linux-kernel-cataloger produces thousands of version-less components.

[ragaskar]

What happened:
Scanning a disk image (mounted as a filesystem) before the linux-kernel-cataloger was added returned around 600 components. After the addition of the cataloger, scans returned around 7000 components, many of which have no versions (filesize has gone from 1MB to 37 MB). A subsequent CVE scan has doubled the amount of CVEs identified, and while I have not been able to triage them, I suspect nearly all the new CVEs are false positives.

I am not very conversant on the topic of kernel modules and did not quite follow the intent of the PR which added this functionality; it looks like the examples in the PR thread intended to use these files on disk to tie back to an actual kernel or package at a specific version. That most definitely is not happening in our case. Here is an example snippet from the resulting SBOM (syft-json format):

  {
   "id": "a1629328ee60a1d1",
   "name": "104_quad_8",
   "version": "",
   "type": "linux-kernel-module",
   "foundBy": "linux-kernel-cataloger",
   "locations": [
    {
     "path": "usr/lib/modules/5.19.0-40-generic/kernel/drivers/counter/104-quad-8.ko",
     "annotations": {
      "evidence": "primary"
     }
    }
   ],
   "licenses": [
    "GPL v2"
   ],
   "language": "",
   "cpes": [
    "cpe:2.3:a:104-quad-8:104-quad-8:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:104-quad-8:104_quad_8:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:104_quad_8:104-quad-8:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:104_quad_8:104_quad_8:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:104-quad:104-quad-8:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:104-quad:104_quad_8:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:104_quad:104-quad-8:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:104_quad:104_quad_8:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:104:104-quad-8:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:104:104_quad_8:*:*:*:*:*:*:*:*"
   ],
   "purl": "pkg:generic/104_quad_8",
   "metadataType": "LinuxKernelModuleMetadata",
   "metadata": {
    "name": "104_quad_8",
    "sourceVersion": "55C62F4A5D1B2412C1B85C7",
    "path": "usr/lib/modules/5.19.0-40-generic/kernel/drivers/counter/104-quad-8.ko",
    "description": "ACCES 104-QUAD-8 driver",
    "author": "William Breathitt Gray <vilhelm.gray@gmail.com>",
    "license": "GPL v2",
    "kernelVersion": "5.19.0-40-generic",
    "versionMagic": "5.19.0-40-generic SMP preempt mod_unload modversions ",
    "parameters": {
     "base": {
      "description": "ACCES 104-QUAD-8 base addresses"
     },
     "irq": {
      "description": "ACCES 104-QUAD-8 interrupt line numbers"
     }
    }
   }
  },
  {
   "id": "2a0e0f4387b2adcd",
   "name": "3c509",
   "version": "",
   "type": "linux-kernel-module",
   "foundBy": "linux-kernel-cataloger",
   "locations": [
    {
     "path": "usr/lib/modules/5.19.0-40-generic/kernel/drivers/net/ethernet/3com/3c509.ko",
     "annotations": {
      "evidence": "primary"
     }
    }
   ],
   "licenses": [
    "GPL"
   ],
   "language": "",
   "cpes": [
    "cpe:2.3:a:3c509:3c509:*:*:*:*:*:*:*:*"
   ],
   "purl": "pkg:generic/3c509",
   "metadataType": "LinuxKernelModuleMetadata",
   "metadata": {
    "name": "3c509",
    "sourceVersion": "D05BAE6130B1D178C163B12",
    "path": "usr/lib/modules/5.19.0-40-generic/kernel/drivers/net/ethernet/3com/3c509.ko",
    "description": "3Com Etherlink III (3c509, 3c509B, 3c529, 3c579) ethernet driver",
    "license": "GPL",
    "kernelVersion": "5.19.0-40-generic",
    "versionMagic": "5.19.0-40-generic SMP preempt mod_unload modversions ",
    "parameters": {
     "debug": {
      "description": "debug level (0-6)"
     },
     "irq": {
      "description": "IRQ number(s) (assigned)"
     },
     "max_interrupt_work": {
      "description": "maximum events handled per interrupt"
     },
     "nopnp": {
      "description": "disable ISA PnP support (0-1)"
     }
    }
   }
  },
  {
   "id": "b774a8dbcc7b639a",
   "name": "3c574_cs",
   "version": "",
   "type": "linux-kernel-module",
   "foundBy": "linux-kernel-cataloger",
   "locations": [
    {
     "path": "usr/lib/modules/5.19.0-40-generic/kernel/drivers/net/ethernet/3com/3c574_cs.ko",
     "annotations": {
      "evidence": "primary"
     }
    }
   ],
   "licenses": [
    "GPL"
   ],
   "language": "",
   "cpes": [
    "cpe:2.3:a:3c574-cs:3c574-cs:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:3c574-cs:3c574_cs:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:3c574_cs:3c574-cs:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:3c574_cs:3c574_cs:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:3c574:3c574-cs:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:3c574:3c574_cs:*:*:*:*:*:*:*:*"
   ],
   "purl": "pkg:generic/3c574_cs",
   "metadataType": "LinuxKernelModuleMetadata",
   "metadata": {
    "name": "3c574_cs",
    "sourceVersion": "3531B1EFEF90AB882DFA03A",
    "path": "usr/lib/modules/5.19.0-40-generic/kernel/drivers/net/ethernet/3com/3c574_cs.ko",
    "description": "3Com 3c574 series PCMCIA ethernet driver",
    "author": "David Hinds <dahinds@users.sourceforge.net>",
    "license": "GPL",
    "kernelVersion": "5.19.0-40-generic",
    "versionMagic": "5.19.0-40-generic SMP preempt mod_unload modversions ",
    "parameters": {
     "auto_polarity": {
      "type": "int"
     },
     "full_duplex": {
      "type": "int"
     },
     "max_interrupt_work": {
      "type": "int"
     }
    }
   }
  },

What you expected to happen:
Output to be limited to versioned packages that are likely to match a distribution CPE.

Steps to reproduce the issue:
Scan an ubuntu filesystem.

Anything else we need to know?:

Environment:

• Output of syft version:
  syft 0.79.0

• OS (e.g: cat /etc/os-release or similar):
  Ubuntu 22.04.2 LTS

[ragaskar]

Thanks for the ping back in Slack. I have added repro steps here (this works for me on an M1 mac -- if you're not on an M1, the --platform is probably unnecessary):

open a docker container w/ necessary packages for image mounting:
docker run -it --privileged --platform linux/amd64 bosh/os-image-stemcell-builder /bin/bash

Inside that docker container, run the following:

curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh > install.sh \
    && (echo "a6dfabcd60ec8b09a8269d5efda8c797ad9657567cd723306f5cfc3fcb07b79b  install.sh" | sha256sum --check --status  \
    || (echo "Checksum failed! Please review https://raw.githubusercontent.com/anchore/syft/main/install.sh, ensure it is still safe, and update the checksum" && exit 1)) \
    && chmod u+x ./install.sh && (cat ./install.sh | sh -s -- -b /usr/local/bin) && rm ./install.sh

function permit_device_control() {
  local devices_mount_info=$(cat /proc/self/cgroup | grep devices)

  local devices_subsytems=$(echo $devices_mount_info | cut -d: -f2)
  local devices_subdir=$(echo $devices_mount_info | cut -d: -f3)

  cgroup_dir=/mnt/tmp-todo-devices-cgroup

  if [ ! -e ${cgroup_dir} ]; then
    # mount our container's devices subsystem somewhere
    mkdir ${cgroup_dir}
  fi

  if ! mountpoint -q ${cgroup_dir}; then
    mount -t cgroup -o $devices_subsytems none ${cgroup_dir}
  fi

  # permit our cgroup to do everything with all devices
  # ignore failure in case something has already done this; echo appears to
  # return EINVAL, possibly because devices this affects are already in use
  echo a > ${cgroup_dir}${devices_subdir}/devices.allow || true
}

permit_device_control

for i in $(seq 0 64); do
  if ! mknod -m 0660 /dev/loop$i b 7 $i; then
    break
  fi
done

mkdir -p work

pushd work
git clone https://github.com/cloudfoundry/bosh-linux-stemcell-builder.git
chown -R ubuntu:ubuntu bosh-linux-stemcell-builder
chown -R ubuntu:ubuntu /mnt
####
wget https://storage.googleapis.com/bosh-core-stemcells/1.108/bosh-stemcell-1.108-google-kvm-ubuntu-jammy-go_agent.tgz

helpers_path="./bosh-linux-stemcell-builder/scripts/repack-helpers"
extracted_image_path=$("${helpers_path}/extract-stemcell.sh" "bosh-stemcell-1.108-google-kvm-ubuntu-jammy-go_agent.tgz" | $helpers_path/extract-image.sh)
mounted_image_path=$("${helpers_path}/mount-image.sh" <<< $extracted_image_path)
syft -q "dir:${mounted_image_path}"
popd