Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for parsing .NET assemblies #1943

Merged
merged 8 commits into from
Jul 19, 2023
Merged

Conversation

luhring
Copy link
Contributor

@luhring luhring commented Jul 15, 2023

Today, to learn about installed .NET software, Syft parses *.deps.json files it discovers on the filesystem. This approach is incorrect, and it leads to Syft surfacing incorrect data about what's installed, which also leads to false positives in Grype.

This PR adds a new cataloger and parser to parse .NET assemblies themselves — which are Portable Executables — to find the correct name, version, and other metadata for the software installed on disk.

Fixes: #1799

Here's a new Syft scan of the image referenced in that bug report:

$ go run ./cmd/syft -q cgr.dev/chainguard/dotnet-sdk:7 | grep 'System\.Net\.Http'
System.Net.Http                                                 7.0.923.36201     dotnet
...

Here we see a version that we'd expect (7.0.*), given that we know .NET 7 is what's installed in this image.

@wagoodman
Copy link
Contributor

Seems like there are a few CLI test failures (adding the snippet here since the log goes on for a while):

--- FAIL: TestPackagesCmdFlags (19.62s)
...
    --- FAIL: TestPackagesCmdFlags/squashed-scope-flag (0.11s)
...
    --- FAIL: TestPackagesCmdFlags/override-default-parallelism (0.16s)
    --- FAIL: TestPackagesCmdFlags/default-parallelism (0.17s)
    --- FAIL: TestPackagesCmdFlags/password_and_key_not_in_config_output (0.17s)

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>

Former-commit-id: 69c33fe
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>

Former-commit-id: b9d204e
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>

Former-commit-id: 9711c00
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>

Former-commit-id: 368313f
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>

Former-commit-id: e42fd77
@luhring
Copy link
Contributor Author

luhring commented Jul 18, 2023

Seems like there are a few CLI test failures (adding the snippet here since the log goes on for a while):

Hmm I'm seeing CLI test failures on main as well 🤔 I think it's the same set of tests that are failing on my branch

build Outdated Show resolved Hide resolved
luhring and others added 2 commits July 19, 2023 09:54
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>

Former-commit-id: 95b25f8
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

Former-commit-id: fa54c0d0aef0998d5520e9f44cae51f5f9cd38a2
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
@wagoodman wagoodman merged commit 8478e0b into anchore:main Jul 19, 2023
@luhring luhring deleted the fix-dotnet branch July 19, 2023 19:48
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
* Add support for parsing .NET assemblies

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>

Former-commit-id: 69c33fe

* Add dll and exe files

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>

Former-commit-id: b9d204e

* Add PE cataloger to directory catalogers

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>

Former-commit-id: 9711c00

* Don't set language to dotnet for PEs

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>

Former-commit-id: 368313f

* Fix spelling of cataloger in constructor

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>

Former-commit-id: e42fd77

* Adjust which cases in PE parsing return errors

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>

Former-commit-id: 95b25f8

* remove build binary from branch

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

Former-commit-id: fa54c0d0aef0998d5520e9f44cae51f5f9cd38a2

* Fix failing CLI tests

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>

---------

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Syft reports the "minimum required version" of .NET assemblies rather than the "assembly version"
3 participants