Merge pull request #48 from owasp-dep-scan/feature/sbom

sbom + android support

.github/workflows/linux.yml

@@ -7,6 +7,10 @@ on:
 jobs:
   Blint-GNU-Build:
     runs-on: ubuntu-20.04
+    permissions:
+      contents: write
+      packages: write
+      id-token: write
     steps:
     - uses: actions/checkout@v4
       with:

.github/workflows/publish.yml

@@ -4,6 +4,8 @@ on:
   push:
     branches:
       - main
+      - feature/*
+      - release/*
     tags:
       - 'v*'
   workflow_dispatch:
@@ -14,6 +16,10 @@ env:
 jobs:
   docker:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
+      id-token: write
     steps:
       - uses: actions/checkout@v4
 
@@ -40,35 +46,37 @@ jobs:
         uses: docker/build-push-action@v5
         with:
           context: .
-          platforms: linux/amd64
+          platforms: linux/amd64,linux/arm64
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha,scope=blint
           cache-to: type=gha,mode=max,scope=blint
-          provenance: true
-          sbom: true
 
   pypi:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
+      id-token: write
     steps:
       - uses: actions/checkout@v4
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.12'
+          python-version: '3.11'
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
           pip install poetry
-          
+
       - name: Verify Project TOML Version
         id: prep
         if: startsWith(github.ref, 'refs/tags/')
         run: |
           poetry install --no-cache --without dev
           echo "version=$(poetry version -s)" >> $GITHUB_OUTPUT
-      
+
       - name: Release PyPI
         if: steps.prep.outcome == 'success'
         run: |
@@ -77,14 +85,14 @@ jobs:
         env:
           PYPI_USERNAME: ${{ secrets.PYPI_USERNAME }}
           PYPI_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
-    
+
   # release:
     # runs-on: ubuntu-latest
     # steps:
       # - uses: actions/checkout@v3
       # - name: Create Release
         # id: create_release
-        # if: startsWith(github.ref, 'refs/tags/')        
+        # if: startsWith(github.ref, 'refs/tags/')
         # uses: actions/create-release@v1
         # env:
           # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/win.yml

@@ -7,13 +7,17 @@ on:
 jobs:
   Blint-Build:
     runs-on: windows-latest
+    permissions:
+      contents: write
+      packages: write
+      id-token: write
     steps:
     - uses: actions/checkout@v4
       with:
         path: blint
     - uses: actions/setup-python@v5
       with:
-        python-version: '3.12'
+        python-version: '3.11'
     - name: Install poetry
       id: poetry
       run: |

Dockerfile

@@ -2,52 +2,44 @@ FROM almalinux:9.3-minimal
 
 LABEL maintainer="appthreat" \
       org.opencontainers.image.authors="Team AppThreat <[email protected]>" \
-      org.opencontainers.image.source="https://github.com/OWASP-dep-scan/blint" \
-      org.opencontainers.image.url="https://github.com/OWASP-dep-scan/blint" \
-      org.opencontainers.image.version="2.0.0" \
+      org.opencontainers.image.source="https://github.com/owasp-dep-scan/blint" \
+      org.opencontainers.image.url="https://github.com/owasp-dep-scan/blint" \
+      org.opencontainers.image.version="2.0.x" \
       org.opencontainers.image.vendor="AppThreat" \
       org.opencontainers.image.licenses="Apache-2.0" \
       org.opencontainers.image.title="blint" \
-      org.opencontainers.image.description="BLint is a Binary Linter to check the security properties, and capabilities in your executables. It is powered by lief." \
-      org.opencontainers.docker.cmd="docker run --rm -it -v /tmp:/tmp -v $(pwd):/app:rw -w /app -t ghcr.io/OWASP-dep-scan/blint"
+      org.opencontainers.image.description="BLint is a Binary Linter and SBOM generator." \
+      org.opencontainers.docker.cmd="docker run --rm -it -v /tmp:/tmp -v $(pwd):/app:rw -w /app -t ghcr.io/owasp-dep-scan/blint"
 
-ARG TARGETPLATFORM
-ARG JAVA_VERSION=22.3.r19-grl
-ARG SBT_VERSION=1.9.0
-ARG MAVEN_VERSION=3.9.2
-ARG GRADLE_VERSION=8.1.1
-ARG ARCH_NAME=x86_64
-
-ENV GOPATH=/opt/app-root/go \
-    GO_VERSION=1.20.4 \
-    JAVA_VERSION=$JAVA_VERSION \
-    SBT_VERSION=$SBT_VERSION \
-    MAVEN_VERSION=$MAVEN_VERSION \
-    GRADLE_VERSION=$GRADLE_VERSION \
-    GRADLE_OPTS="-Dorg.gradle.daemon=false" \
-    JAVA_HOME="/opt/java/${JAVA_VERSION}" \
-    MAVEN_HOME="/opt/maven/${MAVEN_VERSION}" \
-    GRADLE_HOME="/opt/gradle/${GRADLE_VERSION}" \
-    SBT_HOME="/opt/sbt/${SBT_VERSION}" \
-    COMPOSER_ALLOW_SUPERUSER=1 \
+ENV COMPOSER_ALLOW_SUPERUSER=1 \
+    ANDROID_HOME=/opt/android-sdk-linux \
     PYTHONUNBUFFERED=1 \
     PYTHONIOENCODING="utf-8"
-ENV PATH=${PATH}:${JAVA_HOME}/bin:${MAVEN_HOME}/bin:${GRADLE_HOME}/bin:${SBT_HOME}/bin:${GOPATH}/bin:/usr/local/go/bin:/usr/local/bin/:/root/.local/bin:
-
-COPY . /opt/blint
+ENV PATH=${PATH}:/usr/local/bin/:/root/.local/bin:${ANDROID_HOME}/cmdline-tools/latest/bin:${ANDROID_HOME}/tools:${ANDROID_HOME}/tools/bin:${ANDROID_HOME}/platform-tools:
 
-RUN microdnf install -y python3.11 python3.11-devel python3.11-pip \
+RUN microdnf install -y python3.11 python3.11-devel python3.11-pip java-21-openjdk-headless make gcc \
+        which tar gzip zip unzip sudo ncurses \
     && alternatives --install /usr/bin/python3 python /usr/bin/python3.11 1 \
     && python3 --version \
     && python3 -m pip install --upgrade pip \
     && python3 -m pip install setuptools --upgrade \
-    && python3 -m pip install poetry
-
+    && python3 -m pip install poetry \
+    && microdnf install -y epel-release \
+    && mkdir -p ${ANDROID_HOME}/cmdline-tools \
+    && curl -L https://dl.google.com/android/repository/commandlinetools-linux-11076708_latest.zip -o ${ANDROID_HOME}/cmdline-tools/android_tools.zip \
+    && unzip ${ANDROID_HOME}/cmdline-tools/android_tools.zip -d ${ANDROID_HOME}/cmdline-tools/ \
+    && rm ${ANDROID_HOME}/cmdline-tools/android_tools.zip \
+    && mv ${ANDROID_HOME}/cmdline-tools/cmdline-tools ${ANDROID_HOME}/cmdline-tools/latest \
+    && yes | /opt/android-sdk-linux/cmdline-tools/latest/bin/sdkmanager --licenses --sdk_root=/opt/android-sdk-linux \
+    && /opt/android-sdk-linux/cmdline-tools/latest/bin/sdkmanager 'platform-tools' --sdk_root=/opt/android-sdk-linux \
+    && /opt/android-sdk-linux/cmdline-tools/latest/bin/sdkmanager 'platforms;android-34' --sdk_root=/opt/android-sdk-linux \
+    && /opt/android-sdk-linux/cmdline-tools/latest/bin/sdkmanager 'build-tools;34.0.0' --sdk_root=/opt/android-sdk-linux
+COPY . /opt/blint
 RUN cd /opt/blint \
     && poetry config virtualenvs.create false \
     && poetry install --no-cache --without dev \
     && chmod a-w -R /opt \
+    && microdnf remove make gcc -y \
     && microdnf clean all
 
-
 ENTRYPOINT [ "blint" ]

README.md

@@ -2,12 +2,13 @@
 
 ![blint logo](blint.png)
 
-BLint is a Binary Linter to check the security properties, and capabilities in your executables. It is powered by [lief](https://github.com/lief-project/LIEF)
+BLint is a Binary Linter to check the security properties, and capabilities in your executables. It is powered by [lief](https://github.com/lief-project/LIEF). Since version 2, blint can also generate Software Bill-of-Materials (SBOM) for supported binaries.
 
 [![BLint Demo](https://asciinema.org/a/438138.png)](https://asciinema.org/a/438138)
 
 Supported binary formats:
 
+- Android (apk, aab)
 - ELF (GNU, musl)
 - PE (exe, dll)
 - Mach-O (x64, arm64)
@@ -33,7 +34,7 @@ NOTE: The presence of capabilities doesn't imply that the operations are always
 - Install python 3.10, 3.11, or 3.12
 
 ```bash
-pip3 install blint
+pip install blint
 ```
 
 ### Single binary releases
@@ -42,21 +43,42 @@ You can download single binary builds from the [blint-bin releases](https://gith
 
 ## Usage
 
-```bash
-usage: blint [-h] [-i SRC_DIR_IMAGE] [-o REPORTS_DIR] [--no-error] [--no-banner] [--no-reviews]
+```shell
+usage: blint [-h] [-i SRC_DIR_IMAGE [SRC_DIR_IMAGE ...]] [-o REPORTS_DIR] [--no-error] [--no-banner]
+             [--no-reviews] [--suggest-fuzzable]
+             {sbom} ...
 
-Linting tool for binary files powered by lief.
+Binary linter and SBOM generator.
 
-optional arguments:
+options:
   -h, --help            show this help message and exit
   -i SRC_DIR_IMAGE [SRC_DIR_IMAGE ...], --src SRC_DIR_IMAGE [SRC_DIR_IMAGE ...]
                         Source directories, container images or binary files. Defaults to current directory.
   -o REPORTS_DIR, --reports REPORTS_DIR
-                        Reports directory
-  --no-error            Continue on error to prevent build from breaking
-  --no-banner           Do not display banner
-  --no-reviews          Do not perform method reviews
-  --suggest-fuzzable    Suggest functions and symbols for fuzzing based on a dictionary
+                        Reports directory. Defaults to reports.
+  --no-error            Continue on error to prevent build from breaking.
+  --no-banner           Do not display banner.
+  --no-reviews          Do not perform method reviews.
+  --suggest-fuzzable    Suggest functions and symbols for fuzzing based on a dictionary.
+
+sub-commands:
+  Additional sub-commands
+
+  {sbom}
+    sbom                Command to generate SBOM for supported binaries.
+```
+
+### SBOM sub-command
+
+```shell
+usage: blint sbom [-h] [-i SRC_DIR_IMAGE [SRC_DIR_IMAGE ...]] [--output-file SBOM_OUTPUT]
+
+options:
+  -h, --help            show this help message and exit
+  -i SRC_DIR_IMAGE [SRC_DIR_IMAGE ...], --src SRC_DIR_IMAGE [SRC_DIR_IMAGE ...]
+                        Source directories, container images or binary files. Defaults to current directory.
+  --output-file SBOM_OUTPUT
+                        SBOM output file. Defaults to bom.json in current directory.
 ```
 
 To test any binary including default commands
@@ -77,6 +99,16 @@ Pass `--suggest-fuzzable` to get suggestions for fuzzing. A dictionary containin
 blint -i ~/ngrok -o /tmp/blint --suggest-fuzzable
 ```
 
+To generate SBOM in [CycloneDX format](https://cyclonedx.org/) for supported binaries, use the sbom sub-command.
+
+```shell
+blint sbom -i /path/to/apk -o bom.json
+```
+
+```shell
+blint sbom -i /directory/with/apk/aab -o bom.json
+```
+
 PowerShell example
 
 ![PowerShell](./docs/blint-powershell.jpg)
@@ -91,6 +123,8 @@ Blint produces the following json artifacts in the reports directory:
 - reviews.json - Contains information from the capability reviews. Useful for further analysis
 - fuzzables.json - Contains a suggested list of methods for fuzzing
 
+sbom command generates CycloneDX json.
+
 ## References
 
 - [lief examples](https://github.com/lief-project/LIEF/tree/master/examples/python)