
Conversation

@spiffcs (Contributor) commented Oct 5, 2021

New output after running Syft against its own image when using this branch:

go run main.go anchore/syft:latest

New: (screenshot: Screen Shot 2021-10-05 at 3 41 18 PM)

Old: (screenshot: Screen Shot 2021-10-05 at 3 43 00 PM)

@spiffcs spiffcs changed the title from "478 identify go binaries" to "478 identify go binaries and extract mod information" Oct 5, 2021
wagoodman and others added 6 commits October 6, 2021 10:27
Signed-off-by: Christopher Angelo Phillips <[email protected]>
- add bin cataloger
- add bin parser
- add mime type go utils
- import new resolver

Signed-off-by: Christopher Angelo Phillips <[email protected]>
Signed-off-by: Christopher Angelo Phillips <[email protected]>
- keep them in their own (original) files
- add note for "this code was copied from"
- comment the lines the required changing

Signed-off-by: Christopher Angelo Phillips <[email protected]>
Signed-off-by: Christopher Angelo Phillips <[email protected]>
@spiffcs spiffcs force-pushed the 478-identify-go-binaries branch from bf6e326 to 8b199ee Compare October 6, 2021 14:29
@github-actions bot commented Oct 6, 2021

Benchmark Test Results

Benchmark results from the latest changes vs base branch
name                                                   old time/op    new time/op    delta
ImagePackageCatalogers/ruby-gemspec-cataloger-2          1.02ms ± 5%    1.16ms ± 2%  +13.43%  (p=0.008 n=5+5)
ImagePackageCatalogers/python-package-cataloger-2        1.75ms ± 4%    2.00ms ± 2%  +14.12%  (p=0.008 n=5+5)
ImagePackageCatalogers/javascript-package-cataloger-2     501µs ± 0%     578µs ± 1%  +15.31%  (p=0.016 n=4+5)
ImagePackageCatalogers/dpkgdb-cataloger-2                 512µs ± 2%     580µs ± 2%  +13.32%  (p=0.008 n=5+5)
ImagePackageCatalogers/rpmdb-cataloger-2                  529µs ± 2%     586µs ± 3%  +10.71%  (p=0.008 n=5+5)
ImagePackageCatalogers/java-cataloger-2                  10.4ms ± 3%    12.0ms ± 2%  +15.99%  (p=0.008 n=5+5)
ImagePackageCatalogers/apkdb-cataloger-2                  822µs ± 2%     900µs ± 2%   +9.53%  (p=0.008 n=5+5)
ImagePackageCatalogers/rust-cataloger-2                   475µs ± 5%     485µs ± 2%     ~     (p=0.151 n=5+5)

name                                                   old alloc/op   new alloc/op   delta
ImagePackageCatalogers/ruby-gemspec-cataloger-2           146kB ± 0%     146kB ± 0%     ~     (p=0.310 n=5+5)
ImagePackageCatalogers/python-package-cataloger-2         755kB ± 0%     755kB ± 0%     ~     (p=0.310 n=5+5)
ImagePackageCatalogers/javascript-package-cataloger-2     118kB ± 0%     118kB ± 0%     ~     (p=0.690 n=5+5)
ImagePackageCatalogers/dpkgdb-cataloger-2                 133kB ± 0%     133kB ± 0%     ~     (p=0.889 n=5+5)
ImagePackageCatalogers/rpmdb-cataloger-2                  140kB ± 0%     140kB ± 0%   +0.00%  (p=0.008 n=5+5)
ImagePackageCatalogers/java-cataloger-2                  2.74MB ± 1%    2.74MB ± 0%     ~     (p=0.841 n=5+5)
ImagePackageCatalogers/apkdb-cataloger-2                 1.18MB ± 0%    1.18MB ± 0%     ~     (p=0.063 n=5+5)
ImagePackageCatalogers/rust-cataloger-2                   123kB ± 0%     109kB ± 0%  -11.50%  (p=0.008 n=5+5)

name                                                   old allocs/op  new allocs/op  delta
ImagePackageCatalogers/ruby-gemspec-cataloger-2           2.41k ± 0%     2.41k ± 0%     ~     (all equal)
ImagePackageCatalogers/python-package-cataloger-2         9.58k ± 0%     9.58k ± 0%     ~     (p=1.000 n=5+5)
ImagePackageCatalogers/javascript-package-cataloger-2     1.99k ± 0%     1.99k ± 0%     ~     (all equal)
ImagePackageCatalogers/dpkgdb-cataloger-2                 2.54k ± 0%     2.54k ± 0%     ~     (all equal)
ImagePackageCatalogers/rpmdb-cataloger-2                  3.25k ± 0%     3.25k ± 0%     ~     (all equal)
ImagePackageCatalogers/java-cataloger-2                   37.5k ± 0%     37.5k ± 0%     ~     (p=0.524 n=5+5)
ImagePackageCatalogers/apkdb-cataloger-2                  2.49k ± 0%     2.49k ± 0%     ~     (p=0.643 n=5+5)
ImagePackageCatalogers/rust-cataloger-2                   3.21k ± 0%     2.31k ± 0%     ~     (p=0.079 n=4+5)

@spiffcs spiffcs marked this pull request as ready for review October 6, 2021 21:04
@cburgess commented Oct 6, 2021

This implementation is different than our internal one (we generate an anchore_hints.json file at binary build time so we use the compiler to output the result and massage it), but one issue we recently hit is that our initial implementation (now fixed) included the v in the go version strings (e.g. v1.1.1) but the CPE strings in the NVD seem to never contain the v. I see that this is including the v in the output. For the generated CPE string is the v being stripped?

@spiffcs (Contributor, Author) commented Oct 7, 2021

@wagoodman updated code inline with PR comments

@spiffcs (Contributor, Author) commented Oct 7, 2021

I'll update the failing integration tests. Looks like there was a regression covering if a cataloger was removed.

@cburgess commented Oct 7, 2021

The other thing our internal implementation does is extract the version of go used to build the binary and add that to the hints file. I believe that’s in a different location in the binary but I’m thinking it would be nice to provide that as well, possibly controlled by a flag. There have been cases in the past of a bug/vulnerability in the compiler being inherited by the binaries it produces.

pkgsSlice := make([]pkg.Package, 0)
fields := strings.Fields(mod)

// slice off root package info
Review comment (Contributor):

it seems like this block could be removed if the loop below was simplified to a line scanner:

scanner := bufio.NewScanner(strings.NewReader(mod))
for scanner.Scan() {
    fields := strings.Fields(scanner.Text())
    switch fields[0] {
    case packageIdentifier:
        ...
    }
}

}
}

sort.SliceStable(pkgsSlice, func(i, j int) bool {
Review comment (Contributor):

question: is this sort necessary?

{},
},
},
{
Review comment (Contributor):

I think the correct answer in this case is to use the replacement value and not the original entry
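The three review points above (the leading "v" that NVD CPE strings omit, the line-scanner approach, and taking the "=>" replacement value instead of the original entry) in one piece of working code. This is an added example, not Syft's cataloger; the GoPackage type, the function names and the sample module listing are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// GoPackage is a hypothetical record of one module found in a binary (not Syft's own type).
type GoPackage struct {
	Path, Version, Sum string
}

// Constructed sample in the tab-separated form Go embeds in a binary (`go version -m` prints the same).
const sampleModInfo = "path\tgithub.com/example/app\n" +
	"mod\tgithub.com/example/app\t(devel)\t\n" +
	"dep\tgithub.com/spf13/cobra\tv1.2.1\th1:abc=\n" +
	"dep\tgolang.org/x/text\tv0.3.6\th1:def=\n" +
	"=>\tgithub.com/example/fork-text\tv0.3.7\th1:ghi=\n"

// ParseGoModInfo scans the listing line by line (the scanner approach from review) and returns
// the main module plus each dependency; a "=>" line replaces the dependency just before it.
func ParseGoModInfo(mod string) []GoPackage {
	var pkgs []GoPackage
	scanner := bufio.NewScanner(strings.NewReader(mod))
	for scanner.Scan() {
		fields := strings.Split(scanner.Text(), "\t")
		if len(fields) < 4 { // "path" and "build" lines carry no module record
			continue
		}
		p := GoPackage{Path: fields[1], Version: fields[2], Sum: fields[3]}
		switch fields[0] {
		case "mod", "dep":
			pkgs = append(pkgs, p)
		case "=>":
			if n := len(pkgs); n > 0 {
				pkgs[n-1] = p // use the replacement value, not the original entry
			}
		}
	}
	return pkgs
}

// CPEVersion drops the leading "v" of a Go module version; NVD CPE strings record the bare number.
func CPEVersion(v string) string { return strings.TrimPrefix(v, "v") }

func main() {
	for _, p := range ParseGoModInfo(sampleModInfo) {
		fmt.Println(p.Path, p.Version, "cpe-version:", CPEVersion(p.Version))
	}
}
```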

@spiffcs (Contributor, Author) commented Oct 7, 2021

> The other thing our internal implementation does is extract the version of go used to build the binary and add that to the hints file. I believe that’s in a different location in the binary but I’m thinking it would be nice to provide that as well, possibly controlled by a flag. There have been cases in the past of a bug/vulnerability in the compiler being inherited by the binaries it produces.

Interesting - @wagoodman should we get the version of go used and add that as a package in the list?

@spiffcs (Contributor, Author) commented Oct 7, 2021

@cburgess we're going to implement a custom package metadata type in a follow-on PR that captures the sha of the identified package as well as the Golang version used to compile it.

We're trying to stay open here since we have more exploration to do on the go build list side of scanning go projects. We want to make sure we get the correct metadata information lined up across mod file build list and binary unpacking.

Really appreciate your insight since it helps us make sure we are keeping the most required bits for vuln scanning front and center.

@cburgess commented Oct 7, 2021

@spiffcs makes sense. As I said, just excited to see some of this making its way into the product.

@wagoodman (Contributor) left a review comment:

nice job!

@spiffcs spiffcs merged commit 3462e18 into main Oct 7, 2021
@spiffcs spiffcs deleted the 478-identify-go-binaries branch October 7, 2021 16:16
@spiffcs spiffcs added the enhancement New feature or request label Oct 7, 2021
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
* add query by MIME type to source.FileResolver

Signed-off-by: Alex Goodman <[email protected]>

* import stereoscope lib changes to find mime type

- add bin cataloger
- add bin parser
- add mime type go utils
- import new resolver

Signed-off-by: Christopher Angelo Phillips <[email protected]>

* add go std library code to unpack bin

- keep them in their own (original) files
- add note for "this code was copied from"
- comment the lines the required changing

Signed-off-by: Christopher Angelo Phillips <[email protected]>
Co-authored-by: Alex Goodman <[email protected]>


Successfully merging this pull request may close these issues.

Catalog Go modules used in Go binaries