Add support for parsing .NET assemblies (#1943)

* Add support for parsing .NET assemblies

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>

Former-commit-id: 69c33fe4d77357d843c11590f3b07825bc6249ac

* Add dll and exe files

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>

Former-commit-id: b9d204efa6d2ef385b5fbb7a59a3474ecabea641

* Add PE cataloger to directory catalogers

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>

Former-commit-id: 9711c00d9da92e2887e0c1f92edd740ea5345849

* Don't set language to dotnet for PEs

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>

Former-commit-id: 368313fddac9160d8a06a01ebe8c5ac7990232f5

* Fix spelling of cataloger in constructor

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>

Former-commit-id: e42fd77b2f8b6d42e076a84f6cce386861260941

* Adjust which cases in PE parsing return errors

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>

Former-commit-id: 95b25f8fc3a7d4e18fe30e489b09851f316795ff

* remove build binary from branch

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

Former-commit-id: fa54c0d0aef0998d5520e9f44cae51f5f9cd38a2

* Fix failing CLI tests

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>

---------

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>

go.mod

@@ -69,6 +69,7 @@ require (
 	github.com/invopop/jsonschema v0.7.0
 	github.com/knqyf263/go-rpmdb v0.0.0-20230301153543-ba94b245509b
 	github.com/opencontainers/go-digest v1.0.0
+	github.com/saferwall/pe v1.4.4
 	github.com/sassoftware/go-rpmutils v0.2.0
 	github.com/vbatts/go-mtree v0.5.3
 	github.com/zyedidia/generic v1.2.2-0.20230320175451-4410d2372cb1
@@ -102,6 +103,7 @@ require (
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 // indirect
+	github.com/edsrzf/mmap-go v1.1.0 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/felixge/fgprof v0.9.3 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
@@ -172,6 +174,7 @@ require (
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect
 	github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778 // indirect
+	go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 // indirect
 	golang.org/x/sync v0.1.0 // indirect
 	golang.org/x/sys v0.10.0 // indirect
 	golang.org/x/text v0.11.0 // indirect

go.sum

@@ -197,6 +197,8 @@ github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5/go.mod h1:qssHWj6
 github.com/dsnet/golib v0.0.0-20171103203638-1ea166775780/go.mod h1:Lj+Z9rebOhdfkVLjJ8T6VcRQv3SXugXy999NBtR9aFY=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
+github.com/edsrzf/mmap-go v1.1.0 h1:6EUwBLQ/Mcr1EYLE4Tn1VdW1A4ckqCQWZBw8Hr0kjpQ=
+github.com/edsrzf/mmap-go v1.1.0/go.mod h1:19H/e8pUPLicwkyNgOykDXkJ9F0MHE+Z52B8EIth78Q=
 github.com/elazarl/goproxy v0.0.0-20221015165544-a0805db90819 h1:RIB4cRk+lBqKK3Oy0r2gRX4ui7tuhiZq2SuTtTCi0/0=
 github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
 github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
@@ -583,6 +585,8 @@ github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZV
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
+github.com/saferwall/pe v1.4.4 h1:Ml++7/2/Z1iKwV4zCsd1nIqTEAdUQKAetwbbcCarhOg=
+github.com/saferwall/pe v1.4.4/go.mod h1:SNzv3cdgk8SBI0UwHfyTcdjawfdnN+nbydnEL7GZ25s=
 github.com/sagikazarmark/crypt v0.3.0/go.mod h1:uD/D+6UF4SrIR1uGEv7bBNkNqLGqUr43MRiaGWX1Nig=
 github.com/sassoftware/go-rpmutils v0.2.0 h1:pKW0HDYMFWQ5b4JQPiI3WI12hGsVoW0V8+GMoZiI/JE=
 github.com/sassoftware/go-rpmutils v0.2.0/go.mod h1:TJJQYtLe/BeEmEjelI3b7xNZjzAukEkeWKmoakvaOoI=
@@ -703,6 +707,8 @@ github.com/zyedidia/generic v1.2.2-0.20230320175451-4410d2372cb1/go.mod h1:ly2RB
 go.etcd.io/etcd/api/v3 v3.5.1/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs=
 go.etcd.io/etcd/client/pkg/v3 v3.5.1/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g=
 go.etcd.io/etcd/client/v2 v2.305.1/go.mod h1:pMEacxZW7o8pg4CrFE7pquyCJJzZvkvdD2RibOCCCGs=
+go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 h1:CCriYyAfq1Br1aIYettdHZTy8mBTIPo7We18TuO/bak=
+go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
@@ -929,6 +935,7 @@ golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211205182925-97ca703d548d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

internal/constants.go

@@ -6,5 +6,5 @@ const (
 
 	// JSONSchemaVersion is the current schema version output by the JSON encoder
 	// This is roughly following the "SchemaVer" guidelines for versioning the JSON schema. Please see schema/json/README.md for details on how to increment.
-	JSONSchemaVersion = "9.0.0"
+	JSONSchemaVersion = "9.0.1"
 )

syft/internal/packagemetadata/generated.go

@@ -6,5 +6,5 @@ import "github.com/anchore/syft/syft/pkg"
 
 // AllTypes returns a list of all pkg metadata types that syft supports (that are represented in the pkg.Package.Metadata field).
 func AllTypes() []any {
-	return []any{pkg.AlpmMetadata{}, pkg.ApkMetadata{}, pkg.BinaryMetadata{}, pkg.CargoPackageMetadata{}, pkg.CocoapodsMetadata{}, pkg.ConanLockMetadata{}, pkg.ConanMetadata{}, pkg.DartPubMetadata{}, pkg.DotnetDepsMetadata{}, pkg.DpkgMetadata{}, pkg.GemMetadata{}, pkg.GolangBinMetadata{}, pkg.GolangModMetadata{}, pkg.HackageMetadata{}, pkg.JavaMetadata{}, pkg.KbPackageMetadata{}, pkg.LinuxKernelMetadata{}, pkg.LinuxKernelModuleMetadata{}, pkg.MixLockMetadata{}, pkg.NixStoreMetadata{}, pkg.NpmPackageJSONMetadata{}, pkg.NpmPackageLockJSONMetadata{}, pkg.PhpComposerJSONMetadata{}, pkg.PortageMetadata{}, pkg.PythonPackageMetadata{}, pkg.PythonPipfileLockMetadata{}, pkg.PythonRequirementsMetadata{}, pkg.RDescriptionFileMetadata{}, pkg.RebarLockMetadata{}, pkg.RpmMetadata{}}
+	return []any{pkg.AlpmMetadata{}, pkg.ApkMetadata{}, pkg.BinaryMetadata{}, pkg.CargoPackageMetadata{}, pkg.CocoapodsMetadata{}, pkg.ConanLockMetadata{}, pkg.ConanMetadata{}, pkg.DartPubMetadata{}, pkg.DotnetDepsMetadata{}, pkg.DotnetPortableExecutableMetadata{}, pkg.DpkgMetadata{}, pkg.GemMetadata{}, pkg.GolangBinMetadata{}, pkg.GolangModMetadata{}, pkg.HackageMetadata{}, pkg.JavaMetadata{}, pkg.KbPackageMetadata{}, pkg.LinuxKernelMetadata{}, pkg.LinuxKernelModuleMetadata{}, pkg.MixLockMetadata{}, pkg.NixStoreMetadata{}, pkg.NpmPackageJSONMetadata{}, pkg.NpmPackageLockJSONMetadata{}, pkg.PhpComposerJSONMetadata{}, pkg.PortageMetadata{}, pkg.PythonPackageMetadata{}, pkg.PythonPipfileLockMetadata{}, pkg.PythonRequirementsMetadata{}, pkg.RDescriptionFileMetadata{}, pkg.RebarLockMetadata{}, pkg.RpmMetadata{}}
 }

syft/pkg/cataloger/cataloger.go

@@ -45,7 +45,7 @@ func ImageCatalogers(cfg Config) []pkg.Cataloger {
 		apkdb.NewApkdbCataloger(),
 		binary.NewCataloger(),
 		deb.NewDpkgdbCataloger(),
-		dotnet.NewDotnetDepsCataloger(),
+		dotnet.NewDotnetPortableExecutableCataloger(),
 		golang.NewGoModuleBinaryCataloger(cfg.Go()),
 		java.NewJavaCataloger(cfg.Java()),
 		java.NewNativeImageCataloger(),
@@ -71,6 +71,7 @@ func DirectoryCatalogers(cfg Config) []pkg.Cataloger {
 		dart.NewPubspecLockCataloger(),
 		deb.NewDpkgdbCataloger(),
 		dotnet.NewDotnetDepsCataloger(),
+		dotnet.NewDotnetPortableExecutableCataloger(),
 		elixir.NewMixLockCataloger(),
 		erlang.NewRebarLockCataloger(),
 		golang.NewGoModFileCataloger(cfg.Go()),
@@ -105,6 +106,7 @@ func AllCatalogers(cfg Config) []pkg.Cataloger {
 		dart.NewPubspecLockCataloger(),
 		deb.NewDpkgdbCataloger(),
 		dotnet.NewDotnetDepsCataloger(),
+		dotnet.NewDotnetPortableExecutableCataloger(),
 		elixir.NewMixLockCataloger(),
 		erlang.NewRebarLockCataloger(),
 		golang.NewGoModFileCataloger(cfg.Go()),

syft/pkg/cataloger/dotnet/cataloger.go

@@ -4,10 +4,13 @@ import (
 	"github.com/anchore/syft/syft/pkg/cataloger/generic"
 )
 
-const catalogerName = "dotnet-deps-cataloger"
-
 // NewDotnetDepsCataloger returns a new Dotnet cataloger object base on deps json files.
 func NewDotnetDepsCataloger() *generic.Cataloger {
-	return generic.NewCataloger(catalogerName).
+	return generic.NewCataloger("dotnet-deps-cataloger").
 		WithParserByGlobs(parseDotnetDeps, "**/*.deps.json")
 }
+
+func NewDotnetPortableExecutableCataloger() *generic.Cataloger {
+	return generic.NewCataloger("dotnet-portable-executable-cataloger").
+		WithParserByGlobs(parseDotnetPortableExecutable, "**/*.dll", "**/*.exe")
+}

syft/pkg/cataloger/dotnet/cataloger_test.go

@@ -3,6 +3,7 @@ package dotnet
 import (
 	"testing"
 
+	"github.com/anchore/syft/syft/pkg/cataloger/generic"
 	"github.com/anchore/syft/syft/pkg/cataloger/internal/pkgtest"
 )
 
@@ -10,15 +11,26 @@ func TestCataloger_Globs(t *testing.T) {
 	tests := []struct {
 		name      string
 		fixture   string
+		cataloger *generic.Cataloger
 		expected  []string
 	}{
 		{
 			name:      "obtain deps.json files",
 			fixture:   "test-fixtures/glob-paths",
+			cataloger: NewDotnetDepsCataloger(),
 			expected: []string{
 				"src/something.deps.json",
 			},
 		},
+		{
+			name:      "obtain portable executable files",
+			fixture:   "test-fixtures/glob-paths",
+			cataloger: NewDotnetPortableExecutableCataloger(),
+			expected: []string{
+				"src/something.dll",
+				"src/something.exe",
+			},
+		},
 	}
 
 	for _, test := range tests {
@@ -26,7 +38,7 @@ func TestCataloger_Globs(t *testing.T) {
 			pkgtest.NewCatalogTester().
 				FromDirectory(t, test.fixture).
 				ExpectsResolverContentQueries(test.expected).
-				TestCataloger(t, NewDotnetDepsCataloger())
+				TestCataloger(t, test.cataloger)
 		})
 	}
 }

syft/pkg/cataloger/dotnet/parse_dotnet_portable_executable.go

@@ -0,0 +1,87 @@
+package dotnet
+
+import (
+	"fmt"
+	"io"
+
+	"github.com/saferwall/pe"
+
+	"github.com/anchore/packageurl-go"
+	"github.com/anchore/syft/internal/log"
+	"github.com/anchore/syft/syft/artifact"
+	"github.com/anchore/syft/syft/file"
+	"github.com/anchore/syft/syft/pkg"
+	"github.com/anchore/syft/syft/pkg/cataloger/generic"
+)
+
+var _ generic.Parser = parseDotnetPortableExecutable
+
+func parseDotnetPortableExecutable(_ file.Resolver, _ *generic.Environment, f file.LocationReadCloser) ([]pkg.Package, []artifact.Relationship, error) {
+	by, err := io.ReadAll(f)
+	if err != nil {
+		return nil, nil, fmt.Errorf("unable to read file: %w", err)
+	}
+
+	peFile, err := pe.NewBytes(by, &pe.Options{})
+	if err != nil {
+		return nil, nil, fmt.Errorf("unable to create PE file instance: %w", err)
+	}
+
+	err = peFile.Parse()
+	if err != nil {
+		return nil, nil, fmt.Errorf("unable to parse PE file: %w", err)
+	}
+
+	versionResources, err := peFile.ParseVersionResources()
+	if err != nil {
+		// this is not a fatal error, just log and continue
+		// TODO: consider this case for "known unknowns" (same goes for cases below)
+		log.Tracef("unable to parse version resources in PE file: %s", f.RealPath)
+		return nil, nil, nil
+	}
+
+	name := versionResources["FileDescription"]
+	if name == "" {
+		log.Tracef("unable to find FileDescription in PE file: %s", f.RealPath)
+		return nil, nil, nil
+	}
+
+	version := versionResources["FileVersion"]
+	if version == "" {
+		log.Tracef("unable to find FileVersion in PE file: %s", f.RealPath)
+		return nil, nil, nil
+	}
+
+	purl := packageurl.NewPackageURL(
+		packageurl.TypeNuget, // See explanation in syft/pkg/cataloger/dotnet/package.go as to why this was chosen.
+		"",
+		name,
+		version,
+		nil,
+		"",
+	).ToString()
+
+	metadata := pkg.DotnetPortableExecutableMetadata{
+		AssemblyVersion: versionResources["Assembly Version"],
+		LegalCopyright:  versionResources["LegalCopyright"],
+		Comments:        versionResources["Comments"],
+		InternalName:    versionResources["InternalName"],
+		CompanyName:     versionResources["CompanyName"],
+		ProductName:     versionResources["ProductName"],
+		ProductVersion:  versionResources["ProductVersion"],
+	}
+
+	p := pkg.Package{
+		Name:         name,
+		Version:      version,
+		Locations:    file.NewLocationSet(f.Location),
+		Type:         pkg.DotnetPkg,
+		PURL:         purl,
+		MetadataType: pkg.DotnetPortableExecutableMetadataType,
+		Metadata:     metadata,
+	}
+
+	p.SetID()
+
+	return []pkg.Package{p}, nil, nil
+}

syft/pkg/cataloger/dotnet/parse_dotnet_portable_executable_test.go

@@ -0,0 +1,38 @@
+package dotnet
+
+import (
+	"testing"
+
+	"github.com/anchore/syft/syft/artifact"
+	"github.com/anchore/syft/syft/file"
+	"github.com/anchore/syft/syft/pkg"
+	"github.com/anchore/syft/syft/pkg/cataloger/internal/pkgtest"
+)
+
+func TestParseDotnetPortableExecutable(t *testing.T) {
+	fixture := "test-fixtures/System.Buffers.dll"
+	fixtureLocationSet := file.NewLocationSet(file.NewLocation(fixture))
+
+	expected := []pkg.Package{
+		{
+			Name:         "System.Buffers",
+			Version:      "7.0.923.36201",
+			Locations:    fixtureLocationSet,
+			Type:         pkg.DotnetPkg,
+			PURL:         "pkg:nuget/System.Buffers@7.0.923.36201",
+			MetadataType: pkg.DotnetPortableExecutableMetadataType,
+			Metadata: pkg.DotnetPortableExecutableMetadata{
+				AssemblyVersion: "7.0.0.0",
+				LegalCopyright:  "© Microsoft Corporation. All rights reserved.",
+				Comments:        "System.Buffers",
+				InternalName:    "System.Buffers.dll",
+				CompanyName:     "Microsoft Corporation",
+				ProductName:     "Microsoft® .NET",
+				ProductVersion:  "7.0.9+8e9a17b2216f51a5788f8b1c467a4cf3b769e7d7",
+			},
+		},
+	}
+
+	var expectedRelationships []artifact.Relationship
+	pkgtest.TestFileParser(t, fixture, parseDotnetPortableExecutable, expected, expectedRelationships)
+}

syft/pkg/cataloger/dotnet/test-fixtures/.gitignore

@@ -0,0 +1,2 @@
+!*.dll
+!*.exe

syft/pkg/cataloger/dotnet/test-fixtures/glob-paths/src/something.dll

@@ -0,0 +1 @@
+bogus .dll (portable executable)

syft/pkg/cataloger/dotnet/test-fixtures/glob-paths/src/something.exe

@@ -0,0 +1 @@
+bogus .exe portable executable)

syft/pkg/dotnet_portable_executable_metadata.go

@@ -0,0 +1,11 @@
+package pkg
+
+type DotnetPortableExecutableMetadata struct {
+	AssemblyVersion string `json:"assemblyVersion"`
+	LegalCopyright  string `json:"legalCopyright"`
+	Comments        string `json:"comments,omitempty"`
+	InternalName    string `json:"internalName,omitempty"`
+	CompanyName     string `json:"companyName"`
+	ProductName     string `json:"productName"`
+	ProductVersion  string `json:"productVersion"`
+}

syft/pkg/metadata.go

@@ -19,6 +19,7 @@ const (
 	ConanMetadataType                    MetadataType = "ConanMetadataType"
 	DartPubMetadataType                  MetadataType = "DartPubMetadata"
 	DotnetDepsMetadataType               MetadataType = "DotnetDepsMetadata"
+	DotnetPortableExecutableMetadataType MetadataType = "DotnetPortableExecutableMetadata"
 	DpkgMetadataType                     MetadataType = "DpkgMetadata"
 	GemMetadataType                      MetadataType = "GemMetadata"
 	GolangBinMetadataType                MetadataType = "GolangBinMetadata"
@@ -52,6 +53,7 @@ var AllMetadataTypes = []MetadataType{
 	ConanMetadataType,
 	DartPubMetadataType,
 	DotnetDepsMetadataType,
+	DotnetPortableExecutableMetadataType,
 	DpkgMetadataType,
 	GemMetadataType,
 	GolangBinMetadataType,
@@ -85,6 +87,7 @@ var MetadataTypeByName = map[MetadataType]reflect.Type{
 	ConanMetadataType:                    reflect.TypeOf(ConanMetadata{}),
 	DartPubMetadataType:                  reflect.TypeOf(DartPubMetadata{}),
 	DotnetDepsMetadataType:               reflect.TypeOf(DotnetDepsMetadata{}),
+	DotnetPortableExecutableMetadataType: reflect.TypeOf(DotnetPortableExecutableMetadata{}),
 	DpkgMetadataType:                     reflect.TypeOf(DpkgMetadata{}),
 	GemMetadataType:                      reflect.TypeOf(GemMetadata{}),
 	GolangBinMetadataType:                reflect.TypeOf(GolangBinMetadata{}),

test/cli/packages_cmd_test.go

@@ -96,7 +96,7 @@ func TestPackagesCmdFlags(t *testing.T) {
 			name: "squashed-scope-flag",
 			args: []string{"packages", "-o", "json", "-s", "squashed", coverageImage},
 			assertions: []traitAssertion{
-				assertPackageCount(36),
+				assertPackageCount(24),
 				assertSuccessfulReturnCode,
 			},
 		},
@@ -213,7 +213,7 @@ func TestPackagesCmdFlags(t *testing.T) {
 				// the application config in the log matches that of what we expect to have been configured.
 				assertInOutput("parallelism: 2"),
 				assertInOutput("parallelism=2"),
-				assertPackageCount(36),
+				assertPackageCount(24),
 				assertSuccessfulReturnCode,
 			},
 		},
@@ -224,7 +224,7 @@ func TestPackagesCmdFlags(t *testing.T) {
 				// the application config in the log matches that of what we expect to have been configured.
 				assertInOutput("parallelism: 1"),
 				assertInOutput("parallelism=1"),
-				assertPackageCount(36),
+				assertPackageCount(24),
 				assertSuccessfulReturnCode,
 			},
 		},
@@ -238,7 +238,7 @@ func TestPackagesCmdFlags(t *testing.T) {
 			assertions: []traitAssertion{
 				assertNotInOutput("secret_password"),
 				assertNotInOutput("secret_key_path"),
-				assertPackageCount(36),
+				assertPackageCount(24),
 				assertSuccessfulReturnCode,
 			},
 		},