cve-bin-tool

FileNotFoundError: [Errno 2] No such file or directory: 'Expand'

Open changlexc opened this issue 2 years ago • 5 comments

I am not sure if this is related to cve-bin-tool itself or my system is missing something. Just put the output file here for your reference. cve-scan-output.txt

changlexc, Jul 08 '22 01:07

Hi @changlexc, can you please tell me what the output of python -c "import sys; print(sys.platform);" is on your machine?

Thank you

b31ngd3v, Jul 08 '22 16:07

The output is "os400". As I said in #1748, I am trying the tool on IBMi (also known as OS400). Most of the folders can be scanned, unless I meet this issue in some of the folders.

changlexc, Jul 11 '22 02:07

I don't think we officially support any OSs other than Linux and Windows. So first it's checking the platform; if it's not Linux it's defaulting to Windows, and that's why you faced that issue: it was trying to extract a cab file with Expand.

b31ngd3v, Jul 11 '22 07:07

We don't support os400 because I don't have access to any machines to run tests on, but that doesn't necessarily mean it can't work, just that we can't test it.

For you to fix it there's a few options:

  1. You can install cabextract (what we use on Linux) or Extract (what's used on Windows) or something else to handle extraction of those files. You might need to modify the code or make an alias if what you install doesn't have the same name or command line flags to work as expected.
  2. You can change the code to disable cab extraction entirely. We don't have a flag for this but I think if you find where we allow the .cab file extension you can probably take it out of the list and it will do the right thing. Obviously .cab files won't be scanned then.
  3. You could change your scanning command line to exclude that file in some way
  4. You could scan from a machine running Linux or Windows, which are our supported and tested options. Red Hat may actually run on the OS400 hardware but I think changing your entire operating system is rather a lot to ask for a software bug. ;) (But cve-bin-tool should run on Red Hat: we test in GitHub Actions on Ubuntu but one of my regular development machines is Fedora.)

For us:

  • We should make this fail more gracefully the way we have with other failures. That would mean logging an error saying Extract couldn't be found and the filename that didn't get scanned, but not stopping the scan. (Or possibly changing the code a level above where the Extract is called so all failures will be logged more gracefully -- I think we already have a similar bug for another missing component.)
  • We previously did research into whether there's a Python cab extraction library and we didn't find one that would work for us as a fallback, so that's probably not an option although we could look again?

In summary:

  • You probably want to install cabextract or equivalent for your OS and then the files will actually scan.
  • We probably want to fail more gracefully if Extract is not found, even though we don't support OS400 officially, because there's no reason not to improve your experience.

terriko, Jul 11 '22 20:07
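
The graceful-failure behaviour proposed in the comment above, as an added example (not cve-bin-tool's own code, and not written by anyone in this thread). The function names, the injectable which/run parameters, the choice to use Expand only on Windows and cabextract everywhere else, and the sample file names are assumptions made for illustration.

```python
import logging
import shutil
import subprocess
import sys
from pathlib import Path

LOGGER = logging.getLogger("cab_extract_example")


def candidate_command(cab, dest, platform=sys.platform):
    """Pick an extractor by platform; only Windows gets Expand (example's choice)."""
    if platform.startswith("win"):
        return ["Expand", str(cab), "-F:*", str(dest)]
    # linux, os400 and anything else: cabextract, never a Windows-only tool
    return ["cabextract", "-d", str(dest), str(cab)]


def extract_cab(cab, dest, platform=sys.platform, which=shutil.which, run=subprocess.run):
    """Return True if extracted, False if skipped. A missing tool never raises."""
    cmd = candidate_command(cab, dest, platform)
    if which(cmd[0]) is None:
        LOGGER.error("%s not found on PATH; %s was not scanned", cmd[0], cab)
        return False
    try:
        result = run(cmd, capture_output=True, check=False)
    except FileNotFoundError:
        # Tool disappeared between the PATH check and the exec: same handling.
        LOGGER.error("%s could not be started; %s was not scanned", cmd[0], cab)
        return False
    if result.returncode != 0:
        LOGGER.error("%s exited %d on %s; file not scanned", cmd[0], result.returncode, cab)
        return False
    return True


def scan(files, dest, **kwargs):
    """Process every file; return the .cab files that were skipped."""
    skipped = []
    for name in files:
        if Path(name).suffix.lower() == ".cab" and not extract_cab(name, dest, **kwargs):
            skipped.append(str(name))  # logged above; the scan keeps going
    return skipped


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed file names; with no extractor installed both .cab files are reported.
    print(scan(["drivers.cab", "libfoo.so", "update.CAB"], "extracted"))
```

The list returned by scan is what a report would surface as coverage gaps, so an unscanned archive is visible instead of silently missing from the results.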

@terriko, thanks for such a detailed explanation. If you see my recently opened issues, I am moving forward to let cve-bin-tool support the OS400 platform. I met a few issues, but not too many. Some of them are not platform specific and may be handled more gracefully as you said. I will continue investigating running on OS400. Anyway, thanks so much for your support.

changlexc, Jul 12 '22 01:07

I think this one is as resolved as it can be (given that I don't have a good way to regularly run tests on OS400), so I'm going to close it now.

terriko, Apr 17 '24 21:04