Add go binary scanning extractor, and use it in image scanning. This shows quite a few false positives that can be resolved with call analysis, which will be implemented in a follow-up PR.
1 parent
d857676
commit 0c01488
Showing
10 changed files
with
299 additions
and
51 deletions.
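--- /dev/null
+++ b/pkg/lockfile/FILENAME-NOT-SHOWN-1.go
@@ -0,0 +1,5 @@
+package lockfile
+
+import "errors"
+
+var ErrIncompatibleFileFormat = errors.New("file format is incompatible, but this is expected")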
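Review bot: `ErrIncompatibleFileFormat` is exported but carries no doc comment, and its message ("…but this is expected") describes what the caller should do rather than what went wrong, so a reader meeting the value in a log line cannot tell it is a skip signal rather than a failure. Add a comment on the declaration such as `// ErrIncompatibleFileFormat is returned by an Extractor when the input is not in the format it handles; callers should treat it as "skip this file", not as a scan failure.` Given that, the message itself could be the neutral `"file format is incompatible"`, with the skip semantics living in the comment and in the caller's `errors.Is` check.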
Binary file not shown.
Binary file not shown.
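--- /dev/null
+++ b/pkg/lockfile/FILENAME-NOT-SHOWN-2.go
@@ -0,0 +1,76 @@
+package lockfile
+
+import (
+"bytes"
+"debug/buildinfo"
+"io"
+"path/filepath"
+"strings"
+)
+
+type GoBinaryExtractor struct{}
+
+func (e GoBinaryExtractor) ShouldExtract(path string) bool {
+if path == "" {
+return false
+}
+
+if strings.HasSuffix(path, string(filepath.Separator)) { // Don't extract directories
+return false
+}
+
+if filepath.Ext(path) != ".exe" && filepath.Ext(path) != "" {
+// Assume if a file has an extension (that's not exe), it is not a go binary
+// This also filters out hidden files on Unix
+// This is a heuristic to improve performance and can result in false negatives
+// TODO(another-rex): When we have access to the full FS interface, we can open and check
+// magic bytes to be more accurate
+return false
+}
+
+// Any other path can be a go binary
+return true
+}
+
+func (e GoBinaryExtractor) Extract(f DepFile) ([]PackageDetails, error) {
+var readerAt io.ReaderAt
+if fileWithReaderAt, ok := f.(io.ReaderAt); ok {
+readerAt = fileWithReaderAt
+} else {
+buf := bytes.NewBuffer([]byte{})
+_, err := io.Copy(buf, f)
+if err != nil {
+return []PackageDetails{}, err
+}
+readerAt = bytes.NewReader(buf.Bytes())
+}
+
+info, err := buildinfo.Read(readerAt)
+if err != nil {
+return []PackageDetails{}, ErrIncompatibleFileFormat
+}
+
+pkgs := make([]PackageDetails, 0, len(info.Deps)+1)
+pkgs = append(pkgs, PackageDetails{
+Name: "stdlib",
+Version: strings.TrimPrefix(info.GoVersion, "go"),
+Ecosystem: GoEcosystem,
+CompareAs: GoEcosystem,
+})
+
+for _, dep := range info.Deps {
+if dep.Replace != nil { // Use the replaced dep if it has been replaced
+dep = dep.Replace
+}
+pkgs = append(pkgs, PackageDetails{
+Name: dep.Path,
+Version: strings.TrimPrefix(dep.Version, "v"),
+Ecosystem: GoEcosystem,
+CompareAs: GoEcosystem,
+})
+}
+
+return pkgs, nil
+}
+
+var _ Extractor = GoBinaryExtractor{}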
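Review bot: In Extract the error from `buildinfo.Read` is discarded and replaced by `ErrIncompatibleFileFormat`, so a genuine read failure from the underlying `io.ReaderAt` (short read, I/O error) is indistinguishable from "this is not a Go binary" and will presumably be skipped silently by the image-scanning caller. Wrap rather than replace, `return []PackageDetails{}, fmt.Errorf("%w: %w", ErrIncompatibleFileFormat, err)` (Go 1.20+, needs `"fmt"` in the import block), which keeps `errors.Is` working while preserving the cause for logs. The fallback branch also copies the entire file into memory with no bound, and since ShouldExtract admits every extension-less path, a large non-Go file in an image layer costs its full size in RAM before `buildinfo.Read` rejects it; checking the size when the DepFile exposes one, or reading through `io.LimitReader` with a ceiling chosen for the scanner, would cap that. Separately, `strings.TrimPrefix(info.GoVersion, "go")` only handles release strings like `go1.21.10`; a toolchain string of the form `devel go1.22-…` would pass through unchanged into the stdlib package version, which deserves at least a comment and a test case.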
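--- /dev/null
+++ b/pkg/lockfile/FILENAME-NOT-SHOWN-2_test.go
@@ -0,0 +1,139 @@
+package lockfile_test
+
+import (
+"testing"
+
+"github.com/google/osv-scanner/pkg/lockfile"
+)
+
+func TestGoBinaryExtractor_ShouldExtract(t *testing.T) {
+t.Parallel()
+
+tests := []struct {
+name string
+path string
+want bool
+}{
+{
+name: "",
+path: "",
+want: false,
+},
+{
+name: "",
+path: "binary.json",
+want: false,
+},
+{
+name: "",
+path: "path/to/my/binary.json",
+want: false,
+},
+{
+name: "",
+path: "path/to/my/binary-lock.json/file",
+want: true,
+},
+{
+name: "",
+path: "path/to/my/binary",
+want: true,
+},
+{
+name: "",
+path: "path/to/my/binary.exe",
+want: true,
+},
+{
+name: "",
+path: "path/to/my/.hidden-binary",
+want: false,
+},
+{
+name: "",
+path: "path/to/my/binary.exe.1",
+want: false,
+},
+}
+for _, tt := range tests {
+tt := tt
+t.Run(tt.name, func(t *testing.T) {
+t.Parallel()
+e := lockfile.GoBinaryExtractor{}
+got := e.ShouldExtract(tt.path)
+if got != tt.want {
+t.Errorf("Extract(%v) got = %v, want %v", tt.path, got, tt.want)
+}
+})
+}
+}
+
+func TestExtractGoBinary_NoPackages(t *testing.T) {
+t.Parallel()
+
+file, err := lockfile.OpenLocalDepFile("fixtures/go/binaries/just-go")
+if err != nil {
+t.Fatalf("could not open file %v", err)
+}
+
+packages, err := lockfile.GoBinaryExtractor{}.Extract(file)
+if err != nil {
+t.Errorf("Got unexpected error: %v", err)
+}
+
+expectPackages(t, packages, []lockfile.PackageDetails{
+{
+Name: "stdlib",
+Version: "1.21.10",
+Ecosystem: lockfile.GoEcosystem,
+CompareAs: lockfile.GoEcosystem,
+},
+})
+}
+
+func TestExtractGoBinary_OnePackage(t *testing.T) {
+t.Parallel()
+
+file, err := lockfile.OpenLocalDepFile("fixtures/go/binaries/has-one-dep")
+if err != nil {
+t.Fatalf("could not open file %v", err)
+}
+
+packages, err := lockfile.GoBinaryExtractor{}.Extract(file)
+if err != nil {
+t.Errorf("Got unexpected error: %v", err)
+}
+
+expectPackages(t, packages, []lockfile.PackageDetails{
+{
+Name: "stdlib",
+Version: "1.21.10",
+Ecosystem: lockfile.GoEcosystem,
+CompareAs: lockfile.GoEcosystem,
+},
+{
+Name: "github.com/BurntSushi/toml",
+Version: "1.4.0",
+Ecosystem: lockfile.GoEcosystem,
+CompareAs: lockfile.GoEcosystem,
+},
+})
+}
+
+func TestExtractGoBinary_NotAGoBinary(t *testing.T) {
+t.Parallel()
+
+file, err := lockfile.OpenLocalDepFile("fixtures/go/one-package.mod")
+if err != nil {
+t.Fatalf("could not open file %v", err)
+}
+
+packages, err := lockfile.GoBinaryExtractor{}.Extract(file)
+if err == nil {
+t.Errorf("did not get expected error when extracting")
+}
+
+if len(packages) != 0 {
+t.Errorf("packages not empty")
+}
+}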
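Review bot: Every case in TestGoBinaryExtractor_ShouldExtract has `name: ""`, so the subtests run as anonymous `#00`…`#07` and a failure is hard to attribute, and the message `Extract(%v) got = …` names the wrong method; give each case a short descriptive name and change the report to `t.Errorf("ShouldExtract(%q) got = %v, want %v", tt.path, got, tt.want)`. TestExtractGoBinary_NotAGoBinary only asserts `err == nil` is false, yet the extractor's contract with the image-scanning caller rests on the specific `ErrIncompatibleFileFormat` sentinel; assert `if !errors.Is(err, lockfile.ErrIncompatibleFileFormat) { t.Errorf("got %v, want ErrIncompatibleFileFormat", err) }` (adding `"errors"` to the imports) so that a regression to a different error type is caught rather than passing. None of the three Extract tests closes the DepFile returned by OpenLocalDepFile; if that type has a Close method, a `defer file.Close()` after the open check would match the usual pattern.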