better untracked files handling

e-m-b-a · Dec 12, 2024 · 6d7d50c · 6d7d50c
1 parent cda556e
commit 6d7d50c
Show file tree

Hide file tree

Showing 6 changed files with 27 additions and 4 deletions.
diff --git a/helpers/helpers_emba_sbom_helpers.sh b/helpers/helpers_emba_sbom_helpers.sh
@@ -169,7 +169,7 @@ build_sbom_json_hashes_arr() {
 
   if [[ "${lPACKAGING_SYSTEM}" != "unhandled_file" && -d "${SBOM_LOG_PATH}" ]]; then
     # Finally, we check if there is another "unhandled_file_*.json" with the same hash. If we find such a file we can remove it now
-    mapfile -t lDUP_CHECK_FILE_ARR < <(grep -lr '"alg":"SHA-512","content":"'"${lSHA512_CHECKSUM}" "${SBOM_LOG_PATH}"/unhandled_file_*.json || true)
+    mapfile -t lDUP_CHECK_FILE_ARR < <(grep -lr '"alg":"SHA-512","content":"'"${lSHA512_CHECKSUM}" "${SBOM_LOG_PATH}"/unhandled_file_*.json 2>/dev/null || true)
     for lDUP_CHECK_FILE in "${lDUP_CHECK_FILE_ARR[@]}"; do
       print_output "[*] Duplicate unhandled_file sbom entry detected for ${lAPP_NAME} - ${lDUP_CHECK_FILE}" "no_log"
       if ! grep -q "${lDUP_CHECK_FILE}" "${SBOM_LOG_PATH}"/duplicates_to_delete.txt 2>/dev/null; then

diff --git a/modules/F15_cyclonedx_sbom.sh b/modules/F15_cyclonedx_sbom.sh
@@ -105,7 +105,11 @@ F15_cyclonedx_sbom() {
     [[ -v HASHES_ARR ]] && lFW_COMPONENT_DATA_ARR+=( "hashes=$(jo -a "${HASHES_ARR[@]}")" )
 
     # build the component array for final sbom build:
-    mapfile -t lCOMP_FILES_ARR < <(find "${SBOM_LOG_PATH}" -maxdepth 1 -type f -name "*.json" | sort -u)
+    mapfile -t lCOMP_FILES_ARR < <(find "${SBOM_LOG_PATH}" -maxdepth 1 -type f -name "*.json" -not -name "unhandled_file_*" | sort -u)
+    if [[ "${SBOM_UNTRACKED_FILES}" -gt 0 ]]; then
+      mapfile -t lCOMP_FILES_ARR_UNHANDLED < <(find "${SBOM_LOG_PATH}" -maxdepth 1 -type f -name "unhandled_file_*.json" | sort -u)
+     lCOMP_FILES_ARR+=("${lCOMP_FILES_ARR_UNHANDLED[@]}")
+    fi
 
     # as we can have so many components that everything goes b00m we need to build the
     # components json manually:
@@ -168,7 +172,7 @@ F15_cyclonedx_sbom() {
           "${lFW_COMPONENT_DATA_ARR[@]}")")" \
       components=:"${lSBOM_LOG_FILE}_components.json" \
       dependencies=:"${lSBOM_LOG_FILE}_dependencies.json" \
-      vulnerabilities="null" \
+      vulnerabilities="[]" \
       > "${lSBOM_LOG_FILE}.json" || print_error "[-] SBOM builder error!"
 
     # I am sure there is a much cleaner way but for now I am stuck and don't get it in a different way :(

diff --git a/modules/S09_firmware_base_version_check.sh b/modules/S09_firmware_base_version_check.sh
@@ -92,7 +92,8 @@ S09_firmware_base_version_check() {
     print_output "[*] Found package manager with ${ORANGE}${#lFILE_ARR_PKG[@]}${NC} package files - testing against a limited file array ${ORANGE}${#FILE_ARR[@]}${NC}" "${LOG_PATH_MODULE}/pkg_known_files.txt"
     local lPKG_FILE=""
     for lPKG_FILE in "${lFILE_ARR_PKG[@]}"; do
-      (grep -E "${lPKG_FILE@Q};" "${P99_CSV_LOG}" | cut -d ';' -f1 >> "${LOG_PATH_MODULE}"/known_system_pkg_files.txt || true)&
+      lPKG_FILE=$(printf "%q\n" "${lPKG_FILE}")
+      (grep -E "${lPKG_FILE};" "${P99_CSV_LOG}" | cut -d ';' -f1 >> "${LOG_PATH_MODULE}"/known_system_pkg_files.txt || true)&
     done
 
     print_output "[*] Waiting for grepping jobs" "no_log"
@@ -153,6 +154,7 @@ S09_firmware_base_version_check() {
   print_output "[*] Waiting for strings generator" "no_log"
   wait_for_pid "${WAIT_PIDS_S09_1[@]}"
   print_output "[*] Proceeding with version detection for ${ORANGE}${#FILE_ARR[@]}${NC} binary files"
+  echo "S09_strings_generated" > "${TMP_DIR}/S09_strings_generated.tmp"
   print_ln
 
   lOS_IDENTIFIED=$(distri_check)

diff --git a/modules/S115_usermode_emulator.sh b/modules/S115_usermode_emulator.sh
@@ -107,6 +107,12 @@ S115_usermode_emulator() {
         # we emulate every binary only once. So calculate the checksum and store it for checking
         local lBIN_MD5_=""
         lBIN_MD5_=$(md5sum "${R_PATH}"/"${lBINARY}" | cut -d\  -f1)
+        if [[ -d "${SBOM_LOG_PATH}" ]]; then
+          if grep -lr '"alg":"MD5","content":"'"${lBIN_MD5_}" "${SBOM_LOG_PATH}"/* | grep -qv "unhandled_file"; then
+            print_output "[*] Already found SBOM results for ${lBINARY} ... skip emulation tests" "no_log"
+            continue
+          fi
+        fi
         if [[ ! " ${lMD5_DONE_INT_ARR[*]} " =~ ${lBIN_MD5_} ]]; then
           lBIN_EMU_ARR+=( "${lBINARY}" )
           lMD5_DONE_INT_ARR+=( "${lBIN_MD5_}" )

diff --git a/modules/S116_qemu_version_detection.sh b/modules/S116_qemu_version_detection.sh
@@ -29,6 +29,16 @@ S116_qemu_version_detection() {
     # check emba.log for S115_usermode_emulator
     module_wait "S115_usermode_emulator"
 
+    # if module s09 is in our running modules array we wait until this module created the unhandled_files entries
+    # otherwise we can't delete the irrelevant entries
+    while ! [[ -f "${TMP_DIR}/S09_strings_generated.tmp" ]]; do
+      if ! [[ " ${MODULES_EXPORTED[*]} " == *S09* ]]; then
+        break
+      fi
+      print_output "[*] Waiting for S09 module - strings and unhandled file generaation ..." "no_log"
+      sleep 1
+    done
+
     local lLOG_PATH_S115="${LOG_DIR}"/s115_usermode_emulator.txt
     if [[ -f "${lLOG_PATH_S115}" && -d "${LOG_DIR}/s115_usermode_emulator" ]]; then
       local lVERSION_IDENTIFIER_CFG="${CONFIG_DIR}"/bin_version_strings.cfg

diff --git a/modules/S25_kernel_check.sh b/modules/S25_kernel_check.sh
@@ -381,6 +381,7 @@ module_analyzer() {
     lPROP_ARRAY_INIT_ARR+=( "source_arch:${lK_ARCH}" )
     lPROP_ARRAY_INIT_ARR+=( "source_details:${lK_FILE_OUT}" )
     lPROP_ARRAY_INIT_ARR+=( "confidence:high" )
+    lPROP_ARRAY_INIT_ARR+=( "dependency:linux_kernel" )
 
     build_sbom_json_properties_arr "${lPROP_ARRAY_INIT_ARR[@]}"