
fix: support multiple letters in openssl patch version #4106


Merged
merged 1 commit into from
Aug 12, 2025

Conversation

honigbot
Contributor

Description

Some openssl versions have two-letter versions. This is not supported by the current binary-classifier regex:

`\x00OpenSSL (?P<version>[0-9]+\.[0-9]+\.[0-9]+([a-z]|-alpha[0-9]|-beta[0-9]|-rc[0-9])?)`,

These two-letter versions are referenced for example here:

Furthermore, grype db lists two-letter versions, but without syft detecting multi-letter versions it generates false positives:

```
$ grype sbom-1.1.1zb.json
NAME        INSTALLED  FIXED IN                                ...
openssl     1.1.1z     1.0.2zk, 1.1.1za, 3.0.15, 3.1.7, 3.2.3, ...
openssl     1.1.1z     1.0.2zl, 1.1.1zb, 3.0.16, 3.1.8, 3.2.4, ...
```

Therefore this patch fixes the pattern to allow multiple letters after the patch level:

  • fix: accept '[a-z]+' letters in openssl regex
```
        NAME      VERSION  TYPE
BEFORE  openssl   1.1.1z   binary
 AFTER  openssl   1.1.1zb  binary
```

Type of change

  • Bug fix (non-breaking change which fixes an issue)

Checklist:

  • I have added unit tests that cover changed behavior
  • I have tested my code in common scenarios and confirmed there are no regressions
  • I have added comments to my code, particularly in hard-to-understand sections

Signed-off-by: honigbot <thesoftbear@gmail.com>
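To make the false-positive mechanism concrete, here is an added stand-alone Go program (not code from the PR or from syft) that runs the pattern quoted in the description beside the widened `[a-z]+` form over a constructed NUL-delimited version string like the one found in an OpenSSL binary. The blob contents and the `extractVersion`/`constructedBlob` helpers are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// oldPattern is the binary-classifier regex quoted in the PR description;
// newPattern is the same regex with `[a-z]` widened to `[a-z]+` after the
// patch level, as the fix describes.
const (
	oldPattern = `\x00OpenSSL (?P<version>[0-9]+\.[0-9]+\.[0-9]+([a-z]|-alpha[0-9]|-beta[0-9]|-rc[0-9])?)`
	newPattern = `\x00OpenSSL (?P<version>[0-9]+\.[0-9]+\.[0-9]+([a-z]+|-alpha[0-9]|-beta[0-9]|-rc[0-9])?)`
)

var (
	oldRe = regexp.MustCompile(oldPattern)
	newRe = regexp.MustCompile(newPattern)
)

// extractVersion returns the named "version" capture, or "" when the
// pattern does not match the blob at all.
func extractVersion(re *regexp.Regexp, blob []byte) string {
	m := re.FindSubmatch(blob)
	if m == nil {
		return ""
	}
	return string(m[re.SubexpIndex("version")])
}

// constructedBlob builds a sample of the NUL-terminated version string an
// OpenSSL build embeds. It is constructed here, not captured from a library.
func constructedBlob(version string) []byte {
	return []byte("\x00OpenSSL " + version + "  11 Feb 2025\x00")
}

func main() {
	// With the old pattern, "1.1.1zb" is reported as "1.1.1z", which is
	// exactly the version grype then flags as unfixed.
	for _, v := range []string{"1.1.1z", "1.1.1zb", "1.0.2zl", "3.0.16", "3.2.0-beta1"} {
		blob := constructedBlob(v)
		fmt.Printf("%-12s old=%-12s new=%s\n", v, extractVersion(oldRe, blob), extractVersion(newRe, blob))
	}
}
```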
@honigbot honigbot changed the title support multiple letters in openssl patch version fix: support multiple letters in openssl patch version Aug 7, 2025
@honigbot
Contributor Author

I would kindly request and appreciate a review, maintainers. Is there something I can do to support with that?


@kzantow kzantow left a comment


LGTM, thanks for the contribution @honigbot

@kzantow kzantow merged commit 80e6117 into anchore:main Aug 12, 2025
12 checks passed
@kzantow kzantow added the bug Something isn't working label Aug 13, 2025
hawkaii pushed a commit to hawkaii/syft that referenced this pull request Aug 14, 2025
spiffcs added a commit that referenced this pull request Aug 18, 2025