8000 Dotnet-Portable-Executable-Cataloger uses wrong component version for dotnet runtime libraries · Issue #3282 · anchore/syft · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content
Dotnet-Portable-Executable-Cataloger uses wrong component version for dotnet runtime libraries #3282
New issue
New issue
Closed
#3768
Closed
Dotnet-Portable-Executable-Cataloger uses wrong component version for dotnet runtime libraries#3282
#3768
Assignees
wagoodman
Labels
bugSomething isn't workingecosystem:dotnetrelating to the .NET / nuget ecosystem
@AndreasAndoerfer

Description

@AndreasAndoerfer
AndreasAndoerfer
opened on Sep 26, 2024

What happened:

When executing syft to analyse a docker image with a dotnet application it is generating component entries with the file version of the dll and not the assembly version.
This causes a wrong cpe.

In my example it is the .net 8.0 System.Security.Cryptography.Xml.dll
Nuget

Output of syft:
grafik

The library is just one example. This problem exist for all runtime libraries because the file version does not match the assembly- / runtime-version!

What you expected to happen:
I would expect to have the same version displayed in nuget and in the *.deps.json file of the project:

*.deps.json:
grafik

Output of syft with dotnet-deps-cataloger:
grafik

Steps to reproduce the issue:

  • create a docker image with an dotnet web application
  • run syft on the docker image

Anything else we need to know?:

Environment:

  • Output of syft version: 1.12.2
  • OS (e.g: cat /etc/os-release or similar): alpine image

Metadata

Metadata

Assignees

Labels

bugSomething isn't workingecosystem:dotnetrelating to the .NET / nuget ecosystem

Type

No type

Projects

OSS

Status

Done

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions
    0