owasp-dep-scan · prabhu · Mar 1, 2024 · Feb 27, 2024 · Feb 27, 2024 · Feb 27, 2024
diff --git a/.github/workflows/bintests.yml b/.github/workflows/bintests.yml
@@ -0,0 +1,38 @@
+name: binary tests
+
+on:
+  pull_request:
+  workflow_dispatch:
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: false
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ['3.10', '3.11', '3.12']
+      fail-fast: false
+    steps:
+    - uses: actions/checkout@v4
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: ${{ matrix.python-version }}
+    - name: Display Python version
+      run: python -c "import sys; print(sys.version)"
+    - name: Install poetry
+      run: |
+        python3 -m pip install poetry
+        poetry install
+    - name: Test binaries
+      run: |
+        mkdir -p bintests
+        cd bintests
+        wget -q https://github.com/owasp-dep-scan/dosai/releases/download/v0.1.1/Dosai.exe
+        wget -q https://github.com/owasp-dep-scan/dosai/releases/download/v0.1.1/Dosai
+        wget -q https://github.com/owasp-dep-scan/dosai/releases/download/v0.1.1/Dosai-osx-arm64
+        cd ..
+        poetry run blint sbom -i bintests -o reports/bom.json --deep
+      env:
+        SCAN_DEBUG_MODE: "debug"
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM almalinux:9.3-minimal
+FROM ghcr.io/appthreat/base-lang:main
 
 LABEL maintainer="appthreat" \
       org.opencontainers.image.authors="Team AppThreat <[email protected]>" \
@@ -11,14 +11,12 @@ LABEL maintainer="appthreat" \
       org.opencontainers.image.description="BLint is a Binary Linter and SBOM generator." \
       org.opencontainers.docker.cmd="docker run --rm -it -v /tmp:/tmp -v $(pwd):/app:rw -w /app -t ghcr.io/owasp-dep-scan/blint"
 
-ENV COMPOSER_ALLOW_SUPERUSER=1 \
-    ANDROID_HOME=/opt/android-sdk-linux \
+ENV ANDROID_HOME=/opt/android-sdk-linux \
     PYTHONUNBUFFERED=1 \
     PYTHONIOENCODING="utf-8"
 ENV PATH=${PATH}:/usr/local/bin/:/root/.local/bin:${ANDROID_HOME}/cmdline-tools/latest/bin:${ANDROID_HOME}/tools:${ANDROID_HOME}/tools/bin:${ANDROID_HOME}/platform-tools:
 
-RUN microdnf install -y python3.11 python3.11-devel python3.11-pip java-21-openjdk-headless make gcc \
-        which tar gzip zip unzip sudo ncurses \
+RUN microdnf install -y make gcc ncurses \
     && alternatives --install /usr/bin/python3 python /usr/bin/python3.11 1 \
     && python3 --version \
     && python3 -m pip install --upgrade pip \

diff --git a/README.md b/README.md
@@ -141,3 +141,9 @@ sbom command generates CycloneDX json.
 ## Discord support
 
 The developers could be reached via the [discord](https://discord.gg/DCNxzaeUpd) channel.
+
+## Sponsorship wishlist
+
+If you love blint, you should consider [donating](https://owasp.org/donate?reponame=www-project-dep-scan&title=OWASP+dep-scan) to our project. In addition, consider donating to the below projects which make blint possible.
+
+- [LIEF](https://github.com/sponsors/lief-project/)
diff --git a/blint/analysis.py b/blint/analysis.py
@@ -15,13 +15,13 @@
 from rich.terminal_theme import MONOKAI
 
 from blint.binary import parse
-from blint.logger import LOG, console
-from blint.utils import (create_findings_table, is_fuzzable_name, print_findings_table, )
 from blint.checks import (check_nx, check_pie,  # noqa, pylint: disable=unused-import
                           check_relro, check_canary, check_rpath,
                           check_virtual_size, check_authenticode,
                           check_dll_characteristics, check_codesign,
                           check_trust_info)
+from blint.logger import LOG, console
+from blint.utils import (create_findings_table, is_fuzzable_name, print_findings_table)
 
 try:
     import importlib.resources  # pylint: disable=ungrouped-imports
@@ -299,6 +299,13 @@ def print_reviews_table(reviews, files):
     console.print(table)
 
 
+def json_serializer(obj):
+    if isinstance(obj, bytes):
+        return obj.decode('utf-8')
+
+    return obj
+
+
 def report(src_dir, reports_dir, findings, reviews, files, fuzzables):
     """Generates a report based on the analysis results.
 
@@ -322,20 +329,20 @@ def report(src_dir, reports_dir, findings, reviews, files, fuzzables):
         LOG.info(f"Findings written to {findings_file}")
         with open(findings_file, mode="w", encoding="utf-8") as ffp:
             json.dump(
-                {**common_metadata, "findings": findings}, ffp, indent=True
+                {**common_metadata, "findings": findings}, ffp, default=json_serializer
             )
     if reviews:
         print_reviews_table(reviews, files)
         reviews_file = Path(reports_dir) / "reviews.json"
         LOG.info(f"Review written to {reviews_file}")
         with open(reviews_file, mode="w", encoding="utf-8") as rfp:
-            json.dump({**common_metadata, "reviews": reviews}, rfp, indent=True)
+            json.dump({**common_metadata, "reviews": reviews}, rfp, default=json_serializer)
     if fuzzables:
         fuzzables_file = Path(reports_dir) / "fuzzables.json"
         LOG.info(f"Fuzzables data written to {fuzzables_file}")
         with open(fuzzables_file, mode="w", encoding="utf-8") as rfp:
             json.dump(
-                {**common_metadata, "fuzzables": fuzzables}, rfp, indent=True
+                {**common_metadata, "fuzzables": fuzzables}, rfp, default=json_serializer
             )
     else:
         LOG.debug("No suggestion available for fuzzing")
@@ -351,6 +358,7 @@ def report(src_dir, reports_dir, findings, reviews, files, fuzzables):
 
 class AnalysisRunner:
     """Class to analyze binaries."""
+
     def __init__(self):
         self.findings = []
         self.reviews = []
@@ -405,7 +413,7 @@ def _process_files(self, f, reports_dir, no_reviews, suggest_fuzzables):
                                              f"-metadata.json")
         LOG.debug(f"Metadata written to {metadata_file}")
         with open(metadata_file, mode="w", encoding="utf-8") as ffp:
-            json.dump(metadata, ffp, indent=True)
+            json.dump(metadata, ffp, default=json_serializer)
         self.progress.update(
             self.task,
             description=f"Checking [bold]{f}[/bold] against rules")

diff --git a/blint/binary.py b/blint/binary.py
@@ -1,5 +1,7 @@
 # pylint: disable=too-many-lines,consider-using-f-string
+import codecs
 import contextlib
+import json
 import sys
 
 import lief
@@ -216,6 +218,15 @@ def parse_strings(parsed_obj):
 
 
 def ignorable_symbol(symbol_name: str | None) -> bool:
+    """
+    Determines if a symbol is ignorable.
+
+    Args:
+        symbol_name (str): The name of the symbol to check.
+
+    Returns:
+        bool: True if the symbol is ignorable, False otherwise.
+    """
     if not symbol_name:
         return True
     for pref in ("$f64.", "__"):
@@ -380,6 +391,13 @@ def process_pe_resources(parsed_obj):
     if not rm or isinstance(rm, lief.lief_errors):
         return {}
     resources = {}
+    version_metadata = {}
+    version_info: lief.PE.ResourceVersion = rm.version if rm.has_version else None
+    if version_info and version_info.has_string_file_info:
+        string_file_info: lief.PE.ResourceStringFileInfo = version_info.string_file_info
+        for lc_item in string_file_info.langcode_items:
+            if lc_item.items:
+                version_metadata.update(lc_item.items)
     try:
         resources = {
             "has_accelerator": rm.has_accelerator,
@@ -393,6 +411,8 @@ def process_pe_resources(parsed_obj):
             "version_info": str(rm.version) if rm.has_version else None,
             "html": rm.html if rm.has_html else None,
         }
+        if version_metadata:
+            resources["version_metadata"] = version_metadata
     except (AttributeError, UnicodeError):
         return resources
     return resources
@@ -737,9 +757,8 @@ def add_elf_metadata(exe_file, metadata, parsed_obj):
     if exe_type:
         metadata["exe_type"] = exe_type
     metadata["functions"] = parse_functions(parsed_obj.functions)
-
     metadata["ctor_functions"] = parse_functions(parsed_obj.ctor_functions)
-
+    metadata["dotnet_dependencies"] = parse_overlay(parsed_obj)
     return metadata
 
 
@@ -875,7 +894,40 @@ def determine_elf_flags(header):
     return eflags_str
 
 
-def add_pe_metadata(exe_file, metadata, parsed_obj):
+def parse_overlay(parsed_obj: lief.Binary) -> dict[str, dict]:
+    """
+    Parse the overlay section to extract dotnet dependencies
+    Args:
+        parsed_obj (lief.Binary): The parsed object representing the PE binary.
+
+    Returns:
+        dict: Dict representing the deps.json if available.
+    """
+    deps = {}
+    if hasattr(parsed_obj, "overlay"):
+        overlay = parsed_obj.overlay
+        overlay_str = (
+            codecs.decode(overlay.tobytes(), encoding="utf-8", errors="backslashreplace")
+            .replace("\0", "")
+            .replace("\r\n", "")
+            .replace("\n", "")
+            .replace("  ", "")
+        )
+        if overlay_str.find('{"runtimeTarget') > -1:
+            start_index = overlay_str.find('{"runtimeTarget')
+            end_index = overlay_str.rfind("}}}")
+            if end_index > -1:
+                overlay_str = overlay_str[start_index: end_index + 3]
+                try:
+                    # deps should have runtimeTarget, compilationOptions, targets, and libraries
+                    # Use libraries to construct BOM components and targets for the dependency tree
+                    deps = json.loads(overlay_str)
+                except json.JSONDecodeError:
+                    pass
+    return deps
+
+
+def add_pe_metadata(exe_file: str, metadata: dict, parsed_obj: lief.PE.Binary):
     """Adds PE metadata to the given metadata dictionary.
 
     Args:
@@ -911,10 +963,21 @@ def add_pe_metadata(exe_file, metadata, parsed_obj):
             metadata["imports"],
             metadata["dynamic_entries"],
         ) = parse_pe_imports(parsed_obj.imports)
+        # Attempt to detect if this PE is a driver
+        if metadata["dynamic_entries"]:
+            for e in metadata["dynamic_entries"]:
+                if e["name"] == "ntoskrnl.exe":
+                    metadata["is_driver"] = True
+                    break
         metadata["exports"] = parse_pe_exports(parsed_obj.get_export())
         metadata["functions"] = parse_functions(parsed_obj.functions)
         metadata["ctor_functions"] = parse_functions(parsed_obj.ctor_functions)
         metadata["exception_functions"] = parse_functions(parsed_obj.exception_functions)
+        # Detect if this PE might be dotnet
+        for i, dd in enumerate(parsed_obj.data_directories):
+            if i == 14 and dd.type.value == lief.PE.DataDirectory.TYPES.CLR_RUNTIME_HEADER.value:
+                metadata["is_dotnet"] = True
+        metadata["dotnet_dependencies"] = parse_overlay(parsed_obj)
         tls = parsed_obj.tls
         if tls and tls.sizeof_zero_fill:
             metadata["tls_address_index"] = tls.addressof_index
@@ -997,6 +1060,9 @@ def add_pe_optional_headers(metadata, optional_header):
                 for chara in optional_header.dll_characteristics_lists
             ]
         )
+        # Detect if this binary is a driver
+        if "WDM_DRIVER" in metadata["dll_characteristics"]:
+            metadata["is_driver"] = True
         metadata["subsystem"] = str(optional_header.subsystem).rsplit(".", maxsplit=1)[-1]
         metadata["is_gui"] = metadata["subsystem"] == "WINDOWS_GUI"
         metadata["exe_type"] = "PE32" if optional_header.magic == lief.PE.PE_TYPE.PE32 else "PE64"

diff --git a/blint/cli.py b/blint/cli.py
@@ -119,10 +119,12 @@ def parse_input(src):
     Returns:
         list: A list containing the parsed path.
     """
-    path = src[0]
-    result = path.split("\n")
-    result.pop()
-    return result
+    if isinstance(src, list):
+        path = src[0]
+        result = path.split("\n")
+        result = [res for res in result if os.path.exists(res)]
+        return result
+    return [src]
 
 
 def handle_args():
@@ -165,10 +167,13 @@ def main():
             sbom_output = args.sbom_output
         else:
             sbom_output = os.path.join(os.getcwd(), "bom.json")
+        sbom_output_dir = os.path.dirname(sbom_output)
+        if sbom_output_dir and not os.path.exists(sbom_output_dir):
+            os.makedirs(sbom_output_dir)
         generate(src_dirs, sbom_output, args.deep_mode)
     # Default case
     else:
-        if not os.path.exists(reports_dir):
+        if reports_dir and not os.path.exists(reports_dir):
             os.makedirs(reports_dir)
         files = gen_file_list(src_dirs)
         analyzer = AnalysisRunner()