binary detection: openbsd OpenSSH and portable OpenSSH #3216

Open
krysgor opened this issue Sep 10, 2024 · 3 comments
Labels
binary-analysis enhancement New feature or request

Comments

@krysgor
Contributor

krysgor commented Sep 10, 2024

Hi,

(Not sure if I'm right here, because it's a contributor question and I'm not so familiar with Go)

I would like to implement OpenBSD OpenSSH and portable OpenSSH binary detection with the correct CPEs in one classifier.

So OpenBSD has two OpenSSH products with different CPEs:

  • normal cpe:2.3:a:openbsd:openssh:9.6:-:*:*:*:*:*:*
  • portable cpe:2.3:a:openbsd:openssh:9.6:p1:*:*:*:*:*:*

I already have the regex to match the version, `\x00OpenSSH_(?P<version>[0-9]+\.[0-9]+)(p[0-9])?\x00` (it also matches the optional portable p1 information).

The question is: how can I build these two different CPEs in one classifier?
Is it possible to implement this with one classifier? If not, I will simply make two classifiers: openssh-binary and openssh-portable-binary.

Thanks

@krysgor krysgor added the enhancement New feature or request label Sep 10, 2024
krysgor pushed a commit to krysgor/syft that referenced this issue Sep 10, 2024
@spiffcs
Contributor

spiffcs commented Sep 11, 2024

👋 Thanks for the issue @krysgor and the question about classifiers!

I'll point you to a recent PR that just landed that has a few examples in it:
#3078

Note the classifiers being added here:
https://github.com/anchore/syft/pull/3078/files#diff-962c0bf8d15912f4f2b27bb43392f4ec0ab0d535cd5848ec6da96e8c251f9017R450-R479

On the Classifier struct there is a field called CPEs. While this PR uses a convenience function, singleCPE, that field is flexible enough to contain multiple CPEs, as long as the Class/Package match is the same.

If you wanted two classifiers that resulted in two different packages, you would just use a single CPE in each and do something like:

```go
{
	Class:   "openbsd-OpenSSH-binary",
	Package: "openSSH/openbsd",
	CPEs:    singleCPE("cpe:2.3:a:openbsd:openssh:9.6:-:*:*:*:*:*:*"),
},
{
	Class:   "portable-OpenSSH",
	Package: "openSSH/portable",
	CPEs:    singleCPE("cpe:2.3:a:openbsd:openssh:9.6:p1:*:*:*:*:*:*"),
},
```

The other path is to just do this as one classifier with one package where you add multiple CPE at the bottom of that struct.

Happy to talk more about this or review some code if you've already written something 👍

krysgor pushed a commit to krysgor/syft that referenced this issue Sep 19, 2024
krysgor pushed a commit to krysgor/syft that referenced this issue Sep 19, 2024
@krysgor
Contributor Author

krysgor commented Sep 19, 2024

Hi @spiffcs ,
I have already made a commit for it, here: 778437f, so you can review it.

It ends up being just the detection of the main version (without the portable binary). The reason for ignoring the portable version is that the portable executables have both version identifiers. For example, the output of the `make add-snippet` command:

```
Multiple string matches found in the binary:

1)  69432 OpenSSH_9.7p1
2)  78969 OpenSSH_9.7

Please select a match:
```

So after implementing the two-classifier solution, syft matched both classifiers for the portable binary:

```
openssh                                                     9.7           binary
openssh                                                     9.7p1         binary
```

The non-portable binary always looks good:

```
openssh                                                     9.7           binary
```

I'm not sure what to do in this situation. But creating an SBOM that contains two entries for openssh is (probably) wrong. So I decided to just match the main version of the binary.

krysgor pushed a commit to krysgor/syft that referenced this issue Sep 24, 2024
Issue/question: anchore#3216

* Conflicts:
*	syft/pkg/cataloger/binary/classifiers.go
*	syft/pkg/cataloger/binary/test-fixtures/config.yaml
@wagoodman
Contributor

> But creating an sbom that contains two entries for openssh is (probably) wrong

agreed -- mind posting the code for the two regexes that were used in the dual-classifier approach? There might be more options. I think you really need one classifier with multiple evidence matchers, see an example here:

```go
EvidenceMatcher: evidenceMatchers(
	// try to find version information from libpython shared libraries
	sharedLibraryLookup(
		`^libpython[0-9]+(?:\.[0-9]+)+[a-z]?\.so.*$`,
		libpythonMatcher),
	// check for version information in the binary
	fileNameTemplateVersionMatcher(
		`(?:.*/|^)python(?P<version>[0-9]+(?:\.[0-9]+)+)$`,
		pythonVersionTemplate),
),
```

This way we would never be finding duplicate packages since there would be one classifier.
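The duplicate-entry problem krysgor describes (a portable build carries both `OpenSSH_9.7p1` and `OpenSSH_9.7`, so two independent classifiers each fire) and wagoodman's suggestion of a single classifier that folds all evidence into one package can be shown in a small stand-alone Go program. This is an added example written for this thread, not syft's code and not its classifier API: `FindMatches`, `Classify`, `Match` and `Package` are hypothetical names, the regex is the one from the issue with the `p[0-9]` group given a name, and the NUL-delimited byte strings are constructed to stand in for the strings found in a real sshd binary.

```go
package main

import (
	"fmt"
	"regexp"
)

// Hypothetical mini-classifier modelled on the discussion above; not syft's own API.

// versionRe is the regex from the issue (group "portable" added here): a
// NUL-terminated "OpenSSH_<ver>" string with an optional portable-release suffix.
var versionRe = regexp.MustCompile(`\x00OpenSSH_(?P<version>[0-9]+\.[0-9]+)(?P<portable>p[0-9])?\x00`)

// Match is one piece of version evidence found in the binary.
type Match struct {
	Offset   int
	Version  string
	Portable string // "" for the OpenBSD build, "p1" etc. for portable OpenSSH
}

// FindMatches returns every version string in the binary, in file order.
// A portable binary yields two matches; a native OpenBSD binary yields one.
func FindMatches(data []byte) []Match {
	var out []Match
	vi := versionRe.SubexpIndex("version")
	pi := versionRe.SubexpIndex("portable")
	for _, loc := range versionRe.FindAllSubmatchIndex(data, -1) {
		m := Match{Offset: loc[0], Version: string(data[loc[2*vi]:loc[2*vi+1]])}
		if loc[2*pi] >= 0 { // optional group matched
			m.Portable = string(data[loc[2*pi]:loc[2*pi+1]])
		}
		out = append(out, m)
	}
	return out
}

// Package is the single SBOM entry the classifier emits.
type Package struct {
	Name    string
	Version string
	CPE     string
}

// Classify folds all evidence into exactly one package: the most specific
// match (the one carrying a portable suffix) wins, and the CPE update field
// is "-" for the OpenBSD build or the suffix ("p1") for portable OpenSSH.
func Classify(data []byte) (Package, bool) {
	matches := FindMatches(data)
	if len(matches) == 0 {
		return Package{}, false
	}
	best := matches[0]
	for _, m := range matches[1:] {
		if m.Portable != "" && best.Portable == "" {
			best = m
		}
	}
	update, version := "-", best.Version
	if best.Portable != "" {
		update, version = best.Portable, best.Version+best.Portable
	}
	return Package{
		Name:    "openssh",
		Version: version,
		CPE:     fmt.Sprintf("cpe:2.3:a:openbsd:openssh:%s:%s:*:*:*:*:*:*", best.Version, update),
	}, true
}

func main() {
	// Constructed samples: the NUL-delimited strings a portable and a native
	// sshd would contain (real binaries have far more between them).
	portable := []byte("\x00junk\x00OpenSSH_9.7p1\x00more\x00OpenSSH_9.7\x00")
	native := []byte("\x00OpenSSH_9.7\x00")
	for _, b := range [][]byte{portable, native} {
		if p, ok := Classify(b); ok {
			fmt.Printf("%-8s %-6s %s\n", p.Name, p.Version, p.CPE)
		}
	}
}
```

Because there is one classifier, the portable sample produces a single `openssh 9.7p1` entry with the `p1` CPE even though the raw scan returned two matches, and the native sample keeps the `-` update field; the order in which the two strings appear in the file does not change the result.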
