fix: snap cataloger incorrectly identifies snap container as deb package#4500

Merged: kzantow merged 2 commits into anchore:main from popey:improve-snap-cataloger, Jan 30, 2026

Conversation

@popey (Contributor) commented Dec 24, 2025

The parseSnapYaml function was creating a DebPkg entry from meta/snap.yaml, which describes the snap container itself, not a debian package inside.

This caused snaps like emacs (built from source) to incorrectly appear as debian packages in the SBOM output.

Changes:

  • parseSnapYaml now returns an empty package list (snap.yaml is container metadata, not package info)
  • Actual packages inside snaps are still correctly identified by other parsers (manifest.yaml for primed-stage-packages) and catalogers (binary cataloger for binaries)
  • Moved readAll() usage to io.ReadAll() in parse_kernel_changelog.go

Type of change

  • Bug fix (non-breaking change which fixes an issue)

Checklist

  • I have tested my code in common scenarios and confirmed there are no regressions
  • I have added comments to my code, particularly in hard-to-understand sections

Issue references

Fixes #4486

🤖 Generated with Claude Code (with the kindly guiding hands of @popey)
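As an added illustration (not syft's code and not part of this PR), the constructed Go sketch below contrasts the pre-fix and fixed handling of meta/snap.yaml and shows where the Debian packages inside a snap really come from. DebPkg, topLevelValue, parseSnapYamlBefore and parseSystemManifest are stand-in names, the YAML handling is a deliberately minimal line parser for the sample inputs only, and both sample files are constructed.

```go
package main

import "strings"

// DebPkg stands in for the Debian package record the cataloger emits.
type DebPkg struct{ Name, Version string }

// topLevelValue reads a top-level "key: value" line (constructed helper, not a YAML parser).
func topLevelValue(content, key string) string {
	for _, line := range strings.Split(content, "\n") {
		if strings.HasPrefix(line, key+": ") {
			return strings.Trim(strings.TrimPrefix(line, key+": "), `"`)
		}
	}
	return ""
}

// parseSnapYamlBefore models the pre-fix bug: the snap's own name/version became a DebPkg.
func parseSnapYamlBefore(content string) []DebPkg {
	return []DebPkg{{topLevelValue(content, "name"), topLevelValue(content, "version")}}
}

// parseSnapYaml models the fix: snap.yaml is container metadata, so no packages.
func parseSnapYaml(_ string) []DebPkg { return nil }

// parseSystemManifest reads "name=version" entries from primed-stage-packages in a
// snapcraft manifest.yaml: these are the Debian packages genuinely inside the snap.
func parseSystemManifest(content string) []DebPkg {
	var pkgs []DebPkg
	inList := false
	for _, line := range strings.Split(content, "\n") {
		t := strings.TrimSpace(line)
		switch {
		case t == "primed-stage-packages:":
			inList = true
		case inList && strings.HasPrefix(t, "- "):
			name, ver, _ := strings.Cut(strings.TrimPrefix(t, "- "), "=")
			pkgs = append(pkgs, DebPkg{name, ver})
		case inList && t != "":
			inList = false // the next top-level key closes the list
		}
	}
	return pkgs
}

// Constructed samples: meta/snap.yaml of a source-built snap, and a manifest.yaml.
const snapYAML = "name: emacs\nversion: \"29.1\"\nsummary: GNU Emacs\n"
const manifestYAML = "name: foo\nprimed-stage-packages:\n- libc6=2.35-0ubuntu3\n- libgcc-s1=12.1.0-2ubuntu1\nbuild-packages: []\n"
```

With the sample inputs, parseSnapYamlBefore(snapYAML) yields the spurious "emacs 29.1" Debian entry the issue describes, parseSnapYaml(snapYAML) yields nothing, and parseSystemManifest(manifestYAML) yields the two staged packages.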

The parseSnapYaml function was creating a DebPkg entry from meta/snap.yaml,
which describes the snap container itself, not a debian package inside.

This caused snaps like emacs (built from source) to incorrectly appear as
debian packages in the SBOM output.

Changes:
- parseSnapYaml now returns an empty package list (snap.yaml is container
  metadata, not package info)
- Actual packages inside snaps are still correctly identified by other
  parsers (manifest.yaml for primed-stage-packages) and catalogers
  (binary cataloger for binaries)
- Moved readAll() usage to io.ReadAll() in parse_kernel_changelog.go

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
Signed-off-by: Alan Pope <[email protected]>
// the actual contents (binaries, debs) are cataloged by their respective
// catalogers (binary cataloger for binaries built from source, and other snap
// parsers like parse_system_manifest.go for debian packages from primed-stage-packages).
func parseSnapYaml(_ context.Context, _ file.Resolver, _ *generic.Environment, _ file.LocationReadCloser) ([]pkg.Package, []artifact.Relationship, error) {
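Review bot: every parameter of parseSnapYaml is now discarded and the comment says the function produces nothing, so it is a no-op that is still handed each matched meta/snap.yaml as an opened file.LocationReadCloser; either drop the parser together with its registration and test, or have the comment state why an empty parser must remain registered for that path.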
@kzantow (Contributor) commented Dec 24, 2025
I don't see any reason to keep the function here or the related test, since we are not changing any configurable or API-level behavior, only removing this erroneous portion of the lookup. We might as well just remove the parse function and related things, since it's not exported and the cataloger will continue to function properly with removal. Note: you will probably need to update the capabilities.yaml.

@spiffcs spiffcs self-assigned this Jan 29, 2026
@kzantow (Contributor) left a comment

Thanks for getting this one cleaned up @spiffcs !

@kzantow kzantow merged commit 0bca34f into anchore:main Jan 30, 2026
10 checks passed
spiffcs added a commit to patrickpichler/syft that referenced this pull request Jan 30, 2026
* main: (114 commits)
  fix: lookup alternate scheme on url->licenseID (anchore#4588)
  chore(deps): bump the go-minor-patch group with 2 updates (anchore#4583)
  feat: add Qt6 binary detection (anchore#4550)
  chore(deps): bump the actions-minor-patch group across 1 directory with 2 updates (anchore#4584)
  fix: snap cataloger incorrectly identifies snap container as deb package (anchore#4500)
  chore(deps): update tools to latest versions (anchore#4577)
  fix: update mixed case dependencies in python to be normalized (anchore#4573)
  chore(deps): update anchore dependencies (anchore#4575)
  chore(deps): update tools to latest versions (anchore#4570)
  feat: detect Debian version from /etc/debian_version (anchore#4569)
  fix: correctly report supporting evidence for binary packages (anchore#4558)
  chore(deps): bump the actions-minor-patch group across 2 directories with 3 updates (anchore#4568)
  chore(deps): bump the go-minor-patch group with 6 updates (anchore#4567)
  chore(deps): update tools to latest versions (anchore#4565)
  chore(deps): bump github.com/spdx/tools-golang (anchore#4557)
  ci: enable zizmor to fail PRs (anchore#4556)
  Chore new slack action (anchore#4553)
  chore(deps): update anchore dependencies (anchore#4552)
  chore(deps): update tools to latest versions (anchore#4551)
  chore(deps): update tools to latest versions (anchore#4545)
  ...

Signed-off-by: Christopher Phillips <[email protected]>

Development

Successfully merging this pull request may close these issues.

bug: Syft mis-identifies binary as deb inside a snap

3 participants