
xeol fails to identify php?

Open kosztyua opened this issue 9 months ago • 0 comments

What happened: Running latest (0.10.8) with current db (2025-03-21 00:00:45.663187 +0000 UTC) against an SBOM (generated with syft as cyclonedx-json) that contains generic PHP, but with a universal CPE identifier. Xeol does not find this, even though it is in the endoflife.date tables https://github.com/endoflife-date/endoflife.date/blob/master/products/php.md?plain=1#L18

```json
    {
        "bom-ref": "pkg:generic/php-cli@8.2.7?package-id=ba2d3ee5349f3d9b",
        "cpe": "cpe:2.3:a:php:php:8.2.7:*:*:*:*:*:*:*",
        "name": "php-cli",
        "properties": [
            {
                "name": "syft:package:foundBy",
                "value": "binary-classifier-cataloger"
            },
            {
                "name": "syft:package:type",
                "value": "binary"
            },
            {
                "name": "syft:package:metadataType",
                "value": "binary-signature"
            },
            {
                "name": "syft:location:0:layerID",
                "value": "sha256:59fd45b8638204bbb06b0ff009e56fdd5303d91aed77578552677dd03f312fa5"
            },
            {
                "name": "syft:location:0:path",
                "value": "/usr/local/bin/php"
            }
        ],
        "purl": "pkg:generic/php-cli@8.2.7",
        "type": "application",
        "version": "8.2.7"
    },
    {
        "bom-ref": "pkg:generic/php-fpm@8.2.7?package-id=9e2275063aa27200",
        "cpe": "cpe:2.3:a:php:php:8.2.7:*:*:*:*:*:*:*",
        "name": "php-fpm",
        "properties": [
            {
                "name": "syft:package:foundBy",
                "value": "binary-classifier-cataloger"
            },
            {
                "name": "syft:package:type",
                "value": "binary"
            },
            {
                "name": "syft:package:metadataType",
                "value": "binary-signature"
            },
            {
                "name": "syft:location:0:layerID",
                "value": "sha256:59fd45b8638204bbb06b0ff009e56fdd5303d91aed77578552677dd03f312fa5"
            },
            {
                "name": "syft:location:0:path",
                "value": "/usr/local/sbin/php-fpm"
            }
        ],
        "purl": "pkg:generic/php-fpm@8.2.7",
        "type": "application",
        "version": "8.2.7"
    },
```

What you expected to happen: I would expect Xeol to identify PHP based on the CPE identifier.

How to reproduce it (as minimally and precisely as possible): I can share an SBOM if needed

Anything else we need to know?: This probably relates to my other ticket at https://github.com/xeol-io/xeol/issues/361, but that was handled as a Maven-specific case; this is probably a more generic issue now.

I have submitted a PR to endoflife.date to also include the purl identifier to see what happens when xeol database is rebuilt.

Environment:

  • Output of xeol version: 0.10.8
  • OS (e.g: cat /etc/os-release or similar): Ubuntu 22.04.5 LTS

kosztyua avatar Mar 21 '25 18:03 kosztyua
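The behaviour the reporter expects, CPE-based EOL matching for components whose purl is only `pkg:generic/...`, as an added, self-contained illustration that is not xeol's own code. It parses CycloneDX components, splits the CPE 2.3 string into vendor/product/version, and looks the vendor:product pair up in a stand-in for an endoflife.date product table. The SBOM excerpt mirrors the issue's two PHP binaries (plus one component without a CPE); the EOL table layout and its dates are constructed placeholders, not the real PHP schedule.

```python
import json
from datetime import date

# Constructed excerpt modelled on the SBOM in the issue: two generic PHP
# binaries that carry a CPE but only a pkg:generic purl, plus one component
# with no CPE at all (it must be skipped, not crash the matcher).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "php-cli", "version": "8.2.7", "type": "application",
     "purl": "pkg:generic/php-cli@8.2.7",
     "cpe": "cpe:2.3:a:php:php:8.2.7:*:*:*:*:*:*:*"},
    {"name": "php-fpm", "version": "8.2.7", "type": "application",
     "purl": "pkg:generic/php-fpm@8.2.7",
     "cpe": "cpe:2.3:a:php:php:8.2.7:*:*:*:*:*:*:*"},
    {"name": "curl", "version": "7.88.1", "type": "application",
     "purl": "pkg:generic/curl@7.88.1"}
  ]
}
"""

# Constructed stand-in for an endoflife.date product entry (assumed layout):
# keyed by the vendor:product pair of the product's CPE identifier, each
# release cycle mapped to the date support ends. Dates are placeholders.
EOL_TABLE = {
    "php:php": {
        "8.1": date(2025, 12, 31),
        "8.2": date(2026, 12, 31),
        "8.3": date(2027, 12, 31),
    },
}


def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into named fields; None if malformed.

    A plain split is enough for the SBOM above; strings with escaped colons
    (\\:) inside a field would need a real CPE tokenizer.
    """
    fields = cpe.split(":")
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        return None
    return {
        "part": fields[2],
        "vendor": fields[3],
        "product": fields[4],
        "version": fields[5],
    }


def cycle_for(version, cycles):
    """Pick the release cycle whose label prefixes the version (longest wins)."""
    best = None
    for cycle in cycles:
        if version == cycle or version.startswith(cycle + "."):
            if best is None or len(cycle) > len(best):
                best = cycle
    return best


def eol_by_cpe(sbom_json, table, today):
    """Return one finding per component whose CPE maps to a known cycle."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        cpe = parse_cpe23(comp.get("cpe", ""))
        if cpe is None:
            continue  # no usable CPE: nothing to match on
        cycles = table.get(f"{cpe['vendor']}:{cpe['product']}")
        if not cycles:
            continue  # product not tracked in the table
        cycle = cycle_for(cpe["version"], cycles)
        if cycle is None:
            continue  # version outside every listed cycle
        eol = cycles[cycle]
        findings.append({
            "name": comp["name"],
            "cycle": cycle,
            "eol": eol.isoformat(),
            "is_eol": today >= eol,
        })
    return findings


if __name__ == "__main__":
    for f in eol_by_cpe(SBOM_JSON, EOL_TABLE, date(2025, 3, 21)):
        print(f)
```

Run on the date of the issue both PHP components are reported with cycle 8.2 and `is_eol` false; the same call with a date past the placeholder EOL flips `is_eol` to true, and the CPE-less curl entry never appears. The point for a scanner is that matching has two independent keys, purl and CPE, and a component reachable by only one of them must still be found.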