Add support to detect bash binaries #1963

Closed
captn3m0 opened this issue Jul 27, 2023 · 1 comment · Fixed by #2055
Labels
binary-analysis enhancement New feature or request

Comments

@captn3m0

What happened: Bash isn't detected on the official bash docker images.

What you expected to happen:

Bash should be included in the returned list of packages.

Steps to reproduce the issue:

syft -q packages library/bash:5|grep bash

The output includes bash dependencies, but not bash itself:

.bash-rundeps 20230615.045102 apk

Anything else we need to know?:

I re-checked all of the images mentioned in #1197, and this seems to be the only one still non-functional.

Environment:

  • Output of syft version: syft 0.85.0
  • OS (e.g: cat /etc/os-release or similar): "Ubuntu 20.04.5 LTS"
@captn3m0 captn3m0 added the bug Something isn't working label Jul 27, 2023
@kzantow kzantow added enhancement New feature or request and removed bug Something isn't working labels Jul 27, 2023
@kzantow kzantow changed the title Syft doesn't detect bash from official bash image Add support to detect bash binaries Jul 27, 2023
@witchcraze
Contributor

note


NVD uses cpe:2.3:a:gnu:bash:
https://nvd.nist.gov/vuln/detail/CVE-2019-18276


Docker official image bash:5.2

# which bash
/usr/local/bin/bash

# bash -version
GNU bash, version 5.2.15(1)-release (x86_64-pc-linux-musl)
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

# strings /usr/local/bin/bash | grep 5\.2\.15
@(#)Bash version 5.2.15(1) release GNU

Docker official image bash:5.2-alpha

# which bash
/usr/local/bin/bash

# bash -version
GNU bash, version 5.2.0(1)-alpha (x86_64-pc-linux-musl)
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

# strings /usr/local/bin/bash | grep 5\.2\.0
@(#)Bash version 5.2.0(1) alpha GNU

Docker official image bash:5.2-beta

# which bash
/usr/local/bin/bash

# bash -version
GNU bash, version 5.2.0(1)-beta (x86_64-pc-linux-musl)
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

# strings /usr/local/bin/bash | grep 5\.2\.0
@(#)Bash version 5.2.0(1) beta GNU

Docker official image bash:5.2-rc

# which bash
/usr/local/bin/bash

# bash -version
GNU bash, version 5.2.0(1)-rc4 (x86_64-pc-linux-musl)
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

$ docker run -it --rm bash:5.2-alpha strings /usr/local/bin/bash | grep 5\.2\.0
@(#)Bash version 5.2.0(1) rc4 GNU

Docker official image bash:5.1

# which bash
/usr/local/bin/bash

#  bash -version
GNU bash, version 5.1.16(1)-release (x86_64-pc-linux-musl)
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

# strings /usr/local/bin/bash | grep 5\.1\.16
@(#)Bash version 5.1.16(1) release GNU

Docker official image bash:5.0

# which bash
/usr/local/bin/bash

# bash -version
GNU bash, version 5.0.18(1)-release (x86_64-pc-linux-musl)
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

# strings /usr/local/bin/bash | grep 5\.0\.18
@(#)Bash version 5.0.18(1) release GNU

Docker official image bash:4.4

# which bash
/usr/local/bin/bash

# bash -version
GNU bash, version 4.4.23(1)-release (x86_64-pc-linux-musl)
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

# strings /usr/local/bin/bash | grep 4\.4\.23
@(#)Bash version 4.4.23(1) release GNU

Docker official image bash:4.3

# which bash
/usr/local/bin/bash

# bash -version
GNU bash, version 4.3.48(1)-release (x86_64-pc-linux-musl)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

# strings /usr/local/bin/bash | grep 4\.3\.48
@(#)Bash version 4.3.48(1) release GNU

Docker official image bash:4.2

# which bash
/usr/local/bin/bash

# bash -version
GNU bash, version 4.2.53(2)-release (x86_64-pc-linux-musl)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

# strings /usr/local/bin/bash | grep 4\.2\.53
@(#)Bash version 4.2.53(2) release GNU

Docker official image bash:4.1

# which bash
/usr/local/bin/bash

# bash -version
GNU bash, version 4.1.17(2)-release (x86_64-pc-linux-musl)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

# strings /usr/local/bin/bash | grep 4\.1\.17
@(#)Bash version 4.1.17(2) release GNU

Docker official image bash:4.0

# which bash
/usr/local/bin/bash

# bash -version
GNU bash, version 4.0.44(1)-release (x86_64-pc-linux-musl)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

# strings /usr/local/bin/bash | grep 4\.0\.44
@(#)Bash version 4.0.44(1) release GNU

Docker official image bash:3.2

# which bash
/usr/local/bin/bash

# bash -version
GNU bash, version 3.2.57(1)-release (x86_64-pc-linux-musl)
Copyright (C) 2007 Free Software Foundation, Inc.

# strings /usr/local/bin/bash | grep 3\.2\.57
@(#)Bash version 3.2.57(1) release GNU

Docker official image bash:3.1

# which bash
/usr/local/bin/bash

# bash -version
GNU bash, version 3.1.23(1)-release (x86_64-pc-linux-musl)
Copyright (C) 2005 Free Software Foundation, Inc.

# strings /usr/local/bin/bash | grep 3\.1\.23
@(#)Bash version 3.1.23(1) release GNU

Docker official image bash:3.0

# which bash
/usr/local/bin/bash

#  bash -version
GNU bash, version 3.00.22(1)-release (x86_64-pc-linux-musl)
Copyright (C) 2004 Free Software Foundation, Inc.

# strings /usr/local/bin/bash | grep 3\.00\.22
@(#)Bash version 3.00.22(1) release GNU
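
The `strings` output in the comment above shows the same embedded identifier in every image from 3.0 to 5.2, so a binary scanner can key on it. The following Go sketch is an added example, not syft's classifier and not code from this issue; `BashInfo`, `DetectBash` and the sample bytes are hypothetical names and constructed data. It extracts the version and release status and builds a CPE with the `gnu:bash` vendor/product pair noted above, keeping the pre-release tag because the alpha, beta and rc4 builds all report `5.2.0`.

```go
package main

import (
	"fmt"
	"regexp"
)

// bashWhat matches the "what"-style identifier shown in the strings output
// above, e.g. "@(#)Bash version 5.2.15(1) release GNU".
var bashWhat = regexp.MustCompile(
	`@\(#\)Bash version (\d+\.\d+\.\d+)\((\d+)\) ([a-z0-9]+) GNU`)

// BashInfo is a hypothetical result type for this example.
type BashInfo struct {
	Version string // e.g. "5.2.15" or "3.00.22"
	Build   string // number in parentheses
	Status  string // "release", "alpha", "beta", "rc4", ...
}

// CPE builds a CPE 2.3 name with the gnu:bash vendor/product pair NVD uses.
// Putting a pre-release tag in the update field is this example's assumption.
func (b BashInfo) CPE() string {
	update := "*"
	if b.Status != "release" {
		update = b.Status
	}
	return fmt.Sprintf("cpe:2.3:a:gnu:bash:%s:%s:*:*:*:*:*:*", b.Version, update)
}

// DetectBash scans raw file bytes and reports the first identifier found.
func DetectBash(data []byte) (BashInfo, bool) {
	m := bashWhat.FindSubmatch(data)
	if m == nil {
		return BashInfo{}, false
	}
	return BashInfo{Version: string(m[1]), Build: string(m[2]), Status: string(m[3])}, true
}

func main() {
	// Constructed stand-in for file contents; not bytes from a real binary.
	sample := []byte("\x7fELF\x02\x01\x00/bin/sh\x00@(#)Bash version 5.2.0(1) rc4 GNU\x00")
	if info, ok := DetectBash(sample); ok {
		fmt.Println(info.Version, info.Status, info.CPE())
	}
	_, ok := DetectBash([]byte("GNU bash, version %s (%s)\n"))
	fmt.Println("banner format string alone matches:", ok)
}
```

Matching on the anchored `@(#)Bash version` prefix rather than on the word "bash" keeps other files that merely mention the shell from being reported as the package.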
