
Python binary matching not returning all python versions #2153

Closed
noqcks opened this issue Sep 19, 2023 · 1 comment
Labels
bug Something isn't working

Comments

noqcks commented Sep 19, 2023

What happened:

PR #1648 introduced a regression in Python binary matching. There was a subsequent PR to fix it, #1667, but it still seems unresolved.

What you expected to happen:

Syft v0.74.0

```
syft -q python:3.4 | grep binary
python                        2.7.13                          binary
python                        3.4.10                          binary
python                        3.5.3                           binary
```

Syft v0.90.0 (should show python 2.7.x)

```
syft -q python:3.4 | grep binary
python                        3.4.10                          binary
```

Docker image inspection

```
docker run --rm -it python:3.4 /bin/bash
root@1f88ce1edd2f:/# which python2
/usr/bin/python2
root@1f88ce1edd2f:/# python2 --version
Python 2.7.13
root@1f88ce1edd2f:/# python3 --version
Python 3.4.10
root@1f88ce1edd2f:/#
```

Steps to reproduce the issue:

Please see commands above.

Anything else we need to know?:

Environment:

  • Output of `syft version`:

```
Application:     syft
Version:         0.90.0
BuildDate:       2023-09-11T21:22:00Z
GitCommit:       b82c0ffc3417bdc8c38f4633af95a668ec29fa35
GitDescription:  v0.90.0
Platform:        darwin/arm64
GoVersion:       go1.21.0
Compiler:        gc
```

  • OS (e.g. `cat /etc/os-release` or similar): macOS
@noqcks noqcks added the bug Something isn't working label Sep 19, 2023
wagoodman commented

@noqcks what you're describing is an intentional change introduced by #1948. The goal of syft is to raise up as much packaging information as possible for the user. Binaries are a bit of a gray area since they aren't technically packages; however, we raise up information about select binaries since it is ultimately useful (we treat them like a package found anyway). This new PR makes an exception: any binaries already owned by another package should be suppressed, as they are already represented as a package.

So the missing python 2.7.13 and 3.5.3 packages you mentioned are already represented as debian packages:

```
$ docker run --rm -it --entrypoint '' python:3.4 apt list --installed | grep python
dh-python/now 2.20170125 all [installed,local]
libpython-stdlib/now 2.7.13-2 amd64 [installed,local]
libpython2.7-minimal/now 2.7.13-2+deb9u3 amd64 [installed,local]
libpython2.7-stdlib/now 2.7.13-2+deb9u3 amd64 [installed,local]
libpython3-stdlib/now 3.5.3-1 amd64 [installed,local]
libpython3.5-minimal/now 3.5.3-1+deb9u1 amd64 [installed,local]
libpython3.5-stdlib/now 3.5.3-1+deb9u1 amd64 [installed,local]
python/now 2.7.13-2 amd64 [installed,local]
python-bzrlib/now 2.7.0+bzr6619-7+deb9u1 amd64 [installed,local]
python-configobj/now 5.0.6-2 all [installed,local]
python-minimal/now 2.7.13-2 amd64 [installed,local]
python-six/now 1.10.0-3 all [installed,local]
python2.7/now 2.7.13-2+deb9u3 amd64 [installed,local]
python2.7-minimal/now 2.7.13-2+deb9u3 amd64 [installed,local]
python3/now 3.5.3-1 amd64 [installed,local]
python3-minimal/now 3.5.3-1 amd64 [installed,local]
python3.5/now 3.5.3-1+deb9u1 amd64 [installed,local]
python3.5-minimal/now 3.5.3-1+deb9u1 amd64 [installed,local]
```

And syft also reflects this:

```
$ syft python:3.4
...
python                        2.7.13-2                        deb
python                        3.4.10                          binary
python-bzrlib                 2.7.0+bzr6619-7+deb9u1          deb
python-configobj              5.0.6-2                         deb
python-minimal                2.7.13-2                        deb
python-six                    1.10.0-3                        deb
python2.7                     2.7.13-2+deb9u3                 deb          <---
python2.7-minimal             2.7.13-2+deb9u3                 deb
python3                       3.5.3-1                         deb
python3-minimal               3.5.3-1                         deb
python3.5                     3.5.3-1+deb9u1                  deb          <---
python3.5-minimal             3.5.3-1+deb9u1                  deb
...
```

Note that this behavior can be overridden with a configuration switch to get the original behavior of including all binaries:

```yaml
# allows users to exclude synthetic binary packages from the sbom
# these packages are removed if an overlap with a non-synthetic package is found.
# env var SYFT_EXCLUDE_BINARY_OVERLAP_BY_OWNERSHIP
exclude-binary-overlap-by-ownership: true
```

I'll close this issue for now since it is working as intended.

@wagoodman wagoodman closed this as not planned Won't fix, can't repro, duplicate, stale Sep 20, 2023
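The suppression rule described in the comment above (drop a binary-classifier package when the file it was identified from is owned by another, non-binary package, with a switch to keep every binary) as a small added example. This is illustrative code written here, not Syft's implementation; the package model, the ownership lookup and the sample data are assumptions, loosely modelled on the `python:3.4` image in this issue (deb packages `python2.7` and `python3.5` own the interpreters under `/usr/bin`, while `/usr/local/bin/python3.4` is built from source and owned by no package).

```python
"""Toy model of "exclude binary overlap by ownership" (added example, not Syft's code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    type: str                      # cataloger type, e.g. "deb" or "binary"
    location: str                  # path the package was identified from
    # files the package owns (for deb, what dpkg's .list file would record);
    # binary packages own nothing
    owned_files: frozenset = field(default_factory=frozenset)


def owning_package(pkg, packages):
    """Return the first non-binary package that owns pkg.location, or None."""
    for other in packages:
        if other is pkg or other.type == "binary":
            continue
        if pkg.location in other.owned_files:
            return other
    return None


def exclude_binary_overlap_by_ownership(packages, enabled=True):
    """Drop binary packages already represented by an owning package.

    With enabled=False every package is kept, mirroring the config switch
    quoted in the comment above.
    """
    if not enabled:
        return list(packages)
    return [
        pkg for pkg in packages
        if not (pkg.type == "binary" and owning_package(pkg, packages) is not None)
    ]


# Constructed sample, not real syft output.
SAMPLE = [
    Package("python2.7", "2.7.13-2+deb9u3", "deb", "/var/lib/dpkg/status",
            frozenset({"/usr/bin/python2.7"})),
    Package("python3.5", "3.5.3-1+deb9u1", "deb", "/var/lib/dpkg/status",
            frozenset({"/usr/bin/python3.5"})),
    Package("python", "2.7.13", "binary", "/usr/bin/python2.7"),
    Package("python", "3.5.3", "binary", "/usr/bin/python3.5"),
    Package("python", "3.4.10", "binary", "/usr/local/bin/python3.4"),
]


def summarize(packages):
    """Sorted (name, version, type) rows, like the columns in syft's table output."""
    return sorted((p.name, p.version, p.type) for p in packages)


if __name__ == "__main__":
    for row in summarize(exclude_binary_overlap_by_ownership(SAMPLE)):
        print(row)
```

Run as-is, only the unowned `3.4.10` binary survives alongside the two deb packages, which is the shape of the v0.90.0 output in the report; calling `exclude_binary_overlap_by_ownership(SAMPLE, enabled=False)` returns all five entries, matching the v0.74.0 behaviour. When auditing an SBOM, this is the check to keep in mind: a "missing" binary is not necessarily an undetected component, it may be the same component reported under its distro package.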