From c732052cf1be3a7812810a62eb25d67370730118 Mon Sep 17 00:00:00 2001 From: Parthib Mukherjee <109328510+hawkaii@users.noreply.github.com> Date: Mon, 6 Oct 2025 19:39:38 +0530 Subject: [PATCH] feat(cpegenerate): add support for binary package digit-suffix variations in CPE generation (#4093) * feat(cpegenerate): add support for binary package digit-suffix variations in CPE generation Signed-off-by: Parthib Mukherjee * chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.13 to 0.5.14 (#4089) Bumps [github.com/gkampitakis/go-snaps](https://github.com/gkampitakis/go-snaps) from 0.5.13 to 0.5.14. - [Release notes](https://github.com/gkampitakis/go-snaps/releases) - [Commits](https://github.com/gkampitakis/go-snaps/compare/v0.5.13...v0.5.14) --- updated-dependencies: - dependency-name: github.com/gkampitakis/go-snaps dependency-version: 0.5.14 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee * chore(deps): bump modernc.org/sqlite from 1.38.1 to 1.38.2 (#4088) Bumps [modernc.org/sqlite](https://gitlab.com/cznic/sqlite) from 1.38.1 to 1.38.2. - [Commits](https://gitlab.com/cznic/sqlite/compare/v1.38.1...v1.38.2) --- updated-dependencies: - dependency-name: modernc.org/sqlite dependency-version: 1.38.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 
Signed-off-by: Parthib Mukherjee * chore(deps): bump github.com/docker/docker (#4092) Bumps [github.com/docker/docker](https://github.com/docker/docker) from 28.2.2+incompatible to 28.3.3+incompatible. - [Release notes](https://github.com/docker/docker/releases) - [Commits](https://github.com/docker/docker/compare/v28.2.2...v28.3.3) --- updated-dependencies: - dependency-name: github.com/docker/docker dependency-version: 28.3.3+incompatible dependency-type: indirect ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee * chore(deps): bump github.com/anchore/stereoscope (#4091) Bumps [github.com/anchore/stereoscope](https://github.com/anchore/stereoscope) from 0.1.7-0.20250716200927-94c6f92877d4 to 0.1.7. - [Release notes](https://github.com/anchore/stereoscope/releases) - [Changelog](https://github.com/anchore/stereoscope/blob/main/RELEASE.md) - [Commits](https://github.com/anchore/stereoscope/commits/v0.1.7) --- updated-dependencies: - dependency-name: github.com/anchore/stereoscope dependency-version: 0.1.7 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee * migrate to get.anchore.io (#4095) Signed-off-by: Alex Goodman Signed-off-by: Parthib Mukherjee * chore(deps): update anchore dependencies (#4098) * chore(deps): update anchore dependencies Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * address reader close operations Signed-off-by: Alex Goodman --------- Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Signed-off-by: Alex Goodman Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com> Co-authored-by: Alex Goodman 
Signed-off-by: Parthib Mukherjee * chore(deps): update anchore dependencies (#4104) Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com> Signed-off-by: Parthib Mukherjee * chore(deps): bump github/codeql-action from 3.29.4 to 3.29.5 (#4096) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.29.4 to 3.29.5. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/4e828ff8d448a8a6e532957b1811f387a63867e8...51f77329afa6477de8c49fc9c7046c15b9a4e79d) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 3.29.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee * chore(deps): update tools to latest versions (#4108) Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com> Signed-off-by: Parthib Mukherjee * chore(deps): update CPE dictionary index (#4112) Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com> Signed-off-by: Parthib Mukherjee * chore(deps): update tools to latest versions (#4111) Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com> 
Signed-off-by: Parthib Mukherjee * chore(deps): bump actions/cache in /.github/actions/bootstrap (#4120) Bumps [actions/cache](https://github.com/actions/cache) from 4.2.3 to 4.2.4. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/5a3ec84eff668545956fd18022155c47e93e2684...0400d5f644dc74513175e3cd8d07132dd4860809) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 4.2.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee * chore(deps): bump actions/cache from 4.2.3 to 4.2.4 (#4119) Bumps [actions/cache](https://github.com/actions/cache) from 4.2.3 to 4.2.4. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/5a3ec84eff668545956fd18022155c47e93e2684...0400d5f644dc74513175e3cd8d07132dd4860809) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 4.2.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 
Signed-off-by: Parthib Mukherjee * chore(deps): bump docker/login-action from 3.4.0 to 3.5.0 (#4115) Bumps [docker/login-action](https://github.com/docker/login-action) from 3.4.0 to 3.5.0. - [Release notes](https://github.com/docker/login-action/releases) - [Commits](https://github.com/docker/login-action/compare/74a5d142397b4f367a81961eba4e8cd7edddf772...184bdaa0721073962dff0199f1fb9940f07167d1) --- updated-dependencies: - dependency-name: docker/login-action dependency-version: 3.5.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee * fix: nondeterministic Java archive cataloging and improve groupID (#4118) Signed-off-by: Keith Zantow Signed-off-by: Parthib Mukherjee * feat: add binary classifier for hashicorp vault (#4121) * add binary classifier for hashicorp vault The Go Binary Cataloger isn't able to parse the version out of the binary shipped in the DockerHub images of hashicorp/vault because the version of the main module isn't set in the binary. Therefore, add a binary classifier cataloger for this binary. Signed-off-by: Will Murphy * chore: add test fixtures, update vault Signed-off-by: Keith Zantow * chore: set binary classifier package type based on PURL Signed-off-by: Keith Zantow * chore: use github.com/hashicorp/vault as package name Signed-off-by: Keith Zantow * chore: update tests Signed-off-by: Keith Zantow --------- Signed-off-by: Will Murphy Signed-off-by: Keith Zantow Co-authored-by: Keith Zantow 
Signed-off-by: Parthib Mukherjee * chore(deps): bump github/codeql-action from 3.29.7 to 3.29.8 (#4124) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.29.7 to 3.29.8. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/51f77329afa6477de8c49fc9c7046c15b9a4e79d...76621b61decf072c1cee8dd1ce2d2a82d33c17ed) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 3.29.8 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee * chore(deps): bump golang.org/x/mod from 0.26.0 to 0.27.0 (#4123) Bumps [golang.org/x/mod](https://github.com/golang/mod) from 0.26.0 to 0.27.0. - [Commits](https://github.com/golang/mod/compare/v0.26.0...v0.27.0) --- updated-dependencies: - dependency-name: golang.org/x/mod dependency-version: 0.27.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee * chore(deps): bump golang.org/x/net from 0.42.0 to 0.43.0 (#4122) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.42.0 to 0.43.0. - [Commits](https://github.com/golang/net/compare/v0.42.0...v0.43.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-version: 0.43.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee * chore(deps): update CPE dictionary index (#4126) 
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com> Signed-off-by: Parthib Mukherjee * chore: update GoReleaser configurations (#4128) Signed-off-by: Emmanuel Ferdman Signed-off-by: Parthib Mukherjee * chore(deps): bump actions/checkout from 4.2.2 to 5.0.0 (#4130) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.2 to 5.0.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/11bd71901bbe5b1630ceea73d27597364c9af683...08c6903cd8c0fde910a37f88322edcfb5dd907a8) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee * fix: closed reader during java binary detection (#4129) Signed-off-by: Keith Zantow Signed-off-by: Parthib Mukherjee * fix: support multiple letters in openssl patch version (#4106) Signed-off-by: honigbot Signed-off-by: Parthib Mukherjee * chore(deps): bump github/codeql-action from 3.29.8 to 3.29.9 (#4134) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.29.8 to 3.29.9. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/76621b61decf072c1cee8dd1ce2d2a82d33c17ed...df559355d593797519d70b90fc8edd5db049e7a2) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 3.29.9 dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee * feat: update syft license construction to be able to look up by URL (#4132) --------- Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com> Signed-off-by: Parthib Mukherjee * feat: add package supplier flag (#4131) --------- Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com> Signed-off-by: Parthib Mukherjee * chore(deps): bump zizmorcore/zizmor-action from 0.1.1 to 0.1.2 (#4135) Bumps [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action) from 0.1.1 to 0.1.2. - [Release notes](https://github.com/zizmorcore/zizmor-action/releases) - [Commits](https://github.com/zizmorcore/zizmor-action/compare/f52a838cfabf134edcbaa7c8b3677dde20045018...5ca5fc7a4779c5263a3ffa0e1f693009994446d1) --- updated-dependencies: - dependency-name: zizmorcore/zizmor-action dependency-version: 0.1.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee * feat: add support for authors, maintainers, and contributors in package.json. (#4003) Fixes #2250 --------- Signed-off-by: Alan Pope Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com> Co-authored-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com> Signed-off-by: Parthib Mukherjee * feat(cpegentereate): added test for the addBinaryPackageDigitVariation function Signed-off-by: Parthib Mukherjee * docs(cpegenerate): made the comment more verbose Signed-off-by: Parthib Mukherjee * nit: separate digit variation concerns from case of use Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com> --------- Signed-off-by: Parthib Mukherjee Signed-off-by: dependabot[bot] Signed-off-by: Alex Goodman 
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Signed-off-by: Keith Zantow Signed-off-by: Will Murphy Signed-off-by: Emmanuel Ferdman Signed-off-by: honigbot Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com> Signed-off-by: Alan Pope Signed-off-by: Parthib Mukherjee <109328510+hawkaii@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Goodman Co-authored-by: anchore-actions-token-generator[bot] <102182147+anchore-actions-token-generator[bot]@users.noreply.github.com> Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com> Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com> Co-authored-by: Keith Zantow Co-authored-by: Will Murphy Co-authored-by: Emmanuel Ferdman Co-authored-by: honigbot <34426443+honigbot@users.noreply.github.com> Co-authored-by: Alan Pope
---
 .../internal/cpegenerate/generate.go | 40 ++++++++++++
 .../internal/cpegenerate/generate_test.go | 64 +++++++++++++++++++
 2 files changed, 104 insertions(+)
diff --git a/syft/pkg/cataloger/internal/cpegenerate/generate.go b/syft/pkg/cataloger/internal/cpegenerate/generate.go
index 3a8e7ac9d..1ccbf5e25 100644
--- a/syft/pkg/cataloger/internal/cpegenerate/generate.go
+++ b/syft/pkg/cataloger/internal/cpegenerate/generate.go
@@ -6,9 +6,11 @@ import (
 _ "embed"
 "encoding/json"
 "fmt"
+ "regexp"
 "sort"
 "strings"
 "sync"
+ "unicode"
 
 "github.com/scylladb/go-set/strset"
 
@@ -228,6 +230,11 @@ func candidateVendors(p pkg.Package) []string {
 vendors.union(candidateVendorsForWordpressPlugin(p))
 }
 
+ if p.Type == pkg.BinaryPkg && endsWithNumber(p.Name) {
+ // add binary package digit-suffix variations (e.g. Qt5 -> Qt)
+ addBinaryPackageDigitVariations(vendors)
+ }
+
 // We should no longer be generating vendor candidates with these values ["" and "*"]
 // (since CPEs will match any other value)
 vendors.removeByValue("")
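Review bot: The guard on the new `if` tests `endsWithNumber(p.Name)`, but `addBinaryPackageDigitVariations(vendors)` then strips the digit suffix from every vendor candidate already in the set rather than from the name, so any vendor candidate that happens to end in a digit gains a stripped twin whenever the package name does. Each extra vendor value multiplies the CPE permutations handed to vulnerability matching, which raises recall but also the chance of a false-positive hit against an unrelated vendor, so the comment should state the trade-off, e.g. `// deliberately widens the vendor set (recall over precision): every vendor candidate ending in a digit also gets a digit-stripped variant`. The same type-and-suffix condition is repeated verbatim in candidateProductSet; a small predicate such as `hasBinaryDigitSuffix(p)` would keep the two call sites from drifting apart. candidateVendors begins and ends outside this hunk.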
@@ -286,6 +293,9 @@ func candidateProductSet(p pkg.Package) fieldCandidateSet {
 if prod != "" {
 products.addValue(prod)
 }
+ case p.Type == pkg.BinaryPkg && endsWithNumber(p.Name):
+ // add binary package digit-suffix variations (e.g. Qt5 -> Qt)
+ addBinaryPackageDigitVariations(products)
 }
 
 switch p.Metadata.(type) {
@@ -404,3 +414,33 @@ func addDelimiterVariations(fields fieldCandidateSet) {
 }
 }
 }
+
+// removeTrailingDigits removes all trailing digits from a string
+func removeTrailingDigits(s string) string {
+ re := regexp.MustCompile(`\d+$`)
+ return re.ReplaceAllString(s, "")
+}
+
+// addBinaryPackageDigitVariations adds variations with trailing digits removed for binary packages.For binary package types only, when the name ends with a digit, add a new variation with all suffix-digits removed (e.g. Qt5 -> Qt). This helps generate additional CPE permutations for better vulnerability matching.
+func addBinaryPackageDigitVariations(fields fieldCandidateSet) {
+ candidatesForVariations := fields.copy()
+ for _, candidate := range candidatesForVariations.values() {
+ // Check if the candidate ends with a digit
+ if len(candidate) > 0 && candidate[len(candidate)-1] >= '0' && candidate[len(candidate)-1] <= '9' {
+ // Create variation with all suffix digits removed
+ withoutDigits := removeTrailingDigits(candidate)
+ if withoutDigits != "" && withoutDigits != candidate {
+ fields.addValue(withoutDigits)
+ }
+ }
+ }
+}
+
+func endsWithNumber(s string) bool {
+ if len(s) == 0 {
+ return false
+ }
+ r := []rune(s)
+ last := r[len(r)-1]
+ return unicode.IsDigit(last)
+}
diff --git a/syft/pkg/cataloger/internal/cpegenerate/generate_test.go b/syft/pkg/cataloger/internal/cpegenerate/generate_test.go
index d78baea1b..3323fbc6c 100644
--- a/syft/pkg/cataloger/internal/cpegenerate/generate_test.go
+++ b/syft/pkg/cataloger/internal/cpegenerate/generate_test.go
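Review bot: The digit-suffix variation is wired in as a `case` arm here, so it runs only when no earlier arm of the enclosing `switch` matched, whereas candidateVendors applies the same logic as an unconditional `if`; if an earlier arm already handles binary packages (the switch header is above this hunk, so I cannot confirm), the product variations are silently skipped and the vendor and product candidate sets disagree. If the exclusivity is intended, a comment on the `case` line should say so, e.g. `// only when no type-specific product handling above applied`; otherwise move the call after the switch as an `if`, mirroring candidateVendors. candidateProductSet begins before this hunk.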
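Review bot: `removeTrailingDigits` calls `regexp.MustCompile` on every invocation, and it is invoked once per candidate inside the loop in `addBinaryPackageDigitVariations`; the compile belongs at package scope, or better the regexp goes away in favour of `strings.TrimRightFunc(s, unicode.IsDigit)` (both packages are already imported, and the `regexp` import then becomes unused). That also removes a mismatch inside the hunk: `endsWithNumber` accepts any Unicode digit via `unicode.IsDigit`, while the byte check `>= '0' && <= '9'` and RE2's ASCII-only `\d` see only ASCII digits, so a name ending in a non-ASCII digit passes the caller's gate and then receives no variation. With TrimRightFunc the `len(candidate) > 0 && …` pre-check is redundant because `withoutDigits != candidate` already fails for names without a digit suffix, and `withoutDigits != ""` still keeps an all-digit name from injecting an empty CPE component. The doc comment also needs a space in `packages.For` and should state the trade-off plainly: every added variation is one more CPE that downstream vulnerability matching can hit, so this heuristic buys recall at the cost of precision.
```go
// removeTrailingDigits returns s with every trailing Unicode digit removed
// (a no-op for strings that do not end in a digit).
func removeTrailingDigits(s string) string {
	return strings.TrimRightFunc(s, unicode.IsDigit)
}

// … unchanged: addBinaryPackageDigitVariations doc comment …
func addBinaryPackageDigitVariations(fields fieldCandidateSet) {
	// snapshot the current values before adding to the set
	for _, candidate := range fields.copy().values() {
		withoutDigits := removeTrailingDigits(candidate)
		// != candidate rejects names without a digit suffix; != "" rejects all-digit names
		if withoutDigits != "" && withoutDigits != candidate {
			fields.addValue(withoutDigits)
		}
	}
}
```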
@@ -1145,3 +1145,67 @@ func TestDictionaryFindIsWired(t *testing.T) {
 })
 }
 }
+
+// TestAddBinaryPackageDigitVariations tests the heuristic for binary package types
+// where names ending with digits get variations with all suffix-digits removed (e.g. Qt5 -> Qt).
+// This improves vulnerability matching for binary packages like Qt6, libfoo123, etc.
+func TestAddBinaryPackageDigitVariations(t *testing.T) {
+ tests := []struct {
+ name string
+ packageType pkg.Type
+ inputCandidates []string
+ expectedPresent []string // These should be present in the result
+ expectedAbsent []string // These should NOT be present in the result
+ }{
+ {
+ name: "Qt5 binary package example",
+ packageType: pkg.BinaryPkg,
+ inputCandidates: []string{"Qt5"},
+ expectedPresent: []string{"Qt5", "Qt"},
+ expectedAbsent: []string{},
+ },
+ {
+ name: "package with trailing digits",
+ packageType: pkg.BinaryPkg,
+ inputCandidates: []string{"Qt5", "libfoo123", "bar42", "baz"},
+ expectedPresent: []string{"Qt5", "Qt", "libfoo123", "libfoo", "bar42", "bar", "baz"},
+ expectedAbsent: []string{},
+ },
+ {
+ name: "multiple trailing digits",
+ inputCandidates: []string{"Qt872", "package999"},
+ expectedPresent: []string{"Qt872", "Qt", "package999", "package"},
+ expectedAbsent: []string{},
+ },
+ {
+ name: "package without trailing digits",
+ inputCandidates: []string{"QtCore", "libfoo", "bar"},
+ expectedPresent: []string{"QtCore", "libfoo", "bar"},
+ expectedAbsent: []string{"QtCor", "libfo", "ba"},
+ },
+ {
+ name: "empty candidate set",
+ packageType: pkg.BinaryPkg,
+ inputCandidates: []string{},
+ expectedPresent: []string{},
+ expectedAbsent: []string{},
+ },
+ }
+
+ for _, test := range tests {
+ t.Run(test.name, func(t *testing.T) {
+ fields := newFieldCandidateSet(test.inputCandidates...)
+ addBinaryPackageDigitVariations(fields)
+
+ values := fields.uniqueValues()
+
+ for _, expected := range test.expectedPresent {
+ assert.Contains(t, values, expected, "expected %q to be present", expected)
+ }
+
+ for _, notExpected := range test.expectedAbsent {
+ assert.NotContains(t, values, notExpected, "expected %q to be absent", notExpected)
+ }
+ })
+ }
+}
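Review bot: The `packageType` field of the table is never read — the loop calls `addBinaryPackageDigitVariations(fields)` directly for every case, and the third and fourth cases do not even set it — so the type gate the feature depends on (`p.Type == pkg.BinaryPkg && endsWithNumber(p.Name)`) is not exercised here; either drop the field or add a case that drives `candidateProductSet`/`candidateVendors` with a `pkg.Package` of a non-binary type and asserts the stripped variant is absent. The `withoutDigits != ""` branch is also uncovered: no case has an all-digit candidate, which is exactly the input that would otherwise inject an empty CPE component, so add `{name: "all-digit candidate is not stripped to empty", inputCandidates: []string{"123"}, expectedPresent: []string{"123"}, expectedAbsent: []string{""}}`. A candidate ending in a non-ASCII digit (accepted by `endsWithNumber` but not by the ASCII byte check in the helper) would be worth one more case to pin whichever behaviour is intended.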