fix: correctly report supporting evidence for binary packages #4558
Merged
kzantow merged 7 commits into anchore:main, Jan 23, 2026
Conversation
Signed-off-by: Keith Zantow <kzantow@gmail.com>
kzantow commented Jan 22, 2026
t.Fatalf("locations do not match; expected: %v got: %v", expectedLocations, gotLocations)
}
}
Locations are already being tested below, in assertPackagesAreEqual 👇
kzantow commented Jan 22, 2026
Comment on lines 2012 to +2019
if len(expectedLocations) != len(gotLocations) {
failMessages = append(failMessages, "locations are not equal length")
failMessages = append(failMessages, fmt.Sprintf("locations are not equal: %v != %v", expectedLocations, gotLocations))
} else {
for i, expectedLocation := range expectedLocations {
gotLocation := gotLocations[i]
if expectedLocation.RealPath != gotLocation.RealPath {
failMessages = append(failMessages, fmt.Sprintf("locations do not match; expected: %v got: %v", expectedLocation.RealPath, gotLocation.RealPath))
for _, expectedLocation := range expectedLocations {
if !slices.ContainsFunc(gotLocations, func(gotLocation file.Location) bool {
return gotLocation.RealPath == expectedLocation.RealPath
}) {
failMessages = append(failMessages, fmt.Sprintf("location not found; expected: %v in set: %v", expectedLocation.RealPath, gotLocations))
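Review bot: the new containment loop (`for _, expectedLocation := range expectedLocations` with `slices.ContainsFunc(gotLocations, ...)`) only checks that every expected RealPath appears somewhere in `gotLocations`; combined with the length check above it still accepts inputs with duplicate paths, e.g. expected `[a, a]` against got `[a, b]`, because `a` is found twice and `b` is never examined. Consider running the same check in the reverse direction (each got location found in expected), or sorting copies of both slices by RealPath and comparing element-wise, so the assertion is a real set equality rather than a one-sided subset test.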
These locations are not sorted identically in .ToSlice(), above, due to expected differences in evidence annotations. This change just asserts the sets contain the same elements, not the same order.
spiffcs approved these changes Jan 23, 2026
spiffcs (Contributor) left a comment:
Approved with comment about a potential test typo
classifier: Classifier{
FileGlob: "**/some-binary",
EvidenceMatcher: SupportingEvidenceMatcher("../version.txt",
FileContentsVersionMatcher("cataloger-name", `(?m)my-verison:(?P<version>[0-9.]+)`)),
Contributor:
Is this a typo in the regex? my-verison vs my-version
Contributor, Author:
Sorta... a bit of a systemic typo, apparently! Fixed 👍
kzantow added a commit that referenced this pull request, Jan 26, 2026
spiffcs added a commit to patrickpichler/syft that referenced this pull request, Jan 30, 2026
* main: (114 commits)
  fix: lookup alternate scheme on url->licenseID (anchore#4588)
  chore(deps): bump the go-minor-patch group with 2 updates (anchore#4583)
  feat: add Qt6 binary detection (anchore#4550)
  chore(deps): bump the actions-minor-patch group across 1 directory with 2 updates (anchore#4584)
  fix: snap cataloger incorrectly identifies snap container as deb package (anchore#4500)
  chore(deps): update tools to latest versions (anchore#4577)
  fix: update mixed case dependencies in python to be normalized (anchore#4573)
  chore(deps): update anchore dependencies (anchore#4575)
  chore(deps): update tools to latest versions (anchore#4570)
  feat: detect Debian version from /etc/debian_version (anchore#4569)
  fix: correctly report supporting evidence for binary packages (anchore#4558)
  chore(deps): bump the actions-minor-patch group across 2 directories with 3 updates (anchore#4568)
  chore(deps): bump the go-minor-patch group with 6 updates (anchore#4567)
  chore(deps): update tools to latest versions (anchore#4565)
  chore(deps): bump github.com/spdx/tools-golang (anchore#4557)
  ci: enable zizmor to fail PRs (anchore#4556)
  Chore new slack action (anchore#4553)
  chore(deps): update anchore dependencies (anchore#4552)
  chore(deps): update tools to latest versions (anchore#4551)
  chore(deps): update tools to latest versions (anchore#4545)
  ...
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
westonsteimel added a commit to anchore/vulnerability-match-labels that referenced this pull request, Feb 2, 2026
…o longer considered
Due to the following PRs in syft, some matches which were previously TPs should now be considered FPs:
- anchore/syft#4231
- anchore/syft#4558
Signed-off-by: Weston Steimel <author@code.w.steimel.me.uk>
westonsteimel added a commit to anchore/vulnerability-match-labels that referenced this pull request, Feb 2, 2026
…o longer considered (#179)
Due to the following PRs in syft, some matches which were previously TPs should now be considered FPs:
- anchore/syft#4231
- anchore/syft#4558
Signed-off-by: Weston Steimel <author@code.w.steimel.me.uk>
Description
This PR adjusts the binary classifier to more appropriately return "supporting" evidence locations marked as such rather than being marked as "primary". This primarily affects go, ruby, and python binary classifiers, where each of these looks at files beyond the binary executable if it can't find version information in the executable directly, for example: python searches for a matching libpython and go searches for a VERSION file containing something that looks like a go version. The logic has also been tweaked slightly so a VERSION file without a go binary does not return a package.
Before this change, multiple locations would be returned all with primary evidence e.g.:
After this PR, a user may see:
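The evidence behaviour the description spells out for the go classifier, as an added stand-alone model that is not syft's code: the binary is the primary evidence location, a VERSION file is consulted only as a fallback and is then reported as supporting evidence, and a VERSION file on its own produces no package. The Location and Package types, the "go" binary name, the version regex and the path->contents input map are all assumptions made for this example.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"sort"
)

// Simplified stand-ins for syft's location/package types (assumed shapes, not
// syft's own). Evidence holds the "primary" or "supporting" annotation.
type Location struct{ RealPath, Evidence string }
type Package struct {
	Name, Version string
	Locations     []Location
}
// Assumed pattern for a Go version string such as "go1.22.3".
var goVersionRe = regexp.MustCompile(`go(\d+\.\d+(?:\.\d+)?)`)
// classifyGo models the PR's described behaviour: the go binary is primary
// evidence; a VERSION file one directory up is consulted only when the binary
// has no version and is recorded as supporting; VERSION alone yields nothing.
func classifyGo(files map[string]string) []Package {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths) // deterministic output order for the constructed input
	var pkgs []Package
	for _, path := range paths {
		if filepath.Base(path) != "go" { // assumed: the binary is named "go"
			continue
		}
		p := Package{Name: "go", Locations: []Location{{RealPath: path, Evidence: "primary"}}}
		versionPath := filepath.Join(filepath.Dir(path), "..", "VERSION")
		if m := goVersionRe.FindStringSubmatch(files[path]); m != nil {
			p.Version = m[1]
		} else if m := goVersionRe.FindStringSubmatch(files[versionPath]); m != nil {
			p.Version = m[1]
			p.Locations = append(p.Locations, Location{RealPath: versionPath, Evidence: "supporting"})
		}
		if p.Version != "" { // assumed: no version found anywhere means no package
			pkgs = append(pkgs, p)
		}
	}
	return pkgs
}

func main() { // constructed input: a go binary with no embedded version plus its VERSION file
	fmt.Printf("%+v\n", classifyGo(map[string]string{"/usr/local/go/bin/go": "\x7fELF", "/usr/local/go/VERSION": "go1.22.3"}))
}
```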