TimesysGit / vigiles-buildroot

Vulnerability management tool that provides Buildroot SBOM generation and CVE Analysis of target images.
https://www.timesys.com/vigiles/

Using whitelist fails when buildroot contains virtual packages #5

Open jkeller-astro opened 1 year ago

jkeller-astro commented 1 year ago

I tried using the package exclude function in vigiles but get the following error:

Traceback (most recent call last):
  File "/home/jkeller/platform/vigiles-buildroot/scripts/vigiles-buildroot.py", line 197, in <module>
    __main__()
  File "/home/jkeller/platform/vigiles-buildroot/scripts/vigiles-buildroot.py", line 191, in __main__
    write_manifest(vgls)
  File "/home/jkeller/platform/vigiles-buildroot/scripts/manifest.py", line 120, in write_manifest
    amend_manifest(vgls, final)
  File "/home/jkeller/platform/vigiles-buildroot/scripts/amendments.py", line 178, in amend_manifest
    _filter_excluded_packages(manifest['packages'], excld_pkgs)
  File "/home/jkeller/platform/vigiles-buildroot/scripts/amendments.py", line 112, in _filter_excluded_packages
    pkg_matches = list(set([
  File "/home/jkeller/platform/vigiles-buildroot/scripts/amendments.py", line 115, in <listcomp>
    if v['name'] in excld_pkgs
KeyError: 'name'

When inspecting the manifest generated by the tool, it looks like there is at least one member that doesn't have the 'name' key. For me, the udev virtual package doesn't have a name key, tripping up amendments.py

While the patch below keeps things moving, I couldn't find out why udev doesn't have a 'name' key.

I can repro this bug using pc_x86_64_efi_defconfig from buildroot 2022.05 and a package exclude file containing just zlib.

diff --git a/scripts/amendments.py b/scripts/amendments.py
index e6fb561..9a6b29d 100644
--- a/scripts/amendments.py
+++ b/scripts/amendments.py
@@ -111,7 +111,7 @@ def _filter_excluded_packages(vgls_pkgs, excld_pkgs):
     pkg_matches = list(set([
         k
         for k, v in vgls_pkgs.items()
-        if v['name'] in excld_pkgs
+        if 'name' in v and v['name'] in excld_pkgs
     ]))

     info("Vigiles: Excluding Packages: %s" % sorted(pkg_matches))
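Review bot: The added `'name' in v` guard on the `if` line silently drops any manifest entry without a `name` from the exclusion match, so an entry the user meant to exclude (the `udev` virtual package in this report) stays in the manifest with no indication it was skipped; consider logging the keys that lack `name` alongside the existing `info("Vigiles: Excluding Packages: %s" % ...)` call, and treating the missing key as a manifest-generation defect to fix where the entry is built rather than only masking the `KeyError` here. Minor: `list(set([...]))` can be a set comprehension `{k for k, v in vgls_pkgs.items() ...}` before it is sorted.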
iancampbell commented 1 year ago

Thanks for reporting this. Our team was able to reproduce this issue based on the information that you provided.

We are now working on a fix to improve the handling of virtual packages as our main interest is in capturing the provider of the virtual package (which should also be in the SBOM already), as the provider is the package that would be subject to vulnerabilities in this case. In its default configuration udev is provided by either eudev or systemd.
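An added example (not vigiles-buildroot's own code) of the direction described above: the exclusion filter resolves a manifest entry that has no 'name' key to its provider instead of raising KeyError or silently skipping it. The manifest shape (a dict keyed by package id, values carrying 'name') is inferred from the traceback; the 'provider' and 'virtual' fields and all package data are constructed assumptions for the example.

```python
import logging
from typing import Dict, Iterable, List

log = logging.getLogger("vigiles-example")

# Constructed sample in the shape the traceback implies: manifest['packages']
# is a dict keyed by package id, each value normally carrying a 'name'.
# The 'udev' entry deliberately lacks 'name' (the condition that raised the
# KeyError in the report) and carries a hypothetical 'provider' field standing
# in for the provider the maintainers want to capture (eudev or systemd).
SAMPLE_PACKAGES = {
    "zlib": {"name": "zlib", "version": "1.2.12"},
    "eudev": {"name": "eudev", "version": "3.2.10"},
    "udev": {"virtual": True, "provider": "eudev"},  # no 'name' key
    "busybox": {"name": "busybox", "version": "1.35.0"},
}


def resolve_name(pkg_id: str, pkg: dict) -> str:
    """Return the name an exclusion entry is matched against.

    A virtual package (no 'name') resolves to its provider when one is
    recorded, since the provider is what actually carries the CVEs; otherwise
    the manifest key is used and a warning logged, so a missing field is
    visible rather than a crash or a silently skipped exclusion."""
    if "name" in pkg:
        return pkg["name"]
    provider = pkg.get("provider")
    if provider:
        log.warning("%s: no 'name' key, matching on provider %s", pkg_id, provider)
        return provider
    log.warning("%s: no 'name' key and no provider, matching on manifest key", pkg_id)
    return pkg_id


def filter_excluded_packages(pkgs: Dict[str, dict], excld_pkgs: Iterable[str]) -> List[str]:
    """Return the sorted manifest keys whose resolved name is in excld_pkgs."""
    excluded = set(excld_pkgs)
    return sorted(k for k, v in pkgs.items() if resolve_name(k, v) in excluded)


def apply_exclusions(pkgs: Dict[str, dict], excld_pkgs: Iterable[str]) -> Dict[str, dict]:
    """Return a copy of pkgs with the excluded entries removed."""
    drop = set(filter_excluded_packages(pkgs, excld_pkgs))
    return {k: v for k, v in pkgs.items() if k not in drop}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(filter_excluded_packages(SAMPLE_PACKAGES, ["zlib"]))   # ['zlib']
    print(filter_excluded_packages(SAMPLE_PACKAGES, ["eudev"]))  # ['eudev', 'udev']
```

Excluding the provider also drops the virtual entry that resolves to it, so the manifest never keeps a virtual package whose real code has been excluded.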