Python egg packages are not parsed for SBOM

[Oh-Py-God]

What happened:
While trying to generate SBOM for a package containing a python package in egg form, syft is not able to capture the same in SBOM.

What you expected to happen:
egg package should have been discovered as part of SBOM.

Steps to reproduce the issue:
Create a simple python project with egg dependency shipped along.
Run the syft command on the project

Anything else we need to know?:
PFA screenshot for your reference.

Environment:

• Output of syft version:

Version:            0.75.0
JsonSchemaVersion:  7.0.1
BuildDate:          2023-03-13T17:50:56Z
GitCommit:          cc0a376aba43e7f9c5fe66320643f72088533838
GitDescription:     v0.75.0
Platform:           darwin/arm64
GoVersion:          go1.19.6
Compiler:           gc

• OS (e.g: cat /etc/os-release or similar): MacOS Ventura 13.2.1

[tgerla]

Hi @Oh-Py-God, would you be able to share the .egg file you are working with so we can reproduce this issue? Thanks!

[Oh-Py-God]

@tgerla attaching the egg file for your reference.

boto3-1.9.5-py2.7.egg.zip

[tgerla]

Thank you! We will investigate and get back to you when we have an update.

What I've found so far:

This boto3 egg has an EGG-INFO/ directory that contains the PKG-INFO file we use for package detection, but Syft is looking for egg-info/PKG-INFO (lowercase). If I unpack the archive and rename EGG-INFO/ to egg-info/, the detection seems to work as expected:

tgerla@Timothys-MacBook-Pro-2 t % mv EGG-INFO egg-info
tgerla@Timothys-MacBook-Pro-2 t % syft .
 ✔ Indexed .
 ✔ Cataloged packages      [1 packages]

NAME   VERSION  TYPE
boto3  1.9.5    python

It may be the case that we need to expand our search glob to include EGG-INFO. I will let the development team know and we will do some more research.

syft/syft/pkg/cataloger/python/cataloger.go

Line 21 in c038f13

WithParserByGlobs(parseWheelOrEgg, eggInfoGlob, "**/*dist-info/METADATA", "**/*egg-info/PKG-INFO")

[Oh-Py-God]

Thanks for looking into this, @tgerla.

I have also observed that syft does not parse .egg-info directories properly. PFA screenshot and sample .egg-info for your reference.

python-dateutil.egg-info.zip

[tgerla]

Hi @Oh-Py-God, thanks for the additional details. Do you happen to know why the boto3 egg file might have EGG-INFO in uppercase, where other eggs might be using lowercase? If you don't know, that's fine, but we thought we would ask. Thank you!

[Oh-Py-God]

Hi @tgerla, apologies for the delayed response. While generating SBOM for different products in my organization, I came across certain build processes where EGG-INFO (uppercase) directories were found.

Also, referring to the setuptools page, it is evident to find this type of a structure.

Let me know if further information is needed to fix this.

[tgerla]

Hi @Oh-Py-God, thanks for the reply! We will probably extend the glob search to include uppercase EGG-INFO and uppercase DIST-INFO to solve this problem.