Skip to content

Missing secondary evidence for .NET dependency in ghcr.io/open-telemetry/demo:2.0.0-accounting image #4652

New issue
New issue
Open
Open
Missing secondary evidence for .NET dependency in ghcr.io/open-telemetry/demo:2.0.0-accounting image#4652
Labels
bugSomething isn't working
@danielpacak

Description

@danielpacak
danielpacak
opened on Mar 4, 2026

What happened:

In the ghcr.io/open-telemetry/demo:2.0.0-accounting image the artifact's locations does not include the path to the /app/OpenTelemetry.AutoInstrumentation.dll artifact as secondary evidence.

What you expected to happen:

I expect that the /app/OpenTelemetry.AutoInstrumentation.dll is catalogued similarly to /app/OpenTelemetry.Api.dll and other .NET dependencies, i.e. the absolute path is reported as supporting evidence. But there's only primary evidence.

jq '.artifacts[] | select(.type=="dotnet" and .name=="OpenTelemetry.Api")' otel-demo-accounting-2.0.0.sbom.json

{
  "id": "69411b08da27b652",
  "name": "OpenTelemetry.Api",
  "version": "1.11.1",
  "type": "dotnet",
  "foundBy": "dotnet-deps-binary-cataloger",
  "locations": [
    {
      "path": "/app/Accounting.deps.json",
      "layerID": "sha256:d66d92da565fbb6300ad1374f6eff6b81b2bcdcab08cb91e549791611d94a4f0",
      "accessPath": "/app/Accounting.deps.json",
      "annotations": {
        "evidence": "primary"
      }
    },
    {
      "path": "/app/OpenTelemetry.Api.dll",
      "layerID": "sha256:d66d92da565fbb6300ad1374f6eff6b81b2bcdcab08cb91e549791611d94a4f0",
      "accessPath": "/app/OpenTelemetry.Api.dll",
      "annotations": {
        "evidence": "supporting"
      }
    }
  ]
}

Steps to reproduce the issue:

syft -o json ghcr.io/open-telemetry/demo:2.0.0-accounting > otel-demo-accounting-2.0.0.sbom.json

jq '.artifacts[] | select(.type=="dotnet" and .name=="OpenTelemetry.AutoInstrumentation")' otel-demo-accounting-2.0.0.sbom.json

{
  "id": "9b1c500315cce85a",
  "name": "OpenTelemetry.AutoInstrumentation",
  "version": "1.10.0",
  "type": "dotnet",
  "foundBy": "dotnet-deps-binary-cataloger",
  "locations": [
    {
      "path": "/app/Accounting.deps.json",
      "layerID": "sha256:d66d92da565fbb6300ad1374f6eff6b81b2bcdcab08cb91e549791611d94a4f0",
      "accessPath": "/app/Accounting.deps.json",
      "annotations": {
        "evidence": "primary"
      }
    }
  ],
  "licenses": [],
  "language": "dotnet",
  "cpes": [
    {
      "cpe": "cpe:2.3:a:opentelemetry_autoinstrumentation:opentelemetry_autoinstrumentation_.net:1.10.0:*:*:*:*:*:*:*",
      "source": "syft-generated"
    },
    {
      "cpe": "cpe:2.3:a:opentelemetry_autoinstrumentation:opentelemetry_autoinstrumentation:1.10.0:*:*:*:*:*:*:*",
      "source": "syft-generated"
    }
  ],
  "purl": "pkg:nuget/OpenTelemetry.AutoInstrumentation@1.10.0",
  "metadataType": "dotnet-deps-entry",
  "metadata": {
    "name": "OpenTelemetry.AutoInstrumentation",
    "version": "1.10.0",
    "path": "opentelemetry.autoinstrumentation/1.10.0",
    "sha512": "sha512-EUObGbWBxL51IFKoSKQINzGH0ratQuwhaBh+qEYs9vn0Y+VDuODBThBELmOeixKXpMG5NbctQNZWHcLyYtssYg==",
    "hashPath": "opentelemetry.autoinstrumentation.1.10.0.nupkg.sha512",
    "type": "package"
  }
}

As you can see there's no secondary evidence in the locations array.

Anything else we need to know?:

N/A

Environment:

  • Output of syft version: 1.42.1
  • OS (e.g: cat /etc/os-release or similar): Ubuntu 24.04.4 LTS (Noble Numbat)

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Projects

    OSS

    Status

    No status

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions