diff --git a/internal/capabilities/generate/overrides.go b/internal/capabilities/generate/overrides.go index bf1afa47d..1f578a15e 100644 --- a/internal/capabilities/generate/overrides.go +++ b/internal/capabilities/generate/overrides.go @@ -96,6 +96,20 @@ var binaryClassifierOverrides = map[string][]binaryClassifierOverride{ CPEs: singleCPE("cpe:2.3:a:oracle:jdk:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource), }, }, + "openssl-binary": { + { + Class: "openssl-binary-aws-lc", + Package: "aws-lc", + PURL: mustPURL("pkg:generic/aws-lc@version"), + CPEs: singleCPE("cpe:2.3:a:amazon:aws_libcrypto:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource), + }, + { + Class: "openssl-binary", + Package: "openssl", + PURL: mustPURL("pkg:generic/openssl@version"), + CPEs: singleCPE("cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource), + }, + }, } func mustPURL(purl string) string { diff --git a/syft/pkg/cataloger/binary/capabilities.yaml b/syft/pkg/cataloger/binary/capabilities.yaml index b64362108..35a3e946b 100644 --- a/syft/pkg/cataloger/binary/capabilities.yaml +++ b/syft/pkg/cataloger/binary/capabilities.yaml @@ -427,6 +427,17 @@ catalogers: criteria: - '**/openssl' packages: + - class: openssl-binary + name: "" + purl: pkg:/ + cpes: [] + type: BinaryPkg + - class: openssl-binary-aws-lc + name: aws-lc + purl: pkg:generic/aws-lc + cpes: + - cpe:2.3:a:amazon:aws_libcrypto:*:*:*:*:*:*:*:* + type: BinaryPkg - class: openssl-binary name: openssl purl: pkg:generic/openssl diff --git a/syft/pkg/cataloger/binary/classifier_cataloger_test.go b/syft/pkg/cataloger/binary/classifier_cataloger_test.go index f14628764..279a21099 100644 --- a/syft/pkg/cataloger/binary/classifier_cataloger_test.go +++ b/syft/pkg/cataloger/binary/classifier_cataloger_test.go 
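Review bot: The regenerated capabilities.yaml in this commit gains an `openssl-binary` entry with `name: ""`, `purl: pkg:/` and `cpes: []` next to the two classes declared in this override, so the override appears to be added to the outer classifier's now-empty Package/PURL/CPEs instead of replacing them. An empty-named package with a malformed purl in the capabilities file may mislead anything that builds match rules from it; the generator should skip the outer entry when an override exists, or the empty entry should be confirmed as intended. The PURL and CPE literals here also repeat the ones in classifiers.go verbatim, so a comment such as `// keep in sync with the openssl-binary branches in DefaultClassifiers` would help prevent drift. The map literal starts outside this hunk.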
@@ -1485,6 +1485,17 @@ func Test_Cataloger_PositiveCases(t *testing.T) { Metadata: metadata("openssl-binary"), }, }, + { + logicalFixture: "aws-lc/1.69.0/linux-amd64", + expected: pkg.Package{ + Name: "aws-lc", + Version: "1.69.0", + Type: "binary", + PURL: "pkg:generic/aws-lc@1.69.0", + Locations: locations("openssl"), + Metadata: metadata("openssl-binary-aws-lc"), + }, + }, { logicalFixture: "openldap/2.6.10/linux-amd64", expected: pkg.Package{ diff --git a/syft/pkg/cataloger/binary/classifiers.go b/syft/pkg/cataloger/binary/classifiers.go index 2802b16a7..8a0f32fb8 100644 --- a/syft/pkg/cataloger/binary/classifiers.go +++ b/syft/pkg/cataloger/binary/classifiers.go 
@@ -564,14 +564,29 @@ func DefaultClassifiers() []binutils.Classifier { { Class: "openssl-binary", FileGlob: "**/openssl", - EvidenceMatcher: m.FileContentsVersionMatcher( - // [NUL]OpenSSL 3.1.4' - // [NUL]OpenSSL 1.1.1w' - `\x00OpenSSL (?P[0-9]+\.[0-9]+\.[0-9]+([a-z]+|-alpha[0-9]|-beta[0-9]|-rc[0-9])?)`, - ), - Package: "openssl", - PURL: mustPURL("pkg:generic/openssl@version"), - CPEs: singleCPE("cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource), + EvidenceMatcher: binutils.BranchingEvidenceMatcher([]binutils.Classifier{ + { + Class: "openssl-binary-aws-lc", + EvidenceMatcher: m.FileContentsVersionMatcher( + // [NUL]OpenSSL 1.1.1 (compatible; AWS-LC 1.69.0)[NUL] + `AWS-LC (?P[0-9]+\.[0-9]+\.[0-9]+)\)\x00`, + ), + Package: "aws-lc", + PURL: mustPURL("pkg:generic/aws-lc@version"), + CPEs: singleCPE("cpe:2.3:a:amazon:aws_libcrypto:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource), + }, + { + Class: "openssl-binary", + EvidenceMatcher: m.FileContentsVersionMatcher( + // [NUL]OpenSSL 3.1.4' + // [NUL]OpenSSL 1.1.1w' + `\x00OpenSSL (?P[0-9]+\.[0-9]+\.[0-9]+([a-z]+|-alpha[0-9]|-beta[0-9]|-rc[0-9])?)`, + ), + Package: "openssl", + PURL: mustPURL("pkg:generic/openssl@version"), + CPEs: singleCPE("cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource), + }, + }...), }, { Class: "openldap-search-binary", diff --git a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/aws-lc/1.69.0/linux-amd64/openssl b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/aws-lc/1.69.0/linux-amd64/openssl new file mode 100644 index 000000000..0bf1688e0 Binary files /dev/null and b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/aws-lc/1.69.0/linux-amd64/openssl differ diff --git a/syft/pkg/cataloger/binary/testdata/config.yaml b/syft/pkg/cataloger/binary/testdata/config.yaml index e215088d1..ea1540b68 100644 --- a/syft/pkg/cataloger/binary/testdata/config.yaml +++ b/syft/pkg/cataloger/binary/testdata/config.yaml 
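Review bot: The aws-lc branch only matches a banner version of the exact form `x.y.z` followed by `)` and NUL, and when it misses, the openssl branch still matches the `\x00OpenSSL 1.1.1` prefix that the comment shows AWS-LC embeds, so such a binary would be catalogued as openssl 1.1.1 with the openssl CPE and matched against the wrong advisories. Assuming BranchingEvidenceMatcher tries branches in slice order, that ordering is load-bearing and deserves a comment above the first branch, e.g. `// must precede the openssl branch: AWS-LC's banner starts with "OpenSSL 1.1.1 (compatible; ..." and would otherwise match it`. The aws-lc pattern is also looser than its comment, since it does not require the leading banner text; prefixing it with `\x00OpenSSL [0-9]+\.[0-9]+\.[0-9]+ \(compatible; ` would tie the match to the banner. DefaultClassifiers begins and ends outside this hunk.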
@@ -919,11 +919,19 @@ from-images: - name: openssl version: 1.1.1w images: - - ref: openresty/openresty:1.25.3.1-2-alpine@sha256:b1cb45b1556801b8cb1bc29ea78faf2eaf67926a37b052dd070866e44d7df07a + - ref: openresty/openresty:1.25.3.1-2-alpine@sha256:6c24f25318e5ecf0c981bec584842af329552a538fe48a24ec25387374c652b2 platform: linux/arm64 paths: - /usr/local/openresty/openssl/bin/openssl + - name: aws-lc + version: 1.69.0 + images: + - ref: haproxytech/haproxy-alpine:3.3.8@sha256:ba237771cc7e734b4449829b09d107012c8d7578d77487b8453207e7ca851996 + platform: linux/amd64 + paths: + - /opt/aws-lc/bin/openssl + - name: openldap version: 2.6.10 images:
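Review bot: The pinned digest for `openresty/openresty:1.25.3.1-2-alpine` changes from `sha256:b1cb45b1…` to `sha256:6c24f253…` for the same tag and platform, which is unrelated to the aws-lc addition and is not explained in the visible part of the commit. A changed pin means the openssl 1.1.1w fixture is now extracted from different image content, so the reason (for example a re-pushed tag, or a switch between index and platform manifest digest) should be recorded and the derived snippet re-verified. A short comment above the ref, such as `# digest updated: <reason>`, would keep the provenance auditable. The new haproxy-alpine ref is pinned by digest as well, which is consistent with the rest of the file.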