From e388b5249d80495c0fee833eeeec47b9127b62f7 Mon Sep 17 00:00:00 2001
From: nadimz
Date: Mon, 29 Jun 2026 17:54:44 +0200
Subject: [PATCH] Add support for MIT and Heimdal Kerberos 5 library detection (#4781)
* Add support for MIT and Heimdal Kerberos 5 library detection
Signed-off-by: Nadim Zubidat
* support 2-component case
Signed-off-by: Alex Goodman
---------
Signed-off-by: Nadim Zubidat
Signed-off-by: Alex Goodman
Co-authored-by: Nadim Zubidat
Co-authored-by: Alex Goodman
---
 syft/pkg/cataloger/binary/capabilities.yaml | 20 +++++++++++
 .../binary/classifier_cataloger_test.go | 34 ++++++++++++++++++
 syft/pkg/cataloger/binary/classifiers.go | 26 ++++++++++++++
 .../7.8.0/linux-amd64/libkrb5.so.26.0.0 | Bin 0 -> 360 bytes
 .../krb5/1.17/linux-amd64/libkrb5.so.3.3 | Bin 0 -> 357 bytes
 .../krb5/1.18.4/linux-amd64/libkrb5.so.3.3 | Bin 0 -> 357 bytes
 .../pkg/cataloger/binary/testdata/config.yaml | 25 +++++++++++++
 7 files changed, 105 insertions(+)
 create mode 100644 syft/pkg/cataloger/binary/testdata/classifiers/snippets/heimdal-krb5/7.8.0/linux-amd64/libkrb5.so.26.0.0
 create mode 100644 syft/pkg/cataloger/binary/testdata/classifiers/snippets/krb5/1.17/linux-amd64/libkrb5.so.3.3
 create mode 100644 syft/pkg/cataloger/binary/testdata/classifiers/snippets/krb5/1.18.4/linux-amd64/libkrb5.so.3.3
diff --git a/syft/pkg/cataloger/binary/capabilities.yaml b/syft/pkg/cataloger/binary/capabilities.yaml
index c98e5c57e..a40db6e16 100644
--- a/syft/pkg/cataloger/binary/capabilities.yaml
+++ b/syft/pkg/cataloger/binary/capabilities.yaml
@@ -846,6 +846,26 @@ catalogers:
 cpes:
 - cpe:2.3:a:elastic:elastic_agent:*:*:*:*:*:*:*:*
 type: BinaryPkg
+ - method: glob
+ criteria:
+ - '**/libkrb5.so*'
+ packages:
+ - class: krb5-library
+ name: krb5
+ purl: pkg:generic/krb5
+ cpes:
+ - cpe:2.3:a:mit:kerberos_5:*:*:*:*:*:*:*:*
+ type: BinaryPkg
+ - method: glob
+ criteria:
+ - '**/libkrb5.so*'
+ packages:
+ - class: heimdal-krb5-library
+ name: heimdal-krb5
+ purl: pkg:generic/heimdal-krb5
+ cpes:
+ - cpe:2.3:a:heimdal_project:heimdal:*:*:*:*:*:*:*:*
+ type: BinaryPkg
 - method: glob
 criteria:
 - '**/java'
diff --git a/syft/pkg/cataloger/binary/classifier_cataloger_test.go b/syft/pkg/cataloger/binary/classifier_cataloger_test.go
index a57290a9b..ab5af2703 100644
--- a/syft/pkg/cataloger/binary/classifier_cataloger_test.go
+++ b/syft/pkg/cataloger/binary/classifier_cataloger_test.go
@@ -1620,6 +1620,40 @@ func Test_Cataloger_PositiveCases(t *testing.T) {
 Metadata: metadata("haskell-cabal-binary"),
 },
 },
+ {
+ logicalFixture: "krb5/1.18.4/linux-amd64",
+ expected: pkg.Package{
+ Name: "krb5",
+ Version: "1.18.4",
+ Type: "binary",
+ PURL: "pkg:generic/krb5@1.18.4",
+ Locations: locations("libkrb5.so.3.3"),
+ Metadata: metadata("krb5-library"),
+ },
+ },
+ {
+ // base releases brand with a 2-component version (e.g. "krb5-1.17-final 1.17")
+ logicalFixture: "krb5/1.17/linux-amd64",
+ expected: pkg.Package{
+ Name: "krb5",
+ Version: "1.17",
+ Type: "binary",
+ PURL: "pkg:generic/krb5@1.17",
+ Locations: locations("libkrb5.so.3.3"),
+ Metadata: metadata("krb5-library"),
+ },
+ },
+ {
+ logicalFixture: "heimdal-krb5/7.8.0/linux-amd64",
+ expected: pkg.Package{
+ Name: "heimdal-krb5",
+ Version: "7.8.0",
+ Type: "binary",
+ PURL: "pkg:generic/heimdal-krb5@7.8.0",
+ Locations: locations("libkrb5.so.26.0.0"),
+ Metadata: metadata("heimdal-krb5-library"),
+ },
+ },
 {
 logicalFixture: "nginx/1.25.1/linux-amd64",
 expected: pkg.Package{
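Review bot: Only a three-component Heimdal brand (`7.8.0`) is exercised in the added cases, although the heimdal-krb5-library matcher in classifiers.go is commented as also accepting two-component brands (`$Version: Heimdal 7.1`), and krb5 gets a dedicated `1.17` case for exactly that shape. An extra entry such as `logicalFixture: "heimdal-krb5/TWO_COMPONENT_VERSION/linux-amd64"` (placeholder version) would pin that branch of the version pattern. This matters beyond coverage numbers because the extracted version is what later gets compared against advisory ranges for the `heimdal_project:heimdal` CPE. The test table these entries belong to starts and ends outside the hunk.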
diff --git a/syft/pkg/cataloger/binary/classifiers.go b/syft/pkg/cataloger/binary/classifiers.go index c5229235b..52a9be871 100644 --- a/syft/pkg/cataloger/binary/classifiers.go +++ b/syft/pkg/cataloger/binary/classifiers.go @@ -1191,6 +1191,32 @@ func DefaultClassifiers() []binutils.Classifier { PURL: mustPURL("pkg:generic/elastic-agent@version"), CPEs: singleCPE("cpe:2.3:a:elastic:elastic_agent:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource), }, + { + Class: "krb5-library", + FileGlob: "**/libkrb5.so*", + // [NUL]KRB5_BRAND: krb5-1.18.4-final 1.18.4 20210722 + // [NUL]KRB5_BRAND: krb5-1.17-final 1.17 20190108 (base releases brand as 2-component) + EvidenceMatcher: m.FileContentsVersionMatcher( + `\x00KRB5_BRAND:\s+krb5-[^\s]+\s+(?P[0-9]+(?:\.[0-9]+){1,2})(?:\s|$)`, + ), + Package: "krb5", + PURL: mustPURL("pkg:generic/krb5@version"), + CPEs: singleCPE("cpe:2.3:a:mit:kerberos_5:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource), + }, + { + Class: "heimdal-krb5-library", + FileGlob: "**/libkrb5.so*", + // $Version: Heimdal 7.5.0 + // $Version: Heimdal 7.8.0 + // $Version: Heimdal 7.1 + // $Version: Heimdal 7.0.3 + EvidenceMatcher: m.FileContentsVersionMatcher( + `(?m)\$Version:\s+Heimdal\s+(?P[0-9]+(?:\.[0-9]+){1,2})(?:\s|$)`, + ), + Package: "heimdal-krb5", + PURL: mustPURL("pkg:generic/heimdal-krb5@version"), + CPEs: singleCPE("cpe:2.3:a:heimdal_project:heimdal:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource), + }, } return append(classifiers, defaultJavaClassifiers()...) 
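Review bot: Both new entries use `FileGlob: "**/libkrb5.so*"`, so every matching file is offered to both matchers and the MIT-versus-Heimdal attribution (and with it the CPE a vulnerability matcher keys on) rests on the content pattern alone; each entry should say so, for example `// shares the libkrb5.so* glob with heimdal-krb5-library; only the KRB5_BRAND string identifies MIT`. The two patterns are also not equally strict: the krb5 one is anchored on a leading `\x00` and has no `(?m)`, while the Heimdal one sets `(?m)` and has no anchor before `\$Version:`, so the `$` in `(?:\s|$)` means end of input in the first and end of line in the second. If that difference is intended it belongs in the comment, otherwise both should use the same flags. A brand with anything other than whitespace directly after the number (a pre-release suffix, if upstream emits one) fails the `(?:\s|$)` check, so the library is left out of the SBOM rather than reported with a truncated version; that is the safer failure, but it is worth stating as intended. DefaultClassifiers begins outside the hunk.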
diff --git a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/heimdal-krb5/7.8.0/linux-amd64/libkrb5.so.26.0.0 b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/heimdal-krb5/7.8.0/linux-amd64/libkrb5.so.26.0.0 new file mode 100644 index 0000000000000000000000000000000000000000..8f7dd1d43403497f731592ecd18d227d4a49b788 GIT binary patch literal 360 zcmY+9O-sZu5Qcm1uNdea^iqDNl)4m!h-7rqZqXw+JyOi-AzClX_p+2M_gZbhH)_g5z2Vt9rHm6 z>VjgLArokM7z`zh32g!sK{75Ya-LJKJtdMzszZ=%hzb8>10A^$!#HR$Aa&LlYpBw+ zy1he5lpB=Ql3VLZ&B#%B&KWfvX%J%cZQFGn*vpFW`zEXfLP@Edp`zN$#MC@tJb05p z_Nph%-BowJdBb^$B~S2=!KS%6<$W&a3^>nazHMI0&(=IY+{3Y?=q@nh2fB5s^Yetu S+H4=Uurmu-#9WVGW&aJ~%WAU# literal 0 HcmV?d00001 diff --git a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/krb5/1.17/linux-amd64/libkrb5.so.3.3 b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/krb5/1.17/linux-amd64/libkrb5.so.3.3 new file mode 100644 index 0000000000000000000000000000000000000000..3c0856ed721c6c71a541b21fd30ce6746e44e911 GIT binary patch literal 357 zcmZvYO-jT-5QW_c(%>B$vJ)nBb*EF^S?SgXjlJh$%o)#-BROI0e?r!>T|;l>(NlI7Svjr)d!6m00)!y%6Mdy=}I zrRbBL;`Dtf?&1u$zuoslwzzX3hv&=$k&>D?0M>Q?%()yVkbxD zX1CQ3+uhaeb;IW$Y@h_(q_(5X=aowVR)8?8_v2s2=hxYy{CuA;yu3JF__*?J;xC+G BQ*!_S literal 0 HcmV?d00001 diff --git a/syft/pkg/cataloger/binary/testdata/classifiers/snippets/krb5/1.18.4/linux-amd64/libkrb5.so.3.3 b/syft/pkg/cataloger/binary/testdata/classifiers/snippets/krb5/1.18.4/linux-amd64/libkrb5.so.3.3 new file mode 100644 index 0000000000000000000000000000000000000000..71d35dd487b04a6e39fcc6e73164b067beb343d1 GIT binary patch literal 357 zcmZvYze)r_48|=4VelaauD)fG`M;f~op8nZ05Wrv@fOG3!(9+NAHmM|@)fM@d;rJw zusBSSUy_e}g!JKoT3)(%{}^>M4vlOi8*(0LYPl0AonVFfyJ^>QK*7eo+wW<**#*?5 zuTV~fRt$LERo;Y>aaJP)M|PrOR(M^W*Jw=GTFrmEY++ BRmuPW literal 0 HcmV?d00001 diff --git a/syft/pkg/cataloger/binary/testdata/config.yaml b/syft/pkg/cataloger/binary/testdata/config.yaml index 41d402bc9..5f8fa88aa 100644 
--- a/syft/pkg/cataloger/binary/testdata/config.yaml
+++ b/syft/pkg/cataloger/binary/testdata/config.yaml
@@ -1433,6 +1433,31 @@ from-images:
 platform: linux/amd64
 paths:
 - /usr/lib/x86_64-linux-gnu/libQtCore.so.4.8.6
+
+ - name: krb5
+ version: 1.18.4
+ images:
+ - ref: apache/ozone-testkrb5:20230318-1@sha256:6a7eeac1ebd12e8968e34ab93fb8d21f2b92ae52bc0a85b662a2d41065f05d3a
+ platform: linux/amd64
+ paths:
+ - /usr/lib/libkrb5.so.3.3
+
+ - name: krb5
+ version: 1.17
+ images:
+ - ref: mongo:4.4@sha256:4be76f674fc4b27859816811b8baa3c51830eb1dbf4ca81a51e26b79edd662ef
+ platform: linux/amd64
+ paths:
+ - /usr/lib/x86_64-linux-gnu/libkrb5.so.3.3
+
+ - name: heimdal-krb5
+ version: 7.8.0
+ images:
+ - ref: nadimz/heimdal-krb5:7.8.0@sha256:23a5046493f3e97669353c18abcba6bd57fc9ddf53faa63b91b1a94f52f590e5
+ platform: linux/amd64
+ paths:
+ - /usr/lib/x86_64-linux-gnu/libkrb5.so.26.0.0
+
 - version: 1.36.4
 images:
 - ref: envoyproxy/envoy:v1.36.4@sha256:ae31562b8cede20913a2d3d6a4f44c8479a50551e033cb8ef7bb8e38cec4b573
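Review bot: The Heimdal fixture is pulled from `nadimz/heimdal-krb5:7.8.0`, which looks like a personal registry namespace (it matches the patch author's handle), whereas the two krb5 fixtures come from `apache/ozone-testkrb5` and `mongo`. The digest pin keeps the content immutable, but a reviewer of the committed snippet cannot see how that image was built, and regenerating the fixture depends on that account keeping the image published. I would either switch to a distribution image that ships Heimdal's libkrb5 at this path, or add a comment above the entry such as `# image built from DOCKERFILE_URL_PLACEHOLDER; unmodified Heimdal 7.8.0 from UPSTREAM_SOURCE_PLACEHOLDER`. The `from-images` list starts and ends outside the hunk.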