valkey is detected as both of valkey and redis

[witchcraze]

What happened:

valkey is detected as both of valkey and redis.
This will lead some false positive results at downstream softwares.

What you expected to happen:

valkey is NOT detected as redis

Steps to reproduce the issue:

$ syft -q valkey/valkey:8.1.4 -o json | jq '.artifacts.[] | select(.name == "
valkey" or .name == "redis")'
{
  "id": "1336f25395d26748",
  "name": "redis",
  "version": "8.1.4",
  "type": "binary",
  "foundBy": "binary-classifier-cataloger",
  "locations": [
    {
      "path": "/usr/local/bin/valkey-server",
      "layerID": "sha256:4dacb74b29f376018a70bfb412693a07dc7c235f01460f5020428c30fe7d99c2",
      "accessPath": "/usr/local/bin/redis-server",
      "annotations": {
        "evidence": "primary"
      }
    }
  ],
  "licenses": [],
  "language": "",
  "cpes": [
    {
      "cpe": "cpe:2.3:a:redislabs:redis:8.1.4:*:*:*:*:*:*:*",
      "source": "nvd-cpe-dictionary"
    },
    {
      "cpe": "cpe:2.3:a:redis:redis:8.1.4:*:*:*:*:*:*:*",
      "source": "nvd-cpe-dictionary"
    }
  ],
  "purl": "pkg:generic/redis@8.1.4",
  "metadataType": "binary-signature",
  "metadata": {
    "matches": [
      {
        "classifier": "redis-binary",
        "location": {
          "path": "/usr/local/bin/valkey-server",
          "layerID": "sha256:4dacb74b29f376018a70bfb412693a07dc7c235f01460f5020428c30fe7d99c2",
          "accessPath": "/usr/local/bin/redis-server",
          "annotations": {
            "evidence": "primary"
          }
        }
      }
    ]
  }
}
{
  "id": "8f7ad0a2e846e8c8",
  "name": "valkey",
  "version": "8.1.4",
  "type": "binary",
  "foundBy": "binary-classifier-cataloger",
  "locations": [
    {
      "path": "/usr/local/bin/valkey-server",
      "layerID": "sha256:4dacb74b29f376018a70bfb412693a07dc7c235f01460f5020428c30fe7d99c2",
      "accessPath": "/usr/local/bin/valkey-server",
      "annotations": {
        "evidence": "primary"
      }
    }
  ],
  "licenses": [],
  "language": "",
  "cpes": [
    {
      "cpe": "cpe:2.3:a:lfprojects:valkey:8.1.4:*:*:*:*:*:*:*",
      "source": "nvd-cpe-dictionary"
    },
    {
      "cpe": "cpe:2.3:a:linuxfoundation:valkey:8.1.4:*:*:*:*:*:*:*",
      "source": "nvd-cpe-dictionary"
    },
    {
      "cpe": "cpe:2.3:a:valkey-io:valkey:8.1.4:*:*:*:*:*:*:*",
      "source": "nvd-cpe-dictionary"
    }
  ],
  "purl": "pkg:generic/valkey@8.1.4",
  "metadataType": "binary-signature",
  "metadata": {
    "matches": [
      {
        "classifier": "valkey-binary",
        "location": {
          "path": "/usr/local/bin/valkey-server",
          "layerID": "sha256:4dacb74b29f376018a70bfb412693a07dc7c235f01460f5020428c30fe7d99c2",
          "accessPath": "/usr/local/bin/valkey-server",
          "annotations": {
            "evidence": "primary"
          }
        }
      }
    ]
  }
}

Anything else we need to know?:

anchore/grype#3134 will be related impact.

[kzantow]

Hey @witchcraze,

One observation is that redis appears to be a symlink to valkey-server, we could potentially add some logic to the binary classifiers to ensure that the file found by the **/redis glob isn't a symlink, which would take an enhancement.

We also have some facilities to require multiple conditions, for example the java classifiers are getting a bit more complex to avoid detecting incorrect things for similar reasons.

We certainly welcome any PRs here!