
Python egg packages are not parsed for SBOM #1761

Closed
Oh-Py-God opened this issue Apr 26, 2023 · 7 comments · Fixed by #2239
Labels
bug Something isn't working

Comments

@Oh-Py-God

What happened:
While trying to generate an SBOM for a package containing a Python package in egg form, syft is not able to capture it in the SBOM.

What you expected to happen:
The egg package should have been discovered as part of the SBOM.

Steps to reproduce the issue:
Create a simple Python project with an egg dependency shipped along.
Run the syft command on the project.

Anything else we need to know?:
PFA screenshot for your reference.
[screenshot attached]

Environment:

  • Output of syft version:
Version:            0.75.0
JsonSchemaVersion:  7.0.1
BuildDate:          2023-03-13T17:50:56Z
GitCommit:          cc0a376aba43e7f9c5fe66320643f72088533838
GitDescription:     v0.75.0
Platform:           darwin/arm64
GoVersion:          go1.19.6
Compiler:           gc
  • OS (e.g: cat /etc/os-release or similar): macOS Ventura 13.2.1
Oh-Py-God added the bug label Apr 26, 2023
@tgerla
Contributor

tgerla commented Apr 26, 2023

Hi @Oh-Py-God, would you be able to share the .egg file you are working with so we can reproduce this issue? Thanks!

@Oh-Py-God
Author

@tgerla attaching the egg file for your reference.

boto3-1.9.5-py2.7.egg.zip

@tgerla
Contributor

tgerla commented Apr 26, 2023

Thank you! We will investigate and get back to you when we have an update.

What I've found so far:

This boto3 egg has an EGG-INFO/ directory that contains the PKG-INFO file we use for package detection, but Syft is looking for egg-info/PKG-INFO (lowercase). If I unpack the archive and rename EGG-INFO/ to egg-info/, the detection seems to work as expected:

tgerla@Timothys-MacBook-Pro-2 t % mv EGG-INFO egg-info
tgerla@Timothys-MacBook-Pro-2 t % syft .
 ✔ Indexed .
 ✔ Cataloged packages      [1 packages]

NAME   VERSION  TYPE
boto3  1.9.5    python

It may be the case that we need to expand our search glob to include EGG-INFO. I will let the development team know and we will do some more research.

WithParserByGlobs(parseWheelOrEgg, eggInfoGlob, "**/*dist-info/METADATA", "**/*egg-info/PKG-INFO")

@Oh-Py-God
Author

Thanks for looking into this, @tgerla.

I have also observed that syft does not parse .egg-info directories properly. PFA screenshot and sample .egg-info for your reference.

[screenshot attached]

python-dateutil.egg-info.zip

@tgerla
Contributor

tgerla commented May 11, 2023

Hi @Oh-Py-God, thanks for the additional details. Do you happen to know why the boto3 egg file might have EGG-INFO in uppercase, where other eggs might be using lowercase? If you don't know, that's fine, but we thought we would ask. Thank you!

@Oh-Py-God
Author

Hi @tgerla, apologies for the delayed response. While generating SBOM for different products in my organization, I came across certain build processes where EGG-INFO (uppercase) directories were found.

Also, referring to the setuptools page, it is evident that this type of structure occurs.

Let me know if further information is needed to fix this.

@tgerla
Contributor

tgerla commented Oct 19, 2023

Hi @Oh-Py-God, thanks for the reply! We will probably extend the glob search to include uppercase EGG-INFO and uppercase DIST-INFO to solve this problem.
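To make the case-sensitivity problem concrete, here is an added Go example (not syft's code) that runs the glob set quoted earlier in the thread, and the same set extended with the uppercase EGG-INFO / DIST-INFO variants proposed above, over a constructed file listing. The `matchMetadata` helper and the `example-1.0.dist-info` path are assumptions for the demonstration; only the boto3 and python-dateutil names come from the issue.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Globs syft used when this issue was filed (quoted in the thread above), and
// the same set with the uppercase variants the maintainer proposes adding.
var originalGlobs = []string{"**/*dist-info/METADATA", "**/*egg-info/PKG-INFO"}
var extendedGlobs = []string{"**/*dist-info/METADATA", "**/*DIST-INFO/METADATA",
	"**/*egg-info/PKG-INFO", "**/*EGG-INFO/PKG-INFO"}

// matchMetadata (a helper assumed here, not syft's) reports whether p matches
// any glob. path.Match has no "**", so only the trailing "<dir>/<file>" is
// compared, which is all these patterns constrain. Like syft's matcher it is
// case-sensitive: "*egg-info" never matches "EGG-INFO".
func matchMetadata(p string, globs []string) bool {
	parts := strings.Split(path.Clean(p), "/")
	if len(parts) < 2 {
		return false
	}
	tail := parts[len(parts)-2] + "/" + parts[len(parts)-1]
	for _, g := range globs {
		if ok, _ := path.Match(strings.TrimPrefix(g, "**/"), tail); ok {
			return true
		}
	}
	return false
}

// Constructed listing: the boto3 egg layout from the issue, a lowercase
// egg-info directory, a wheel dist-info and a plain module file.
var samplePaths = []string{
	"boto3-1.9.5-py2.7.egg/EGG-INFO/PKG-INFO",
	"python_dateutil.egg-info/PKG-INFO",
	"example-1.0.dist-info/METADATA",
	"boto3-1.9.5-py2.7.egg/boto3/__init__.py",
}

func main() {
	for _, p := range samplePaths {
		fmt.Printf("%-42s original=%-5v extended=%v\n", p,
			matchMetadata(p, originalGlobs), matchMetadata(p, extendedGlobs))
	}
}
```

Running it shows the uppercase EGG-INFO path matched only by the extended set, which is why the boto3 egg was silently absent from the SBOM rather than reported as an error.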
