-
Notifications
You must be signed in to change notification settings - Fork 521
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Parser for dotnet_portable_executable using wrong attribute name. #2029
Comments
I think i have a similar problem with the prometheus-net library. The published dll has close to no meta data. and in v.0.86.0 the name is empty what cases errors in my further processing: |
@SuglBug2k are you able to provide an image or dockerfile that could be used to get some of these dotnet artifacts exhibiting this behavior? |
I have exactly the same problem. In my case the problematic assemblies are |
In case you need specific links for the OP The dockerfile The commit where we noticed the difference |
I have seen something related when scanning a Windows Server 2019 system (not an image). The code seems to rely on the fact that a I'm not sure of the internals of the I originally was going to propose a pr along the lines of: diff --git a/syft/pkg/cataloger/dotnet/parse_dotnet_portable_executable.go b/syft/pkg/cataloger/dotnet/parse_dotnet_portable_executable.go
index b57b2f06..20f2c6e3 100644
--- a/syft/pkg/cataloger/dotnet/parse_dotnet_portable_executable.go
+++ b/syft/pkg/cataloger/dotnet/parse_dotnet_portable_executable.go
@@ -3,6 +3,7 @@ package dotnet
import (
"fmt"
"io"
+ "strings"
"github.com/saferwall/pe"
@@ -41,13 +42,13 @@ func parseDotnetPortableExecutable(_ file.Resolver, _ *generic.Environment, f fi
}
name := versionResources["FileDescription"]
- if name == "" {
+ if strings.TrimSpace(name) == "" {
log.Tracef("unable to find FileDescription in PE file: %s", f.RealPath)
return nil, nil, nil
}
version := versionResources["FileVersion"]
- if version == "" {
+ if strings.TrimSpace(name) == "" {
log.Tracef("unable to find FileVersion in PE file: %s", f.RealPath)
return nil, nil, nil
}
to handle this case. However, it seems to me that this cataloger is very overly broad - it seems to look for literally any file that ends in I see tha this is in progress, happy to help test anything out on some live Windows systems or such - let me know! |
Hi all (@selzoc @Roxedus @nemchik @mytracks) - I don't happen to have a large set of files to check, but there doesn't seem to be a great answer to definitively fix this. There are a few fields that seem to be filled in some of the time, but it seems fairly arbitrary what the best field to use is for any given file. A couple examples of this: The original image in the description (
... in this case, In the set of samples from the portable executable parsing library we use, a number of these are similar to:
... in this case, the
... in this case, the I would also point out that the version to use is equally as confusing which to pick -- the last example seems to have a
I've made a draft PR to try to improve this, but would definitely like more examples / feedback, if possible! Here's some example output from the draft PR: Scanning https://www.nuget.org/packages/prometheus-net.AspNetCore/8.0.1:
Scanning
Scanning the aforementioned test data directory:
Does this look reasonable? Should we not include the Microsoft prefixes? Any feedback is greatly appreciated! |
The suggested output looks good to me. I wouldnt strip the prefixes, removes some of the transparency this tool should bring |
A good example of FileVersion (2.80.3.0) vs ProductVersion (2.80.3) for SkiaSharp. So scanning the sbom will not find the entry on osv. OSV has SkiaSharp as 2.80.3 SBOM Entry
Incorrect Curl
Correct Curl
|
We're keeping this issue open as the main issue for discussion what the future implementation should be for getting the correct data. The cases provided by these two issues were added as tests and fixed in that their packages should no longer contribute to invalid SBOM. PR is listed above this comment for the bug fix while we keep this open for better solutions. |
What happened:
As part of v0.86.0 the release, the dotnet portable executable parser were introduced, the implementation does seem to be somewhat flawed, as it uses the dontnet projects
FileDescription
attribute as the name for the item. This does not seem like the best attribute to use, as bothProductName
andInternalName
fits better.This results in scans reporting "names" that seems to require immediate action to remove.
What you expected to happen:
I would expect any project that depends on cli-prompt as PHP Composer dependency to have
Hidden Input
orhiddeninput
as a item, rather thanReads from stdin without leaking info to the terminal and outputs back to stdout
Steps to reproduce the issue:
Scan a image with said Composer dependency:
Which results in the offending result as:
Anything else we need to know?:
Assumed line causing issues: parse_dotnet_portable_executable.go#L43
Published SBOM from scan: package_versions.txt
Tracked-down project with the description: hidden-input
The text was updated successfully, but these errors were encountered: