kernel scan and inclusion

[deitch]

What would you like to be added:

If I scan an image/directory/etc. with a kernel in it, capture kernel information

Why is this needed:

If my software includes a kernel, then that kernel is part of the software I am shipping

Additional context:

To be fair, I am not completely sure how a kernel's info should be scanned, or where it should be included in an SBoM. Those, however, are implementation considerations. From the perspective of answering the question, "Is this a valid and reasonably complete SBoM?", then the answer definitely is no, if it does not include the kernel and other dependencies.

To replicate this, I did something straightforward:

1. Downloaded the Ubuntu 5.15 kernel deb from here
2. Unpacked the .deb file, untarred the data.tar.zst to get the kernel file vmlinuz-5.15.0-051500-generic
3. Created a directory for it /tmp/kernel/ and put the kernel file in there
4. Scanned: syft packages dir:/tmp/kernel/

The result, of course, is:

$ syft packages dir:/tmp/kernel
 ✔ Indexed /tmp/kernel
 ✔ Cataloged packages      [0 packages]

No packages discovered

[spiffcs]

This feature just landed in the cataloger package: https://github.com/anchore/syft/tree/main/syft/pkg/cataloger/binary

Right now we use glob matching to find specific files that we want to do extra analysis against to generate some package struct.

What we want to avoid is scanning every file when generating the SBOM. Is there a good heuristic we could use to identify the kernel files for given distros to make the SBOM more complete?

I did the above steps you mentioned and found a couple lines from strings on the binary that would help us categorize the kernel:

strings boot/vmlinuz-5.15.0-051500-generic | grep 5.15        
5.15.0-051500-generic (kernel@sita) #202110312130 SMP Sun Oct 31 21:33:20 UTC 2021
5.15.0-0H
5.15.0-051500-generic (kernel@sita) (gcc (Ubuntu 11.2.0-7ubuntu2) 11.2.0, GNU ld (GNU Binutils for Ubuntu) 2.37) #202110312130 SMP Sun Oct 31 21:33:20 UTC 2021

[deitch]

In theory, the kernel could be any file at all, as it is called by the boot loader. Practically, it mostly is called kernel or kernel-*, vmlinux or vmlinux-*, vmlinuz or vmlinuz-* (for compressed), maybe a few others. They also normally (but not always) are in /boot/. I don't think filename and/or directory is quite enough, but maybe a start?

Additionally, is there a way to configure or flag a run, "include the following files"? At the least, that can give people who know, "my kernels are here" or "my kernels follow this naming pattern" to ensure that they get scanned.

An alternative might be to use what file uses, i.e. magic numbers and such.

I don't know if a native implementation in go, but I imagine there is one. If not, could be interesting to add. I would do it if I had free time.

This feature just landed in the cataloger package: https://github.com/anchore/syft/tree/main/syft/pkg/cataloger/binary
Right now we use glob matching to find specific files that we want to do extra analysis against to generate some package struct.

Is there a way I can use it?

[deitch]

I actually opened this, forgot about it, and then asked in Slack 🤦‍♂️

Where does this stand now, and how do I use it?

I did the above steps you mentioned and found a couple lines from strings on the binary that would help us categorize the kernel:
Practically, it mostly is called kernel or kernel-, vmlinux or vmlinux-, vmlinuz or vmlinuz-*
An alternative might be to use what file uses, i.e. magic numbers and such

I would go down that path. See binary, check filename and file magic numbers.

Here is from a kernel I just checked:

$ file kernel
kernel: Linux kernel x86 boot executable bzImage, version 5.10.121-linuxkit (root@buildkitsandbox) #1 SMP Fri Dec 2 10:35:42 UTC 2022, RO-rootFS, swap_dev 0xA, Normal VGA

[deitch]

If you want a hand with this one, tell me.

[kzantow]

This hasn't bubbled up as a priority for the team yet, so if you feel like contributing, that would be great! I can point you in the right direction if you feel like working on this, just ping me on Slack.

[deitch]

If you have those 2 golang ones in hand, sure, I am happy to attack this. It is pretty easy.

[wagoodman]

closing this as completed by #1694