
Qt6 binary detection#4550

Merged
spiffcs merged 6 commits into anchore:main from rezmoss:qt6-binary-detection
Jan 30, 2026

Conversation

@rezmoss
Contributor

@rezmoss rezmoss commented Jan 13, 2026

Description

Qt6 binary detection fixed #4467

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (please discuss with the team first; Syft is 1.0 software and we won't accept breaking changes without going to 2.0)
  • Documentation (updates the documentation)
  • Chore (improve the developer experience, fix a test flake, etc, without changing the visible behavior of Syft)
  • Performance (make Syft run faster or use less memory, without changing visible behavior much)

Checklist

  • I have added unit tests that cover changed behavior
  • I have tested my code in common scenarios and confirmed there are no regressions
  • I have added comments to my code, particularly in hard-to-understand sections

Issue references

@misery

misery commented Jan 14, 2026

Thanks for the PR!
I created a report on Qt bug tracker. Seems that the cpe needs to be adjusted for different libraries.
https://qt-project.atlassian.net/issues/?selectedIssue=QTBUG-142724

If you look into the SBOMs of Qt they have different cpe for their files.

PackageName: qtbase
ExternalRef: SECURITY cpe23Type cpe:2.3:a:qt:qtbase:6.10.1:*:*:*:*:*:*:*

PackageName: qtconnectivity
ExternalRef: SECURITY cpe23Type cpe:2.3:a:qt:qtconnectivity:6.10.1:*:*:*:*:*:*:*

PackageName: qtsvg
ExternalRef: SECURITY cpe23Type cpe:2.3:a:qt:qtsvg:6.10.1:*:*:*:*:*:*:*

PackageName: qttools
ExternalRef: SECURITY cpe23Type cpe:2.3:a:qt:qttools:6.10.1:*:*:*:*:*:*:*

PackageName: qtwebsockets
ExternalRef: SECURITY cpe23Type cpe:2.3:a:qt:qtwebsockets:6.10.1:*:*:*:*:*:*:*

PackageName: qtscxml
ExternalRef: SECURITY cpe23Type cpe:2.3:a:qt:qtscxml:6.10.1:*:*:*:*:*:*:*

PackageName: qtshadertools
ExternalRef: SECURITY cpe23Type cpe:2.3:a:qt:qtshadertools:6.10.1:*:*:*:*:*:*:*

PackageName: qtimageformats
ExternalRef: SECURITY cpe23Type cpe:2.3:a:qt:qtimageformats:6.10.1:*:*:*:*:*:*:*

PackageName: qttranslations
ExternalRef: SECURITY cpe23Type cpe:2.3:a:qt:qttranslations:6.10.1:*:*:*:*:*:*:*

PackageName: qtdeclarative
ExternalRef: SECURITY cpe23Type cpe:2.3:a:qt:qtdeclarative:6.10.1:*:*:*:*:*:*:*

@rezmoss
Contributor Author

rezmoss commented Jan 14, 2026

good catch, just updated the PR to emit the right cpe, qtbase for libqtcore & sim

@kzantow
Contributor

kzantow commented Jan 15, 2026

I'm a little confused what the right thing to use for the CPE is -- all of the NVD records referenced in the JIRA issue seem to have qt:qt, don't they? It looks like most of the records on NVD are qt:qt, so we should probably at least have that CPE, maybe multiple, I would think.

kzantow pushed a commit to kzantow-anchore/syft that referenced this pull request Jan 16, 2026
* fixed anchore#4550, catalog mongodb bin

Signed-off-by: Rez Moss <hi@rezmoss.com>

* fixed anchore#4550, catalog mongodb bin

Signed-off-by: Rez Moss <hi@rezmoss.com>

---------

Signed-off-by: Rez Moss <hi@rezmoss.com>
@alcroito

Hi, I work on Qt.

Personally, I think the main CPE to add is qt:qt.

Older Qt versions had some vulnerabilities reported against repo specific CPEs, e.g. qt:qtbase in

https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&orderBy=CPEURI&keyword=cpe%3A2.3%3Aa%3Aqt%3Aqtbase&status=FINAL&startIndex=100

If that's not much work, the repo-specific ones should be added as well.

@rezmoss
Contributor Author

rezmoss commented Jan 19, 2026

cool, cpe:2.3:a:qt:qt goes as main one, qt:qtbase stays secondary
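The CPE handling the thread converges on (umbrella qt:qt first, repo-specific CPE such as qt:qtbase second), as an added example that is not part of the PR or of Syft's code. It parses the SPDX tag-value lines quoted above, splits the CPE 2.3 string into its named fields, and builds the ordered candidate list; the SBOM excerpt is constructed from the lines in the thread, and applying the same ordering to every Qt module (not only qtbase) is an assumption of this example.

```python
import re

# Constructed SPDX tag-value excerpt, modelled on the Qt SBOM lines quoted in the thread.
SBOM_EXCERPT = """\
PackageName: qtbase
ExternalRef: SECURITY cpe23Type cpe:2.3:a:qt:qtbase:6.10.1:*:*:*:*:*:*:*

PackageName: qtsvg
ExternalRef: SECURITY cpe23Type cpe:2.3:a:qt:qtsvg:6.10.1:*:*:*:*:*:*:*
"""

# The 11 fields of a CPE 2.3 formatted string, in order.
CPE23_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other")


def split_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 string into named fields; a '\\:' inside a field is not a separator."""
    if not cpe.startswith("cpe:2.3:"):
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    fields = re.split(r"(?<!\\):", cpe[len("cpe:2.3:"):])
    if len(fields) != len(CPE23_FIELDS):
        raise ValueError(f"expected 11 fields, got {len(fields)}: {cpe}")
    return dict(zip(CPE23_FIELDS, fields))


def parse_sbom_cpes(text: str) -> dict:
    """Map each PackageName to the CPE strings declared on its cpe23Type ExternalRefs."""
    result, current = {}, None
    for line in text.splitlines():
        if line.startswith("PackageName:"):
            current = line.split(":", 1)[1].strip()
            result.setdefault(current, [])
        elif line.startswith("ExternalRef:") and current is not None:
            parts = line.split(None, 3)  # ExternalRef: SECURITY cpe23Type <cpe>
            if len(parts) == 4 and parts[1] == "SECURITY" and parts[2] == "cpe23Type":
                result[current].append(parts[3].strip())
    return result


def qt_cpe_candidates(repo_cpe: str) -> list:
    """Order CPEs as the thread settled on: umbrella qt:qt first, repo-specific one second."""
    fields = split_cpe23(repo_cpe)
    umbrella = dict(fields, product="qt")  # same vendor/version, product collapsed to "qt"
    return ["cpe:2.3:" + ":".join(d[k] for k in CPE23_FIELDS) for d in (umbrella, fields)]


def candidates_for_sbom(text: str) -> dict:
    """For every module in the SBOM excerpt, the ordered CPE list a scanner should match on."""
    return {name: qt_cpe_candidates(cpes[0]) for name, cpes in parse_sbom_cpes(text).items() if cpes}
```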

@spiffcs spiffcs self-assigned this Jan 29, 2026
@spiffcs
Contributor

spiffcs commented Jan 30, 2026

I'm going to get the snippets added to https://github.com/anchore/syft/blob/main/syft/pkg/cataloger/binary/test-fixtures/config.yaml. After that this should be 🟢

@spiffcs spiffcs enabled auto-merge (squash) January 30, 2026 15:33
@spiffcs spiffcs merged commit 94c8088 into anchore:main Jan 30, 2026
10 checks passed
spiffcs added a commit to patrickpichler/syft that referenced this pull request Jan 30, 2026
* main: (114 commits)
  fix: lookup alternate scheme on url->licenseID (anchore#4588)
  chore(deps): bump the go-minor-patch group with 2 updates (anchore#4583)
  feat: add Qt6 binary detection (anchore#4550)
  chore(deps): bump the actions-minor-patch group across 1 directory with 2 updates (anchore#4584)
  fix: snap cataloger incorrectly identifies snap container as deb package (anchore#4500)
  chore(deps): update tools to latest versions (anchore#4577)
  fix: update mixed case dependencies in python to be normalized (anchore#4573)
  chore(deps): update anchore dependencies (anchore#4575)
  chore(deps): update tools to latest versions (anchore#4570)
  feat: detect Debian version from /etc/debian_version (anchore#4569)
  fix: correctly report supporting evidence for binary packages (anchore#4558)
  chore(deps): bump the actions-minor-patch group across 2 directories with 3 updates (anchore#4568)
  chore(deps): bump the go-minor-patch group with 6 updates (anchore#4567)
  chore(deps): update tools to latest versions (anchore#4565)
  chore(deps): bump github.com/spdx/tools-golang (anchore#4557)
  ci: enable zizmor to fail PRs (anchore#4556)
  Chore new slack action (anchore#4553)
  chore(deps): update anchore dependencies (anchore#4552)
  chore(deps): update tools to latest versions (anchore#4551)
  chore(deps): update tools to latest versions (anchore#4545)
  ...

Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>

Development

Successfully merging this pull request may close these issues.

Cannot detect installation of Qt6
