add detection of ELF security features

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
anchore · Jan 12, 2024 · 8bce64f · 8bce64f
1 parent b0ab75f
commit 8bce64f
Show file tree

Hide file tree

Showing 33 changed files with 1,041 additions and 33 deletions.
diff --git a/.github/workflows/validations.yaml b/.github/workflows/validations.yaml
@@ -36,6 +36,12 @@ jobs:
       - name: Bootstrap environment
         uses: ./.github/actions/bootstrap
 
+      - name: Restore file executable test-fixture cache
+        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
+        with:
+          path: syft/file/cataloger/executable/test-fixtures/bin
+          key: ${{ runner.os }}-unit-file-executable-cache-${{ hashFiles( 'syft/file/cataloger/executable/test-fixtures/cache.fingerprint' ) }}
+
       - name: Restore Java test-fixture cache
         uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c #v3.3.3
         with:

diff --git a/Taskfile.yaml b/Taskfile.yaml
@@ -265,6 +265,7 @@ tasks:
   fingerprints:
     desc: Generate test fixture fingerprints
     generates:
+      - syft/file/cataloger/executable/test-fixtures/cache.fingerprint
       - test/integration/test-fixtures/cache.fingerprint
       - syft/pkg/cataloger/binary/test-fixtures/cache.fingerprint
       - syft/pkg/cataloger/java/test-fixtures/java-builds/cache.fingerprint
@@ -274,17 +275,19 @@ tasks:
       - test/install/cache.fingerprint
       - test/cli/test-fixtures/cache.fingerprint
     cmds:
+      # for EXECUTABLE unit test fixtures
+      - "cd syft/file/cataloger/executable/test-fixtures && make cache.fingerprint"
       # for IMAGE integration test fixtures
       - "cd test/integration/test-fixtures && make cache.fingerprint"
-      # for BINARY test fixtures
+      # for BINARY unit test fixtures
       - "cd syft/pkg/cataloger/binary/test-fixtures && make cache.fingerprint"
-      # for JAVA BUILD test fixtures
+      # for JAVA BUILD unit test fixtures
       - "cd syft/pkg/cataloger/java/test-fixtures/java-builds && make cache.fingerprint"
-      # for GO BINARY test fixtures
+      # for GO BINARY unit test fixtures
       - "cd syft/pkg/cataloger/golang/test-fixtures/archs && make binaries.fingerprint"
-      # for RPM test fixtures
+      # for RPM unit test fixtures
       - "cd syft/pkg/cataloger/redhat/test-fixtures && make rpms.fingerprint"
-      # for Kernel test fixtures
+      # for Kernel unit test fixtures
       - "cd syft/pkg/cataloger/kernel/test-fixtures && make cache.fingerprint"
       # for INSTALL integration test fixtures
       - "cd test/install && make cache.fingerprint"
@@ -294,6 +297,7 @@ tasks:
   fixtures:
     desc: Generate test fixtures
     cmds:
+      - "cd syft/file/cataloger/executable/test-fixtures && make"
       - "cd syft/pkg/cataloger/java/test-fixtures/java-builds && make"
       - "cd syft/pkg/cataloger/redhat/test-fixtures && make"
       - "cd syft/pkg/cataloger/binary/test-fixtures && make"

diff --git a/cmd/syft/cli/options/catalog.go b/cmd/syft/cli/options/catalog.go
@@ -2,6 +2,7 @@ package options
 
 import (
 	"fmt"
+	"github.com/anchore/syft/syft/file/cataloger/executable"
 	"sort"
 	"strings"
 
@@ -112,6 +113,10 @@ func (cfg Catalog) ToFilesConfig() filecataloging.Config {
 			Globs:              cfg.File.Content.Globs,
 			SkipFilesAboveSize: cfg.File.Content.SkipFilesAboveSize,
 		},
+		Executable: executable.Config{
+			MIMETypes: executable.DefaultConfig().MIMETypes,
+			Globs:     cfg.File.Executable.Globs,
+		},
 	}
 }
 

diff --git a/cmd/syft/cli/options/file.go b/cmd/syft/cli/options/file.go
@@ -8,8 +8,9 @@ import (
 )
 
 type fileConfig struct {
-	Metadata fileMetadata `yaml:"metadata" json:"metadata" mapstructure:"metadata"`
-	Content  fileContent  `yaml:"content" json:"content" mapstructure:"content"`
+	Metadata   fileMetadata   `yaml:"metadata" json:"metadata" mapstructure:"metadata"`
+	Content    fileContent    `yaml:"content" json:"content" mapstructure:"content"`
+	Executable fileExecutable `yaml:"executable" json:"executable" mapstructure:"executable"`
 }
 
 type fileMetadata struct {
@@ -22,6 +23,10 @@ type fileContent struct {
 	Globs              []string `yaml:"globs" json:"globs" mapstructure:"globs"`
 }
 
+type fileExecutable struct {
+	Globs []string `yaml:"globs" json:"globs" mapstructure:"globs"`
+}
+
 func defaultFileConfig() fileConfig {
 	return fileConfig{
 		Metadata: fileMetadata{
@@ -31,6 +36,9 @@ func defaultFileConfig() fileConfig {
 		Content: fileContent{
 			SkipFilesAboveSize: 250 * intFile.KB,
 		},
+		Executable: fileExecutable{
+			Globs: nil,
+		},
 	}
 }
 

diff --git a/internal/task/file_tasks.go b/internal/task/file_tasks.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"crypto"
 	"fmt"
+	"github.com/anchore/syft/syft/file/cataloger/executable"
 
 	"github.com/anchore/syft/internal/sbomsync"
 	"github.com/anchore/syft/syft/artifact"
@@ -100,6 +101,27 @@ func NewFileContentCatalogerTask(cfg filecontent.Config) Task {
 	return NewTask("file-content-cataloger", fn)
 }
 
+func NewExecutableCatalogerTask(cfg executable.Config) Task {
+	cat := executable.NewCataloger(cfg)
+
+	fn := func(ctx context.Context, resolver file.Resolver, builder sbomsync.Builder) error {
+		accessor := builder.(sbomsync.Accessor)
+
+		result, err := cat.Catalog(resolver)
+		if err != nil {
+			return err
+		}
+
+		accessor.WriteToSBOM(func(sbom *sbom.SBOM) {
+			sbom.Artifacts.Executables = result
+		})
+
+		return nil
+	}
+
+	return NewTask("file-executable-cataloger", fn)
+}
+
 // TODO: this should be replaced with a fix that allows passing a coordinate or location iterator to the cataloger
 // Today internal to both cataloger this functions differently: a slice of coordinates vs a channel of locations
 func coordinatesForSelection(selection file.Selection, accessor sbomsync.Accessor) ([]file.Coordinates, bool) {

diff --git a/syft/cataloging/filecataloging/config.go b/syft/cataloging/filecataloging/config.go
@@ -4,6 +4,7 @@ import (
 	"crypto"
 	"encoding/json"
 	"fmt"
+	"github.com/anchore/syft/syft/file/cataloger/executable"
 	"strings"
 
 	intFile "github.com/anchore/syft/internal/file"
@@ -13,9 +14,10 @@ import (
 )
 
 type Config struct {
-	Selection file.Selection     `yaml:"selection" json:"selection" mapstructure:"selection"`
-	Hashers   []crypto.Hash      `yaml:"hashers" json:"hashers" mapstructure:"hashers"`
-	Content   filecontent.Config `yaml:"content" json:"content" mapstructure:"content"`
+	Selection  file.Selection     `yaml:"selection" json:"selection" mapstructure:"selection"`
+	Hashers    []crypto.Hash      `yaml:"hashers" json:"hashers" mapstructure:"hashers"`
+	Content    filecontent.Config `yaml:"content" json:"content" mapstructure:"content"`
+	Executable executable.Config  `yaml:"executable" json:"executable" mapstructure:"executable"`
 }
 
 type configMarshaledForm struct {
@@ -30,9 +32,10 @@ func DefaultConfig() Config {
 		log.WithFields("error", err).Warn("unable to create file hashers")
 	}
 	return Config{
-		Selection: file.FilesOwnedByPackageSelection,
-		Hashers:   hashers,
-		Content:   filecontent.DefaultConfig(),
+		Selection:  file.FilesOwnedByPackageSelection,
+		Hashers:    hashers,
+		Content:    filecontent.DefaultConfig(),
+		Executable: executable.DefaultConfig(),
 	}
 }
 

diff --git a/syft/create_sbom_config.go b/syft/create_sbom_config.go
@@ -185,6 +185,9 @@ func (c *CreateSBOMConfig) fileTasks() []task.Task {
 	if t := task.NewFileContentCatalogerTask(c.Files.Content); t != nil {
 		tsks = append(tsks, t)
 	}
+	if t := task.NewExecutableCatalogerTask(c.Files.Executable); t != nil {
+		tsks = append(tsks, t)
+	}
 
 	return tsks
 }