Description
This is a redo of Grype issue 3122, which was thoroughly discussed in the latest live stream.
What happened:
Syft is identifying a binary as a deb, which actually didn't come from a Debian package. This results in Grype (when instructed via --distro ubuntu:24.04) trying to match the deb with something from the Ubuntu security feed. This is incorrect behaviour, given the binary didn't come from, and is
What you expected to happen:
Syft should be clear when a binary originated from a deb, and when it's not identified as such, and can be reported as just a "binary".
Steps to reproduce the issue:
$ syft snap:emacs | grep emacs
emacs 30.2 deb
emacsen-common 3.0.5 deb
In this case, syft is incorrect, as the binary in this snap did not originate from a deb at all.
Syft should mark this as a binary type.
Anything else we need to know?:
Snaps are squashfs files that are mounted on the target computer without being "unpacked" into the filesystem. They can contain anything, including files that originated from a deb in the Ubuntu repository, but are not limited to those types of files. A snap could also contain a binary built on the developer's workstation, in the cloud, or random binaries "wgot" from the web.
There are numerous potential yaml files which may describe the snap contents, but also, they might not be there at all.
Consider that someone can craft a snap file with a simple snap.yaml and not much more. e.g.
$ snap download null
$ unsquashfs null_3.snap
$ tree squashfs_root
squashfs-root/
├── bin
│   └── bash
└── meta
    └── snap.yaml
$ cat squashfs-root/bin/bash
#!/bin/bash
No binaries!
In the case of the emacs snap, however, there is metadata that syft could consume and parse:
$ snap download emacs
$ unsquashfs emacs_3516.snap
$ ls -l squashfs-root/snap/*.yaml squashfs-root/meta/*.yaml
-rw-r--r-- 1 alan alan 1461 Dec 17 06:13 squashfs-root/meta/snap.yaml
-rw-r--r-- 1 alan alan 31628 Dec 17 06:13 squashfs-root/snap/manifest.yaml
-rw-r--r-- 1 alan alan 10867 Dec 17 06:13 squashfs-root/snap/snapcraft.yaml
(all attached)
The snap.yaml always exists, and is the minimum for a snap. The snapcraft.yaml is optional and is often (but not always) the file that controls the build. In this case it is, and if introspected, it reveals a part named emacs which is built from source. The manifest.yaml, also optional, is added if the snap was built in Launchpad, and contains a list of the software that is included in the snap.
Snaps are (typically) built against a base which is usually (but, as always, not always) core, core18, core20, core22, or core24, which map to Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS respectively. Meaning, at build time, they're building with/on the indicated Ubuntu release, which means they usually (might) have debs pulled from that Ubuntu release's archive.
The common case (which is true with emacs snap) is that the snap contains a binary built from upstream source, along with a pile of support libraries, many of which come from the Ubuntu archive as stage-packages specified in the snapcraft.yaml and (optionally) detailed in the manifest.yaml, along with (optionally) some other libraries which may have come from 3rd party repositories, the developer workstation, or pre-built binaries, who knows!?
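To make the distinction concrete, here is an added example (not Syft code, and not taken from the emacs snap's real files) of how the snap metadata described above could drive the package type: parts with a source are labelled "binary" with no distro, while stage-packages from snapcraft.yaml and primed-stage-packages from manifest.yaml are labelled "deb" and tied to the Ubuntu release implied by the base. The inputs are assumed to be the already-parsed YAML mappings; the sample values are constructed.

```python
# Added example, not Syft's implementation: classify snap contents from
# parsed snapcraft.yaml / manifest.yaml mappings (YAML loading is assumed
# to have happened already; only the classification logic is shown).

# base snap -> Ubuntu release it is built on (mapping stated in the issue)
BASE_TO_UBUNTU = {
    "core": "16.04", "core18": "18.04", "core20": "20.04",
    "core22": "22.04", "core24": "24.04",
}

def parse_stage_entry(entry):
    """manifest.yaml lists primed stage packages as 'name=version';
    snapcraft.yaml stage-packages are usually bare names."""
    name, sep, version = entry.partition("=")
    return name, (version if sep else None)

def classify_snap(snapcraft, manifest=None):
    """Return {name: (type, version, distro)}.

    A part with a 'source' key is built from upstream source: type
    'binary', no distro, so an Ubuntu security feed does not apply.
    Packages named as stage-packages (snapcraft.yaml) or
    primed-stage-packages (manifest.yaml) came from the archive of the
    base's Ubuntu release: type 'deb' with that distro attached.
    A snap with only a snap.yaml yields nothing; the caller must fall
    back to treating its files as plain binaries.
    """
    base = snapcraft.get("base")
    distro = f"ubuntu:{BASE_TO_UBUNTU[base]}" if base in BASE_TO_UBUNTU else None
    result = {}
    for part_name, part in snapcraft.get("parts", {}).items():
        if "source" in part:
            result[part_name] = ("binary", snapcraft.get("version"), None)
        for entry in part.get("stage-packages", []):
            name, version = parse_stage_entry(entry)
            result[name] = ("deb", version, distro)
    # manifest.yaml is more precise (it records versions), so it wins.
    for entry in (manifest or {}).get("primed-stage-packages", []):
        name, version = parse_stage_entry(entry)
        result[name] = ("deb", version, distro)
    return result

# Constructed sample, modelled on the emacs snap described in the issue.
SAMPLE_SNAPCRAFT = {
    "name": "emacs", "version": "30.2", "base": "core24",
    "parts": {"emacs": {"plugin": "autotools",
                        "source": "https://example.invalid/emacs.tar.gz",
                        "stage-packages": ["emacsen-common"]}},
}
SAMPLE_MANIFEST = {"primed-stage-packages": ["emacsen-common=3.0.5"]}
```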
Environment:
- Output of syft version:
Application: syft
Version: 1.38.2
BuildDate: 2025-12-09T21:48:47Z
GitCommit: bfe63f83dbaea88e22a5cfcd7d704c034c953730
GitDescription: v1.38.2
Platform: linux/amd64
GoVersion: go1.25.4
Compiler: gc
SchemaVersion: 16.1.0
- OS (e.g. cat /etc/os-release or similar): macOS