Add support for parsing .NET assemblies #1943

Merged 8 commits on Jul 19, 2023

@luhring luhring commented Jul 15, 2023

Today, to learn about installed .NET software, Syft parses *.deps.json files it discovers on the filesystem. This approach is incorrect, and it leads to Syft surfacing incorrect data about what's installed, which also leads to false positives in Grype.

This PR adds a new cataloger and parser to parse .NET assemblies themselves — which are Portable Executables — to find the correct name, version, and other metadata for the software installed on disk.

Fixes: #1799

Here's a new Syft scan of the image referenced in that bug report:

$ go run ./cmd/syft -q cgr.dev/chainguard/dotnet-sdk:7 | grep 'System\.Net\.Http'
System.Net.Http                                                 7.0.923.36201     dotnet
...

Here we see a version that we'd expect (7.0.*), given that we know .NET 7 is what's installed in this image.
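
An added example, not code from this PR or from Syft: reading a four-part version such as the 7.0.923.36201 shown above straight out of a PE image in Go. It assumes the version of interest is the file version in the PE's VS_FIXEDFILEINFO block and finds that block by signature scan instead of walking the resource directory; `FileVersion` and `sampleImage` are hypothetical names, and the sample bytes are constructed.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// dwSignature of VS_FIXEDFILEINFO (0xFEEF04BD) as stored on disk, little-endian.
var fixedFileInfoSig = []byte{0xBD, 0x04, 0xEF, 0xFE}

// FileVersion returns the file version from the first VS_FIXEDFILEINFO in a
// PE image. The signature scan is an assumption of this example; a full
// parser walks the resource directory to the RT_VERSION entry.
func FileVersion(image []byte) (string, error) {
	if len(image) < 2 || image[0] != 'M' || image[1] != 'Z' {
		return "", errors.New("not a PE image: missing MZ header")
	}
	i := bytes.Index(image, fixedFileInfoSig)
	if i < 0 {
		return "", errors.New("no version resource found")
	}
	// Layout: dwSignature, dwStrucVersion, dwFileVersionMS, dwFileVersionLS, ...
	if len(image) < i+16 {
		return "", errors.New("truncated VS_FIXEDFILEINFO")
	}
	ms := binary.LittleEndian.Uint32(image[i+8:])
	ls := binary.LittleEndian.Uint32(image[i+12:])
	return fmt.Sprintf("%d.%d.%d.%d", ms>>16, ms&0xFFFF, ls>>16, ls&0xFFFF), nil
}

// sampleImage builds constructed test bytes (not a real assembly): an MZ
// stub, zero padding, and the first four fields of VS_FIXEDFILEINFO.
func sampleImage(major, minor, build, rev uint16) []byte {
	img := make([]byte, 64+16)
	copy(img, "MZ")
	copy(img[64:], fixedFileInfoSig)
	binary.LittleEndian.PutUint32(img[68:], 0x00010000) // dwStrucVersion 1.0
	binary.LittleEndian.PutUint32(img[72:], uint32(major)<<16|uint32(minor))
	binary.LittleEndian.PutUint32(img[76:], uint32(build)<<16|uint32(rev))
	return img
}

func main() {
	v, err := FileVersion(sampleImage(7, 0, 923, 36201))
	fmt.Println(v, err)
}
```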

@wagoodman

Seems like there are a few CLI test failures (adding the snippet here since the log goes on for a while):

--- FAIL: TestPackagesCmdFlags (19.62s)
...
    --- FAIL: TestPackagesCmdFlags/squashed-scope-flag (0.11s)
...
    --- FAIL: TestPackagesCmdFlags/override-default-parallelism (0.16s)
    --- FAIL: TestPackagesCmdFlags/default-parallelism (0.17s)
    --- FAIL: TestPackagesCmdFlags/password_and_key_not_in_config_output (0.17s)

Signed-off-by: Dan Luhring <[email protected]>

Former-commit-id: 69c33fe
Signed-off-by: Dan Luhring <[email protected]>

Former-commit-id: b9d204e
Signed-off-by: Dan Luhring <[email protected]>

Former-commit-id: 9711c00
Signed-off-by: Dan Luhring <[email protected]>

Former-commit-id: 368313f
Signed-off-by: Dan Luhring <[email protected]>

Former-commit-id: e42fd77

luhring commented Jul 18, 2023

> Seems like there are a few CLI test failures (adding the snippet here since the log goes on for a while):

Hmm I'm seeing CLI test failures on main as well 🤔 I think it's the same set of tests that are failing on my branch

luhring and others added 2 commits July 19, 2023 09:54
Signed-off-by: Dan Luhring <[email protected]>

Former-commit-id: 95b25f8
Signed-off-by: Alex Goodman <[email protected]>

Former-commit-id: fa54c0d0aef0998d5520e9f44cae51f5f9cd38a2
Signed-off-by: Dan Luhring <[email protected]>
@wagoodman wagoodman merged commit 8478e0b into anchore:main Jul 19, 2023
9 checks passed
@luhring luhring deleted the fix-dotnet branch July 19, 2023 19:48
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
* Add support for parsing .NET assemblies

Signed-off-by: Dan Luhring <[email protected]>

Former-commit-id: 69c33fe

* Add dll and exe files

Signed-off-by: Dan Luhring <[email protected]>

Former-commit-id: b9d204e

* Add PE cataloger to directory catalogers

Signed-off-by: Dan Luhring <[email protected]>

Former-commit-id: 9711c00

* Don't set language to dotnet for PEs

Signed-off-by: Dan Luhring <[email protected]>

Former-commit-id: 368313f

* Fix spelling of cataloger in constructor

Signed-off-by: Dan Luhring <[email protected]>

Former-commit-id: e42fd77

* Adjust which cases in PE parsing return errors

Signed-off-by: Dan Luhring <[email protected]>

Former-commit-id: 95b25f8

* remove build binary from branch

Signed-off-by: Alex Goodman <[email protected]>

Former-commit-id: fa54c0d0aef0998d5520e9f44cae51f5f9cd38a2

* Fix failing CLI tests

Signed-off-by: Dan Luhring <[email protected]>

---------

Signed-off-by: Dan Luhring <[email protected]>
Co-authored-by: Alex Goodman <[email protected]>
Successfully merging this pull request may close these issues.

Syft reports the "minimum required version" of .NET assemblies rather than the "assembly version"