Redis modules (.so) in redis:latest are not included in Syft SBOM

[sieunni]

Hello,

I was analyzing SBOM completeness for container images using Syft and noticed that Redis modules present in the redis:latest image are not included in the generated SBOM.

Inside the container, the following Redis modules exist:

/usr/local/lib/redis/modules/

Files:

• redisbloom.so
• redisearch.so
• redistimeseries.so
• rejson.so

I verified this by running:

docker run -it redis:latest bash
ls /usr/local/lib/redis/modules/

However, when generating an SBOM using Syft, these modules do not appear in the component list.

Example commands:

syft redis:latest -o table | grep redis

Output:

redis 8.6.1 binary

CycloneDX output:

syft redis:latest -o cyclonedx-json | jq '.components[].name' | grep redis

Output:

"redis"
"/usr/local/bin/redis-server"

The Redis modules are not included in the SBOM.

Environment:

Syft version: 1.42.2
Image: redis:latest

Question:

Is this expected behavior because these modules are standalone shared libraries (.so) that are not associated with a package manager?

Or would it be useful for Syft to detect such modules as components in the SBOM?

Thanks for your work on Syft!

[kzantow]

We talked about this on our livestream last week and I'm having a hard time remembering the specifics, but it seemed as though there has been a lot of change to the way redis modules have been packaged, distributed, and had vulnerabilities reported. If there are some specific suggestions you have to do a better job cataloging and ultimately reporting vulnerabilities here, we would love to know!