linux-kernel-cataloger produces thousands of version-less components. #1781

Closed
ragaskar opened this issue May 4, 2023 · 1 comment · Fixed by #1784
Labels
bug Something isn't working

Comments

ragaskar (Contributor) commented May 4, 2023

What happened:
Scanning a disk image (mounted as a filesystem) before the linux-kernel-cataloger was added returned around 600 components. After the addition of the cataloger, scans returned around 7000 components, many of which have no versions (filesize has gone from 1MB to 37 MB). A subsequent CVE scan has doubled the amount of CVEs identified, and while I have not been able to triage them, I suspect nearly all the new CVEs are false positives.

I am not very conversant on the topic of kernel modules and did not quite follow the intent of the PR which added this functionality; it looks like the examples in the PR thread intended to use these files on disk to tie back to an actual kernel or package at a specific version. That most definitely is not happening in our case. Here is an example snippet from the resulting SBOM (syft-json format):

  {
   "id": "a1629328ee60a1d1",
   "name": "104_quad_8",
   "version": "",
   "type": "linux-kernel-module",
   "foundBy": "linux-kernel-cataloger",
   "locations": [
    {
     "path": "usr/lib/modules/5.19.0-40-generic/kernel/drivers/counter/104-quad-8.ko",
     "annotations": {
      "evidence": "primary"
     }
    }
   ],
   "licenses": [
    "GPL v2"
   ],
   "language": "",
   "cpes": [
    "cpe:2.3:a:104-quad-8:104-quad-8:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:104-quad-8:104_quad_8:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:104_quad_8:104-quad-8:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:104_quad_8:104_quad_8:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:104-quad:104-quad-8:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:104-quad:104_quad_8:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:104_quad:104-quad-8:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:104_quad:104_quad_8:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:104:104-quad-8:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:104:104_quad_8:*:*:*:*:*:*:*:*"
   ],
   "purl": "pkg:generic/104_quad_8",
   "metadataType": "LinuxKernelModuleMetadata",
   "metadata": {
    "name": "104_quad_8",
    "sourceVersion": "55C62F4A5D1B2412C1B85C7",
    "path": "usr/lib/modules/5.19.0-40-generic/kernel/drivers/counter/104-quad-8.ko",
    "description": "ACCES 104-QUAD-8 driver",
    "author": "William Breathitt Gray <vilhelm.gray@gmail.com>",
    "license": "GPL v2",
    "kernelVersion": "5.19.0-40-generic",
    "versionMagic": "5.19.0-40-generic SMP preempt mod_unload modversions ",
    "parameters": {
     "base": {
      "description": "ACCES 104-QUAD-8 base addresses"
     },
     "irq": {
      "description": "ACCES 104-QUAD-8 interrupt line numbers"
     }
    }
   }
  },
  {
   "id": "2a0e0f4387b2adcd",
   "name": "3c509",
   "version": "",
   "type": "linux-kernel-module",
   "foundBy": "linux-kernel-cataloger",
   "locations": [
    {
     "path": "usr/lib/modules/5.19.0-40-generic/kernel/drivers/net/ethernet/3com/3c509.ko",
     "annotations": {
      "evidence": "primary"
     }
    }
   ],
   "licenses": [
    "GPL"
   ],
   "language": "",
   "cpes": [
    "cpe:2.3:a:3c509:3c509:*:*:*:*:*:*:*:*"
   ],
   "purl": "pkg:generic/3c509",
   "metadataType": "LinuxKernelModuleMetadata",
   "metadata": {
    "name": "3c509",
    "sourceVersion": "D05BAE6130B1D178C163B12",
    "path": "usr/lib/modules/5.19.0-40-generic/kernel/drivers/net/ethernet/3com/3c509.ko",
    "description": "3Com Etherlink III (3c509, 3c509B, 3c529, 3c579) ethernet driver",
    "license": "GPL",
    "kernelVersion": "5.19.0-40-generic",
    "versionMagic": "5.19.0-40-generic SMP preempt mod_unload modversions ",
    "parameters": {
     "debug": {
      "description": "debug level (0-6)"
     },
     "irq": {
      "description": "IRQ number(s) (assigned)"
     },
     "max_interrupt_work": {
      "description": "maximum events handled per interrupt"
     },
     "nopnp": {
      "description": "disable ISA PnP support (0-1)"
     }
    }
   }
  },
  {
   "id": "b774a8dbcc7b639a",
   "name": "3c574_cs",
   "version": "",
   "type": "linux-kernel-module",
   "foundBy": "linux-kernel-cataloger",
   "locations": [
    {
     "path": "usr/lib/modules/5.19.0-40-generic/kernel/drivers/net/ethernet/3com/3c574_cs.ko",
     "annotations": {
      "evidence": "primary"
     }
    }
   ],
   "licenses": [
    "GPL"
   ],
   "language": "",
   "cpes": [
    "cpe:2.3:a:3c574-cs:3c574-cs:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:3c574-cs:3c574_cs:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:3c574_cs:3c574-cs:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:3c574_cs:3c574_cs:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:3c574:3c574-cs:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:3c574:3c574_cs:*:*:*:*:*:*:*:*"
   ],
   "purl": "pkg:generic/3c574_cs",
   "metadataType": "LinuxKernelModuleMetadata",
   "metadata": {
    "name": "3c574_cs",
    "sourceVersion": "3531B1EFEF90AB882DFA03A",
    "path": "usr/lib/modules/5.19.0-40-generic/kernel/drivers/net/ethernet/3com/3c574_cs.ko",
    "description": "3Com 3c574 series PCMCIA ethernet driver",
    "author": "David Hinds <dahinds@users.sourceforge.net>",
    "license": "GPL",
    "kernelVersion": "5.19.0-40-generic",
    "versionMagic": "5.19.0-40-generic SMP preempt mod_unload modversions ",
    "parameters": {
     "auto_polarity": {
      "type": "int"
     },
     "full_duplex": {
      "type": "int"
     },
     "max_interrupt_work": {
      "type": "int"
     }
    }
   }
  },

What you expected to happen:
Output to be limited to versioned packages that are likely to match a distribution CPE.

Steps to reproduce the issue:
Scan an Ubuntu filesystem.

Anything else we need to know?:

Environment:

  • Output of syft version:
    syft 0.79.0

  • OS (e.g: cat /etc/os-release or similar):
    Ubuntu 22.04.2 LTS
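
Added example (not from the issue or from syft itself): a small Python triage script over a syft-json document that counts the version-less linux-kernel-module entries and the wildcard-version CPEs they carry, and produces a copy of the SBOM with those entries removed so a downstream CVE matcher cannot match on a bare product name. The SBOM below is a constructed sample modelled on the excerpt above; the dpkg entry and its version are made up.

```python
import json
from collections import Counter

# Constructed sample in syft-json shape, modelled on the excerpt in the issue (not a real scan).
SAMPLE_SBOM = json.dumps({"artifacts": [
    {"id": "a1629328ee60a1d1", "name": "104_quad_8", "version": "", "type": "linux-kernel-module",
     "foundBy": "linux-kernel-cataloger",
     "cpes": ["cpe:2.3:a:104-quad-8:104-quad-8:*:*:*:*:*:*:*:*",
              "cpe:2.3:a:104:104_quad_8:*:*:*:*:*:*:*:*"],
     "metadata": {"kernelVersion": "5.19.0-40-generic"}},
    {"id": "2a0e0f4387b2adcd", "name": "3c509", "version": "", "type": "linux-kernel-module",
     "foundBy": "linux-kernel-cataloger",
     "cpes": ["cpe:2.3:a:3c509:3c509:*:*:*:*:*:*:*:*"],
     "metadata": {"kernelVersion": "5.19.0-40-generic"}},
    # Made-up versioned package so the sample has something that should survive filtering.
    {"id": "0000000000000001", "name": "openssl", "version": "3.0.2-0ubuntu1.9", "type": "deb",
     "foundBy": "dpkg-db-cataloger",
     "cpes": ["cpe:2.3:a:openssl:openssl:3.0.2-0ubuntu1.9:*:*:*:*:*:*:*"]},
]})

def cpe_version(cpe):
    """Version field of a CPE 2.3 formatted string (6th colon-separated field).
    Naive split: CPEs containing escaped ':' characters are not handled."""
    parts = cpe.split(":")
    return parts[5] if len(parts) >= 6 else ""

def is_versionless_module(artifact):
    return artifact.get("type") == "linux-kernel-module" and not artifact.get("version")

def triage(sbom_text):
    """Summarise how much of the SBOM is version-less kernel modules with wildcard CPEs.
    A CPE whose version field is '*' matches every advisory for that product name."""
    sbom = json.loads(sbom_text)
    modules = [a for a in sbom["artifacts"] if is_versionless_module(a)]
    wildcard = sum(1 for a in modules for c in a.get("cpes", []) if cpe_version(c) == "*")
    kernels = Counter(a.get("metadata", {}).get("kernelVersion", "?") for a in modules)
    return {"artifacts": len(sbom["artifacts"]), "versionless_modules": len(modules),
            "wildcard_cpes": wildcard, "kernel_versions": dict(kernels)}

def strip_versionless_modules(sbom_text):
    """Return a new syft-json document with the version-less kernel-module entries removed."""
    sbom = json.loads(sbom_text)
    kept = [a for a in sbom["artifacts"] if not is_versionless_module(a)]
    return json.dumps({**sbom, "artifacts": kept})

def artifact_names(sbom_text):
    return [a["name"] for a in json.loads(sbom_text)["artifacts"]]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_SBOM), indent=1))
```

Pointing the script at a real scan means replacing SAMPLE_SBOM with the contents of the syft-json output file; the kernelVersion counts show which kernel the modules belong to, which is the version information a matcher would actually need.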

@ragaskar ragaskar added the bug Something isn't working label May 4, 2023
@tgerla tgerla added this to OSS May 4, 2023
@kzantow kzantow self-assigned this May 4, 2023
ragaskar (Contributor, Author) commented May 4, 2023

Thanks for the ping back in Slack. I have added repro steps here (this works for me on an M1 Mac -- if you're not on an M1, the --platform is probably unnecessary):

Open a Docker container with the packages needed for image mounting:
docker run -it --privileged --platform linux/amd64 bosh/os-image-stemcell-builder /bin/bash

Inside that docker container, run the following:

curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh > install.sh \
    && (echo "a6dfabcd60ec8b09a8269d5efda8c797ad9657567cd723306f5cfc3fcb07b79b  install.sh" | sha256sum --check --status  \
    || (echo "Checksum failed! Please review https://raw.githubusercontent.com/anchore/syft/main/install.sh, ensure it is still safe, and update the checksum" && exit 1)) \
    && chmod u+x ./install.sh && (cat ./install.sh | sh -s -- -b /usr/local/bin) && rm ./install.sh

function permit_device_control() {
  # Find the devices cgroup (v1) entry for this container and split it into
  # the subsystem name and the container's cgroup subdirectory
  local devices_mount_info=$(grep devices /proc/self/cgroup)

  local devices_subsystems=$(echo $devices_mount_info | cut -d: -f2)
  local devices_subdir=$(echo $devices_mount_info | cut -d: -f3)

  cgroup_dir=/mnt/tmp-todo-devices-cgroup

  if [ ! -e ${cgroup_dir} ]; then
    # mount our container's devices subsystem somewhere
    mkdir ${cgroup_dir}
  fi

  if ! mountpoint -q ${cgroup_dir}; then
    mount -t cgroup -o $devices_subsystems none ${cgroup_dir}
  fi

  # permit our cgroup to do everything with all devices
  # ignore failure in case something has already done this; echo appears to
  # return EINVAL, possibly because devices this affects are already in use
  echo a > ${cgroup_dir}${devices_subdir}/devices.allow || true
}

permit_device_control

for i in $(seq 0 64); do
  if ! mknod -m 0660 /dev/loop$i b 7 $i; then
    break
  fi
done

mkdir -p work

pushd work
git clone https://github.com/cloudfoundry/bosh-linux-stemcell-builder.git
chown -R ubuntu:ubuntu bosh-linux-stemcell-builder
chown -R ubuntu:ubuntu /mnt
####
wget https://storage.googleapis.com/bosh-core-stemcells/1.108/bosh-stemcell-1.108-google-kvm-ubuntu-jammy-go_agent.tgz

helpers_path="./bosh-linux-stemcell-builder/scripts/repack-helpers"
extracted_image_path=$("${helpers_path}/extract-stemcell.sh" "bosh-stemcell-1.108-google-kvm-ubuntu-jammy-go_agent.tgz" | $helpers_path/extract-image.sh)
mounted_image_path=$("${helpers_path}/mount-image.sh" <<< $extracted_image_path)
syft -q "dir:${mounted_image_path}"
popd
