Merge branch 'main' into issue_781

Author: XDRAGON2002

.github/actions/spelling/allow.txt

@@ -260,6 +260,7 @@ pacman
 palletsprojects
 pcsc
 pdf
+PDFs
 pdftotext
 pdxjohnny
 peb
@@ -296,6 +297,7 @@ realpython
 rebasing
 refactoring
 regex
+reportlab
 Romi
 rossburton
 rpmfile

README.md

@@ -98,6 +98,38 @@ Vulnerability Exchange (VEX) format by specifying `--vex` command line option.
 The generated VEX file can then be used as an `--input-file` to support
 a triage process.
 
+If you wish to use PDF support, you will need to install the `reportlab`
+library separately.
+
+If you intend to use PDF support when you install cve-bin-tool you can specify it and report lab will be installed as part of the cve-bin-tool install:
+```console
+pip install cve-bin-tool[PDF]
+```
+
+If you've already installed cve-bin-tool you can add reportlab after the fact
+using pip:
+
+```console
+pip install --upgrade reportlab
+```
+
+Note that reportlab was taken out of the default cve-bin-tool install because
+it has a known CVE associated with it
+([CVE-2020-28463](https://nvd.nist.gov/vuln/detail/CVE-2020-28463)).  The
+cve-bin-tool code uses the recommended mitigations to limit which resources
+added to PDFs, as well as additional input validation.  This is a bit of a
+strange CVE because it describes core functionality of PDFs: external items,
+such as images, can be embedded in them, and thus anyone viewing a PDF could
+load an external image (similar to how viewing a web page can trigger external
+loads).  There's no inherent "fix" for that, only mitigations where users of
+the library must ensure only expected items are added to PDFs at the time of
+generation.
+
+Since users may not want to have software installed with an open, unfixable CVE
+associated with it, we've opted to make PDF support only available to users who
+have installed the library themselves.  Once the library is installed, the PDF
+report option will function.
+
 ## Full option list
 
 Usage:
@@ -110,6 +142,8 @@ Usage:
       --disable-version-check
                             skips checking for a new version
       --detailed            display detailed report
+      --disable-validation-check
+                            skips checking xml files against schema
       --offline             operate in offline mode							
 
     CVE Data Download:

cve_bin_tool/checkers/xml2.py

@@ -60,7 +60,7 @@ def guess_xml2_version(lines):
                 new_guess2 = match.group(1).strip()
                 if len(new_guess2) > len(new_guess):
                     new_guess = new_guess2
-        # If no version guessed, set version to UNKNOWN
+        # If no version guessed, set version to "UNKNOWN"
         return new_guess or "UNKNOWN"
 
     def get_version(self, lines, filename):

cve_bin_tool/cli.py

@@ -261,6 +261,11 @@ def main(argv=None):
         help="skips checking for a new version",
         default=False,
     )
+    parser.add_argument(
+        "--disable-validation-check",
+        action="store_true",
+        help="skips checking xml files against schema",
+    )
     parser.add_argument(
         "--offline",
         action="store_true",
@@ -559,6 +564,7 @@ def main(argv=None):
                 should_extract=args["extract"],
                 exclude_folders=args["exclude"],
                 error_mode=error_mode,
+                validate=not args["disable_validation_check"],
             )
             version_scanner.remove_skiplist(skips)
             LOGGER.info(f"Number of checkers: {version_scanner.number_of_checkers()}")
@@ -579,7 +585,10 @@ def main(argv=None):
         if args["sbom_file"]:
             # Process SBOM file
             sbom_list = SBOMManager(
-                args["sbom_file"], sbom_type=args["sbom"], logger=LOGGER
+                args["sbom_file"],
+                sbom_type=args["sbom"],
+                logger=LOGGER,
+                validate=not args["disable_validation_check"],
             )
             parsed_data = sbom_list.scan_file()
             LOGGER.info(