SBOM for MySQL:8.x doesn't include rpm packages #3234

Open
davidkesoshvili opened this issue Sep 16, 2024 · 5 comments
Labels
bug Something isn't working

Comments

davidkesoshvili commented Sep 16, 2024

The SBOM generated for the MySQL:8.x container does not include the RPM packages. It seems that important package information is missing.

The code for generating the SBOM:

package main

import (
	"context"

	"github.com/anchore/stereoscope"
	"github.com/anchore/stereoscope/pkg/image/oci"
	"github.com/anchore/syft/syft"
	"github.com/anchore/syft/syft/sbom"
	"github.com/anchore/syft/syft/source"
	"github.com/anchore/syft/syft/source/stereoscopesource"
)

// cfg is the CreateSBOMConfig handed to syft; as stated further down in the thread
// it is nil in this setup, so syft falls back to syft.DefaultCreateSBOMConfig().
var cfg *syft.CreateSBOMConfig

// logger.Logger is the reporter's own logging type; its package is not shown in the issue.
func analyzeImageUsingSyft(l *logger.Logger, imageId string) (source.Source, *sbom.SBOM, error) {
	// Pull the image from an OCI registry, pinned to the linux/amd64 platform.
	img, err := stereoscope.GetImageFromSource(context.Background(), imageId, oci.Registry, stereoscope.WithPlatform("linux/amd64"))
	if err != nil {
		l.Error("Could not create image source object. err: %v", err)
		return nil, nil, err
	}

	// Wrap the pulled image as a syft source. stereoscopesource.New returns no error,
	// so the original "if err != nil" after this call only re-tested the earlier err
	// and could never fire; it has been dropped.
	imageSource := stereoscopesource.New(img, stereoscopesource.ImageConfig{Reference: imageId})

	s, err := getSBOM(imageSource, true)
	if err != nil {
		l.Error("Could not get image SBOM. image: %s. err: %v", imageId, err)
		return nil, nil, err
	}
	return imageSource, &s, nil
}

// getSBOM runs the syft catalogers over the source; saveToFile is not used in this excerpt.
func getSBOM(src source.Source, saveToFile bool) (sbom.SBOM, error) {
	s, err := syft.CreateSBOM(context.Background(), src, cfg)
	if err != nil {
		return sbom.SBOM{}, err
	}
	return *s, nil
}

Other images with RPMs are getting scanned correctly, but this issue seems specific to MySQL:8.x.

Environment:

  • syft version: 1.11.1
  • OS: tested on Windows, Linux and macOS

davidkesoshvili added the "bug" label Sep 16, 2024
spiffcs (Contributor) commented Sep 23, 2024

👋 Thanks for the issue @davidkesoshvili - I tried reproducing this against an 8.x image like you specified:

Image Used

syft --platform linux/amd64 mysql:8.4
 ✔ Pulled image
 ✔ Loaded image                                                                                                                   mysql:8.4
 ✔ Parsed image                                                     sha256:f742bd39cd6b457c890bfb3761fe201d69508a68d832c0caebdb6bac3df5e60f
 ✔ Cataloged contents                                                      741ecb4ab19ec53df6ea220e10fe8cee2601d409956cef509c5386dca04cd902
   ├── ✔ Packages                        [142 packages]
   ├── ✔ File digests                    [18,608 files]
   ├── ✔ File metadata                   [18,608 locations]
   └── ✔ Executables                     [555 executables]
NAME                            VERSION                        TYPE
alternatives                    1.24-1.0.2.el9                 rpm
..........

As you can see, we are able to discover 142 packages, and a large number of them are of type rpm.

Is your image from another source?

davidkesoshvili (Author) commented:

Hi @spiffcs, thanks for the quick response.

The packages are missing only when using the Syft Go module.

Running the syft command from the command line works as expected.

kzantow (Contributor) commented Sep 24, 2024

@davidkesoshvili your code does not show where cfg is populated on this line:

s, err := syft.CreateSBOM(context.Background(), src, cfg)

Generally speaking, you should obtain this with the default configuration, syft.DefaultCreateSBOMConfig(), and configure it using the corresponding .With methods. See here for how it is further populated with defaults. If you need to configure some of the cataloging in other ways, you will similarly want to call the .Default functions to obtain default values as your starting points and again further configure them with the .With methods on those configuration objects.

davidkesoshvili (Author) commented:

Hi @kzantow,
The cfg parameter is nil, which means that it will use syft.DefaultCreateSBOMConfig() behind the scenes, right? I tried configuring it using the .With methods too, but the output is the same.

kzantow (Contributor) commented Sep 24, 2024

@davidkesoshvili ah yes, this is right -- nil should result in defaults.

A couple of suggestions: you may have better results with the syft.GetSource call. If you want to restrict this to a specific source type, like OCI registry, you can specify this in the config.

If you're getting significantly different results, I suspect it is related to the cataloger selection. Syft defaults to a different set of catalogers depending on using an image or directory scan. Perhaps look at what's happening here, though this should be the same as a default syft CLI invocation with an image... perhaps there's something else going on and these defaults are not being used?
