old bitnami images without spdx files arent getting picked up correctly in the catalog

[rezmoss]

What happened:

the cataloger relies on spdx files, so when older bitnami images don’t have them, it skips over their packages and misses possible vulnerabilities

e.g

https://hub.docker.com/r/bitnamilegacy/mongodb/tags?name=4.4.11

What you expected to happen:

Steps to reproduce the issue:

Anything else we need to know?:

Environment:

• Output of syft version: latest 1.39.0
• OS (e.g: cat /etc/os-release or similar):

[kzantow]

I think depending on the image, we still pick up some of the binaries, is that right? I'm not entirely sure what else we could do here -- happy for any suggestions!

[rezmoss]

@kzantow not sure about all images yet but from what I’ve seen with older bitnami ones, that doesnt seem to happen, legacy mongodb img like bitnamilegacy/mongodb:4.4.11 dont detect mongodb at all, not with spdx or bin scanning, so the main pkg is skipped, which is why the issue came up looking into the package layout in these older bitnami imgs
trying to understand why bin detection/bitnami not working will follow up with a fix/idea soon

[rezmoss]

@kzantow found out older bitnami images include a .bitnami_components.json file to track installed software and pkgs,updated the bitnami cataloger to handle legacy imgs by adding support for more file types and package discovery

before

after