Will Murphy
@wagoodman I wanted to make sure I understand why the `rust-cargo-lock-cataloger` is labeled as "complete" not as "mixed". It seems like as we make a set of dependency relationships more...
Cross posting https://github.com/anchore/syft/issues/3010#issuecomment-2485475311 so that it gets seen here.
@reure1 that's a good idea! It would be great if we could report this as part of our new "known unknowns" feature which was added by https://github.com/anchore/syft/pull/2998/. What we would...
Thanks for the issue @alexhaydock! Here's the matching data that Syft gives to Grype in this situation: `❯ syft -q -o json tmp | jq '.artifacts[] | select(.name ==`...
Hi all! I just wanted to check in and see if there's anything I can do to help here. My understanding is that the current state of this PR is...
Hi @juan131! I was just testing this, but I'm seeing something surprising: `❯ SYFT_PACKAGE_EXCLUDE_BINARY_OVERLAP_BY_OWNERSHIP=true go run ./cmd/syft -q bitnami/postgresql:14 | rg -e NAME -e postgres NAME VERSION TYPE postgresql`...
Hi @juan131! Thanks for that comment. We've pushed a partial fix that needs some modification before it can be merged. More on that below. @wagoodman and I did some digging...
> I don't think we have other alternatives. My concern here is: would that imply that we're unable to detect duplicates on these other secondary packages? It would make it...
I've confirmed the bug. Running with no group and `-vvv`, we see: ``` [0000] TRACE fetched affected package record distro=debian@12 duration=5.234583ms pkg=package(name=wget) records=21 vulns=any ``` in the logs (package name...
https://github.com/anchore/syft/blob/9217f2099f57f1376fd4a6df62ce6c68d105d0cd/syft/format/internal/cyclonedxutil/helpers/component.go#L195 should probably not run for dpkgs, and there are probably other things missing in the switch statement there. We should probably refactor this so that populating the metadata and...