-composer" }, { "name": "syft:package:metadataType", "value": "php-composer-lock-entry" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower-asset\\/inputmask:bower_asset\\/inputmask:5.0.9:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower_asset\\/inputmask:bower-asset\\/inputmask:5.0.9:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower_asset\\/inputmask:bower_asset\\/inputmask:5.0.9:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower:bower-asset\\/inputmask:5.0.9:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower:bower_asset\\/inputmask:5.0.9:*:*:*:*:*:*:*" }, { "name": "syft:location:0:path", "value": "/composer.lock" } ] }, { "bom-ref": "pkg:composer/bower-asset/jquery@3.7.1?package-id=c88c3e90f3660303", "type": "library", "name": "bower-asset/jquery", "version":
"3.7.1", "licenses": [ { "license": { "id": "MIT" } } ], "cpe": "cpe:2.3:a:bower-asset\\/jquery:bower-asset\\/jquery:3.7.1:*:*:*:*:*:*:*", "purl": "pkg:composer/bower-asset/jquery@3.7.1", "properties": [ { "name": "syft:package:foundBy", "value": "php-composer-lock-cataloger" }, { "name": "syft:package:language", "value": "php" }, { "name": "syft:package:type", "value": "php-composer" }, { "name": "syft:package:metadataType", "value": "php-composer-lock-entry" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower-asset\\/jquery:bower_asset\\/jquery:3.7.1:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower_asset\\/jquery:bower-asset\\/jquery:3.7.1:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower_asset\\/jquery:bower_asset\\/jquery:3.7.1:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower:bower-asset\\/jquery:3.7.1:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower:bower_asset\\/jquery:3.7.1:*:*:*:*:*:*:*" }, { "name": "syft:location:0:path", "value": "/composer.lock" } ] }, { "bom-ref": "pkg:composer/bower-asset/punycode@v2.2.3?package-id=9852900b72cb9bf9", "type": "library", "name": "bower-asset/punycode", "version": "v2.2.3", "cpe": "cpe:2.3:a:bower-asset\\/punycode:bower-asset\\/punycode:v2.2.3:*:*:*:*:*:*:*", "purl": "pkg:composer/bower-asset/punycode@v2.2.3", "properties": [ { "name": "syft:package:foundBy", "value": "php-composer-lock-cataloger" }, { "name": "syft:package:language", "value": "php" }, { "name": "syft:package:type", "value": "php-composer" }, { "name": "syft:package:metadataType", "value": "php-composer-lock-entry" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower-asset\\/punycode:bower_asset\\/punycode:v2.2.3:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower_asset\\/punycode:bower-asset\\/punycode:v2.2.3:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower_asset\\/punycode:bower_asset\\/punycode:v2.2.3:*:*:*:*:*:*:*" }, { "name": "syft:cpe23",
"value": "cpe:2.3:a:bower:bower-asset\\/punycode:v2.2.3:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower:bower_asset\\/punycode:v2.2.3:*:*:*:*:*:*:*" }, { "name": "syft:location:0:path", "value": "/composer.lock" } ] }, { "bom-ref": "pkg:composer/bower-asset/yii2-pjax@2.0.8?package-id=3678ef28348a125a", "type": "library", "name": "bower-asset/yii2-pjax", "version": "2.0.8", "licenses": [ { "license": { "id": "MIT" } } ], "cpe": "cpe:2.3:a:bower-asset\\/yii2-pjax:bower-asset\\/yii2-pjax:2.0.8:*:*:*:*:*:*:*", "purl": "pkg:composer/bower-asset/yii2-pjax@2.0.8", "properties": [ { "name": "syft:package:foundBy", "value": "php-composer-lock-cataloger" }, { "name": "syft:package:language", "value": "php" }, { "name": "syft:package:type", "value": "php-composer" }, { "name": "syft:package:metadataType", "value": "php-composer-lock-entry" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower-asset\\/yii2-pjax:bower_asset\\/yii2_pjax:2.0.8:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower_asset\\/yii2_pjax:bower-asset\\/yii2-pjax:2.0.8:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower_asset\\/yii2_pjax:bower_asset\\/yii2_pjax:2.0.8:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower-asset\\/yii2:bower-asset\\/yii2-pjax:2.0.8:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower-asset\\/yii2:bower_asset\\/yii2_pjax:2.0.8:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower_asset\\/yii2:bower-asset\\/yii2-pjax:2.0.8:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower_asset\\/yii2:bower_asset\\/yii2_pjax:2.0.8:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower:bower-asset\\/yii2-pjax:2.0.8:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:bower:bower_asset\\/yii2_pjax:2.0.8:*:*:*:*:*:*:*" }, { "name": "syft:location:0:path", "value": "/composer.lock" } ] }, { "bom-ref": "pkg:composer/cebe/markdown@1.2.1?package-id=56cffb7a90fbdc65",
"type": "library", "name": "cebe/markdown", "version": "1.2.1", "licenses": [ { "license": { "id": "MIT" } } ], "cpe": "cpe:2.3:a:cebe\\/markdown:cebe\\/markdown:1.2.1:*:*:*:*:*:*:*", "purl": "pkg:composer/cebe/markdown@1.2.1", "properties": [ { "name": "syft:package:foundBy", "value": "php-composer-lock-cataloger" }, { "name": "syft:package:language", "value": "php" }, { "name": "syft:package:type", "value": "php-composer" }, { "name": "syft:package:metadataType", "value": "php-composer-lock-entry" }, { "name": "syft:location:0:path", "value": "/composer.lock" } ] }, { "bom-ref": "pkg:composer/ezyang/htmlpurifier@v4.17.0?package-id=1a01f1ab7bc76032", "type": "library", "name": "ezyang/htmlpurifier", "version": "v4.17.0", "licenses": [ { "license": { "id": "LGPL-2.1-or-later" } } ], "cpe": "cpe:2.3:a:ezyang\\/htmlpurifier:ezyang\\/htmlpurifier:v4.17.0:*:*:*:*:*:*:*", "purl": "pkg:composer/ezyang/htmlpurifier@v4.17.0", "properties": [ { "name": "syft:package:foundBy", "value": "php-composer-lock-cataloger" }, { "name": "syft:package:language", "value": "php" }, { "name": "syft:package:type", "value": "php-composer" }, { "name": "syft:package:metadataType", "value": "php-composer-lock-entry" }, { "name": "syft:location:0:path", "value": "/composer.lock" } ] }, { "bom-ref": "pkg:composer/paragonie/random_compat@v9.99.100?package-id=dc7a937336b89997", "type": "library", "name": "paragonie/random_compat", "version": "v9.99.100", "licenses": [ { "license": { "id": "MIT" } } ], "cpe": "cpe:2.3:a:paragonie\\/random-compat:paragonie\\/random-compat:v9.99.100:*:*:*:*:*:*:*", "purl": "pkg:composer/paragonie/random_compat@v9.99.100", "properties": [ { "name": "syft:package:foundBy", "value": "php-composer-lock-cataloger" }, { "name": "syft:package:language", "value": "php" }, { "name": "syft:package:type", "value": "php-composer" }, { "name": "syft:package:metadataType", "value": "php-composer-lock-entry" }, { "name": "syft:cpe23", "value":
"cpe:2.3:a:paragonie\\/random-compat:paragonie\\/random_compat:v9.99.100:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:paragonie\\/random_compat:paragonie\\/random-compat:v9.99.100:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:paragonie\\/random_compat:paragonie\\/random_compat:v9.99.100:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:paragonie\\/random:paragonie\\/random-compat:v9.99.100:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:paragonie\\/random:paragonie\\/random_compat:v9.99.100:*:*:*:*:*:*:*" }, { "name": "syft:location:0:path", "value": "/composer.lock" } ] }, { "bom-ref": "pkg:composer/yiisoft/yii2@2.0.49.2?package-id=69ac11cfcc2cf90c", "type": "library", "name": "yiisoft/yii2", "version": "2.0.49.2", "licenses": [ { "license": { "id": "BSD-3-Clause" } } ], "cpe": "cpe:2.3:a:yiisoft\\/yii2:yiisoft\\/yii2:2.0.49.2:*:*:*:*:*:*:*", "purl": "pkg:composer/yiisoft/yii2@2.0.49.2", "properties": [ { "name": "syft:package:foundBy", "value": "php-composer-lock-cataloger" }, { "name": "syft:package:language", "value": "php" }, { "name": "syft:package:type", "value": "php-composer" }, { "name": "syft:package:metadataType", "value": "php-composer-lock-entry" }, { "name": "syft:location:0:path", "value": "/composer.lock" } ] }, { "bom-ref": "pkg:composer/yiisoft/yii2-composer@2.0.10?package-id=9e649fc0c2007f55", "type": "library", "name": "yiisoft/yii2-composer", "version": "2.0.10", "licenses": [ { "license": { "id": "BSD-3-Clause" } } ], "cpe": "cpe:2.3:a:yiisoft\\/yii2-composer:yiisoft\\/yii2-composer:2.0.10:*:*:*:*:*:*:*", "purl": "pkg:composer/yiisoft/yii2-composer@2.0.10", "properties": [ { "name": "syft:package:foundBy", "value": "php-composer-lock-cataloger" }, { "name": "syft:package:language", "value": "php" }, { "name": "syft:package:type", "value": "php-composer" }, { "name": "syft:package:metadataType", "value": "php-composer-lock-entry" }, { "name": "syft:cpe23", "value":
"cpe:2.3:a:yiisoft\\/yii2-composer:yiisoft\\/yii2_composer:2.0.10:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:yiisoft\\/yii2_composer:yiisoft\\/yii2-composer:2.0.10:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:yiisoft\\/yii2_composer:yiisoft\\/yii2_composer:2.0.10:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:yiisoft\\/yii2:yiisoft\\/yii2-composer:2.0.10:*:*:*:*:*:*:*" }, { "name": "syft:cpe23", "value": "cpe:2.3:a:yiisoft\\/yii2:yiisoft\\/yii2_composer:2.0.10:*:*:*:*:*:*:*" }, { "name": "syft:location:0:path", "value": "/composer.lock" } ] } ] }
```

Anything else we need to know?:

Environment:

```
Application:         grype
Version:             0.79.4
BuildDate:           2024-07-31T15:05:32Z
GitCommit:           brew
GitDescription:      [not provided]
Platform:            darwin/arm64
GoVersion:           go1.22.5
Compiler:            gc
Syft Version:        v1.10.0
Supported DB Schema: 5
```

metametadata commented 1 month ago

Looks related: https://github.com/anchore/syft/issues/1202, https://github.com/anchore/syft/issues/2981.

metametadata commented 1 day ago

It looks like the significant difference between SBOMs is that cdxgen splits the name and group:

I see a similar problem with SBOMs generated from pnpm-lock.yaml.

SBOM by cdxgen:

```json
      "group": "@colors",
      "name": "colors",
      "version": "1.5.0",
```

SBOM by Syft:

```json
      "name": "@colors/colors",
      "version": "1.5.0",
```

This leads to a false positive (https://github.com/advisories/GHSA-gh88-3pxp-6fm8) when scanning cdxgen's SBOM:

```
NAME    INSTALLED  FIXED-IN  TYPE  VULNERABILITY        SEVERITY
colors  1.5.0                npm   GHSA-gh88-3pxp-6fm8  High
```
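An added illustration (not grype, Syft or cdxgen code) of the identity mismatch behind both the Composer results in the report and the pnpm false positive above: each component's name is normalised from its purl (or from group + name), and a name-only lookup reproduces the tool-dependent results while a purl-based one gives the same answer for both SBOMs. The component fragments and the advisory index are constructed from values quoted in this issue; version ranges are deliberately ignored.

```python
"""Normalise CycloneDX component identity from the purl (added illustration).

cdxgen writes the Composer/npm namespace into `group` ("bower-asset" + "jquery");
Syft keeps it inside `name` ("bower-asset/jquery"). A matcher keyed on the bare
`name` field therefore sees different packages in the two SBOMs. Keying on the
purl (or on group + name) makes both SBOMs describe the same packages.
"""
from urllib.parse import unquote

# Constructed CycloneDX component fragments modelled on the SBOMs in the issue.
CDXGEN_COMPONENTS = [
    {"group": "bower-asset", "name": "jquery", "version": "3.7.1",
     "purl": "pkg:composer/bower-asset/jquery@3.7.1"},
    {"group": "yiisoft", "name": "yii2", "version": "2.0.49.2",
     "purl": "pkg:composer/yiisoft/yii2@2.0.49.2"},
    {"group": "@colors", "name": "colors", "version": "1.5.0",
     "purl": "pkg:npm/%40colors/colors@1.5.0"},
]
SYFT_COMPONENTS = [
    {"name": "bower-asset/jquery", "version": "3.7.1",
     "purl": "pkg:composer/bower-asset/jquery@3.7.1"},
    # Syft's bom-ref form, with the ?package-id qualifier kept on purpose.
    {"name": "yiisoft/yii2", "version": "2.0.49.2",
     "purl": "pkg:composer/yiisoft/yii2@2.0.49.2?package-id=69ac11cfcc2cf90c"},
    {"name": "@colors/colors", "version": "1.5.0",
     "purl": "pkg:npm/%40colors/colors@1.5.0"},
]

# Constructed advisory index keyed on package name only. It uses the identifiers
# grype reported in this issue; ecosystems and version ranges are left out
# because only the identity question matters here.
ADVISORIES = {
    "jquery": ["CVE-2007-2379"],
    "yiisoft/yii2": ["GHSA-cjcc-p67m-7qxm", "GHSA-qg5r-95m4-mjgj"],
    "colors": ["GHSA-gh88-3pxp-6fm8"],
}


def parse_purl(purl: str) -> dict:
    """Split a package URL into type, namespace, name and version.

    Percent-encoded namespaces (pkg:npm/%40colors/colors) are decoded;
    qualifiers (?package-id=...) and subpaths (#...) are dropped.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    body = purl[len("pkg:"):].split("#", 1)[0].split("?", 1)[0]
    if "@" in body:
        # The version follows the last '@'; an npm scope written raw (@cyclonedx)
        # or encoded (%40colors) always sits before it, so rpartition is safe.
        path, _, version = body.rpartition("@")
    else:
        path, version = body, ""
    segments = [unquote(s) for s in path.strip("/").split("/")]
    if len(segments) < 2:
        raise ValueError(f"purl needs a type and a name: {purl!r}")
    ptype, *namespace, name = segments
    return {
        "type": ptype,
        "namespace": "/".join(namespace) or None,
        "name": name,
        "version": unquote(version) or None,
    }


def full_name(component: dict) -> str:
    """Namespace-qualified name ('bower-asset/jquery', '@colors/colors').

    Prefers the purl and falls back to group + name, so a cdxgen component
    and the matching Syft component normalise to the same string.
    """
    if component.get("purl"):
        p = parse_purl(component["purl"])
        return f"{p['namespace']}/{p['name']}" if p["namespace"] else p["name"]
    group = component.get("group")
    return f"{group}/{component['name']}" if group else component["name"]


def bare_name(component: dict) -> str:
    """What a name-only matcher sees: `name` exactly as the tool wrote it."""
    return component["name"]


def match(components, key, advisories=ADVISORIES) -> dict:
    """Map key(component) -> advisory ids for every component in the index."""
    hits = {}
    for component in components:
        k = key(component)
        if k in advisories:
            hits[k] = list(advisories[k])
    return hits


if __name__ == "__main__":
    for label, comps in (("cdxgen", CDXGEN_COMPONENTS), ("syft", SYFT_COMPONENTS)):
        print(f"{label:7} by bare name: {match(comps, bare_name)}")
        print(f"{label:7} by purl:      {match(comps, full_name)}")
```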