SYFT_PACKAGE_EXCLUDE_BINARY_OVERLAP_BY_OWNERSHIP=false is not working

[marinedayo]

What happened:

SYFT_PACKAGE_EXCLUDE_BINARY_OVERLAP_BY_OWNERSHIP=false is not working in Syft v1.4.0 or later.

I am using Syft with SYFT_PACKAGE_EXCLUDE_BINARY_OVERLAP_BY_OWNERSHIP=false to output java installed via RPM package as CycloneDX component type application.
But it is not working. None of application type is output.

It works fine when using Syft v1.3.0.

What you expected to happen:

Expect java and node, etc. installed via RPM package to be output as CycloneDX component type application.

Steps to reproduce the issue:

1. For example, prepare the following container image named myapp:latest:

   FROM rockylinux:9
   RUN dnf install --debuglevel=1 -y java-21-openjdk

2. Execute syft with SYFT_PACKAGE_EXCLUDE_BINARY_OVERLAP_BY_OWNERSHIP=false:

   $ SYFT_PACKAGE_EXCLUDE_BINARY_OVERLAP_BY_OWNERSHIP=false syft myapp:latest --output [email protected]=java.cdx.json
   

3. None of application type is output:

   $ jq '.components | map(select(.type == "application") | .name)' java.cdx.json 
   []
   

Anything else we need to know?:

When it is binary, it becomes application in CycloneDX format.
https://github.com/anchore/syft/blob/v1.5.0/syft/format/internal/cyclonedxutil/helpers/component.go#L39-L42

Environment:

$ syft version
Application: syft
Version:    1.5.0
BuildDate:  2024-05-28T15:11:44Z
GitCommit:  ac34808b9c55bb274b1205f9b5d9cf495239577d
GitDescription: v1.5.0
Platform:   linux/amd64
GoVersion:  go1.21.10
Compiler:   gc

[kzantow]

Thanks for the report @marinedayo -- I can confirm this on the latest Syft, 1.5.0, even with the base rockylinux:9, binary packages detected:

$ syft rockylinux:9 --select-catalogers binary -q | grep binary
bash     5.1.8    binary    
openssl  3.0.7    binary    
python   3.9.18   binary

... but none included with the aforementioned option:

$ SYFT_PACKAGE_EXCLUDE_BINARY_OVERLAP_BY_OWNERSHIP=false syft rockylinux:9 -q | grep binary

[marinedayo]

Thanks for the reply.

As you mentioned, other binaries are also installed with RPM packages in Rocky Linux, so it's the same thing.

Syft v1.5.0:

$ syft rockylinux:9 -q | grep binary

$ SYFT_PACKAGE_EXCLUDE_BINARY_OVERLAP_BY_OWNERSHIP=false syft rockylinux:9 -q | grep binary

Syft v1.3.0:

$ syft rockylinux:9 -q | grep binary

$ SYFT_PACKAGE_EXCLUDE_BINARY_OVERLAP_BY_OWNERSHIP=false syft rockylinux:9 -q | grep binary
bash                         5.1.8                          binary    
openssl                      3.0.7                          binary    
python                       3.9.18                         binary

[marinedayo]

Looks like it is affected by this commit 4194a2c in v1.4.0.

syft/internal/relationship/finalize.go

Lines 12 to 28 in 4194a2c

	func Finalize(resolver file.Resolver, builder sbomsync.Builder, cfg cataloging.RelationshipsConfig, src artifact.Identifiable) {
	accessor := builder.(sbomsync.Accessor)
	// remove ELF packages and Binary packages that are already
	// represented by a source package (e.g. a package that is evident by some package manager)
	builder.DeletePackages(binary.PackagesToRemove(resolver, accessor)...)
	// add relationships showing packages that are evident by a file which is owned by another package (package-to-package)
	if cfg.PackageFileOwnershipOverlap {
	byFileOwnershipOverlapWorker(accessor)
	}
	// conditionally remove binary packages based on file ownership overlap relationships found
	// https://github.com/anchore/syft/issues/931
	if cfg.ExcludeBinaryPackagesWithFileOwnershipOverlap {
	excludeBinariesByFileOwnershipOverlap(accessor)
	}

Since bash binary package is bash as an executable file, while bash RPM package is bash as an RPM package (i.e. it contains files other than the executable bash), in my case I would prefer not to remove it.

I suggest a configuration like SYFT_PACKAGE_EXCLUDE_BINARY_OVERLAP_BY_OWNERSHIP that skips this process.