Different results scanning PHP SBOMs generated by cdxgen and Syft #2037

Open
metametadata opened this issue Aug 6, 2024 · 2 comments
Labels: bug

Comments


metametadata commented Aug 6, 2024

What happened:

I'm working on detecting vulns in a PHP project, and I get quite different results when scanning. I'm not sure if it's expected or whether there could be something to improve in Grype, Syft or cdxgen. I've created a minimal example to demonstrate the problem.

cdxgen + Grype:

~/dev/composer_issue ᐅ grype --add-cpes-if-none sbom:cdxgen.json
 ✔ Vulnerability DB                [no update available]
 ✔ Scanned for vulnerabilities     [1 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 1 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 1 not-fixed, 0 ignored
NAME    INSTALLED  FIXED-IN  TYPE          VULNERABILITY  SEVERITY
jquery  3.7.1                php-composer  CVE-2007-2379  Medium

Syft + Grype:

~/dev/composer_issue ᐅ grype --add-cpes-if-none sbom:syft.json
 ✔ Vulnerability DB                [no update available]
 ✔ Scanned for vulnerabilities     [2 vulnerability matches]
   ├── by severity: 0 critical, 1 high, 1 medium, 0 low, 0 negligible
   └── by status:   2 fixed, 0 not-fixed, 0 ignored
NAME          INSTALLED  FIXED-IN  TYPE          VULNERABILITY        SEVERITY
yiisoft/yii2  2.0.49.2   2.0.49.4  php-composer  GHSA-cjcc-p67m-7qxm  High
yiisoft/yii2  2.0.49.2   2.0.49.4  php-composer  GHSA-qg5r-95m4-mjgj  Medium

As we can see, completely different vulns are detected.

What you expected to happen:

Same results in both scenarios.

How to reproduce it (as minimally and precisely as possible):

PHP composer.json:

{
  "name": "example/php_sbom_issue",
  "require": {
    "yiisoft/yii2": "2.0.49.2"
  },
  "repositories": [
    {
      "type": "composer",
      "url": "https://asset-packagist.org"
    }
  ],
  "config": {
    "allow-plugins": {
      "yiisoft/yii2-composer": true
    }
  }
}

composer.lock generated via composer update --no-install:

{
    "_readme": [
        "This file locks the dependencies of your project to a known state",
        "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
        "This file is @generated automatically"
    ],
    "content-hash": "de1bd552949dd523bc63bbf9630f3ab5",
    "packages": [
        {
            "name": "bower-asset/inputmask",
            "version": "5.0.9",
            "source": {
                "type": "git",
                "url": "https://github.com/RobinHerbots/Inputmask.git",
                "reference": "310a33557e2944daf86d5946a5e8c82b9118f8f7"
            },
            "dist": {
                "type": "zip",
                "url": "https://api.github.com/repos/RobinHerbots/Inputmask/zipball/310a33557e2944daf86d5946a5e8c82b9118f8f7",
                "reference": "310a33557e2944daf86d5946a5e8c82b9118f8f7"
            },
            "require": {
                "bower-asset/jquery": ">=1.7"
            },
            "type": "bower-asset",
            "license": [
                "http://opensource.org/licenses/mit-license.php"
            ]
        },
        {
            "name": "bower-asset/jquery",
            "version": "3.7.1",
            "source": {
                "type": "git",
                "url": "https://github.com/jquery/jquery-dist.git",
                "reference": "fde1f76e2799dd877c176abde0ec836553246991"
            },
            "dist": {
                "type": "zip",
                "url": "https://api.github.com/repos/jquery/jquery-dist/zipball/fde1f76e2799dd877c176abde0ec836553246991",
                "reference": "fde1f76e2799dd877c176abde0ec836553246991"
            },
            "type": "bower-asset",
            "license": [
                "MIT"
            ]
        },
        {
            "name": "bower-asset/punycode",
            "version": "v2.2.3",
            "source": {
                "type": "git",
                "url": "https://github.com/mathiasbynens/punycode.js.git",
                "reference": "46d412120e2feb868876769a9847790ba278c882"
            },
            "dist": {
                "type": "zip",
                "url": "https://api.github.com/repos/mathiasbynens/punycode.js/zipball/46d412120e2feb868876769a9847790ba278c882",
                "reference": "46d412120e2feb868876769a9847790ba278c882"
            },
            "type": "bower-asset"
        },
        {
            "name": "bower-asset/yii2-pjax",
            "version": "2.0.8",
            "source": {
                "type": "git",
                "url": "git@github.com:yiisoft/jquery-pjax.git",
                "reference": "a9298d57da63d14a950f1b94366a864bc62264fb"
            },
            "dist": {
                "type": "zip",
                "url": "https://api.github.com/repos/yiisoft/jquery-pjax/zipball/a9298d57da63d14a950f1b94366a864bc62264fb",
                "reference": "a9298d57da63d14a950f1b94366a864bc62264fb"
            },
            "require": {
                "bower-asset/jquery": ">=1.8"
            },
            "type": "bower-asset",
            "license": [
                "MIT"
            ]
        },
        {
            "name": "cebe/markdown",
            "version": "1.2.1",
            "source": {
                "type": "git",
                "url": "https://github.com/cebe/markdown.git",
                "reference": "9bac5e971dd391e2802dca5400bbeacbaea9eb86"
            },
            "dist": {
                "type": "zip",
                "url": "https://api.github.com/repos/cebe/markdown/zipball/9bac5e971dd391e2802dca5400bbeacbaea9eb86",
                "reference": "9bac5e971dd391e2802dca5400bbeacbaea9eb86",
                "shasum": ""
            },
            "require": {
                "lib-pcre": "*",
                "php": ">=5.4.0"
            },
            "require-dev": {
                "cebe/indent": "*",
                "facebook/xhprof": "*@dev",
                "phpunit/phpunit": "4.1.*"
            },
            "bin": [
                "bin/markdown"
            ],
            "type": "library",
            "extra": {
                "branch-alias": {
                    "dev-master": "1.2.x-dev"
                }
            },
            "autoload": {
                "psr-4": {
                    "cebe\\markdown\\": ""
                }
            },
            "notification-url": "https://packagist.org/downloads/",
            "license": [
                "MIT"
            ],
            "authors": [
                {
                    "name": "Carsten Brandt",
                    "email": "[email protected]",
                    "homepage": "http://cebe.cc/",
                    "role": "Creator"
                }
            ],
            "description": "A super fast, highly extensible markdown parser for PHP",
            "homepage": "https://github.com/cebe/markdown#readme",
            "keywords": [
                "extensible",
                "fast",
                "gfm",
                "markdown",
                "markdown-extra"
            ],
            "support": {
                "issues": "https://github.com/cebe/markdown/issues",
                "source": "https://github.com/cebe/markdown"
            },
            "time": "2018-03-26T11:24:36+00:00"
        },
        {
            "name": "ezyang/htmlpurifier",
            "version": "v4.17.0",
            "source": {
                "type": "git",
                "url": "https://github.com/ezyang/htmlpurifier.git",
                "reference": "bbc513d79acf6691fa9cf10f192c90dd2957f18c"
            },
            "dist": {
                "type": "zip",
                "url": "https://api.github.com/repos/ezyang/htmlpurifier/zipball/bbc513d79acf6691fa9cf10f192c90dd2957f18c",
                "reference": "bbc513d79acf6691fa9cf10f192c90dd2957f18c",
                "shasum": ""
            },
            "require": {
                "php": "~5.6.0 || ~7.0.0 || ~7.1.0 || ~7.2.0 || ~7.3.0 || ~7.4.0 || ~8.0.0 || ~8.1.0 || ~8.2.0 || ~8.3.0"
            },
            "require-dev": {
                "cerdic/css-tidy": "^1.7 || ^2.0",
                "simpletest/simpletest": "dev-master"
            },
            "suggest": {
                "cerdic/css-tidy": "If you want to use the filter 'Filter.ExtractStyleBlocks'.",
                "ext-bcmath": "Used for unit conversion and imagecrash protection",
                "ext-iconv": "Converts text to and from non-UTF-8 encodings",
                "ext-tidy": "Used for pretty-printing HTML"
            },
            "type": "library",
            "autoload": {
                "files": [
                    "library/HTMLPurifier.composer.php"
                ],
                "psr-0": {
                    "HTMLPurifier": "library/"
                },
                "exclude-from-classmap": [
                    "/library/HTMLPurifier/Language/"
                ]
            },
            "notification-url": "https://packagist.org/downloads/",
            "license": [
                "LGPL-2.1-or-later"
            ],
            "authors": [
                {
                    "name": "Edward Z. Yang",
                    "email": "[email protected]",
                    "homepage": "http://ezyang.com"
                }
            ],
            "description": "Standards compliant HTML filter written in PHP",
            "homepage": "http://htmlpurifier.org/",
            "keywords": [
                "html"
            ],
            "support": {
                "issues": "https://github.com/ezyang/htmlpurifier/issues",
                "source": "https://github.com/ezyang/htmlpurifier/tree/v4.17.0"
            },
            "time": "2023-11-17T15:01:25+00:00"
        },
        {
            "name": "paragonie/random_compat",
            "version": "v9.99.100",
            "source": {
                "type": "git",
                "url": "https://github.com/paragonie/random_compat.git",
                "reference": "996434e5492cb4c3edcb9168db6fbb1359ef965a"
            },
            "dist": {
                "type": "zip",
                "url": "https://api.github.com/repos/paragonie/random_compat/zipball/996434e5492cb4c3edcb9168db6fbb1359ef965a",
                "reference": "996434e5492cb4c3edcb9168db6fbb1359ef965a",
                "shasum": ""
            },
            "require": {
                "php": ">= 7"
            },
            "require-dev": {
                "phpunit/phpunit": "4.*|5.*",
                "vimeo/psalm": "^1"
            },
            "suggest": {
                "ext-libsodium": "Provides a modern crypto API that can be used to generate random bytes."
            },
            "type": "library",
            "notification-url": "https://packagist.org/downloads/",
            "license": [
                "MIT"
            ],
            "authors": [
                {
                    "name": "Paragon Initiative Enterprises",
                    "email": "[email protected]",
                    "homepage": "https://paragonie.com"
                }
            ],
            "description": "PHP 5.x polyfill for random_bytes() and random_int() from PHP 7",
            "keywords": [
                "csprng",
                "polyfill",
                "pseudorandom",
                "random"
            ],
            "support": {
                "email": "[email protected]",
                "issues": "https://github.com/paragonie/random_compat/issues",
                "source": "https://github.com/paragonie/random_compat"
            },
            "time": "2020-10-15T08:29:30+00:00"
        },
        {
            "name": "yiisoft/yii2",
            "version": "2.0.49.2",
            "source": {
                "type": "git",
                "url": "https://github.com/yiisoft/yii2-framework.git",
                "reference": "7d38bf7584acbe838a8d08e40e949b6393162441"
            },
            "dist": {
                "type": "zip",
                "url": "https://api.github.com/repos/yiisoft/yii2-framework/zipball/7d38bf7584acbe838a8d08e40e949b6393162441",
                "reference": "7d38bf7584acbe838a8d08e40e949b6393162441",
                "shasum": ""
            },
            "require": {
                "bower-asset/inputmask": "~3.2.2 | ~3.3.5 | ~5.0.8 ",
                "bower-asset/jquery": "3.7.*@stable | 3.6.*@stable | 3.5.*@stable | 3.4.*@stable | 3.3.*@stable | 3.2.*@stable | 3.1.*@stable | 2.2.*@stable | 2.1.*@stable | 1.11.*@stable | 1.12.*@stable",
                "bower-asset/punycode": "1.3.* | 2.2.*",
                "bower-asset/yii2-pjax": "~2.0.1",
                "cebe/markdown": "~1.0.0 | ~1.1.0 | ~1.2.0",
                "ext-ctype": "*",
                "ext-mbstring": "*",
                "ezyang/htmlpurifier": "^4.6",
                "lib-pcre": "*",
                "paragonie/random_compat": ">=1",
                "php": ">=5.4.0",
                "yiisoft/yii2-composer": "~2.0.4"
            },
            "bin": [
                "yii"
            ],
            "type": "library",
            "extra": {
                "branch-alias": {
                    "dev-master": "2.0.x-dev"
                }
            },
            "autoload": {
                "psr-4": {
                    "yii\\": ""
                }
            },
            "notification-url": "https://packagist.org/downloads/",
            "license": [
                "BSD-3-Clause"
            ],
            "authors": [
                {
                    "name": "Qiang Xue",
                    "email": "[email protected]",
                    "homepage": "https://www.yiiframework.com/",
                    "role": "Founder and project lead"
                },
                {
                    "name": "Alexander Makarov",
                    "email": "[email protected]",
                    "homepage": "https://rmcreative.ru/",
                    "role": "Core framework development"
                },
                {
                    "name": "Maurizio Domba",
                    "homepage": "http://mdomba.info/",
                    "role": "Core framework development"
                },
                {
                    "name": "Carsten Brandt",
                    "email": "[email protected]",
                    "homepage": "https://www.cebe.cc/",
                    "role": "Core framework development"
                },
                {
                    "name": "Timur Ruziev",
                    "email": "[email protected]",
                    "homepage": "http://resurtm.com/",
                    "role": "Core framework development"
                },
                {
                    "name": "Paul Klimov",
                    "email": "[email protected]",
                    "role": "Core framework development"
                },
                {
                    "name": "Dmitry Naumenko",
                    "email": "[email protected]",
                    "role": "Core framework development"
                },
                {
                    "name": "Boudewijn Vahrmeijer",
                    "email": "[email protected]",
                    "homepage": "http://dynasource.eu",
                    "role": "Core framework development"
                }
            ],
            "description": "Yii PHP Framework Version 2",
            "homepage": "https://www.yiiframework.com/",
            "keywords": [
                "framework",
                "yii2"
            ],
            "support": {
                "forum": "https://forum.yiiframework.com/",
                "irc": "ircs://irc.libera.chat:6697/yii",
                "issues": "https://github.com/yiisoft/yii2/issues?state=open",
                "source": "https://github.com/yiisoft/yii2",
                "wiki": "https://www.yiiframework.com/wiki"
            },
            "funding": [
                {
                    "url": "https://github.com/yiisoft",
                    "type": "github"
                },
                {
                    "url": "https://opencollective.com/yiisoft",
                    "type": "open_collective"
                },
                {
                    "url": "https://tidelift.com/funding/github/packagist/yiisoft/yii2",
                    "type": "tidelift"
                }
            ],
            "time": "2023-10-12T15:46:26+00:00"
        },
        {
            "name": "yiisoft/yii2-composer",
            "version": "2.0.10",
            "source": {
                "type": "git",
                "url": "https://github.com/yiisoft/yii2-composer.git",
                "reference": "94bb3f66e779e2774f8776d6e1bdeab402940510"
            },
            "dist": {
                "type": "zip",
                "url": "https://api.github.com/repos/yiisoft/yii2-composer/zipball/94bb3f66e779e2774f8776d6e1bdeab402940510",
                "reference": "94bb3f66e779e2774f8776d6e1bdeab402940510",
                "shasum": ""
            },
            "require": {
                "composer-plugin-api": "^1.0 | ^2.0"
            },
            "require-dev": {
                "composer/composer": "^1.0 | ^2.0@dev",
                "phpunit/phpunit": "<7"
            },
            "type": "composer-plugin",
            "extra": {
                "class": "yii\\composer\\Plugin",
                "branch-alias": {
                    "dev-master": "2.0.x-dev"
                }
            },
            "autoload": {
                "psr-4": {
                    "yii\\composer\\": ""
                }
            },
            "notification-url": "https://packagist.org/downloads/",
            "license": [
                "BSD-3-Clause"
            ],
            "authors": [
                {
                    "name": "Qiang Xue",
                    "email": "[email protected]"
                },
                {
                    "name": "Carsten Brandt",
                    "email": "[email protected]"
                }
            ],
            "description": "The composer plugin for Yii extension installer",
            "keywords": [
                "composer",
                "extension installer",
                "yii2"
            ],
            "support": {
                "forum": "http://www.yiiframework.com/forum/",
                "irc": "irc://irc.freenode.net/yii",
                "issues": "https://github.com/yiisoft/yii2-composer/issues",
                "source": "https://github.com/yiisoft/yii2-composer",
                "wiki": "http://www.yiiframework.com/wiki/"
            },
            "funding": [
                {
                    "url": "https://github.com/yiisoft",
                    "type": "github"
                },
                {
                    "url": "https://opencollective.com/yiisoft",
                    "type": "open_collective"
                },
                {
                    "url": "https://tidelift.com/funding/github/packagist/yiisoft/yii2-composer",
                    "type": "tidelift"
                }
            ],
            "time": "2020-06-24T00:04:01+00:00"
        }
    ],
    "packages-dev": [],
    "aliases": [],
    "minimum-stability": "stable",
    "stability-flags": [],
    "prefer-stable": false,
    "prefer-lowest": false,
    "platform": [],
    "platform-dev": [],
    "plugin-api-version": "2.6.0"
}

Commands to generate SBOMs:

CDXGEN_DEBUG_MODE=debug cdxgen --output cdxgen.json .
syft -o cyclonedx-json composer.lock > syft.json

Generated cdxgen.json SBOM:

{
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"serialNumber": "urn:uuid:f108f84c-51a3-4f75-84ae-27eaf31d1390",
"version": 1,
"metadata": {
 "timestamp": "2024-08-06T22:07:01Z",
 "tools": {
   "components": [
     {
       "group": "@cyclonedx",
       "name": "cdxgen",
       "version": "10.8.1",
       "purl": "pkg:npm/%40cyclonedx/cdxgen@10.8.1",
       "type": "application",
       "bom-ref": "pkg:npm/@cyclonedx/cdxgen@10.8.1",
       "author": "OWASP Foundation",
       "publisher": "OWASP Foundation"
     }
   ]
 },
 "authors": [
   {
     "name": "OWASP Foundation"
   }
 ],
 "lifecycles": [
   {
     "phase": "build"
   }
 ],
 "component": {
   "group": "example",
   "name": "php_sbom_issue",
   "type": "application",
   "version": "latest",
   "bom-ref": "pkg:composer/example/php_sbom_issue@latest",
   "purl": "pkg:composer/example/php_sbom_issue%40latest",
   "components": [
     {
       "group": "",
       "name": "composer_issue",
       "version": "latest",
       "type": "application",
       "bom-ref": "pkg:gem/composer_issue@latest",
       "purl": "pkg:gem/composer_issue@latest"
     }
   ]
 },
 "properties": [
   {
     "name": "cdx:bom:componentTypes",
     "value": "composer"
   },
   {
     "name": "cdx:bom:componentNamespaces",
     "value": "bower-asset\\ncebe\\nezyang\\nparagonie\\nyiisoft"
   }
 ]
},
"components": [
 {
   "group": "bower-asset",
   "name": "inputmask",
   "version": "5.0.9",
   "scope": "required",
   "licenses": [
     {
       "license": {
         "id": "MIT",
         "url": "http://opensource.org/licenses/mit-license.php"
       }
     }
   ],
    "purl": "pkg:composer/bower-asset/inputmask@5.0.9",
   "externalReferences": [
     {
       "type": "vcs",
       "url": "https://github.com/RobinHerbots/Inputmask.git"
     }
   ],
   "type": "library",
    "bom-ref": "pkg:composer/bower-asset/inputmask@5.0.9",
   "evidence": {
     "identity": {
       "field": "purl",
       "confidence": 1,
       "methods": [
         {
           "technique": "manifest-analysis",
           "confidence": 1,
           "value": "/Users/yuri/dev/composer_issue/composer.lock"
         }
       ]
     }
   },
   "properties": [
     {
       "name": "SrcFile",
       "value": "/Users/yuri/dev/composer_issue/composer.lock"
     }
   ]
 },
 {
   "group": "bower-asset",
   "name": "jquery",
   "version": "3.7.1",
   "scope": "required",
   "licenses": [
     {
       "license": {
         "id": "MIT",
         "url": "https://opensource.org/licenses/MIT"
       }
     }
   ],
    "purl": "pkg:composer/bower-asset/jquery@3.7.1",
   "externalReferences": [
     {
       "type": "vcs",
       "url": "https://github.com/jquery/jquery-dist.git"
     }
   ],
   "type": "framework",
    "bom-ref": "pkg:composer/bower-asset/jquery@3.7.1",
   "evidence": {
     "identity": {
       "field": "purl",
       "confidence": 1,
       "methods": [
         {
           "technique": "manifest-analysis",
           "confidence": 1,
           "value": "/Users/yuri/dev/composer_issue/composer.lock"
         }
       ]
     }
   },
   "properties": [
     {
       "name": "SrcFile",
       "value": "/Users/yuri/dev/composer_issue/composer.lock"
     }
   ]
 },
 {
   "group": "bower-asset",
   "name": "punycode",
   "version": "v2.2.3",
   "scope": "required",
    "purl": "pkg:composer/bower-asset/punycode@v2.2.3",
   "externalReferences": [
     {
       "type": "vcs",
       "url": "https://github.com/mathiasbynens/punycode.js.git"
     }
   ],
   "type": "library",
    "bom-ref": "pkg:composer/bower-asset/punycode@v2.2.3",
   "evidence": {
     "identity": {
       "field": "purl",
       "confidence": 1,
       "methods": [
         {
           "technique": "manifest-analysis",
           "confidence": 1,
           "value": "/Users/yuri/dev/composer_issue/composer.lock"
         }
       ]
     }
   },
   "properties": [
     {
       "name": "SrcFile",
       "value": "/Users/yuri/dev/composer_issue/composer.lock"
     }
   ]
 },
 {
   "group": "bower-asset",
   "name": "yii2-pjax",
   "version": "2.0.8",
   "scope": "required",
   "licenses": [
     {
       "license": {
         "id": "MIT",
         "url": "https://opensource.org/licenses/MIT"
       }
     }
   ],
    "purl": "pkg:composer/bower-asset/yii2-pjax@2.0.8",
   "type": "library",
    "bom-ref": "pkg:composer/bower-asset/yii2-pjax@2.0.8",
   "evidence": {
     "identity": {
       "field": "purl",
       "confidence": 1,
       "methods": [
         {
           "technique": "manifest-analysis",
           "confidence": 1,
           "value": "/Users/yuri/dev/composer_issue/composer.lock"
         }
       ]
     }
   },
   "properties": [
     {
       "name": "SrcFile",
       "value": "/Users/yuri/dev/composer_issue/composer.lock"
     }
   ]
 },
 {
   "group": "cebe",
   "name": "markdown",
   "version": "1.2.1",
   "description": "A super fast, highly extensible markdown parser for PHP",
   "scope": "required",
   "licenses": [
     {
       "license": {
         "id": "MIT",
         "url": "https://opensource.org/licenses/MIT"
       }
     }
   ],
    "purl": "pkg:composer/cebe/markdown@1.2.1",
   "externalReferences": [
     {
       "type": "vcs",
       "url": "https://github.com/cebe/markdown.git"
     }
   ],
   "type": "library",
    "bom-ref": "pkg:composer/cebe/markdown@1.2.1",
   "evidence": {
     "identity": {
       "field": "purl",
       "confidence": 1,
       "methods": [
         {
           "technique": "manifest-analysis",
           "confidence": 1,
           "value": "/Users/yuri/dev/composer_issue/composer.lock"
         }
       ]
     }
   },
   "properties": [
     {
       "name": "SrcFile",
       "value": "/Users/yuri/dev/composer_issue/composer.lock"
     },
     {
       "name": "Namespaces",
       "value": "cebe\\markdown\\"
     }
   ]
 },
 {
   "group": "ezyang",
   "name": "htmlpurifier",
   "version": "v4.17.0",
   "description": "Standards compliant HTML filter written in PHP",
   "scope": "required",
   "licenses": [
     {
       "license": {
         "id": "LGPL-2.1-or-later",
         "url": "https://opensource.org/licenses/LGPL-2.1-or-later"
       }
     }
   ],
    "purl": "pkg:composer/ezyang/htmlpurifier@v4.17.0",
   "externalReferences": [
     {
       "type": "vcs",
       "url": "https://github.com/ezyang/htmlpurifier.git"
     }
   ],
   "type": "library",
    "bom-ref": "pkg:composer/ezyang/htmlpurifier@v4.17.0",
   "evidence": {
     "identity": {
       "field": "purl",
       "confidence": 1,
       "methods": [
         {
           "technique": "manifest-analysis",
           "confidence": 1,
           "value": "/Users/yuri/dev/composer_issue/composer.lock"
         }
       ]
     }
   },
   "properties": [
     {
       "name": "SrcFile",
       "value": "/Users/yuri/dev/composer_issue/composer.lock"
     },
     {
       "name": "Namespaces",
       "value": "HTMLPurifier"
     }
   ]
 },
 {
   "group": "paragonie",
   "name": "random_compat",
   "version": "v9.99.100",
   "description": "PHP 5.x polyfill for random_bytes() and random_int() from PHP 7",
   "scope": "required",
   "licenses": [
     {
       "license": {
         "id": "MIT",
         "url": "https://opensource.org/licenses/MIT"
       }
     }
   ],
    "purl": "pkg:composer/paragonie/random_compat@v9.99.100",
   "externalReferences": [
     {
       "type": "vcs",
       "url": "https://github.com/paragonie/random_compat.git"
     }
   ],
   "type": "library",
    "bom-ref": "pkg:composer/paragonie/random_compat@v9.99.100",
   "evidence": {
     "identity": {
       "field": "purl",
       "confidence": 1,
       "methods": [
         {
           "technique": "manifest-analysis",
           "confidence": 1,
           "value": "/Users/yuri/dev/composer_issue/composer.lock"
         }
       ]
     }
   },
   "properties": [
     {
       "name": "SrcFile",
       "value": "/Users/yuri/dev/composer_issue/composer.lock"
     }
   ]
 },
 {
   "group": "yiisoft",
   "name": "yii2",
   "version": "2.0.49.2",
   "description": "Yii PHP Framework Version 2",
   "scope": "required",
   "licenses": [
     {
       "license": {
         "id": "BSD-3-Clause",
         "url": "https://opensource.org/licenses/BSD-3-Clause"
       }
     }
   ],
    "purl": "pkg:composer/yiisoft/yii2@2.0.49.2",
   "externalReferences": [
     {
       "type": "vcs",
       "url": "https://github.com/yiisoft/yii2-framework.git"
     }
   ],
   "type": "framework",
    "bom-ref": "pkg:composer/yiisoft/yii2@2.0.49.2",
   "evidence": {
     "identity": {
       "field": "purl",
       "confidence": 1,
       "methods": [
         {
           "technique": "manifest-analysis",
           "confidence": 1,
           "value": "/Users/yuri/dev/composer_issue/composer.lock"
         }
       ]
     }
   },
   "properties": [
     {
       "name": "SrcFile",
       "value": "/Users/yuri/dev/composer_issue/composer.lock"
     },
     {
       "name": "Namespaces",
       "value": "yii\\"
     }
   ]
 },
 {
   "group": "yiisoft",
   "name": "yii2-composer",
   "version": "2.0.10",
   "description": "The composer plugin for Yii extension installer",
   "scope": "required",
   "licenses": [
     {
       "license": {
         "id": "BSD-3-Clause",
         "url": "https://opensource.org/licenses/BSD-3-Clause"
       }
     }
   ],
    "purl": "pkg:composer/yiisoft/yii2-composer@2.0.10",
   "externalReferences": [
     {
       "type": "vcs",
       "url": "https://github.com/yiisoft/yii2-composer.git"
     }
   ],
   "type": "framework",
    "bom-ref": "pkg:composer/yiisoft/yii2-composer@2.0.10",
   "evidence": {
     "identity": {
       "field": "purl",
       "confidence": 1,
       "methods": [
         {
           "technique": "manifest-analysis",
           "confidence": 1,
           "value": "/Users/yuri/dev/composer_issue/composer.lock"
         }
       ]
     }
   },
   "properties": [
     {
       "name": "SrcFile",
       "value": "/Users/yuri/dev/composer_issue/composer.lock"
     },
     {
       "name": "Namespaces",
       "value": "yii\\composer\\"
     }
   ]
 }
],
"services": [],
"dependencies": [
 {
   "ref": "pkg:composer/example/php_sbom_issue@latest",
   "dependsOn": [
      "pkg:composer/yiisoft/yii2@2.0.49.2"
   ]
 },
 {
    "ref": "pkg:composer/bower-asset/inputmask@5.0.9",
    "dependsOn": [
      "pkg:composer/bower-asset/jquery@3.7.1"
   ]
 },
 {
    "ref": "pkg:composer/bower-asset/jquery@3.7.1",
   "dependsOn": []
 },
 {
    "ref": "pkg:composer/bower-asset/punycode@v2.2.3",
   "dependsOn": []
 },
 {
    "ref": "pkg:composer/bower-asset/yii2-pjax@2.0.8",
    "dependsOn": [
      "pkg:composer/bower-asset/jquery@3.7.1"
   ]
 },
 {
    "ref": "pkg:composer/cebe/markdown@1.2.1",
   "dependsOn": []
 },
 {
    "ref": "pkg:composer/ezyang/htmlpurifier@v4.17.0",
   "dependsOn": []
 },
 {
    "ref": "pkg:composer/paragonie/random_compat@v9.99.100",
   "dependsOn": []
 },
 {
    "ref": "pkg:composer/yiisoft/yii2@2.0.49.2",
    "dependsOn": [
      "pkg:composer/bower-asset/inputmask@5.0.9",
      "pkg:composer/bower-asset/jquery@3.7.1",
      "pkg:composer/bower-asset/punycode@v2.2.3",
      "pkg:composer/bower-asset/yii2-pjax@2.0.8",
      "pkg:composer/cebe/markdown@1.2.1",
      "pkg:composer/ezyang/htmlpurifier@v4.17.0",
      "pkg:composer/paragonie/random_compat@v9.99.100",
      "pkg:composer/yiisoft/yii2-composer@2.0.10"
   ]
 },
 {
    "ref": "pkg:composer/yiisoft/yii2-composer@2.0.10",
   "dependsOn": []
 }
]
}

Generated syft.json SBOM:

{
"$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.6",
"serialNumber": "urn:uuid:93dd2a98-ace9-48b4-8a3d-f9c21b6f5925",
"version": 1,
"metadata": {
  "timestamp": "2024-08-07T01:07:10+03:00",
  "tools": {
    "components": [
      {
        "type": "application",
        "author": "anchore",
        "name": "syft",
        "version": "1.9.0"
      }
    ]
  },
  "component": {
    "bom-ref": "280526f80efd5b66",
    "type": "file",
    "name": "composer.lock",
    "version": "sha256:fa49da4efa632d3f4871a5faaf2b891adddcb25024d480decb71cb7921139eb7"
  }
},
"components": [
  {
    "bom-ref": "pkg:composer/bower-asset/[email protected]?package-id=f8aba670d7b79f5d",
    "type": "library",
    "name": "bower-asset/inputmask",
    "version": "5.0.9",
    "licenses": [
      {
        "license": {
          "name": "http://opensource.org/licenses/mit-license.php"
        }
      }
    ],
    "cpe": "cpe:2.3:a:bower-asset\\/inputmask:bower-asset\\/inputmask:5.0.9:*:*:*:*:*:*:*",
    "purl": "pkg:composer/bower-asset/[email protected]",
    "properties": [
      {
        "name": "syft:package:foundBy",
        "value": "php-composer-lock-cataloger"
      },
      {
        "name": "syft:package:language",
        "value": "php"
      },
      {
        "name": "syft:package:type",
        "value": "php-composer"
      },
      {
        "name": "syft:package:metadataType",
        "value": "php-composer-lock-entry"
      },
      {
        "name": "syft:cpe23",
        "value": "cpe:2.3:a:bower-asset\\/inputmask:bower_asset\\/inputmask:5.0.9:*:*:*:*:*:*:*"
      },
      {
        "name": "syft:cpe23",
        "value": "cpe:2.3:a:bower_asset\\/inputmask:bower-asset\\/inputmask:5.0.9:*:*:*:*:*:*:*"
      },
      {
        "name": "syft:cpe23",
        "value": "cpe:2.3:a:bower_asset\\/inputmask:bower_asset\\/inputmask:5.0.9:*:*:*:*:*:*:*"
      },
      {
        "name": "syft:cpe23",
        "value": "cpe:2.3:a:bower:bower-asset\\/inputmask:5.0.9:*:*:*:*:*:*:*"
      },
      {
        "name": "syft:cpe23",
        "value": "cpe:2.3:a:bower:bower_asset\\/inputmask:5.0.9:*:*:*:*:*:*:*"
      },
      {
        "name": "syft:location:0:path",
        "value": "/composer.lock"
      }
    ]
  },
  {
    "bom-ref": "pkg:composer/bower-asset/[email protected]?package-id=c88c3e90f3660303",
    "type": "library",
    "name": "bower-asset/jquery",
    "version": "3.7.1",
    "licenses": [
      {
        "license": {
          "id": "MIT"
        }
      }
    ],
    "cpe": "cpe:2.3:a:bower-asset\\/jquery:bower-asset\\/jquery:3.7.1:*:*:*:*:*:*:*",
    "purl": "pkg:composer/bower-asset/[email protected]",
    "properties": [
      {
        "name": "syft:package:foundBy",
        "value": "php-composer-lock-cataloger"
      },
      {
        "name": "syft:package:language",
        "value": "php"
      },
      {
        "name": "syft:package:type",
        "value": "php-composer"
      },
      {
        "name": "syft:package:metadataType",
        "value": "php-composer-lock-entry"
      },
      {
        "name": "syft:cpe23",
        "value": "cpe:2.3:a:bower-asset\\/jquery:bower_asset\\/jquery:3.7.1:*:*:*:*:*:*:*"
      },
      {
        "name": "syft:cpe23",
        "value": "cpe:2.3:a:bower_asset\\/jquery:bower-asset\\/jquery:3.7.1:*:*:*:*:*:*:*"
      },
      {
        "name": "syft:cpe23",
        "value": "cpe:2.3:a:bower_asset\\/jquery:bower_asset\\/jquery:3.7.1:*:*:*:*:*:*:*"
      },
      {
        "name": "syft:cpe23",
        "value": "cpe:2.3:a:bower:bower-asset\\/jquery:3.7.1:*:*:*:*:*:*:*"
      },
      {
        "name": "syft:cpe23",
        "value": "cpe:2.3:a:bower:bower_asset\\/jquery:3.7.1:*:*:*:*:*:*:*"
      },
      {
        "name": "syft:location:0:path",
        "value": "/composer.lock"
      }
    ]
  },
  {
    "bom-ref": "pkg:composer/bower-asset/[email protected]?package-id=9852900b72cb9bf9",
    "type": "library",
    "name": "bower-asset/punycode",
    "version": "v2.2.3",
    "cpe": "cpe:2.3:a:bower-asset\\/punycode:bower-asset\\/punycode:v2.2.3:*:*:*:*:*:*:*",
    "purl": "pkg:composer/bower-asset/[email protected]",
    "properties": [
      {
        "name": "syft:package:foundBy",
        "value": "php-composer-lock-cataloger"
      },
      {
        "name": "syft:package:language",
        "value": "php"
      },
      {
        "name": "syft:package:type",
        "value": "php-composer"
      },
      {
        "name": "syft:package:metadataType",
        "value": "php-composer-lock-entry"
      },
      {
        "name": "syft:cpe23",
        "value": "cpe:2.3:a:bower-asset\\/punycode:bower_asset\\/punycode:v2.2.3:*:*:*:*:*:*:*"
      },
      {
        "name": "syft:cpe23",
        "value": "cpe:2.3:a:bower_asset\\/punycode:bower-asset\\/punycode:v2.2.3:*:*:*:*:*:*:*"
      },
      {
        "name": "syft:cpe23",
        "value": "cpe:2.3:a:bower_asset\\/punycode:bower_asset\\/punycode:v2.2.3:*:*:*:*:*:*:*"
      },
      {
        "name": "syft:cpe23",
        "value": "cpe:2.3:a:bower:bower-asset\\/punycode:v2.2.3:*:*:*:*:*:*:*"
      },
      {
        "name": "syft:cpe23",
        "value": "cpe:2.3:a:bower:bower_asset\\/punycode:v2.2.3:*:*:*:*:*:*:*"
      },
      {
        "name": "syft:location:0:path",
        "value": "/composer.lock"
      }
    ]
  },
  {
    "bom-ref": "pkg:composer/bower-asset/[email protected]?package-id=3678ef28348a125a",
    "type": "library",
    "name": "bower-asset/yii2-pjax",
    "version": "2.0.8",
    "licenses": [
      {
        "license": {
          "id": "MIT"
        }
      }
    ],
    "cpe": "cpe:2.3:a:bower-asset\\/yii2-pjax:bower-asset\\/yii2-pjax:2.0.8:*:*:*:*:*:*:*",
    "purl": "pkg:composer/bower-asset/[email protected]",
    "properties": [
      {
        "name": "syft:package:foundBy",
        "value": "php-composer-lock-cataloger"
      },
      {
        "name": "syft:package:language",
        "value": "php"
      },
      {
        "name": "syft:package:type",
        "value": "php-composer"
      },
      {
        "name": "syft:package:metadataType",
        "value": "php-composer-lock-entry"
      },
      {
        "name": "syft:cpe23",
        "value": "cpe:2.3:a:bower-asset\\/yii2-pjax:bower_asset\\/yii2_pjax:2.0.8:*:*:*:*:*:*:*"
      },
      {
        "name": "syft:cpe23",
        "value": "cpe:2.3:a:bower_asset\\/yii2_pjax:bower-asset\\/yii2-pjax:2.0.8:*:*:*:*:*:*:*"
      },
      {
        "name": "syft:cpe23",
        "value": "cpe:2.3:a:bower_asset\\/yii2_pjax:bower_asset\\/yii2_pjax:2.0.8:*:*:*:*:*:*:*"
      },
      {
        "name": "syft:cpe23",
        "value": "cpe:2.3:a:bower-asset\\/yii2:bower-asset\\/yii2-pjax:2.0.8:*:*:*:*:*:*:*"
      },
      {
        "name": "syft:cpe23",
        "value": "cpe:2.3:a:bower-asset\\/yii2:bower_asset\\/yii2_pjax:2.0.8:*:*:*:*:*:*:*"
      },
      {
        "name": "syft:cpe23",
        "value": "cpe:2.3:a:bower_asset\\/yii2:bower-asset\\/yii2-pjax:2.0.8:*:*:*:*:*:*:*"
      },
      {
        "name": "syft:cpe23",
        "value": "cpe:2.3:a:bower_asset\\/yii2:bower_asset\\/yii2_pjax:2.0.8:*:*:*:*:*:*:*"
      },
      {
        "name": "syft:cpe23",
        "value": "cpe:2.3:a:bower:bower-asset\\/yii2-pjax:2.0.8:*:*:*:*:*:*:*"
      },
      {
        "name": "syft:cpe23",
        "value": "cpe:2.3:a:bower:bower_asset\\/yii2_pjax:2.0.8:*:*:*:*:*:*:*"
      },
      {
        "name": "syft:location:0:path",
        "value": "/composer.lock"
      }
    ]
  },
  {
    "bom-ref": "pkg:composer/cebe/[email protected]?package-id=56cffb7a90fbdc65",
    "type": "library",
    "name": "cebe/markdown",
    "version": "1.2.1",
    "licenses": [
      {
        "license": {
          "id": "MIT"
        }
      }
    ],
    "cpe": "cpe:2.3:a:cebe\\/markdown:cebe\\/markdown:1.2.1:*:*:*:*:*:*:*",
    "purl": "pkg:composer/cebe/[email protected]",
    "properties": [
      {
        "name": "syft:package:foundBy",
        "value": "php-composer-lock-cataloger"
      },
      {
        "name": "syft:package:language",
        "value": "php"
      },
      {
        "name": "syft:package:type",
        "value": "php-composer"
      },
      {
        "name": "syft:package:metadataType",
        "value": "php-composer-lock-entry"
      },
      {
        "name": "syft:location:0:path",
        "value": "/composer.lock"
      }
    ]
  },
  {
    "bom-ref": "pkg:composer/ezyang/[email protected]?package-id=1a01f1ab7bc76032",
    "type": "library",
    "name": "ezyang/htmlpurifier",
    "version": "v4.17.0",
    "licenses": [
      {
        "license": {
          "id": "LGPL-2.1-or-later"
        }
      }
    ],
    "cpe": "cpe:2.3:a:ezyang\\/htmlpurifier:ezyang\\/htmlpurifier:v4.17.0:*:*:*:*:*:*:*",
    "purl": "pkg:composer/ezyang/[email protected]",
    "properties": [
      {
        "name": "syft:package:foundBy",
        "value": "php-composer-lock-cataloger"
      },
      {
        "name": "syft:package:language",
        "value": "php"
      },
      {
        "name": "syft:package:type",
        "value": "php-composer"
      },
      {
        "name": "syft:package:metadataType",
        "value": "php-composer-lock-entry"
      },
      {
        "name": "syft:location:0:path",
        "value": "/composer.lock"
      }
    ]
  },
  {
    "bom-ref": "pkg:composer/paragonie/[email protected]?package-id=dc7a937336b89997",
    "type": "library",
    "name": "paragonie/random_compat",
    "version": "v9.99.100",
    "licenses": [
      {
        "license": {
          "id": "MIT"
        }
      }
    ],
    "cpe": "cpe:2.3:a:paragonie\\/random-compat:paragonie\\/random-compat:v9.99.100:*:*:*:*:*:*:*",
    "purl": "pkg:composer/paragonie/[email protected]",
    "properties": [
      {
        "name": "syft:package:foundBy",
        "value": "php-composer-lock-cataloger"
      },
      {
        "name": "syft:package:language",
        "value": "php"
      },
      {
        "name": "syft:package:type",
        "value": "php-composer"
      },
      {
        "name": "syft:package:metadataType",
        "value": "php-composer-lock-entry"
      },
      {
        "name": "syft:cpe23",
        "value": "cpe:2.3:a:paragonie\\/random-compat:paragonie\\/random_compat:v9.99.100:*:*:*:*:*:*:*"
      },
      {
        "name": "syft:cpe23",
        "value": "cpe:2.3:a:paragonie\\/random_compat:paragonie\\/random-compat:v9.99.100:*:*:*:*:*:*:*"
      },
      {
        "name": "syft:cpe23",
        "value": "cpe:2.3:a:paragonie\\/random_compat:paragonie\\/random_compat:v9.99.100:*:*:*:*:*:*:*"
      },
      {
        "name": "syft:cpe23",
        "value": "cpe:2.3:a:paragonie\\/random:paragonie\\/random-compat:v9.99.100:*:*:*:*:*:*:*"
      },
      {
        "name": "syft:cpe23",
        "value": "cpe:2.3:a:paragonie\\/random:paragonie\\/random_compat:v9.99.100:*:*:*:*:*:*:*"
      },
      {
        "name": "syft:location:0:path",
        "value": "/composer.lock"
      }
    ]
  },
  {
    "bom-ref": "pkg:composer/yiisoft/[email protected]?package-id=69ac11cfcc2cf90c",
    "type": "library",
    "name": "yiisoft/yii2",
    "version": "2.0.49.2",
    "licenses": [
      {
        "license": {
          "id": "BSD-3-Clause"
        }
      }
    ],
    "cpe": "cpe:2.3:a:yiisoft\\/yii2:yiisoft\\/yii2:2.0.49.2:*:*:*:*:*:*:*",
    "purl": "pkg:composer/yiisoft/[email protected]",
    "properties": [
      {
        "name": "syft:package:foundBy",
        "value": "php-composer-lock-cataloger"
      },
      {
        "name": "syft:package:language",
        "value": "php"
      },
      {
        "name": "syft:package:type",
        "value": "php-composer"
      },
      {
        "name": "syft:package:metadataType",
        "value": "php-composer-lock-entry"
      },
      {
        "name": "syft:location:0:path",
        "value": "/composer.lock"
      }
    ]
  },
  {
    "bom-ref": "pkg:composer/yiisoft/[email protected]?package-id=9e649fc0c2007f55",
    "type": "library",
    "name": "yiisoft/yii2-composer",
    "version": "2.0.10",
    "licenses": [
      {
        "license": {
          "id": "BSD-3-Clause"
        }
      }
    ],
    "cpe": "cpe:2.3:a:yiisoft\\/yii2-composer:yiisoft\\/yii2-composer:2.0.10:*:*:*:*:*:*:*",
    "purl": "pkg:composer/yiisoft/[email protected]",
    "properties": [
      {
        "name": "syft:package:foundBy",
        "value": "php-composer-lock-cataloger"
      },
      {
        "name": "syft:package:language",
        "value": "php"
      },
      {
        "name": "syft:package:type",
        "value": "php-composer"
      },
      {
        "name": "syft:package:metadataType",
        "value": "php-composer-lock-entry"
      },
      {
        "name": "syft:cpe23",
        "value": "cpe:2.3:a:yiisoft\\/yii2-composer:yiisoft\\/yii2_composer:2.0.10:*:*:*:*:*:*:*"
      },
      {
        "name": "syft:cpe23",
        "value": "cpe:2.3:a:yiisoft\\/yii2_composer:yiisoft\\/yii2-composer:2.0.10:*:*:*:*:*:*:*"
      },
      {
        "name": "syft:cpe23",
        "value": "cpe:2.3:a:yiisoft\\/yii2_composer:yiisoft\\/yii2_composer:2.0.10:*:*:*:*:*:*:*"
      },
      {
        "name": "syft:cpe23",
        "value": "cpe:2.3:a:yiisoft\\/yii2:yiisoft\\/yii2-composer:2.0.10:*:*:*:*:*:*:*"
      },
      {
        "name": "syft:cpe23",
        "value": "cpe:2.3:a:yiisoft\\/yii2:yiisoft\\/yii2_composer:2.0.10:*:*:*:*:*:*:*"
      },
      {
        "name": "syft:location:0:path",
        "value": "/composer.lock"
      }
    ]
  }
]
}

Anything else we need to know?:

  • It looks like the significant difference between SBOMs is that cdxgen splits the name and group:

     "group": "yiisoft",
     "name": "yii2",
     "version": "2.0.49.2",

    OTOH, Syft doesn't:

     "name": "yiisoft/yii2",
     "version": "2.0.49.2",

  • Other scanners (osv-scanner, Trivy, composer audit) detect only Yii2 vulns in composer.lock.

Environment:

  • Output of grype version:
Application:         grype
Version:             0.79.4
BuildDate:           2024-07-31T15:05:32Z
GitCommit:           brew
GitDescription:      [not provided]
Platform:            darwin/arm64
GoVersion:           go1.22.5
Compiler:            gc
Syft Version:        v1.10.0
Supported DB Schema: 5
  • cdxgen version: 10.8.1.
  • OS: macOS.
@metametadata metametadata added the bug Something isn't working label Aug 6, 2024
@metametadata
Author

Looks related: anchore/syft#1202, anchore/syft#2981.

@metametadata
Author

It looks like the significant difference between SBOMs is that cdxgen splits the name and group:

I see a similar problem with SBOMs generated from pnpm-lock.yaml.

SBOM by cdxgen:

      "group": "@colors",
      "name": "colors",
      "version": "1.5.0",

SBOM by Syft:

      "name": "@colors/colors",
      "version": "1.5.0",

This leads to a false positive GHSA-gh88-3pxp-6fm8 when scanning cdxgen's SBOM:

NAME    INSTALLED  FIXED-IN  TYPE  VULNERABILITY        SEVERITY
colors  1.5.0                npm   GHSA-gh88-3pxp-6fm8  High
