Closed
Labels: enhancement (New feature or request)
Description
What happened:
Seems after the code changes from Merge the .NET deps.json and PE binary catalogers #3563 and #3563, as I reported in #3707, the binaries are not even being discovered. So the SBOM is now technically empty.
What you expected to happen:
I would expect to see the SBOM output similar to before the fix but with the correct values for bom-ref and purl.
Steps to reproduce the issue:
```
syft -o spdx-json libxml2.dll |jq .
 ✔ Indexed file system                                         libxml2.dll
 ✔ Cataloged contents                                          62f848a2d187bb4f995aa738b2ccd8b4c4298e0b1c1bea080bb7acc6f651ea3d
   ├── ✔ Packages                        [1 packages]
   ├── ✔ File digests                    [1 files]
   ├── ✔ File metadata                   [1 locations]
   └── ✔ Executables                     [1 executables]
{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "libxml2.dll",
  "documentNamespace": "https://anchore.com/syft/file/libxml2.dll-fd8ad11b-79e5-4374-8c20-a9c396865ac3",
  "creationInfo": {
    "licenseListVersion": "3.25",
    "creators": [
      "Organization: Anchore, Inc",
      "Tool: syft-1.20.0"
    ],
    "created": "2025-03-04T18:44:38Z"
  },
  "packages": [
    {
      "name": "libxml2",
      "SPDXID": "SPDXRef-Package-dotnet-libxml2-33aabfd1f10e2851",
      "versionInfo": "2.13.5",
      "supplier": "NOASSERTION",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "sourceInfo": "acquired package info from dotnet project assets file: /libxml2.dll",
      "licenseConcluded": "NOASSERTION",
      "licenseDeclared": "NOASSERTION",
      "copyrightText": "NOASSERTION",
      "externalRefs": [
        {
          "referenceCategory": "SECURITY",
          "referenceType": "cpe23Type",
          "referenceLocator": "cpe:2.3:a:libxml2:libxml2:2.13.5:*:*:*:*:*:*:*"
        },
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:nuget/libxml2@2.13.5"
        }
      ]
    },
    {
      "name": "libxml2.dll",
      "SPDXID": "SPDXRef-DocumentRoot-File-libxml2.dll",
      "versionInfo": "sha256:c33b878ebf18a580f77e1dd4dd07221bccbda2dd6593249cefec0dd36704a5ab",
      "supplier": "NOASSERTION",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "checksums": [
        {
          "algorithm": "SHA256",
          "checksumValue": "c33b878ebf18a580f77e1dd4dd07221bccbda2dd6593249cefec0dd36704a5ab"
        }
      ],
      "licenseConcluded": "NOASSERTION",
      "licenseDeclared": "NOASSERTION",
      "copyrightText": "NOASSERTION",
      "primaryPackagePurpose": "FILE"
    }
  ],
  "files": [
    {
      "fileName": "libxml2.dll",
      "SPDXID": "SPDXRef-File-libxml2.dll-4ffa5ca3ddd8ad9b",
      "fileTypes": [
        "APPLICATION",
        "BINARY"
      ],
      "checksums": [
        {
          "algorithm": "SHA1",
          "checksumValue": "ebcb673b6bd139b1a0247b4f1aed893a5ed48741"
        },
        {
          "algorithm": "SHA256",
          "checksumValue": "c33b878ebf18a580f77e1dd4dd07221bccbda2dd6593249cefec0dd36704a5ab"
        }
      ],
      "licenseConcluded": "NOASSERTION",
      "licenseInfoInFiles": [
        "NOASSERTION"
      ],
      "copyrightText": "NOASSERTION"
    }
  ],
  "relationships": [
    {
      "spdxElementId": "SPDXRef-Package-dotnet-libxml2-33aabfd1f10e2851",
      "relatedSpdxElement": "SPDXRef-File-libxml2.dll-4ffa5ca3ddd8ad9b",
      "relationshipType": "OTHER",
      "comment": "evident-by: indicates the package's existence is evident by the given file"
    },
    {
      "spdxElementId": "SPDXRef-DocumentRoot-File-libxml2.dll",
      "relatedSpdxElement": "SPDXRef-Package-dotnet-libxml2-33aabfd1f10e2851",
      "relationshipType": "CONTAINS"
    },
    {
      "spdxElementId": "SPDXRef-DOCUMENT",
      "relatedSpdxElement": "SPDXRef-DocumentRoot-File-libxml2.dll",
      "relationshipType": "DESCRIBES"
    }
  ]
}
```
And after the fix, syft version 1.23.1:
```
syft libxml2.dll -o spdx-json |jq .
 ✔ Indexed file system                                         libxml2.dll
 ✔ Cataloged contents                                          62f848a2d187bb4f995aa738b2ccd8b4c4298e0b1c1bea080bb7acc6f651ea3d
   ├── ✔ Packages                        [0 packages]
   └── ✔ Executables                     [1 executables]
{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "libxml2.dll",
  "documentNamespace": "https://anchore.com/syft/file/libxml2.dll-324349ae-2921-4db3-8a7e-5022626eaa09",
  "creationInfo": {
    "licenseListVersion": "3.25",
    "creators": [
      "Organization: Anchore, Inc",
      "Tool: syft-1.23.1"
    ],
    "created": "2025-05-01T10:53:16Z"
  },
  "packages": [
    {
      "name": "libxml2.dll",
      "SPDXID": "SPDXRef-DocumentRoot-File-libxml2.dll",
      "versionInfo": "sha256:c33b878ebf18a580f77e1dd4dd07221bccbda2dd6593249cefec0dd36704a5ab",
      "supplier": "NOASSERTION",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "checksums": [
        {
          "algorithm": "SHA256",
          "checksumValue": "c33b878ebf18a580f77e1dd4dd07221bccbda2dd6593249cefec0dd36704a5ab"
        }
      ],
      "licenseConcluded": "NOASSERTION",
      "licenseDeclared": "NOASSERTION",
      "copyrightText": "NOASSERTION",
      "primaryPackagePurpose": "FILE"
    }
  ],
  "files": [
    {
      "fileName": "libxml2.dll",
      "SPDXID": "SPDXRef-File-libxml2.dll-4ffa5ca3ddd8ad9b",
      "checksums": [
        {
          "algorithm": "SHA1",
          "checksumValue": "0000000000000000000000000000000000000000"
        }
      ],
      "licenseConcluded": "NOASSERTION",
      "licenseInfoInFiles": [
        "NOASSERTION"
      ],
      "copyrightText": "NOASSERTION"
    }
  ],
  "relationships": [
    {
      "spdxElementId": "SPDXRef-DOCUMENT",
      "relatedSpdxElement": "SPDXRef-DocumentRoot-File-libxml2.dll",
      "relationshipType": "DESCRIBES"
    }
  ]
}
```
Anything else we need to know?:
Environment:
- Output of syft version: 1.23.1
- OS (e.g: cat /etc/os-release or similar): linux
- Windows binary - libxml2.dll.zip
marcosdiazr
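An added example, not part of the original report and not Syft code: a regression check over two parsed SPDX JSON documents that flags the differences visible between the 1.20.0 and 1.23.1 outputs above (the discovered package, its purl and CPE, and the all-zero SHA1). The function names are hypothetical and the sample documents are constructed by trimming the two outputs to the fields the check reads.

```python
ZERO_SHA1 = "0" * 40  # SHA1 value reported in the 1.23.1 output

def sbom_summary(doc):
    """Collect the identifying data of a parsed SPDX 2.3 JSON document."""
    out = {"components": [], "purls": [], "cpes": [], "zero_digest_files": []}
    for pkg in doc.get("packages", []):
        # The scanned file itself appears as a package with purpose FILE;
        # it is the document root, not a discovered component.
        if pkg.get("primaryPackagePurpose") == "FILE":
            continue
        out["components"].append(pkg["name"])
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                out["purls"].append(ref["referenceLocator"])
            elif ref.get("referenceType") == "cpe23Type":
                out["cpes"].append(ref["referenceLocator"])
    for f in doc.get("files", []):
        if any(c.get("checksumValue") == ZERO_SHA1 for c in f.get("checksums", [])):
            out["zero_digest_files"].append(f["fileName"])
    return out

def regressions(before, after):
    """Findings where the newer SBOM identifies less than the older one."""
    b, a = sbom_summary(before), sbom_summary(after)
    findings = []
    if not a["components"]:
        findings.append("no components besides the document root")
    for key in ("components", "purls", "cpes"):
        lost = sorted(set(b[key]) - set(a[key]))
        if lost:
            findings.append(f"lost {key}: {', '.join(lost)}")
    if a["zero_digest_files"]:
        findings.append("all-zero SHA1 on: " + ", ".join(a["zero_digest_files"]))
    return findings

# Constructed sample input: the two outputs above, trimmed to the fields read here.
BEFORE = {"packages": [
    {"name": "libxml2", "externalRefs": [
        {"referenceType": "cpe23Type",
         "referenceLocator": "cpe:2.3:a:libxml2:libxml2:2.13.5:*:*:*:*:*:*:*"},
        {"referenceType": "purl", "referenceLocator": "pkg:nuget/libxml2@2.13.5"}]},
    {"name": "libxml2.dll", "primaryPackagePurpose": "FILE"}],
    "files": [{"fileName": "libxml2.dll", "checksums": [{"algorithm": "SHA1",
        "checksumValue": "ebcb673b6bd139b1a0247b4f1aed893a5ed48741"}]}]}
AFTER = {"packages": [{"name": "libxml2.dll", "primaryPackagePurpose": "FILE"}],
         "files": [{"fileName": "libxml2.dll", "checksums": [
             {"algorithm": "SHA1", "checksumValue": ZERO_SHA1}]}]}

if __name__ == "__main__":
    print("\n".join(regressions(BEFORE, AFTER)))
```

To compare real scanner output, load each `-o spdx-json` file with `json.load` and pass the two dictionaries to `regressions`; a non-empty result is a reason to hold back a scanner upgrade in a pipeline that feeds vulnerability matching.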