Detect embedded deps.json in .NET binaries#4375
Conversation
Signed-off-by: Rez Moss <hi@rezmoss.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
wagoodman
left a comment
There was a problem hiding this comment.
This is a great start, but there is more to do. The approach is a good PoC, but I think we should be subsetting what we are searching within the binary for a more fool-proof search (for instance, what if there is a dep.json-like content in other bundled files?).
I'm going to push up adjustments here to this branch in a little bit -- I'll shout out on the progress in a bit.
syft/pkg/cataloger/dotnet/test-fixtures/embedded-deps/dotnet-single-file-embed-deps-json.exe
Outdated
Show resolved
Hide resolved
syft/pkg/cataloger/dotnet/pe.go
Outdated
| }, nil | ||
| } | ||
|
|
||
| func extractEmbeddedDepsJSONFromBytes(data []byte) string { |
There was a problem hiding this comment.
This is a good start, however, we might want to find the bundle header/manifest to search for where in the binary the deps.json offset is. I need to do a little more research on the details here.
There was a problem hiding this comment.
found some info https://github.com/0xced/SingleFileAppDependencyContext and https://github.com/dotnet/runtime/blob/main/src/installer/managed/Microsoft.NET.HostModel/Bundle/Manifest.cs and https://github.com/dotnet/designs/blob/main/accepted/2020/single-file/bundler.md
maybe i can work on that tmr using the same approach
There was a problem hiding this comment.
really nice find on the 0xced material!
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
wagoodman
left a comment
There was a problem hiding this comment.
OK, I've added some code to handle parsing bundles explicitly in order to get the deps.json from an embedded binary. This is more work than the initial approach, but I think it's worth it. The first implementation searched the whole PE binary for a 'runtimeTarget' string, however, that is not guaranteed to be uniquely in the deps.json section of the binary and we have to search potentially a large portion of the binary in order to find it.
This takes a different approach: first search for a known bundle signature within the standard sections in the PE binary, then use the offset in that location to jump to the bundled files. This will search a much smaller area of the binary and side steps the guaranteed uniqueness issue described above.
* main: (76 commits) feat: snap can be queried by revision and ```track/risk/branch``` (#4439) fix: 4423 dotnet-deps cataloger skips project type by def signpost to docs site (#4483) chore(deps): bump github/codeql-action from 4.31.8 to 4.31.9 (#4481) chore(deps): bump github.com/goccy/go-yaml from 1.19.0 to 1.19.1 (#4482) Detect embedded deps.json in .NET binaries (#4375) chore(deps): bump actions/cache from 5.0.0 to 5.0.1 (#4476) chore(deps): bump actions/cache in /.github/actions/bootstrap (#4477) chore(deps): update tools to latest versions (#4473) unapply base path for resolver inbound requests (#4478) fix: golang PURL should include full module (#4395) fix:best effort to get the os info of an ELF binary (#4438) Improve PR template (#4472) feat: add support for Gemfile.next.lock (#4457) chore:cancel in-progress workflows for new commits on same PR (#4465) chore(deps): update tools to latest versions (#4466) chore(deps): bump github/codeql-action from 4.31.7 to 4.31.8 (#4468) chore(deps): bump actions/cache from 4.3.0 to 5.0.0 (#4469) chore(deps): bump github.com/anchore/stereoscope from 0.1.14 to 0.1.16 (#4470) chore(deps): bump actions/cache in /.github/actions/bootstrap (#4471) ... Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Description
detect embedded deps.json metadata in single-file .NET exec
Type of change
Checklist: