Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: Unable to include python as a dependency in SBOM generation #4003

Closed
jananir640 opened this issue Apr 5, 2024 · 3 comments
Closed

fix: Unable to include python as a dependency in SBOM generation #4003

jananir640 opened this issue Apr 5, 2024 · 3 comments
Labels
bug Something isn't working

Comments

@jananir640
Copy link
Contributor

Description

Unable to include python as a dependency in SBOM generation for an artifact that contains python but is able to include it as a dependency on other files

To reproduce

Steps to reproduce the behaviour:

  1. scan using these flags/this config --log debug --sbom-output <some_file.json> --sbom-type cyclonedx --sbom-format json
  2. on this file https://s3.amazonaws.com/ddagent-windows-stable/datadog-agent-7-latest.amd64.msi
  3. and on this file https://s3.amazonaws.com/apt.datadoghq.com/pool/d/da/datadog-agent_7.48.1-1_amd64.deb

Expected behaviour: python to be included as a dependency in both SBOMs
Actual behaviour: only included in SBOM for file from step 3

Version/platform info

Version of CVE-bin-tool: 3.3rc2
Installed from GitHub
Operating system: Linux
Python version (e.g. python3 --version): 3.8 or 3.9
@jananir640 jananir640 added the bug Something isn't working label Apr 5, 2024
@terriko
Copy link
Contributor

terriko commented Apr 8, 2024

Interesting. We had a recently filed fix for python 3.10 detection but that seems unlikely to be the problem here since you're talking python 3.8 and 3.9.

Some potential ideas:

  • could be something wrong with .msi support, though I think it's basically just a zip file so that seems a little unlikely
  • could be something weird about the way python strings are on windows
  • they could be packaged in such a way that one of them expects to use a system python rather than containing a copy of python, which would potentially change the strings

If someone else wants to start working on this: I'd probably start by grabbing that .msi file and opening it and seeing what you find inside and running strings on the contents to see if they're hugely different than what you find inside the .deb file.

I'm also probably going to set up a 3.3rc3 release this week, so you could try that when it's out (or try now from main), but I can't immediately think of anything that's likely to change the result.

@jananir640
Copy link
Contributor Author

I just double checked and it seems the .msi has python3.11, whereas the .deb may not. Could that be the reason for lack of detection?

@jananir640
Copy link
Contributor Author

I also just ran cve-bin-tool on https://s3.amazonaws.com/apt.datadoghq.com/pool/d/da/datadog-agent_7.51.0-1_amd64.deb which has python3.11 on it and it is able to identify python version 3.11.5. So this probably isn't an issue with detecting python3.11 specifically, more to do with detection on the .msi perhaps.

@jananir640 jananir640 mentioned this issue Apr 12, 2024
Merged
@terriko terriko closed this as completed Apr 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@terriko @jananir640