Merge multiple targets for the same .NET package #3869

wagoodman · 2025-05-08T15:10:09Z

It is possible for multiple targets in a deps.json to be for the same package, something that is not considered today (so the first target wins). In cases where we process the first target we might associate PE binaries with the deps.json package, however, if we process with other target first (which might have fewer PE references) then we will not associate that PE with the package and create a unique package.

This PR merges targets together so that dependencies and DLL paths are preserved, thus, multiple runs of syft should always produce the same results.

Fixes .NET cataloger does not always pair up PE binaries and deps.json packages, resulting in duplicate packages on some runs #3866

Type of change

Bug fix (non-breaking change which fixes an issue)

Checklist

I have added unit tests that cover changed behavior
I have tested my code in common scenarios and confirmed there are no regressions
I have added comments to my code, particularly in hard-to-understand sections

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

popey · 2025-05-08T15:20:26Z

Ok, built this and ran it with the script in #3866, which previously failed (as in, created a non-duplicate SBOM) pretty quickly.

It has run over 50 times now with no differences in the SBOMs.

-rw-r--r-- 1 alan alan 1704111 May  8 16:17 00014-anchore_test_images.grype-quality-dotnet-69f15d2-amd64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:17 00014-anchore_test_images.grype-quality-dotnet-69f15d2-arm64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:17 00015-anchore_test_images.grype-quality-dotnet-69f15d2-amd64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:17 00015-anchore_test_images.grype-quality-dotnet-69f15d2-arm64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:17 00016-anchore_test_images.grype-quality-dotnet-69f15d2-amd64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:17 00016-anchore_test_images.grype-quality-dotnet-69f15d2-arm64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:17 00017-anchore_test_images.grype-quality-dotnet-69f15d2-amd64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:17 00017-anchore_test_images.grype-quality-dotnet-69f15d2-arm64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:17 00018-anchore_test_images.grype-quality-dotnet-69f15d2-amd64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:17 00018-anchore_test_images.grype-quality-dotnet-69f15d2-arm64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:17 00019-anchore_test_images.grype-quality-dotnet-69f15d2-amd64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:17 00019-anchore_test_images.grype-quality-dotnet-69f15d2-arm64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:17 00020-anchore_test_images.grype-quality-dotnet-69f15d2-amd64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:17 00020-anchore_test_images.grype-quality-dotnet-69f15d2-arm64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:17 00021-anchore_test_images.grype-quality-dotnet-69f15d2-amd64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:18 00021-anchore_test_images.grype-quality-dotnet-69f15d2-arm64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:18 00022-anchore_test_images.grype-quality-dotnet-69f15d2-amd64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:18 00022-anchore_test_images.grype-quality-dotnet-69f15d2-arm64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:18 00023-anchore_test_images.grype-quality-dotnet-69f15d2-amd64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:18 00023-anchore_test_images.grype-quality-dotnet-69f15d2-arm64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:18 00024-anchore_test_images.grype-quality-dotnet-69f15d2-amd64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:18 00024-anchore_test_images.grype-quality-dotnet-69f15d2-arm64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:18 00025-anchore_test_images.grype-quality-dotnet-69f15d2-amd64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:18 00025-anchore_test_images.grype-quality-dotnet-69f15d2-arm64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:18 00026-anchore_test_images.grype-quality-dotnet-69f15d2-amd64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:18 00026-anchore_test_images.grype-quality-dotnet-69f15d2-arm64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:18 00027-anchore_test_images.grype-quality-dotnet-69f15d2-amd64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:18 00027-anchore_test_images.grype-quality-dotnet-69f15d2-arm64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:18 00028-anchore_test_images.grype-quality-dotnet-69f15d2-amd64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:18 00028-anchore_test_images.grype-quality-dotnet-69f15d2-arm64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:18 00029-anchore_test_images.grype-quality-dotnet-69f15d2-amd64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:18 00029-anchore_test_images.grype-quality-dotnet-69f15d2-arm64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:18 00030-anchore_test_images.grype-quality-dotnet-69f15d2-amd64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:18 00030-anchore_test_images.grype-quality-dotnet-69f15d2-arm64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:18 00031-anchore_test_images.grype-quality-dotnet-69f15d2-amd64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:19 00031-anchore_test_images.grype-quality-dotnet-69f15d2-arm64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:19 00032-anchore_test_images.grype-quality-dotnet-69f15d2-amd64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:19 00032-anchore_test_images.grype-quality-dotnet-69f15d2-arm64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:19 00033-anchore_test_images.grype-quality-dotnet-69f15d2-amd64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:19 00033-anchore_test_images.grype-quality-dotnet-69f15d2-arm64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:19 00034-anchore_test_images.grype-quality-dotnet-69f15d2-amd64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:19 00034-anchore_test_images.grype-quality-dotnet-69f15d2-arm64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:19 00035-anchore_test_images.grype-quality-dotnet-69f15d2-amd64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:19 00035-anchore_test_images.grype-quality-dotnet-69f15d2-arm64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:19 00036-anchore_test_images.grype-quality-dotnet-69f15d2-amd64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:19 00036-anchore_test_images.grype-quality-dotnet-69f15d2-arm64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:19 00037-anchore_test_images.grype-quality-dotnet-69f15d2-amd64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:19 00037-anchore_test_images.grype-quality-dotnet-69f15d2-arm64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:19 00038-anchore_test_images.grype-quality-dotnet-69f15d2-amd64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:19 00038-anchore_test_images.grype-quality-dotnet-69f15d2-arm64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:19 00039-anchore_test_images.grype-quality-dotnet-69f15d2-amd64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:19 00039-anchore_test_images.grype-quality-dotnet-69f15d2-arm64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:19 00040-anchore_test_images.grype-quality-dotnet-69f15d2-amd64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:19 00040-anchore_test_images.grype-quality-dotnet-69f15d2-arm64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:19 00041-anchore_test_images.grype-quality-dotnet-69f15d2-amd64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:19 00041-anchore_test_images.grype-quality-dotnet-69f15d2-arm64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:20 00042-anchore_test_images.grype-quality-dotnet-69f15d2-amd64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:20 00042-anchore_test_images.grype-quality-dotnet-69f15d2-arm64-syft.json
-rw-r--r-- 1 alan alan 1704111 May  8 16:20 00043-anchore_test_images.grype-quality-dotnet-69f15d2-amd64-syft.json

kzantow

LGTM

wagoodman self-assigned this May 8, 2025

wagoodman added this to OSS May 8, 2025

wagoodman added the bug Something isn't working label May 8, 2025

merge multiple targets for the same dotnet package

23de228

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

wagoodman force-pushed the dotnet-duplicate-targets branch from 379df8d to 23de228 Compare May 8, 2025 15:11

wagoodman moved this to In Review in OSS May 8, 2025

kzantow approved these changes May 8, 2025

View reviewed changes

wagoodman enabled auto-merge (squash) May 8, 2025 15:21

wagoodman removed this from OSS May 8, 2025

wagoodman merged commit 1574fb2 into main May 8, 2025
13 checks passed

wagoodman deleted the dotnet-duplicate-targets branch May 8, 2025 15:28

BrewTestBot mentioned this pull request May 14, 2025

syft 1.24.0 Homebrew/homebrew-core#223465

Merged

jaskaransinghdr6j mentioned this pull request May 19, 2025

Dotnet deps binary cataloger hangs #3919

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Merge multiple targets for the same .NET package #3869

Merge multiple targets for the same .NET package #3869

Uh oh!

wagoodman commented May 8, 2025

Uh oh!

popey commented May 8, 2025

Uh oh!

kzantow left a comment

Uh oh!

Uh oh!

Uh oh!

Merge multiple targets for the same .NET package #3869

Merge multiple targets for the same .NET package #3869

Uh oh!

Conversation

wagoodman commented May 8, 2025

Type of change

Checklist

Uh oh!

popey commented May 8, 2025

Uh oh!

kzantow left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!