Open jananir640 opened 2 months ago
Thanks. I think this is a issue.
The location of the file is based on known locations of key binaries. These known locations are for a Linux based system only. . This is why /usr/bin/openssl is reported; the location has been assumed to be the location on the scanning machine.
If the binary is a Windows executable (which I assume it is), the reported location should probably be a Windows path (or not reported if scanning a Windows binary on a Linux machine)
I can't get the sample msi file to scan on my Linux system (it fails to extract) so I can't see the generated SBOM.
cc @terriko @mastersans
Yeah, I'm not sure why it's doing it that way now that I'm looking at this again. I would have expected it to report the filename where the issue was found, and if that file is an archive ideally we'd report the path within that archive. Probably my bad for approving it.
I guess the good news is that probably we can just replace find_product_location()
with something that does the right thing?
The evidence should be the file which has been scanned. So we should report the archive/executable which has been scanned which contains the component which is being reported.
Description
It seems that sometimes when cve-bin-tool detects the location/filepath of a dependency, it provides the path where that dependency is locally installed in the environment rather than where the dependency exists on the binary it is scanning. To my understanding, the location field is meant to help users understand where to go to patch, but the existing logic does not necessarily provide that. I see that this issue https://github.com/intel/cve-bin-tool/issues/3815 added this enhancement, so I am also wondering if this was the intended use.
To reproduce
Steps to reproduce the behaviour:
--sbom-output sbom_out.json --sbom-type cyclonedx --sbom-format json
https://s3.amazonaws.com/ddagent-windows-stable/ddagent-cli-7.55.2.msi
sbom_out.json
Expected behaviour: the location of
openssl
on the binary Actual behaviour: the SBOM shows that the location ofopenssl
is /usr/bin/openssl whereas this is not a valid path on the binary, but rather is the path whereopenssl
is locally installedVersion/platform info
Version of CVE-bin-tool( e.g. output of
cve-bin-tool --version
): v3.3.1dev0 Installed from GitHub Operating system: Linux Python version (e.g.python3 --version
): 3.18.17Anything else?
Feel free to add any other context here.