Add support to detect bash binaries #1963

captn3m0 · 2023-07-27T07:29:21Z

What happened: Bash isn't detected on the official bash docker images.

What you expected to happen:

Bash should be included in the returned list of packages.

Steps to reproduce the issue:

syft -q packages library/bash:5|grep bash

The output includes bash dependencies, but not bash itself:

.bash-rundeps 20230615.045102 apk

Anything else we need to know?:

I re-checked all of the images mentioned in #1197, and this seems to be the only still non-functional.

Environment:

Output of syft version: syft 0.85.0
OS (e.g: cat /etc/os-release or similar): "Ubuntu 20.04.5 LTS"

The text was updated successfully, but these errors were encountered:

witchcraze · 2023-08-24T05:22:24Z

note

NVD uses cpe:2.3:a:gnu:bash:
https://nvd.nist.gov/vuln/detail/CVE-2019-18276

Docker official image bash:5.2

# which bash
/usr/local/bin/bash

# bash -version
GNU bash, version 5.2.15(1)-release (x86_64-pc-linux-musl)
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

# strings /usr/local/bin/bash | grep 5\.2\.15
@(#)Bash version 5.2.15(1) release GNU

Docker official image bash:5.2-alpha

# which bash
/usr/local/bin/bash

# bash -version
GNU bash, version 5.2.0(1)-alpha (x86_64-pc-linux-musl)
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

# strings /usr/local/bin/bash | grep 5\.2\.0
@(#)Bash version 5.2.0(1) alpha GNU

Docker official image bash:5.2-beta

# which bash
/usr/local/bin/bash

# bash -version
GNU bash, version 5.2.0(1)-beta (x86_64-pc-linux-musl)
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

# strings /usr/local/bin/bash | grep 5\.2\.0
@(#)Bash version 5.2.0(1) beta GNU

Docker official image bash:5.2-rc

# which bash
/usr/local/bin/bash

# bash -version
GNU bash, version 5.2.0(1)-rc4 (x86_64-pc-linux-musl)
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

$ docker run -it --rm bash:5.2-alpha strings /usr/local/bin/bash | grep 5\.2\.0
@(#)Bash version 5.2.0(1) rc4 GNU

Docker official image bash:5.1

# which bash
/usr/local/bin/bash

#  bash -version
GNU bash, version 5.1.16(1)-release (x86_64-pc-linux-musl)
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

# strings /usr/local/bin/bash | grep 5\.1\.16
@(#)Bash version 5.1.16(1) release GNU

Docker official image bash:5.0

# which bash
/usr/local/bin/bash

# bash -version
GNU bash, version 5.0.18(1)-release (x86_64-pc-linux-musl)
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

# strings /usr/local/bin/bash | grep 5\.0\.18
@(#)Bash version 5.0.18(1) release GNU

Docker official image bash:4.4

# which bash
/usr/local/bin/bash

# bash -version
GNU bash, version 4.4.23(1)-release (x86_64-pc-linux-musl)
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

# strings /usr/local/bin/bash | grep 4\.4\.23
@(#)Bash version 4.4.23(1) release GNU

Docker official image bash:4.3

# which bash
/usr/local/bin/bash

# bash -version
GNU bash, version 4.3.48(1)-release (x86_64-pc-linux-musl)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

# strings /usr/local/bin/bash | grep 4\.3\.48
@(#)Bash version 4.3.48(1) release GNU

Docker official image bash:4.2

# which bash
/usr/local/bin/bash

# bash -version
GNU bash, version 4.2.53(2)-release (x86_64-pc-linux-musl)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

# strings /usr/local/bin/bash | grep 4\.2\.53
@(#)Bash version 4.2.53(2) release GNU

Docker official image bash:4.1

# which bash
/usr/local/bin/bash

# bash -version
GNU bash, version 4.1.17(2)-release (x86_64-pc-linux-musl)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

# strings /usr/local/bin/bash | grep 4\.1\.17
@(#)Bash version 4.1.17(2) release GNU

Docker official image bash:4.0

# which bash
/usr/local/bin/bash

# bash -version
GNU bash, version 4.0.44(1)-release (x86_64-pc-linux-musl)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

# strings /usr/local/bin/bash | grep 4\.0\.44
@(#)Bash version 4.0.44(1) release GNU

Docker official image bash:3.2

# which bash
/usr/local/bin/bash

# bash -version
GNU bash, version 3.2.57(1)-release (x86_64-pc-linux-musl)
Copyright (C) 2007 Free Software Foundation, Inc.

# strings /usr/local/bin/bash | grep 3\.2\.57
@(#)Bash version 3.2.57(1) release GNU

Docker official image bash:3.1

# which bash
/usr/local/bin/bash

# bash -version
GNU bash, version 3.1.23(1)-release (x86_64-pc-linux-musl)
Copyright (C) 2005 Free Software Foundation, Inc.

# strings /usr/local/bin/bash | grep 3\.1\.23
@(#)Bash version 3.1.23(1) release GNU

Docker official image bash:3.0

# which bash
/usr/local/bin/bash

#  bash -version
GNU bash, version 3.00.22(1)-release (x86_64-pc-linux-musl)
Copyright (C) 2004 Free Software Foundation, Inc.

# strings /usr/local/bin/bash | grep 3\.00\.22
@(#)Bash version 3.00.22(1) release GNU

captn3m0 added the bug Something isn't working label Jul 27, 2023

captn3m0 mentioned this issue Jul 27, 2023

Syft does not detect some software in Docker Official Images #1197

Closed

kzantow added enhancement New feature or request and removed bug Something isn't working labels Jul 27, 2023

kzantow changed the title ~~Syft doesn't detect bash from official bash image~~ Add support to detect bash binaries Jul 27, 2023

wagoodman added the binary-analysis label Jul 27, 2023

witchcraze mentioned this issue Aug 24, 2023

feat: add bash classifier #2055

Merged

kzantow closed this as completed in #2055 Aug 24, 2023

dependabot bot mentioned this issue Sep 4, 2023

Bump github.com/anchore/syft from 0.86.1 to 0.89.0 jetstack/tally#98

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add support to detect bash binaries #1963

Add support to detect bash binaries #1963

captn3m0 commented Jul 27, 2023

witchcraze commented Aug 24, 2023

Add support to detect bash binaries #1963

Add support to detect bash binaries #1963

Comments

captn3m0 commented Jul 27, 2023

witchcraze commented Aug 24, 2023