gsutil error - Githubissues

intel / cve-bin-tool

The CVE Binary Tool helps you determine if your system includes known vulnerabilities. You can scan binaries for over 200 common, vulnerable components (openssl, libpng, libxml2, expat and others), or if you know the components used, you can get a list of known vulnerabilities associated with an SBOM or a list of components and versions.

GNU General Public License v3.0

1.14k stars 444 forks source link

Hi @terriko on the venv part, I saw the same error for gsutil mentioned here. I.e.:
$ python -m venv venv
$ venv/bin/pip install cve-bin-tool
$ venv/bin/cve-bin-tool ...
...
FileNotFoundError: [Errno 2] No such file or directory: 'gsutil'
On debugging, I noticed that the tool currently expects gsutil on the PATH while I was running my command with an > absolute path for venv and not "activating" it. So, doing the following worked:
$ PATH=venv/bin venv/bin/cve-bin-tool
OR
$ source activate venv/bin/activate
$ cve-bin-tool ...
From a technical perspective, something that could be done here is to automatically add the sys.prefix to the PATH Or attempt to find gsutil with shutil.which('gsutil') and if not available ... check if {sys.prefix}/bin/gsutil exists ? Somewhere around: https://github.com/intel/cve-bin-tool/blob/v3.3/cve_bin_tool/data_sources/osv_source.py#L57

Originally posted by @AbdealiLoKo in https://github.com/intel/cve-bin-tool/issues/2869#issuecomment-2173256516

Moving this out of the original (closed) issue so it might actually get found and fixed by someone.

Now that I've moved this out of the closed thread, some more personal commentary:

I think not activating a venv is an incredibly bad idea and you should never do this. A large portion of the point of a venv is to do this kind of automatic adjustment of sys.prefix; if you don't activate it that's exactly the part you're missing and you're going to have problems like this all the time.
I think what we've got documented with respect to venvs is probably sufficient.
We should NOT automatically adjust sys.prefix, especially not by just searching for a file named gsutil. Modifying your PATH to arbitrary disk locations is potentially very dangerous and would be very bad security practice.

But given that this has come up at least twice now, I do think we could consider catching the FileNotFound error here and giving a more lightly user-friendly message something like "gsutil not found. Did you need to install requirements or activate a venv where gsutil is installed?"

intel / cve-bin-tool

gsutil error #4220