feat: Adding locations in CycloneDX reports #3989
I think we're heading the right direction here, but three requests:
- if we now have a minimum lib4sbom version you should indicate that in requirements.txt (if we don't do that, pip won't upgrade people who have older versions already installed)
- As well as the mocked data, I'd like at least one test that has an actual location (as in, not `location/to/product` or `NotFound`)
- I'd like some validation and tests so that if someone puts a location like `<img url="https://evil.com">` we can be sure it won't get propagated weirdly or result in info leakage.
(edit: I can't count)
I have added a test for the find_product_location function. I created a test environment by modifying sys.path to mimic potential filesystem paths, verifying that the find_product_location function correctly identifies the module's location.
Do let me know if any new additions or improvements are required, especially regarding these tests.
edit: The test for find_product_location seems to fail on the GitHub test config, probably due to an environment mismatch.
Not sure off the top of my head what the correct solution is for the test, but I'm flagging this as needing changes due to merge conflict anyhow.
I'm probably not going to have time to help figure out what to do with this one this week because I'm focusing on doing the 3.3 release stuff, but feel free to ping other devs for ideas on gitter or wherever.
Quick heads up: you've got a merge conflict so the tests can't re-run right now.
yeah working on it 👍
Do let me know about any further improvements.
Okay sounds like this is as good as we're going to get for tests for now. Thank you so much for iterating on this; let's get it merged!
I've downloaded the latest whl file (3.3 version), but still I'm not getting the filepath in the SBOM. I'm also using lib4sbom 0.7.0 (latest version). Why? @Mayankrai449 @terriko
@Vishnu-2810 This feature enriches the SBOM reports, specifically in CycloneDX formats, with locations of scanned products if they are available on your system.
Hi Mayank,
Thanks for your reply! I'm running cve-bin-tool in a Python virtual environment, generating CycloneDX format with the latest lib4sbom 0.7.0 as you have mentioned. The only difference is the Python virtual environment. Is this evidence not available due to this virtual environment? @terriko @Mayankrai449
On Mon, 22 Apr 2024 at 9:18 PM, Mayank Rai wrote:
@Vishnu-2810 <https://github.com/Vishnu-2810> This feature enriches the SBOM reports, specifically in CycloneDX formats, with locations of scanned products if they are available on your system.
- Make sure you're using it for CycloneDX reports and whether you see the evidence key being used in your SBOM report.
- It searches for the location of a product by iterating through directories specified in sys.path and known installation directories:
  (screenshot: Screenshot.2024-04-22.210705.png, https://github.com/intel/cve-bin-tool/assets/110732414/51926466-de72-4ceb-bc59-4888bab30650)
- Make sure the latest version of lib4sbom is used, particularly in your environment, and that your local codebase is updated.
- The execution command for generating CycloneDX reports is "cve-bin-tool --sbom-type cyclonedx --sbom-format json --sbom-output output.sbom.json input_file"
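The sys.path walk described in the quoted reply above, combined with the location validation terriko asked for earlier in the thread, as an added example (not cve-bin-tool's own code). The names find_product_location and validate_location, the search order and the allow-list policy are assumptions for illustration.

```python
import os
import re
import sys
import tempfile

NOT_FOUND = "NotFound"

# Allow-list for a location that will be embedded in a CycloneDX evidence
# field: word characters, spaces, dots, slashes, colons and dashes only.
# Markup such as <img url="..."> never matches. (Assumed policy.)
_SAFE_LOCATION = re.compile(r"^[\w ./\\:-]+$")


def validate_location(location: str) -> str:
    """Return location unchanged if it is a plain path string, else NotFound,
    so an untrusted string is never copied into the SBOM."""
    if len(location) > 4096 or not _SAFE_LOCATION.fullmatch(location):
        return NOT_FOUND
    return location


def find_product_location(product: str, search_paths=None) -> str:
    """Walk sys.path (or the given roots) looking for a module, package or
    dist-info directory named after product; the first hit wins."""
    roots = sys.path if search_paths is None else search_paths
    for root in roots:
        if not root or not os.path.isdir(root):
            continue
        for name in (product, product + ".py"):
            path = os.path.join(root, name)
            if os.path.exists(path):
                return validate_location(os.path.abspath(path))
        for entry in os.listdir(root):
            low = entry.lower()
            if low.startswith(product.lower() + "-") and low.endswith(".dist-info"):
                return validate_location(os.path.abspath(os.path.join(root, entry)))
    return NOT_FOUND


def demo() -> tuple:
    """Constructed layout: a temp dir standing in for one sys.path entry."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "zlib"))
        expected = os.path.abspath(os.path.join(root, "zlib"))
        found = find_product_location("zlib", ["/nonexistent", root])
        missing = find_product_location("openssl", [root])
        return (found == expected, missing)
```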
@Vishnu-2810 Check whether the libraries and modules are accessible within the virtual environment with the required versions. Sometimes the default installation location can be different from the expected locations within the environment. Other than that, I don't see the problem listed. The problem could also arise due to the type of file being scanned, whether it has the necessary components or not. Can you share a screenshot of your report and execution for further clarification?
I've created a virtual environment and installed cve-bin-tool version 3.3.1 inside the virtual environment, so all the libraries are accessible from this location. I'm scanning an .so file which is outside the virtual environment. I'm providing the command "cve-bin-tool /home/vishnu/mozjpeg_4_1_4/lib/libjpeg.so.62 --sbom-type cyclonedx --sbom-format json --sbom-output out.json" to generate the SBOM and got the below-mentioned JSON in the SBOM. @Mayankrai449 Please help me to resolve this issue
@Vishnu-2810 Don't know if this feature covers the scanning of your filetype currently. Can you share a screenshot of your generate_sbom function in `cve_bin_tool/output_engine/__init__.py`?
I've attached the snippet of the generate_sbom function of the `__init__.py` file. Can you please check this @Mayankrai449
def generate_sbom(
@Vishnu-2810 It appears that the generate_sbom function in your local codebase has not been updated to include the recent addition of incorporating locations from this feature. It likely lacks the other recent modifications as well.
The update is scalable to add locations in more reports.
I have also updated the tests to include locations.
@terriko The locations are extracted using
and populated in the ProductInfo class. Do update me if any necessary modifications are required.