wrong traefik rc versions at binary detection #3535

Open
witchcraze opened this issue Dec 18, 2024 · 7 comments
Labels
bug (Something isn't working), needs-investigation

Comments

@witchcraze
Contributor

witchcraze commented Dec 18, 2024

What happened:

Some traefik rc versions are not shown correctly for the binary type.

What you expected to happen:

Proper versions are shown
(or only proper go-module versions are shown)

Steps to reproduce the issue:

$ syft -q traefik:v2.5.0-rc2 | grep traefik
github.com/traefik/gziphandler                       v1.1.2-0.20210212101304-175e0fad6888                        go-module
github.com/traefik/paerser                           v0.1.4                                                      go-module
github.com/traefik/traefik/v2                        v2.5.0-rc2                                                  go-module
github.com/traefik/yaegi                             v0.9.19                                                     go-module
traefik                                              2.5.0-rc2                                                   binary

$ syft -q traefik:v2.6.0-rc1 | grep traefik
github.com/traefik/paerser                           v0.1.4                                       go-module
github.com/traefik/traefik/v2                        v2.6.0-rc1                                   go-module
github.com/traefik/yaegi                             v0.11.1                                      go-module
traefik                                              1.17.5                                       binary

$ syft -q traefik:v2.7.0-rc1 | grep traefik
github.com/traefik/paerser                                       v0.1.5                                       go-module
github.com/traefik/traefik/v2                                    v2.7.0-rc1                                   go-module
github.com/traefik/yaegi                                         v0.11.2                                      go-module
traefik                                                          1.17.6                                       binary

$ syft -q traefik:v2.8.0-rc1 | grep traefik
github.com/traefik/paerser                                       v0.1.5                                       go-module
github.com/traefik/traefik/v2                                    v2.8.0-rc1                                   go-module
github.com/traefik/yaegi                                         v0.12.0                                      go-module
traefik                                                          2.8.0-rc1                                    binary

$ syft -q traefik:v2.9.0-rc2 | grep traefik
github.com/traefik/paerser                                       v0.1.9                                       go-module
github.com/traefik/traefik/v2                                    v2.9.0-rc2                                   go-module
github.com/traefik/yaegi                                         v0.14.2                                      go-module
traefik                                                          1.19.1                                       binary

$ syft -q traefik:v3.0.0-rc1 | grep traefik
github.com/traefik/grpc-web                                                     v0.16.0                                go-module
github.com/traefik/paerser                                                      v0.2.0                                 go-module
github.com/traefik/traefik/v3                                                   v3.0.0-rc1                             go-module
github.com/traefik/yaegi                                                        v0.15.1                                go-module
traefik                                                                         1.22.0                                 binary

$ syft -q traefik:v3.1.0-rc2 | grep traefik
github.com/traefik/grpc-web                                                           v0.16.0                                go-module
github.com/traefik/http-wasm-host-go                                                  v0.0.0-20240618100324-3c53dcaa1a70     go-module
github.com/traefik/paerser                                                            v0.2.0                                 go-module
github.com/traefik/traefik/v3                                                         v3.1.0-rc2                             go-module
github.com/traefik/yaegi                                                              v0.16.1                                go-module
traefik                                                                               1.22.4                                 binary

$ syft -q traefik:v3.2.0-rc1 | grep traefik
github.com/traefik/grpc-web                                                           v0.16.0                                 go-module
github.com/traefik/http-wasm-host-go                                                  v0.0.0-20240618100324-3c53dcaa1a70      go-module
github.com/traefik/paerser                                                            v0.2.1                                  go-module
github.com/traefik/traefik/v3                                                         v3.2.0-rc1                              go-module
github.com/traefik/yaegi                                                              v0.16.1                                 go-module
traefik                                                                               1.23.2                                  binary

$ syft -q traefik:v3.3.0-rc1 | grep traefik
github.com/traefik/grpc-web                                                           v0.16.0                                 go-module
github.com/traefik/paerser                                                            v0.2.1                                  go-module
github.com/traefik/traefik/v3                                                         v3.3.0-rc1                              go-module
github.com/traefik/yaegi                                                              v0.16.1                                 go-module
traefik                                                                               1.23.4                                  binary

Anything else we need to know?:

I think go-module detection was improved, and proper versions seem to be shown.
Maybe deleting the traefik binary classifier is OK.
// Sorry, I do not understand the improvement of go-module detection, so I cannot judge this.

Environment:

  • Output of syft version:
$ syft version
Application: syft
Version:    1.18.1
BuildDate:  2024-12-13T18:41:10Z
GitCommit:  5e16e5031a13f8a11057feb8544decebfc43b4ed
GitDescription: v1.18.1
Platform:   linux/amd64
GoVersion:  go1.23.4
Compiler:   gc
  • OS (e.g: cat /etc/os-release or similar):
$ cat /etc/os-release
PRETTY_NAME="Ubuntu 24.04.1 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04.1 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo
witchcraze added the bug label Dec 18, 2024
@kzantow
Contributor

kzantow commented Dec 23, 2024

Thanks for the report, @witchcraze!

It looks like there are a couple things going on here:

  • we are detecting Traefik in go mod cataloging and with a custom binary classifier
  • we are not deduplicating the binary findings

For the first point, should we remove the Traefik classifier and just use the go mod? Are there older versions of traefik that do not include go mod information? Should we tune the regex to exclude certain versions that we know will have go module information?

We deduplicate binary package findings if there are owned files by other packages: see the exclude_binaries_by_file_ownership_overlap process for the sets of package types that result in deduplicating binary findings. Should we add golang to the list of catalogers for which if we find a package from, we drop binary packages with overlapping files?

@wagoodman
Contributor

Side note about the regex: I think that since the prefix is entirely optional, it's allowed to match against the Go version embedded nearby:

03a940f0: 0100 0000 0400 0000 0300 0000 0000 0000  ................
03a94100: 0100 0000 0800 0000 0300 0000 0000 0000  ................
03a94110: 676f 312e 3137 2e35 0000 0000 0000 0000  go1.17.5........
03a94120: 0100 0000 0600 0000 0000 0000 0000 0000  ................
03a94130: 0100 0000 0400 0000 0100 0000 0000 0000  ................
03a94140: 0100 0000 0200 0000 0100 0000 0000 0000  ................
03a94150: 0100 0000 0200 0000 0100 0000 0000 0000  ................
03a94160: 0100 0000 0600 0000 0700 0000 0000 0000  ................
03a94170: 0100 0000 0400 0000 0300 0000 0000 0000  ................
03a94180: 0100 0000 0800 0000 0300 0000 0000 0000  ................
03a94190: 0100 0000 0a00 0000 1300 0000 0000 0000  ................
03a941a0: 0100 0000 0a00 0000 0700 0000 0000 0000  ................
03a941b0: 0100 0000 0c00 0000 0900 0000 0000 0000  ................
03a941c0: 0100 0000 0c00 0000 0900 0000 0000 0000  ................
03a941d0: 0100 0000 0c00 0000 0900 0000 0000 0000  ................
03a941e0: 0100 0000 0e00 0000 0900 0000 0000 0000  ................
03a941f0: 0100 0000 0c00 0000 0900 0000 0000 0000  ................
03a94200: 0100 0000 0e00 0000 0900 0000 0000 0000  ................
03a94210: 0100 0000 0e00 0000 0900 0000 0000 0000  ................
03a94220: 0100 0000 0e00 0000 0900 0000 0000 0000  ................
03a94230: 322e 362e 302d 7263 3100 0000 0000 0000  2.6.0-rc1.......
03a94240: 0100 0000 0c00 0000 0b00 0000 0000 0000  ................
03a94250: 0100 0000 0c00 0000 0b00 0000 0000 0000  ................
03a94260: 0100 0000 0c00 0000 0b00 0000 0000 0000  ................

Maybe we could ensure that there is a non-go prefix:

-(?m)(\x00|\x{FFFD})?v?(?P<version>[0-9]+\.[0-9]+\.[0-9]+(-alpha[0-9]|-beta[0-9]|-rc[0-9])?)\x00
+(?m)(\x00|\x{FFFD})v?(?P<version>[0-9]+\.[0-9]+\.[0-9]+(-alpha[0-9]|-beta[0-9]|-rc[0-9])?)\x00
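Review bot: Making the `(\x00|\x{FFFD})` prefix mandatory does resolve the dump above: `1.17.5` is preceded by the `o` of `go1.17.5` and stops matching, while `2.6.0-rc1` at 03a94230 is preceded by `00` bytes and still matches. Two things to confirm before merging: any traefik build whose version string is not nul-padded will now go undetected, so the classifier's fixtures should include a few real releases; and the pre-release alternation `(-alpha[0-9]|-beta[0-9]|-rc[0-9])?` admits only one digit, so an `rc10`-style tag cannot satisfy the trailing `\x00` and is silently dropped rather than mis-versioned.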

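To see what the proposed tightening changes in practice, here is an added example (not syft's code, and not written by anyone in this thread) that runs both expressions over a constructed byte buffer laid out like the hexdump above. The two regexes are copied from the diff; the buffer, the `versions` helper and the `rc10` probe are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// The two expressions are the ones quoted in the thread: oldPattern has the
// nul/U+FFFD prefix optional, newPattern requires it.
var (
	oldPattern = regexp.MustCompile(`(?m)(\x00|\x{FFFD})?v?(?P<version>[0-9]+\.[0-9]+\.[0-9]+(-alpha[0-9]|-beta[0-9]|-rc[0-9])?)\x00`)
	newPattern = regexp.MustCompile(`(?m)(\x00|\x{FFFD})v?(?P<version>[0-9]+\.[0-9]+\.[0-9]+(-alpha[0-9]|-beta[0-9]|-rc[0-9])?)\x00`)
)

// sample is a constructed buffer that mimics the layout of the hexdump: the
// toolchain string "go1.17.5" and the traefik version "2.6.0-rc1", each
// nul-terminated, with a few words of table data in between. It is not the
// real binary.
var sample = []byte(
	"\x00\x00\x00\x00go1.17.5\x00\x00\x00\x00" +
		"\x01\x00\x00\x00\x0e\x00\x00\x00\x09\x00\x00\x00\x00\x00\x00\x00" +
		"2.6.0-rc1\x00\x00\x00\x00\x00\x00\x00")

// versions returns every value captured by the "version" group, in order of
// appearance in buf.
func versions(re *regexp.Regexp, buf []byte) []string {
	idx := re.SubexpIndex("version")
	var out []string
	for _, m := range re.FindAllSubmatch(buf, -1) {
		out = append(out, string(m[idx]))
	}
	return out
}

func main() {
	fmt.Println("old:", versions(oldPattern, sample)) // old: [1.17.5 2.6.0-rc1]
	fmt.Println("new:", versions(newPattern, sample)) // new: [2.6.0-rc1]
	// Neither expression admits a two-digit pre-release number: the trailing
	// \x00 must directly follow "-rc1", and here a "0" sits in between.
	fmt.Println("rc10:", versions(newPattern, []byte("\x00v3.0.0-rc10\x00"))) // rc10: []
}
```

The old expression picks up the Go toolchain version because a match may begin at the `1` of `go1.17.5` with the prefix group matching nothing; the new one needs a nul or U+FFFD immediately before the digits, which the `o` is not.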
@witchcraze
Contributor Author

Thank you for your comments.

I checked ...

I think this is a case of #3485
Anyway, updating the regex seems good, I think.

$ syft -q library/traefik:3.0 --platform linux/arm/v6 | grep traefik
github.com/traefik/grpc-web                                                           v0.16.0                                go-module
github.com/traefik/paerser                                                            v0.2.0                                 go-module
github.com/traefik/traefik/v3                                                         v0.0.0-20240702134203-d42e75bb2eab     go-module
github.com/traefik/yaegi                                                              v0.16.1                                go-module
traefik                                                                               3.0.4                                  binary
$ syft -q library/traefik:3.0 --platform linux/arm/v6 -o json | jq '.artifacts[] | select(.name == "traefik" or .name == "github.com/traefik/traefik/v3")'
{
  "id": "04c242719e570a6d",
  "name": "github.com/traefik/traefik/v3",
  "version": "v0.0.0-20240702134203-d42e75bb2eab",
  "type": "go-module",
  "foundBy": "go-module-binary-cataloger",
  "locations": [
    {
      "path": "/usr/local/bin/traefik",
      "layerID": "sha256:c5af03c66698c7486555cedce953aaa5c1743ddc2a3078ec82ee4514afa65541",
      "accessPath": "/usr/local/bin/traefik",
      "annotations": {
        "evidence": "primary"
      }
    }
  ],
  "licenses": [],
  "language": "go",
  "cpes": [
    {
      "cpe": "cpe:2.3:a:traefik:traefik\\/v3:v0.0.0-20240702134203-d42e75bb2eab:*:*:*:*:*:*:*",
      "source": "syft-generated"
    }
  ],
  "purl": "pkg:golang/github.com/traefik/[email protected]#v3",
  "metadataType": "go-module-buildinfo-entry",
  "metadata": {
    "goBuildSettings": [
      {
        "key": "-buildmode",
        "value": "exe"
      },
      {
        "key": "-compiler",
        "value": "gc"
      },
      {
        "key": "-trimpath",
        "value": "true"
      },
      {
        "key": "CGO_ENABLED",
        "value": "0"
      },
      {
        "key": "GOARCH",
        "value": "arm"
      },
      {
        "key": "GOOS",
        "value": "linux"
      },
      {
        "key": "GOARM",
        "value": "6"
      },
      {
        "key": "vcs",
        "value": "git"
      },
      {
        "key": "vcs.revision",
        "value": "d42e75bb2eabbe684809929ce96abfe09d4e50fb"
      },
      {
        "key": "vcs.time",
        "value": "2024-07-02T13:42:03Z"
      },
      {
        "key": "vcs.modified",
        "value": "false"
      }
    ],
    "goCompiledVersion": "go1.22.4",
    "architecture": "arm",
    "mainModule": "github.com/traefik/traefik/v3"
  }
}
{
  "id": "be4b3512ee88658e",
  "name": "traefik",
  "version": "3.0.4",
  "type": "binary",
  "foundBy": "binary-classifier-cataloger",
  "locations": [
    {
      "path": "/usr/local/bin/traefik",
      "layerID": "sha256:c5af03c66698c7486555cedce953aaa5c1743ddc2a3078ec82ee4514afa65541",
      "accessPath": "/usr/local/bin/traefik",
      "annotations": {
        "evidence": "primary"
      }
    }
  ],
  "licenses": [],
  "language": "",
  "cpes": [
    {
      "cpe": "cpe:2.3:a:traefik:traefik:3.0.4:*:*:*:*:*:*:*",
      "source": "nvd-cpe-dictionary"
    }
  ],
  "purl": "pkg:generic/[email protected]",
  "metadataType": "binary-signature",
  "metadata": {
    "matches": [
      {
        "classifier": "traefik-binary",
        "location": {
          "path": "/usr/local/bin/traefik",
          "layerID": "sha256:c5af03c66698c7486555cedce953aaa5c1743ddc2a3078ec82ee4514afa65541",
          "accessPath": "/usr/local/bin/traefik",
          "annotations": {
            "evidence": "primary"
          }
        }
      }
    ]
  }
}

@wagoodman
Contributor

Theme for discussion: we have a case where the "expert cataloger" (golang specific one) has less information than the binary cataloger -- what options are there here?

@westonsteimel
Contributor

westonsteimel commented Jan 8, 2025

Well, it has less useful version and CPE information, but better package name information.

@westonsteimel
Contributor

westonsteimel commented Jan 8, 2025

Ideally we'd have some way of merging the two, I guess? Some sort of post-processing that understands that a Go pseudo-version with a v0.0.0 prefix is less useful than a known version from a binary classifier for the same path, and that the binary classifier CPE is likely better since we took it from the NVD data when we created the classifier. It would be nice to preserve all of the data somewhere, though, so it could be reviewed.

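As an added illustration of the two behaviours discussed above (the ownership-overlap dedup kzantow describes, and the merge westonsteimel suggests for pseudo-versioned main modules), here is example code that is not syft's own. The `Package` type, its field names, the `IsMain` flag and the `Reconcile` function are assumptions for this example; the sample findings are constructed from the linux/arm/v6 output quoted in the thread.

```go
package main

import (
	"fmt"
	"regexp"
)

// Package is a deliberately minimal stand-in for a catalogued package. The
// type, its field names and Reconcile below are assumptions made for this
// example; they are not syft's own types or code.
type Package struct {
	Name    string
	Version string
	Type    string // "go-module" or "binary"
	Path    string // file the package was found in
	IsMain  bool   // go-module only: this entry is the buildinfo main module
	CPEs    []string
	// Superseded keeps every record folded into this one, so the discarded
	// evidence can still be reviewed.
	Superseded []Package
}

// pseudoVersion recognises the v0.0.0-<yyyymmddhhmmss>-<12 hex> form Go emits
// for a module built from an untagged commit.
var pseudoVersion = regexp.MustCompile(`^v0\.0\.0-[0-9]{14}-[0-9a-f]{12}$`)

// Reconcile folds each binary-classifier finding into the go-module main
// module found in the same file. If that module carries a real tag, the binary
// record is just dropped (the ownership-overlap dedup). If it carries only a
// pseudo-version, the binary classifier's version and CPEs are adopted. The
// dropped record goes under Superseded either way; binaries with no go-module
// at their path pass through untouched. The input slice is not modified.
func Reconcile(pkgs []Package) []Package {
	pkgs = append([]Package(nil), pkgs...) // work on a copy
	mainByPath := map[string]int{}
	for i, p := range pkgs {
		if p.Type == "go-module" && p.IsMain {
			mainByPath[p.Path] = i
		}
	}
	absorbed := map[int]bool{}
	for j, p := range pkgs {
		if p.Type != "binary" {
			continue
		}
		i, ok := mainByPath[p.Path]
		if !ok {
			continue
		}
		mod := &pkgs[i]
		if pseudoVersion.MatchString(mod.Version) {
			mod.Version = p.Version
			mod.CPEs = append(append([]string(nil), mod.CPEs...), p.CPEs...)
		}
		mod.Superseded = append(append([]Package(nil), mod.Superseded...), p)
		absorbed[j] = true
	}
	out := make([]Package, 0, len(pkgs))
	for j, p := range pkgs {
		if !absorbed[j] {
			out = append(out, p)
		}
	}
	return out
}

// sampleFindings is constructed from the library/traefik:3.0 linux/arm/v6
// output quoted in the thread: one dependency, the main module, the binary match.
func sampleFindings() []Package {
	const path = "/usr/local/bin/traefik"
	return []Package{
		{Name: "github.com/traefik/paerser", Version: "v0.2.0", Type: "go-module", Path: path},
		{Name: "github.com/traefik/traefik/v3", Version: "v0.0.0-20240702134203-d42e75bb2eab",
			Type: "go-module", Path: path, IsMain: true,
			CPEs: []string{`cpe:2.3:a:traefik:traefik\/v3:v0.0.0-20240702134203-d42e75bb2eab:*:*:*:*:*:*:*`}},
		{Name: "traefik", Version: "3.0.4", Type: "binary", Path: path,
			CPEs: []string{"cpe:2.3:a:traefik:traefik:3.0.4:*:*:*:*:*:*:*"}},
	}
}

func main() {
	for _, p := range Reconcile(sampleFindings()) {
		fmt.Printf("%-32s %-12s %-10s superseded=%d cpes=%d\n",
			p.Name, p.Version, p.Type, len(p.Superseded), len(p.CPEs))
	}
}
```

For the pseudo-versioned image the main module comes out as `github.com/traefik/traefik/v3` at version `3.0.4` with both CPEs and the binary record kept under `Superseded`; for a tagged build such as `v2.8.0-rc1` the go-module version is left alone and only the binary record is dropped.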
@wagoodman
Contributor

We should probably stop searching within binaries with a simple semver-like pattern from within the golang cataloger -- this is the source of many FPs. In the meantime we could at least partition the set of classifiers (in the binary cataloger) out and put it into the golang cataloger, so that in cases where the buildinfo section is lacking we can still support version detection for a select set of projects.

No branches or pull requests

4 participants