Binary

Binary package analysis and vulnerability scanning capabilities

File analysis

Within the .files[].executable sections of the Syft JSON there is an analysis of what features and claims were found within a binary file.

This includes:

  • Imported libraries (use of shared libraries)
  • Exported symbols
  • Security features (like NX, PIE, RELRO, etc)

Security features that can be detected include:

  • whether debugging symbols have been stripped
  • presence of stack canaries, which protect against stack smashing (stack-based buffer overflows)
  • NoExecute (NX) bit support, which prevents execution of code on the stack or heap
  • Relocation Read-Only (RelRO), which protects the Global Offset Table (GOT) from being overwritten (can be “partial” or “full”)
  • Position Independent Executable (PIE) support, so that relative offsets are used instead of absolute addresses
  • whether the file is a Dynamic Shared Object (DSO) (not a security feature, but important for analysis)
  • whether LLVM SafeStack partitioning is in use, which separates unsafe stack objects from safe stack objects to mitigate stack-based memory corruption vulnerabilities
  • whether LLVM Control Flow Integrity (CFI) is in use, which adds runtime checks to ensure that indirect function calls only target valid functions, helping to prevent control-flow hijacking attacks
  • whether Clang Fortified Builds are enabled, which add runtime checks for certain standard library functions to detect buffer overflows and other memory errors

Shared library requirement claims and exported symbol claims are used by Syft to:

  • associate file-to-file relationships (in the case of executables/shared libraries being distributed without a package manager)
  • associate file-to-package relationships (when an executable imports a shared library that is managed by a package manager)

Syft can synthesize a dependency graph from the imported libraries and exported symbols found within a set of binaries, even if all package manager information has been removed, allowing for a more complete SBOM to be generated. In a mixed case, where there are some packages managed by package managers and some binaries without package manager metadata, Syft can still use the binary analysis to fill in the gaps. Package-level relationships are preferred over file-level relationships when both are available, which simplifies the dependency graph.
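Reading those fields back out of a Syft JSON document, as an added example that is not Syft's own code: the program below flags ELF executables that lack NX, PIE, full RelRO or a stack canary, and rebuilds the file-to-file edges described above by matching each importedLibraries entry against the base names of exporting files in the same SBOM. The key names it relies on (location.path, executable.hasExports, executable.importedLibraries, and executable.elfSecurityFeatures with nx, relRO, pie, dso and stackCanary) are assumed from Syft's JSON schema and should be checked against the schema for your Syft version; the embedded document is constructed for the example, not real Syft output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"sort"
)

// Subset of the Syft JSON document needed to read .files[].executable.
// Assumption: these key names follow Syft's JSON schema; confirm them
// against the schema shipped with your Syft version.
type syftDoc struct {
	Files []struct {
		Location   struct{ Path string `json:"path"` } `json:"location"`
		Executable *struct {
			HasExports        bool     `json:"hasExports"`
			ImportedLibraries []string `json:"importedLibraries"`
			Security          *struct {
				StackCanary *bool  `json:"stackCanary"` // nil when undetermined
				NX          bool   `json:"nx"`
				RelRO       string `json:"relRO"` // "none", "partial" or "full"
				PIE         bool   `json:"pie"`
				DSO         bool   `json:"dso"`
			} `json:"elfSecurityFeatures"`
		} `json:"executable"`
	} `json:"files"`
}

func parseSyftDoc(data []byte) (doc syftDoc, err error) {
	err = json.Unmarshal(data, &doc)
	return
}

// auditExecutables lists, per ELF file, the hardening features it lacks.
// Shared objects are position independent by construction, so PIE is not
// required of a file whose dso flag is set.
func auditExecutables(doc syftDoc) map[string][]string {
	findings := map[string][]string{}
	for _, f := range doc.Files {
		if f.Executable == nil || f.Executable.Security == nil {
			continue
		}
		sec, missing := f.Executable.Security, []string{}
		if !sec.NX {
			missing = append(missing, "NX disabled")
		}
		if !sec.PIE && !sec.DSO {
			missing = append(missing, "not PIE")
		}
		if sec.RelRO != "full" {
			missing = append(missing, sec.RelRO+" RelRO")
		}
		if sec.StackCanary != nil && !*sec.StackCanary {
			missing = append(missing, "no stack canary")
		}
		if len(missing) > 0 {
			findings[f.Location.Path] = missing
		}
	}
	return findings
}

// linkImports resolves each executable's imported library names against the
// base names of exporting files in the same document, i.e. the file-to-file
// relationships Syft synthesizes when no package manager metadata exists.
// Imports that no file in the SBOM satisfies are returned separately.
func linkImports(doc syftDoc) (edges map[string][]string, unresolved []string) {
	byName := map[string]string{}
	for _, f := range doc.Files {
		if f.Executable != nil && f.Executable.HasExports {
			byName[path.Base(f.Location.Path)] = f.Location.Path
		}
	}
	edges = map[string][]string{}
	for _, f := range doc.Files {
		if f.Executable == nil {
			continue
		}
		for _, lib := range f.Executable.ImportedLibraries {
			if target, ok := byName[lib]; ok {
				edges[f.Location.Path] = append(edges[f.Location.Path], target)
			} else {
				unresolved = append(unresolved, f.Location.Path+" -> "+lib)
			}
		}
	}
	sort.Strings(unresolved)
	return edges, unresolved
}

// Constructed sample in the shape of a trimmed Syft JSON document (not real output).
const sampleSyftJSON = `{"files": [
 {"location": {"path": "/usr/bin/app"}, "executable": {
  "hasExports": false, "importedLibraries": ["libfoo.so.1", "libc.so.6"],
  "elfSecurityFeatures": {"symbolTableStripped": true, "stackCanary": false,
   "nx": false, "relRO": "partial", "pie": false, "dso": false}}},
 {"location": {"path": "/usr/lib/libfoo.so.1"}, "executable": {
  "hasExports": true, "importedLibraries": ["libc.so.6"],
  "elfSecurityFeatures": {"symbolTableStripped": true, "stackCanary": true,
   "nx": true, "relRO": "full", "pie": false, "dso": true}}},
 {"location": {"path": "/etc/app.conf"}}]}`

func main() {
	doc, err := parseSyftDoc([]byte(sampleSyftJSON))
	if err != nil {
		panic(err)
	}
	fmt.Println("missing hardening:", auditExecutables(doc))
	edges, unresolved := linkImports(doc)
	fmt.Println("edges:", edges, "unresolved:", unresolved)
}
```

To run it over a real SBOM, feed the output of `syft -o json` to parseSyftDoc instead of the constructed constant. Unresolved imports (here libc.so.6, which no file in the sample exports) are exactly the gaps a package-manager-managed library would fill in the mixed case described above.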

Package analysis

ELF package notes

Syft can read ELF formatted binaries, specifically the .note.package note, when it follows the convention established by the systemd project. That spec requires a PE/COFF section wrapping a JSON payload that describes the package metadata for the binary; Syft, however, does not require the PE/COFF wrapping and can extract the JSON payload directly from the ELF note.

Here’s an example of what the JSON payload looks like:

{
  "name": "my-application",
  "version": "1.2.3",
  "purl": "pkg:deb/debian/my-application@1.2.3?arch=amd64&distro=debian-12",
  "cpe": "cpe:2.3:a:vendor:my-application:1.2.3:*:*:*:*:*:*:*",
  "license": "Apache-2.0",
  "type": "deb"
}

If this payload is stored in payload.json, it can be injected into an existing ELF binary with the following command (<binary> is a placeholder for the file to modify; objcopy rewrites it in place when no output file is given):

objcopy --add-section .note.package=payload.json --set-section-flags .note.package=noload,readonly <binary>
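The consumer side of that convention, as an added example that is not Syft's implementation: a Go program that locates the .note.package section with debug/elf and decodes the payload whether it was stored as bare JSON (which is what the objcopy command above produces) or wrapped in the ELF note layout the systemd convention defines (owner name "FDO", note type 0xcafe1a7e, 4-byte aligned fields). The owner name and type are the values from the systemd spec; the sample payload is the one shown above, and the encoder exists so the wrapped layout can be exercised without a real binary.

```go
package main

import (
	"bytes"
	"debug/elf"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"os"
)

// packageNote holds the fields of the package note JSON payload.
type packageNote struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	PURL    string `json:"purl"`
	CPE     string `json:"cpe"`
	License string `json:"license"`
	Type    string `json:"type"`
}

func align4(n int) int { return (n + 3) &^ 3 }

// parsePackageNote decodes the contents of a .note.package section. Bare JSON
// (what the objcopy invocation stores) is accepted as-is; otherwise the data is
// treated as an ELF note (namesz, descsz, type, name, desc) and the JSON is
// taken from the desc field. Both layouts yield the same packageNote.
func parsePackageNote(data []byte, order binary.ByteOrder) (packageNote, error) {
	var note packageNote
	payload := bytes.TrimRight(data, "\x00")
	if len(payload) > 0 && payload[0] == '{' {
		err := json.Unmarshal(payload, &note)
		return note, err
	}
	if len(data) < 12 {
		return note, errors.New("section too short for an ELF note header")
	}
	nameSz := int(order.Uint32(data[0:4]))
	descSz := int(order.Uint32(data[4:8]))
	descStart := 12 + align4(nameSz)
	if descStart+descSz > len(data) {
		return note, errors.New("truncated ELF note")
	}
	desc := bytes.TrimRight(data[descStart:descStart+descSz], "\x00")
	err := json.Unmarshal(desc, &note)
	return note, err
}

// encodePackageNote wraps a JSON payload in the ELF note layout of the systemd
// convention (owner "FDO", note type 0xcafe1a7e), with 4-byte aligned fields.
func encodePackageNote(payload []byte, order binary.ByteOrder) []byte {
	name := []byte("FDO\x00")
	desc := append(append([]byte{}, payload...), 0) // JSON is NUL-terminated
	buf := new(bytes.Buffer)
	for _, v := range []uint32{uint32(len(name)), uint32(len(desc)), 0xcafe1a7e} {
		binary.Write(buf, order, v)
	}
	buf.Write(name)
	buf.Write(make([]byte, align4(len(name))-len(name)))
	buf.Write(desc)
	buf.Write(make([]byte, align4(len(desc))-len(desc)))
	return buf.Bytes()
}

// readPackageNote extracts the note from an ELF file on disk.
func readPackageNote(elfPath string) (packageNote, error) {
	f, err := elf.Open(elfPath)
	if err != nil {
		return packageNote{}, err
	}
	defer f.Close()
	sec := f.Section(".note.package")
	if sec == nil {
		return packageNote{}, errors.New("no .note.package section")
	}
	data, err := sec.Data()
	if err != nil {
		return packageNote{}, err
	}
	return parsePackageNote(data, f.ByteOrder)
}

// samplePayload is the payload shown above, embedded here as a constant.
const samplePayload = `{"name": "my-application", "version": "1.2.3",
 "purl": "pkg:deb/debian/my-application@1.2.3?arch=amd64&distro=debian-12",
 "cpe": "cpe:2.3:a:vendor:my-application:1.2.3:*:*:*:*:*:*:*",
 "license": "Apache-2.0", "type": "deb"}`

// Usage: go run main.go <binary>; without an argument both layouts of the
// sample payload are decoded in memory.
func main() {
	if len(os.Args) > 1 {
		note, err := readPackageNote(os.Args[1])
		fmt.Println(note, err)
		return
	}
	bare, err1 := parsePackageNote([]byte(samplePayload), binary.LittleEndian)
	wrapped, err2 := parsePackageNote(encodePackageNote([]byte(samplePayload), binary.LittleEndian), binary.LittleEndian)
	fmt.Println(bare, err1)
	fmt.Println(wrapped == bare, err2)
}
```

The byte order comes from the ELF header (f.ByteOrder) rather than being assumed, so big-endian binaries decode the note header correctly; the bare-JSON path is tried first because that is the layout the objcopy command leaves behind.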

Known patterns

Cataloger | Evidence | License | Dependencies (Depth, Edges, Kinds) | Package Manager Claims (Files, Digests, Integrity Hash)
binary-classifier-cataloger | (see table below) | | |
elf-binary-package-cataloger | application/x-executable, application/x-mach-binary, application/x-elf, application/x-sharedlib, application/vnd.microsoft.portable-executable (mimetype) | | |
pe-binary-package-cataloger | *.dll, *.exe | | |

Binary Package Details
Class | Files | PURL | CPEs
arangodb-binary | arangosh | pkg:generic/arangodb | cpe:2.3:a:arangodb:arangodb:*:*:*:*:*:*:*:*
bash-binary | bash | pkg:generic/bash | cpe:2.3:a:gnu:bash:*:*:*:*:*:*:*:*
busybox-binary | busybox | pkg:generic/busybox | cpe:2.3:a:busybox:busybox:*:*:*:*:*:*:*:*
chrome-binary | chrome | pkg:generic/chrome | cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
consul-binary | consul | pkg:golang/github.com/hashicorp/consul | cpe:2.3:a:hashicorp:consul:*:*:*:*:*:*:*:*
curl-binary | curl | pkg:generic/curl | cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
dart-binary | dart | pkg:generic/dart | cpe:2.3:a:dart:dart_software_development_kit:*:*:*:*:*:*:*:*
elixir-binary | elixir | pkg:generic/elixir | cpe:2.3:a:elixir-lang:elixir:*:*:*:*:*:*:*:*
elixir-library | elixir/ebin/elixir.app | pkg:generic/elixir | cpe:2.3:a:elixir-lang:elixir:*:*:*:*:*:*:*:*
erlang-alpine-binary | beam.smp | pkg:generic/erlang | cpe:2.3:a:erlang:erlang/otp:*:*:*:*:*:*:*:*
erlang-binary | erlexec | pkg:generic/erlang | cpe:2.3:a:erlang:erlang/otp:*:*:*:*:*:*:*:*
erlang-library | liberts_internal.a | pkg:generic/erlang | cpe:2.3:a:erlang:erlang/otp:*:*:*:*:*:*:*:*
ffmpeg-binary | ffmpeg | pkg:generic/ffmpeg | cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*
ffmpeg-library | libav* | pkg:generic/ffmpeg | cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*
ffmpeg-library | libswresample* | pkg:generic/ffmpeg | cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*
fluent-bit-binary | fluent-bit | pkg:github/fluent/fluent-bit | cpe:2.3:a:treasuredata:fluent_bit:*:*:*:*:*:*:*:*
gcc-binary | gcc | pkg:generic/gcc | cpe:2.3:a:gnu:gcc:*:*:*:*:*:*:*:*
go-binary | go | pkg:generic/go | cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
go-binary-hint | VERSION* | pkg:generic/go | cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
gzip-binary | gzip | pkg:generic/gzip | cpe:2.3:a:gnu:gzip:*:*:*:*:*:*:*:*
haproxy-binary | haproxy | pkg:generic/haproxy | cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:*
hashicorp-vault-binary | vault | pkg:golang/github.com/hashicorp/vault | cpe:2.3:a:hashicorp:vault:*:*:*:*:*:*:*:*
haskell-cabal-binary | cabal | pkg:generic/haskell/cabal | cpe:2.3:a:haskell:cabal:*:*:*:*:*:*:*:*
haskell-ghc-binary | ghc* | pkg:generic/haskell/ghc | cpe:2.3:a:haskell:ghc:*:*:*:*:*:*:*:*
haskell-stack-binary | stack | pkg:generic/haskell/stack | cpe:2.3:a:haskell:stack:*:*:*:*:*:*:*:*
helm | helm | pkg:golang/helm.sh/helm | cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:*
httpd-binary | httpd | pkg:generic/httpd | cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
java-binary | java | pkg:generic/oracle/graalvm; pkg:generic/azul/zulu; pkg:generic/oracle/openjdk; pkg:generic/oracle/openjdk; pkg:generic/ibm/java; pkg:generic/oracle/jre; pkg:generic/oracle/jre | cpe:2.3:a:oracle:graalvm:*:*:*:*:*:*:*:*; cpe:2.3:a:azul:zulu:*:*:*:*:*:*:*:*; cpe:2.3:a:oracle:openjdk:{{.primary}}:update{{.update}}:*:*:*:*:*:*; cpe:2.3:a:oracle:openjdk:*:*:*:*:*:*:*:*; cpe:2.3:a:ibm:java:*:*:*:*:*:*:*:*; cpe:2.3:a:oracle:jre:*:*:*:*:*:*:*:*; cpe:2.3:a:oracle:jre:*:*:*:*:*:*:*:*
java-jdb-binary | jdb | pkg:generic/oracle/graalvm; pkg:generic/azul/zulu; pkg:generic/oracle/openjdk; pkg:generic/ibm/java_sdk; pkg:generic/oracle/openjdk; pkg:generic/oracle/jdk | cpe:2.3:a:oracle:graalvm_for_jdk:*:*:*:*:*:*:*:*; cpe:2.3:a:azul:zulu:*:*:*:*:*:*:*:*; cpe:2.3:a:oracle:openjdk:*:*:*:*:*:*:*:*; cpe:2.3:a:ibm:java_sdk:*:*:*:*:*:*:*:*; cpe:2.3:a:oracle:openjdk:*:*:*:*:*:*:*:*; cpe:2.3:a:oracle:jdk:*:*:*:*:*:*:*:*
jq-binary | jq | pkg:generic/jq | cpe:2.3:a:jqlang:jq:*:*:*:*:*:*:*:*
julia-binary | libjulia-internal.so | pkg:generic/julia | cpe:2.3:a:julialang:julia:*:*:*:*:*:*:*:*
lighttpd-binary | lighttpd | pkg:generic/lighttpd | cpe:2.3:a:lighttpd:lighttpd:*:*:*:*:*:*:*:*
mariadb-binary | {mariadb,mysql} | pkg:generic/mariadb | cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*
memcached-binary | memcached | pkg:generic/memcached | cpe:2.3:a:memcached:memcached:*:*:*:*:*:*:*:*
mysql-binary | mysql | pkg:generic/mysql | cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*
mysql-binary | mysql | pkg:generic/percona-server | cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*; cpe:2.3:a:percona:percona_server:*:*:*:*:*:*:*:*
mysql-binary | mysql | pkg:generic/percona-xtradb-cluster | cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*; cpe:2.3:a:percona:percona_server:*:*:*:*:*:*:*:*; cpe:2.3:a:percona:xtradb_cluster:*:*:*:*:*:*:*:*
nginx-binary | nginx | pkg:generic/nginx | cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*; cpe:2.3:a:nginx:nginx:*:*:*:*:*:*:*:*
nodejs-binary | node | pkg:generic/node | cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*
openssl-binary | openssl | pkg:generic/openssl | cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
perl-binary | perl | pkg:generic/perl | cpe:2.3:a:perl:perl:*:*:*:*:*:*:*:*
php-composer-binary | composer* | pkg:generic/composer | cpe:2.3:a:getcomposer:composer:*:*:*:*:*:*:*:*
postgresql-binary | postgres | pkg:generic/postgresql | cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
proftpd-binary | proftpd | pkg:generic/proftpd | cpe:2.3:a:proftpd:proftpd:*:*:*:*:*:*:*:*
pypy-binary-lib | libpypy*.so* | pkg:generic/pypy | -
python-binary | python* | pkg:generic/python | cpe:2.3:a:python_software_foundation:python:*:*:*:*:*:*:*:*; cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
python-binary-lib | libpython*.so* | pkg:generic/python | cpe:2.3:a:python_software_foundation:python:*:*:*:*:*:*:*:*; cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
redis-binary | redis-server | pkg:generic/redis | cpe:2.3:a:redislabs:redis:*:*:*:*:*:*:*:*; cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*
ruby-binary | ruby | pkg:generic/ruby | cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*
rust-standard-library-linux | libstd-*.so | pkg:generic/rust | cpe:2.3:a:rust-lang:rust:*:*:*:*:*:*:*:*
rust-standard-library-macos | libstd-*.dylib | pkg:generic/rust | cpe:2.3:a:rust-lang:rust:*:*:*:*:*:*:*:*
sqlcipher-binary | sqlcipher | pkg:generic/sqlcipher | cpe:2.3:a:zetetic:sqlcipher:*:*:*:*:*:*:*:*
swipl-binary | swipl | pkg:generic/swipl | cpe:2.3:a:erlang:erlang/otp:*:*:*:*:*:*:*:*
traefik-binary | traefik | pkg:generic/traefik | cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*
util-linux-binary | getopt | pkg:generic/util-linux | cpe:2.3:a:kernel:util-linux:*:*:*:*:*:*:*:*
wordpress-cli-binary | wp | pkg:generic/wp-cli | cpe:2.3:a:wp-cli:wp-cli:*:*:*:*:*:*:*:*
xtrabackup-binary | xtrabackup | pkg:generic/percona-xtrabackup | cpe:2.3:a:percona:xtrabackup:*:*:*:*:*:*:*:*
xz-binary | xz | pkg:generic/xz | cpe:2.3:a:tukaani:xz:*:*:*:*:*:*:*:*
zstd-binary | zstd | pkg:generic/zstd | cpe:2.3:a:facebook:zstandard:*:*:*:*:*:*:*:*

Vulnerability scanning

Data Source | Disclosures | Fixes | Track by
Sub-columns: Source | Package | Affected | Date | Versions | Date
National Vulnerability Database (NVD)

Grype Configuration
Configuration Key | Description
match.stock.using-cpes | Use CPE package identifiers to find vulnerabilities

Last modified November 26, 2025: allow local too invocation (d20d613)