Intermittent binary listings, different results every time

[aptalca]

What happened:
When I run syft multiple times on the same docker image, I get a different list every time because the binary results change every time.

What you expected to happen:
I expect to get the same results every time.

Steps to reproduce the issue:
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock:ro ghcr.io/anchore/syft:latest ghcr.io/linuxserver/mastodon:glitch | grep binary
Run this back to back after pulling ghcr.io/linuxserver/mastodon:glitch

Anything else we need to know?:
The binaries for node, nginx, php-cli and php-fpm are intermittently included in the list.
The first run results in:

$ docker run --rm -v /var/run/docker.sock:/var/run/docker.sock:ro  ghcr.io/anchore/syft:latest ghcr.io/linuxserver/mastodon:glitch | grep binary
[0019]  WARN cataloger failed cataloger=javascript-package-cataloger error=failed to parse package.json file: unable to parse package.json author: json: cannot unmarshal array into Go value of type map[string]string location=/app/www/node_modules/react-motion/package.json
@babel/helper-builder-binary-assignment-operator-visitor                       7.22.10                              npm           
binary-extensions                                                              1.13.1                               npm           
binary-extensions                                                              2.2.0                                npm           
is-binary-path                                                                 1.0.1                                npm           
is-binary-path                                                                 2.1.0                                npm           
nginx                                                                          1.24.0                               binary        
php-cli                                                                        8.2.8                                binary

Second run results in:

$ docker run --rm -v /var/run/docker.sock:/var/run/docker.sock:ro  ghcr.io/anchore/syft:latest ghcr.io/linuxserver/mastodon:glitch | grep binary
[0018]  WARN cataloger failed cataloger=javascript-package-cataloger error=failed to parse package.json file: unable to parse package.json author: json: cannot unmarshal array into Go value of type map[string]string location=/app/www/node_modules/react-motion/package.json
@babel/helper-builder-binary-assignment-operator-visitor                       7.22.10                              npm           
binary-extensions                                                              1.13.1                               npm           
binary-extensions                                                              2.2.0                                npm           
is-binary-path                                                                 1.0.1                                npm           
is-binary-path                                                                 2.1.0                                npm           
node                                                                           18.17.0                              binary        
php-cli                                                                        8.2.8                                binary

Third run results in:

$ docker run --rm -v /var/run/docker.sock:/var/run/docker.sock:ro  ghcr.io/anchore/syft:latest ghcr.io/linuxserver/mastodon:glitch | grep binary
[0018]  WARN cataloger failed cataloger=javascript-package-cataloger error=failed to parse package.json file: unable to parse package.json author: json: cannot unmarshal array into Go value of type map[string]string location=/app/www/node_modules/react-motion/package.json
@babel/helper-builder-binary-assignment-operator-visitor                       7.22.10                              npm           
binary-extensions                                                              1.13.1                               npm           
binary-extensions                                                              2.2.0                                npm           
is-binary-path                                                                 1.0.1                                npm           
is-binary-path                                                                 2.1.0                                npm           
node                                                                           18.17.0                              binary

You can see the binaries listed change every time even though it's the same image that's being scanned.

Environment:

• Output of syft version: Latest syft docker image

Application:        syft
Version:            0.87.0
JsonSchemaVersion:  10.0.0
BuildDate:          2023-08-14T18:02:28Z
GitCommit:          b3d7ba569b64376cf33df717e3bc40d8375e033b
GitDescription:     v0.87.0
Platform:           linux/amd64
GoVersion:          go1.20.7
Compiler:           gc

• OS (e.g: cat /etc/os-release or similar):
  Ubuntu Jammy

[kzantow]

Thanks for the report @aptalca. I've been able to reproduce this on the latest Syft (same as you indicated: 0.87.0)

[aptalca]

It's been causing havoc for our ci, which commits the package list to our repo and triggers another build. It's been looping all morning 😅
https://github.com/linuxserver/docker-mastodon/commits/glitch

[kzantow]

Sorry for the inconvenience! This should be fixed now in the latest release: https://github.com/anchore/syft/releases/tag/v0.87.1