fix: Location in SBOM field shows local filepath instead of location in binary #4396
Comments
|
Thanks. I think this is a issue. The location of the file is based on known locations of key binaries. These known locations are for a Linux based system only. . This is why /usr/bin/openssl is reported; the location has been assumed to be the location on the scanning machine. If the binary is a Windows executable (which I assume it is), the reported location should probably be a Windows path (or not reported if scanning a Windows binary on a Linux machine) I can't get the sample msi file to scan on my Linux system (it fails to extract) so I can't see the generated SBOM. |
|
Yeah, I'm not sure why it's doing it that way now that I'm looking at this again. I would have expected it to report the filename where the issue was found, and if that file is an archive ideally we'd report the path within that archive. Probably my bad for approving it. I guess the good news is that probably we can just replace |
|
The evidence should be the file which has been scanned. So we should report the archive/executable which has been scanned which contains the component which is being reported. |
Do not use find_product_location to set the location field in version_scanner.py as otherwise cve-bin-tool will try to find the location of the product on the host system (which is obviously wrong). Instead, set the location to be the file_path relative to the rootdir that was given to cve-bin-tool Fix intel#4396 and intel#4676 Signed-off-by: Fabrice Fontaine <[email protected]>
Do not use find_product_location to set the location field in version_scanner.py as otherwise cve-bin-tool will try to find the location of the product on the host system (which is obviously wrong). Instead, set the location to be the file_path relative to the rootdir that was given to cve-bin-tool Fix intel#4396 and intel#4676 Signed-off-by: Fabrice Fontaine <[email protected]>
Do not use find_product_location to set the location field in version_scanner.py as otherwise cve-bin-tool will try to find the location of the product on the host system (which is obviously wrong). Instead, set the location to be the file_path relative to the rootdir that was given to cve-bin-tool Fix intel#4396 Signed-off-by: Fabrice Fontaine <[email protected]>
Do not use find_product_location to set the location field in version_scanner.py as otherwise cve-bin-tool will try to find the location of the product on the host system (which is obviously wrong). Instead, set the location to be the file_path relative to the rootdir that was given to cve-bin-tool Fix intel#4396 Signed-off-by: Fabrice Fontaine <[email protected]>
Do not use find_product_location to set the location field in version_scanner.py as otherwise cve-bin-tool will try to find the location of the product on the host system (which is obviously wrong). Instead, set the location to be the file_path Fix intel#4396 Signed-off-by: Fabrice Fontaine <[email protected]>
Do not use find_product_location to set the location field in version_scanner.py as otherwise cve-bin-tool will try to find the location of the product on the host system (which is obviously wrong). Instead, set the location to be the file_path Fix #4396 Signed-off-by: Fabrice Fontaine <[email protected]>
|
Re-opening because #4769 fixes this in version_scanner, but does not fix it in sbom_manager. We still need to remove the find_product_location function from util.py (yes, remove it entirely, it's a bad function) and fix sbom_manager/parse.py before this will be completely fixed. |
|
Okay, I think we've fixed this now. There may be room for more fine tuning like telling people what line of an sbom has the relevant component, but at least we're no longer reporting an incorrect location. |
Description
It seems that sometimes when cve-bin-tool detects the location/filepath of a dependency, it provides the path where that dependency is locally installed in the environment rather than where the dependency exists on the binary it is scanning. To my understanding, the location field is meant to help users understand where to go to patch, but the existing logic does not necessarily provide that. I see that this issue #3815 added this enhancement, so I am also wondering if this was the intended use.
To reproduce
Steps to reproduce the behaviour:
--sbom-output sbom_out.json --sbom-type cyclonedx --sbom-format jsonhttps://s3.amazonaws.com/ddagent-windows-stable/ddagent-cli-7.55.2.msisbom_out.jsonExpected behaviour: the location of
opensslon the binaryActual behaviour: the SBOM shows that the location of
opensslis /usr/bin/openssl whereas this is not a valid path on the binary, but rather is the path whereopensslis locally installedVersion/platform info
Version of CVE-bin-tool( e.g. output of
cve-bin-tool --version): v3.3.1dev0Installed from GitHub
Operating system: Linux
Python version (e.g.
python3 --version): 3.18.17Anything else?
Feel free to add any other context here.
The text was updated successfully, but these errors were encountered: