Using whitelist fails when buildroot contains virtual packages #5

jkeller-astro opened this issue Feb 9, 2023 · 1 comment
Labels: bug (Something isn't working)

jkeller-astro commented Feb 9, 2023

I tried using the package exclude function in vigiles but get the following error:

Traceback (most recent call last):
  File "/home/jkeller/platform/vigiles-buildroot/scripts/vigiles-buildroot.py", line 197, in <module>
    __main__()
  File "/home/jkeller/platform/vigiles-buildroot/scripts/vigiles-buildroot.py", line 191, in __main__
    write_manifest(vgls)
  File "/home/jkeller/platform/vigiles-buildroot/scripts/manifest.py", line 120, in write_manifest
    amend_manifest(vgls, final)
  File "/home/jkeller/platform/vigiles-buildroot/scripts/amendments.py", line 178, in amend_manifest
    _filter_excluded_packages(manifest['packages'], excld_pkgs)
  File "/home/jkeller/platform/vigiles-buildroot/scripts/amendments.py", line 112, in _filter_excluded_packages
    pkg_matches = list(set([
  File "/home/jkeller/platform/vigiles-buildroot/scripts/amendments.py", line 115, in <listcomp>
    if v['name'] in excld_pkgs
KeyError: 'name'

When inspecting the manifest generated by the tool, it looks like there is at least one member that doesn't have the 'name' key. For me, the udev virtual package doesn't have a name key, tripping up amendments.py.

While the patch below keeps things moving, I couldn't find out why udev doesn't have a 'name' key.

I can repro this bug using pc_x86_64_efi_defconfig from buildroot 2022.05 and a package exclude file containing just zlib.

diff --git a/scripts/amendments.py b/scripts/amendments.py
index e6fb561..9a6b29d 100644
--- a/scripts/amendments.py
+++ b/scripts/amendments.py
@@ -111,7 +111,7 @@ def _filter_excluded_packages(vgls_pkgs, excld_pkgs):
     pkg_matches = list(set([
         k
         for k, v in vgls_pkgs.items()
-        if v['name'] in excld_pkgs
+        if 'name' in v and v['name'] in excld_pkgs
     ]))
 
     info("Vigiles: Excluding Packages: %s" % sorted(pkg_matches))
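Review bot: the guard `if 'name' in v and v['name'] in excld_pkgs` turns the KeyError into a silent skip, so a manifest entry without a `'name'` key (the udev virtual package in this report) can never be matched by the exclude list, and the user gets no indication that their exclusion did not apply; consider using `v.get('name')` with a fallback to the dict key `k` that the comprehension already iterates, and logging the entries that lack `'name'` next to the existing `info("Vigiles: Excluding Packages: ...")` line so the gap is visible in the output.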
@iancampbell (Contributor) commented:

Thanks for reporting this. Our team was able to reproduce this issue based on the information that you provided.

We are now working on a fix to improve the handling of virtual packages as our main interest is in capturing the provider of the virtual package (which should also be in the SBOM already), as the provider is the package that would be subject to vulnerabilities in this case. In its default configuration udev is provided by either eudev or systemd.
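As an added example (not code from vigiles-buildroot), the following reproduces the failing comprehension from the traceback against a constructed manifest that contains a virtual package with no 'name' key, beside a defensive filter that matches on name or manifest key and reports the unnamed entries instead of crashing or silently skipping them. The manifest layout, the 'provider' key and the version strings are assumptions.

```python
import logging

log = logging.getLogger("vigiles-example")

# Constructed manifest in the shape the traceback implies: a dict keyed by
# package id whose values normally carry a 'name'.  The 'udev' entry
# deliberately lacks 'name', as in the report.  'provider' is an assumed key
# modelling the maintainer's point that the provider (eudev or systemd) is the
# component actually exposed to vulnerabilities.
MANIFEST = {
    "zlib": {"name": "zlib", "version": "1.2.12"},
    "busybox": {"name": "busybox", "version": "1.35.0"},
    "udev": {"version": "virtual", "provider": "eudev"},
    "eudev": {"name": "eudev", "version": "3.2.10"},
}


def original_filter(vgls_pkgs, excld_pkgs):
    """Mirrors the comprehension in the traceback: raises KeyError on udev."""
    return sorted({k for k, v in vgls_pkgs.items() if v["name"] in excld_pkgs})


def filter_excluded_packages(vgls_pkgs, excld_pkgs):
    """Return (matches, unnamed): keys to exclude, and keys of entries that
    had no 'name' so the caller can see the exclusion was applied by key."""
    excld = set(excld_pkgs)
    matches, unnamed = set(), []
    for key, entry in vgls_pkgs.items():
        name = entry.get("name")
        if name is None:
            unnamed.append(key)
            log.warning("package %r has no 'name' key; matching on key", key)
        if name in excld or key in excld:
            matches.add(key)
    return sorted(matches), sorted(unnamed)


def virtual_providers(vgls_pkgs):
    """Map each entry lacking 'name' to its assumed 'provider' so the SBOM
    consumer can check the real package rather than the virtual one."""
    return {k: v.get("provider") for k, v in vgls_pkgs.items() if "name" not in v}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(filter_excluded_packages(MANIFEST, ["zlib"]))
    print(virtual_providers(MANIFEST))
```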
