feat: Add binary version parsing for nodejs, php and python #6524
Conversation
|
Levente Kovacs seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account. You have signed the CLA already but the status is still pending? Let us recheck it. |
|
I signed the cla... Not sure why it's not triggering as signed. On my forked branch, every test passed, so if you trigger the tests it should be good. |
|
Hmm, while all tests are passing, I do not see the new binary results when I build the trivy from source and run the same experiment as in #6457, I'm not sure why that is the case. EDIT: Guess I realized that I not only need to implement the parsing, but the analyzer logic as part of fanal. I'll try that. |
|
I have spent some time with this. Now python version is detected correctly by trivy and added into the sbom in a way that xeol detects it properly according to my use case. I looked into implementing vulnerability scanning as well for standalone binaries, but I think at first only having it part of sboms is a step forward. There are a few problems regarding implementing this with standalone binaries:
The only way I see to implement this nicely is by adding CPE support and also putting together a Get function for the NVD vulnsrc linked in 3rd point. Other way: just hack together an NVD get interface since it'd be used only for the scanner as a fallback in case of generic binary is detected, not for regular vulnerability scanning. Now that I know how to implement these things, I think I can put together the remaining parts (Java, PHP, NodeJS binary as part of package detection and SBOMs) in the upcoming days and the PR would be ready. |
kovacs-levent
changed the title
|
I have added support for PHP and Nodejs standalone binaries and it works like a charm with the sboms. I'm dropping support for Java because I found that it's harder to correctly determine the package type (JRE vs. JDK), and I won't go down the rabbithole since it's not part of my usecase. Only issue I discovered yesterday is that this will break lots of integration tests which I'll have to adjust those accordingly. After I'll adjust integration tests, I think this PR can be merged. |
There was a problem hiding this comment.
Hello @kovacs-levent
Thanks for this PR.
I left some comments. Some these comments same for nodejs, php and python.
Also parsers are very similar.
I think we can merge them to 1 package. Something like this:
parser:
├── executable
│ ├── exe.go
│ ├── nodejs
│ ├── parse.go
│ ├── parse_test.go
│ └── testdata
│ ├── python
│ ├── parse.go
│ ├── parse_test.go
│ └── testdata
│ └── php
│ ├── parse.go
│ ├── parse_test.go
│ └── testdata
about analyzers:
looks like we can add new logic here - https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/analyzer/executable/executable.go
If a php/python/npm binary is found, use its parser and add the library.
wdyt?
go.mod
Outdated
| @@ -124,6 +124,7 @@ require ( | |||
| github.com/alecthomas/chroma v0.10.0 | |||
| github.com/antchfx/htmlquery v1.3.0 | |||
| github.com/apparentlymart/go-cidr v1.1.0 | |||
| github.com/aquasecurity/go-dep-parser v0.0.0-20240213093706-423cd04548a5 | |||
There was a problem hiding this comment.
go-dep-parser in Trivy now - https://github.com/aquasecurity/trivy/tree/main/pkg/dependency/parser
There was a problem hiding this comment.
I removed the go-dep-parser as a dependency, it only uses the internal package now
| return nil, err | ||
| } | ||
|
|
||
| if bytes.HasPrefix(data, []byte("\x7FELF")) { |
There was a problem hiding this comment.
What about windows and macos formats?
There was a problem hiding this comment.
Haven't thought about that yet. Will have to check on those.
There was a problem hiding this comment.
I tried testing with Windows PEs, the interface can be implemented for exe and OpenExe, but the regex based detection methods don't work on the PE files I tried (I did manual testing to confirm). I honestly don't have any experience with macos binaries 🫤 So not sure if I can implement the interface for those. I also tried to obtain files to test with, but failed, since now I don't have access to a macos system. Any idea if regex based detection would work on those?
If not, I'd rather not bother with implementing this for those binaries, even though you could implement the interface and executableAnalyzer would still run on those, the binary version detection won't give package in the AnalysisResult.
| } | ||
|
|
||
| // Python's version pattern is [NUL]3.11.2[NUL] | ||
| re := regexp.MustCompile(`^\d{1,4}\.\d{1,4}\.\d{1,4}[-._a-zA-Z0-9]*$`) |
There was a problem hiding this comment.
Can you add a comment with a link where you get this regex?
There was a problem hiding this comment.
It's from syft... Should I link that? All the regexes I used, I mostly copied them from syft. For example python regex:
https://github.com/anchore/syft/blob/b04bc0fbfe5742a970aa3f06594b1e82c87eb4a5/syft/pkg/cataloger/binary/classifiers.go#L495
|
|
||
| var libs []types.Library | ||
| libs = append(libs, types.Library{ | ||
| ID: packageID(name, vers), |
There was a problem hiding this comment.
You use dependent.ID once. So you can just use it here.
| ID: packageID(name, vers), | |
| ID: dependency.ID(ftypes.PythonGeneric, name, version), |
There was a problem hiding this comment.
Removed the packageID function from all parsers and replaced with dependency.ID call only
| } | ||
| } | ||
|
|
||
| return "python", vers |
There was a problem hiding this comment.
Is there a way to determine package name?
Looks like it might be confusing if all detected binaries are named "python"
There was a problem hiding this comment.
I don't think so unfortunately, if there was additional package information, the standalone binary detection would not be needed. But I will look into it if it's obtainable from some metadata.
There was a problem hiding this comment.
There's a way to try detect it with OS package managers, but they don't necessarily yield results unfortunately. I think if these were in package manager, then OS pkg analyzer would be scanning these, so probably also not the right way to go about it.
I wasn't able to find any way to figure out more concrete package name from the standalone binaries.
| for _, tt := range tests { | ||
| t.Run(tt.name, func(t *testing.T) { | ||
| a := pythonBinaryAnalyzer{} | ||
| fileInfo, err := os.Lstat(tt.filePath) |
There was a problem hiding this comment.
Looks like we can use 1 file and change names, permissions, etc. in test.
Then we can reduce the number of copies of test files.
There was a problem hiding this comment.
Yeah, I'll rework the tests for fanal in an upcoming commit.
There was a problem hiding this comment.
Fanal test cases were reworked. It uses the common logic of executable tests. Added test cases for Python/Node/PHP binaries.
pkg/scanner/langpkg/scan.go
Outdated
| @@ -65,7 +65,6 @@ func (s *scanner) Scan(target types.ScanTarget, _ types.ScanOptions) (types.Resu | |||
| } | |||
|
|
|||
| logger := log.WithPrefix(string(app.Type)) | |||
|
|
|||
There was a problem hiding this comment.
Looks like we don't need this change.
There was a problem hiding this comment.
Hmm, not sure why I did it, but I'll remove it in next commit, it's just some "automatic" line deletion I did I guess :)
| @@ -0,0 +1,82 @@ | |||
| // Ported from https://github.com/golang/go/blob/e9c96835971044aa4ace37c7787de231bbde05d9/src/cmd/go/internal/version/exe.go | |||
There was a problem hiding this comment.
It looks like Go 1.22 doesn't have this file. Can you please update the link and double check - we may need to add some changes.
There was a problem hiding this comment.
I unfortunately didn't find this in Go 1.22 either. I'll take a look into this in next commit.
There was a problem hiding this comment.
I have updated the link and also the implementation was changed.
It's not a 1on1 port, since they repurposed it for capturing Go main module version, but we need to read whole executable file, but I used the same ideas. It also contains interfaces for other binaries (didn't put those in, only elf).
| pythonLibNameRegex := regexp.MustCompile("^libpython[0-9]+(?:[.0-9]+)+[a-z]?[.]so.*$") | ||
| pythonBinaryNameRegex := regexp.MustCompile("(?:.*/|^)python(?P<version>[0-9]+(?:[.0-9]+)+)?$") |
There was a problem hiding this comment.
will be great if you add some comment about these regex (e.g. link to docs)
There was a problem hiding this comment.
Same as for the other regexes, it's from Syft, should I link that?
https://github.com/anchore/syft/blob/b04bc0fbfe5742a970aa3f06594b1e82c87eb4a5/syft/pkg/cataloger/binary/classifiers.go#L495
pkg/fanal/analyzer/const.go
Outdated
| TypePip Type = "pip" | ||
| TypePipenv Type = "pipenv" | ||
| TypePoetry Type = "poetry" | ||
| TypePythonGeneric Type = "python" |
There was a problem hiding this comment.
looks like we can use executable for new binaries
There was a problem hiding this comment.
Change all the types to become "TypeXExecutable".
There was a problem hiding this comment.
I understand what you meant here now, that all the new binaries could be TypeExecutable.
I use the language specific types in fanal executable.go, to figure out which binary type was detected in case of "detectable" binary. It can be localized to executable.go instead and use the common type for the "outside" return types.
There was a problem hiding this comment.
I added them as a separate, new group of variables instead in this same file.
|
Thanks for the feedback, I will make the changes when I have the time, this week’s been busy, but I’ll try to make progress when I have the time. |
|
As you can see, I finally got to finish up this PR. I'm going to work some more on this in the upcoming days, so that all the comments are reflected in the changes. I did refactor the code to have the proposed structure. |
…y into parse-binary-versions
kovacs-levent
force-pushed
the
parse-binary-versions
branch
from
1a78560
to
39c24d0
Compare
kovacs-levent
force-pushed
the
parse-binary-versions
branch
from
39c24d0
to
e6e3165
Compare
…y into parse-binary-versions
|
I had some troubles with rebasing, probably shouldn't have waited so long with that 😓 I had to force push, because other people's commits started appearing here, so I did a hard reset. Sorry for the ugly commit history 🤷 |
|
I have encountered a weird issue now... I found that if Rekor sbom source is not specificed, then ExecutableAnalyzer is getting disabled. https://github.com/aquasecurity/trivy/blob/main/pkg/commands/artifact/run.go#L514 Can someone shed some light on why is that? The commit message contains a PR... Seems like completely unrelated issue: #6163 For some reason, the whole executable analyzer was disabled, instead of only disabling Rekor queries based on the executables. Can you please provide some insight on whether it's fine to remove this, and how could I go about it to disable Rekor queries instead? @DmitriyLewen |
|
Problem is that, with Rekor enabled, it works fine for me, but it takes significantly longer to scan with Rekor, even though I'm not interested in that information. |
I fixed this issue in the following commit. Now if the Rekor flag isn't enabled, it only skips the "unpackaged" hook, so Rekor queries are only made if the Rekor is actually specified, but executable analysis still happens regardless. |
|
Hello @kovacs-levent I'm working on other priority tasks. Regards, Dmitriy |
Description
Implement binary version parsing for at least key binaries. The feature should be extended upon, but first round, I'm going to be focusing stuff which matters for my use-case (PHP, NodeJS, Python)... I'm keeping Java binary parsing since it's already been implemented by laurentdelosieresmano in the related PR👍 Since go-dep-parser was moved to this Repo, I'm reopening the PR and adding Python dep parsing.
Related issues
Related PRs
Checklist