Detect ELF security features (#2443)

* add detection of ELF security features Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * fix linting Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * update json schema with file executable data Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * update expected fixure when no tty present Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * more detailed differ Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * use json differ Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * fix tests Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * remove json schema addition Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * regenerate json schema Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * fix mimtype set ref Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> --------- Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
anchore · Feb 2, 2024 · 3023a5a · 3023a5a
1 parent 3da6790
commit 3023a5a
Show file tree

Hide file tree

Showing 39 changed files with 3,377 additions and 46 deletions.
diff --git a/.github/workflows/validations.yaml b/.github/workflows/validations.yaml
@@ -36,6 +36,12 @@ jobs:
       - name: Bootstrap environment
         uses: ./.github/actions/bootstrap
 
+      - name: Restore file executable test-fixture cache
+        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
+        with:
+          path: syft/file/cataloger/executable/test-fixtures/bin
+          key: ${{ runner.os }}-unit-file-executable-cache-${{ hashFiles( 'syft/file/cataloger/executable/test-fixtures/cache.fingerprint' ) }}
+
       - name: Restore Java test-fixture cache
         uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 #v4.0.0
         with:

diff --git a/Taskfile.yaml b/Taskfile.yaml
@@ -266,6 +266,7 @@ tasks:
     desc: Generate test fixture fingerprints
     generates:
       - cmd/syft/internal/test/integration/test-fixtures/cache.fingerprint
+      - syft/file/cataloger/executable/test-fixtures/cache.fingerprint
       - syft/pkg/cataloger/binary/test-fixtures/cache.fingerprint
       - syft/pkg/cataloger/java/test-fixtures/java-builds/cache.fingerprint
       - syft/pkg/cataloger/golang/test-fixtures/archs/binaries.fingerprint
@@ -274,17 +275,19 @@ tasks:
       - test/install/cache.fingerprint
       - test/cli/test-fixtures/cache.fingerprint
     cmds:
+      # for EXECUTABLE unit test fixtures
+      - "cd syft/file/cataloger/executable/test-fixtures && make cache.fingerprint"
       # for IMAGE integration test fixtures
       - "cd cmd/syft/internal/test/integration/test-fixtures && make cache.fingerprint"
-      # for BINARY test fixtures
+      # for BINARY unit test fixtures
       - "cd syft/pkg/cataloger/binary/test-fixtures && make cache.fingerprint"
-      # for JAVA BUILD test fixtures
+      # for JAVA BUILD unit test fixtures
       - "cd syft/pkg/cataloger/java/test-fixtures/java-builds && make cache.fingerprint"
-      # for GO BINARY test fixtures
+      # for GO BINARY unit test fixtures
       - "cd syft/pkg/cataloger/golang/test-fixtures/archs && make binaries.fingerprint"
-      # for RPM test fixtures
+      # for RPM unit test fixtures
       - "cd syft/pkg/cataloger/redhat/test-fixtures && make rpms.fingerprint"
-      # for Kernel test fixtures
+      # for Kernel unit test fixtures
       - "cd syft/pkg/cataloger/kernel/test-fixtures && make cache.fingerprint"
       # for INSTALL test fixtures
       - "cd test/install && make cache.fingerprint"
@@ -294,6 +297,7 @@ tasks:
   fixtures:
     desc: Generate test fixtures
     cmds:
+      - "cd syft/file/cataloger/executable/test-fixtures && make"
       - "cd syft/pkg/cataloger/java/test-fixtures/java-builds && make"
       - "cd syft/pkg/cataloger/redhat/test-fixtures && make"
       - "cd syft/pkg/cataloger/binary/test-fixtures && make"

diff --git a/cmd/syft/internal/options/catalog.go b/cmd/syft/internal/options/catalog.go
@@ -15,6 +15,7 @@ import (
 	"github.com/anchore/syft/syft/cataloging"
 	"github.com/anchore/syft/syft/cataloging/filecataloging"
 	"github.com/anchore/syft/syft/cataloging/pkgcataloging"
+	"github.com/anchore/syft/syft/file/cataloger/executable"
 	"github.com/anchore/syft/syft/file/cataloger/filecontent"
 	"github.com/anchore/syft/syft/pkg/cataloger/binary"
 	"github.com/anchore/syft/syft/pkg/cataloger/golang"
@@ -111,6 +112,10 @@ func (cfg Catalog) ToFilesConfig() filecataloging.Config {
 			Globs:              cfg.File.Content.Globs,
 			SkipFilesAboveSize: cfg.File.Content.SkipFilesAboveSize,
 		},
+		Executable: executable.Config{
+			MIMETypes: executable.DefaultConfig().MIMETypes,
+			Globs:     cfg.File.Executable.Globs,
+		},
 	}
 }
 

diff --git a/cmd/syft/internal/options/file.go b/cmd/syft/internal/options/file.go
@@ -11,8 +11,9 @@ import (
 )
 
 type fileConfig struct {
-	Metadata fileMetadata `yaml:"metadata" json:"metadata" mapstructure:"metadata"`
-	Content  fileContent  `yaml:"content" json:"content" mapstructure:"content"`
+	Metadata   fileMetadata   `yaml:"metadata" json:"metadata" mapstructure:"metadata"`
+	Content    fileContent    `yaml:"content" json:"content" mapstructure:"content"`
+	Executable fileExecutable `yaml:"executable" json:"executable" mapstructure:"executable"`
 }
 
 type fileMetadata struct {
@@ -25,6 +26,10 @@ type fileContent struct {
 	Globs              []string `yaml:"globs" json:"globs" mapstructure:"globs"`
 }
 
+type fileExecutable struct {
+	Globs []string `yaml:"globs" json:"globs" mapstructure:"globs"`
+}
+
 func defaultFileConfig() fileConfig {
 	return fileConfig{
 		Metadata: fileMetadata{
@@ -34,6 +39,9 @@ func defaultFileConfig() fileConfig {
 		Content: fileContent{
 			SkipFilesAboveSize: 250 * intFile.KB,
 		},
+		Executable: fileExecutable{
+			Globs: nil,
+		},
 	}
 }
 

diff --git a/internal/constants.go b/internal/constants.go
@@ -3,5 +3,5 @@ package internal
 const (
 	// JSONSchemaVersion is the current schema version output by the JSON encoder
 	// This is roughly following the "SchemaVer" guidelines for versioning the JSON schema. Please see schema/json/README.md for details on how to increment.
-	JSONSchemaVersion = "16.0.0"
+	JSONSchemaVersion = "16.0.1"
 )
diff --git a/internal/task/file_tasks.go b/internal/task/file_tasks.go
@@ -8,6 +8,7 @@ import (
 	"github.com/anchore/syft/internal/sbomsync"
 	"github.com/anchore/syft/syft/artifact"
 	"github.com/anchore/syft/syft/file"
+	"github.com/anchore/syft/syft/file/cataloger/executable"
 	"github.com/anchore/syft/syft/file/cataloger/filecontent"
 	"github.com/anchore/syft/syft/file/cataloger/filedigest"
 	"github.com/anchore/syft/syft/file/cataloger/filemetadata"
@@ -100,6 +101,31 @@ func NewFileContentCatalogerTask(cfg filecontent.Config) Task {
 	return NewTask("file-content-cataloger", fn)
 }
 
+func NewExecutableCatalogerTask(selection file.Selection, cfg executable.Config) Task {
+	if selection == file.NoFilesSelection {
+		return nil
+	}
+
+	cat := executable.NewCataloger(cfg)
+
+	fn := func(ctx context.Context, resolver file.Resolver, builder sbomsync.Builder) error {
+		accessor := builder.(sbomsync.Accessor)
+
+		result, err := cat.Catalog(resolver)
+		if err != nil {
+			return err
+		}
+
+		accessor.WriteToSBOM(func(sbom *sbom.SBOM) {
+			sbom.Artifacts.Executables = result
+		})
+
+		return nil
+	}
+
+	return NewTask("file-executable-cataloger", fn)
+}
+
 // TODO: this should be replaced with a fix that allows passing a coordinate or location iterator to the cataloger
 // Today internal to both cataloger this functions differently: a slice of coordinates vs a channel of locations
 func coordinatesForSelection(selection file.Selection, accessor sbomsync.Accessor) ([]file.Coordinates, bool) {