go-module-binary-cataloger and cargo-auditable-binary-cataloger still run when disabled but binary-cataloger is enabled #2031

Open
hittingray opened this issue Aug 16, 2023 · 1 comment
Labels
bug Something isn't working

hittingray commented Aug 16, 2023

What happened:

go-module-binary-cataloger and cargo-auditable-binary-cataloger still run when they are absent in the catalogers config but binary-cataloger is present. As shown in the debug log below, the former 2 catalogers are not skipped despite being absent in the catalogers section. I've removed some snippets of the log to keep it short(er).

$ syft --catalogers binary-cataloger -vv golang:latest

[0000]  INFO syft version: 0.87.0
[0000] DEBUG application config:
<excluded for brevity>
log:
  structured: false
  level: debug
  file: ""
catalogers:
- binary-cataloger
package:
  cataloger:
    enabled: true
    scope: Squashed
  search-unindexed-archives: false
  search-indexed-archives: true
<excluded for brevity>

[0014]  INFO identified distro: Debian GNU/Linux 12 (bookworm)
[0014]  INFO skipping cataloger "alpmdb-cataloger"
[0014]  INFO skipping cataloger "apkdb-cataloger"
[0014]  INFO skipping cataloger "conan-cataloger"
[0014]  INFO skipping cataloger "dartlang-lock-cataloger"
[0014]  INFO skipping cataloger "dpkgdb-cataloger"
[0014]  INFO skipping cataloger "dotnet-deps-cataloger"
[0014]  INFO skipping cataloger "dotnet-portable-executable-cataloger"
[0014]  INFO skipping cataloger "elixir-mix-lock-cataloger"
[0014]  INFO skipping cataloger "erlang-rebar-lock-cataloger"
[0014]  INFO skipping cataloger "go-mod-file-cataloger"
[0014]  INFO skipping cataloger "haskell-cataloger"
[0014]  INFO skipping cataloger "java-cataloger"
[0014]  INFO skipping cataloger "java-gradle-lockfile-cataloger"
[0014]  INFO skipping cataloger "java-pom-cataloger"
[0014]  INFO skipping cataloger "graalvm-native-image-cataloger"
[0014]  INFO skipping cataloger "javascript-lock-cataloger"
[0014]  INFO skipping cataloger "javascript-package-cataloger"
[0014]  INFO skipping cataloger "linux-kernel-cataloger"
[0014]  INFO skipping cataloger "nix-store-cataloger"
[0014]  INFO skipping cataloger "php-composer-installed-cataloger"
[0014]  INFO skipping cataloger "php-composer-lock-cataloger"
[0014]  INFO skipping cataloger "portage-cataloger"
[0014]  INFO skipping cataloger "python-index-cataloger"
[0014]  INFO skipping cataloger "python-package-cataloger"
[0014]  INFO skipping cataloger "r-package-cataloger"
[0014]  INFO skipping cataloger "rpm-file-cataloger"
[0014]  INFO skipping cataloger "rpm-db-cataloger"
[0014]  INFO skipping cataloger "ruby-gemfile-cataloger"
[0014]  INFO skipping cataloger "ruby-gemspec-cataloger"
[0014]  INFO skipping cataloger "rust-cargo-lock-cataloger"
[0014]  INFO skipping cataloger "sbom-cataloger"
[0014]  INFO skipping cataloger "cocoapods-cataloger"
[0014]  INFO skipping cataloger "spm-cataloger"
[0014] DEBUG cataloging packages catalogers=4 parallelism=1
[0014] DEBUG discovered 2 packages cataloger=binary-cataloger
[0014] DEBUG discovered 19 packages cataloger=go-module-binary-cataloger
[0014] DEBUG discovered 0 packages cataloger=cargo-auditable-binary-cataloger

NAME           VERSION  TYPE
cmd/addr2line  (devel)  go-module
cmd/asm        (devel)  go-module
cmd/buildid    (devel)  go-module
cmd/cgo        (devel)  go-module
cmd/compile    (devel)  go-module
cmd/covdata    (devel)  go-module
cmd/cover      (devel)  go-module
cmd/doc        (devel)  go-module
cmd/fix        (devel)  go-module
cmd/go         (devel)  go-module
cmd/gofmt      (devel)  go-module
cmd/link       (devel)  go-module
cmd/nm         (devel)  go-module
cmd/objdump    (devel)  go-module
cmd/pack       (devel)  go-module
cmd/pprof      (devel)  go-module
cmd/test2json  (devel)  go-module
cmd/trace      (devel)  go-module
cmd/vet        (devel)  go-module
go             1.21.0   binary
python         3.11.2   binary

What you expected to happen:

No go-module entries should be in the output above (i.e. only binary)

Steps to reproduce the issue:

Run

syft --catalogers binary-cataloger golang:latest

and there will be go-module entries in the output along with the expected binary entries

Anything else we need to know?:

It looks like there was an attempt to fix substring matching in #1582, but this still hasn't fully fixed it.

It seems like

func hasFullWord(targetPhrase, candidate string) bool {
is the culprit, where if candidate = go-module-binary and targetPhrase = binary, then it will return true. I see from relevant tests that there's some partial matching on catalogers (e.g. php-composer matches php-composer-installed-cataloger) which makes this logic tricky.

I've also noticed that a lot of the tests include -cataloger, but the only call to hasFullWord() is straight after strings.TrimSuffix(partial, "-cataloger") is called, so the test cases don't seem that useful.

Is there any reason why there's some substring matching logic here anyway and not just full string matching? The docs make no mention of enabling a cataloger with a partial name or enabling multiple catalogers with just a substring of the name. I could understand if someone wanted to, for example, enable all Go modules, but it seems like something like go-* would be a better option.

Environment:

  • Output of syft version: 0.87.0
  • OS (e.g: cat /etc/os-release or similar): macOS Ventura 13.4.1
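The word-boundary matching the report describes, reconstructed as an added example (this is not syft's code): a hypothetical hasFullWord that treats cataloger names as hyphen-delimited words, the loose selection that lets "binary" pick up go-module-binary and cargo-auditable-binary, and the stricter exact-name-or-glob selection the reporter proposes. The cataloger names are a constructed subset taken from the log above.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Constructed subset of the cataloger names seen in the issue's debug log.
var allCatalogers = []string{
	"binary-cataloger", "go-module-binary-cataloger", "cargo-auditable-binary-cataloger",
	"go-mod-file-cataloger", "php-composer-installed-cataloger", "php-composer-lock-cataloger",
}

// hasFullWord (hypothetical reconstruction) reports whether targetPhrase occurs as a
// contiguous run of whole hyphen-delimited words inside candidate. "binary" therefore
// matches "go-module-binary", which is the over-selection the issue reports.
func hasFullWord(targetPhrase, candidate string) bool {
	want, have := strings.Split(targetPhrase, "-"), strings.Split(candidate, "-")
	for i := 0; i+len(want) <= len(have); i++ {
		if strings.Join(have[i:i+len(want)], "-") == targetPhrase {
			return true
		}
	}
	return false
}

// selectLoose mirrors the reported behaviour: trim "-cataloger" from both sides, then
// accept any available cataloger that contains the requested phrase as whole words.
func selectLoose(requested, available []string) (out []string) {
	for _, c := range available {
		for _, r := range requested {
			if hasFullWord(strings.TrimSuffix(r, "-cataloger"), strings.TrimSuffix(c, "-cataloger")) {
				out = append(out, c)
				break
			}
		}
	}
	return out
}

// selectStrict is the tighter alternative: an entry selects a cataloger only by its exact
// name (with or without the "-cataloger" suffix) or by an explicit glob such as "go-*".
func selectStrict(requested, available []string) (out []string) {
	for _, c := range available {
		for _, r := range requested {
			isGlob := strings.ContainsAny(r, "*?[")
			ok, err := path.Match(r, c)
			if c == r || strings.TrimSuffix(c, "-cataloger") == r || (isGlob && err == nil && ok) {
				out = append(out, c)
				break
			}
		}
	}
	return out
}

func main() {
	fmt.Println("loose: ", selectLoose([]string{"binary-cataloger"}, allCatalogers))
	fmt.Println("strict:", selectStrict([]string{"binary-cataloger"}, allCatalogers))
	fmt.Println("glob:  ", selectStrict([]string{"go-*"}, allCatalogers))
}
```

With the same `--catalogers binary-cataloger` request, the loose selector returns three catalogers and the strict one returns only binary-cataloger, which is the difference between the observed and the expected output in the report.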
@hittingray hittingray added the bug Something isn't working label Aug 16, 2023
@kzantow kzantow moved this to Backlog in OSS Aug 16, 2023

kzantow commented Aug 16, 2023

Thanks for the report @hittingray , I can confirm the behavior you've described.
