Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

go-module-binary-cataloger and cargo-auditable-binary-cataloger still run when disabled but binary-cataloger is enabled #2031

Open
hittingray opened this issue Aug 16, 2023 · 1 comment
Labels
bug Something isn't working

Comments

@hittingray
Copy link

hittingray commented Aug 16, 2023

What happened:

go-module-binary-cataloger and cargo-auditable-binary-cataloger still run when they are absent in the catalogers config but binary-cataloger is present. As shown in the debug log below, the former 2 catalogers are not skipped despite being absent in the catalogers section. I've removed some snippets of the log to keep it short(er).

$ syft --catalogers binary-cataloger -vv golang:latest

[0000]  INFO syft version: 0.87.0
[0000] DEBUG application config:
<excluded for brevity>
log:
  structured: false
  level: debug
  file: ""
catalogers:
- binary-cataloger
package:
  cataloger:
    enabled: true
    scope: Squashed
  search-unindexed-archives: false
  search-indexed-archives: true
<excluded for brevity>

[0014]  INFO identified distro: Debian GNU/Linux 12 (bookworm)
[0014]  INFO skipping cataloger "alpmdb-cataloger"
[0014]  INFO skipping cataloger "apkdb-cataloger"
[0014]  INFO skipping cataloger "conan-cataloger"
[0014]  INFO skipping cataloger "dartlang-lock-cataloger"
[0014]  INFO skipping cataloger "dpkgdb-cataloger"
[0014]  INFO skipping cataloger "dotnet-deps-cataloger"
[0014]  INFO skipping cataloger "dotnet-portable-executable-cataloger"
[0014]  INFO skipping cataloger "elixir-mix-lock-cataloger"
[0014]  INFO skipping cataloger "erlang-rebar-lock-cataloger"
[0014]  INFO skipping cataloger "go-mod-file-cataloger"
[0014]  INFO skipping cataloger "haskell-cataloger"
[0014]  INFO skipping cataloger "java-cataloger"
[0014]  INFO skipping cataloger "java-gradle-lockfile-cataloger"
[0014]  INFO skipping cataloger "java-pom-cataloger"
[0014]  INFO skipping cataloger "graalvm-native-image-cataloger"
[0014]  INFO skipping cataloger "javascript-lock-cataloger"
[0014]  INFO skipping cataloger "javascript-package-cataloger"
[0014]  INFO skipping cataloger "linux-kernel-cataloger"
[0014]  INFO skipping cataloger "nix-store-cataloger"
[0014]  INFO skipping cataloger "php-composer-installed-cataloger"
[0014]  INFO skipping cataloger "php-composer-lock-cataloger"
[0014]  INFO skipping cataloger "portage-cataloger"
[0014]  INFO skipping cataloger "python-index-cataloger"
[0014]  INFO skipping cataloger "python-package-cataloger"
[0014]  INFO skipping cataloger "r-package-cataloger"
[0014]  INFO skipping cataloger "rpm-file-cataloger"
[0014]  INFO skipping cataloger "rpm-db-cataloger"
[0014]  INFO skipping cataloger "ruby-gemfile-cataloger"
[0014]  INFO skipping cataloger "ruby-gemspec-cataloger"
[0014]  INFO skipping cataloger "rust-cargo-lock-cataloger"
[0014]  INFO skipping cataloger "sbom-cataloger"
[0014]  INFO skipping cataloger "cocoapods-cataloger"
[0014]  INFO skipping cataloger "spm-cataloger"
[0014] DEBUG cataloging packages catalogers=4 parallelism=1
[0014] DEBUG discovered 2 packages cataloger=binary-cataloger
[0014] DEBUG discovered 19 packages cataloger=go-module-binary-cataloger
[0014] DEBUG discovered 0 packages cataloger=cargo-auditable-binary-cataloger

NAME           VERSION  TYPE
cmd/addr2line  (devel)  go-module
cmd/asm        (devel)  go-module
cmd/buildid    (devel)  go-module
cmd/cgo        (devel)  go-module
cmd/compile    (devel)  go-module
cmd/covdata    (devel)  go-module
cmd/cover      (devel)  go-module
cmd/doc        (devel)  go-module
cmd/fix        (devel)  go-module
cmd/go         (devel)  go-module
cmd/gofmt      (devel)  go-module
cmd/link       (devel)  go-module
cmd/nm         (devel)  go-module
cmd/objdump    (devel)  go-module
cmd/pack       (devel)  go-module
cmd/pprof      (devel)  go-module
cmd/test2json  (devel)  go-module
cmd/trace      (devel)  go-module
cmd/vet        (devel)  go-module
go             1.21.0   binary
python         3.11.2   binary

What you expected to happen:

No go-module entries should be in the output above (i.e. only binary)

Steps to reproduce the issue:

Run

syft --catalogers binary-cataloger golang:latest

and there will be go-module entries in the output along with the expected binary entries

Anything else we need to know?:

It looks like there was an attempt to fix substring matching in #1582, but this still hasn't fully fixed it.

It seems like

func hasFullWord(targetPhrase, candidate string) bool {
is the culprit, where if candidate = go-module-binary and targetPhrase = binary, then it will return true. I see from relevant tests that there's some partial matching on catalogers (e.g. php-composer matches php-composer-installed-cataloger) which makes this logic tricky.

I've also noticed that a lot of the tests include -cataloger, but the only call to hasFullWord() is straight after strings.TrimSuffix(partial, "-cataloger") is called, so the test cases don't seem that useful.

Is there any reason why there's some substring matching logic here anyway and not just full string matching? The docs make no mention of enabling a cataloger with a partial name or enabling multiple catalogers with just a substring of the name. I could understand if someone wanted to, for example, enable all Go modules, but it seems like something like go-* would be a better option.

Environment:

  • Output of syft version: 0.87.0
  • OS (e.g: cat /etc/os-release or similar): macOS Ventura 13.4.1
@hittingray hittingray added the bug Something isn't working label Aug 16, 2023
@kzantow
Copy link
Contributor

kzantow commented Aug 16, 2023

Thanks for the report @hittingray , I can confirm the behavior you've described.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
Status: Backlog
Development

No branches or pull requests

2 participants