ROX-8803: Resolve symbolic links before checking the files map (#577)
c-du authored Jan 20, 2022
1 parent 5d0042d commit 4822306
Showing 37 changed files with 650 additions and 298 deletions.
4 changes: 3 additions & 1 deletion benchmarks/detectcontent/detect_content_test.go
Expand Up @@ -7,6 +7,7 @@ import (
"github.com/stackrox/scanner/benchmarks"
"github.com/stackrox/scanner/database"
"github.com/stackrox/scanner/pkg/features"
"github.com/stackrox/scanner/pkg/tarutil"
"github.com/stackrox/scanner/pkg/testutils"
"github.com/stretchr/testify/require"

Expand Down Expand Up @@ -56,8 +57,9 @@ func runBenchmarkDetectContent(b *testing.B, imageName string) {
for i := 0; i < b.N; i++ {
var namespace *database.Namespace
var err error
var files *tarutil.LayerFiles
for _, l := range layers {
namespace, _, _, _, _, _, err = clair.DetectContentFromReader(l, "Docker", l.Name, &database.Layer{Namespace: namespace}, false)
namespace, _, _, _, _, files, err = clair.DetectContentFromReader(l, "Docker", l.Name, &database.Layer{Namespace: namespace}, files, false)
require.NoError(b, err)
}
}
118 changes: 118 additions & 0 deletions e2etests/testcase_test.go
Expand Up @@ -176,6 +176,50 @@ var testCases = []testCase{
{Name: "apt", Version: "1.0.9.8.4"},
},
},
{
Path: "/usr/lib/apt/methods/xz",
RequiredFeatures: []*v1.FeatureNameVersion{
{Name: "apt", Version: "1.0.9.8.4"},
{Name: "bzip2", Version: "1.0.6-7"},
{Name: "gcc-4.9", Version: "4.9.2-10"},
{Name: "glibc", Version: "2.19-18+deb8u10"},
{Name: "xz-utils", Version: "5.1.1alpha+20120614-2"},
{Name: "zlib", Version: "1:1.2.8.dfsg-2"},
},
},
{
Path: "/usr/lib/apt/methods/bzip2",
RequiredFeatures: []*v1.FeatureNameVersion{
{Name: "apt", Version: "1.0.9.8.4"},
{Name: "bzip2", Version: "1.0.6-7"},
{Name: "gcc-4.9", Version: "4.9.2-10"},
{Name: "glibc", Version: "2.19-18+deb8u10"},
{Name: "xz-utils", Version: "5.1.1alpha+20120614-2"},
{Name: "zlib", Version: "1:1.2.8.dfsg-2"},
},
},
{
Path: "/usr/lib/apt/methods/lzma",
RequiredFeatures: []*v1.FeatureNameVersion{
{Name: "apt", Version: "1.0.9.8.4"},
{Name: "bzip2", Version: "1.0.6-7"},
{Name: "gcc-4.9", Version: "4.9.2-10"},
{Name: "glibc", Version: "2.19-18+deb8u10"},
{Name: "xz-utils", Version: "5.1.1alpha+20120614-2"},
{Name: "zlib", Version: "1:1.2.8.dfsg-2"},
},
},
{
Path: "/usr/lib/apt/methods/ssh",
RequiredFeatures: []*v1.FeatureNameVersion{
{Name: "apt", Version: "1.0.9.8.4"},
{Name: "bzip2", Version: "1.0.6-7"},
{Name: "gcc-4.9", Version: "4.9.2-10"},
{Name: "glibc", Version: "2.19-18+deb8u10"},
{Name: "xz-utils", Version: "5.1.1alpha+20120614-2"},
{Name: "zlib", Version: "1:1.2.8.dfsg-2"},
},
},
{
Path: "/usr/lib/dpkg/methods/apt/update",
RequiredFeatures: []*v1.FeatureNameVersion{
Expand Down Expand Up @@ -493,9 +537,12 @@ var testCases = []testCase{
{Name: "bzip2-libs", Version: "1.0.6-13.el7"},
{Name: "elfutils-libelf", Version: "0.176-2.el7"},
{Name: "elfutils-libs", Version: "0.176-2.el7"},
{Name: "glibc", Version: "2.17-292.el7"},
{Name: "libattr", Version: "2.4.46-13.el7"},
{Name: "libcap", Version: "2.22-10.el7"},
{Name: "libgcc", Version: "4.8.5-39.el7"},
{Name: "libgcrypt", Version: "1.5.3-14.el7"},
{Name: "libgpg-error", Version: "1.12-3.el7"},
{Name: "libselinux", Version: "2.5-14.1.el7"},
{Name: "lz4", Version: "1.7.5-3.el7"},
{Name: "pcre", Version: "8.32-17.el7"},
Expand All @@ -511,9 +558,12 @@ var testCases = []testCase{
{Name: "bzip2-libs", Version: "1.0.6-13.el7"},
{Name: "elfutils-libelf", Version: "0.176-2.el7"},
{Name: "elfutils-libs", Version: "0.176-2.el7"},
{Name: "glibc", Version: "2.17-292.el7"},
{Name: "libattr", Version: "2.4.46-13.el7"},
{Name: "libcap", Version: "2.22-10.el7"},
{Name: "libgcc", Version: "4.8.5-39.el7"},
{Name: "libgcrypt", Version: "1.5.3-14.el7"},
{Name: "libgpg-error", Version: "1.12-3.el7"},
{Name: "libselinux", Version: "2.5-14.1.el7"},
{Name: "lz4", Version: "1.7.5-3.el7"},
{Name: "pcre", Version: "8.32-17.el7"},
Expand All @@ -529,9 +579,12 @@ var testCases = []testCase{
{Name: "bzip2-libs", Version: "1.0.6-13.el7"},
{Name: "elfutils-libelf", Version: "0.176-2.el7"},
{Name: "elfutils-libs", Version: "0.176-2.el7"},
{Name: "glibc", Version: "2.17-292.el7"},
{Name: "libattr", Version: "2.4.46-13.el7"},
{Name: "libcap", Version: "2.22-10.el7"},
{Name: "libgcc", Version: "4.8.5-39.el7"},
{Name: "libgcrypt", Version: "1.5.3-14.el7"},
{Name: "libgpg-error", Version: "1.12-3.el7"},
{Name: "libselinux", Version: "2.5-14.1.el7"},
{Name: "lz4", Version: "1.7.5-3.el7"},
{Name: "pcre", Version: "8.32-17.el7"},
Expand All @@ -547,9 +600,12 @@ var testCases = []testCase{
{Name: "bzip2-libs", Version: "1.0.6-13.el7"},
{Name: "elfutils-libelf", Version: "0.176-2.el7"},
{Name: "elfutils-libs", Version: "0.176-2.el7"},
{Name: "glibc", Version: "2.17-292.el7"},
{Name: "libattr", Version: "2.4.46-13.el7"},
{Name: "libcap", Version: "2.22-10.el7"},
{Name: "libgcc", Version: "4.8.5-39.el7"},
{Name: "libgcrypt", Version: "1.5.3-14.el7"},
{Name: "libgpg-error", Version: "1.12-3.el7"},
{Name: "libselinux", Version: "2.5-14.1.el7"},
{Name: "lz4", Version: "1.7.5-3.el7"},
{Name: "pcre", Version: "8.32-17.el7"},
Expand All @@ -565,9 +621,12 @@ var testCases = []testCase{
{Name: "bzip2-libs", Version: "1.0.6-13.el7"},
{Name: "elfutils-libelf", Version: "0.176-2.el7"},
{Name: "elfutils-libs", Version: "0.176-2.el7"},
{Name: "glibc", Version: "2.17-292.el7"},
{Name: "libattr", Version: "2.4.46-13.el7"},
{Name: "libcap", Version: "2.22-10.el7"},
{Name: "libgcc", Version: "4.8.5-39.el7"},
{Name: "libgcrypt", Version: "1.5.3-14.el7"},
{Name: "libgpg-error", Version: "1.12-3.el7"},
{Name: "libselinux", Version: "2.5-14.1.el7"},
{Name: "lz4", Version: "1.7.5-3.el7"},
{Name: "pcre", Version: "8.32-17.el7"},
Expand All @@ -583,9 +642,12 @@ var testCases = []testCase{
{Name: "bzip2-libs", Version: "1.0.6-13.el7"},
{Name: "elfutils-libelf", Version: "0.176-2.el7"},
{Name: "elfutils-libs", Version: "0.176-2.el7"},
{Name: "glibc", Version: "2.17-292.el7"},
{Name: "libattr", Version: "2.4.46-13.el7"},
{Name: "libcap", Version: "2.22-10.el7"},
{Name: "libgcc", Version: "4.8.5-39.el7"},
{Name: "libgcrypt", Version: "1.5.3-14.el7"},
{Name: "libgpg-error", Version: "1.12-3.el7"},
{Name: "libselinux", Version: "2.5-14.1.el7"},
{Name: "lz4", Version: "1.7.5-3.el7"},
{Name: "pcre", Version: "8.32-17.el7"},
Expand All @@ -601,9 +663,12 @@ var testCases = []testCase{
{Name: "bzip2-libs", Version: "1.0.6-13.el7"},
{Name: "elfutils-libelf", Version: "0.176-2.el7"},
{Name: "elfutils-libs", Version: "0.176-2.el7"},
{Name: "glibc", Version: "2.17-292.el7"},
{Name: "libattr", Version: "2.4.46-13.el7"},
{Name: "libcap", Version: "2.22-10.el7"},
{Name: "libgcc", Version: "4.8.5-39.el7"},
{Name: "libgcrypt", Version: "1.5.3-14.el7"},
{Name: "libgpg-error", Version: "1.12-3.el7"},
{Name: "libselinux", Version: "2.5-14.1.el7"},
{Name: "lz4", Version: "1.7.5-3.el7"},
{Name: "pcre", Version: "8.32-17.el7"},
Expand All @@ -619,9 +684,12 @@ var testCases = []testCase{
{Name: "bzip2-libs", Version: "1.0.6-13.el7"},
{Name: "elfutils-libelf", Version: "0.176-2.el7"},
{Name: "elfutils-libs", Version: "0.176-2.el7"},
{Name: "glibc", Version: "2.17-292.el7"},
{Name: "libattr", Version: "2.4.46-13.el7"},
{Name: "libcap", Version: "2.22-10.el7"},
{Name: "libgcc", Version: "4.8.5-39.el7"},
{Name: "libgcrypt", Version: "1.5.3-14.el7"},
{Name: "libgpg-error", Version: "1.12-3.el7"},
{Name: "libselinux", Version: "2.5-14.1.el7"},
{Name: "lz4", Version: "1.7.5-3.el7"},
{Name: "ncurses-libs", Version: "5.9-14.20130511.el7_4"},
Expand All @@ -638,9 +706,12 @@ var testCases = []testCase{
{Name: "bzip2-libs", Version: "1.0.6-13.el7"},
{Name: "elfutils-libelf", Version: "0.176-2.el7"},
{Name: "elfutils-libs", Version: "0.176-2.el7"},
{Name: "glibc", Version: "2.17-292.el7"},
{Name: "libattr", Version: "2.4.46-13.el7"},
{Name: "libcap", Version: "2.22-10.el7"},
{Name: "libgcc", Version: "4.8.5-39.el7"},
{Name: "libgcrypt", Version: "1.5.3-14.el7"},
{Name: "libgpg-error", Version: "1.12-3.el7"},
{Name: "libselinux", Version: "2.5-14.1.el7"},
{Name: "lz4", Version: "1.7.5-3.el7"},
{Name: "pcre", Version: "8.32-17.el7"},
Expand All @@ -656,9 +727,12 @@ var testCases = []testCase{
{Name: "bzip2-libs", Version: "1.0.6-13.el7"},
{Name: "elfutils-libelf", Version: "0.176-2.el7"},
{Name: "elfutils-libs", Version: "0.176-2.el7"},
{Name: "glibc", Version: "2.17-292.el7"},
{Name: "libattr", Version: "2.4.46-13.el7"},
{Name: "libcap", Version: "2.22-10.el7"},
{Name: "libgcc", Version: "4.8.5-39.el7"},
{Name: "libgcrypt", Version: "1.5.3-14.el7"},
{Name: "libgpg-error", Version: "1.12-3.el7"},
{Name: "libselinux", Version: "2.5-14.1.el7"},
{Name: "lz4", Version: "1.7.5-3.el7"},
{Name: "pcre", Version: "8.32-17.el7"},
Expand All @@ -674,9 +748,12 @@ var testCases = []testCase{
{Name: "bzip2-libs", Version: "1.0.6-13.el7"},
{Name: "elfutils-libelf", Version: "0.176-2.el7"},
{Name: "elfutils-libs", Version: "0.176-2.el7"},
{Name: "glibc", Version: "2.17-292.el7"},
{Name: "libattr", Version: "2.4.46-13.el7"},
{Name: "libcap", Version: "2.22-10.el7"},
{Name: "libgcc", Version: "4.8.5-39.el7"},
{Name: "libgcrypt", Version: "1.5.3-14.el7"},
{Name: "libgpg-error", Version: "1.12-3.el7"},
{Name: "libselinux", Version: "2.5-14.1.el7"},
{Name: "lz4", Version: "1.7.5-3.el7"},
{Name: "ncurses-libs", Version: "5.9-14.20130511.el7_4"},
Expand All @@ -693,9 +770,12 @@ var testCases = []testCase{
{Name: "bzip2-libs", Version: "1.0.6-13.el7"},
{Name: "elfutils-libelf", Version: "0.176-2.el7"},
{Name: "elfutils-libs", Version: "0.176-2.el7"},
{Name: "glibc", Version: "2.17-292.el7"},
{Name: "libattr", Version: "2.4.46-13.el7"},
{Name: "libcap", Version: "2.22-10.el7"},
{Name: "libgcc", Version: "4.8.5-39.el7"},
{Name: "libgcrypt", Version: "1.5.3-14.el7"},
{Name: "libgpg-error", Version: "1.12-3.el7"},
{Name: "libselinux", Version: "2.5-14.1.el7"},
{Name: "lz4", Version: "1.7.5-3.el7"},
{Name: "pcre", Version: "8.32-17.el7"},
Expand All @@ -711,9 +791,12 @@ var testCases = []testCase{
{Name: "bzip2-libs", Version: "1.0.6-13.el7"},
{Name: "elfutils-libelf", Version: "0.176-2.el7"},
{Name: "elfutils-libs", Version: "0.176-2.el7"},
{Name: "glibc", Version: "2.17-292.el7"},
{Name: "libattr", Version: "2.4.46-13.el7"},
{Name: "libcap", Version: "2.22-10.el7"},
{Name: "libgcc", Version: "4.8.5-39.el7"},
{Name: "libgcrypt", Version: "1.5.3-14.el7"},
{Name: "libgpg-error", Version: "1.12-3.el7"},
{Name: "libselinux", Version: "2.5-14.1.el7"},
{Name: "lz4", Version: "1.7.5-3.el7"},
{Name: "pcre", Version: "8.32-17.el7"},
Expand All @@ -729,9 +812,12 @@ var testCases = []testCase{
{Name: "bzip2-libs", Version: "1.0.6-13.el7"},
{Name: "elfutils-libelf", Version: "0.176-2.el7"},
{Name: "elfutils-libs", Version: "0.176-2.el7"},
{Name: "glibc", Version: "2.17-292.el7"},
{Name: "libattr", Version: "2.4.46-13.el7"},
{Name: "libcap", Version: "2.22-10.el7"},
{Name: "libgcc", Version: "4.8.5-39.el7"},
{Name: "libgcrypt", Version: "1.5.3-14.el7"},
{Name: "libgpg-error", Version: "1.12-3.el7"},
{Name: "libselinux", Version: "2.5-14.1.el7"},
{Name: "lz4", Version: "1.7.5-3.el7"},
{Name: "pcre", Version: "8.32-17.el7"},
Expand All @@ -747,9 +833,12 @@ var testCases = []testCase{
{Name: "bzip2-libs", Version: "1.0.6-13.el7"},
{Name: "elfutils-libelf", Version: "0.176-2.el7"},
{Name: "elfutils-libs", Version: "0.176-2.el7"},
{Name: "glibc", Version: "2.17-292.el7"},
{Name: "libattr", Version: "2.4.46-13.el7"},
{Name: "libcap", Version: "2.22-10.el7"},
{Name: "libgcc", Version: "4.8.5-39.el7"},
{Name: "libgcrypt", Version: "1.5.3-14.el7"},
{Name: "libgpg-error", Version: "1.12-3.el7"},
{Name: "libselinux", Version: "2.5-14.1.el7"},
{Name: "lz4", Version: "1.7.5-3.el7"},
{Name: "ncurses-libs", Version: "5.9-14.20130511.el7_4"},
Expand All @@ -766,9 +855,33 @@ var testCases = []testCase{
{Name: "bzip2-libs", Version: "1.0.6-13.el7"},
{Name: "elfutils-libelf", Version: "0.176-2.el7"},
{Name: "elfutils-libs", Version: "0.176-2.el7"},
{Name: "glibc", Version: "2.17-292.el7"},
{Name: "libattr", Version: "2.4.46-13.el7"},
{Name: "libcap", Version: "2.22-10.el7"},
{Name: "libgcc", Version: "4.8.5-39.el7"},
{Name: "libgcrypt", Version: "1.5.3-14.el7"},
{Name: "libgpg-error", Version: "1.12-3.el7"},
{Name: "libselinux", Version: "2.5-14.1.el7"},
{Name: "lz4", Version: "1.7.5-3.el7"},
{Name: "pcre", Version: "8.32-17.el7"},
{Name: "procps-ng", Version: "3.3.10-26.el7"},
{Name: "systemd-libs", Version: "219-67.el7_7.1"},
{Name: "xz-libs", Version: "5.2.2-1.el7"},
{Name: "zlib", Version: "1.2.7-18.el7"},
},
},
{
Path: "/usr/lib64/libprocps.so.4",
RequiredFeatures: []*v1.FeatureNameVersion{
{Name: "bzip2-libs", Version: "1.0.6-13.el7"},
{Name: "elfutils-libelf", Version: "0.176-2.el7"},
{Name: "elfutils-libs", Version: "0.176-2.el7"},
{Name: "glibc", Version: "2.17-292.el7"},
{Name: "libattr", Version: "2.4.46-13.el7"},
{Name: "libcap", Version: "2.22-10.el7"},
{Name: "libgcc", Version: "4.8.5-39.el7"},
{Name: "libgcrypt", Version: "1.5.3-14.el7"},
{Name: "libgpg-error", Version: "1.12-3.el7"},
{Name: "libselinux", Version: "2.5-14.1.el7"},
{Name: "lz4", Version: "1.7.5-3.el7"},
{Name: "pcre", Version: "8.32-17.el7"},
Expand All @@ -784,9 +897,12 @@ var testCases = []testCase{
{Name: "bzip2-libs", Version: "1.0.6-13.el7"},
{Name: "elfutils-libelf", Version: "0.176-2.el7"},
{Name: "elfutils-libs", Version: "0.176-2.el7"},
{Name: "glibc", Version: "2.17-292.el7"},
{Name: "libattr", Version: "2.4.46-13.el7"},
{Name: "libcap", Version: "2.22-10.el7"},
{Name: "libgcc", Version: "4.8.5-39.el7"},
{Name: "libgcrypt", Version: "1.5.3-14.el7"},
{Name: "libgpg-error", Version: "1.12-3.el7"},
{Name: "libselinux", Version: "2.5-14.1.el7"},
{Name: "lz4", Version: "1.7.5-3.el7"},
{Name: "pcre", Version: "8.32-17.el7"},
Expand Down Expand Up @@ -1868,6 +1984,8 @@ var testCases = []testCase{
{
Path: "/usr/bin/vi",
RequiredFeatures: []*v1.FeatureNameVersion{
{Name: "glibc", Version: "2.17-307.el7.1.i686"},
{Name: "glibc", Version: "2.17-307.el7.1.x86_64"},
{Name: "libacl", Version: "2.2.51-15.el7.x86_64"},
{Name: "libattr", Version: "2.4.46-13.el7.i686"},
{Name: "libattr", Version: "2.4.46-13.el7.x86_64"},
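Review bot: The /usr/bin/vi expectation near the end of this section now requires glibc in both its i686 and x86_64 flavours (the two added lines), yet a single ELF executable resolves its libc against one architecture; if these lines come from matching sonames without an ELF-class or architecture qualifier, the test is locking in an over-report rather than describing real linkage. A short comment on that case, e.g. `// Both glibc arches are listed because dependency matching is by soname, not by ELF class`, would tell the next maintainer whether that is intended. The new /usr/lib/apt/methods/{xz,bzip2,lzma,ssh} cases carry byte-identical RequiredFeatures lists, which is plausible for binaries sharing one link set but would be easier to audit as a single shared slice. The testCases slice begins and ends outside the visible hunks.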
11 changes: 7 additions & 4 deletions ext/featurefmt/apk/apk.go
Expand Up @@ -41,8 +41,8 @@ func init() {

type lister struct{}

func (l lister) ListFeatures(files tarutil.FilesMap) ([]database.FeatureVersion, error) {
file, exists := files[dbPath]
func (l lister) ListFeatures(files tarutil.LayerFiles) ([]database.FeatureVersion, error) {
file, exists := files.Get(dbPath)
if !exists {
return []database.FeatureVersion{}, nil
}
Expand Down Expand Up @@ -106,8 +106,11 @@ func (l lister) ListFeatures(files tarutil.FilesMap) ([]database.FeatureVersion,
dir = line[2:]
case line[:2] == "R:" && features.ActiveVulnMgmt.Enabled():
filename := fmt.Sprintf("/%s/%s", dir, line[2:])
// The first character is always "/", which is removed when inserted into the files maps.
featurefmt.AddToDependencyMap(filename, files[filename[1:]], execToDeps, libToDeps)
// The first character is always "/", which is removed when inserted into the layer files.
fileData, hasFile := files.Get(filename[1:])
if hasFile {
featurefmt.AddToDependencyMap(filename, fileData, execToDeps, libToDeps)
}
}
}

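Review bot: The new `files.Get(filename[1:])` lookup at the bottom of the second hunk depends on `filename` being built by `fmt.Sprintf("/%s/%s", dir, line[2:])`, so an empty `F:` directory yields `//name` and any `./` or `..` segment in a database entry is passed through verbatim; if LayerFiles stores cleaned keys (and the commit title says lookups now resolve symbolic links), such entries miss and the `hasFile` guard drops the dependency edge without any trace. Building the key with `filename := path.Join("/", dir, line[2:])` (stdlib `path`) keeps the leading slash the comment relies on while normalising the rest. The guard also changes behaviour relative to the old `files[filename[1:]]`, which handed a zero-value FileData to AddToDependencyMap on a miss; if that was already a no-op, a one-line comment such as `// Skip entries whose file is absent from the layer (e.g. a dangling link); nothing to attribute.` would record why silent skipping is acceptable. ListFeatures continues outside the hunk.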
22 changes: 11 additions & 11 deletions ext/featurefmt/apk/apk_test.go
Expand Up @@ -78,9 +78,9 @@ func TestAPKFeatureDetection(t *testing.T) {
Version: "0.7-r0",
},
},
Files: tarutil.FilesMap{
"lib/apk/db/installed": tarutil.FileData{Contents: featurefmt.LoadFileForTest("apk/testdata/installed")},
},
Files: tarutil.CreateNewLayerFiles(map[string]tarutil.FileData{
"lib/apk/db/installed": {Contents: featurefmt.LoadFileForTest("apk/testdata/installed")},
}),
},
}
featurefmt.TestLister(t, &lister{}, testData)
Expand Down Expand Up @@ -154,14 +154,14 @@ func TestAPKFeatureDetectionWithActiveVulnMgmt(t *testing.T) {
Version: "0.7-r0",
},
},
Files: tarutil.FilesMap{
"lib/apk/db/installed": tarutil.FileData{Contents: featurefmt.LoadFileForTest("apk/testdata/installed")},
"lib/libc.musl-x86_64.so.1": tarutil.FileData{Executable: true, ELFMetadata: &elf.Metadata{Sonames: []string{"c.so.1"}, ImportedLibraries: []string{"ld.so.1"}}},
"lib/ld-musl-x86_64.so.1": tarutil.FileData{Executable: true, ELFMetadata: &elf.Metadata{Sonames: []string{"ld.so.1"}}},
"bin/busybox": tarutil.FileData{Executable: true, ELFMetadata: &elf.Metadata{Sonames: []string{}, ImportedLibraries: []string{"c.so.1", "ld.so.1"}}},
"etc/hosts": tarutil.FileData{Executable: true},
"etc/crontabs/root": tarutil.FileData{Executable: true},
},
Files: tarutil.CreateNewLayerFiles(map[string]tarutil.FileData{
"lib/apk/db/installed": {Contents: featurefmt.LoadFileForTest("apk/testdata/installed")},
"lib/libc.musl-x86_64.so.1": {Executable: true, ELFMetadata: &elf.Metadata{Sonames: []string{"c.so.1"}, ImportedLibraries: []string{"ld.so.1"}}},
"lib/ld-musl-x86_64.so.1": {Executable: true, ELFMetadata: &elf.Metadata{Sonames: []string{"ld.so.1"}}},
"bin/busybox": {Executable: true, ELFMetadata: &elf.Metadata{Sonames: []string{}, ImportedLibraries: []string{"c.so.1", "ld.so.1"}}},
"etc/hosts": {Executable: true},
"etc/crontabs/root": {Executable: true},
}),
},
}
featurefmt.TestLister(t, &lister{}, testData)
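Review bot: The fixture built with `tarutil.CreateNewLayerFiles` at the end of TestAPKFeatureDetectionWithActiveVulnMgmt contains only regular files, so the symbolic-link resolution this commit introduces is never exercised by the apk lister tests; a dependency miss on a symlinked library, or a dangling link, would pass unnoticed. Adding one entry that links to `lib/libc.musl-x86_64.so.1` under a name the `R:` records in apk/testdata/installed reference, and asserting it lands in the same dependency set, would cover the new path. I cannot tell from this hunk how LayerFiles represents a link, so the exact fixture shape needs confirming against tarutil. Both test functions extend beyond the hunks shown.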
