Syft incorrectly identifies NuGet package "Newtonsoft.Json" as "Json.NET" with incorrect version

[100tomer]

What happened:
When scanning the NuGet package Newtonsoft.Json version 12.0.3, Syft incorrectly identifies the package as Json.NET instead of Newtonsoft.Json. Additionally, the version includes build metadata as 12.0.3.23909 instead of the correct 12.0.3.

What you expected to happen:

• The package should be detected as Newtonsoft.Json, not Json.NET.
• The version should be reported as 12.0.3.

Steps to reproduce the issue:

1. Download the Newtonsoft.Json NuGet package (version 12.0.3) - https://www.nuget.org/packages/Newtonsoft.Json/12.0.3
2. Run Syft to scan the extracted package directory.

   syft ./newtonsoft.json.12.0.3 --output json

Anything else we need to know?:
No

Environment:

• Syft version: 1.19.0
• OS: macOS Sequoia

[kzantow]

It was mentioned on the livestream this week, but I'll reiterate here so it doesn't get lost: the reason this package is showing up as Json.NET is because it's currently finding this in the "productName" field in the DLL(s). For example, download the package here and run:

syft -o json lib/net45/Newtonsoft.Json.dll

then look in the Syft-generated JSON, it shows the properties read from the DLL:

    {
      "name": "Json.NET",
...
      "metadata": {
        "assemblyVersion": "12.0.0.0",
        "legalCopyright": "Copyright © James Newton-King 2008",
        "comments": "Json.NET is a popular high-performance JSON framework for .NET",
        "internalName": "Newtonsoft.Json.dll",
        "companyName": "Newtonsoft",
        "productName": "Json.NET",
        "productVersion": "12.0.3+7c3d7f8da7e35dde8fa74188b0decff70f8f10e3"
      }
    }

It looks like the Json.NET name is used in quite a few places in the Newtonsoft.JSON project documentation and repository. If "Json.NET" is incorrect, it could be worth pointing this out to the Newtonsoft folks to see if it should be updated. It's quite unclear to us what the right thing to do here is.

[100tomer]

It was mentioned on the livestream this week, but I'll reiterate here so it doesn't get lost: the reason this package is showing up as Json.NET is because it's currently finding this in the "productName" field in the DLL(s). For example, download the package here and run:

syft -o json lib/net45/Newtonsoft.Json.dll

then look in the Syft-generated JSON, it shows the properties read from the DLL:

    {
      "name": "Json.NET",
...
      "metadata": {
        "assemblyVersion": "12.0.0.0",
        "legalCopyright": "Copyright © James Newton-King 2008",
        "comments": "Json.NET is a popular high-performance JSON framework for .NET",
        "internalName": "Newtonsoft.Json.dll",
        "companyName": "Newtonsoft",
        "productName": "Json.NET",
        "productVersion": "12.0.3+7c3d7f8da7e35dde8fa74188b0decff70f8f10e3"
      }
    }

It looks like the Json.NET name is used in quite a few places in the Newtonsoft.JSON project documentation and repository. If "Json.NET" is incorrect, it could be worth pointing this out to the Newtonsoft folks to see if it should be updated. It's quite unclear to us what the right thing to do here is.

Thanks for responding!

Is there a way to explicitly specify the package name or version when running Syft? That might help ensure the correct name is captured.

Also, would it be possible for Syft to scan the NuGet .nuspec file? As far as I know, the .nuspec is the source of truth for the package name, so using it might provide a more accurate result.