grype
Different results scanning PHP SBOMs generated by cdxgen and Syft
What happened:
I'm working on detecting vulns in a PHP project and I get quite different results when scanning and I'm not sure if it's expected or there could be something to improve in Grype, Syft or cdxgen. I've created a minimal example to demonstrate the problem.
cdxgen + Grype:
~/dev/composer_issue ᐅ grype --add-cpes-if-none sbom:cdxgen.json
✔ Vulnerability DB [no update available]
✔ Scanned for vulnerabilities [1 vulnerability matches]
├── by severity: 0 critical, 0 high, 1 medium, 0 low, 0 negligible
└── by status: 0 fixed, 1 not-fixed, 0 ignored
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
jquery 3.7.1 php-composer CVE-2007-2379 Medium
Syft + Grype:
~/dev/composer_issue ᐅ grype --add-cpes-if-none sbom:syft.json
✔ Vulnerability DB [no update available]
✔ Scanned for vulnerabilities [2 vulnerability matches]
├── by severity: 0 critical, 1 high, 1 medium, 0 low, 0 negligible
└── by status: 2 fixed, 0 not-fixed, 0 ignored
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
yiisoft/yii2 2.0.49.2 2.0.49.4 php-composer GHSA-cjcc-p67m-7qxm High
yiisoft/yii2 2.0.49.2 2.0.49.4 php-composer GHSA-qg5r-95m4-mjgj Medium
As we can see, completely different vulns are detected.
What you expected to happen:
The same results in both scenarios.
How to reproduce it (as minimally and precisely as possible):
PHP composer.json:
{
"name": "example/php_sbom_issue",
"require": {
"yiisoft/yii2": "2.0.49.2"
},
"repositories": [
{
"type": "composer",
"url": "https://asset-packagist.org"
}
],
"config": {
"allow-plugins": {
"yiisoft/yii2-composer": true
}
}
}
composer.lock (generated via composer update --no-install):
{
"_readme": [
"This file locks the dependencies of your project to a known state",
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
"This file is @generated automatically"
],
"content-hash": "de1bd552949dd523bc63bbf9630f3ab5",
"packages": [
{
"name": "bower-asset/inputmask",
"version": "5.0.9",
"source": {
"type": "git",
"url": "https://github.com/RobinHerbots/Inputmask.git",
"reference": "310a33557e2944daf86d5946a5e8c82b9118f8f7"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/RobinHerbots/Inputmask/zipball/310a33557e2944daf86d5946a5e8c82b9118f8f7",
"reference": "310a33557e2944daf86d5946a5e8c82b9118f8f7"
},
"require": {
"bower-asset/jquery": ">=1.7"
},
"type": "bower-asset",
"license": [
"http://opensource.org/licenses/mit-license.php"
]
},
{
"name": "bower-asset/jquery",
"version": "3.7.1",
"source": {
"type": "git",
"url": "https://github.com/jquery/jquery-dist.git",
"reference": "fde1f76e2799dd877c176abde0ec836553246991"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/jquery/jquery-dist/zipball/fde1f76e2799dd877c176abde0ec836553246991",
"reference": "fde1f76e2799dd877c176abde0ec836553246991"
},
"type": "bower-asset",
"license": [
"MIT"
]
},
{
"name": "bower-asset/punycode",
"version": "v2.2.3",
"source": {
"type": "git",
"url": "https://github.com/mathiasbynens/punycode.js.git",
"reference": "46d412120e2feb868876769a9847790ba278c882"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/mathiasbynens/punycode.js/zipball/46d412120e2feb868876769a9847790ba278c882",
"reference": "46d412120e2feb868876769a9847790ba278c882"
},
"type": "bower-asset"
},
{
"name": "bower-asset/yii2-pjax",
"version": "2.0.8",
"source": {
"type": "git",
"url": "git@github.com:yiisoft/jquery-pjax.git",
"reference": "a9298d57da63d14a950f1b94366a864bc62264fb"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/yiisoft/jquery-pjax/zipball/a9298d57da63d14a950f1b94366a864bc62264fb",
"reference": "a9298d57da63d14a950f1b94366a864bc62264fb"
},
"require": {
"bower-asset/jquery": ">=1.8"
},
"type": "bower-asset",
"license": [
"MIT"
]
},
{
"name": "cebe/markdown",
"version": "1.2.1",
"source": {
"type": "git",
"url": "https://github.com/cebe/markdown.git",
"reference": "9bac5e971dd391e2802dca5400bbeacbaea9eb86"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/cebe/markdown/zipball/9bac5e971dd391e2802dca5400bbeacbaea9eb86",
"reference": "9bac5e971dd391e2802dca5400bbeacbaea9eb86",
"shasum": ""
},
"require": {
"lib-pcre": "*",
"php": ">=5.4.0"
},
"require-dev": {
"cebe/indent": "*",
"facebook/xhprof": "*@dev",
"phpunit/phpunit": "4.1.*"
},
"bin": [
"bin/markdown"
],
"type": "library",
"extra": {
"branch-alias": {
"dev-master": "1.2.x-dev"
}
},
"autoload": {
"psr-4": {
"cebe\\markdown\\": ""
}
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"MIT"
],
"authors": [
{
"name": "Carsten Brandt",
"email": "[email protected]",
"homepage": "http://cebe.cc/",
"role": "Creator"
}
],
"description": "A super fast, highly extensible markdown parser for PHP",
"homepage": "https://github.com/cebe/markdown#readme",
"keywords": [
"extensible",
"fast",
"gfm",
"markdown",
"markdown-extra"
],
"support": {
"issues": "https://github.com/cebe/markdown/issues",
"source": "https://github.com/cebe/markdown"
},
"time": "2018-03-26T11:24:36+00:00"
},
{
"name": "ezyang/htmlpurifier",
"version": "v4.17.0",
"source": {
"type": "git",
"url": "https://github.com/ezyang/htmlpurifier.git",
"reference": "bbc513d79acf6691fa9cf10f192c90dd2957f18c"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/ezyang/htmlpurifier/zipball/bbc513d79acf6691fa9cf10f192c90dd2957f18c",
"reference": "bbc513d79acf6691fa9cf10f192c90dd2957f18c",
"shasum": ""
},
"require": {
"php": "~5.6.0 || ~7.0.0 || ~7.1.0 || ~7.2.0 || ~7.3.0 || ~7.4.0 || ~8.0.0 || ~8.1.0 || ~8.2.0 || ~8.3.0"
},
"require-dev": {
"cerdic/css-tidy": "^1.7 || ^2.0",
"simpletest/simpletest": "dev-master"
},
"suggest": {
"cerdic/css-tidy": "If you want to use the filter 'Filter.ExtractStyleBlocks'.",
"ext-bcmath": "Used for unit conversion and imagecrash protection",
"ext-iconv": "Converts text to and from non-UTF-8 encodings",
"ext-tidy": "Used for pretty-printing HTML"
},
"type": "library",
"autoload": {
"files": [
"library/HTMLPurifier.composer.php"
],
"psr-0": {
"HTMLPurifier": "library/"
},
"exclude-from-classmap": [
"/library/HTMLPurifier/Language/"
]
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"LGPL-2.1-or-later"
],
"authors": [
{
"name": "Edward Z. Yang",
"email": "[email protected]",
"homepage": "http://ezyang.com"
}
],
"description": "Standards compliant HTML filter written in PHP",
"homepage": "http://htmlpurifier.org/",
"keywords": [
"html"
],
"support": {
"issues": "https://github.com/ezyang/htmlpurifier/issues",
"source": "https://github.com/ezyang/htmlpurifier/tree/v4.17.0"
},
"time": "2023-11-17T15:01:25+00:00"
},
{
"name": "paragonie/random_compat",
"version": "v9.99.100",
"source": {
"type": "git",
"url": "https://github.com/paragonie/random_compat.git",
"reference": "996434e5492cb4c3edcb9168db6fbb1359ef965a"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/paragonie/random_compat/zipball/996434e5492cb4c3edcb9168db6fbb1359ef965a",
"reference": "996434e5492cb4c3edcb9168db6fbb1359ef965a",
"shasum": ""
},
"require": {
"php": ">= 7"
},
"require-dev": {
"phpunit/phpunit": "4.*|5.*",
"vimeo/psalm": "^1"
},
"suggest": {
"ext-libsodium": "Provides a modern crypto API that can be used to generate random bytes."
},
"type": "library",
"notification-url": "https://packagist.org/downloads/",
"license": [
"MIT"
],
"authors": [
{
"name": "Paragon Initiative Enterprises",
"email": "[email protected]",
"homepage": "https://paragonie.com"
}
],
"description": "PHP 5.x polyfill for random_bytes() and random_int() from PHP 7",
"keywords": [
"csprng",
"polyfill",
"pseudorandom",
"random"
],
"support": {
"email": "[email protected]",
"issues": "https://github.com/paragonie/random_compat/issues",
"source": "https://github.com/paragonie/random_compat"
},
"time": "2020-10-15T08:29:30+00:00"
},
{
"name": "yiisoft/yii2",
"version": "2.0.49.2",
"source": {
"type": "git",
"url": "https://github.com/yiisoft/yii2-framework.git",
"reference": "7d38bf7584acbe838a8d08e40e949b6393162441"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/yiisoft/yii2-framework/zipball/7d38bf7584acbe838a8d08e40e949b6393162441",
"reference": "7d38bf7584acbe838a8d08e40e949b6393162441",
"shasum": ""
},
"require": {
"bower-asset/inputmask": "~3.2.2 | ~3.3.5 | ~5.0.8 ",
"bower-asset/jquery": "3.7.*@stable | 3.6.*@stable | 3.5.*@stable | 3.4.*@stable | 3.3.*@stable | 3.2.*@stable | 3.1.*@stable | 2.2.*@stable | 2.1.*@stable | 1.11.*@stable | 1.12.*@stable",
"bower-asset/punycode": "1.3.* | 2.2.*",
"bower-asset/yii2-pjax": "~2.0.1",
"cebe/markdown": "~1.0.0 | ~1.1.0 | ~1.2.0",
"ext-ctype": "*",
"ext-mbstring": "*",
"ezyang/htmlpurifier": "^4.6",
"lib-pcre": "*",
"paragonie/random_compat": ">=1",
"php": ">=5.4.0",
"yiisoft/yii2-composer": "~2.0.4"
},
"bin": [
"yii"
],
"type": "library",
"extra": {
"branch-alias": {
"dev-master": "2.0.x-dev"
}
},
"autoload": {
"psr-4": {
"yii\\": ""
}
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"BSD-3-Clause"
],
"authors": [
{
"name": "Qiang Xue",
"email": "[email protected]",
"homepage": "https://www.yiiframework.com/",
"role": "Founder and project lead"
},
{
"name": "Alexander Makarov",
"email": "[email protected]",
"homepage": "https://rmcreative.ru/",
"role": "Core framework development"
},
{
"name": "Maurizio Domba",
"homepage": "http://mdomba.info/",
"role": "Core framework development"
},
{
"name": "Carsten Brandt",
"email": "[email protected]",
"homepage": "https://www.cebe.cc/",
"role": "Core framework development"
},
{
"name": "Timur Ruziev",
"email": "[email protected]",
"homepage": "http://resurtm.com/",
"role": "Core framework development"
},
{
"name": "Paul Klimov",
"email": "[email protected]",
"role": "Core framework development"
},
{
"name": "Dmitry Naumenko",
"email": "[email protected]",
"role": "Core framework development"
},
{
"name": "Boudewijn Vahrmeijer",
"email": "[email protected]",
"homepage": "http://dynasource.eu",
"role": "Core framework development"
}
],
"description": "Yii PHP Framework Version 2",
"homepage": "https://www.yiiframework.com/",
"keywords": [
"framework",
"yii2"
],
"support": {
"forum": "https://forum.yiiframework.com/",
"irc": "ircs://irc.libera.chat:6697/yii",
"issues": "https://github.com/yiisoft/yii2/issues?state=open",
"source": "https://github.com/yiisoft/yii2",
"wiki": "https://www.yiiframework.com/wiki"
},
"funding": [
{
"url": "https://github.com/yiisoft",
"type": "github"
},
{
"url": "https://opencollective.com/yiisoft",
"type": "open_collective"
},
{
"url": "https://tidelift.com/funding/github/packagist/yiisoft/yii2",
"type": "tidelift"
}
],
"time": "2023-10-12T15:46:26+00:00"
},
{
"name": "yiisoft/yii2-composer",
"version": "2.0.10",
"source": {
"type": "git",
"url": "https://github.com/yiisoft/yii2-composer.git",
"reference": "94bb3f66e779e2774f8776d6e1bdeab402940510"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/yiisoft/yii2-composer/zipball/94bb3f66e779e2774f8776d6e1bdeab402940510",
"reference": "94bb3f66e779e2774f8776d6e1bdeab402940510",
"shasum": ""
},
"require": {
"composer-plugin-api": "^1.0 | ^2.0"
},
"require-dev": {
"composer/composer": "^1.0 | ^2.0@dev",
"phpunit/phpunit": "<7"
},
"type": "composer-plugin",
"extra": {
"class": "yii\\composer\\Plugin",
"branch-alias": {
"dev-master": "2.0.x-dev"
}
},
"autoload": {
"psr-4": {
"yii\\composer\\": ""
}
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"BSD-3-Clause"
],
"authors": [
{
"name": "Qiang Xue",
"email": "[email protected]"
},
{
"name": "Carsten Brandt",
"email": "[email protected]"
}
],
"description": "The composer plugin for Yii extension installer",
"keywords": [
"composer",
"extension installer",
"yii2"
],
"support": {
"forum": "http://www.yiiframework.com/forum/",
"irc": "irc://irc.freenode.net/yii",
"issues": "https://github.com/yiisoft/yii2-composer/issues",
"source": "https://github.com/yiisoft/yii2-composer",
"wiki": "http://www.yiiframework.com/wiki/"
},
"funding": [
{
"url": "https://github.com/yiisoft",
"type": "github"
},
{
"url": "https://opencollective.com/yiisoft",
"type": "open_collective"
},
{
"url": "https://tidelift.com/funding/github/packagist/yiisoft/yii2-composer",
"type": "tidelift"
}
],
"time": "2020-06-24T00:04:01+00:00"
}
],
"packages-dev": [],
"aliases": [],
"minimum-stability": "stable",
"stability-flags": [],
"prefer-stable": false,
"prefer-lowest": false,
"platform": [],
"platform-dev": [],
"plugin-api-version": "2.6.0"
}
Commands to generate SBOMs:
CDXGEN_DEBUG_MODE=debug cdxgen --output cdxgen.json .
syft -o cyclonedx-json composer.lock > syft.json
Generated cdxgen.json SBOM:
{
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"serialNumber": "urn:uuid:f108f84c-51a3-4f75-84ae-27eaf31d1390",
"version": 1,
"metadata": {
"timestamp": "2024-08-06T22:07:01Z",
"tools": {
"components": [
{
"group": "@cyclonedx",
"name": "cdxgen",
"version": "10.8.1",
"purl": "pkg:npm/%40cyclonedx/cdxgen@10.8.1",
"type": "application",
"bom-ref": "pkg:npm/@cyclonedx/cdxgen@10.8.1",
"author": "OWASP Foundation",
"publisher": "OWASP Foundation"
}
]
},
"authors": [
{
"name": "OWASP Foundation"
}
],
"lifecycles": [
{
"phase": "build"
}
],
"component": {
"group": "example",
"name": "php_sbom_issue",
"type": "application",
"version": "latest",
"bom-ref": "pkg:composer/example/php_sbom_issue@latest",
"purl": "pkg:composer/example/php_sbom_issue%40latest",
"components": [
{
"group": "",
"name": "composer_issue",
"version": "latest",
"type": "application",
"bom-ref": "pkg:gem/composer_issue@latest",
"purl": "pkg:gem/composer_issue@latest"
}
]
},
"properties": [
{
"name": "cdx:bom:componentTypes",
"value": "composer"
},
{
"name": "cdx:bom:componentNamespaces",
"value": "bower-asset\\ncebe\\nezyang\\nparagonie\\nyiisoft"
}
]
},
"components": [
{
"group": "bower-asset",
"name": "inputmask",
"version": "5.0.9",
"scope": "required",
"licenses": [
{
"license": {
"id": "MIT",
"url": "http://opensource.org/licenses/mit-license.php"
}
}
],
"purl": "pkg:composer/bower-asset/inputmask@5.0.9",
"externalReferences": [
{
"type": "vcs",
"url": "https://github.com/RobinHerbots/Inputmask.git"
}
],
"type": "library",
"bom-ref": "pkg:composer/bower-asset/inputmask@5.0.9",
"evidence": {
"identity": {
"field": "purl",
"confidence": 1,
"methods": [
{
"technique": "manifest-analysis",
"confidence": 1,
"value": "/Users/yuri/dev/composer_issue/composer.lock"
}
]
}
},
"properties": [
{
"name": "SrcFile",
"value": "/Users/yuri/dev/composer_issue/composer.lock"
}
]
},
{
"group": "bower-asset",
"name": "jquery",
"version": "3.7.1",
"scope": "required",
"licenses": [
{
"license": {
"id": "MIT",
"url": "https://opensource.org/licenses/MIT"
}
}
],
"purl": "pkg:composer/bower-asset/jquery@3.7.1",
"externalReferences": [
{
"type": "vcs",
"url": "https://github.com/jquery/jquery-dist.git"
}
],
"type": "framework",
"bom-ref": "pkg:composer/bower-asset/jquery@3.7.1",
"evidence": {
"identity": {
"field": "purl",
"confidence": 1,
"methods": [
{
"technique": "manifest-analysis",
"confidence": 1,
"value": "/Users/yuri/dev/composer_issue/composer.lock"
}
]
}
},
"properties": [
{
"name": "SrcFile",
"value": "/Users/yuri/dev/composer_issue/composer.lock"
}
]
},
{
"group": "bower-asset",
"name": "punycode",
"version": "v2.2.3",
"scope": "required",
"purl": "pkg:composer/bower-asset/punycode@v2.2.3",
"externalReferences": [
{
"type": "vcs",
"url": "https://github.com/mathiasbynens/punycode.js.git"
}
],
"type": "library",
"bom-ref": "pkg:composer/bower-asset/punycode@v2.2.3",
"evidence": {
"identity": {
"field": "purl",
"confidence": 1,
"methods": [
{
"technique": "manifest-analysis",
"confidence": 1,
"value": "/Users/yuri/dev/composer_issue/composer.lock"
}
]
}
},
"properties": [
{
"name": "SrcFile",
"value": "/Users/yuri/dev/composer_issue/composer.lock"
}
]
},
{
"group": "bower-asset",
"name": "yii2-pjax",
"version": "2.0.8",
"scope": "required",
"licenses": [
{
"license": {
"id": "MIT",
"url": "https://opensource.org/licenses/MIT"
}
}
],
"purl": "pkg:composer/bower-asset/yii2-pjax@2.0.8",
"type": "library",
"bom-ref": "pkg:composer/bower-asset/yii2-pjax@2.0.8",
"evidence": {
"identity": {
"field": "purl",
"confidence": 1,
"methods": [
{
"technique": "manifest-analysis",
"confidence": 1,
"value": "/Users/yuri/dev/composer_issue/composer.lock"
}
]
}
},
"properties": [
{
"name": "SrcFile",
"value": "/Users/yuri/dev/composer_issue/composer.lock"
}
]
},
{
"group": "cebe",
"name": "markdown",
"version": "1.2.1",
"description": "A super fast, highly extensible markdown parser for PHP",
"scope": "required",
"licenses": [
{
"license": {
"id": "MIT",
"url": "https://opensource.org/licenses/MIT"
}
}
],
"purl": "pkg:composer/cebe/markdown@1.2.1",
"externalReferences": [
{
"type": "vcs",
"url": "https://github.com/cebe/markdown.git"
}
],
"type": "library",
"bom-ref": "pkg:composer/cebe/markdown@1.2.1",
"evidence": {
"identity": {
"field": "purl",
"confidence": 1,
"methods": [
{
"technique": "manifest-analysis",
"confidence": 1,
"value": "/Users/yuri/dev/composer_issue/composer.lock"
}
]
}
},
"properties": [
{
"name": "SrcFile",
"value": "/Users/yuri/dev/composer_issue/composer.lock"
},
{
"name": "Namespaces",
"value": "cebe\\markdown\\"
}
]
},
{
"group": "ezyang",
"name": "htmlpurifier",
"version": "v4.17.0",
"description": "Standards compliant HTML filter written in PHP",
"scope": "required",
"licenses": [
{
"license": {
"id": "LGPL-2.1-or-later",
"url": "https://opensource.org/licenses/LGPL-2.1-or-later"
}
}
],
"purl": "pkg:composer/ezyang/htmlpurifier@v4.17.0",
"externalReferences": [
{
"type": "vcs",
"url": "https://github.com/ezyang/htmlpurifier.git"
}
],
"type": "library",
"bom-ref": "pkg:composer/ezyang/htmlpurifier@v4.17.0",
"evidence": {
"identity": {
"field": "purl",
"confidence": 1,
"methods": [
{
"technique": "manifest-analysis",
"confidence": 1,
"value": "/Users/yuri/dev/composer_issue/composer.lock"
}
]
}
},
"properties": [
{
"name": "SrcFile",
"value": "/Users/yuri/dev/composer_issue/composer.lock"
},
{
"name": "Namespaces",
"value": "HTMLPurifier"
}
]
},
{
"group": "paragonie",
"name": "random_compat",
"version": "v9.99.100",
"description": "PHP 5.x polyfill for random_bytes() and random_int() from PHP 7",
"scope": "required",
"licenses": [
{
"license": {
"id": "MIT",
"url": "https://opensource.org/licenses/MIT"
}
}
],
"purl": "pkg:composer/paragonie/random_compat@v9.99.100",
"externalReferences": [
{
"type": "vcs",
"url": "https://github.com/paragonie/random_compat.git"
}
],
"type": "library",
"bom-ref": "pkg:composer/paragonie/random_compat@v9.99.100",
"evidence": {
"identity": {
"field": "purl",
"confidence": 1,
"methods": [
{
"technique": "manifest-analysis",
"confidence": 1,
"value": "/Users/yuri/dev/composer_issue/composer.lock"
}
]
}
},
"properties": [
{
"name": "SrcFile",
"value": "/Users/yuri/dev/composer_issue/composer.lock"
}
]
},
{
"group": "yiisoft",
"name": "yii2",
"version": "2.0.49.2",
"description": "Yii PHP Framework Version 2",
"scope": "required",
"licenses": [
{
"license": {
"id": "BSD-3-Clause",
"url": "https://opensource.org/licenses/BSD-3-Clause"
}
}
],
"purl": "pkg:composer/yiisoft/yii2@2.0.49.2",
"externalReferences": [
{
"type": "vcs",
"url": "https://github.com/yiisoft/yii2-framework.git"
}
],
"type": "framework",
"bom-ref": "pkg:composer/yiisoft/yii2@2.0.49.2",
"evidence": {
"identity": {
"field": "purl",
"confidence": 1,
"methods": [
{
"technique": "manifest-analysis",
"confidence": 1,
"value": "/Users/yuri/dev/composer_issue/composer.lock"
}
]
}
},
"properties": [
{
"name": "SrcFile",
"value": "/Users/yuri/dev/composer_issue/composer.lock"
},
{
"name": "Namespaces",
"value": "yii\\"
}
]
},
{
"group": "yiisoft",
"name": "yii2-composer",
"version": "2.0.10",
"description": "The composer plugin for Yii extension installer",
"scope": "required",
"licenses": [
{
"license": {
"id": "BSD-3-Clause",
"url": "https://opensource.org/licenses/BSD-3-Clause"
}
}
],
"purl": "pkg:composer/yiisoft/yii2-composer@2.0.10",
"externalReferences": [
{
"type": "vcs",
"url": "https://github.com/yiisoft/yii2-composer.git"
}
],
"type": "framework",
"bom-ref": "pkg:composer/yiisoft/yii2-composer@2.0.10",
"evidence": {
"identity": {
"field": "purl",
"confidence": 1,
"methods": [
{
"technique": "manifest-analysis",
"confidence": 1,
"value": "/Users/yuri/dev/composer_issue/composer.lock"
}
]
}
},
"properties": [
{
"name": "SrcFile",
"value": "/Users/yuri/dev/composer_issue/composer.lock"
},
{
"name": "Namespaces",
"value": "yii\\composer\\"
}
]
}
],
"services": [],
"dependencies": [
{
"ref": "pkg:composer/example/php_sbom_issue@latest",
"dependsOn": [
"pkg:composer/yiisoft/yii2@2.0.49.2"
]
},
{
"ref": "pkg:composer/bower-asset/inputmask@5.0.9",
"dependsOn": [
"pkg:composer/bower-asset/jquery@3.7.1"
]
},
{
"ref": "pkg:composer/bower-asset/jquery@3.7.1",
"dependsOn": []
},
{
"ref": "pkg:composer/bower-asset/punycode@v2.2.3",
"dependsOn": []
},
{
"ref": "pkg:composer/bower-asset/yii2-pjax@2.0.8",
"dependsOn": [
"pkg:composer/bower-asset/jquery@3.7.1"
]
},
{
"ref": "pkg:composer/cebe/markdown@1.2.1",
"dependsOn": []
},
{
"ref": "pkg:composer/ezyang/htmlpurifier@v4.17.0",
"dependsOn": []
},
{
"ref": "pkg:composer/paragonie/random_compat@v9.99.100",
"dependsOn": []
},
{
"ref": "pkg:composer/yiisoft/yii2@2.0.49.2",
"dependsOn": [
"pkg:composer/bower-asset/inputmask@5.0.9",
"pkg:composer/bower-asset/jquery@3.7.1",
"pkg:composer/bower-asset/punycode@v2.2.3",
"pkg:composer/bower-asset/yii2-pjax@2.0.8",
"pkg:composer/cebe/markdown@1.2.1",
"pkg:composer/ezyang/htmlpurifier@v4.17.0",
"pkg:composer/paragonie/random_compat@v9.99.100",
"pkg:composer/yiisoft/yii2-composer@2.0.10"
]
},
{
"ref": "pkg:composer/yiisoft/yii2-composer@2.0.10",
"dependsOn": []
}
]
}
Generated syft.json SBOM:
{
"$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.6",
"serialNumber": "urn:uuid:93dd2a98-ace9-48b4-8a3d-f9c21b6f5925",
"version": 1,
"metadata": {
"timestamp": "2024-08-07T01:07:10+03:00",
"tools": {
"components": [
{
"type": "application",
"author": "anchore",
"name": "syft",
"version": "1.9.0"
}
]
},
"component": {
"bom-ref": "280526f80efd5b66",
"type": "file",
"name": "composer.lock",
"version": "sha256:fa49da4efa632d3f4871a5faaf2b891adddcb25024d480decb71cb7921139eb7"
}
},
"components": [
{
"bom-ref": "pkg:composer/bower-asset/inputmask@5.0.9?package-id=f8aba670d7b79f5d",
"type": "library",
"name": "bower-asset/inputmask",
"version": "5.0.9",
"licenses": [
{
"license": {
"name": "http://opensource.org/licenses/mit-license.php"
}
}
],
"cpe": "cpe:2.3:a:bower-asset\\/inputmask:bower-asset\\/inputmask:5.0.9:*:*:*:*:*:*:*",
"purl": "pkg:composer/bower-asset/inputmask@5.0.9",
"properties": [
{
"name": "syft:package:foundBy",
"value": "php-composer-lock-cataloger"
},
{
"name": "syft:package:language",
"value": "php"
},
{
"name": "syft:package:type",
"value": "php-composer"
},
{
"name": "syft:package:metadataType",
"value": "php-composer-lock-entry"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:bower-asset\\/inputmask:bower_asset\\/inputmask:5.0.9:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:bower_asset\\/inputmask:bower-asset\\/inputmask:5.0.9:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:bower_asset\\/inputmask:bower_asset\\/inputmask:5.0.9:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:bower:bower-asset\\/inputmask:5.0.9:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:bower:bower_asset\\/inputmask:5.0.9:*:*:*:*:*:*:*"
},
{
"name": "syft:location:0:path",
"value": "/composer.lock"
}
]
},
{
"bom-ref": "pkg:composer/bower-asset/jquery@3.7.1?package-id=c88c3e90f3660303",
"type": "library",
"name": "bower-asset/jquery",
"version": "3.7.1",
"licenses": [
{
"license": {
"id": "MIT"
}
}
],
"cpe": "cpe:2.3:a:bower-asset\\/jquery:bower-asset\\/jquery:3.7.1:*:*:*:*:*:*:*",
"purl": "pkg:composer/bower-asset/jquery@3.7.1",
"properties": [
{
"name": "syft:package:foundBy",
"value": "php-composer-lock-cataloger"
},
{
"name": "syft:package:language",
"value": "php"
},
{
"name": "syft:package:type",
"value": "php-composer"
},
{
"name": "syft:package:metadataType",
"value": "php-composer-lock-entry"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:bower-asset\\/jquery:bower_asset\\/jquery:3.7.1:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:bower_asset\\/jquery:bower-asset\\/jquery:3.7.1:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:bower_asset\\/jquery:bower_asset\\/jquery:3.7.1:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:bower:bower-asset\\/jquery:3.7.1:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:bower:bower_asset\\/jquery:3.7.1:*:*:*:*:*:*:*"
},
{
"name": "syft:location:0:path",
"value": "/composer.lock"
}
]
},
{
"bom-ref": "pkg:composer/bower-asset/punycode@v2.2.3?package-id=9852900b72cb9bf9",
"type": "library",
"name": "bower-asset/punycode",
"version": "v2.2.3",
"cpe": "cpe:2.3:a:bower-asset\\/punycode:bower-asset\\/punycode:v2.2.3:*:*:*:*:*:*:*",
"purl": "pkg:composer/bower-asset/punycode@v2.2.3",
"properties": [
{
"name": "syft:package:foundBy",
"value": "php-composer-lock-cataloger"
},
{
"name": "syft:package:language",
"value": "php"
},
{
"name": "syft:package:type",
"value": "php-composer"
},
{
"name": "syft:package:metadataType",
"value": "php-composer-lock-entry"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:bower-asset\\/punycode:bower_asset\\/punycode:v2.2.3:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:bower_asset\\/punycode:bower-asset\\/punycode:v2.2.3:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:bower_asset\\/punycode:bower_asset\\/punycode:v2.2.3:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:bower:bower-asset\\/punycode:v2.2.3:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:bower:bower_asset\\/punycode:v2.2.3:*:*:*:*:*:*:*"
},
{
"name": "syft:location:0:path",
"value": "/composer.lock"
}
]
},
{
"bom-ref": "pkg:composer/bower-asset/yii2-pjax@2.0.8?package-id=3678ef28348a125a",
"type": "library",
"name": "bower-asset/yii2-pjax",
"version": "2.0.8",
"licenses": [
{
"license": {
"id": "MIT"
}
}
],
"cpe": "cpe:2.3:a:bower-asset\\/yii2-pjax:bower-asset\\/yii2-pjax:2.0.8:*:*:*:*:*:*:*",
"purl": "pkg:composer/bower-asset/yii2-pjax@2.0.8",
"properties": [
{
"name": "syft:package:foundBy",
"value": "php-composer-lock-cataloger"
},
{
"name": "syft:package:language",
"value": "php"
},
{
"name": "syft:package:type",
"value": "php-composer"
},
{
"name": "syft:package:metadataType",
"value": "php-composer-lock-entry"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:bower-asset\\/yii2-pjax:bower_asset\\/yii2_pjax:2.0.8:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:bower_asset\\/yii2_pjax:bower-asset\\/yii2-pjax:2.0.8:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:bower_asset\\/yii2_pjax:bower_asset\\/yii2_pjax:2.0.8:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:bower-asset\\/yii2:bower-asset\\/yii2-pjax:2.0.8:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:bower-asset\\/yii2:bower_asset\\/yii2_pjax:2.0.8:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:bower_asset\\/yii2:bower-asset\\/yii2-pjax:2.0.8:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:bower_asset\\/yii2:bower_asset\\/yii2_pjax:2.0.8:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:bower:bower-asset\\/yii2-pjax:2.0.8:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:bower:bower_asset\\/yii2_pjax:2.0.8:*:*:*:*:*:*:*"
},
{
"name": "syft:location:0:path",
"value": "/composer.lock"
}
]
},
{
"bom-ref": "pkg:composer/cebe/markdown@1.2.1?package-id=56cffb7a90fbdc65",
"type": "library",
"name": "cebe/markdown",
"version": "1.2.1",
"licenses": [
{
"license": {
"id": "MIT"
}
}
],
"cpe": "cpe:2.3:a:cebe\\/markdown:cebe\\/markdown:1.2.1:*:*:*:*:*:*:*",
"purl": "pkg:composer/cebe/markdown@1.2.1",
"properties": [
{
"name": "syft:package:foundBy",
"value": "php-composer-lock-cataloger"
},
{
"name": "syft:package:language",
"value": "php"
},
{
"name": "syft:package:type",
"value": "php-composer"
},
{
"name": "syft:package:metadataType",
"value": "php-composer-lock-entry"
},
{
"name": "syft:location:0:path",
"value": "/composer.lock"
}
]
},
{
"bom-ref": "pkg:composer/ezyang/htmlpurifier@v4.17.0?package-id=1a01f1ab7bc76032",
"type": "library",
"name": "ezyang/htmlpurifier",
"version": "v4.17.0",
"licenses": [
{
"license": {
"id": "LGPL-2.1-or-later"
}
}
],
"cpe": "cpe:2.3:a:ezyang\\/htmlpurifier:ezyang\\/htmlpurifier:v4.17.0:*:*:*:*:*:*:*",
"purl": "pkg:composer/ezyang/htmlpurifier@v4.17.0",
"properties": [
{
"name": "syft:package:foundBy",
"value": "php-composer-lock-cataloger"
},
{
"name": "syft:package:language",
"value": "php"
},
{
"name": "syft:package:type",
"value": "php-composer"
},
{
"name": "syft:package:metadataType",
"value": "php-composer-lock-entry"
},
{
"name": "syft:location:0:path",
"value": "/composer.lock"
}
]
},
{
"bom-ref": "pkg:composer/paragonie/random_compat@v9.99.100?package-id=dc7a937336b89997",
"type": "library",
"name": "paragonie/random_compat",
"version": "v9.99.100",
"licenses": [
{
"license": {
"id": "MIT"
}
}
],
"cpe": "cpe:2.3:a:paragonie\\/random-compat:paragonie\\/random-compat:v9.99.100:*:*:*:*:*:*:*",
"purl": "pkg:composer/paragonie/random_compat@v9.99.100",
"properties": [
{
"name": "syft:package:foundBy",
"value": "php-composer-lock-cataloger"
},
{
"name": "syft:package:language",
"value": "php"
},
{
"name": "syft:package:type",
"value": "php-composer"
},
{
"name": "syft:package:metadataType",
"value": "php-composer-lock-entry"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:paragonie\\/random-compat:paragonie\\/random_compat:v9.99.100:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:paragonie\\/random_compat:paragonie\\/random-compat:v9.99.100:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:paragonie\\/random_compat:paragonie\\/random_compat:v9.99.100:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:paragonie\\/random:paragonie\\/random-compat:v9.99.100:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:paragonie\\/random:paragonie\\/random_compat:v9.99.100:*:*:*:*:*:*:*"
},
{
"name": "syft:location:0:path",
"value": "/composer.lock"
}
]
},
{
"bom-ref": "pkg:composer/yiisoft/yii2@2.0.49.2?package-id=69ac11cfcc2cf90c",
"type": "library",
"name": "yiisoft/yii2",
"version": "2.0.49.2",
"licenses": [
{
"license": {
"id": "BSD-3-Clause"
}
}
],
"cpe": "cpe:2.3:a:yiisoft\\/yii2:yiisoft\\/yii2:2.0.49.2:*:*:*:*:*:*:*",
"purl": "pkg:composer/yiisoft/yii2@2.0.49.2",
"properties": [
{
"name": "syft:package:foundBy",
"value": "php-composer-lock-cataloger"
},
{
"name": "syft:package:language",
"value": "php"
},
{
"name": "syft:package:type",
"value": "php-composer"
},
{
"name": "syft:package:metadataType",
"value": "php-composer-lock-entry"
},
{
"name": "syft:location:0:path",
"value": "/composer.lock"
}
]
},
{
"bom-ref": "pkg:composer/yiisoft/yii2-composer@2.0.10?package-id=9e649fc0c2007f55",
"type": "library",
"name": "yiisoft/yii2-composer",
"version": "2.0.10",
"licenses": [
{
"license": {
"id": "BSD-3-Clause"
}
}
],
"cpe": "cpe:2.3:a:yiisoft\\/yii2-composer:yiisoft\\/yii2-composer:2.0.10:*:*:*:*:*:*:*",
"purl": "pkg:composer/yiisoft/yii2-composer@2.0.10",
"properties": [
{
"name": "syft:package:foundBy",
"value": "php-composer-lock-cataloger"
},
{
"name": "syft:package:language",
"value": "php"
},
{
"name": "syft:package:type",
"value": "php-composer"
},
{
"name": "syft:package:metadataType",
"value": "php-composer-lock-entry"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:yiisoft\\/yii2-composer:yiisoft\\/yii2_composer:2.0.10:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:yiisoft\\/yii2_composer:yiisoft\\/yii2-composer:2.0.10:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:yiisoft\\/yii2_composer:yiisoft\\/yii2_composer:2.0.10:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:yiisoft\\/yii2:yiisoft\\/yii2-composer:2.0.10:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:yiisoft\\/yii2:yiisoft\\/yii2_composer:2.0.10:*:*:*:*:*:*:*"
},
{
"name": "syft:location:0:path",
"value": "/composer.lock"
}
]
}
]
}
Anything else we need to know?:
- It looks like the significant difference between the SBOMs is that cdxgen splits the name and group:
  "group": "yiisoft", "name": "yii2", "version": "2.0.49.2",
  OTOH, Syft doesn't:
  "name": "yiisoft/yii2", "version": "2.0.49.2",
- Other scanners (osv-scanner, Trivy, composer audit) detect only Yii2 vulns in composer.lock.
Environment:
- Output of grype version:
Application: grype
Version: 0.79.4
BuildDate: 2024-07-31T15:05:32Z
GitCommit: brew
GitDescription: [not provided]
Platform: darwin/arm64
GoVersion: go1.22.5
Compiler: gc
Syft Version: v1.10.0
Supported DB Schema: 5
- cdxgen version: 10.8.1.
- OS: macOS.
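To make the group/name difference noted in the report concrete, here is an added Python example (not code from the issue, grype, Syft or cdxgen) that normalizes Composer components from both CycloneDX shapes to one vendor/package@version identity via the purl, reports where the two SBOMs disagree on the name field, and flags components whose name lacks the vendor prefix. The two embedded SBOM fragments are constructed to mirror the cdxgen and Syft shapes above and are not the full SBOMs.

```python
import json
from urllib.parse import unquote

# Constructed mini-SBOMs mirroring the two shapes in the report: cdxgen puts
# the Composer vendor in "group" and only the package in "name"; Syft keeps
# the full "vendor/package" in "name". Both emit the same purl.
CDXGEN_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"group": "bower-asset", "name": "jquery", "version": "3.7.1",
         "purl": "pkg:composer/bower-asset/jquery@3.7.1"},
        {"group": "yiisoft", "name": "yii2", "version": "2.0.49.2",
         "purl": "pkg:composer/yiisoft/yii2@2.0.49.2"},
    ],
})
SYFT_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "components": [
        {"name": "bower-asset/jquery", "version": "3.7.1",
         "purl": "pkg:composer/bower-asset/jquery@3.7.1"},
        {"name": "yiisoft/yii2", "version": "2.0.49.2",
         "purl": "pkg:composer/yiisoft/yii2@2.0.49.2"},
    ],
})


def parse_composer_purl(purl):
    """Return (vendor, package, version) from a pkg:composer purl, else None."""
    if not purl or not purl.startswith("pkg:composer/"):
        return None
    rest = purl[len("pkg:composer/"):].split("?", 1)[0]  # drop qualifiers
    path, _, version = rest.partition("@")
    parts = path.split("/")
    if len(parts) != 2 or not version:
        return None
    return unquote(parts[0]), unquote(parts[1]), unquote(version)


def canonical_identity(component):
    """Composer identity 'vendor/package@version', preferring the purl.

    Falls back to group + name when no usable purl is present, so a cdxgen
    style component still normalizes to the Syft style name.
    """
    parsed = parse_composer_purl(component.get("purl"))
    if parsed:
        vendor, package, version = parsed
        return f"{vendor}/{package}@{version}"
    name = component.get("name", "")
    group = component.get("group")
    if group and "/" not in name:
        name = f"{group}/{name}"
    return f"{name}@{component.get('version', '')}"


def compare_sboms(sbom_a_json, sbom_b_json):
    """Diff two CycloneDX JSON documents by canonical Composer identity."""
    a = {canonical_identity(c): c for c in json.loads(sbom_a_json)["components"]}
    b = {canonical_identity(c): c for c in json.loads(sbom_b_json)["components"]}
    report = {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "name_mismatches": [],
        "bare_names_in_a": [],
        "bare_names_in_b": [],
    }
    # Same package in both documents, but the raw "name" field differs.
    for ident in sorted(set(a) & set(b)):
        if a[ident].get("name") != b[ident].get("name"):
            report["name_mismatches"].append(
                (ident, a[ident].get("name"), b[ident].get("name")))
    # A Composer component whose "name" carries no vendor prefix can be
    # matched on the bare name alone; that is consistent with the generic
    # "jquery" match the report shows for the cdxgen SBOM.
    for key, sbom in (("bare_names_in_a", a), ("bare_names_in_b", b)):
        report[key] = sorted(i for i, c in sbom.items()
                             if "/" not in c.get("name", ""))
    return report


if __name__ == "__main__":
    print(json.dumps(compare_sboms(CDXGEN_SBOM, SYFT_SBOM), indent=2))
```

Run it against real cdxgen.json and syft.json files by loading their text in place of the constructed fragments; an empty only_in_a/only_in_b with non-empty name_mismatches is the pattern from this issue.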