From 952469f0f01f4881b764ed7cb6cae1675cf3798d Mon Sep 17 00:00:00 2001
From: witchcraze <67056980+witchcraze@users.noreply.github.com>
Date: Wed, 15 Apr 2026 23:41:37 +0900
Subject: [PATCH] update vault classifier (#4742)
Signed-off-by: witchcraze
---
.../binary/classifier_cataloger_test.go | 55 ++++++++++++++++++
syft/pkg/cataloger/binary/classifiers.go | 23 +++++++-
.../snippets/vault/1.11.6/linux-amd64/vault | Bin 0 -> 351 bytes
.../snippets/vault/1.13.13/linux-amd64/vault | 9 +++
.../snippets/vault/1.14.10/linux-amd64/vault | 9 +++
.../snippets/vault/1.14.3/linux-amd64/vault | 10 ++++
.../vault/1.21.0-rc1/linux-amd64/vault | 11 ++++
.../pkg/cataloger/binary/testdata/config.yaml | 35 +++++++++++
8 files changed, 149 insertions(+), 3 deletions(-)
create mode 100644 syft/pkg/cataloger/binary/testdata/classifiers/snippets/vault/1.11.6/linux-amd64/vault
create mode 100644 syft/pkg/cataloger/binary/testdata/classifiers/snippets/vault/1.13.13/linux-amd64/vault
create mode 100644 syft/pkg/cataloger/binary/testdata/classifiers/snippets/vault/1.14.10/linux-amd64/vault
create mode 100644 syft/pkg/cataloger/binary/testdata/classifiers/snippets/vault/1.14.3/linux-amd64/vault
create mode 100644 syft/pkg/cataloger/binary/testdata/classifiers/snippets/vault/1.21.0-rc1/linux-amd64/vault
diff --git a/syft/pkg/cataloger/binary/classifier_cataloger_test.go b/syft/pkg/cataloger/binary/classifier_cataloger_test.go
index b17a4e08c..2b526f967 100644
--- a/syft/pkg/cataloger/binary/classifier_cataloger_test.go
+++ b/syft/pkg/cataloger/binary/classifier_cataloger_test.go
@@ -1111,6 +1111,17 @@ func Test_Cataloger_PositiveCases(t *testing.T) { Metadata: metadata("consul-binary"), }, }, + { + logicalFixture: "vault/1.21.0-rc1/linux-amd64", + expected: pkg.Package{ + Name: "github.com/hashicorp/vault", + Version: "1.21.0-rc1", + Type: "golang", + PURL: "pkg:golang/github.com/hashicorp/vault@1.21.0-rc1", + Locations: locations("vault"), + Metadata: metadata("hashicorp-vault-binary"), + }, + }, { logicalFixture: "vault/1.20.2/linux-amd64", expected: pkg.Package{ @@ -1133,6 +1144,50 @@ func Test_Cataloger_PositiveCases(t *testing.T) { Metadata: metadata("hashicorp-vault-binary"), }, }, + { + logicalFixture: "vault/1.14.10/linux-amd64", + expected: pkg.Package{ + Name: "github.com/hashicorp/vault", + Version: "1.14.10", + Type: "golang", + PURL: "pkg:golang/github.com/hashicorp/vault@1.14.10", + Locations: locations("vault"), + Metadata: metadata("hashicorp-vault-binary"), + }, + }, + { + logicalFixture: "vault/1.14.3/linux-amd64", + expected: pkg.Package{ + Name: "github.com/hashicorp/vault", + Version: "1.14.3", + Type: "golang", + PURL: "pkg:golang/github.com/hashicorp/vault@1.14.3", + Locations: locations("vault"), + Metadata: metadata("hashicorp-vault-binary"), + }, + }, + { + logicalFixture: "vault/1.13.13/linux-amd64", + expected: pkg.Package{ + Name: "github.com/hashicorp/vault", + Version: "1.13.13", + Type: "golang", + PURL: "pkg:golang/github.com/hashicorp/vault@1.13.13", + Locations: locations("vault"), + Metadata: metadata("hashicorp-vault-binary"), + }, + }, + { + logicalFixture: "vault/1.11.6/linux-amd64", + expected: pkg.Package{ + Name: "github.com/hashicorp/vault", + Version: "1.11.6", + Type: "golang", + PURL: "pkg:golang/github.com/hashicorp/vault@1.11.6", + Locations: locations("vault"), + Metadata: metadata("hashicorp-vault-binary"), + }, + }, { logicalFixture: "erlang/25.3.2.6/linux-amd64", expected: pkg.Package{ 
diff --git a/syft/pkg/cataloger/binary/classifiers.go b/syft/pkg/cataloger/binary/classifiers.go index 35acc85f1..c3b7ae15b 100644 --- a/syft/pkg/cataloger/binary/classifiers.go +++ b/syft/pkg/cataloger/binary/classifiers.go @@ -479,9 +479,26 @@ func DefaultClassifiers() []binutils.Classifier { { Class: "hashicorp-vault-binary", FileGlob: "**/vault", - EvidenceMatcher: m.FileContentsVersionMatcher( - // revoke1.18.0 - `(?m)revoke(?P[0-9]+\.[0-9]+\.[0-9]+)`), + EvidenceMatcher: binutils.MatchAny( + m.FileContentsVersionMatcher( + // revoke1.18.0 + `(?m)revoke(?P[0-9]+\.[0-9]+\.[0-9]+)`, + ), + m.FileContentsVersionMatcher( + // secondsindex_state1.20.0-rc1 + `state(?P[0-9]+\.[0-9]+\.[0-9]+\-rc[0-9])`, + ), + m.FileContentsVersionMatcher( + // %s0.0.0.00x%016x1.14.101.49.22123-abc19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.92 + // %s0.0.0.00x%016x1.14.3 + // txn0.0.0.00x%016x1.13.13123-abc19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.92006-019765625: type ::1/128::ffff::method: + `016x(?P1.1[1,3,4].[0-9]{1,2})`, + ), + m.FileContentsVersionMatcher( + // [NUL][NUL][NUL]1.11.6[NUL][NUL][NUL] + `\x00+(?P1\.[0-9][0,1]?\.[0-9]+)\x00+`, + ), + ), Package: "github.com/hashicorp/vault", PURL: mustPURL("pkg:golang/github.com/hashicorp/vault@version"), CPEs: singleCPE("cpe:2.3:a:hashicorp:vault:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource), diff --git a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/vault/1.11.6/linux-amd64/vault b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/vault/1.11.6/linux-amd64/vault new file mode 100644 index 0000000000000000000000000000000000000000..47415831ccb8200bebecd966bc44e2cf0ac4040a GIT binary patch literal 351 zcmXwzy-EW?6opq1g{drjfPtWm5a-U!&g_KURv$Cv~rBI3uG$e>lXt z+p|1X9qKWpA%I0`GKNv1jEI^u?E?gtGKI=2FOXZSB1G>67_UW|Y8irbn#6vIt1<03 zNE0GxB^`?%jI&eqvV>C&A|B?jS0BtqzSK3;IeDio)>^@#C{VrdC`+RuxGMyg0=d-1($b=aclyd=!iO@8Tbw?_oRu literal 0 HcmV?d00001 
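Review bot: Two of the matchers added to the `hashicorp-vault-binary` classifier are looser than their sample comments suggest: in the `016x` pattern (`1.1[1,3,4].[0-9]{1,2}`) the dots are unescaped and the class `[1,3,4]` also admits a literal comma, and `[0,1]?` in the NUL-delimited pattern has the same comma problem. I would write the group bodies as `1\.1[134]\.[0-9]{1,2}` and `1\.[0-9][01]?\.[0-9]+`. The NUL-delimited pattern also has no Vault-specific anchor, so any NUL-padded `1.x.y` string embedded in the binary (a dependency version, for example) could be reported as the Vault version and then carry a wrong PURL/CPE into vulnerability matching. If `binutils.MatchAny` returns the first matcher that hits (not visible here), keeping this one last limits the exposure, but a negative case with a non-Vault `1.x.y` string next to the entries added to `Test_Cataloger_PositiveCases` would pin it down. `DefaultClassifiers` starts and ends outside this hunk.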
diff --git a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/vault/1.13.13/linux-amd64/vault b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/vault/1.13.13/linux-amd64/vault new file mode 100644 index 000000000..8a4bfdd60 --- /dev/null +++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/vault/1.13.13/linux-amd64/vault @@ -0,0 +1,9 @@ +name: vault +offset: 111090856 +length: 420 +snippetSha256: 6d04a36a400e279a87c110dde8c540566d4c449d1db9014436ec8e74c5febe38 +fileSha256: 96151b53d171e23674cd8a5cd4f60317efa1ae7f2c4abd8b612413cba65c0fb2 + +### byte snippet to follow ### +/.*)?$(".*?")(none) +, Kind=, file=, goid=, j0 = , type=,errno=,packed,proto3-BEGIN .000000.bashrc.config.mathml.member.ndjson.pgpass.sqlite.sv4crc.tar.gz/?.lua;/api/v1/bin/sh/broker/certs//check//commit/config/emails/import/issue//logout/lookup/metric/revert/revoke/rotate/signal/stable/v1/kv//v1/txn0.0.0.00x%016x1.13.13123-abc19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.92006-019765625: type ::1/128::ffff::method: \ No newline at end of file diff --git a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/vault/1.14.10/linux-amd64/vault b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/vault/1.14.10/linux-amd64/vault new file mode 100644 index 000000000..b6f43560b --- /dev/null +++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/vault/1.14.10/linux-amd64/vault 
@@ -0,0 +1,9 @@ +name: vault +offset: 162133801 +length: 420 +snippetSha256: f3419c0c0ad0819dc20ce0965458f47fef6970ffe6cfd3057823e0855b92d843 +fileSha256: 64f0aefef6eed97fa9837ee4ebd19f8b043a107dcbf8bb272ba2811a0803c765 + +### byte snippet to follow ### +/.*)?$(".*?")(none) +, Kind=, file=, goid=, j0 = , type=,errno=,packed,proto3-BEGIN .000000.bashrc.config.mathml.member.ndjson.pgpass.sqlite.sv4crc.tar.gz/?.lua;/api/v1/bin/sh/broker/certs//check//checks/commit/config/emails/import/issue//logout/lookup/metric/order//orders/revert/revoke/roles//rotate/signal/stable/v1/kv//v1/txn0.0.0%s0.0.0.00x%016x1.14.101.49.22123-abc19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.92 \ No newline at end of file diff --git a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/vault/1.14.3/linux-amd64/vault b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/vault/1.14.3/linux-amd64/vault new file mode 100644 index 000000000..64e6f74d0 --- /dev/null +++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/vault/1.14.3/linux-amd64/vault @@ -0,0 +1,10 @@ +name: vault +offset: 160880802 +length: 420 +snippetSha256: 8dbeecbde88f06d946e10e3672aee0baac4688fda28e42d7e9626a3440188fce +fileSha256: 7369f8de5885507c74e42980079afb109bdc627df1d3de07cba4a2f39ec3ed31 + +### byte snippet to follow ### +/.*)?$(".*?")(none) +, Kind=, file=, goid=, j0 = , type=,errno=,packed,proto3-BEGIN .000000.bashrc.config.mathml.member.ndjson.pgpass.sqlite.sv4crc.tar.gz/?.lua;/api/v1/bin/sh/broker/certs//check//checks/commit/config/emails/import/issue//logout/lookup/metric/order//orders/revert/revoke/roles//rotate/signal/stable/v1/kv//v1/txn0.0.0%s0.0.0.00x%016x1.14.3 +123-abc19531252.5.4.32.5.4.52.5.4.62.5.4.72.5.4.82.5.4.92006-019 \ No newline at end of file 
diff --git a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/vault/1.21.0-rc1/linux-amd64/vault b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/vault/1.21.0-rc1/linux-amd64/vault new file mode 100644 index 000000000..e08ae05d7 --- /dev/null +++ b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/vault/1.21.0-rc1/linux-amd64/vault @@ -0,0 +1,11 @@ +name: vault +offset: 215976149 +length: 320 +snippetSha256: 70eeb40843dd6bc76e5a40cacb49ea97dff607dfe3c1df434e9bb806bb4e19d7 +fileSha256: 757f0198f00706eb23afa1037b702520b993025d25f01557c12d2688eabefd7f + +### byte snippet to follow ### +rver: %s +Voters: %v +Upgrade: %sencryptionsactive-nodecacheboltdbNeverAlwayslease_tokenvault_indexplugin_infomount_tablenum_entriesalicloudkmsenvironmentcredentialsUserLockout%s.NextPagedr-disabledperfstandbyttl_secondsindex_state1.21.0-rc1 +Options: %sMatches: %sMath_SymbolPrivate_UsePunctuationDives_AkuruMedefaidrinNag \ No newline at end of file diff --git a/syft/pkg/cataloger/binary/testdata/config.yaml b/syft/pkg/cataloger/binary/testdata/config.yaml index 1edf43698..a8da591aa 100644 --- a/syft/pkg/cataloger/binary/testdata/config.yaml +++ b/syft/pkg/cataloger/binary/testdata/config.yaml @@ -797,6 +797,13 @@ from-images: paths: - /bin/consul + - version: 1.21.0-rc1 + images: + - ref: hashicorp/vault:1.21.0-rc1@sha256:67523b1e97acc26b050bb74abd251effe728bc3c1d7e80af19d251a511aa68ad + platform: linux/amd64 + paths: + - /bin/vault + - version: 1.20.2 images: - ref: hashicorp/vault@sha256:5cd2003247e0a574a66c66aee1916b1e9e7f99640298f2e61271a8842d2d2a19 
@@ -811,6 +818,34 @@ from-images: paths: - /bin/vault + - version: 1.14.10 + images: + - ref: hashicorp/vault:1.14.10@sha256:cf826411f1172c4109da38d9ad90ff83026ef30caae9312aeb77fde868fc7dc8 + platform: linux/amd64 + paths: + - /bin/vault + + - version: 1.14.3 + images: + - ref: hashicorp/vault:1.14.3@sha256:e95f46376b39654f4be020c7be91ac88b6729b6b506e48516bef3b140a901bd5 + platform: linux/amd64 + paths: + - /bin/vault + + - version: 1.13.13 + images: + - ref: hashicorp/vault:1.13.13@sha256:d278cb438626eef0d40de35917b13f032955671b3a15983a7fb336a720bebef4 + platform: linux/amd64 + paths: + - /bin/vault + + - version: 1.11.6 + images: + - ref: hashicorp/vault:1.11.6@sha256:8366b2e6ad9d0eea9019fda45ccc2551fc67cd0afa0c6e9217ee29f390fa4108 + platform: linux/amd64 + paths: + - /bin/vault + - version: 3.0.2 images: - ref: fluent/fluent-bit:3.0.2-amd64@sha256:7e6fe8efd51dda0739e355f58bf5e3b1623cbf2d4a23c06c7a365d9553e2d242