Will Murphy
Agreed, this should definitely be possible now:

```
❯ syft -q alpine:latest -o json | jq -r '.artifacts[] | .purl'
pkg:apk/alpine/[email protected]?arch=aarch64&distro=alpine-3.18.3
pkg:apk/alpine/[email protected]?arch=aarch64&upstream=alpine-baselayout&distro=alpine-3.18.3
pkg:apk/alpine/[email protected]?arch=aarch64&distro=alpine-3.18.3
pkg:apk/alpine/[email protected]?arch=aarch64&distro=alpine-3.18.3
pkg:apk/alpine/[email protected]?arch=aarch64&distro=alpine-3.18.3
pkg:apk/alpine/[email protected]?arch=aarch64&upstream=busybox&distro=alpine-3.18.3
pkg:apk/alpine/ca-certificates-bundle@20230506-r0?arch=aarch64&upstream=ca-certificates&distro=alpine-3.18.3
pkg:apk/alpine/[email protected]?arch=aarch64&upstream=libc-dev&distro=alpine-3.18.3
pkg:apk/alpine/[email protected]?arch=aarch64&upstream=openssl&distro=alpine-3.18.3
pkg:apk/alpine/[email protected]?arch=aarch64&upstream=openssl&distro=alpine-3.18.3
...
```
I have a couple of concerns here with the linked PR before I am ready to merge it: 1. There's a TODO, that if we have an SBOM from a distro...
> Use as much distro information as possible and scan against all namespaces that match what info is present. For example, if only "distro=debian", then scan against all debian namespaces...
I did some more experimenting, and it looks like syft includes the Debian version except for trixie/sid/unstable:

```
❯ syft -q -o json debian:bookworm-slim | jq '.artifacts[] | .purl'
"pkg:deb/debian/[email protected]?arch=all&distro=debian-12"
...
```
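The two comments above describe the same matching rule from both sides: a purl may carry a full `distro=<name>-<version>` qualifier, only `distro=<name>`, or no distro qualifier at all, and a scanner should use as much of that information as is present. The block below is an added illustration of that rule, not Syft or Grype code. It parses the purl, splits the `distro` qualifier, and selects from a constructed namespace list; the namespace names, the `<distro>:<version>` shape and the prefix-based version comparison are assumptions made for the example, not the real Grype namespace table.

```python
"""Added example: scope vulnerability matching by the purl distro qualifier.

Not Syft/Grype code. The namespace list and the matching rule are
assumptions for illustration only.
"""
from urllib.parse import unquote

# Constructed namespace table, shaped "<distro>:<version>" (assumption; Grype's
# real namespace layout is not reproduced here).
NAMESPACES = [
    "alpine:3.17", "alpine:3.18", "alpine:3.19",
    "debian:11", "debian:12", "debian:unstable",
]


def parse_purl(purl: str) -> dict:
    """Split a package URL into type, namespace, name, version and qualifiers.

    Handles the pkg:<type>/<namespace>/<name>@<version>?<qualifiers>#<subpath>
    layout; percent-encoded version and qualifier values are decoded.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    body = purl[len("pkg:"):]
    body, _, subpath = body.partition("#")
    body, _, query = body.partition("?")
    parts = body.split("/")
    name, _, version = parts[-1].partition("@")
    qualifiers = {}
    for pair in filter(None, query.split("&")):
        key, _, value = pair.partition("=")
        qualifiers[key] = unquote(value)
    return {
        "type": parts[0],
        "namespace": "/".join(parts[1:-1]) or None,
        "name": name,
        "version": unquote(version) or None,
        "qualifiers": qualifiers,
        "subpath": subpath or None,
    }


def distro_from_purl(purl: str):
    """Return (distro_name, distro_version_or_None), or None without a distro.

    Splits on the first '-', so "alpine-3.18.3" -> ("alpine", "3.18.3") and a
    bare "debian" -> ("debian", None). Assumes distro names carry no hyphen.
    """
    distro = parse_purl(purl)["qualifiers"].get("distro")
    if not distro:
        return None
    name, _, version = distro.partition("-")
    return name, (version or None)


def version_matches(namespace_version: str, purl_version: str) -> bool:
    """True when the namespace version equals, or is a dotted prefix of, the
    purl's version ("3.18" matches "3.18.3" but not "3.1" vs "3.18.3")."""
    return purl_version == namespace_version or purl_version.startswith(
        namespace_version + "."
    )


def candidate_namespaces(purl: str, namespaces=NAMESPACES) -> list:
    """Use as much distro information as the purl has.

    - name and version present: only namespaces for that distro and version
    - name only: every namespace for that distro
    - no distro qualifier: nothing to scope by, so return an empty list
    """
    distro = distro_from_purl(purl)
    if distro is None:
        return []
    name, version = distro
    selected = []
    for ns in namespaces:
        ns_name, _, ns_version = ns.partition(":")
        if ns_name != name:
            continue
        if version is None or version_matches(ns_version, version):
            selected.append(ns)
    return selected


if __name__ == "__main__":
    # Constructed sample purls (not taken from a real SBOM).
    for sample in (
        "pkg:apk/alpine/examplepkg@1.0.0-r0?arch=aarch64&distro=alpine-3.18.3",
        "pkg:deb/debian/examplepkg@1.0-1?arch=all&distro=debian-12",
        "pkg:deb/debian/examplepkg@1.0-1?arch=all&distro=debian",
        "pkg:deb/debian/examplepkg@1.0-1?arch=all",
    ):
        print(sample, "->", candidate_namespaces(sample))
```

The last case is the one the comments worry about: with no `distro` qualifier the function returns an empty list rather than guessing, so the caller has to fall back to some other source of distro information (for example the SBOM's own distro metadata) instead of silently matching against the wrong namespace.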
Hi @jonjohnsonjr, thanks for offering to help with this! The code changes to make are really in Syft. Essentially, Syft should make 2 changes: 1. The metadata Syft emits about...
Hi @josetirablaz, thanks for the issue! To help future investigations, here's a oneliner with a digest that reproduces this positive result (some of these get hard to investigate if the...
I think this is because the [binary classifier for redis](https://github.com/anchore/syft/blob/dde5d349b1eef740c285255e6a9e3a8f5c9938e1/syft/pkg/cataloger/binary/classifiers.go#L76-L86) matches against the amd64 build of redis but _not_ the **arm64** build.

```sh
❯ syft -q --platform=linux/amd64 docker.io/bitnami/redis@sha256:c1843bcdb2f413d2aff67adbaf482082673cd40ec602fa9fefad74ec685cb813 | grep...
```
We took a step in the direction @westonsteimel mentioned above with https://github.com/anchore/grype-db/pull/203, but I don't think it would fix this particular issue. @luhring are you able to post a Dockerfile...
I did a little investigation here. Right now Syft uses the following methods to try to infer the group ID of a JAR: 1. Check the pom properties if present...
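The comment above lists the first method used to infer a JAR's group ID: reading the `pom.properties` that Maven embeds under `META-INF/maven/<groupId>/<artifactId>/`. The block below is an added example of that one step, written here and not taken from Syft. It assembles a small JAR in memory so it runs offline; the package names, `groupId` value and file contents are constructed for the example. It also covers the failure mode the comment is about, a JAR with no `pom.properties` at all, by returning `None` so the caller knows to fall through to the next method.

```python
"""Added example: infer a JAR's groupId from an embedded pom.properties.

Not Syft code. The sample JAR and its contents are constructed for the example.
"""
import io
import zipfile
from typing import List, Optional, Tuple

# Constructed pom.properties in the layout Maven writes (illustration only).
POM_PROPERTIES = b"""#Generated by Maven
#Mon Jan 01 00:00:00 UTC 2024
groupId=com.example
artifactId=demo-lib
version=1.2.3
"""


def build_sample_jar(with_pom: bool = True) -> bytes:
    """Assemble an in-memory JAR (a zip) so the example needs no files on disk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/demo/Demo.class", b"\xca\xfe\xba\xbe")  # magic only
        if with_pom:
            zf.writestr(
                "META-INF/maven/com.example/demo-lib/pom.properties", POM_PROPERTIES
            )
    return buf.getvalue()


def parse_properties(data: bytes) -> dict:
    """Minimal java.util.Properties reader: '#'/'!' comments, '=' or ':' separator.

    Enough for Maven-generated pom.properties; it does not handle line
    continuations or escapes, which Maven does not emit in this file.
    """
    props = {}
    for raw in data.decode("utf-8", "replace").splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if seps:
            idx = min(seps)
            key, value = line[:idx], line[idx + 1:]
        else:
            key, value = line, ""
        props[key.strip()] = value.strip()
    return props


def pom_coordinates(jar_bytes: bytes) -> List[Tuple[str, str]]:
    """Collect (groupId, artifactId) from every META-INF/maven/**/pom.properties.

    A shaded or fat JAR may bundle several, so all of them are returned in
    archive order rather than silently picking one.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = parse_properties(zf.read(name))
                if props.get("groupId") and props.get("artifactId"):
                    found.append((props["groupId"], props["artifactId"]))
    return found


def group_id_from_pom_properties(jar_bytes: bytes) -> Optional[str]:
    """Step 1 of the inference: the groupId from the first pom.properties found,
    or None when the JAR carries none (the caller then tries other methods)."""
    coords = pom_coordinates(jar_bytes)
    return coords[0][0] if coords else None


if __name__ == "__main__":
    print(group_id_from_pom_properties(build_sample_jar()))
    print(group_id_from_pom_properties(build_sample_jar(with_pom=False)))
```

Returning every `(groupId, artifactId)` pair matters for fat JARs: taking the first entry is a heuristic, and when several are present the caller should cross-check against the JAR's own file name or manifest before trusting it.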
#2796 should improve the situation somewhat.