diff --git a/.github/actions/spelling/allow.txt b/.github/actions/spelling/allow.txt
index aa7a755d9d..a34745b49c 100644
--- a/.github/actions/spelling/allow.txt
+++ b/.github/actions/spelling/allow.txt
@@ -58,6 +58,8 @@ cleartext
clnt
cmdline
codecov
+commons
+compress
conda
config
conventionalcommits
diff --git a/README.md b/README.md
index fbdee29b94..5eb771e1ff 100644
--- a/README.md
+++ b/README.md
@@ -244,24 +244,24 @@ The following checkers are available for finding components in binary files:
| | | | Available checkers | | | |
-|--------------- |--------- |---------- |--------------- |------------ |--------------- |------------- |
+|--------------- |------------- |---------------- |---------- |--------------- |------------ |--------------- |
| accountsservice |avahi |bash |bind |binutils |bolt |bubblewrap |
-| busybox |bzip2 |cronie |cryptsetup |cups |curl |dbus |
-| dnsmasq |dovecot |dpkg |enscript |expat |ffmpeg |freeradius |
-| ftp |gcc |gimp |glibc |gnomeshell |gnupg |gnutls |
-| gpgme |gstreamer |gupnp |haproxy |hdf5 |hostapd |hunspell |
-| icecast |icu |irssi |jacksondatabind |kbd |kerberos |kexectools |
-| libarchive |libbpg |libdb |libebml |libgcrypt |libical |libjpeg_turbo |
-| liblas |libnss |librsvg |libseccomp |libsndfile |libsolv |libsoup |
-| libsrtp |libssh2 |libtiff |libvirt |libvncserver |libxslt |lighttpd |
-| logrotate |lua |mariadb |mdadm |memcached |mtr |mysql |
-| nano |ncurses |nessus |netpbm |nginx |node |ntp |
-| open_vm_tools |openafs |openjpeg |openldap |openssh |openssl |openswan |
-| openvpn |p7zip |pcsc_lite |pigz |png |polarssl_fedora |poppler |
-| postgresql |pspp |python |qt |radare2 |rsyslog |samba |
-| sane_backends |sqlite |strongswan |subversion |sudo |syslogng |systemd |
-| tcpdump |trousers |varnish |webkitgtk |wireshark |wpa_supplicant |xerces |
-| xml2 |zlib |zsh | | | | |
+| busybox |bzip2 |commons_compress |cronie |cryptsetup |cups |curl |
+| dbus |dnsmasq |dovecot |dpkg |enscript |expat |ffmpeg |
+| freeradius |ftp |gcc |gimp |glibc |gnomeshell |gnupg |
+| gnutls |gpgme |gstreamer |gupnp |haproxy |hdf5 |hostapd |
+| hunspell |icecast |icu |irssi |jacksondatabind |kbd |kerberos |
+| kexectools |libarchive |libbpg |libdb |libebml |libgcrypt |libical |
+| libjpeg_turbo |liblas |libnss |librsvg |libseccomp |libsndfile |libsolv |
+| libsoup |libsrtp |libssh2 |libtiff |libvirt |libvncserver |libxslt |
+| lighttpd |logrotate |lua |mariadb |mdadm |memcached |mtr |
+| mysql |nano |ncurses |nessus |netpbm |nginx |node |
+| ntp |open_vm_tools |openafs |openjpeg |openldap |openssh |openssl |
+| openswan |openvpn |p7zip |pcsc_lite |pigz |png |polarssl_fedora |
+| poppler |postgresql |pspp |python |qt |radare2 |rsyslog |
+| samba |sane_backends |sqlite |strongswan |subversion |sudo |syslogng |
+| systemd |tcpdump |trousers |varnish |webkitgtk |wireshark |wpa_supplicant |
+| xerces |xml2 |zlib |zsh | | | |
All the checkers can be found in the checkers directory, as can the
diff --git a/cve_bin_tool/checkers/__init__.py b/cve_bin_tool/checkers/__init__.py
index fbf2d8b018..5d2b4d4bd6 100644
--- a/cve_bin_tool/checkers/__init__.py
+++ b/cve_bin_tool/checkers/__init__.py
@@ -20,6 +20,7 @@
"bubblewrap",
"busybox",
"bzip2",
+ "commons_compress",
"cronie",
"cryptsetup",
"cups",
diff --git a/cve_bin_tool/checkers/commons_compress.py b/cve_bin_tool/checkers/commons_compress.py
new file mode 100644
index 0000000000..bf3f3be40d
--- /dev/null
+++ b/cve_bin_tool/checkers/commons_compress.py
@@ -0,0 +1,22 @@
+# Copyright (C) 2022 Intel Corporation
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+
+"""
+CVE checker for Apache commons-compress:
+
+https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-59066/Apache-Commons-Compress.html
+"""
+from cve_bin_tool.checkers import Checker
+
+
+class CommonsCompressChecker(Checker):
+ CONTAINS_PATTERNS = [
+ r"Apache Commons Compress software defines an API for working with",
+ r"http://commons.apache.org/proper/commons-compress/",
+ ]
+ FILENAME_PATTERNS = [r"commons-compress(-[0-9]+\.[0-9]+(\.[0-9]+)?)?.jar"]
+ VERSION_PATTERNS = [
+ r"commons-compress\r?\n ([0-9]+\.[0-9]+(\.[0-9]+)?)"
+ ]
+ VENDOR_PRODUCT = [("apache", "commons_compress")]
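Review bot: The `.` before `jar` in `FILENAME_PATTERNS` is unescaped and the pattern has no end anchor, so it matches any character in that position and also names that merely start like a jar; `r"commons-compress(-[0-9]+\.[0-9]+(\.[0-9]+)?)?\.jar$"` would be tighter. In `VERSION_PATTERNS` the optional patch component is a second capturing group. The `Checker` base class is outside this diff, so if it reads matches through `findall` or anything other than group 1, the non-capturing form `(?:\.[0-9]+)?` is the safer spelling. The dots in the second `CONTAINS_PATTERNS` URL are presumably regex wildcards as well, which is harmless here, but loose patterns in a CVE scanner turn into false-positive findings, so escaping them is worth the few characters.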
diff --git a/doc/MANUAL.md b/doc/MANUAL.md
index 46458f310d..a3ff40a280 100644
--- a/doc/MANUAL.md
+++ b/doc/MANUAL.md
@@ -128,24 +128,24 @@ which is useful if you're trying the latest code from
| | | | Available checkers | | | |
-|--------------- |--------- |---------- |--------------- |------------ |--------------- |------------- |
+|--------------- |------------- |---------------- |---------- |--------------- |------------ |--------------- |
| accountsservice |avahi |bash |bind |binutils |bolt |bubblewrap |
-| busybox |bzip2 |cronie |cryptsetup |cups |curl |dbus |
-| dnsmasq |dovecot |dpkg |enscript |expat |ffmpeg |freeradius |
-| ftp |gcc |gimp |glibc |gnomeshell |gnupg |gnutls |
-| gpgme |gstreamer |gupnp |haproxy |hdf5 |hostapd |hunspell |
-| icecast |icu |irssi |jacksondatabind |kbd |kerberos |kexectools |
-| libarchive |libbpg |libdb |libebml |libgcrypt |libical |libjpeg_turbo |
-| liblas |libnss |librsvg |libseccomp |libsndfile |libsolv |libsoup |
-| libsrtp |libssh2 |libtiff |libvirt |libvncserver |libxslt |lighttpd |
-| logrotate |lua |mariadb |mdadm |memcached |mtr |mysql |
-| nano |ncurses |nessus |netpbm |nginx |node |ntp |
-| open_vm_tools |openafs |openjpeg |openldap |openssh |openssl |openswan |
-| openvpn |p7zip |pcsc_lite |pigz |png |polarssl_fedora |poppler |
-| postgresql |pspp |python |qt |radare2 |rsyslog |samba |
-| sane_backends |sqlite |strongswan |subversion |sudo |syslogng |systemd |
-| tcpdump |trousers |varnish |webkitgtk |wireshark |wpa_supplicant |xerces |
-| xml2 |zlib |zsh | | | | |
+| busybox |bzip2 |commons_compress |cronie |cryptsetup |cups |curl |
+| dbus |dnsmasq |dovecot |dpkg |enscript |expat |ffmpeg |
+| freeradius |ftp |gcc |gimp |glibc |gnomeshell |gnupg |
+| gnutls |gpgme |gstreamer |gupnp |haproxy |hdf5 |hostapd |
+| hunspell |icecast |icu |irssi |jacksondatabind |kbd |kerberos |
+| kexectools |libarchive |libbpg |libdb |libebml |libgcrypt |libical |
+| libjpeg_turbo |liblas |libnss |librsvg |libseccomp |libsndfile |libsolv |
+| libsoup |libsrtp |libssh2 |libtiff |libvirt |libvncserver |libxslt |
+| lighttpd |logrotate |lua |mariadb |mdadm |memcached |mtr |
+| mysql |nano |ncurses |nessus |netpbm |nginx |node |
+| ntp |open_vm_tools |openafs |openjpeg |openldap |openssh |openssl |
+| openswan |openvpn |p7zip |pcsc_lite |pigz |png |polarssl_fedora |
+| poppler |postgresql |pspp |python |qt |radare2 |rsyslog |
+| samba |sane_backends |sqlite |strongswan |subversion |sudo |syslogng |
+| systemd |tcpdump |trousers |varnish |webkitgtk |wireshark |wpa_supplicant |
+| xerces |xml2 |zlib |zsh | | | |
For a quick overview of usage and how it works, you can also see [the readme file](README.md).
diff --git a/test/condensed-downloads/apache-commons-compress-1.21-1.fc35.noarch.rpm.tar.gz b/test/condensed-downloads/apache-commons-compress-1.21-1.fc35.noarch.rpm.tar.gz
new file mode 100644
index 0000000000..404006a436
Binary files /dev/null and b/test/condensed-downloads/apache-commons-compress-1.21-1.fc35.noarch.rpm.tar.gz differ
diff --git a/test/condensed-downloads/commons-compress-1.16.1.jar.tar.gz b/test/condensed-downloads/commons-compress-1.16.1.jar.tar.gz
new file mode 100644
index 0000000000..f84d6c7bc3
Binary files /dev/null and b/test/condensed-downloads/commons-compress-1.16.1.jar.tar.gz differ
diff --git a/test/test_data/commons_compress.py b/test/test_data/commons_compress.py
new file mode 100644
index 0000000000..764f1a2a99
--- /dev/null
+++ b/test/test_data/commons_compress.py
@@ -0,0 +1,33 @@
+# Copyright (C) 2022 Intel Corporation
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+mapping_test_data = [
+ {
+ "product": "commons_compress",
+ "version": "1.18",
+ "version_strings": [
+ "commons-compress\r\n 1.18"
+ ],
+ },
+ {
+ "product": "commons_compress",
+ "version": "1.15.1",
+ "version_strings": [
+ "commons-compress\r\n 1.15.1"
+ ],
+ },
+]
+package_test_data = [
+ {
+ "url": "https://repo1.maven.org/maven2/org/apache/commons/commons-compress/1.16.1/",
+ "package_name": "commons-compress-1.16.1.jar",
+ "product": "commons_compress",
+ "version": "1.16.1",
+ },
+ {
+ "url": "http://rpmfind.net/linux/fedora/linux/releases/35/Everything/x86_64/os/Packages/a/",
+ "package_name": "apache-commons-compress-1.21-1.fc35.noarch.rpm",
+ "product": "commons_compress",
+ "version": "1.21",
+ },
+]
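Review bot: The second `package_test_data` entry points at `http://rpmfind.net/...`, so whenever the test suite downloads that RPM rather than using the committed condensed copy, the file it unpacks and scans arrives without transport integrity. Prefer an `https://` URL for the same path if the mirror serves one. Separately, both `mapping_test_data` strings use `\r\n` while the checker's version pattern accepts `\r?\n`; adding a case such as `"commons-compress\n 1.18"` would exercise the LF-only branch.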