SBOM for PE dotnet binaries #69

Merged
merged 13 commits into from
Mar 1, 2024

Conversation

prabhu
Member

@prabhu prabhu commented Feb 27, 2024

Tested with https://github.com/owasp-dep-scan/dosai/releases/download/v0.1.1/Dosai.exe
https://github.com/owasp-dep-scan/dosai/releases/download/v0.1.1/Dosai

The Overlay attribute seems to be missing for MachO, so I raised a ticket here:
lief-project/LIEF#1028

Testing

Find some PE (Windows) and ELF (Linux) binaries generated by dotnet. Alternatively, build any dotnet application using the dotnet build command.

Generate SBOM using the sbom command.

```shell
git clone https://github.com/owasp-dep-scan/blint.git
cd blint
git checkout feature/pe-sbom
python -m pip install poetry
poetry install

poetry run blint sbom -i <dotnet generated binary> -o bom.json --deep
```

The resulting SBOM must include several nuget packages in addition to dll files.

On Windows, manually inspect the various .csproj files to check that all libraries used are reported.
On Linux, run the strings command to check that we have captured all the packages reported.

```shell
strings -a -t x <binary name>
```

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
@prabhu prabhu marked this pull request as draft February 27, 2024 16:58
@prabhu prabhu marked this pull request as ready for review February 27, 2024 17:25
@timmyteo
Collaborator

Hi @prabhu - I tested this per your instructions above for Dosai.exe and also another dotnet project. I may be doing something wrong or just not understanding this. For instance, when I test Dosai.exe, I am seeing the following dependencies in the BOM instead of the expected Dosai Dependencies:

```json
"dependencies": [
    {
      "ref": "pkg:generic/Dosai.exe@latest",
      "dependsOn": [
        "pkg:file/api-ms-win-crt-math-l1-1-0.dll",
        "pkg:file/api-ms-win-crt-convert-l1-1-0.dll",
        "pkg:file/USER32.dll",
        "pkg:file/SHELL32.dll",
        "pkg:file/ADVAPI32.dll",
        "pkg:file/api-ms-win-crt-stdio-l1-1-0.dll",
        "pkg:file/api-ms-win-crt-locale-l1-1-0.dll",
        "pkg:file/api-ms-win-crt-heap-l1-1-0.dll",
        "pkg:file/api-ms-win-crt-string-l1-1-0.dll",
        "pkg:file/api-ms-win-crt-runtime-l1-1-0.dll",
        "pkg:file/api-ms-win-crt-time-l1-1-0.dll",
        "pkg:file/KERNEL32.dll"
      ]
    }
]
```

And although the bom.json is generated, I do see these errors at the command line as well:
[screenshot]

@prabhu
Member Author

prabhu commented Feb 28, 2024

@timmyteo, this was indeed a bug. I have fixed it now. Could you kindly retest by updating the branch?

@timmyteo
Collaborator

I think it is getting close :)
[screenshot]

@prabhu
Member Author

prabhu commented Feb 28, 2024

Thanks @timmyteo. Could you update and try again?

@timmyteo
Collaborator

Nice work @prabhu, it looks to be working now! I tried with Dosai and the expected dependencies are listed in the BOM. Here is what it produced for Dosai:
```json
"dependsOn": [
    "pkg:file/ADVAPI32.dll",
    "pkg:nuget/System.Runtime.CompilerServices.Unsafe@6.0.0",
    "pkg:file/USER32.dll",
    "pkg:file/api-ms-win-crt-stdio-l1-1-0.dll",
    "pkg:file/api-ms-win-crt-time-l1-1-0.dll",
    "pkg:nuget/Dosai@0.1.1",
    "pkg:file/api-ms-win-crt-runtime-l1-1-0.dll",
    "pkg:file/api-ms-win-crt-locale-l1-1-0.dll",
    "pkg:nuget/Microsoft.NET.ILLink.Tasks@8.0.0",
    "pkg:file/KERNEL32.dll",
    "pkg:file/api-ms-win-crt-string-l1-1-0.dll",
    "pkg:nuget/System.CommandLine@2.0.0-beta4.22272.1",
    "pkg:file/api-ms-win-crt-convert-l1-1-0.dll",
    "pkg:nuget/Microsoft.CodeAnalysis.CSharp@4.8.0",
    "pkg:nuget/Microsoft.CodeAnalysis.Analyzers@3.3.4",
    "pkg:file/api-ms-win-crt-math-l1-1-0.dll",
    "pkg:nuget/System.Collections.Immutable@7.0.0",
    "pkg:nuget/System.Reflection.Metadata@7.0.0",
    "pkg:nuget/Microsoft.CodeAnalysis.Common@4.8.0",
    "pkg:nuget/Microsoft.CodeAnalysis.VisualBasic@4.8.0",
    "pkg:file/SHELL32.dll",
    "pkg:file/api-ms-win-crt-heap-l1-1-0.dll"
]
```

I did also try with a simple HelloWorld program with one dependency, but the dependency didn't show up in the BOM as I expected, so not sure if I am doing something wrong there.

@prabhu
Member Author

prabhu commented Feb 29, 2024

@timmyteo, fixed again. The exe produced on Windows uses \r\n as the line endings!
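A cross-check for the `strings` step in the PR's testing instructions and for the CRLF point raised just above, added here as an example and not blint's or the PR's own code: it scans a binary for printable runs the way `strings -a -t x` does, turns the `Name/Version` keys of an embedded .deps.json (an assumed layout; blint's real extraction is not reproduced) into `pkg:nuget/` purls, and reports any that the SBOM's `dependsOn` lists omit. The sample binary and SBOM fragment are constructed.

```python
"""Cross-check a blint-style SBOM against package references inside a dotnet binary."""
import json
import re

# ASSUMPTION (not blint's logic): a self-contained dotnet binary embeds its
# .deps.json, whose package keys look like "Name/Version": { ... }.
PKG_RE = re.compile(rb'"([A-Za-z0-9_.-]+)/([0-9][A-Za-z0-9.+-]*)"\s*:')


def strings_like(data: bytes, min_len: int = 4):
    """Yield (offset, run) for printable-ASCII runs, like `strings -a -t x`.
    \\r (0x0d) is non-printable, so CRLF lines from a Windows-built exe end
    the run cleanly and no stray "\\r" is left on the last field."""
    start = None
    for i, b in enumerate(data + b"\x00"):  # sentinel closes the final run
        if 0x20 <= b < 0x7F:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                yield start, data[start:i]
            start = None


def nuget_purls_in_binary(data: bytes) -> set:
    """pkg:nuget/Name@Version for every package key found in the binary."""
    purls = set()
    for _, run in strings_like(data):
        for name, ver in PKG_RE.findall(run):
            purls.add(f"pkg:nuget/{name.decode()}@{ver.decode()}")
    return purls


def missing_from_sbom(bom: dict, data: bytes) -> set:
    """Packages present in the binary but absent from every dependsOn list."""
    reported = set()
    for dep in bom.get("dependencies", []):
        reported.update(dep.get("dependsOn", []))
    return nuget_purls_in_binary(data) - reported


# Constructed sample: a CRLF .deps.json fragment as a Windows build would
# embed it, surrounded by non-text bytes.
SAMPLE_BINARY = (
    b"\x00\x01MZ\x90\x00" + b'{\r\n  "targets": {\r\n    ".NETCoreApp,Version=v8.0": {\r\n'
    b'      "System.CommandLine/2.0.0-beta4.22272.1": {},\r\n'
    b'      "Microsoft.CodeAnalysis.CSharp/4.8.0": {},\r\n'
    b'      "System.Collections.Immutable/7.0.0": {}\r\n    }\r\n  }\r\n}' + b"\xff\xfe"
)

# Constructed SBOM fragment in the shape blint emits, with one package left out.
SAMPLE_BOM = json.loads("""{"dependencies": [{"ref": "pkg:generic/Dosai.exe@latest",
  "dependsOn": ["pkg:file/KERNEL32.dll",
    "pkg:nuget/System.CommandLine@2.0.0-beta4.22272.1",
    "pkg:nuget/Microsoft.CodeAnalysis.CSharp@4.8.0"]}]}""")

if __name__ == "__main__":
    for purl in sorted(missing_from_sbom(SAMPLE_BOM, SAMPLE_BINARY)):
        print("not in SBOM:", purl)
```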

@prabhu prabhu merged commit e816624 into main Mar 1, 2024
16 checks passed
@prabhu prabhu deleted the feature/pe-sbom branch March 1, 2024 09:07