
add aws-lc classifier and update openssl classifier #4882

Merged: kzantow merged 5 commits into anchore:main from witchcraze:4539_add-awslc-binary-classifier, May 6, 2026

Conversation

@witchcraze (Contributor)

Description

This PR adds an aws-lc classifier and updates the openssl classifier to exclude aws-lc.

AWS-LC is a general-purpose cryptographic library maintained by the AWS Cryptography team for AWS and their customers. It is based on code from the Google BoringSSL project and the OpenSSL project.
(from https://github.com/aws/aws-lc)

In NVD data, the CPE cpe:2.3:a:amazon:aws_libcrypto is used.
https://nvd.nist.gov/vuln/detail/CVE-2026-3336

Currently, Syft detects aws-lc as openssl, and then Grype detects many false openssl vulnerabilities:

$ for i in 2.4 2.6 3.0 3.1 3.2 3.3 3.4; do echo $i; docker run -it --rm haproxytech/haproxy-alpine:$i /opt/aws-lc/bin/openssl version; done
2.4
/docker-entrypoint.sh: exec: line 17: /opt/aws-lc/bin/openssl: not found
2.6
/docker-entrypoint.sh: exec: line 17: /opt/aws-lc/bin/openssl: not found
3.0
OpenSSL 1.1.1 (compatible; AWS-LC 1.69.0)
3.1
OpenSSL 1.1.1 (compatible; AWS-LC 1.69.0)
3.2
OpenSSL 1.1.1 (compatible; AWS-LC 1.69.0)
3.3
OpenSSL 1.1.1 (compatible; AWS-LC 1.69.0)
3.4
OpenSSL 1.1.1 (compatible; AWS-LC 1.69.0)

$ for i in 2.4 2.6 3.0 3.1 3.2 3.3 3.4; do echo $i; syft -q haproxytech/haproxy-alpine:$i | grep -e openssl -e aws-lc; done
2.4
openssl                                                           3.3.7-r0                              apk
2.6
openssl                                                           3.3.7-r0                              apk
3.0
openssl                                                        1.1.1                                       binary
3.1
openssl                                                        1.1.1                                       binary
3.2
openssl                                                           1.1.1                                       binary
3.3
openssl                                                           1.1.1                                       binary
3.4
openssl                                                           1.1.1                                       binary

$ syft -q haproxytech/haproxy-alpine:3.3.0 -o json | grype | grep -e openssl -e aws-lc
123 packages from EOL distro "alpine 3.20.8" - vulnerability data may be incomplete or outdated; consider upgrading to a supported version
openssl        1.1.1       1.0.2zg, *1.1.1t, 3.0.8                       binary     CVE-2023-0286   High      88.3% (99th)   65.8
openssl        1.1.1       1.0.2zh, *1.1.1u, 3.0.9, 3.1.1                binary     CVE-2023-2650   Medium    92.0% (99th)   52.9
openssl        1.1.1       1.0.2ze, *1.1.1o, 3.0.3                       binary     CVE-2022-1292   High      39.0% (97th)   32.2
openssl        1.1.1       1.0.2zf, *1.1.1p, 3.0.4                       binary     CVE-2022-2068   High      18.6% (95th)   15.4
openssl        1.1.1       1.1.1k                                        binary     CVE-2021-3449   Medium    9.9% (93rd)    5.0
openssl        1.1.1       1.0.2zk, *1.1.1za, 3.0.15, 3.1.7, 3.2.3, ...  binary     CVE-2024-5535   Critical  5.1% (89th)    4.6
openssl        1.1.1       1.0.2zd, *1.1.1n, 3.0.2                       binary     CVE-2022-0778   High      5.9% (90th)    4.0
openssl        1.1.1                                                     binary     CVE-2018-0734   Medium    6.1% (90th)    3.1
openssl        1.1.1                                                     binary     CVE-2019-1543   High      3.8% (88th)    2.7
openssl        1.1.1                                                     binary     CVE-2018-0735   Medium    4.8% (89th)    2.4
openssl        1.1.1       *1.1.1y, 3.0.14, 3.1.6, 3.2.2                 binary     CVE-2024-2511   Medium    4.1% (88th)    2.3
openssl        1.1.1       1.1.1l                                        binary     CVE-2021-3711   Critical  2.4% (85th)    2.1
openssl        1.1.1                                                     binary     CVE-2019-1549   Medium    3.0% (86th)    1.5
openssl        1.1.1                                                     binary     CVE-2019-1551   Medium    2.4% (85th)    1.2
openssl        1.1.1       1.0.2zh, *1.1.1u, 3.0.9, 3.1.1                binary     CVE-2023-0464   High      0.8% (74th)    0.6
openssl        1.1.1       *1.1.1w, 3.0.11, 3.1.3                        binary     CVE-2023-4807   High      0.7% (71st)    0.5
openssl        1.1.1       1.0.2y, *1.1.1j                               binary     CVE-2021-23841  Medium    1.0% (76th)    0.5
openssl        1.1.1       1.0.2zi, *1.1.1v, 3.0.10, 3.1.2               binary     CVE-2023-3446   Medium    0.9% (76th)    0.5
openssl        1.1.1                                                     binary     CVE-2019-1563   Low       1.3% (79th)    0.4
openssl        1.1.1       1.0.2zh, *1.1.1u, 3.0.9, 3.1.1                binary     CVE-2023-0466   Medium    0.8% (74th)    0.4
openssl        1.1.1       1.0.2zl, *1.1.1zb, 3.0.16, 3.1.8, 3.2.4, ...  binary     CVE-2024-9143   Medium    0.9% (75th)    0.4
openssl        1.1.1       1.0.2y, *1.1.1j                               binary     CVE-2021-23840  High      0.5% (67th)    0.4
openssl        1.1.1       1.0.2za, *1.1.1l                              binary     CVE-2021-3712   High      0.5% (66th)    0.4
openssl        1.1.1       1.0.2zj, *1.1.1x, 3.0.13, 3.1.5               binary     CVE-2023-5678   Medium    0.7% (71st)    0.3
openssl        1.1.1       1.0.2zg, *1.1.1t, 3.0.8                       binary     CVE-2023-0215   High      0.4% (62nd)    0.3
openssl        1.1.1       *1.1.1y, 3.0.14, 3.1.6, 3.2.2, 3.3.1          binary     CVE-2024-4741   High      0.4% (62nd)    0.3
openssl        1.1.1       1.0.2zh, *1.1.1u, 3.0.9, 3.1.1                binary     CVE-2023-0465   Medium    0.5% (66th)    0.3
openssl        1.1.1       *1.1.1q, 3.0.5                                binary     CVE-2022-2097   Medium    0.5% (66th)    0.3
openssl        1.1.1       *1.1.1ze, 3.0.19, 3.3.6, 3.4.4, 3.5.5, ...    binary     CVE-2025-69420  High      0.3% (53rd)    0.2
openssl        1.1.1       1.1.1m                                        binary     CVE-2021-4160   Medium    0.4% (61st)    0.2
openssl        1.1.1       1.0.2x, *1.1.1i                               binary     CVE-2020-1971   Medium    0.3% (57th)    0.2
openssl        1.1.1       *3.0.10, 3.1.2                                binary     CVE-2023-3817   Medium    0.3% (54th)    0.2
openssl        1.1.1       1.0.2zj, *1.1.1x, 3.0.13, 3.1.5               binary     CVE-2024-0727   Medium    0.2% (47th)    0.1
openssl        1.1.1       1.0.2zg, *1.1.1t, 3.0.8                       binary     CVE-2022-4304   Medium    0.2% (44th)    0.1
openssl        1.1.1       *1.1.1t, 3.0.8                                binary     CVE-2022-4450   High      0.1% (34th)    0.1
openssl        1.1.1                                                     binary     CVE-2019-1547   Medium    0.3% (49th)    0.1
openssl        1.1.1       1.0.2zn, *1.1.1ze, 3.0.19, 3.3.6, 3.4.4, ...  binary     CVE-2026-22796  Medium    0.1% (29th)    < 0.1
openssl        1.1.1       *1.1.1ze, 3.0.19, 3.3.6, 3.4.4, 3.5.5, ...    binary     CVE-2025-69419  High      < 0.1% (19th)  < 0.1
openssl        1.1.1       1.0.2zl, *1.1.1zb, 3.0.16, 3.1.8, 3.2.4, ...  binary     CVE-2024-13176  Medium    < 0.1% (21st)  < 0.1
openssl        1.1.1       *1.1.1zg, 3.0.20, 3.3.7, 3.4.5, 3.5.6, ...    binary     CVE-2026-28387  High      < 0.1% (12th)  < 0.1
openssl        1.1.1       1.0.2zp, *1.1.1zg, 3.0.20, 3.3.7, 3.4.5, ...  binary     CVE-2026-28389  High      < 0.1% (12th)  < 0.1
openssl        1.1.1       1.0.2zp, *1.1.1zg, 3.0.20, 3.3.7, 3.4.5, ...  binary     CVE-2026-28390  High      < 0.1% (12th)  < 0.1
openssl        1.1.1       1.0.2zm, *1.1.1zd, 3.0.18, 3.2.6, 3.3.5, ...  binary     CVE-2025-9230   High      < 0.1% (11th)  < 0.1
openssl        1.1.1       1.0.2zn, *1.1.1ze, 3.0.19, 3.3.6, 3.4.4, ...  binary     CVE-2025-69421  High      < 0.1% (10th)  < 0.1
openssl        1.1.1                                                     binary     CVE-2019-1552   Low       < 0.1% (22nd)  < 0.1
openssl        1.1.1       1.0.2zp, *1.1.1zg, 3.0.20, 3.3.7, 3.4.5, ...  binary     CVE-2026-28388  High      < 0.1% (5th)   < 0.1
openssl        1.1.1       1.0.2zn, *1.1.1ze, 3.0.19, 3.3.6, 3.4.4, ...  binary     CVE-2025-68160  Medium    < 0.1% (7th)   < 0.1
openssl        1.1.1       *1.1.1ze, 3.0.19, 3.3.6, 3.4.4, 3.5.5, ...    binary     CVE-2026-22795  Medium    < 0.1% (5th)   < 0.1
openssl        1.1.1       *1.1.1ze, 3.0.19, 3.3.6, 3.4.4, 3.5.5, ...    binary     CVE-2025-69418  Medium    < 0.1% (0th)   < 0.1

This PR solves this issue, and the proper vulnerabilities will be detected by Grype.

$ for i in 2.4 2.6 3.0 3.1 3.2 3.3 3.4; do echo $i; go run ./cmd/syft -q haproxytech/haproxy-alpine:$i | grep -e openssl -e aws-lc; done
2.4
openssl                                                           3.3.7-r0                              apk
2.6
openssl                                                           3.3.7-r0                              apk
3.0
aws-lc                                                         1.69.0                                      binary
3.1
aws-lc                                                         1.69.0                                      binary
3.2
aws-lc                                                            1.69.0                                      binary
3.3
aws-lc                                                            1.69.0                                      binary
3.4
aws-lc                                                            1.69.0                                      binary

$ go run ./cmd/syft -q haproxytech/haproxy-alpine:3.3.0 -o json | grype | grep -e openssl -e aws-lc
123 packages from EOL distro "alpine 3.20.8" - vulnerability data may be incomplete or outdated; consider upgrading to a supported version
aws-lc         1.65.1      1.69.0                         binary     CVE-2026-3337   High      < 0.1% (11th)  < 0.1
aws-lc         1.65.1      1.69.0                         binary     CVE-2026-3338   High      < 0.1% (2nd)   < 0.1
aws-lc         1.65.1      1.69.0                         binary     CVE-2026-3336   High      < 0.1% (2nd)   < 0.1

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)

Checklist

  • I have added unit tests that cover changed behavior
  • I have tested my code in common scenarios and confirmed there are no regressions
  • I have added comments to my code, particularly in hard-to-understand sections

Issue references

Fixes #4539


$ go test -v ./syft/pkg/cataloger/binary -run Test_Cataloger_PositiveCases/aws-lc
=== RUN   Test_Cataloger_PositiveCases
=== RUN   Test_Cataloger_PositiveCases/aws-lc/1.69.0/linux-amd64
    snippet_or_binary.go:50: using snippet for "aws-lc/1.69.0/linux-amd64"
--- PASS: Test_Cataloger_PositiveCases (0.03s)
    --- PASS: Test_Cataloger_PositiveCases/aws-lc/1.69.0/linux-amd64 (0.03s)
PASS
ok      github.com/anchore/syft/syft/pkg/cataloger/binary       0.050s

$ go test -v ./syft/pkg/cataloger/binary -run Test_Cataloger_PositiveCases/aws-lc -must-use-original-binaries
=== RUN   Test_Cataloger_PositiveCases
=== RUN   Test_Cataloger_PositiveCases/aws-lc/1.69.0/linux-amd64
    snippet_or_binary.go:62: forcing the use of the original binary for "aws-lc/1.69.0/linux-amd64"
--- PASS: Test_Cataloger_PositiveCases (0.03s)
    --- PASS: Test_Cataloger_PositiveCases/aws-lc/1.69.0/linux-amd64 (0.03s)
PASS
ok      github.com/anchore/syft/syft/pkg/cataloger/binary       0.054s

$ go test -v ./syft/pkg/cataloger/binary -run Test_Cataloger_PositiveCases/openssl
=== RUN   Test_Cataloger_PositiveCases
=== RUN   Test_Cataloger_PositiveCases/openssl/3.1.4/linux-amd64
    snippet_or_binary.go:50: using snippet for "openssl/3.1.4/linux-amd64"
=== RUN   Test_Cataloger_PositiveCases/openssl/1.1.1w/linux-arm64
    snippet_or_binary.go:50: using snippet for "openssl/1.1.1w/linux-arm64"
=== RUN   Test_Cataloger_PositiveCases/openssl/1.1.1zb/linux-arm64
    snippet_or_binary.go:50: using snippet for "openssl/1.1.1zb/linux-arm64"
--- PASS: Test_Cataloger_PositiveCases (0.09s)
    --- PASS: Test_Cataloger_PositiveCases/openssl/3.1.4/linux-amd64 (0.03s)
    --- PASS: Test_Cataloger_PositiveCases/openssl/1.1.1w/linux-arm64 (0.03s)
    --- PASS: Test_Cataloger_PositiveCases/openssl/1.1.1zb/linux-arm64 (0.03s)
PASS
ok      github.com/anchore/syft/syft/pkg/cataloger/binary       0.111s

$ go test -v ./syft/pkg/cataloger/binary -run Test_Cataloger_PositiveCases/openssl -must-use-original-binaries
=== RUN   Test_Cataloger_PositiveCases
=== RUN   Test_Cataloger_PositiveCases/openssl/3.1.4/linux-amd64
    snippet_or_binary.go:68: no binary found, but is covered by a snippet. Please add this case to the 'binary/testdata/config.yaml' and recreate the snippet
=== RUN   Test_Cataloger_PositiveCases/openssl/1.1.1w/linux-arm64
    snippet_or_binary.go:62: forcing the use of the original binary for "openssl/1.1.1w/linux-arm64"
=== RUN   Test_Cataloger_PositiveCases/openssl/1.1.1zb/linux-arm64
    snippet_or_binary.go:68: no binary found, but is covered by a snippet. Please add this case to the 'binary/testdata/config.yaml' and recreate the snippet
--- PASS: Test_Cataloger_PositiveCases (0.09s)
    --- SKIP: Test_Cataloger_PositiveCases/openssl/3.1.4/linux-amd64 (0.03s)
    --- PASS: Test_Cataloger_PositiveCases/openssl/1.1.1w/linux-arm64 (0.03s)
    --- SKIP: Test_Cataloger_PositiveCases/openssl/1.1.1zb/linux-arm64 (0.03s)
PASS
ok      github.com/anchore/syft/syft/pkg/cataloger/binary       0.105s

Signed-off-by: witchcraze <witchcraze@gmail.com>
},
{
Class: "aws-lc-binary",
FileGlob: "**/openssl",
@kzantow (Contributor), May 5, 2026:

Instead of this, you could use the same pattern the java matcher does which only requires reading the bytes one time using the branching evidence matcher, which basically matches the first thing so in your case here, put the aws-lc match first and it won't fall through to the openssl default and it avoids duplicating logic by adding negative matching.

@witchcraze (Contributor, Author):

Thank you for your review. That makes sense.
I updated to use BranchingEvidenceMatcher.
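The first-match-wins ordering discussed above, as an added example that is not Syft's own code: a hypothetical banner classifier that tries the AWS-LC pattern before the OpenSSL pattern, beside the OpenSSL-only behaviour that produced the false openssl 1.1.1 findings in the description (type and function names are assumptions; the banners are constructed from the strings the PR shows).

```go
package main

import (
	"fmt"
	"regexp"
)

// Classification is the package name and version recovered from a binary.
type Classification struct{ Name, Version string }

// bannerMatcher pairs a package name with the pattern that extracts its
// version from file contents (hypothetical types, not Syft's own API).
type bannerMatcher struct {
	name string
	re   *regexp.Regexp
}

// Order is the point: the first pattern that matches wins and the rest are
// never consulted. AWS-LC sits ahead of OpenSSL because its banner also
// contains "OpenSSL 1.1.1", which is what misled the OpenSSL-only classifier.
var branches = []bannerMatcher{
	{"aws-lc", regexp.MustCompile(`AWS-LC (?P<version>\d+\.\d+\.\d+)`)},
	{"openssl", regexp.MustCompile(`OpenSSL (?P<version>\d+\.\d+\.\d+[a-z]*)`)},
}

// matchFirst returns the classification from the first matcher that hits.
func matchFirst(ms []bannerMatcher, contents []byte) (Classification, bool) {
	for _, m := range ms {
		if sub := m.re.FindSubmatch(contents); sub != nil {
			return Classification{m.name, string(sub[m.re.SubexpIndex("version")])}, true
		}
	}
	return Classification{}, false
}

// classify is the post-PR behaviour: AWS-LC is tried before OpenSSL.
func classify(contents []byte) (Classification, bool) {
	return matchFirst(branches, contents)
}

// legacyClassify reproduces the pre-PR state, where only the OpenSSL pattern
// existed and an AWS-LC banner came out as openssl 1.1.1.
func legacyClassify(contents []byte) (Classification, bool) {
	return matchFirst(branches[1:], contents)
}

func main() {
	s := []byte("OpenSSL 1.1.1 (compatible; AWS-LC 1.69.0)") // constructed banner from the PR
	n, _ := classify(s)
	o, _ := legacyClassify(s)
	fmt.Printf("new=%v legacy=%v\n", n, o)
}
```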

Signed-off-by: witchcraze <witchcraze@gmail.com>
@witchcraze witchcraze requested a review from kzantow May 5, 2026 17:33
CPEs: singleCPE("cpe:2.3:a:amazon:aws_libcrypto:*:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
},
{
Class: "openssl-binary-openssl",
@kzantow (Contributor):

I forgot about the naming, I think this one should be class "openssl-binary" like the parent so these findings don't change.

@witchcraze (Contributor, Author):

Thank you for your review.
I updated the class name of the default openssl classifier.

witchcraze added 2 commits May 6, 2026 10:20
Signed-off-by: witchcraze <witchcraze@gmail.com>
Signed-off-by: witchcraze <witchcraze@gmail.com>
@witchcraze (Contributor, Author):

--- FAIL: TestCapabilitiesAreUpToDate (0.62s)
merge_test.go:38:
Error Trace: /home/runner/_work/syft/syft/internal/capabilities/generate/merge_test.go:38
Error: Received unexpected error:
exit status 1
Test: TestCapabilitiesAreUpToDate
Messages: cataloger/*/capabilities.yaml files have uncommitted changes after regeneration. Run 'go generate ./internal/capabilities' locally and commit the changes.

Sorry, I ran 'go generate ./internal/capabilities' locally and committed the changes.

purl: pkg:generic/openssl
cpes:
- cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
name: ""
@kzantow (Contributor):

This is unfortunate. For the binary cataloger it might be useful to have some override.

@witchcraze (Contributor, Author):

Thank you.
I updated binaryClassifierOverrides. (Sorry, I did not know about this override system.)

Signed-off-by: witchcraze <witchcraze@gmail.com>
@kzantow kzantow merged commit e2007d9 into anchore:main May 6, 2026
13 checks passed
@kzantow (Contributor) commented May 6, 2026

Thanks for the update @witchcraze and sorry for the back-and-forth 🙏

@witchcraze witchcraze deleted the 4539_add-awslc-binary-classifier branch May 7, 2026 09:57
Successfully merging this pull request may close these issues.

Possible misdetection of AWS-LC as OpenSSL 1.1.1