intel / cve-bin-tool

The CVE Binary Tool helps you determine if your system includes known vulnerabilities. You can scan binaries for over 200 common, vulnerable components (openssl, libpng, libxml2, expat and others), or if you know the components used, you can get a list of known vulnerabilities associated with an SBOM or a list of components and versions.
https://cve-bin-tool.readthedocs.io/en/latest/
GNU General Public License v3.0

bug: error scanning apache-airflow requirements #4355

Open terriko opened 1 month ago

terriko commented 1 month ago

I was trying to do a scan on the requirements for apache-airflow, which is currently a pretty long list of pinned dependencies:

[13:33:59] ERROR    cve_bin_tool.VersionScanner - b'  error:                              python.py:72
                    subprocess-exited-with-error\n  \n  \xc3\x97 Getting requirements to              
                    build wheel did not run successfully.\n  \xe2\x94\x82 exit code: 1\n              
                    \xe2\x95\xb0\xe2\x94\x80> [25 lines of output]\n      /bin/sh: line               
                    1: krb5-config: command not found\n      Traceback (most recent call              
                    last):\n        File                                                              
                    "/home/terri/venv-airflow/lib/python3.12/site-packages/pip/_vendor/py             
                    project_hooks/_in_process/_in_process.py", line 353, in <module>\n                
                    main()\n        File                                                              
                    "/home/terri/venv-airflow/lib/python3.12/site-packages/pip/_vendor/py             
                    project_hooks/_in_process/_in_process.py", line 335, in main\n                    
                    json_out[\'return_val\'] = hook(**hook_input[\'kwargs\'])\n                       
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n        File                                        
                    "/home/terri/venv-airflow/lib/python3.12/site-packages/pip/_vendor/py             
                    project_hooks/_in_process/_in_process.py", line 118, in                           
                    get_requires_for_build_wheel\n          return                                    
                    hook(config_settings)\n                 ^^^^^^^^^^^^^^^^^^^^^\n                   
                    File                                                                              
                    "/tmp/pip-build-env-jn2xk8xz/overlay/lib/python3.12/site-packages/set             
                    uptools/build_meta.py", line 327, in get_requires_for_build_wheel\n               
                    return self._get_build_requires(config_settings, requirements=[])\n               
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n                      
                    File                                                                              
                    "/tmp/pip-build-env-jn2xk8xz/overlay/lib/python3.12/site-packages/set             
                    uptools/build_meta.py", line 297, in _get_build_requires\n                        
                    self.run_setup()\n        File                                                    
                    "/tmp/pip-build-env-jn2xk8xz/overlay/lib/python3.12/site-packages/set             
                    uptools/build_meta.py", line 313, in run_setup\n          exec(code,              
                    locals())\n        File "<string>", line 109, in <module>\n                       
                    File "<string>", line 22, in get_output\n        File                             
                    "/usr/lib64/python3.12/subprocess.py", line 466, in check_output\n                
                    return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,\n                
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n                       
                    File "/usr/lib64/python3.12/subprocess.py", line 571, in run\n                    
                    raise CalledProcessError(retcode, process.args,\n                                 
                    subprocess.CalledProcessError: Command \'krb5-config --libs gssapi\'              
                    returned non-zero exit status 127.\n      [end of output]\n  \n                   
                    note: This error originates from a subprocess, and is likely not a                
                    problem with pip.\nerror: subprocess-exited-with-error\n\n\xc3\x97                
                    Getting requirements to build wheel did not run                                   
                    successfully.\n\xe2\x94\x82 exit code: 1\n\xe2\x95\xb0\xe2\x94\x80>               
                    See above for output.\n\nnote: This error originates from a                       
                    subprocess, and is likely not a problem with pip.\n' 

I'm attaching the file I was using for the scan.

airflow-requirements.txt

Note that this isn't exactly the way airflow wants the install to work, I just wanted to get some scan results to answer a question someone had about the security of apache-airflow. cve-bin-tool does give me some output, but it's missing a lot of components that I would expect to see.

Pinging @anthonyharrison for his expertise on python dependency weirdness and @inosmeet for his recent delving into the language parser code in case they've got any ideas on what we could do better here.
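As an added example (not cve-bin-tool's own code), this is a static parser that pulls component/version pairs out of a pinned requirements file without calling pip, so a missing system library such as krb5-config cannot abort the scan; entries that are not exact pins are reported separately because their version is unknowable without resolving. The sample input is constructed, not the attached airflow-requirements.txt.

```python
import re
from typing import NamedTuple

# Constructed sample in the style of a pip-compile output (the --hash value
# is a placeholder, not a real digest); it is not the file from the issue.
SAMPLE = """\
# generated by pip-compile
apache-airflow==2.10.0
cryptography==43.0.0 ; python_version >= "3.8"
requests[security]==2.32.3 \\
    --hash=sha256:placeholder0000000000000000000000000000000000000000000000
PyYAML == 6.0.2
mysqlclient>=2.2        # not pinned: version unknown without resolving
-r constraints.txt
"""

PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"   # distribution name
    r"(?:\[[^\]]*\])?"                          # optional extras, e.g. [security]
    r"\s*==\s*(?P<version>[^\s;#]+)"            # exact pin only; stops at marker/comment
)


class Pin(NamedTuple):
    name: str
    version: str


def normalize(name: str) -> str:
    """PEP 503 name normalization so 'PyYAML' and 'pyyaml' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pinned(text: str):
    """Return (pins, skipped) from a requirements file without running pip
    or any build backend, so no system dependency can break the scan."""
    pins, skipped = [], []
    # Join backslash continuations (used for --hash lines) into one logical line.
    logical = text.replace("\\\n", " ")
    for raw in logical.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or line.startswith("-"):
            continue  # blank line, or a pip option such as -r / --index-url
        m = PIN_RE.match(line)
        if m:
            pins.append(Pin(normalize(m.group("name")), m.group("version")))
        else:
            skipped.append(line)  # range or unparsable spec: needs manual review
    return pins, skipped
```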

inosmeet commented 1 month ago

It's a dependency problem; it works as expected after installing libmysqlclient-dev, libkrb5-dev and pkg-config.