ELF note cataloger does not pick up OS field, but should

[xnox]

What would you like to be added:

ELF note cataloger picks up the package name, and package type, but not the OS distro vendor

Why is this needed:

Without picking up OS distro vendor, there is not automatic matching to the vendor remediation feeds to provide "Fixed In" values when scanning syft json with grype

Additional context:

In Wolfi, I have this elf note:

# readelf --notes ./lib/python3.13/site-packages/cryptography.libs/libcrypto-b943a01c.so.3 
Displaying notes found in: .note.package
  Owner                Data size 	Description
  FDO                  0x0000005c	FDO_PACKAGING_METADATA
    Packaging Metadata: {"type":"apk","os":"wolfi","name":"openssl","version":"3.6.0-r0","architecture":"x86_64"}

The current syft PURL generated for this apk is:

pkg:apk/openssl@3.6.0-r0

But ideally it should be

pkg:apk/wolfi/openssl@3.6.0-r0

Or well whatever the "os" field is, ditto for example for Fedora, CentOS, RHEL, AmazonLinux 2023 all of which have similar ELF build notes too.

[kzantow]

This looks like a good enhancement, to me. It looks like it would be simple to add here. We have had a number of requests for different information in the notes, how standardized is this? would simply storing a purl be better than this bespoke JSON? Or a "full" SBOM, SPDX or otherwise? If I think of the things that should be raised about a binary, there are a lot more than just the package name that could be useful: the first of which that comes to my mind is what it is composed of: did someone embed openssl from source? that would be a great thing to know, for example.

[xnox]

FDO_PACKAGING_METADATA is a standard https://systemd.io/PACKAGE_METADATA_FOR_EXECUTABLE_FILES/

I think it is in the process of being relicensed and rehomed to uapi group.

Many fields are optional, and some distros choose slightly different set of fields to present.

But some of the interesting ones to syft / grype is the OS field, as well as os CPE and the app CPE for matching vulnerabilities.

[VictorHuu]

Hi @xnox ,did you know some binaries containing appCpe entry? like an image built from chainguard/wolfi? I'm currently writing the related test cases

[xnox]

@VictorHuu

# readelf --notes /usr/bin/strip 

Displaying notes found in: .note.package
  Owner                Data size 	Description
  FDO                  0x00000090	FDO_PACKAGING_METADATA
    Packaging Metadata: {"type":"apk","os":"wolfi","name":"binutils","version":"2.46-r0","architecture":"x86_64","appCpe":"cpe:2.3:a:gnu:binutils:2.46:*:*:*:*:*:*:*"}

It is in the binutils package in Wolfi and Chainguard OS and can be fetched at https://packages.wolfi.dev/os/x86_64/binutils-2.46-r0.apk