Binary copied to image omitted from SBOM

[officerNordberg]

What happened:
SBOM is missing principle binary artifact from image
https://github.com/envoyproxy/envoy/blob/release/v1.27/ci/Dockerfile-envoy

ARG ENVOY_BINARY=envoy
ARG ENVOY_BINARY_PREFIX=
COPY --from=binary --chown=0:0 --chmod=755 \
    "/usr/local/bin/${ENVOY_BINARY_PREFIX}${ENVOY_BINARY}" /usr/local/bin/envoy

What you expected to happen:

NAME                 VERSION                       TYPE
adduser              3.118ubuntu2                  deb
apt                  2.0.10                        deb
base-files           11ubuntu5.8                   deb
base-passwd          3.5.47                        deb
bash                 5.0-6ubuntu1.2                deb
bash                 5.0.17                        binary
...
envoy                 1.27.5                        binary

Steps to reproduce the issue:
syft scan --from registry envoyproxy/envoy:v1.27-latest

Environment:

• syft 1.3.0
• OS: attempted on macOS and Centos

[tgerla]

Hi @officerNordberg, thanks for the report! It doesn't look as though Syft currently knows anything about Envoy binaries. Syft's binary cataloger needs to know how to match each individual app: https://github.com/anchore/syft/blob/main/syft/pkg/cataloger/binary/classifiers.go

If you're interested in adding support for envoy detection, please let us know and we can help get started, otherwise I will move this into our backlog for future consideration. Thanks!

[officerNordberg]

@tgerla I'm your reluctant huckleberry. Sure, where do I start?

[tgerla]

Great! First please take a quick look at our contributor's guide: https://github.com/anchore/syft/blob/main/CONTRIBUTING.md and our developer's guide: https://github.com/anchore/syft/blob/main/DEVELOPING.md -- you will probably want to make sure you can run Syft out of a checkout like step 4 in DEVELOPING.md.

From there, you will add a new classifier to the list here: https://github.com/anchore/syft/blob/main/syft/pkg/cataloger/binary/classifiers.go

You will need to determine a file glob and "EvidenceMatcher" which is basically a regular expression designed to reliably identify the binary artifact you're classifying. It's often helpful to run "strings" on your binary and look for possible fragments of plain text that you can match against. You can take a look at some of the other classifiers to get an idea of what to look for.

If you want, please feel free to join our Slack (https://get.anchore.com/join-anchore-community/) and post to the #syft-help channel and we will be happy to help you through the process.

Thank you for giving it a shot! Much appreciated.

[wagoodman]

There are two approaches to getting arbitrary binaries detected by syft:

• as @tgerla mentioned, adding the right regex to syft for the binary cataloger to pick up on it. We have a good readme just for how to add these regexes. This is great in circumstances where you don't have control over the build of the artifact you want detected and the binary has sufficient data to pick up on.
• another approach that is more suited if you do control the build would be to add a JSON payload as a .note.package ELF section. Syft recently added support to pick up on such payloads with further enhancements inbound. It looks like there are already bazel rules in envoy that add ELF notes, another rule could be added during the release to include name and version information.