fix: Unable to include python as a dependency in SBOM generation

[jananir640]

Description

Unable to include python as a dependency in SBOM generation for an artifact that contains python but is able to include it as a dependency on other files

To reproduce

Steps to reproduce the behaviour:

1. scan using these flags/this config --log debug --sbom-output <some_file.json> --sbom-type cyclonedx --sbom-format json
2. on this file https://s3.amazonaws.com/ddagent-windows-stable/datadog-agent-7-latest.amd64.msi
3. and on this file https://s3.amazonaws.com/apt.datadoghq.com/pool/d/da/datadog-agent_7.48.1-1_amd64.deb

Expected behaviour: python to be included as a dependency in both SBOMs
Actual behaviour: only included in SBOM for file from step 3

Version/platform info

Version of CVE-bin-tool: 3.3rc2
Installed from GitHub
Operating system: Linux
Python version (e.g. python3 --version): 3.8 or 3.9

[terriko]

Interesting. We had a recently filed fix for python 3.10 detection but that seems unlikely to be the problem here since you're talking python 3.8 and 3.9.

Some potential ideas:

• could be something wrong with .msi support, though I think it's basically just a zip file so that seems a little unlikely
• could be something weird about the way python strings are on windows
• they could be packaged in such a way that one of them expects to use a system python rather than containing a copy of python, which would potentially change the strings

If someone else wants to start working on this: I'd probably start by grabbing that .msi file and opening it and seeing what you find inside and running strings on the contents to see if they're hugely different than what you find inside the .deb file.

I'm also probably going to set up a 3.3rc3 release this week, so you could try that when it's out (or try now from main), but I can't immediately think of anything that's likely to change the result.

[jananir640]

I just double checked and it seems the .msi has python3.11, whereas the .deb may not. Could that be the reason for lack of detection?

[jananir640]

I also just ran cve-bin-tool on https://s3.amazonaws.com/apt.datadoghq.com/pool/d/da/datadog-agent_7.51.0-1_amd64.deb which has python3.11 on it and it is able to identify python version 3.11.5. So this probably isn't an issue with detecting python3.11 specifically, more to do with detection on the .msi perhaps.