Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: improved Python binary detection #1648

Merged
merged 7 commits into from
Mar 7, 2023
Merged

fix: improved Python binary detection #1648

merged 7 commits into from
Mar 7, 2023

Conversation

kzantow
Copy link
Contributor

@kzantow kzantow commented Mar 3, 2023
edited
Loading

Originally, when Python binary detection was added, it checked 3 sources:

  • python* binaries directly
  • libpython* shared libraries
  • patchlevel.h source file

The reason for the latter 2 - especially the last one, is that some Python binaries do not actually contain version information but instead load a libpython* shared library, which contains this.

This has caused some confusion for users and did not necessarily prove to be the most accurate. This PR changes the behavior such that patchlevel.h is never looked for, as there is no guarantee this would be applicable to the particular python binary file found. Additionally, when inspecting Python binaries, the behavior is now:

  1. look for version information in the file and use this if found
  2. look for the corresponding libpython* shared library in the binary dynamic library list, and extract version information from that file

With this change, Syft does still look for libpython* files independently, and these may or may not show up as the primary location for a package.

The result is a few different cases:

  • A Python binary is found, with version information and a libpython shared library is found. If the versions are the same, both locations will be merged to the same package. If the versions are different, there will be 2 distinct packages with the corresponding location information.

  • A Python binary is found, without version information and a libpython shared library is found. If the libpython library is referenced from the Python binary, the primary location is the Python binary, and secondary location information includes the libpython library.

  • No Python binary is found but a libpython shared library is found. This will continue to surface Python findings, with the primary location of the libpython library.

The reason for the last described case is that there are situations a container may have libpython without a binary -- for example an Apache HTTP Server image with a Python module. In this case, it is important to surface the fact that there may be Python execution with library and version found.

Fixes: #1643
Also fixes: #1646

@kzantow
fix: improved Python binary detection
a63e11d 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
@kzantow kzantow marked this pull request as draft March 3, 2023 19:38
@kzantow
chore: only scan executables for sharedLibraryLookup, fix evidenceMat…
6ad83e9 
…chers

Signed-off-by: Keith Zantow <kzantow@gmail.com>
@kzantow kzantow mentioned this pull request Mar 3, 2023
Closed
@kzantow kzantow marked this pull request as ready for review March 3, 2023 20:23
@kzantow
chore: refactor to avoid closed readers
387eb30 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
@kzantow
chore: reduce nesting
73c0252 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
@kzantow
chore: slight cleanup
73eb9b2 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
@kzantow
fix: add more tests and update python version regexes
1ce4669 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
@kzantow kzantow requested a review from a team March 7, 2023 15:14
wagoodman
wagoodman approved these changes Mar 7, 2023
View reviewed changes
Copy link
Contributor

@wagoodman wagoodman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My only blocking comment is the note about mode as an indicator for parsing, other than that 💯 !

@kzantow
chore: address PR feedback
4ef121d 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
@kzantow kzantow merged commit 7714bc0 into anchore:main Mar 7, 2023
@kzantow kzantow deleted the fix/improved-python-binary-detection branch March 7, 2023 15:52
@westonsteimel westonsteimel mentioned this pull request Mar 9, 2023
Merged
This was referenced Mar 9, 2023
Open
Open
Closed
Closed
Merged
@noqcks
Copy link
Contributor

noqcks commented Mar 11, 2023
edited
Loading

we lost some information on python binaries after this PR:

syft v0.74.0

➜  ~ syft -q python:3.4 | grep binary
python                        2.7.13                          binary
python                        3.4.10                          binary
python                        3.5.3                           binary

syft v0.74.1

➜  ~ syft -q python:3.4 | grep binary
python                        2.7.13                          binary
python                        35                              binary

@kzantow
Copy link
Contributor Author

kzantow commented Mar 11, 2023

@noqcks could you give the json output for those packages between the versions?

@noqcks
Copy link
Contributor

noqcks commented Mar 11, 2023

@dependabot dependabot bot mentioned this pull request Mar 13, 2023
Closed
@kzantow kzantow mentioned this pull request Mar 13, 2023
Merged
@kzantow
Copy link
Contributor Author

kzantow commented Mar 13, 2023

Thanks for this report @noqcks!

This has led me to uncover a couple issues with the python matching and I've fixed them here: #1667

@dependabot dependabot bot mentioned this pull request Mar 14, 2023
Closed
This was referenced Mar 14, 2023
Merged
Closed
spiffcs added a commit to deitch/syft that referenced this pull request Mar 21, 2023
@spiffcs
Merge branch 'main' into proper-license-expression
fef61e1 
* main: (47 commits)
  Deprecate config.yaml as valid config source; Add unit regression for correct config paths (anchore#1640)
  chore: Update syft bootstrap tools to latest versions. (anchore#1682)
  Update documentation: (anchore#1680)
  chore: Update Stereoscope to 7928713c391e20abaede6a029f4ce37b628a4c8b (anchore#1681)
  fix: reduce logging for bad dpkg lines (anchore#1675)
  fix ruby classifier (anchore#1678)
  feat: add shared dir for easier cleanup (anchore#1676)
  chore(deps): bump github.com/google/go-containerregistry (anchore#1672)
  chore(deps): bump actions/setup-go from 3 to 4 (anchore#1671)
  fix: move defer after error to protect panic case (anchore#1670)
  feat: add argocd, helm, kustomize and kubectl binary classifiers (anchore#1663)
  defer closing file (anchore#1668)
  fix: remove author contributing to javascript CPEs (anchore#1669)
  fix: more python matching support (anchore#1667)
  Update syft bootstrap tools to latest versions. (anchore#1666)
  feat: add ruby classifier (anchore#1665)
  Update syft bootstrap tools to latest versions. (anchore#1658)
  fix: improved Python binary detection (anchore#1648)
  fix: suppress some known incorrect vendor candidates for npm CPEs (anchore#1659)
  fix: sanitize SPDX LicenseRefs (anchore#1657)
  ...

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@noqcks noqcks mentioned this pull request Sep 19, 2023
Closed
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
@kzantow
fix: improved Python binary detection (anchore#1648)
81aebd2
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wagoodman wagoodman wagoodman approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Update haproxy binary matcher Improve Python binary scanning
3 participants
@kzantow @noqcks @wagoodman