Description
The CVE Binary tool team is hoping to participate in Google Summer of Code (GSoC) under the Python Software Foundation umbrella. You can read all about what this means at http://python-gsoc.org/. This issue, and any others tagged 'gsoc' are not generally available bugs, but related to project ideas for GSoC.
Project Idea : Add new checkers to the CVE Binary Tool
Project description: The CVE Binary Tool, at launch, only had checkers for 10 different open source libraries. But if you look through our issues (search for new checkers) you can see that there are lots of others we'd like to have. For this project, you'll implement as many of those as you can, including producing tests. (This was also a project idea last year but there are always new checkers!)
(Don't worry that we're going to run out of checkers -- if we exhaust the current list, we can definitely find more to add.)
Skills: Python, git, experience reading source code for other languages a bonus
Difficulty level: Easy
Related Readings/Links: How to add new checkers
Potential mentors: @terriko @pdxjohnny
Getting Started: Python requires that all students submit a code sample as part of your application. For your first pull request, we recommend you write a new test case for an existing checker. The easiest one to do as a first pull request is a scanner test for a new version of a library we can already detect, but there are there are two types of easy tests you might want to try: CVE mapping test and CVE file test. Note: the way we add tests has changed recently, so please make sure to read the instructions!
Here's the instructions for the easier mapping test:
- Existing tests are in
test/ - You can see the scanner tests in 'tests/test_scanner.py'
- To add a new one, make a new test case that detects a few CVEs known to occur in this version, and a few that are known not to occur in that version. For example, this is how the current tests look like. You should add the details of the new test case in the
@pytest.mark.parametrizedecorator of test_binaries test::
@pytest.mark.parametrize(
"binary, package, version, are_in, not_in",
[
(
"test-bluetoothctl-5.42libbluetooth.so.out",
"bluetoothctl",
"5.42",
[
# for known CVE
"CVE-2016-9797",
"CVE-2016-9798",
"CVE-2016-9799",
"CVE-2016-9800",
"CVE-2016-9801",
"CVE-2016-9802",
"CVE-2016-9803",
"CVE-2016-9804",
"CVE-2016-9917",
# "CVE-2016-9918",
],
[
# for older version
"CVE-2016-7837"
],
),
(
"test-icu-3.8.1.out",
"international_components_for_unicode",
"3.8.1",
["CVE-2007-4770", "CVE-2007-4771"],
["CVE-2019-3823"],
),
(
"test-icu-dos.out",
"international_components_for_unicode",
"3.8.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1",
["CVE-2014-9911"],
["CVE-2019-3823"],
),
(
"test-curl-7.34.0.out",
"curl",
"7.34.0",
[
"CVE-2019-3823",
"CVE-2018-14618",
"CVE-2017-1000101",
], # CVE-2017-1000101 needs supplemental data
[],
),
.....
.....
.....
def test_binaries(self, binary, package, version, are_in, not_in):
self._binary_test(binary, package, version, are_in, not_in)
- Not sure what CVEs apply to a version? The checkers themselves often have links, and have the vendor/product pair so you can find them in the national vulnerability database as well. Here's a link to the openssl checker for you to look at and the rest are in
cve-bin-tool/checkers/ - You'll also need to make a fake file designed to trick the checker into thinking it has found that version of the library. You can see these files in
test/binaries/ - Please note that sometimes the database we're using doesn't have perfect mapping between CVEs and product versions -- if you try to write a test that doesn't work because of that mapping but the description in the CVE says that version should be vulnerable, don't discard it! Instead, please make a note of it in a github issue can investigate and maybe report it upstream.
Extra credit: Got your test working and want to try something more? You can also try adding a checker before the project starts. See the related readings above for instructions.