anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0
6.07k stars, 562 forks

SYFT_PACKAGE_EXCLUDE_BINARY_OVERLAP_BY_OWNERSHIP=false is not working #2911

Open marinedayo opened 4 months ago

marinedayo commented 4 months ago

What happened:

SYFT_PACKAGE_EXCLUDE_BINARY_OVERLAP_BY_OWNERSHIP=false is not working in Syft v1.4.0 or later.

I am using Syft with SYFT_PACKAGE_EXCLUDE_BINARY_OVERLAP_BY_OWNERSHIP=false to output java installed via an RPM package as a CycloneDX component of type application. But it is not working. No components of type application are output.

It works fine when using Syft v1.3.0.

What you expected to happen:

I expect java, node, etc. installed via RPM packages to be output as CycloneDX components of type application.

Steps to reproduce the issue:

  1. For example, prepare the following container image named myapp:latest:

    FROM rockylinux:9
    RUN dnf install --debuglevel=1 -y java-21-openjdk
  2. Execute syft with SYFT_PACKAGE_EXCLUDE_BINARY_OVERLAP_BY_OWNERSHIP=false:

    $ SYFT_PACKAGE_EXCLUDE_BINARY_OVERLAP_BY_OWNERSHIP=false syft myapp:latest --output cyclonedx-json@1.5=java.cdx.json
  3. No components of type application are output:

    $ jq '.components | map(select(.type == "application") | .name)' java.cdx.json 
    []

Anything else we need to know?:

When a package's type is binary, it becomes application in the CycloneDX format. https://github.com/anchore/syft/blob/v1.5.0/syft/format/internal/cyclonedxutil/helpers/component.go#L39-L42

Environment:

$ syft version
Application: syft
Version:    1.5.0
BuildDate:  2024-05-28T15:11:44Z
GitCommit:  ac34808b9c55bb274b1205f9b5d9cf495239577d
GitDescription: v1.5.0
Platform:   linux/amd64
GoVersion:  go1.21.10
Compiler:   gc

kzantow commented 4 months ago

Thanks for the report @marinedayo -- I can confirm this on the latest Syft, 1.5.0, even with the base rockylinux:9 image. Binary packages are detected:

$ syft rockylinux:9 --select-catalogers binary -q | grep binary
bash     5.1.8    binary    
openssl  3.0.7    binary    
python   3.9.18   binary

... but none included with the aforementioned option:

$ SYFT_PACKAGE_EXCLUDE_BINARY_OVERLAP_BY_OWNERSHIP=false syft rockylinux:9 -q | grep binary

marinedayo commented 4 months ago

Thanks for the reply.

As you mentioned, other binaries are also installed with RPM packages in Rocky Linux, so it's the same thing.

Syft v1.5.0:

$ syft rockylinux:9 -q | grep binary
$ SYFT_PACKAGE_EXCLUDE_BINARY_OVERLAP_BY_OWNERSHIP=false syft rockylinux:9 -q | grep binary

Syft v1.3.0:

$ syft rockylinux:9 -q | grep binary
$ SYFT_PACKAGE_EXCLUDE_BINARY_OVERLAP_BY_OWNERSHIP=false syft rockylinux:9 -q | grep binary
bash                         5.1.8                          binary    
openssl                      3.0.7                          binary    
python                       3.9.18                         binary

marinedayo commented 3 months ago

Looks like it is affected by this commit https://github.com/anchore/syft/commit/4194a2cd34d2f15dd9a96774ba2fbc5463db4c58 in v1.4.0.

https://github.com/anchore/syft/blob/4194a2cd34d2f15dd9a96774ba2fbc5463db4c58/internal/relationship/finalize.go#L12-L28

Since the bash binary package is bash as an executable file, while the bash RPM package is bash as an RPM package (i.e., it contains files other than the bash executable), in my case I would prefer not to remove it.

I suggest a configuration option like SYFT_PACKAGE_EXCLUDE_BINARY_OVERLAP_BY_OWNERSHIP that skips this process.
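To make the behaviour under discussion concrete, here is an added, self-contained Go model of the two mechanisms the thread refers to: the "exclude binary packages that overlap an RPM by file ownership" step (the finalize.go link above) and the CycloneDX rule that a binary package is emitted as an application component (the component.go link in the report). This is example code written for this page, not Syft's own implementation or types; the `Package` struct, the `ExcludeBinaryOverlapByOwnership` function and its `exclude` flag (standing in for SYFT_PACKAGE_EXCLUDE_BINARY_OVERLAP_BY_OWNERSHIP), and the file paths in `SamplePackages` are all simplifying assumptions. The package names and versions in the sample match the bash/openssl/python lines shown in the thread; the extra `node` entry and its version are constructed to show the case of a binary no RPM owns.

```go
package main

import (
	"fmt"
	"sort"
)

// Package is a simplified stand-in for a Syft package record (constructed for
// this example, not Syft's own type).
type Package struct {
	Name      string
	Version   string
	Type      string   // "rpm" or "binary"
	Locations []string // file paths this package owns (rpm) or was found at (binary)
}

// ownedBy maps each file path to the names of the non-binary packages (here
// the RPMs) whose file manifest lists it. This is the "ownership" relationship
// the overlap filter keys on, modelled as a plain map for the example.
func ownedBy(pkgs []Package) map[string][]string {
	owners := map[string][]string{}
	for _, p := range pkgs {
		if p.Type == "binary" {
			continue
		}
		for _, loc := range p.Locations {
			owners[loc] = append(owners[loc], p.Name)
		}
	}
	return owners
}

// allOwned reports whether every location of a binary package is claimed by
// some RPM. A binary with no locations at all is never treated as owned.
func allOwned(locs []string, owners map[string][]string) bool {
	if len(locs) == 0 {
		return false
	}
	for _, l := range locs {
		if len(owners[l]) == 0 {
			return false
		}
	}
	return true
}

// ExcludeBinaryOverlapByOwnership drops binary packages whose every location
// is owned by an RPM when exclude is true, and returns the input unchanged
// when exclude is false. In this toy model the flag plays the role of
// SYFT_PACKAGE_EXCLUDE_BINARY_OVERLAP_BY_OWNERSHIP; the behaviour reported in
// the issue is that the false setting no longer has this effect in v1.4.0+.
func ExcludeBinaryOverlapByOwnership(pkgs []Package, exclude bool) []Package {
	if !exclude {
		return pkgs
	}
	owners := ownedBy(pkgs)
	var kept []Package
	for _, p := range pkgs {
		if p.Type == "binary" && allOwned(p.Locations, owners) {
			continue
		}
		kept = append(kept, p)
	}
	return kept
}

// CycloneDXComponentType models the mapping quoted in the report: a binary
// package is emitted as an "application" component, anything else here is
// reported as a "library" (simplified; real output has more cases).
func CycloneDXComponentType(p Package) string {
	if p.Type == "binary" {
		return "application"
	}
	return "library"
}

// ApplicationNames applies the filter and returns, sorted, the names that
// would appear under .components[] with type "application", i.e. what the jq
// query in the report lists.
func ApplicationNames(pkgs []Package, exclude bool) []string {
	var names []string
	for _, p := range ExcludeBinaryOverlapByOwnership(pkgs, exclude) {
		if CycloneDXComponentType(p) == "application" {
			names = append(names, p.Name)
		}
	}
	sort.Strings(names)
	return names
}

// SamplePackages is a constructed rockylinux:9-like inventory: the RPMs own
// the same files at which the binary cataloger finds bash, openssl and python.
// Paths, and the node entry and its version, are assumptions for the example.
func SamplePackages() []Package {
	return []Package{
		{Name: "bash", Version: "5.1.8", Type: "rpm", Locations: []string{"/usr/bin/bash", "/usr/share/doc/bash/README"}},
		{Name: "openssl", Version: "3.0.7", Type: "rpm", Locations: []string{"/usr/bin/openssl"}},
		{Name: "python3", Version: "3.9.18", Type: "rpm", Locations: []string{"/usr/bin/python3.9", "/usr/libexec/platform-python"}},
		{Name: "bash", Version: "5.1.8", Type: "binary", Locations: []string{"/usr/bin/bash"}},
		{Name: "openssl", Version: "3.0.7", Type: "binary", Locations: []string{"/usr/bin/openssl"}},
		{Name: "python", Version: "3.9.18", Type: "binary", Locations: []string{"/usr/bin/python3.9"}},
		// A binary no RPM claims, e.g. a tool copied into the image by hand.
		{Name: "node", Version: "20.0.0", Type: "binary", Locations: []string{"/opt/app/bin/node"}},
	}
}

func main() {
	for _, exclude := range []bool{true, false} {
		fmt.Printf("exclude=%v -> application components: %v\n", exclude, ApplicationNames(SamplePackages(), exclude))
	}
}
```

With `exclude=true` only `node` survives as an application component, which matches the v1.5.0 output in the thread where the RPM-owned binaries vanish; with `exclude=false` bash, openssl and python are kept alongside node, which is what the reporter sees on v1.3.0 and is asking to get back. The filter only drops a binary when all of its locations are RPM-owned, so a binary found at a path outside the RPM database is always reported.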