syft
Redis not listed in the artifact lists of the bitnami/redis image
What happened:
I am creating an SBOM for the docker.io/bitnami/redis image.
As I was looking at the artifacts, I noticed that the redis binary was absent from the list of artifacts in the SBOM.
Attachment: bitnami/redis SBOM syft-1.1.1
What you expected to happen: The redis binary should be listed as an artifact in the SBOM
Steps to reproduce the issue:
syft docker.io/bitnami/redis@sha256:c1843bcdb2f413d2aff67adbaf482082673cd40ec602fa9fefad74ec685cb813 --output syft-json=syft-redis-sbom.json
Anything else we need to know?:
I compared the SBOM with syft version 0.101.1, and the only difference is that in the older version there is a mention of redis in the list of artifacts:
{
  "id": "0063efe371213ed7",
  "name": "Redis (TM)",
  "version": "7.2.4-3",
  "type": "UnknownPackage",
  "foundBy": "sbom-cataloger",
  "locations": [
    {
      "path": "/opt/bitnami/redis/.spdx-redis.spdx",
      "layerID": "sha256:730b9522f949b7d691cf82395a311ffe8fbf2d9d18fac0a1a06f3697f12aad55",
      "accessPath": "/opt/bitnami/redis/.spdx-redis.spdx",
      "annotations": {
        "evidence": "primary"
      }
    }
  ],
  "licenses": [
    {
      "value": "BSD-3-Clause",
      "spdxExpression": "BSD-3-Clause",
      "type": "concluded",
      "urls": [],
      "locations": []
    },
    {
      "value": "BSD-3-Clause",
      "spdxExpression": "BSD-3-Clause",
      "type": "declared",
      "urls": [],
      "locations": []
    }
  ],
  "language": "",
  "cpes": [
    "cpe:2.3:*:redis:redis:7.2.4:*:*:*:*:*:*:*",
    "cpe:2.3:a:Redis_\\(TM\\):Redis_\\(TM\\):7.2.4-3:*:*:*:*:*:*:*"
  ],
  "purl": "pkg:bitnami/redis@7.2.4-3?arch=arm64&distro=debian-12"
},
Attachment: bitnami/redis SBOM syft-0.101.1
Environment:
- Output of syft version:
Application: syft
Version: 1.1.1
BuildDate: 2024-04-04T14:34:19Z
GitCommit: Homebrew
GitDescription: [not provided]
Platform: darwin/arm64
GoVersion: go1.22.2
Compiler: gc
- OS (e.g: cat /etc/os-release or similar): macOS, M1
I think this is because the binary classifier for redis matches against the amd64 build of redis but _not_ the arm64 build.
❯ syft -q --platform=linux/amd64 docker.io/bitnami/redis@sha256:c1843bcdb2f413d2aff67adbaf482082673cd40ec602fa9fefad74ec685cb813 | grep -i ^redis
redis 7.2.4 binary
❯ syft -q --platform=linux/arm64 docker.io/bitnami/redis@sha256:c1843bcdb2f413d2aff67adbaf482082673cd40ec602fa9fefad74ec685cb813 | grep -i ^redis
I believe the digest points to a multi-architecture manifest, so when syft asks docker to pull the image, the client decides which platform to pull, and if the client pulls the linux/amd64 platform, redis is found, but not if it pulls the linux/arm64 platform.
I'll leave this issue open as a request to enhance the binary classifier to detect the arm64 build of redis.
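Because a digest that points at a multi-arch manifest leaves the platform choice to the client, the only reliable check is to ask for each platform explicitly. The script below is an added example, not syft's own code and not from the thread: it runs syft once per platform and reports where the package is absent, parsing the default table output with the same grep used in the comment above. The SYFT variable (so a fake can stand in for the real binary) and the explicit platform list are assumptions of this example.

```shell
#!/bin/sh
# Added example (not syft's own code): run syft once per platform of a
# multi-arch image reference and report where a package is not catalogued.
# SYFT can be pointed at another command (for instance a fake in a test);
# it is an assumption of this example, not a syft setting.
: "${SYFT:=syft}"

# check_platforms IMAGE PACKAGE PLATFORM...
# Prints one "found"/"missing" line per platform; returns 1 if any is missing.
check_platforms() {
  image=$1
  pkg=$2
  shift 2
  missing=0
  for platform in "$@"; do
    # syft's default table output lists one package per line, name first,
    # so the same grep as in the thread works here.
    if "$SYFT" -q --platform="$platform" "$image" 2>/dev/null \
        | grep -qiE "^${pkg}[[:space:]]"; then
      echo "found   $platform"
    else
      echo "missing $platform"
      missing=$((missing + 1))
    fi
  done
  [ "$missing" -eq 0 ]
}

# Run directly: sh check-platforms.sh IMAGE PACKAGE PLATFORM...
# e.g. sh check-platforms.sh docker.io/bitnami/redis@sha256:c1843bcdb2f413d2aff67adbaf482082673cd40ec602fa9fefad74ec685cb813 redis linux/amd64 linux/arm64
if [ "$#" -ge 3 ]; then
  check_platforms "$@"
fi
```

The platform list can be taken from `docker manifest inspect IMAGE`, which lists the platforms in the manifest list; a non-zero exit from check_platforms is what a CI job would key on, so that an SBOM generated for whichever platform the client happened to pull is not silently accepted as covering all of them.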
Please let me report additional cases not listed above.
syft does not detect redis from 3/8 OS/ARCH of redis:latest.
$ syft -q --platform=linux/386 redis | grep redis
$
$ syft -q --platform=linux/arm/v5 redis | grep redis
$
$ syft -q --platform=linux/arm/v7 redis | grep redis
$
format includes text - buildkitsandbox
$ docker run -it --rm --platform linux/386 redis sh -c "apt update && apt install -y binutils && strings /usr/local/bin/redis-server | grep -E '7\.2\.4'"
:
:
:
7.2.4
7.2.4buildkitsandbox-1712714399000000000
$ docker run -it --rm --platform linux/arm/v5 redis sh -c "apt update && apt install -y binutils && strings /usr/local/bin/redis-server | grep -E '7\.2\.4'"
:
:
:
7.2.4
7.2.4buildkitsandbox-1712788833000000000
$ docker run -it --rm --platform linux/arm/v7 redis sh -c "apt update && apt install -y binutils && strings /usr/local/bin/redis-server | grep -E '7\.2\.4'"
:
:
:
7.2.4
7.2.4buildkitsandbox-1712788833000000000
bitnami
$ docker run -it --rm --platform=linux/arm64 --user root docker.io/bitnami/redis@sha256:c1843bcdb2f413d2aff67adbaf482082673cd40ec602fa9fefad74ec685cb813 sh -c "apt update && apt install -y binutils && strings /opt/bitnami/redis/bin/redis-server | grep -E '7\.2\.4'"
:
:
:
7.2.4
7.2.4af940fca2d06-1706617069000000000
/bitnami/blacksmith-sandox/redis-7.2.4/src
/bitnami/blacksmith-sandox/redis-7.2.4/deps/hiredis
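The strings dumps above show two shapes of build string after the version: the official image embeds `7.2.4buildkitsandbox-<19-digit timestamp>`, the bitnami image `7.2.4<12-char hash>-<19-digit timestamp>`. The script below is an added example, not syft's classifier and not from the thread: it runs two candidate patterns over dumps constructed from the lines posted above to show how a content-based version matcher that expects a fixed-width hash misses the buildkit form. Both patterns are assumptions of this example. Note that the bitnami arm64 dump matches even the strict form, so this illustrates the official-image (linux/386, arm/v5, arm/v7) misses, not the bitnami arm64 miss reported earlier in the thread.

```shell
#!/bin/sh
# Added example (not syft's classifier): extract a redis version from a
# `strings` dump the way a content-based binary classifier does, with two
# candidate patterns. Both patterns are assumptions of this example.

# Constructed samples, copied from the strings output posted in this thread.
SAMPLE_OFFICIAL_386='7.2.4
7.2.4buildkitsandbox-1712714399000000000'
SAMPLE_BITNAMI_ARM64='7.2.4
7.2.4af940fca2d06-1706617069000000000
/bitnami/blacksmith-sandox/redis-7.2.4/src'

# Strict: version, exactly 12 hex-like characters (a short git hash), dash,
# 19-digit nanosecond timestamp. Fits the bitnami build string only.
PATTERN_STRICT='^[0-9]+\.[0-9]+\.[0-9]+[a-z0-9]{12}-[0-9]{19}$'
# Relaxed: any run of letters/digits before the timestamp, so the buildkit
# "buildkitsandbox" tag also matches.
PATTERN_RELAXED='^[0-9]+\.[0-9]+\.[0-9]+[a-z0-9]+-[0-9]{19}$'

# extract_version PATTERN STRINGS_DUMP
# Prints the version from the first line matching PATTERN, nothing otherwise.
extract_version() {
  printf '%s\n' "$2" \
    | grep -E "$1" \
    | grep -oE '^[0-9]+\.[0-9]+\.[0-9]+' \
    | head -n 1
}

# report NAME STRINGS_DUMP: show what each pattern recovers from a dump.
report() {
  printf '%-14s strict=%-6s relaxed=%s\n' "$1" \
    "$(extract_version "$PATTERN_STRICT" "$2")" \
    "$(extract_version "$PATTERN_RELAXED" "$2")"
}

report official/386 "$SAMPLE_OFFICIAL_386"
report bitnami/arm64 "$SAMPLE_BITNAMI_ARM64"
```

Anchoring both ends of the line and requiring the 19-digit timestamp keeps the relaxed form from matching the bare `7.2.4` line or the `/bitnami/blacksmith-sandox/redis-7.2.4/src` path, which is the kind of false positive a classifier has to avoid when it loosens a pattern.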