Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Recover from bad parsing of golang binary #1371

Merged
merged 1 commit into from
Nov 29, 2022
Merged

Recover from bad parsing of golang binary #1371

merged 1 commit into from
Nov 29, 2022

Conversation

wagoodman
Copy link
Contributor

The llvm project has some great examples of malformed binaries which currently panic in the go stdlib:

Screen Shot 2022-11-29 at 10 09 34 AM

file: https://github.com/llvm/llvm-project/blob/llvmorg-15.0.6/llvm/test/Object/Inputs/macho-invalid-dysymtab-bad-size

This PR adjusts the golang binary cataloger to at least survive these cases. Additionally more trace logging has been added to help expose what syft is parsing when bad crashes occur.

@wagoodman wagoodman requested a review from a team November 29, 2022 15:39
@wagoodman wagoodman self-assigned this Nov 29, 2022
kzantow
kzantow approved these changes Nov 29, 2022
View reviewed changes
Copy link
Contributor

@kzantow kzantow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@github-actions
Copy link

Benchmark Test Results

Benchmark results from the latest changes vs base branch 
name                                                       old time/op    new time/op    delta
ImagePackageCatalogers/alpmdb-cataloger-2                    14.4ms ± 3%    12.9ms ±26%     ~     (p=0.151 n=5+5)
ImagePackageCatalogers/ruby-gemspec-cataloger-2              1.75ms ±13%    1.27ms ± 0%  -27.06%  (p=0.008 n=5+5)
ImagePackageCatalogers/python-package-cataloger-2            4.11ms ± 1%    3.33ms ± 2%  -18.91%  (p=0.008 n=5+5)
ImagePackageCatalogers/php-composer-installed-cataloger-2    1.35ms ± 0%    1.05ms ± 0%  -22.32%  (p=0.008 n=5+5)
ImagePackageCatalogers/javascript-package-cataloger-2         965µs ± 2%     730µs ± 0%  -24.38%  (p=0.008 n=5+5)
ImagePackageCatalogers/node-binary-cataloger-2               7.80µs ± 2%    6.35µs ± 1%  -18.58%  (p=0.008 n=5+5)
ImagePackageCatalogers/dpkgdb-cataloger-2                    1.12ms ± 1%    0.83ms ± 0%  -25.82%  (p=0.008 n=5+5)
ImagePackageCatalogers/rpm-db-cataloger-2                    1.62ms ± 1%    1.22ms ± 1%  -24.50%  (p=0.008 n=5+5)
ImagePackageCatalogers/java-cataloger-2                      18.0ms ± 2%    14.4ms ± 2%  -19.72%  (p=0.008 n=5+5)
ImagePackageCatalogers/apkdb-cataloger-2                     1.13ms ± 3%    0.85ms ± 0%  -24.92%  (p=0.008 n=5+5)
ImagePackageCatalogers/go-module-binary-cataloger-2          7.83µs ± 3%    6.47µs ± 1%  -17.38%  (p=0.008 n=5+5)
ImagePackageCatalogers/dotnet-deps-cataloger-2               1.75ms ± 1%    1.38ms ± 1%  -21.20%  (p=0.008 n=5+5)
ImagePackageCatalogers/portage-cataloger-2                    916µs ± 1%     683µs ± 1%  -25.43%  (p=0.008 n=5+5)
ImagePackageCatalogers/sbom-cataloger-2                      5.53ms ± 2%    4.27ms ± 0%  -22.92%  (p=0.008 n=5+5)

name                                                       old alloc/op   new alloc/op   delta
ImagePackageCatalogers/alpmdb-cataloger-2                    5.27MB ± 0%    5.27MB ± 0%     ~     (p=0.690 n=5+5)
ImagePackageCatalogers/ruby-gemspec-cataloger-2               205kB ± 0%     205kB ± 0%   +0.28%  (p=0.008 n=5+5)
ImagePackageCatalogers/python-package-cataloger-2             961kB ± 0%     963kB ± 0%   +0.13%  (p=0.008 n=5+5)
ImagePackageCatalogers/php-composer-installed-cataloger-2     217kB ± 0%     218kB ± 0%   +0.21%  (p=0.008 n=5+5)
ImagePackageCatalogers/javascript-package-cataloger-2         159kB ± 0%     159kB ± 0%   +0.19%  (p=0.008 n=5+5)
ImagePackageCatalogers/node-binary-cataloger-2               1.12kB ± 0%    1.12kB ± 0%     ~     (all equal)
ImagePackageCatalogers/dpkgdb-cataloger-2                     199kB ± 0%     200kB ± 0%   +0.30%  (p=0.008 n=5+5)
ImagePackageCatalogers/rpm-db-cataloger-2                     302kB ± 0%     303kB ± 0%   +0.22%  (p=0.008 n=5+5)
ImagePackageCatalogers/java-cataloger-2                      3.49MB ± 0%    3.49MB ± 0%     ~     (p=0.841 n=5+5)
ImagePackageCatalogers/apkdb-cataloger-2                      182kB ± 0%     182kB ± 0%     ~     (p=0.095 n=5+5)
ImagePackageCatalogers/go-module-binary-cataloger-2          1.12kB ± 0%    1.12kB ± 0%     ~     (all equal)
ImagePackageCatalogers/dotnet-deps-cataloger-2                375kB ± 0%     375kB ± 0%     ~     (p=0.841 n=5+5)
ImagePackageCatalogers/portage-cataloger-2                    138kB ± 0%     138kB ± 0%     ~     (p=0.151 n=5+5)
ImagePackageCatalogers/sbom-cataloger-2                       721kB ± 0%     722kB ± 0%   +0.02%  (p=0.008 n=5+5)

name                                                       old allocs/op  new allocs/op  delta
ImagePackageCatalogers/alpmdb-cataloger-2                     85.7k ± 0%     85.7k ± 0%   +0.00%  (p=0.008 n=5+5)
ImagePackageCatalogers/ruby-gemspec-cataloger-2               4.24k ± 0%     4.25k ± 0%   +0.14%  (p=0.008 n=5+5)
ImagePackageCatalogers/python-package-cataloger-2             16.5k ± 0%     16.5k ± 0%     ~     (p=0.317 n=5+5)
ImagePackageCatalogers/php-composer-installed-cataloger-2     5.50k ± 0%     5.50k ± 0%   +0.05%  (p=0.008 n=5+5)
ImagePackageCatalogers/javascript-package-cataloger-2         3.33k ± 0%     3.33k ± 0%   +0.09%  (p=0.008 n=5+5)
ImagePackageCatalogers/node-binary-cataloger-2                 38.0 ± 0%      38.0 ± 0%     ~     (all equal)
ImagePackageCatalogers/dpkgdb-cataloger-2                     4.46k ± 0%     4.47k ± 0%   +0.20%  (p=0.008 n=5+5)
ImagePackageCatalogers/rpm-db-cataloger-2                     8.11k ± 0%     8.12k ± 0%   +0.04%  (p=0.008 n=5+5)
ImagePackageCatalogers/java-cataloger-2                       57.5k ± 0%     57.5k ± 0%     ~     (p=0.310 n=5+5)
ImagePackageCatalogers/apkdb-cataloger-2                      5.22k ± 0%     5.23k ± 0%   +0.06%  (p=0.008 n=5+5)
ImagePackageCatalogers/go-module-binary-cataloger-2            38.0 ± 0%      38.0 ± 0%     ~     (all equal)
ImagePackageCatalogers/dotnet-deps-cataloger-2                7.12k ± 0%     7.12k ± 0%   +0.04%  (p=0.016 n=4+5)
ImagePackageCatalogers/portage-cataloger-2                    3.58k ± 0%     3.58k ± 0%   +0.08%  (p=0.008 n=5+5)
ImagePackageCatalogers/sbom-cataloger-2                       24.4k ± 0%     24.4k ± 0%     ~     (all equal)

@wagoodman wagoodman enabled auto-merge (squash) November 29, 2022 15:49
@wagoodman wagoodman merged commit 7a69e21 into main Nov 29, 2022
@wagoodman wagoodman deleted the golang-panic-recover branch November 29, 2022 15:56
@wagoodman wagoodman added the bug Something isn't working label Nov 29, 2022
This was referenced Nov 30, 2022
Closed
Closed
Closed
Closed
Closed
Closed
Closed
This was referenced Dec 13, 2022
Closed
Closed
Closed
Closed
Closed
Closed
spiffcs added a commit to raboof/syft that referenced this pull request Dec 20, 2022
@spiffcs
Merge branch 'main' into prefer-known-vendor
160c7fe 
* main: (87 commits)
  feat: Add license parsing for java (anchore#1385)
  fix: cyclonedx component type for binaries (anchore#1406)
  fix: openjdk detection pattern (anchore#1415)
  bug: spdx checksum empty array; allow syft to generate SHA1 for spdx-tag-value documents (anchore#1404)
  Add NetBSD support. (anchore#1412)
  feat: add catalog delete (anchore#1377)
  docs: remove file classifier (anchore#1397)
  chore: update latest cyclonedx library (anchore#1390)
  feat: Add Java binary catalogers (anchore#1392)
  chore: Update SPDX license list to 3.19 (anchore#1389)
  fix: add manual vendor/product removal to fix false flags (anchore#1070)
  Update Stereoscope to c5ff155d72f166e2332e160a75c3ff2b8e9c7e2e (anchore#1395)
  chore: fix test busybox image sha (anchore#1393)
  fix: go version not properly identified in binary (anchore#1384)
  Update Stereoscope to 3b80d983223f6e6fc2d33b0ffa003d30268418e9 (anchore#1376)
  fix: Update node binary package name (anchore#1375)
  feat: Generic Binary Cataloger (anchore#1336)
  recover from bad parsing of golang binary (anchore#1371)
  Fix parsing of apk databases with large entries (anchore#1365)
  Update syft bootstrap tools to latest versions. (anchore#1369)
  ...
spiffcs added a commit to cpendery/syft that referenced this pull request Dec 20, 2022
@spiffcs
Merge branch 'main' into feat-mix
5828268 
* main: (189 commits)
  feat: add h1digest when scanning go.mod (anchore#1405)
  feat: Add license parsing for java (anchore#1385)
  fix: cyclonedx component type for binaries (anchore#1406)
  fix: openjdk detection pattern (anchore#1415)
  bug: spdx checksum empty array; allow syft to generate SHA1 for spdx-tag-value documents (anchore#1404)
  Add NetBSD support. (anchore#1412)
  feat: add catalog delete (anchore#1377)
  docs: remove file classifier (anchore#1397)
  chore: update latest cyclonedx library (anchore#1390)
  feat: Add Java binary catalogers (anchore#1392)
  chore: Update SPDX license list to 3.19 (anchore#1389)
  fix: add manual vendor/product removal to fix false flags (anchore#1070)
  Update Stereoscope to c5ff155d72f166e2332e160a75c3ff2b8e9c7e2e (anchore#1395)
  chore: fix test busybox image sha (anchore#1393)
  fix: go version not properly identified in binary (anchore#1384)
  Update Stereoscope to 3b80d983223f6e6fc2d33b0ffa003d30268418e9 (anchore#1376)
  fix: Update node binary package name (anchore#1375)
  feat: Generic Binary Cataloger (anchore#1336)
  recover from bad parsing of golang binary (anchore#1371)
  Fix parsing of apk databases with large entries (anchore#1365)
  ...
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
@wagoodman
recover from bad parsing of golang binary (anchore#1371)
d9db8dd 
Signed-off-by: Alex Goodman <[email protected]>

Signed-off-by: Alex Goodman <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kzantow kzantow kzantow approved these changes

Assignees

@wagoodman wagoodman

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@wagoodman @kzantow