Merge branch 'main' into change_xml_schem

Author: terriko

.github/actions/spelling/allow.txt

@@ -60,6 +60,7 @@ busybox
 bzip
 c
 cabextract
+capnproto
 CDNs
 cfea
 cff
@@ -315,6 +316,7 @@ meflin
 memcached
 metadata
 microsoft
+mingw
 minicom
 minidlna
 miniupnpc
@@ -329,6 +331,7 @@ mpv
 msgid
 msgstr
 msi
+msys
 mtr
 mutt
 myfork

.github/workflows/testing.yml

@@ -248,7 +248,7 @@ jobs:
   windows_tests:
     name: Windows tests
     runs-on: windows-latest
-    timeout-minutes: 30
+    timeout-minutes: 45
     env:
       NO_EXIT_CVE_NUM: 1
       PYTHONIOENCODING: 'utf8'
@@ -266,7 +266,7 @@ jobs:
         uses: actions/cache@v3
         with:
           path: ~/.cache/cve-bin-tool
-          key: ${{ runner.os }}-cve-bin-tool-${{ steps.get-date.outputs.DATE }}
+          key: linux-cve-bin-tool-${{ steps.get-date.outputs.DATE }}
       - name: Install cve-bin-tool
         run: |
           python -m pip install --upgrade pip
@@ -298,7 +298,7 @@ jobs:
   windows_long_tests:
     name: Windows long tests
     runs-on: windows-latest
-    timeout-minutes: 50
+    timeout-minutes: 60
     env:
       LONG_TESTS: 1
       NO_EXIT_CVE_NUM: 1
@@ -317,7 +317,7 @@ jobs:
         uses: actions/cache@v3
         with:
           path: ~/.cache/cve-bin-tool
-          key: ${{ runner.os }}-cve-bin-tool-${{ steps.get-date.outputs.DATE }}
+          key: linux-cve-bin-tool-${{ steps.get-date.outputs.DATE }}
       - name: Install cve-bin-tool
         run: |
           python -m pip install --upgrade pip
@@ -376,4 +376,5 @@ jobs:
           files: ./coverage.xml
           flags: win-longtests
           name: codecov-umbrella
-          fail_ci_if_error: false
+          fail_ci_if_error: false
+

README.md

@@ -8,13 +8,12 @@
 [![Code style: black](https://img.shields.io/badge/code%20style-black-000000.svg)](https://github.com/python/black)
 [![Imports: isort](https://img.shields.io/badge/%20imports-isort-%231674b1?style=flat&labelColor=ef8336)](https://pycqa.github.io/isort/)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/5380/badge)](https://bestpractices.coreinfrastructure.org/projects/5380)
-[![Language grade: Python](https://img.shields.io/lgtm/grade/python/g/intel/cve-bin-tool.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/intel/cve-bin-tool/context:python)
 
 The CVE Binary Tool is a free, open source tool to help you find known vulnerabilities in software, using data from the [National Vulnerability Database](https://nvd.nist.gov/) (NVD) list of [Common Vulnerabilities and Exposures](<https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures#:~:text=Common%20Vulnerabilities%20and%20Exposures%20(CVE)%20is%20a%20dictionary%20of%20common,publicly%20known%20information%20security%20vulnerabilities.>) (CVEs).
 
 The tool has two main modes of operation:
 
-1. A binary scanner which helps you determine which packages may have been included as part of a piece of software.  There are <!-- NUMBER OF CHECKERS START-->250<!--NUMBER OF CHECKERS END--> checkers which focus on common, vulnerable open source components such as openssl, libpng, libxml2 and expat.
+1. A binary scanner which helps you determine which packages may have been included as part of a piece of software.  There are <!-- NUMBER OF CHECKERS START-->251<!--NUMBER OF CHECKERS END--> checkers which focus on common, vulnerable open source components such as openssl, libpng, libxml2 and expat.
 2. Tools for scanning known component lists in various formats, including .csv, several linux distribution package lists, language specific package scanners and several Software Bill of Materials (SBOM) formats.
 
 It is intended to be used as part of your continuous integration system to enable regular vulnerability scanning and give you early warning of known issues in your supply chain.
@@ -310,43 +309,43 @@ The following checkers are available for finding components in binary files:
 
 <!--CHECKERS TABLE BEGIN-->
 |   |  |  | Available checkers |  |  |  |
-|--------------- |------------- |------------------ |----------------- |---------------- |--------------- |------------ |
+|--------------- |--------------- |------------------ |------------ |----------------- |---------------- |--------------- |
 | accountsservice |acpid |apache_http_server |apcupsd |asn1c |assimp |asterisk |
 | atftp |avahi |bash |bind |binutils |bird |bison |
 | boinc |bolt |bro |bubblewrap |busybox |bzip2 |c_ares |
-| chess |chrony |clamav |collectd |commons_compress |connman |cronie |
-| cryptsetup |cups |curl |cvs |darkhttpd |davfs2 |dbus |
-| dhcpcd |dnsmasq |domoticz |dovecot |doxygen |dpkg |dropbear |
-| e2fsprogs |elfutils |enscript |exim |exiv2 |expat |faad2 |
-| fastd |ffmpeg |file |firefox |flac |freeradius |freerdp |
-| fribidi |ftp |gcc |gdb |gimp |git |glib |
-| glibc |gmp |gnomeshell |gnupg |gnutls |gpgme |gpsd |
-| graphicsmagick |grub2 |gstreamer |gupnp |gvfs |haproxy |haserl |
-| hdf5 |hostapd |hunspell |i2pd |icecast |icu |iperf3 |
-| ipsec_tools |iptables |irssi |iucode_tool |jack2 |jacksondatabind |janus |
-| jhead |json_c |kbd |keepalived |kerberos |kexectools |kubernetes |
-| lftp |libarchive |libbpg |libconfuse |libdb |libebml |libgcrypt |
-| libgit2 |libical |libinput |libjpeg |libjpeg_turbo |libksba |liblas |
-| libnss |libpcap |librsvg |librsync |libsamplerate |libseccomp |libsndfile |
-| libsolv |libsoup |libsrtp |libssh |libssh2 |libtiff |libtomcrypt |
-| libupnp |libvirt |libvncserver |libvorbis |libxslt |lighttpd |lldpd |
-| logrotate |lua |luajit |lynx |lz4 |mailx |mariadb |
-| mdadm |memcached |minicom |minidlna |miniupnpc |miniupnpd |mosquitto |
-| motion |mpv |mtr |mutt |mysql |nano |nbd |
-| ncurses |neon |nessus |netatalk |netpbm |nettle |nghttp2 |
-| nginx |nmap |node |ntp |ntpsec |open_vm_tools |openafs |
-| opencv |openjpeg |openldap |openssh |openssl |openswan |openvpn |
-| p7zip |pango |patch |pcsc_lite |perl |pigz |png |
-| polarssl_fedora |poppler |postgresql |ppp |privoxy |procps_ng |proftpd |
-| pspp |pure_ftpd |putty |python |qemu |qt |quagga |
-| radare2 |radvd |rdesktop |rsync |rsyslog |rtl_433 |rust |
-| samba |sane_backends |seahorse |shadowsocks_libev |snort |sofia_sip |spice |
-| sqlite |squashfs |squid |strongswan |stunnel |subversion |sudo |
-| suricata |sylpheed |syslogng |sysstat |systemd |tcpdump |thrift |
-| thttpd |thunderbird |timescaledb |tinyproxy |tor |tpm2_tss |transmission |
-| trousers |unbound |unixodbc |upx |util_linux |varnish |vsftpd |
-| webkitgtk |wget |wireshark |wolfssl |wpa_supplicant |xerces |xml2 |
-| xscreensaver |zeek |zlib |znc |zsh | | |
+| capnproto |chess |chrony |clamav |collectd |commons_compress |connman |
+| cronie |cryptsetup |cups |curl |cvs |darkhttpd |davfs2 |
+| dbus |dhcpcd |dnsmasq |domoticz |dovecot |doxygen |dpkg |
+| dropbear |e2fsprogs |elfutils |enscript |exim |exiv2 |expat |
+| faad2 |fastd |ffmpeg |file |firefox |flac |freeradius |
+| freerdp |fribidi |ftp |gcc |gdb |gimp |git |
+| glib |glibc |gmp |gnomeshell |gnupg |gnutls |gpgme |
+| gpsd |graphicsmagick |grub2 |gstreamer |gupnp |gvfs |haproxy |
+| haserl |hdf5 |hostapd |hunspell |i2pd |icecast |icu |
+| iperf3 |ipsec_tools |iptables |irssi |iucode_tool |jack2 |jacksondatabind |
+| janus |jhead |json_c |kbd |keepalived |kerberos |kexectools |
+| kubernetes |lftp |libarchive |libbpg |libconfuse |libdb |libebml |
+| libgcrypt |libgit2 |libical |libinput |libjpeg |libjpeg_turbo |libksba |
+| liblas |libnss |libpcap |librsvg |librsync |libsamplerate |libseccomp |
+| libsndfile |libsolv |libsoup |libsrtp |libssh |libssh2 |libtiff |
+| libtomcrypt |libupnp |libvirt |libvncserver |libvorbis |libxslt |lighttpd |
+| lldpd |logrotate |lua |luajit |lynx |lz4 |mailx |
+| mariadb |mdadm |memcached |minicom |minidlna |miniupnpc |miniupnpd |
+| mosquitto |motion |mpv |mtr |mutt |mysql |nano |
+| nbd |ncurses |neon |nessus |netatalk |netpbm |nettle |
+| nghttp2 |nginx |nmap |node |ntp |ntpsec |open_vm_tools |
+| openafs |opencv |openjpeg |openldap |openssh |openssl |openswan |
+| openvpn |p7zip |pango |patch |pcsc_lite |perl |pigz |
+| png |polarssl_fedora |poppler |postgresql |ppp |privoxy |procps_ng |
+| proftpd |pspp |pure_ftpd |putty |python |qemu |qt |
+| quagga |radare2 |radvd |rdesktop |rsync |rsyslog |rtl_433 |
+| rust |samba |sane_backends |seahorse |shadowsocks_libev |snort |sofia_sip |
+| spice |sqlite |squashfs |squid |strongswan |stunnel |subversion |
+| sudo |suricata |sylpheed |syslogng |sysstat |systemd |tcpdump |
+| thrift |thttpd |thunderbird |timescaledb |tinyproxy |tor |tpm2_tss |
+| transmission |trousers |unbound |unixodbc |upx |util_linux |varnish |
+| vsftpd |webkitgtk |wget |wireshark |wolfssl |wpa_supplicant |xerces |
+| xml2 |xscreensaver |zeek |zlib |znc |zsh | |
 <!--CHECKERS TABLE END-->
 
 All the checkers can be found in the checkers directory, as can the
@@ -453,9 +452,10 @@ On windows systems, you may need:
 - `Expand`
 - `pdftotext`
 
-Windows has `ar` and `Expand` installed by default, but `7z` in particular might need to be installed.
+Windows has `Expand` installed by default, but `ar` and `7z` might need to be installed.
 If you want to run our test-suite or scan a zstd compressed file, We recommend installing this [7-zip-zstd](https://github.com/mcmilk/7-Zip-zstd)
 fork of 7zip. We are currently using `7z` for extracting `jar`, `apk`, `msi`, `exe` and `rpm` files.
+To install `ar` you can install MinGW (which has binutils as a part of it) from [here](https://www.mingw-w64.org/downloads/#msys2) and run the downloaded .exe file.
 
 If you get an error about building libraries when you try to install from pip,
 you may need to install the Windows build tools. The Windows build tools are

cve_bin_tool/checkers/__init__.py

@@ -34,6 +34,7 @@
     "busybox",
     "bzip2",
     "c_ares",
+    "capnproto",
     "chess",
     "chrony",
     "clamav",
@@ -149,6 +150,7 @@
     "logrotate",
     "lua",
     "luajit",
+    "lxc",
     "lynx",
     "lz4",
     "mailx",
@@ -166,6 +168,7 @@
     "mutt",
     "mysql",
     "nano",
+    "nasm",
     "nbd",
     "ncurses",
     "neon",
@@ -318,7 +321,7 @@ def guess_contains(self, lines):
     def get_version(self, lines, filename):
         version_info = dict()
 
-        if any(pattern.search(filename) for pattern in self.FILENAME_PATTERNS):
+        if any(pattern.match(filename) for pattern in self.FILENAME_PATTERNS):
             version_info["is_or_contains"] = "is"
 
         if "is_or_contains" not in version_info and self.guess_contains(lines):

cve_bin_tool/checkers/capnproto.py

@@ -0,0 +1,23 @@
+# Copyright (C) 2023 Orange
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+
+"""
+CVE checker for capnproto:
+
+https://www.cvedetails.com/product/37224/Capnproto-Capnproto.html?vendor_id=16364
+
+"""
+from __future__ import annotations
+
+from cve_bin_tool.checkers import Checker
+
+
+class CapnprotoChecker(Checker):
+    CONTAINS_PATTERNS: list[str] = []
+    FILENAME_PATTERNS: list[str] = []
+    VERSION_PATTERNS = [
+        r"Cap'n Proto version ([0-9]+\.[0-9]+\.[0-9]+)",
+        r"libcapnp-([0-9]+\.[0-9]+\.[0-9]+)",
+    ]
+    VENDOR_PRODUCT = [("capnproto", "capnproto")]

cve_bin_tool/checkers/gstreamer.py

@@ -1,12 +1,12 @@
 # Copyright (C) 2021 Intel Corporation
 # SPDX-License-Identifier: GPL-3.0-or-later
 
-# !/usr/bin/env python3
 """
 CVE checker for Gstreamer
 
 References:
 https://www.cvedetails.com/vulnerability-list/vendor_id-9481/Gstreamer.html
+https://www.cvedetails.com/product/35669/Gstreamer-Project-Gstreamer.html?vendor_id=16047
 """
 from cve_bin_tool.checkers import Checker
 
@@ -16,5 +16,9 @@ class GstreamerChecker(Checker):
         r"http://bugzilla.gnome.org/enter_bug.cgi?product=GStreamer",
     ]
     FILENAME_PATTERNS = [r"gstreamer"]
-    VERSION_PATTERNS = [r"libgstreamer-((\d+\.)+\d+)"]
-    VENDOR_PRODUCT = [("gstreamer_project", "gstreamer")]
+    VERSION_PATTERNS = [
+        r"((\d+\.)+\d+)[a-zA-Z \r\n]*GStreamer ",
+        r"gstreamer[a-zA-Z \r\n]*((\d+\.)+\d+)",
+        r"libgstreamer-((\d+\.)+\d+)",
+    ]
+    VENDOR_PRODUCT = [("gstreamer", "gstreamer"), ("gstreamer_project", "gstreamer")]

cve_bin_tool/checkers/icecast.py

@@ -6,6 +6,7 @@
 CVE checker for icecast
 
 https://www.cvedetails.com/product/1194/Icecast-Icecast.html?vendor_id=693
+https://www.cvedetails.com/product/31619/Xiph-Icecast.html?vendor_id=7966
 
 """
 from __future__ import annotations
@@ -17,4 +18,4 @@ class IcecastChecker(Checker):
     CONTAINS_PATTERNS: list[str] = []
     FILENAME_PATTERNS = [r"icecast"]
     VERSION_PATTERNS = [r"Icecast ([0-9]+\.[0-9]+\.[0-9]+)"]
-    VENDOR_PRODUCT = [("icecast", "icecast")]
+    VENDOR_PRODUCT = [("icecast", "icecast"), ("xiph", "icecast")]

cve_bin_tool/checkers/libarchive.py

@@ -5,6 +5,7 @@
 """
 CVE checker for libarchive
 
+https://www.cvedetails.com/product/11632/Freebsd-Libarchive.html?vendor_id=6
 https://www.cvedetails.com/product/26168/Libarchive-Libarchive.html?vendor_id=12872
 
 """
@@ -17,4 +18,4 @@ class LibarchiveChecker(Checker):
     CONTAINS_PATTERNS: list[str] = []
     FILENAME_PATTERNS = [r"libarchive.so"]
     VERSION_PATTERNS = [r"libarchive ([0-9]+\.[0-9]+\.[0-9]+)"]
-    VENDOR_PRODUCT = [("libarchive", "libarchive")]
+    VENDOR_PRODUCT = [("freebsd", "libarchive"), ("libarchive", "libarchive")]

cve_bin_tool/checkers/libjpeg_turbo.py

@@ -3,9 +3,10 @@
 
 
 """
-CVE checker for libjpg-turbo
+CVE checker for libjpeg-turbo
 
 References:
+https://www.cvedetails.com/product/22813/D.r.commander-Libjpeg-turbo.html?vendor_id=12120
 https://www.cvedetails.com/vulnerability-list/vendor_id-17075/product_id-40849/Libjpeg-turbo-Libjpeg-turbo.html
 """
 from cve_bin_tool.checkers import Checker
@@ -18,9 +19,8 @@ class LibjpegTurboChecker(Checker):
         r"Invalid JPEG file structure: two SOF markers",
     ]
     FILENAME_PATTERNS = [r"libjpg.so."]
-    VERSION_PATTERNS = [
-        r"libjpeg-turbo version ([0-9]\.[0-9]\.[0-9])",
-        r"LIBJPEGTURBO_([0-9]+\.[0-9]+\.?[0-9]?)",
-        r"LIBJPEG_([0-9]+\.[0-9]+\.?[0-9]?)",
+    VERSION_PATTERNS = [r"libjpeg-turbo version ([0-9]\.[0-9]\.[0-9])"]
+    VENDOR_PRODUCT = [
+        ("d.r.commander", "libjpeg-turbo"),
+        ("libjpeg-turbo", "libjpeg-turbo"),
     ]
-    VENDOR_PRODUCT = [("libjpeg-turbo", "libjpeg-turbo")]

cve_bin_tool/checkers/lxc.py

@@ -0,0 +1,20 @@
+# Copyright (C) 2023 Orange
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+
+"""
+CVE checker for lxc
+
+https://www.cvedetails.com/product/27105/Linuxcontainers-LXC.html?vendor_id=13134
+
+"""
+from __future__ import annotations
+
+from cve_bin_tool.checkers import Checker
+
+
+class LxcChecker(Checker):
+    CONTAINS_PATTERNS: list[str] = []
+    FILENAME_PATTERNS: list[str] = []
+    VERSION_PATTERNS = [r"([0-9]+\.[0-9]+\.[0-9]+)[a-zA-Z:./ %\r\n]*lxc"]
+    VENDOR_PRODUCT = [("linuxcontainers", "lxc")]

cve_bin_tool/checkers/nasm.py

@@ -0,0 +1,20 @@
+# Copyright (C) 2022 Orange
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+
+"""
+CVE checker for nasm:
+
+https://www.cvedetails.com/product/14272/Nasm-Netwide-Assembler.html?vendor_id=2638
+
+"""
+from __future__ import annotations
+
+from cve_bin_tool.checkers import Checker
+
+
+class NasmChecker(Checker):
+    CONTAINS_PATTERNS: list[str] = []
+    FILENAME_PATTERNS: list[str] = []
+    VERSION_PATTERNS = [r"NASM ([0-9]+\.[0-9]+\.[0-9]+)"]
+    VENDOR_PRODUCT = [("nasm", "netwide_assembler")]

cve_bin_tool/checkers/openjpeg.py

@@ -5,7 +5,7 @@
 """
 CVE checker for openjpeg
 
-https://www.cvedetails.com/product/22664/Openjpeg-Openjpeg.html?vendor_id=12064
+https://www.cvedetails.com/product/50039/Uclouvain-Openjpeg.html?vendor_id=19248
 
 """
 from . import Checker
@@ -26,5 +26,6 @@ class OpenjpegChecker(Checker):
     ]
     VERSION_PATTERNS = [
         r"openjpeg-([0-9]+\.[0-9]+\.[0-9]+)",
+        r"openjpeg2-([0-9]+\.[0-9]+\.[0-9]+)",
     ]
-    VENDOR_PRODUCT = [("openjpeg", "openjpeg")]
+    VENDOR_PRODUCT = [("uclouvain", "openjpeg")]

cve_bin_tool/checkers/sqlite.py

@@ -61,8 +61,8 @@ class SqliteChecker(Checker):
     VENDOR_PRODUCT = [("sqlite", "sqlite")]
     VERSION_PATTERNS = [
         r"Id: SQLite version (\d+\.\d+\.\d+)",
-        r"sqlite(\d+)\.debug",
-    ]  # patterns like the second one aren't ideal (check the end of the file)
+        r"(\d{4}-\d{2}-\d{2} \d+:\d+:\d+ [\w]+)\r?\n(?:SQLite|SQLITE|DESC)",
+    ]
     FILENAME_PATTERNS = [r"sqlite", r"sqlite3"]
 
     mapdb = VersionSignatureDb("sqlite", get_version_map, 30)
@@ -90,7 +90,6 @@ def get_version(self, lines, filename):
 
         The most correct way to do this is to search for the sha1 sums per release.
         Fedora rpms have a simpler SQLite version string.
-        If neither of those work, try to at least guess the major version
         """
 
         version_info = super().get_version(lines, filename)
@@ -105,10 +104,3 @@ def get_version(self, lines, filename):
                 version_info["version"] = mapping[0]
 
         return version_info
-
-
-"""
-Using filenames (containing patterns like '.so' etc.) in the binaries as VERSION_PATTERNS aren't ideal.
-The reason behind this is that these might depend on who packages the file (like it
-might work on fedora but not on ubuntu)
-"""