.NET cataloger does not always pair up PE binaries and deps.json packages, resulting in duplicate packages on some runs #3866

@popey

What happened:

On request of @westonsteimel I ran Syft against the same container on the same host, multiple times. Often the syft-json file is the same from run to run. Sometimes it isn't.

What you expected to happen:

The SBOM should be largely the same.

Steps to reproduce the issue:

I wrote this script to run syft 1000 times, but didn't need to, because it got different results after just two runs.

#!/bin/bash

# Disable the update check and capture debug logs for every run.
export SYFT_CHECK_FOR_APP_UPDATE=false
export SYFT_LOG_LEVEL=debug

for container in anchore/test_images:grype-quality-dotnet-69f15d2; do
  # Turn the image reference into a file-name-safe prefix.
  sbom=$(echo "$container" | tr '/' '_' | tr ':' '.')
  for count in {0001..1000}; do
    for arch in amd64 arm64; do
      # One log file and one syft-json SBOM per run and arch label.
      export SYFT_LOG_FILE="$count"-"$sbom"-"$arch".log
      echo "== Run $count for $container $arch"
      syft "$container" -o syft-json="$count"-"$sbom"-"$arch"-syft.json
    done
  done
done

Anything else we need to know?:

I ran this on an AMD64 Linux box but told it to test amd64 and arm64 containers.

ls -l *.json| head
-rw-r--r-- 1 alan alan 1718669 May  8 10:26 0001-anchore_test_images.grype-quality-dotnet-69f15d2-amd64-syft.json
-rw-r--r-- 1 alan alan 1718669 May  8 10:26 0001-anchore_test_images.grype-quality-dotnet-69f15d2-arm64-syft.json
-rw-r--r-- 1 alan alan 1718669 May  8 10:26 0002-anchore_test_images.grype-quality-dotnet-69f15d2-amd64-syft.json
-rw-r--r-- 1 alan alan 1698021 May  8 10:26 0002-anchore_test_images.grype-quality-dotnet-69f15d2-arm64-syft.json
-rw-r--r-- 1 alan alan 1718669 May  8 10:26 0003-anchore_test_images.grype-quality-dotnet-69f15d2-amd64-syft.json
-rw-r--r-- 1 alan alan 1718669 May  8 10:26 0003-anchore_test_images.grype-quality-dotnet-69f15d2-arm64-syft.json
-rw-r--r-- 1 alan alan 1718669 May  8 10:26 0004-anchore_test_images.grype-quality-dotnet-69f15d2-amd64-syft.json
-rw-r--r-- 1 alan alan 1718669 May  8 10:26 0004-anchore_test_images.grype-quality-dotnet-69f15d2-arm64-syft.json
-rw-r--r-- 1 alan alan 1718669 May  8 10:27 0005-anchore_test_images.grype-quality-dotnet-69f15d2-amd64-syft.json
-rw-r--r-- 1 alan alan 1718669 May  8 10:27 0005-anchore_test_images.grype-quality-dotnet-69f15d2-arm64-syft.json

Environment:

  • Output of syft version:
Application: syft
Version:    1.23.1
BuildDate:  2025-04-25T14:52:16Z
GitCommit:  a714fb8391471c6ddf6e583229d982d1316d64a8
GitDescription: v1.23.1
Platform:   linux/amd64
GoVersion:  go1.24.2
Compiler:   gc
  • OS (e.g: cat /etc/os-release or similar):
PRETTY_NAME="Ubuntu 24.04 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo
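
To see which packages differ between two runs instead of only comparing file sizes, the syft-json outputs can be compared by package counts. The following is an added example, not part of the original report or of Syft itself; it assumes only the `artifacts` array with `type`, `name`, `version` and `metadataType` fields, and the two embedded SBOM fragments are constructed sample data.

```python
import json
import sys
from collections import Counter

def package_counts(sbom: dict) -> Counter:
    """Count packages in one syft-json document by (type, name, version, metadataType)."""
    return Counter(
        (p.get("type"), p.get("name"), p.get("version"), p.get("metadataType"))
        for p in sbom.get("artifacts", [])
    )

def diff_runs(a: dict, b: dict) -> dict:
    """Return {key: (count_in_a, count_in_b)} for every package key whose count differs."""
    ca, cb = package_counts(a), package_counts(b)
    keys = sorted(ca.keys() | cb.keys(), key=str)  # key=str tolerates missing (None) fields
    return {k: (ca[k], cb[k]) for k in keys if ca[k] != cb[k]}

# Constructed sample data (not taken from the real image): the same package
# reported once in run A, and reported a second time as a separate entry in run B.
RUN_A = {"artifacts": [
    {"type": "dotnet", "name": "Newtonsoft.Json", "version": "13.0.1",
     "metadataType": "dotnet-deps-entry"},
]}
RUN_B = {"artifacts": [
    {"type": "dotnet", "name": "Newtonsoft.Json", "version": "13.0.1",
     "metadataType": "dotnet-deps-entry"},
    {"type": "dotnet", "name": "Newtonsoft.Json", "version": "13.0.1.25517",
     "metadataType": "dotnet-portable-executable-entry"},
]}

if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python compare_runs.py <run1>-syft.json <run2>-syft.json
        with open(sys.argv[1]) as fa, open(sys.argv[2]) as fb:
            first, second = json.load(fa), json.load(fb)
    else:
        first, second = RUN_A, RUN_B
    for key, (n_a, n_b) in diff_runs(first, second).items():
        print(f"{n_a} -> {n_b}  {key}")
```

An empty result means both runs reported the same packages the same number of times, even if the files differ in other fields.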

Labels: bug (Something isn't working)

Project status: Done
