Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add native support for flatpak and snap images #1088

Open
ciphernaut-rh opened this issue Jul 7, 2022 · 9 comments
Open

add native support for flatpak and snap images #1088

ciphernaut-rh opened this issue Jul 7, 2022 · 9 comments
Labels
enhancement New feature or request needs-investigation

Comments

@ciphernaut-rh
Copy link

What would you like to be added: support for pulling flatpak and snap images from repos for scanning

Why is this needed: scan packages from snap and flatpak without needing to install them first

Additional context:

It is possible to scan flatpak and snap images with some level of success once they have been installed using the dir: specifier. It would be neat if syft (and grype) knew how to fetch these packages directly (from original and alternative sources) and generate an sbom without needing to 'install' them first.
@ciphernaut-rh ciphernaut-rh added the enhancement New feature or request label Jul 7, 2022
@spiffcs spiffcs added this to OSS Jul 7, 2022
@spiffcs
Copy link
Contributor

spiffcs commented Sep 29, 2022
edited
Loading

Thanks for filling the issue @ciphernaut-rh!

I think we have to do some preliminary investigation on if the images support OCI and fit nicely in with the https://github.com/anchore/stereoscope library that supports how syft breaks apart and pulls information from a given container image.

Do you have any good references we could use to start digging into flatpak and snap images that could help with the design surrounding this issue?

@spiffcs spiffcs moved this to Parking Lot (Comments or Progress) in OSS Sep 29, 2022
@wagoodman
Copy link
Contributor

Clarifying question: is the ask to report the flatpaks themselves? or the flatpaks + what's inside of the flatpaks?

If it's the latter case, this is related to #246 , where we need to run all of the enabled catalogers within the unpacked flatpack.

@ciphernaut-rh
Copy link
Author

Clarifying question: is the ask to report the flatpaks themselves? or the flatpaks + what's inside of the flatpaks?

Yes please, include all of the components that make up the flatpak.

If it's the latter case, this is related to #246 , where we need to run all of the enabled catalogers within the unpacked flatpack.

@ciphernaut-rh
Copy link
Author

$ snap info core18
name: core18
summary: Runtime environment based on Ubuntu 18.04
publisher: Canonical✓
store-url: https://snapcraft.io/core18
license: unset
description: |
The base snap based on the Ubuntu 18.04 release.
type: base
snap-id: CSO04Jhav2yK0uz97cr0ipQRyqg0qQL6
tracking: latest/stable
refresh-date: 18 days ago, at 19:29 AEST
channels:
latest/stable: 20220831 2022-09-14 (2566) 58MB -
latest/candidate: 20220831 2022-09-07 (2566) 58MB -
latest/beta: 20220831 2022-09-05 (2566) 58MB -
latest/edge: 20220915 2022-09-20 (2590) 58MB -
installed: 20220831 (2566) 58MB base

$ syft packages dir:/snap/core18/
✔ Indexed /var/lib/snapd/snap/core18
✔ Cataloged packages [99 packages]
< errors truncated >
NAME VERSION TYPE
Jinja2 2.10 python
MarkupSafe 1.0 python
PyJWT 1.5.3 python
PyYAML 3.12 python
asn1crypto 0.24.0 python
blinker 1.4 python
certifi 2018.1.18 python
chardet 3.0.4 python
cloud-init 22.2 python
configobj 5.0.6 python
cryptography 2.1.4 python
github.com/canonical/go-efilib v0.0.0-20210909101908-41435fa545d4 go-module
github.com/canonical/go-sp800.108-kdf v0.0.0-20210314145419-a3359f2d21b9 go-module
github.com/canonical/go-sp800.90a-drbg v0.0.0-20210314144037-6eeb1040d6c3 go-module
github.com/canonical/go-tpm2 v0.0.0-20210827151749-f80ff5afff61 go-module
github.com/canonical/tcglog-parser v0.0.0-20210824131805-69fa1e9f0ad2 go-module
github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7 go-module
github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2 go-module
github.com/gorilla/mux v1.7.4-0.20190701202633-d83b6ffe499a go-module
github.com/jessevdk/go-flags v1.4.1-0.20180927143258-7309ec74f752 go-module
github.com/juju/ratelimit v1.0.1 go-module
github.com/mvo5/goconfigparser v0.0.0-20200803085309-72e476556adb go-module
github.com/snapcore/bolt v1.3.2-0.20210908134111-63c8bfcf7af8 go-module
github.com/snapcore/go-gettext v0.0.0-20191107141714-82bbea49e785 go-module
github.com/snapcore/secboot v0.0.0-20211018143212-802bb19ca263 go-module
github.com/snapcore/snapd (devel) go-module
go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1 go-module
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 go-module
golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365 go-module
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 go-module
gopkg.in/macaroon.v1 v1.0.0-20150121114231-ab3940c6c165 go-module
gopkg.in/retry.v1 v1.0.3 go-module
gopkg.in/tomb.v2 v2.0.0-20161208151619-d5d1b5820637 go-module
gopkg.in/yaml.v2 v2.3.0 go-module
idna 2.6 python
jsonpatch 1.16 python
jsonpointer 1.10 python
jsonschema 2.6.0 python
maze.io/x/crypto v0.0.0-20190131090603-9b94c9afe066 go-module
netifaces 0.10.4 python
oauthlib 2.0.6 python
probert 0.0.12 python
pyserial 3.4 python
pyudev 0.21.0 python
requests 2.18.4 python
requests-unixsocket 0.1.5 python
six 1.11.0 python
urllib3 1.22 python
urwid 2.0.1 python

@ciphernaut-rh
Copy link
Author

$ flatpak info org.gnome.Platform/x86_64/42

GNOME Application Platform version 42 - Shared libraries used by GNOME
applications

      ID: org.gnome.Platform
     Ref: runtime/org.gnome.Platform/x86_64/42
    Arch: x86_64
  Branch: 42
 License: GPL-2.0+
  Origin: flathub

Collection: org.flathub.Stable
Installation: system
Installed: 758.2 MB

  Commit: e8380d976dc7b39cc9307cc1c92a75d1caf6d10d7b2a7e2b9bc45e2d66133566
  Parent: e461129c14120dcf8801bf1bb25257a651cee3f2fd0ebd1a31c1d51db1da9e9c
 Subject: Export org.gnome.Platform
    Date: 2022-09-27 21:49:11 +0000

$ syft dir:/var/lib/flatpak/runtime/org.gnome.Platform/x86_64/42/active/files/
✔ Indexed /var/lib/flatpak/runtime/org.gnome.Platform/x86_64/42/e8380d976dc7b39cc9307cc1c92a75d1caf6d10d7b2a7e2b9bc45e2d66133566/files
✔ Cataloged packages [7 packages]
< errors truncated >
NAME VERSION TYPE
Mako 1.2.0 python
Markdown 3.3.4 python
MarkupSafe 2.1.1 python
PyGObject 3.42.2 python
pycairo 1.21.0 python
setuptools 59.8.0 python
six 1.16.0 python

@ciphernaut-rh
Copy link
Author

both of these examples are from installed items. Ideally it would be nice to scan them with syft and grype without having to install them

@tgerla tgerla removed the status in OSS Sep 14, 2023
@wagoodman
Copy link
Contributor

At a first glance it doesn't seem like flatpaks are stored in an OCI repo flatpak/flatpak#4744 (or snaps either, but am still looking around). For that reason I don't think it makes sense to have syft do the work of pulling the packages (in the same way that we don't interact with rpm, dpk, apk registries / repos).

Are there ways to get flatpaks downloaded in a distribution format? say like a single tar.gz or zip? If so, I feel that syft being able to open up the archive / container image / distribution format and running the scan correctly makes sense. This would save the user from having to know where on /var/lib/... on the system.

@tgerla tgerla moved this to Awaiting Response in OSS Sep 21, 2023
@wagoodman wagoodman removed the status in OSS Feb 7, 2024
@popey
Copy link
Contributor

popey commented Sep 26, 2024
edited
Loading

For snaps - they're squashfs files, which the user can download, unpack and then scan with syft, like any other directory.

Download snap package

If the user is on a machine with the snapd package installed:

$ SNAPNAME="hello-world"
$ CHANNEL="stable"
$ snap download "$SNAPNAME" --channel="$CHANNEL"

If they're not on a machine with snapd installed:

$ SNAPNAME="hello-world"
$ CHANNEL="stable"
$ curl -sL --output "$SNAPNAME".snap $(curl -s -H 'Snap-Device-Series: 16' http://api.snapcraft.io/v2/snaps/info/$SNAPNAME | jq -r '.["channel-map"][] | select(.channel.architecture == "amd64" and .channel.name == "'$CHANNEL'") | .download.url')

Unpack it

$ unsquashfs "$SNAPNAME"*.snap
$ tree squashfs-root/
squashfs-root/
├── bin
│   ├── echo
│   ├── env
│   ├── evil
│   └── sh
└── meta
    ├── gui
    │   └── icon.png
    └── snap.yaml

Scan it

$ syft scan dir:squashfs-root
 ✔ Indexed file system squashfs-root
 ✔ Cataloged contents 371b4bb9660cd5035e57c09aff807bcee3de0f71b912e498818153684b206f8e
   ├── ✔ Packages                        [0 packages]
   └── ✔ Executables                     [0 executables]
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
No packages discovered

I should have picked a more interesting snap, to be fair.

Edit:

Libreoffice is more 'interesting'

$ snap download libreoffice
$ unsquashfs libreoffice*.snap
syft dir:squashfs-root/
 ✔ Indexed file system squashfs-root
 ✔ Cataloged contents 371b4bb9660cd5035e57c09aff807bcee3de0f71b912e498818153684b206f8e
   ├── ✔ Packages                        [57 packages]
   ├── ✔ File digests                    [110 files]
   ├── ✔ File metadata                   [110 locations]
   └── ✔ Executables                     [929 executables]
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
NAME                         VERSION                         TYPE
HelloWorld                   UNKNOWN                         java-archive
Highlight                    UNKNOWN                         java-archive
MemoryUsage                  UNKNOWN                         java-archive
ScriptFramework              UNKNOWN                         java-archive
ScriptProviderForBeanShell   UNKNOWN                         java-archive
ScriptProviderForJava        UNKNOWN                         java-archive
ScriptProviderForJavaScript  UNKNOWN                         java-archive
XMergeBridge                 UNKNOWN                         java-archive
bsh                          2.0b6 2024-09-05 06:18:45       java-archive
ca-certificates-java         UNKNOWN                         java-archive
commonwizards                UNKNOWN                         java-archive
el-api                       3.0.0                           java-archive
flow-engine                  UNKNOWN                         java-archive
flute                        1.1.6                           java-archive
form                         UNKNOWN                         java-archive
hsqldb1.8.0                  1.8.0.10+dfsg                   java-archive
hsqldbutil1.8.0              1.8.0.10+dfsg                   java-archive
java_uno                     UNKNOWN                         java-archive
java_websocket               UNKNOWN                         java-archive
javax.el-api                 3.0.0                           java-archive
javax.servlet-api            4.0.1                           java-archive
javax.servlet.jsp-api        2.3.4-SNAPSHOT                  java-archive
javax.websocket-api          1.1                             java-archive
javax.websocket-client-api   1.1                             java-archive
jrt-fs                       17.0.12                         java-archive
js                           UNKNOWN                         java-archive
jsp-api                      2.3.4-SNAPSHOT                  java-archive
juh                          UNKNOWN                         java-archive
jurt                         UNKNOWN                         java-archive
libbase                      1.1.6                           java-archive
libfonts                     1.1.6                           java-archive
libformula                   1.1.7                           java-archive
liblayout                    UNKNOWN                         java-archive
libloader                    1.1.6                           java-archive
libreoffice                  UNKNOWN                         java-archive
librepository                1.1.6                           java-archive
libserializer                1.1.6                           java-archive
libxml                       1.1.7                           java-archive
mediawiki                    UNKNOWN                         java-archive
officebean                   UNKNOWN                         java-archive
openjdk                      17.0.12+7-Ubuntu-1ubuntu222.04  binary
python                       3.10.12                         binary
query                        UNKNOWN                         java-archive
report                       UNKNOWN                         java-archive
reportbuilder                UNKNOWN                         java-archive
reportbuilderwizard          UNKNOWN                         java-archive
ridl                         UNKNOWN                         java-archive
sac                          UNKNOWN                         java-archive
sdbc_hsqldb                  UNKNOWN                         java-archive
servlet-api                  4.0.1                           java-archive
smoketest                    UNKNOWN                         java-archive
table                        UNKNOWN                         java-archive
unoil                        UNKNOWN                         java-archive
unoloader                    UNKNOWN                         java-archive
websocket-api                1.1                             java-archive
websocket-client-api         UNKNOWN                         java-archive
xmerge                       #IMPL-VERSION#                  java-archive

@wagoodman
Copy link
Contributor

I think github.com/sylabs/squashfs would be great for this 👍

@wagoodman wagoodman moved this to Ready in OSS Nov 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request needs-investigation
Projects
OSS
Status: Ready
Milestone
No milestone
Development

No branches or pull requests
5 participants
@wagoodman @popey @willmurphyscode @spiffcs @ciphernaut-rh