fluidattacks / makes

A software supply chain framework powered by Nix.
https://makes.fluidattacks.tech/
MIT License

Dependency error: auto-patchelf failed to find all the required dependencies #1324

Closed erik-lab closed 4 months ago

erik-lab commented 4 months ago

Attempting to run against my python/flask repo - after lots of log output with no errors, I get to the following. I am a complete newbie at this so not sure where to turn:

...
error: auto-patchelf could not satisfy dependency libtbb.so.12 wanted by /nix/store/iih2zsnv5iy24ziqbnkh8d7pjwx9zgkk-python3.11-numba-0.59.1/lib/python3.11/site-packages/numba/np/ufunc/tbbpool.cpython-311-x86_64-linux-gnu.so
auto-patchelf failed to find all the required dependencies.
Add the missing dependencies to --libs or use --ignore-missing="foo.so.1 bar.so etc.so".
/nix/store/v5irq7wvkr7kih0hhnch5nnv2dcq8c4f-stdenv-linux/setup: line 74: pop_var_context: head of shell_variables not a function context
/nix/store/v5irq7wvkr7kih0hhnch5nnv2dcq8c4f-stdenv-linux/setup: line 1454: pop_var_context: head of shell_variables not a function context
/nix/store/v5irq7wvkr7kih0hhnch5nnv2dcq8c4f-stdenv-linux/setup: line 1557: pop_var_context: head of shell_variables not a function context
error: builder for '/nix/store/m93245gk21712an8ljxb9lyla6msx5d2-python3.11-numba-0.59.1.drv' failed with exit code 1
error: 1 dependencies of derivation '/nix/store/cj20w56pqqvlimx6n67sbd5biss7siwv-python3-3.11.7-env.drv' failed to build
error: 1 dependencies of derivation '/nix/store/xh7fd7d13fiq4k5bcsdv5js3azjyd39f-make-template-for-make-search-paths.drv' failed to build
error: 1 dependencies of derivation '/nix/store/p9qkhi75fq8jywvx0w8hrjpdldp2kg7l-make-template-for-make-search-paths.drv' failed to build
error: 1 dependencies of derivation '/nix/store/2jb36d2hm6hnhy7ndrvd4581j227svmv-make-template-for-sorts-config-runtime.drv' failed to build
error: 1 dependencies of derivation '/nix/store/7j27dar00l20067gf53rz2rf7hkansfn-make-template-for-make-search-paths.drv' failed to build
error: 1 dependencies of derivation '/nix/store/2wa2wddig9gmvvbpnxicy7c712crwj2d-make-template-for-make-script-for-sorts.drv' failed to build
error: 1 dependencies of derivation '/nix/store/gfs7vim0hbak41ppsb85h633657hf0ch-sorts.drv' failed to build

───────────────────────── 🐛 Failed with exit code 100 ─────────────────────────

dsalaza4 commented 4 months ago

Hi @erik-lab,

This error means you must provide libtbb.so.12 as a buildInput for patchelf to be able to find it.

Here are some nixpkgs packages related to tbb: https://search.nixos.org/packages?channel=23.11&from=0&size=50&sort=relevance&type=packages&query=tbb

Please provide relevant code so we can further assist you.
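As an added illustration of what "provide the library as a buildInput" means for autoPatchelfHook, the derivation below is not the makes project's code and is not the fix the maintainers applied to this repo; it is a plain nixpkgs derivation around a prebuilt native extension. The package attribute `tbb_2021_11` (the oneTBB release line that ships libtbb.so.12), the download URL and its hash are assumptions and placeholders:

```nix
# Added illustration, not code from the makes project. Shows how
# autoPatchelfHook is given the libraries that a prebuilt .so declares in
# its DT_NEEDED entries. Assumed names: `tbb_2021_11` (oneTBB 2021, the
# line that provides libtbb.so.12) and the placeholder src URL and hash.
{ pkgs ? import <nixpkgs> { } }:

pkgs.stdenv.mkDerivation {
  pname = "prebuilt-extension-with-tbb";
  version = "0.0";

  # Placeholder for the prebuilt artifact that carries the DT_NEEDED entry;
  # replace with the real tarball and its real SRI hash.
  src = pkgs.fetchurl {
    url = "https://example.invalid/prebuilt-extension.tar.gz";
    hash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
  };

  # The hook runs in fixupPhase and rewrites RPATH/RUNPATH of every ELF
  # file under $out so each needed library resolves to a /nix/store path.
  nativeBuildInputs = [ pkgs.autoPatchelfHook ];

  # autoPatchelfHook looks for each DT_NEEDED name in the lib/ directories of
  # buildInputs (and runtimeDependencies). Listing the TBB package here is
  # what satisfies "could not satisfy dependency libtbb.so.12".
  buildInputs = [
    pkgs.stdenv.cc.cc.lib   # libstdc++ / libgcc_s, needed by most C++ extensions
    pkgs.tbb_2021_11        # assumed attribute; provides libtbb.so.12
  ];

  # Alternative when the library only backs an optional feature you do not
  # use: tell the hook to leave that one entry unresolved instead of failing
  # the build (corresponds to the --ignore-missing hint in the error).
  # autoPatchelfIgnoreMissingDeps = [ "libtbb.so.12" ];

  installPhase = ''
    mkdir -p $out/lib
    cp -r . $out/lib/
  '';
}
```

Before deciding between the two options, `patchelf --print-needed <file>.so` on the offending extension lists exactly which sonames it declares, and running it again on the result in `$out` confirms the RPATH now points into the store; ignoring a missing dependency only makes sense when the code path that dlopens or links it is never exercised, otherwise the failure just moves from build time to run time.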

erik-lab commented 4 months ago

I am more than a bit lost. I am trying to complete a static scan for initial Google app validation. I was following the instructions provided to build then run a docker image of FluidAttacks on my Windows 10 dev machine against a Python/Flask repo. The Docker built fine, but the run failed. I have no idea what the scanner software is doing specifically, have little experience monitoring a docker image, and am not sure what the things are you suggest that I provide (or how to provide them, or why). (Really sorry for the newbiness!)

This is the run command I used:

docker run -v D:\edahl\Documents\eme_code_scan\eme_vector:/repo/eme_vector ghcr.io/fluidattacks/makes/amd64:latest m gitlab:fluidattacks/universe@trunk /sorts /repo/eme_vector

The run started, followed by several hundred rows of output and finally the error pasted above.

I shared my private Repo to you (https://github.com/erik-lab/eme_vector.git). Is there anything else that would help? Like the full log of the aborted run?

Thanks for your patience! :-)

jgomezb11 commented 4 months ago

Hi @erik-lab,

I am curious about where you found that command.

If you want to scan your app for CASA Tier 2 compliance, you should follow this official guide: CASA Tier 2 Compliance Guide.

If you could let us know where you found a guide that recommends that specific command that you are using, it would help us prevent further misinformation.

erik-lab commented 4 months ago

The Google notification I received during validation included a link to the App Defense Alliance site (https://appdefensealliance.dev/casa) which includes instructions on performing static and dynamic scans. I tried to follow the static scan guide to get to this point.

I have been underwater for a bit, but I skimmed the Compliance guide site you shared and it seemed clearer. I will give it a try tonight when I resurface. Back to the day job for now.

Erik

erik-lab commented 4 months ago

Hi @jgomezb11, thanks for the updated instructions!! I have worked through them and run the scanner, but I am not seeing any response from the commands (I have tried several variations). The command runs (apparently) but there are no errors, no logging, or other indicators that something is happening. I waited about 10 minutes for something but now have to assume that nothing is happening. Any thoughts on what I did wrong, or should I just be more patient :-) ?

Below is the command I used and my local directory structure. I am running Windows 10 Pro.

Command:

docker run -v D:\edahl\Documents\eme_code_scan:/eme_vector_scan fluidattacks/cli:amd64 skims scan /eme_vector_scan/fluid-config.yaml

I run the command while in the eme_code_scan directory with the yaml file.

My Directory structure:

D:\edahl\Documents
    - eme_code_scan
        - eme_vector
            - eme_package
            - run_eme.py
            etc
        - fluid-config.yaml

fluid-config.yaml contains:

# Description:
#   Pick a name you like, normally the name of the repository.
# Example:
namespace: eme_vector_scan

# Description:
#   Omit if you want pretty-printed results,
#   Set to a path if you want CSV results.
# Optional:
#   Yes
# Example:
output:
  file_path: /eme_vector_scan/EME-Fluid-Attacks-Results.csv
  format: CSV

# Description:
#   Working directory, normally used as the path to the repository.
# Example:
working_dir: /eme_vector_scan/eme_vector

# Description:
#   SAST for source code.
# Example:
path:
  # Description:
  #   Target files used in the analysis.
  # Example:
  include:
    # Absolute path
    - .
    # Relative path to `working_dir`
    - .

sast:
  include:
    - .

# Description:
#  Reversing checks for Android APKs.
apk:
  # Description:
  #   Target files used in the analysis.
  # Example:
  include:
    # Absolute paths
    # - /app/app-arm-debug-Android5.apk
    # - /app/app-arm-debug.apk
    # - /app/app-x86-debug-Android5.apk
    # - /app/app-x86-debug.apk
    - glob(**/*.apk)
  exclude:
    - glob(**/node_modules/**)

sca:
  include:
    - .

# Description:
#   Language to use, valid values are: EN, ES.
# Optional:
#   Yes, defaults to: EN.
language: EN

jgomezb11 commented 4 months ago

Hi @erik-lab

With the information you have provided, I am not able to pinpoint a specific issue. If you could kindly share the output generated by the command, I will gladly help you out.

The only thing I noticed is that you are not using the config.yaml file we recommended in the guide. It is not a problem per se, but you should use it as is (changing only the path you defined) because it has the correct exclusions that could enhance the scan performance.

Note: If the output reaches a point and shows something like this:

[image]

and stays there for a while, it means the scan is in progress, and you should wait a bit longer.

If it takes too long or your code base is big enough, I recommend you make use of the recursion-limit key as described here: https://help.fluidattacks.com/portal/en/kb/articles/configure-the-tests-by-the-standalone-scanner#sast

erik-lab commented 4 months ago

Hi @jgomezb11 - I reverted to the default config, modified the sast recursion-limit to be 1000 and turned off the file_size_limit after I saw errors with a couple of large js files I had included, and the scan ran (woo hoo) - it took a while but I got my results. While I am not thrilled with 99 vulnerabilities, at least I have a path forward now. Thank you for your help! I may be back after I digest the vulnerabilities; I am sure I will need some help remediating some of them.