CPE target_sw not being set consistently for Rust crates · Issue #3956 · anchore/syft · GitHub
Description

@jayvdb

What happened:

When I use syft on binaries built with cargo-auditable, the CPEs always have a language = *.

When I use syft on the Cargo.lock or binaries built with cargo-auditable, the language is set to rust for these 25 CPEs in my project:

            <cpe>cpe:2.3:a:actix:actix-codec:0.5.2:*:*:*:*:rust:*:*</cpe>
            <cpe>cpe:2.3:a:actix:actix-http:3.10.0:*:*:*:*:rust:*:*</cpe>
            <cpe>cpe:2.3:a:actix:actix-service:2.0.3:*:*:*:*:rust:*:*</cpe>
            <cpe>cpe:2.3:a:actix:actix-utils:3.0.1:*:*:*:*:rust:*:*</cpe>
            <cpe>cpe:2.3:a:actix:actix-web:4.10.2:*:*:*:*:rust:*:*</cpe>
            <cpe>cpe:2.3:a:bzip2_project:bzip2:0.5.2:*:*:*:*:rust:*:*</cpe>
            <cpe>cpe:2.3:a:crossbeam-channel_project:crossbeam-channel:0.5.15:*:*:*:*:rust:*:*</cpe>
            <cpe>cpe:2.3:a:rust-lang:futures-task:0.3.31:*:*:*:*:rust:*:*</cpe>
            <cpe>cpe:2.3:a:generic-array_project:generic-array:0.14.7:*:*:*:*:rust:*:*</cpe>
            <cpe>cpe:2.3:a:getrandom_project:getrandom:0.2.15:*:*:*:*:rust:*:*</cpe>
            <cpe>cpe:2.3:a:getrandom_project:getrandom:0.3.2:*:*:*:*:rust:*:*</cpe>
            <cpe>cpe:2.3:a:heapless_project:heapless:0.7.17:*:*:*:*:rust:*:*</cpe>
            <cpe>cpe:2.3:a:lock_api_project:lock_api:0.4.12:*:*:*:*:rust:*:*</cpe>
            <cpe>cpe:2.3:a:dimforge:nalgebra:0.32.6:*:*:*:*:rust:*:*</cpe>
            <cpe>cpe:2.3:a:nix_project:nix:0.23.2:*:*:*:*:rust:*:*</cpe>
            <cpe>cpe:2.3:a:rand_core_project:rand_core:0.6.4:*:*:*:*:rust:*:*</cpe>
            <cpe>cpe:2.3:a:rand_core_project:rand_core:0.9.3:*:*:*:*:rust:*:*</cpe>
            <cpe>cpe:2.3:a:rusqlite_project:rusqlite:0.34.0:*:*:*:*:rust:*:*</cpe>
            <cpe>cpe:2.3:a:sha2_project:sha2:0.10.8:*:*:*:*:rust:*:*</cpe>
            <cpe>cpe:2.3:a:servo:smallvec:1.14.0:*:*:*:*:rust:*:*</cpe>
            <cpe>cpe:2.3:a:tar_project:tar:0.4.44:*:*:*:*:rust:*:*</cpe>
            <cpe>cpe:2.3:a:tokio:tokio:1.44.2:*:*:*:*:rust:*:*</cpe>
            <cpe>cpe:2.3:a:tokio:tokio-rustls:0.24.1:*:*:*:*:rust:*:*</cpe>
            <cpe>cpe:2.3:a:tokio:tokio-rustls:0.26.2:*:*:*:*:rust:*:*</cpe>
            <cpe>cpe:2.3:a:zeroize_derive_project:zeroize_derive:1.4.2:*:*:*:*:rust:*:*</cpe>

but is set to * for 952 other entries in the lock file, such as these:

            <cpe>cpe:2.3:a:ab-glyph:ab-glyph:0.2.29:*:*:*:*:*:*:*</cpe>
            <cpe>cpe:2.3:a:ab-glyph-rasterizer:ab-glyph-rasterizer:0.1.8:*:*:*:*:*:*:*</cpe>
            <cpe>cpe:2.3:a:actix-cors:actix-cors:0.7.1:*:*:*:*:*:*:*</cpe>
            <cpe>cpe:2.3:a:actix-files:actix-files:0.6.6:*:*:*:*:*:*:*</cpe>
            <cpe>cpe:2.3:a:actix-http-test:actix-http-test:3.2.0:*:*:*:*:*:*:*</cpe>
            <cpe>cpe:2.3:a:actix-macros:actix-macros:0.2.4:*:*:*:*:*:*:*</cpe>
            <cpe>cpe:2.3:a:actix-multipart:actix-multipart:0.6.2:*:*:*:*:*:*:*</cpe>
            <cpe>cpe:2.3:a:actix-multipart:actix-multipart:0.7.2:*:*:*:*:*:*:*</cpe>
            <cpe>cpe:2.3:a:actix-multipart-derive:actix-multipart-derive:0.6.1:*:*:*:*:*:*:*</cpe>
            <cpe>cpe:2.3:a:actix-multipart-derive:actix-multipart-derive:0.7.0:*:*:*:*:*:*:*</cpe>
            <cpe>cpe:2.3:a:actix-router:actix-router:0.5.3:*:*:*:*:*:*:*</cpe>
            <cpe>cpe:2.3:a:actix-rt:actix-rt:2.10.0:*:*:*:*:*:*:*</cpe>
            <cpe>cpe:2.3:a:actix-server:actix-server:2.5.1:*:*:*:*:*:*:*</cpe>
            <cpe>cpe:2.3:a:actix-session:actix-session:0.10.1:*:*:*:*:*:*:*</cpe>
            <cpe>cpe:2.3:a:actix-test:actix-test:0.1.5:*:*:*:*:*:*:*</cpe>
            <cpe>cpe:2.3:a:actix-tls:actix-tls:3.4.0:*:*:*:*:*:*:*</cpe>
            <cpe>cpe:2.3:a:actix-web-codegen:actix-web-codegen:4.3.0:*:*:*:*:*:*:*</cpe>
            <cpe>cpe:2.3:a:actix-web-httpauth:actix-web-httpauth:0.8.2:*:*:*:*:*:*:*</cpe>
            <cpe>cpe:2.3:a:actix-web-thiserror:actix-web-thiserror:0.2.7:*:*:*:*:*:*:*</cpe>
            <cpe>cpe:2.3:a:actix-web-thiserror-derive:actix-web-thiserror-derive:0.2.7:*:*:*:*:*:*:*</cpe>
            <cpe>cpe:2.3:a:addr2line:addr2line:0.24.2:*:*:*:*:*:*:*</cpe>
...

i.e. only 2% have the correct language for my project.

What you expected to happen:

All SBOM entries about Rust crates should have CPE language correctly set.

Steps to reproduce the issue:

% cargo new syft-test
% cd syft-test
syft-test % cargo add actix-web
syft-test % syft scan -o cyclonedx Cargo.lock > lock.xml
...
syft-test % grep '<cpe.*\*:\*:\*<' lock.xml | wc -l
       1
syft-test % grep '<cpe.*rust:\*:\*<' lock.xml | wc -l
       1
syft-test % cargo auditable build
% syft scan -o cyclonedx target/debug/syft-test > bin.xml
...
syft-test % grep '<cpe.*\*:\*:\*<' bin.xml | wc -l
       1
syft-test % grep '<cpe.*rust:\*:\*<' bin.xml | wc -l
       1

Anything else we need to know?:

Environment:

  • Output of syft version:
 % syft version
Application: syft
Version:    1.26.1
BuildDate:  2025-05-22T01:28:40Z
GitCommit:  Homebrew
GitDescription: [not provided]
Platform:   darwin/arm64
GoVersion:  go1.24.3
Compiler:   gc
  • OS (e.g: cat /etc/os-release or similar):
% uname -a
Darwin ... 24.5.0 Darwin Kernel Version 24.5.0: Tue Apr 22 19:53:27 PDT 2025; root:xnu-11417.121.6~2/RELEASE_ARM64_T6041 arm64
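The value the report calls "language" sits in the target_sw position of the CPE 2.3 string (the ninth field after `cpe:2.3`). The following checker, added here and not part of the issue or of syft, reads a syft CycloneDX XML SBOM, splits each CPE into its named fields (honouring the `\:` escape), and buckets every `pkg:cargo` component by its target_sw value so the inconsistency above can be measured over a whole SBOM rather than with grep. The `SAMPLE_BOM` fragment is constructed for the example and is not real syft output.

```python
import re
import xml.etree.ElementTree as ET

# Field order of a CPE 2.3 formatted string after the "cpe:2.3" prefix.
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")

def split_cpe23(cpe):
    """Split a CPE 2.3 string into named fields; a literal colon is escaped as '\\:'."""
    parts = re.split(r"(?<!\\):", cpe.strip())
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    return dict(zip(CPE_FIELDS, parts[2:]))

def _local(tag):
    """Strip the default CycloneDX namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]

def audit_cargo_cpes(xml_text):
    """Bucket each <cpe> of a pkg:cargo component by target_sw: 'rust', '*' or other."""
    buckets = {"rust": [], "*": [], "other": []}
    for comp in ET.fromstring(xml_text).iter():
        if _local(comp.tag) != "component":
            continue
        purl = next((c.text for c in comp if _local(c.tag) == "purl"), "") or ""
        if not purl.startswith("pkg:cargo/"):
            continue  # only Rust crates are in scope; other ecosystems are skipped
        for child in comp:
            if _local(child.tag) == "cpe" and child.text:
                target_sw = split_cpe23(child.text)["target_sw"]
                key = target_sw if target_sw in buckets else "other"
                buckets[key].append((purl, child.text.strip()))
    return buckets

def rust_coverage(buckets):
    """Fraction of cargo CPEs that carry target_sw=rust (the report's 2% figure)."""
    total = sum(len(v) for v in buckets.values())
    return len(buckets["rust"]) / total if total else 0.0

# Constructed CycloneDX 1.6 fragment modelled on the report; not real syft output.
SAMPLE_BOM = """<bom xmlns="http://cyclonedx.org/schema/bom/1.6" version="1"><components>
<component type="library"><name>actix-web</name><version>4.10.2</version>
<cpe>cpe:2.3:a:actix:actix-web:4.10.2:*:*:*:*:rust:*:*</cpe><purl>pkg:cargo/actix-web@4.10.2</purl></component>
<component type="library"><name>actix-cors</name><version>0.7.1</version>
<cpe>cpe:2.3:a:actix-cors:actix-cors:0.7.1:*:*:*:*:*:*:*</cpe><purl>pkg:cargo/actix-cors@0.7.1</purl></component>
<component type="library"><name>net</name><version>0.30.0</version>
<cpe>cpe:2.3:a:golang:net:0.30.0:*:*:*:*:*:*:*</cpe><purl>pkg:golang/golang.org/x/net@0.30.0</purl></component>
</components></bom>"""
```

Feed `audit_cargo_cpes` the text of lock.xml or bin.xml from the steps above; the `"*"` bucket lists the crates whose CPE will not be matched by target_sw-qualified entries, and `rust_coverage` gives the share that are set correctly.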
