Merge branch 'main' into pr-1655

Author: terriko

.github/PULL_REQUEST_TEMPLATE/new_checker.md

@@ -0,0 +1,20 @@
+### Description
+
+Website: WEBSITE_LINK_OF_THE_PRODUCT
+
+CVEs: CVEDETAILS_PRODUCT_PAGE
+
+closes #ISSUE_NUMBER
+
+
+### Checklist
+
+- [ ]  Add checker
+- [ ]  Add test
+- [ ]  Make sure long tests are passing
+- [ ]  Add condensed downloads to the commit
+- [ ]  Make sure all tests are passing
+- [ ]  Make sure black/isort tests are passing
+- [ ]  Run a manual test with a vulnerable version of the product
+- [ ]  Update the template for this checker
+- [ ]  Update the reference links

.github/actions/spelling/allow.txt

@@ -58,6 +58,8 @@ cleartext
 clnt
 cmdline
 codecov
+commons
+compress
 conda
 config
 conventionalcommits

README.md

@@ -248,24 +248,24 @@ The following checkers are available for finding components in binary files:
 
 <!--CHECKERS TABLE BEGIN-->
 |   |  |  | Available checkers |  |  |  |
-|--------------- |--------- |---------- |--------------- |------------ |--------------- |------------- |
+|--------------- |------------- |---------------- |---------- |--------------- |------------ |--------------- |
 | accountsservice |avahi |bash |bind |binutils |bolt |bubblewrap |
-| busybox |bzip2 |cronie |cryptsetup |cups |curl |dbus |
-| dnsmasq |dovecot |dpkg |enscript |expat |ffmpeg |freeradius |
-| ftp |gcc |gimp |glibc |gnomeshell |gnupg |gnutls |
-| gpgme |gstreamer |gupnp |haproxy |hdf5 |hostapd |hunspell |
-| icecast |icu |irssi |jacksondatabind |kbd |kerberos |kexectools |
-| libarchive |libbpg |libdb |libebml |libgcrypt |libical |libjpeg_turbo |
-| liblas |libnss |librsvg |libseccomp |libsndfile |libsolv |libsoup |
-| libsrtp |libssh2 |libtiff |libvirt |libvncserver |libxslt |lighttpd |
-| logrotate |lua |mariadb |mdadm |memcached |mtr |mysql |
-| nano |ncurses |nessus |netpbm |nginx |node |ntp |
-| open_vm_tools |openafs |openjpeg |openldap |openssh |openssl |openswan |
-| openvpn |p7zip |pcsc_lite |pigz |png |polarssl_fedora |poppler |
-| postgresql |pspp |python |qt |radare2 |rsyslog |samba |
-| sane_backends |sqlite |strongswan |subversion |sudo |syslogng |systemd |
-| tcpdump |trousers |varnish |webkitgtk |wireshark |wpa_supplicant |xerces |
-| xml2 |zlib |zsh | | | | |
+| busybox |bzip2 |commons_compress |cronie |cryptsetup |cups |curl |
+| dbus |dnsmasq |dovecot |dpkg |enscript |expat |ffmpeg |
+| freeradius |ftp |gcc |gimp |glibc |gnomeshell |gnupg |
+| gnutls |gpgme |gstreamer |gupnp |haproxy |hdf5 |hostapd |
+| hunspell |icecast |icu |irssi |jacksondatabind |kbd |kerberos |
+| kexectools |libarchive |libbpg |libdb |libebml |libgcrypt |libical |
+| libjpeg_turbo |liblas |libnss |librsvg |libseccomp |libsndfile |libsolv |
+| libsoup |libsrtp |libssh2 |libtiff |libvirt |libvncserver |libxslt |
+| lighttpd |logrotate |lua |mariadb |mdadm |memcached |mtr |
+| mysql |nano |ncurses |nessus |netpbm |nginx |node |
+| ntp |open_vm_tools |openafs |openjpeg |openldap |openssh |openssl |
+| openswan |openvpn |p7zip |pcsc_lite |pigz |png |polarssl_fedora |
+| poppler |postgresql |pspp |python |qt |radare2 |rsyslog |
+| samba |sane_backends |sqlite |strongswan |subversion |sudo |syslogng |
+| systemd |tcpdump |trousers |varnish |webkitgtk |wireshark |wpa_supplicant |
+| xerces |xml2 |zlib |zsh | | | |
 <!--CHECKERS TABLE END-->
 
 All the checkers can be found in the checkers directory, as can the

cve_bin_tool/checkers/README.md

@@ -451,3 +451,6 @@ the product. We have done this in the checkers of `python`, `sqlite` and `kerber
 ## Updating checker table
 You do not need to run format_checkers.py to update the checker table in documentation.
 A pull request with updated checker table is created automatically when a new checker is merged. 
+
+## Pull Request Template
+When you are ready to share your code, you can go to [our pull request page](https://github.com/intel/cve-bin-tool/pulls) to make a new pull request from the web interface and to use the guided template for new checker, click on the `Compare & pull request` button and add `?template=new_checker.md` at the end of the url.

cve_bin_tool/checkers/__init__.py

@@ -20,6 +20,7 @@
     "bubblewrap",
     "busybox",
     "bzip2",
+    "commons_compress",
     "cronie",
     "cryptsetup",
     "cups",

cve_bin_tool/checkers/avahi.py

@@ -15,6 +15,8 @@ class AvahiChecker(Checker):
     CONTAINS_PATTERNS = [
         r"avahi_free",
         r"avahi_strerror",
+        # Alternate optional contains patterns,
+        # see https://github.com/intel/cve-bin-tool/tree/main/cve_bin_tool/checkers#helper-script for more details
         # r"avahi_string_list_free",
         # r"libavahi-common.so.3",
     ]

cve_bin_tool/checkers/bash.py

@@ -15,6 +15,8 @@ class BashChecker(Checker):
     CONTAINS_PATTERNS = [
         r"save_bash_input: buffer already exists for new fd %d",
         r"cannot allocate new file descriptor for bash input from fd %d",
+        # Alternate optional contains patterns,
+        # see https://github.com/intel/cve-bin-tool/tree/main/cve_bin_tool/checkers#helper-script for more details
         # r"bash manual page for the complete specification.",
         # r"bash_execute_unix_command: cannot find keymap for command",
     ]

cve_bin_tool/checkers/bind.py

@@ -15,6 +15,8 @@ class BindChecker(Checker):
     CONTAINS_PATTERNS = [
         r"bind9_check_key",
         r"bind9_check_namedconf",
+        # Alternate optional contains patterns,
+        # see https://github.com/intel/cve-bin-tool/tree/main/cve_bin_tool/checkers#helper-script for more details
         # r"/bind9.xsl",
     ]
     FILENAME_PATTERNS = [r"named"]

cve_bin_tool/checkers/busybox.py

@@ -15,6 +15,8 @@ class BusyboxChecker(Checker):
     CONTAINS_PATTERNS = [
         r"BusyBox is a multi-call binary that combines many common Unix",
         r"link to busybox for each function they wish to use and BusyBox",
+        # Alternate optional contains patterns,
+        # see https://github.com/intel/cve-bin-tool/tree/main/cve_bin_tool/checkers#helper-script for more details
         # r"BusyBox is copyrighted by many authors between 1998-2015.",
     ]
     FILENAME_PATTERNS = [r"busybox"]

cve_bin_tool/checkers/bzip2.py

@@ -15,6 +15,8 @@ class Bzip2Checker(Checker):
     CONTAINS_PATTERNS = [
         r"bzip2recover ([0-9]+\.[0-9]+\.[0-9]+): extracts blocks from damaged .bz2 files.",
         r"%s: BZ_MAX_HANDLED_BLOCKS in bzip2recover.c, and recompile.",
+        # Alternate optional contains patterns,
+        # see https://github.com/intel/cve-bin-tool/tree/main/cve_bin_tool/checkers#helper-script for more details
         # r"in the bzip2-1.0.6 source distribution.", # present only .rpm
     ]
     FILENAME_PATTERNS = [r"bzip2"]

cve_bin_tool/checkers/commons_compress.py

@@ -0,0 +1,22 @@
+# Copyright (C) 2022 Intel Corporation
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+
+"""
+CVE checker for Apache commons-compress:
+
+https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-59066/Apache-Commons-Compress.html
+"""
+from cve_bin_tool.checkers import Checker
+
+
+class CommonsCompressChecker(Checker):
+    CONTAINS_PATTERNS = [
+        r"Apache Commons Compress software defines an API for working with",
+        r"<url>http://commons.apache.org/proper/commons-compress/</url>",
+    ]
+    FILENAME_PATTERNS = [r"commons-compress(-[0-9]+\.[0-9]+(\.[0-9]+)?)?.jar"]
+    VERSION_PATTERNS = [
+        r"<artifactId>commons-compress</artifactId>\r?\n  <version>([0-9]+\.[0-9]+(\.[0-9]+)?)</version>"
+    ]
+    VENDOR_PRODUCT = [("apache", "commons_compress")]

cve_bin_tool/checkers/cups.py

@@ -16,6 +16,8 @@ class CupsChecker(Checker):
     CONTAINS_PATTERNS = [
         r"No limit for CUPS-Get-Document defined in policy %s and no suitable template found.",
         r"\*%%%%%%%% Created by the CUPS PPD Compiler CUPS v([0-9]+\.[0-9]+\.[0-9]+)"
+        # Alternate optional contains patterns,
+        # see https://github.com/intel/cve-bin-tool/tree/main/cve_bin_tool/checkers#helper-script for more details
         # r"Unable to edit cupsd.conf files larger than 1MB",
         # r"The web interface is currently disabled. Run \"cupsctl WebInterface=yes\" to enable it.",
         # r"cupsdAddSubscription: Reached MaxSubscriptions %d \(count=%d\)",

cve_bin_tool/checkers/curl.py

@@ -20,6 +20,8 @@ class CurlChecker(Checker):
     CONTAINS_PATTERNS = [
         r"Dump libcurl equivalent code of this command line",
         r"a specified protocol is unsupported by libcurl",
+        # Alternate optional contains patterns,
+        # see https://github.com/intel/cve-bin-tool/tree/main/cve_bin_tool/checkers#helper-script for more details
         # r"curl failed to verify the legitimacy of the server and therefore could not",
         # r"error retrieving curl library information",
         # r"ignoring --proxy-capath, not supported by libcurl",

cve_bin_tool/checkers/dbus.py

@@ -16,6 +16,8 @@ class DbusChecker(Checker):
     CONTAINS_PATTERNS = [
         r"dbus_connection_get_adt_audit_session_data",
         r"dbus_connection_set_dispatch_status_function",
+        # Alternate optional contains patterns,
+        # see https://github.com/intel/cve-bin-tool/tree/main/cve_bin_tool/checkers#helper-script for more details
         # r"dbus_connection_set_max_received_unix_fds",
         # r"dbus_connection_set_windows_user_function",
         # r"_dbus_connection_get_linux_security_label",

cve_bin_tool/checkers/dnsmasq.py

@@ -13,6 +13,8 @@
 class DnsmasqChecker(Checker):
     CONTAINS_PATTERNS = [
         r"Dnsmasq is free software, and you are welcome to redistribute it",
+        # Alternate optional contains patterns,
+        # see https://github.com/intel/cve-bin-tool/tree/main/cve_bin_tool/checkers#helper-script for more details
         # r"Allow access only to files owned by the user running dnsmasq\.",
         # r"Display dnsmasq version and copyright information\.",
     ]

cve_bin_tool/checkers/dovecot.py

@@ -15,6 +15,8 @@ class DovecotChecker(Checker):
     CONTAINS_PATTERNS = [
         r"BUG: Authentication client %u requested invalid authentication mechanism %s \(DOVECOT-TOKEN required\)",
         r"DOVECOT_SRAND is not available in non-debug builds",
+        # Alternate optional contains patterns,
+        # see https://github.com/intel/cve-bin-tool/tree/main/cve_bin_tool/checkers#helper-script for more details
         # r"Dovecot is already running with PID %s \(read from %s\)",
         # r"Dovecot is already running\? Socket already exists: %s",
         # r"Must be started by dovecot master process",

cve_bin_tool/checkers/freeradius.py

@@ -15,6 +15,8 @@ class FreeradiusChecker(Checker):
     CONTAINS_PATTERNS = [
         r"Application and libfreeradius-server magic number (commit) mismatch.  application: %lx library: %lx",
         r"Application and libfreeradius-server magic number (prefix) mismatch.  application: %x library: %x",
+        # Alternate optional contains patterns,
+        # see https://github.com/intel/cve-bin-tool/tree/main/cve_bin_tool/checkers#helper-script for more details
         # r"Application and libfreeradius-server magic number (version) mismatch.  application: %lx library: %lx",
         # r"FreeRADIUS Version ([0-9]+\.[0-9]+\.[0-9]+), for host aarch64-redhat-linux-gnu",
     ]

cve_bin_tool/checkers/gcc.py

@@ -16,6 +16,8 @@ class GccChecker(Checker):
     CONTAINS_PATTERNS = [
         r"Do not predefine system-specific and GCC-specific macros\.",
         r"Dump detailed information on GCC's internal representation of source code locations\.",
+        # Alternate optional contains patterns,
+        # see https://github.com/intel/cve-bin-tool/tree/main/cve_bin_tool/checkers#helper-script for more details
         # r"GCC is not configured to support %s as offload target",
         # r"IPA lattices after constant propagation, before gcc_unreachable:",
         # r"Record gcc command line switches in DWARF DW_AT_producer\.",

cve_bin_tool/checkers/gnupg.py

@@ -14,6 +14,8 @@ class GnupgChecker(Checker):
     CONTAINS_PATTERNS = [
         r"# \(Use \"gpg --import-ownertrust\" to restore them\)",
         r"Comment: Use \"gpg --dearmor\" for unpacking",
+        # Alternate optional contains patterns,
+        # see https://github.com/intel/cve-bin-tool/tree/main/cve_bin_tool/checkers#helper-script for more details
         # r"standalone revocation - use \"gpg --import\" to apply",
         # r"you can update your preferences with: gpg --edit-key %s updpref save",
     ]

cve_bin_tool/checkers/hdf5.py

@@ -15,6 +15,8 @@ class Hdf5Checker(Checker):
     CONTAINS_PATTERNS = [
         r"### HDF5 metadata cache trace file version 1 ###",
         r"%s'HDF5_DISABLE_VERSION_CHECK' environment variable is set to %d, application will",
+        # Alternate optional contains patterns,
+        # see https://github.com/intel/cve-bin-tool/tree/main/cve_bin_tool/checkers#helper-script for more details
         # r"The HDF5 header files used to compile this application do not match",
         # r"The HDF5 library version information are not consistent in its source code.",
         # r"This can happen when an application was compiled by one version of HDF5 but",

cve_bin_tool/checkers/irssi.py

@@ -15,6 +15,8 @@ class IrssiChecker(Checker):
     CONTAINS_PATTERNS = [
         r"Configuration file was modified since irssi was last started - do you want to overwrite the possible changes\?",
         r"# The real text formats that irssi uses are the ones you can find with",
+        # Alternate optional contains patterns,
+        # see https://github.com/intel/cve-bin-tool/tree/main/cve_bin_tool/checkers#helper-script for more details
         # r"# %%s : must be second - use Irssi; use Irssi::Irc; etc\.\.",
         # r"# When irssi expands the templates in \"format\", the final string would be:",
         # r"# When irssi sees this kind of text, it goes to find \"name\" from abstracts",

cve_bin_tool/checkers/liblas.py

@@ -14,6 +14,8 @@ class LiblasChecker(Checker):
     CONTAINS_PATTERNS = [
         r"N5boost6detail17sp_counted_impl_pIN6liblas5PointEEE",
         r"detail::liblas::read_n<T> input stream is not readable",
+        # Alternate optional contains patterns,
+        # see https://github.com/intel/cve-bin-tool/tree/main/cve_bin_tool/checkers#helper-script for more details
         # r"N5boost6detail17sp_counted_impl_pIN6liblas6detail10ReaderImplEEE",
         # r"liblas::detail::ReadeVLRData_str: array index out of range",
     ]

cve_bin_tool/checkers/libsndfile.py

@@ -15,6 +15,8 @@ class LibsndfileChecker(Checker):
     CONTAINS_PATTERNS = [
         r"No error defined for this error number. This is a bug in libsndfile.",
         r"NULL SF_INFO pointer passed to libsndfile.",
+        # Alternate optional contains patterns,
+        # see https://github.com/intel/cve-bin-tool/tree/main/cve_bin_tool/checkers#helper-script for more details
         # r"MATLAB 5.0 MAT-file, written by libsndfile-(\d+\.\d+\.\d+),",
     ]
     FILENAME_PATTERNS = [r"libsndfile.so"]

cve_bin_tool/checkers/varnish.py

@@ -13,6 +13,8 @@ class VarnishChecker(Checker):
     CONTAINS_PATTERNS = [
         r"\(pthread_create\(&v->tp, \(\(void \*\)0\), varnish_thread, v\)\) == 0",
         r"\(pthread_create\(&v->tp_vsl, \(\(void \*\)0\), varnishlog_thread, v\)\) == 0",
+        # Alternate optional contains patterns,
+        # see https://github.com/intel/cve-bin-tool/tree/main/cve_bin_tool/checkers#helper-script for more details
         # r"Clients that do not support gzip will have their Accept-Encoding header removed\. For more information on how gzip is implemented please see the chapter on gzip in the Varnish reference\.",
     ]
     FILENAME_PATTERNS = [r"varnish"]

cve_bin_tool/checkers/zsh.py

@@ -18,6 +18,8 @@ class ZshChecker(Checker):
     CONTAINS_PATTERNS = [
         r"zsh: sure you want to delete all %d files in",
         r"zsh: sure you want to delete all the files in",
+        # Alternate optional contains patterns,
+        # see https://github.com/intel/cve-bin-tool/tree/main/cve_bin_tool/checkers#helper-script for more details
         # r"--version  show zsh version number, then exit",
         # r"zsh: sure you want to delete more than %d files in",
         # r"zsh: sure you want to delete the only file in",

cve_bin_tool/helper_script.py

@@ -32,18 +32,13 @@ class HelperScript:
 
     def __init__(
         self,
-        filename: str,
         product_name: str | None = None,
         version_number: str | None = None,
         string_length: int = 40,
     ):
-        self.filename = filename
         self.extractor: TempDirExtractorContext = Extractor()
-        self.product_name, self.version_number = self.parse_filename(filename)
-        if product_name:
-            self.product_name = product_name
-        if version_number:
-            self.version_number = version_number
+        self.product_name = product_name
+        self.version_number = version_number
         self.string_length = string_length
 
         # for setting the database
@@ -57,14 +52,16 @@ def __init__(
         self.contains_patterns: list[str] = []
         self.filename_pattern: list[str] = []
         self.version_pattern: list[str] = []
-        self.vendor_product: list[tuple[str, str]] | None = self.find_vendor_product()
+        self.vendor_product: list[tuple[str, str]] | None = []
 
         # for scanning files versions
         self.version_scanner = VersionScanner()
 
     def extract_and_parse_file(self, filename: str) -> list[str] | None:
         """extracts and parses the file for common patterns, version strings and common filename patterns"""
 
+        self.parse_filename(filename)
+
         with self.extractor as ectx:
             if ectx.can_extract(filename):
                 binary_string_list: list[str] = []
@@ -175,8 +172,16 @@ def parse_filename(self, filename: str) -> tuple[str, str]:
                 product_name = filename.rsplit("-", 2)[0]
                 version_number = filename.rsplit("-", 2)[1]
 
+            if not self.product_name:
+                self.product_name = product_name
+
+            if not self.version_number:
+                self.version_number = version_number
+
+            self.vendor_product = self.find_vendor_product()
+
             LOGGER.debug(
-                f"Parsing file '{self.filename}': Results: product_name='{product_name}', version_number='{version_number}'"
+                f"Parsing file '{filename}': Results: product_name='{self.product_name}', version_number='{self.version_number}'"
             )
             return product_name, version_number
         else:
@@ -255,7 +260,7 @@ def output_single(self) -> None:
         rprint(
             textwrap.dedent(
                 f"""
-                [bright_black]# Copyright (C) 2021 Intel Corporation
+                [bright_black]# Copyright (C) 2022 Intel Corporation
                 # SPDX-License-Identifier: GPL-3.0-or-later[/]
 
 
@@ -357,12 +362,11 @@ def scan_files(args) -> None:
 
     hs_list: list[HelperScript] = [
         HelperScript(
-            args["filenames"][x],
             product_name=args["product_name"],
             version_number=args["version_number"],
             string_length=args["string_length"],
         )
-        for x, _ in enumerate(args["filenames"])
+        for _ in args["filenames"]
     ]
 
     if len(hs_list) > 1:  # more than one files are given - output common strings
@@ -377,8 +381,8 @@ def scan_files(args) -> None:
                 "VERSION_NUMBER in arguments, common strings may not be found if files have different versions"
             )
 
-        for hs in hs_list:
-            hs.extract_and_parse_file(hs.filename)
+        for i, hs in enumerate(hs_list):
+            hs.extract_and_parse_file(args["filenames"][i])
 
         common_strings = hs_list[0].contains_patterns
 
@@ -389,9 +393,8 @@ def scan_files(args) -> None:
         HelperScript.output_common(common_strings, hs_list[0].product_name)
 
     else:  # one file is given
-        for hs in hs_list:
-            hs.extract_and_parse_file(hs.filename)
-            hs.output_single()
+        hs_list[0].extract_and_parse_file(args["filenames"][0])
+        hs_list[0].output_single()
 
 
 def main(argv=None) -> None:

cve_bin_tool/output_engine/__init__.py

@@ -313,6 +313,7 @@ def output_pdf(
         products_with_cve,
         outfile,
         merge_report,
+        exploits: bool = False,
     ):
         LOGGER.warn("PDF output requires install of reportlab")