From dfb60110835debf23f8e823fee249c4e5dc814f4 Mon Sep 17 00:00:00 2001
From: Alex Goodman <wagoodman@users.noreply.github.com>
Date: Mon, 11 May 2026 16:30:35 -0400
Subject: [PATCH] pin and update fixture versions (#4913)

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---
 .../php/interpreter_cataloger_test.go         | 106 +++++++++---------
 .../php/testdata/image-apache/Dockerfile      |   9 +-
 2 files changed, 61 insertions(+), 54 deletions(-)

diff --git a/syft/pkg/cataloger/php/interpreter_cataloger_test.go b/syft/pkg/cataloger/php/interpreter_cataloger_test.go
index 9e84c661e..8d6d9e6d7 100644
--- a/syft/pkg/cataloger/php/interpreter_cataloger_test.go
+++ b/syft/pkg/cataloger/php/interpreter_cataloger_test.go
@@ -73,63 +73,63 @@ func Test_InterpreterCataloger(t *testing.T) {
 			fixture: "image-apache",
 			expectedPkgs: []string{
 				// interpreters
-				"libphp @ 8.2.30 (/usr/lib/apache2/modules/libphp8.2.so)",
+				"libphp @ 8.2.31 (/usr/lib/apache2/modules/libphp8.2.so)",
 
 				// extensions
-				"calendar @ 8.2.30 (/usr/lib/php/20220829/calendar.so)",
-				"ctype @ 8.2.30 (/usr/lib/php/20220829/ctype.so)",
-				"exif @ 8.2.30 (/usr/lib/php/20220829/exif.so)",
-				"ffi @ 8.2.30 (/usr/lib/php/20220829/ffi.so)",
-				"fileinfo @ 8.2.30 (/usr/lib/php/20220829/fileinfo.so)",
-				"ftp @ 8.2.30 (/usr/lib/php/20220829/ftp.so)",
-				"gettext @ 8.2.30 (/usr/lib/php/20220829/gettext.so)",
-				"iconv @ 8.2.30 (/usr/lib/php/20220829/iconv.so)",
-				"mysqli @ 8.2.30 (/usr/lib/php/20220829/mysqli.so)",
-				"opcache @ 8.2.30 (/usr/lib/php/20220829/opcache.so)",
-				"pdo @ 8.2.30 (/usr/lib/php/20220829/pdo.so)",
-				"pdo_mysql @ 8.2.30 (/usr/lib/php/20220829/pdo_mysql.so)",
-				"phar @ 8.2.30 (/usr/lib/php/20220829/phar.so)",
-				"posix @ 8.2.30 (/usr/lib/php/20220829/posix.so)",
-				"readline @ 8.2.30 (/usr/lib/php/20220829/readline.so)",
-				"shmop @ 8.2.30 (/usr/lib/php/20220829/shmop.so)",
-				"simplexml @ 8.2.30 (/usr/lib/php/20220829/simplexml.so)",
-				"sockets @ 8.2.30 (/usr/lib/php/20220829/sockets.so)",
-				"sysvmsg @ 8.2.30 (/usr/lib/php/20220829/sysvmsg.so)",
-				"sysvsem @ 8.2.30 (/usr/lib/php/20220829/sysvsem.so)",
-				"sysvshm @ 8.2.30 (/usr/lib/php/20220829/sysvshm.so)",
-				"tokenizer @ 8.2.30 (/usr/lib/php/20220829/tokenizer.so)",
-				"xml @ 8.2.30 (/usr/lib/php/20220829/xml.so)",
-				"xmlreader @ 8.2.30 (/usr/lib/php/20220829/xmlreader.so)",
-				"xmlwriter @ 8.2.30 (/usr/lib/php/20220829/xmlwriter.so)",
-				"xsl @ 8.2.30 (/usr/lib/php/20220829/xsl.so)",
+				"calendar @ 8.2.31 (/usr/lib/php/20220829/calendar.so)",
+				"ctype @ 8.2.31 (/usr/lib/php/20220829/ctype.so)",
+				"exif @ 8.2.31 (/usr/lib/php/20220829/exif.so)",
+				"ffi @ 8.2.31 (/usr/lib/php/20220829/ffi.so)",
+				"fileinfo @ 8.2.31 (/usr/lib/php/20220829/fileinfo.so)",
+				"ftp @ 8.2.31 (/usr/lib/php/20220829/ftp.so)",
+				"gettext @ 8.2.31 (/usr/lib/php/20220829/gettext.so)",
+				"iconv @ 8.2.31 (/usr/lib/php/20220829/iconv.so)",
+				"mysqli @ 8.2.31 (/usr/lib/php/20220829/mysqli.so)",
+				"opcache @ 8.2.31 (/usr/lib/php/20220829/opcache.so)",
+				"pdo @ 8.2.31 (/usr/lib/php/20220829/pdo.so)",
+				"pdo_mysql @ 8.2.31 (/usr/lib/php/20220829/pdo_mysql.so)",
+				"phar @ 8.2.31 (/usr/lib/php/20220829/phar.so)",
+				"posix @ 8.2.31 (/usr/lib/php/20220829/posix.so)",
+				"readline @ 8.2.31 (/usr/lib/php/20220829/readline.so)",
+				"shmop @ 8.2.31 (/usr/lib/php/20220829/shmop.so)",
+				"simplexml @ 8.2.31 (/usr/lib/php/20220829/simplexml.so)",
+				"sockets @ 8.2.31 (/usr/lib/php/20220829/sockets.so)",
+				"sysvmsg @ 8.2.31 (/usr/lib/php/20220829/sysvmsg.so)",
+				"sysvsem @ 8.2.31 (/usr/lib/php/20220829/sysvsem.so)",
+				"sysvshm @ 8.2.31 (/usr/lib/php/20220829/sysvshm.so)",
+				"tokenizer @ 8.2.31 (/usr/lib/php/20220829/tokenizer.so)",
+				"xml @ 8.2.31 (/usr/lib/php/20220829/xml.so)",
+				"xmlreader @ 8.2.31 (/usr/lib/php/20220829/xmlreader.so)",
+				"xmlwriter @ 8.2.31 (/usr/lib/php/20220829/xmlwriter.so)",
+				"xsl @ 8.2.31 (/usr/lib/php/20220829/xsl.so)",
 			},
 			expectedRels: []string{
-				"calendar @ 8.2.30 (/usr/lib/php/20220829/calendar.so) [dependency-of] libphp @ 8.2.30 (/usr/lib/apache2/modules/libphp8.2.so)",
-				"ctype @ 8.2.30 (/usr/lib/php/20220829/ctype.so) [dependency-of] libphp @ 8.2.30 (/usr/lib/apache2/modules/libphp8.2.so)",
-				"exif @ 8.2.30 (/usr/lib/php/20220829/exif.so) [dependency-of] libphp @ 8.2.30 (/usr/lib/apache2/modules/libphp8.2.so)",
-				"ffi @ 8.2.30 (/usr/lib/php/20220829/ffi.so) [dependency-of] libphp @ 8.2.30 (/usr/lib/apache2/modules/libphp8.2.so)",
-				"fileinfo @ 8.2.30 (/usr/lib/php/20220829/fileinfo.so) [dependency-of] libphp @ 8.2.30 (/usr/lib/apache2/modules/libphp8.2.so)",
-				"ftp @ 8.2.30 (/usr/lib/php/20220829/ftp.so) [dependency-of] libphp @ 8.2.30 (/usr/lib/apache2/modules/libphp8.2.so)",
-				"gettext @ 8.2.30 (/usr/lib/php/20220829/gettext.so) [dependency-of] libphp @ 8.2.30 (/usr/lib/apache2/modules/libphp8.2.so)",
-				"iconv @ 8.2.30 (/usr/lib/php/20220829/iconv.so) [dependency-of] libphp @ 8.2.30 (/usr/lib/apache2/modules/libphp8.2.so)",
-				"mysqli @ 8.2.30 (/usr/lib/php/20220829/mysqli.so) [dependency-of] libphp @ 8.2.30 (/usr/lib/apache2/modules/libphp8.2.so)",
-				"opcache @ 8.2.30 (/usr/lib/php/20220829/opcache.so) [dependency-of] libphp @ 8.2.30 (/usr/lib/apache2/modules/libphp8.2.so)",
-				"pdo @ 8.2.30 (/usr/lib/php/20220829/pdo.so) [dependency-of] libphp @ 8.2.30 (/usr/lib/apache2/modules/libphp8.2.so)",
-				"pdo_mysql @ 8.2.30 (/usr/lib/php/20220829/pdo_mysql.so) [dependency-of] libphp @ 8.2.30 (/usr/lib/apache2/modules/libphp8.2.so)",
-				"phar @ 8.2.30 (/usr/lib/php/20220829/phar.so) [dependency-of] libphp @ 8.2.30 (/usr/lib/apache2/modules/libphp8.2.so)",
-				"posix @ 8.2.30 (/usr/lib/php/20220829/posix.so) [dependency-of] libphp @ 8.2.30 (/usr/lib/apache2/modules/libphp8.2.so)",
-				"readline @ 8.2.30 (/usr/lib/php/20220829/readline.so) [dependency-of] libphp @ 8.2.30 (/usr/lib/apache2/modules/libphp8.2.so)",
-				"shmop @ 8.2.30 (/usr/lib/php/20220829/shmop.so) [dependency-of] libphp @ 8.2.30 (/usr/lib/apache2/modules/libphp8.2.so)",
-				"simplexml @ 8.2.30 (/usr/lib/php/20220829/simplexml.so) [dependency-of] libphp @ 8.2.30 (/usr/lib/apache2/modules/libphp8.2.so)",
-				"sockets @ 8.2.30 (/usr/lib/php/20220829/sockets.so) [dependency-of] libphp @ 8.2.30 (/usr/lib/apache2/modules/libphp8.2.so)",
-				"sysvmsg @ 8.2.30 (/usr/lib/php/20220829/sysvmsg.so) [dependency-of] libphp @ 8.2.30 (/usr/lib/apache2/modules/libphp8.2.so)",
-				"sysvsem @ 8.2.30 (/usr/lib/php/20220829/sysvsem.so) [dependency-of] libphp @ 8.2.30 (/usr/lib/apache2/modules/libphp8.2.so)",
-				"sysvshm @ 8.2.30 (/usr/lib/php/20220829/sysvshm.so) [dependency-of] libphp @ 8.2.30 (/usr/lib/apache2/modules/libphp8.2.so)",
-				"tokenizer @ 8.2.30 (/usr/lib/php/20220829/tokenizer.so) [dependency-of] libphp @ 8.2.30 (/usr/lib/apache2/modules/libphp8.2.so)",
-				"xml @ 8.2.30 (/usr/lib/php/20220829/xml.so) [dependency-of] libphp @ 8.2.30 (/usr/lib/apache2/modules/libphp8.2.so)",
-				"xmlreader @ 8.2.30 (/usr/lib/php/20220829/xmlreader.so) [dependency-of] libphp @ 8.2.30 (/usr/lib/apache2/modules/libphp8.2.so)",
-				"xmlwriter @ 8.2.30 (/usr/lib/php/20220829/xmlwriter.so) [dependency-of] libphp @ 8.2.30 (/usr/lib/apache2/modules/libphp8.2.so)",
-				"xsl @ 8.2.30 (/usr/lib/php/20220829/xsl.so) [dependency-of] libphp @ 8.2.30 (/usr/lib/apache2/modules/libphp8.2.so)",
+				"calendar @ 8.2.31 (/usr/lib/php/20220829/calendar.so) [dependency-of] libphp @ 8.2.31 (/usr/lib/apache2/modules/libphp8.2.so)",
+				"ctype @ 8.2.31 (/usr/lib/php/20220829/ctype.so) [dependency-of] libphp @ 8.2.31 (/usr/lib/apache2/modules/libphp8.2.so)",
+				"exif @ 8.2.31 (/usr/lib/php/20220829/exif.so) [dependency-of] libphp @ 8.2.31 (/usr/lib/apache2/modules/libphp8.2.so)",
+				"ffi @ 8.2.31 (/usr/lib/php/20220829/ffi.so) [dependency-of] libphp @ 8.2.31 (/usr/lib/apache2/modules/libphp8.2.so)",
+				"fileinfo @ 8.2.31 (/usr/lib/php/20220829/fileinfo.so) [dependency-of] libphp @ 8.2.31 (/usr/lib/apache2/modules/libphp8.2.so)",
+				"ftp @ 8.2.31 (/usr/lib/php/20220829/ftp.so) [dependency-of] libphp @ 8.2.31 (/usr/lib/apache2/modules/libphp8.2.so)",
+				"gettext @ 8.2.31 (/usr/lib/php/20220829/gettext.so) [dependency-of] libphp @ 8.2.31 (/usr/lib/apache2/modules/libphp8.2.so)",
+				"iconv @ 8.2.31 (/usr/lib/php/20220829/iconv.so) [dependency-of] libphp @ 8.2.31 (/usr/lib/apache2/modules/libphp8.2.so)",
+				"mysqli @ 8.2.31 (/usr/lib/php/20220829/mysqli.so) [dependency-of] libphp @ 8.2.31 (/usr/lib/apache2/modules/libphp8.2.so)",
+				"opcache @ 8.2.31 (/usr/lib/php/20220829/opcache.so) [dependency-of] libphp @ 8.2.31 (/usr/lib/apache2/modules/libphp8.2.so)",
+				"pdo @ 8.2.31 (/usr/lib/php/20220829/pdo.so) [dependency-of] libphp @ 8.2.31 (/usr/lib/apache2/modules/libphp8.2.so)",
+				"pdo_mysql @ 8.2.31 (/usr/lib/php/20220829/pdo_mysql.so) [dependency-of] libphp @ 8.2.31 (/usr/lib/apache2/modules/libphp8.2.so)",
+				"phar @ 8.2.31 (/usr/lib/php/20220829/phar.so) [dependency-of] libphp @ 8.2.31 (/usr/lib/apache2/modules/libphp8.2.so)",
+				"posix @ 8.2.31 (/usr/lib/php/20220829/posix.so) [dependency-of] libphp @ 8.2.31 (/usr/lib/apache2/modules/libphp8.2.so)",
+				"readline @ 8.2.31 (/usr/lib/php/20220829/readline.so) [dependency-of] libphp @ 8.2.31 (/usr/lib/apache2/modules/libphp8.2.so)",
+				"shmop @ 8.2.31 (/usr/lib/php/20220829/shmop.so) [dependency-of] libphp @ 8.2.31 (/usr/lib/apache2/modules/libphp8.2.so)",
+				"simplexml @ 8.2.31 (/usr/lib/php/20220829/simplexml.so) [dependency-of] libphp @ 8.2.31 (/usr/lib/apache2/modules/libphp8.2.so)",
+				"sockets @ 8.2.31 (/usr/lib/php/20220829/sockets.so) [dependency-of] libphp @ 8.2.31 (/usr/lib/apache2/modules/libphp8.2.so)",
+				"sysvmsg @ 8.2.31 (/usr/lib/php/20220829/sysvmsg.so) [dependency-of] libphp @ 8.2.31 (/usr/lib/apache2/modules/libphp8.2.so)",
+				"sysvsem @ 8.2.31 (/usr/lib/php/20220829/sysvsem.so) [dependency-of] libphp @ 8.2.31 (/usr/lib/apache2/modules/libphp8.2.so)",
+				"sysvshm @ 8.2.31 (/usr/lib/php/20220829/sysvshm.so) [dependency-of] libphp @ 8.2.31 (/usr/lib/apache2/modules/libphp8.2.so)",
+				"tokenizer @ 8.2.31 (/usr/lib/php/20220829/tokenizer.so) [dependency-of] libphp @ 8.2.31 (/usr/lib/apache2/modules/libphp8.2.so)",
+				"xml @ 8.2.31 (/usr/lib/php/20220829/xml.so) [dependency-of] libphp @ 8.2.31 (/usr/lib/apache2/modules/libphp8.2.so)",
+				"xmlreader @ 8.2.31 (/usr/lib/php/20220829/xmlreader.so) [dependency-of] libphp @ 8.2.31 (/usr/lib/apache2/modules/libphp8.2.so)",
+				"xmlwriter @ 8.2.31 (/usr/lib/php/20220829/xmlwriter.so) [dependency-of] libphp @ 8.2.31 (/usr/lib/apache2/modules/libphp8.2.so)",
+				"xsl @ 8.2.31 (/usr/lib/php/20220829/xsl.so) [dependency-of] libphp @ 8.2.31 (/usr/lib/apache2/modules/libphp8.2.so)",
 			},
 		},
 	}
diff --git a/syft/pkg/cataloger/php/testdata/image-apache/Dockerfile b/syft/pkg/cataloger/php/testdata/image-apache/Dockerfile
index 04ca6c329..4484d04bc 100644
--- a/syft/pkg/cataloger/php/testdata/image-apache/Dockerfile
+++ b/syft/pkg/cataloger/php/testdata/image-apache/Dockerfile
@@ -1,6 +1,13 @@
 FROM --platform=linux/amd64 httpd:2.4.63-bookworm AS builder
 
-RUN apt update -y && apt install -y libapache2-mod-php php8.2-memcache php8.2-memcache php8.2-xml php8.2-mysqli php8.2-opcache
+# pin php8.2 packages to avoid version drift when debian publishes security updates
+ARG PHP_VERSION=8.2.31-1~deb12u1
+RUN apt update -y && apt install -y \
+    libapache2-mod-php8.2=${PHP_VERSION} \
+    php8.2-common=${PHP_VERSION} \
+    php8.2-xml=${PHP_VERSION} \
+    php8.2-mysql=${PHP_VERSION} \
+    php8.2-opcache=${PHP_VERSION}
 
 FROM busybox:latest