Getting many warnings (empty ID, unable to read golang buildinfo, bin parsing) when running grype from command line and directing stderr to file #1050

Closed
shulmda opened this issue Jan 4, 2023 · 6 comments
Labels
bug Something isn't working

Comments


shulmda commented Jan 4, 2023

When running grype from the command line and directing the stderr to a file, I am getting many warnings about "WARN found package with empty ID while adding to the catalog" and "unable to read golang buildinfo" and "golang cataloger: bin parsing: number of builds and readers doesn't match"

....
[0002]  WARN found package with empty ID while adding to the catalog: Pkg(name="libintl-debian" version="" type="java-archive" id="") form-lib=syft
[0002]  WARN unable to read golang buildinfo error=not a Go executable file=/bin/bash form-lib=syft
[0002]  WARN golang cataloger: bin parsing: number of builds and readers doesn't match form-lib=syft
[0002]  WARN unable to read golang buildinfo error=not a Go executable file=/bin/cat form-lib=syft
.....

I would not expect these warnings in stderr, unless it is an indication of a problem that would cause a library to not be scanned.

I don't know if this is a problem, or a warning that I can ignore

This is VERY easy to reproduce....
grype nginx:latest 1>nginx.out 2>nginx.err
Look at the nginx.err file

I am running on MacOS Ventura, but it happens on my Linux server too.
Application: grype
Version: 0.54.0
Syft Version: v0.63.0
BuildDate: 2022-12-13T15:02:51Z
GitCommit: 93499ee
GitDescription: v0.54.0
Platform: darwin/amd64
GoVersion: go1.18.8
Compiler: gc
Supported DB Schema: 5
and
Application: syft
Version: 0.64.0
JsonSchemaVersion: 6.0.0
BuildDate: 2022-12-23T18:09:02Z
GitCommit: e1e489a2849c8432781a7cb58b257fa935efa1cf
GitDescription: v0.64.0
Platform: darwin/amd64
GoVersion: go1.18.9
Compiler: gc

@shulmda shulmda added the bug Something isn't working label Jan 4, 2023
Contributor

kzantow commented Jan 4, 2023

There have been a couple of fixes for this in Syft; it looks like we just need to get some releases of Syft/Grype done to fix this!

Contributor

kzantow commented Jan 4, 2023

We've released Syft and updated and released Grype v0.55.0 which should solve this issue for you. Please let us know if it doesn't!

@kzantow kzantow closed this as completed Jan 4, 2023
Author

shulmda commented Jan 5, 2023

OK. I have updated to the latest version of syft and grype and the logs are much smaller, so that is an improvement! Thanks. However, there is still a warning for example... When I run
grype nginx:latest 1>nginx.out 2>nginx.err

I get the warning.
[0002] WARN found package with empty ID while adding to the catalog: Pkg(name="libintl" version="" type="java-archive" id="") form-lib=syft

Is this even important?

Contributor

kzantow commented Jan 5, 2023

Odd. If I run: grype nginx:latest, I get this output, which does not seem to have the warning you mention:

 ✔ Vulnerability DB        [no update available]
 ✔ Loaded image            
 ✔ Parsed image            
 ✔ Cataloged packages      [143 packages]
 ✔ Scanned image           [144 vulnerabilities]
NAME              INSTALLED                FIXED-IN     TYPE  VULNERABILITY     SEVERITY   
apt               2.2.4                                 deb   CVE-2011-3374     Negligible  
...

However, running with -vv, I do see this:

[0004]  WARN found package with empty ID while adding to the catalog: Pkg(name="libintl" version="0.21" type="java-archive" id="") form-lib=syft

Do you have a configuration file or environment variable increasing the verbosity? You should be able to safely ignore warnings which are not displayed by default.

Author

shulmda commented Jan 6, 2023

I am just running grype from the command line with the latest version of grype and syft, BUT I am redirecting the output to a file; the command is "grype nginx:latest 1>nginx.out 2>nginx.err". No other environment variables or parameters are being specified. In the nginx.err I am seeing this warning, like you are. My question is whether I should worry about this particular warning or not. Does it impact the vulnerability check? Or is it just informational?

FYI, here are the versions of grype and syft I have installed.
Application: grype
Version: 0.55.0
and
Application: syft
Version: 0.65.0

Author

shulmda commented Jan 6, 2023

Oh, sorry, I didn't see that you answered the question that I can safely ignore the warnings. Thanks!!!
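An added example, not part of this thread and not grype or syft code: one way to triage a redirected stderr file such as nginx.err is to strip the ANSI colour sequences, keep only WARN lines, and group them by message so cataloger noise can be told apart from anything new. The category names and `SAMPLE_STDERR` are constructed for illustration; the sample reuses the warning lines quoted in this issue.

```python
import re
from collections import Counter, defaultdict

# ANSI SGR colour sequences (ESC [ ... m) that end up in the file when coloured logs are redirected.
ANSI_SGR = re.compile(r"\x1b\[[0-9;]*m")
# "[0002]  WARN message key=value ..." once the colours are stripped.
LOG_LINE = re.compile(r"^\[(\d+)\]\s+([A-Z]+)\s+(.*)$")
FILE_FIELD = re.compile(r"(?<!\S)file=(\S+)")

# Hypothetical category names, keyed by the message prefixes quoted in this issue.
KINDS = [
    ("found package with empty ID", "empty-package-id"),
    ("unable to read golang buildinfo", "go-buildinfo-unreadable"),
    ("golang cataloger: bin parsing", "go-bin-parsing-mismatch"),
]

def classify(message):
    for prefix, kind in KINDS:
        if message.startswith(prefix):
            return kind
    return "other"  # anything not seen in this thread deserves a closer look

def summarize_warnings(stderr_text):
    """Return (Counter of WARN kinds, {kind: sorted file paths named in those warnings})."""
    counts, files = Counter(), defaultdict(set)
    for raw in stderr_text.splitlines():
        m = LOG_LINE.match(ANSI_SGR.sub("", raw).strip())
        if not m or m.group(2) != "WARN":
            continue  # progress output, other log levels, "...." filler
        kind = classify(m.group(3))
        counts[kind] += 1
        hit = FILE_FIELD.search(m.group(3))
        if hit:
            files[kind].add(hit.group(1))
    return counts, {k: sorted(v) for k, v in files.items()}

# Constructed sample: lines quoted in this issue, with colour codes written as ESC bytes.
E = "\x1b"
SAMPLE_STDERR = "\n".join([
    "....",
    f'{E}[0;90m[0002]{E}[0m {E}[0;33m WARN{E}[0m found package with empty ID while adding to the catalog: Pkg(name="libintl-debian" version="" type="java-archive" id="") {E}[0;33mform-lib{E}[0m=syft',
    f"{E}[0;90m[0002]{E}[0m {E}[0;33m WARN{E}[0m unable to read golang buildinfo {E}[0;33merror{E}[0m=not a Go executable {E}[0;33mfile{E}[0m=/bin/bash {E}[0;33mform-lib{E}[0m=syft",
    f"{E}[0;90m[0002]{E}[0m {E}[0;33m WARN{E}[0m golang cataloger: bin parsing: number of builds and readers doesn't match {E}[0;33mform-lib{E}[0m=syft",
    f"{E}[0;90m[0002]{E}[0m {E}[0;33m WARN{E}[0m unable to read golang buildinfo {E}[0;33merror{E}[0m=not a Go executable {E}[0;33mfile{E}[0m=/bin/cat {E}[0;33mform-lib{E}[0m=syft",
    '[0002] WARN found package with empty ID while adding to the catalog: Pkg(name="libintl" version="" type="java-archive" id="") form-lib=syft',
])

if __name__ == "__main__":
    counts, files = summarize_warnings(SAMPLE_STDERR)
    for kind, n in counts.most_common():
        print(n, kind, files.get(kind, []))
```

To run it on a real scan, pass the contents of the redirected file (for example nginx.err) to `summarize_warnings`; a non-zero `other` count is the part worth reading line by line.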

@kzantow kzantow closed this as not planned Won't fix, can't repro, duplicate, stale Jan 23, 2023
@kzantow kzantow linked a pull request Jan 23, 2023 that will close this issue
@kzantow kzantow removed the bug Something isn't working label Jan 24, 2023
@kzantow kzantow closed this as completed Jan 24, 2023
@kzantow kzantow linked a pull request Jan 24, 2023 that will close this issue
@kzantow kzantow added the bug Something isn't working label Jan 24, 2023
@kzantow kzantow closed this as not planned Won't fix, can't repro, duplicate, stale Jan 24, 2023