intel / cve-bin-tool

The CVE Binary Tool helps you determine if your system includes known vulnerabilities. You can scan binaries for over 200 common, vulnerable components (openssl, libpng, libxml2, expat and others), or if you know the components used, you can get a list of known vulnerabilities associated with an SBOM or a list of components and versions.
https://cve-bin-tool.readthedocs.io/en/latest/
GNU General Public License v3.0

test: python windows dll pattern tests #4032

Open terriko opened 5 months ago

terriko commented 5 months ago

In #4023, @jananir640 has added a pattern to detect python3 DLLs for windows correctly.

It would be good to have a pair of tests using this new pattern:

  1. Add some mapping test data to https://github.com/intel/cve-bin-tool/blob/main/test/test_data/python.py that triggers this pattern
  2. Add a file test, potentially using https://s3.amazonaws.com/ddagent-windows-stable/datadog-agent-7-latest.amd64.msi which was the file that originally triggered the bug

This should be doable by a new user, so I'm flagging it as a good first issue. But now that we're not in the middle of GSoC applications (and thus trying to save good first issues for GSoC applicants), anyone should feel free to work on this.

ranjanmangla1 commented 4 months ago

I am working on this. It'd be fun to work on this

terriko commented 4 months ago

@ranjanmangla1 have fun! Let us know if you get stuck anywhere.

ranjanmangla1 commented 2 months ago

@terriko sorry for the late response

The mapping test is working fine, but the package test/file test:

    {
        "url": "https://s3.amazonaws.com/ddagent-windows-stable/",
        "package_name": "datadog-agent-7-latest.amd64.msi",
        "product": "python",
        "version": "3.11.8",
    }

is giving an error about python not being found.

Actually, it is creating an empty tar file in the condensed_downloads directory. I tried giving it an already downloaded file in the downloads dir, but I'm still getting a failed test case for this one.

I manually verified the python version in the file using msiextract & got this:

agent                                         7.54.1
agent-dependencies                            7.54.1
datadog-agent                                 7.54.1
datadog-agent-dependencies                    7.54.1
datadog-agent-finalize                        1.0.0
datadog-agent-integrations-py3                7.54.1
datadog-agent-integrations-py3-dependencies   7.54.1
datadog-agent-prepare                         1.0.0
datadog-cf-finalize                           1.0.0
datadog-security-agent-policies               v0.54.1
jmxfetch                                      0.49.1
pip3                                          23.3.1
python3                                       3.11.8

what can be done to solve this issue?

terriko commented 2 months ago

Hmm, the condensed downloads code I don't think has been changed recently, but the fact that it's making an empty file is suspicious because that implies it's not extracting strings correctly. My first guess would be that it might be because our condensed download code doesn't understand msi, but that's really a guess and could be completely off track.