diff --git a/.github/actions/spelling/allow.txt b/.github/actions/spelling/allow.txt
index bab62515f7..59b662e5af 100644
--- a/.github/actions/spelling/allow.txt
+++ b/.github/actions/spelling/allow.txt
@@ -38,6 +38,7 @@ bash
 bashrc
 bazel
 bcca
+bcrypt
 bdbd
 bdist
 bestpractices
@@ -129,6 +130,7 @@ cybersecurity
 cygwin
 d
 darkhttpd
+datasource
 dav
 davfs
 dbus
diff --git a/README.md b/README.md
index 27393720e2..9becb2bf7c 100644
--- a/README.md
+++ b/README.md
@@ -163,12 +163,12 @@ We also provide an example [GitHub action](https://github.com/intel/cve-bin-tool
 ## Output Options
-The CVE Binary Tool provides console-based output by default. If you wish to provide another format, you can specify this and a filename on the command line using `--format`. The valid formats are CSV, JSON, console, HTML and PDF. The output filename can be specified using the `--output-file` flag.
+The CVE Binary Tool provides console-based output by default. If you wish to provide another format, you can specify this and a filename on the command line using `--format`. The valid formats are CSV, JSON, JSON2, console, HTML and PDF. The output filename can be specified using the `--output-file` flag.
 You can also specify multiple output formats by using comma (',') as separator:
 ```bash
-cve-bin-tool file -f csv,json,html -o report
+cve-bin-tool file -f csv,json,json2,html -o report
 ```
 Note: You must not use spaces between the commas (',') and the output formats.
@@ -473,7 +473,7 @@ Output:
 provide output filename (default: output to stdout)
 --html-theme HTML_THEME
 provide custom theme directory for HTML Report
- -f {csv,json,console,html,pdf}, --format {csv,json,console,html,pdf}
+ -f {csv,json,json2,console,html,pdf}, --format {csv,json,json2,console,html,pdf}
 update output format (default: console)
 specify multiple output formats by using comma (',') as a separator
 note: don't use spaces between comma (',') and the output formats.
diff --git a/doc/MANUAL.md b/doc/MANUAL.md
index 6f031fb15b..c50bc8d99b 100644
--- a/doc/MANUAL.md
+++ b/doc/MANUAL.md
@@ -153,7 +153,7 @@ which is useful if you're trying the latest code from
 provide output filename (default: output to stdout)
 --html-theme HTML_THEME
 provide custom theme directory for HTML Report
- -f {csv,json,console,html,pdf}, --format {csv,json,console,html,pdf}
+ -f {csv,json,json2,console,html,pdf}, --format {csv,json,json2,console,html,pdf}
 update output format (default: console)
 specify multiple output formats by using comma (',') as a separator
 note: don't use spaces between comma (',') and the output formats.
@@ -573,6 +573,173 @@ EPSS bridges this gap by incorporating up-to-date threat information from CVE an
 ![JSON metric table](images/metric/JSON.png)
+- JSON2
+
+```json
+{
+ "$schema": "",
+ "metadata": {
+ "tool": {
+ "name": "cve-bin-tool",
+ "version": "3.4rc0"
+ },
+ "generation_date": "2024-08-28 18:56:24",
+ "parameter": {
+ "options": {
+ "help": null,
+ "exclude": [],
+ "version": null,
+ "disable-version-check": false,
+ "disable-validation-check": false,
+ "offline": false,
+ "detailed": false
+ },
+ "cve_data_download": {
+ "nvd": "json-mirror",
+ "update": "daily",
+ "nvd-api-key": "",
+ "disable-data-source": [],
+ "use-mirror": ""
+ },
+ "input": {
+ "directory": "test/language_data/Gemfile.lock",
+ "input-file": "",
+ "config": "",
+ "package-list": "",
+ "sbom": "",
+ "sbom-file": "",
+ "vex-file": ""
+ },
+ "output": {
+ "quiet": false,
+ "log-level": "info",
+ "output-file": "/tmp/gem.json",
+ "html-theme": "",
+ "format": "json2",
+ "generate-config": "",
+ "cvss": 0,
+ "severity": "low",
+ "metrics": false,
+ "epss-percentile": null,
+ "epss-probability": null,
+ "no-0-cve-report": false,
+ "available-fix": "",
+ "backport-fix": "",
+ "affected-versions": 0,
+ "sbom-output": "",
+ "sbom-type": "spdx",
+ "sbom-format": "tag"
+ },
+ "vex_output": {
+ "vex-output": "",
+ "vex-type": "",
+ "product": "",
+ "release": "",
+ "vendor": "",
+ "revision-reason": "",
+ "filter-triage": false
+ },
+ "merge_report": {
+ "append": false,
+ "tag": "",
+ "merge": null,
+ "filter": []
+ },
+ "checkers": {
+ "skips": "",
+ "runs": ""
+ },
+ "database_management": {
+ "import-json": "",
+ "ignore-sig": false,
+ "log-signature-error": false,
+ "verify": "",
+ "export-json": "",
+ "pgp-sign": "",
+ "passphrase": "",
+ "export": "",
+ "import": ""
+ },
+ "exploits": {
+ "exploits": false
+ },
+ "deprecated": {
+ "extract": true,
+ "report": false
+ }
+ }
+ },
+ "database_info": {
+ "last_updated": "2024-08-28 18:29:40",
+ "total_entries": {
+ "NVD": 251104,
+ "OSV": 172654,
+ "GAD": 20792,
+ "REDHAT": 18002
+ }
+ },
+ "vulnerabilities": {
+ "summary": {
+ "CRITICAL": 14,
+ "HIGH": 57,
+ "MEDIUM": 39,
+ "LOW": 8,
+ "UNKNOWN": 19
+ },
+ "report": [
+ {
+ "datasource": "OSV",
+ "entries": [
+ {
+ "vendor": "microsoft",
+ "product": "azure-storage-blob",
+ "version": "2.0.3",
+ "location": "test/language_data/Gemfile.lock",
+ "cve_number": "CVE-2022-30187",
+ "severity": "MEDIUM",
+ "score": "4.7",
+ "source": "OSV",
+ "cvss_version": "3",
+ "cvss_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
+ "paths": "test/language_data/Gemfile.lock",
+ "remarks": "NewFound",
+ "comments": ""
+ },
+ {
+ ...
+ }
+ ]
+ },
+ {
+ "datasource": "NVD",
+ "entries": [
+ {
+ "vendor": "unknown",
+ "product": "bcrypt",
+ "version": "3.1.16",
+ "location": "test/language_data/Gemfile.lock",
+ "cve_number": "CVE-2020-7689",
+ "severity": "HIGH",
+ "score": "7.5",
+ "source": "NVD",
+ "cvss_version": "3",
+ "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
+ "paths": "test/language_data/Gemfile.lock",
+ "remarks": "NewFound",
+ "comments": ""
+ },
+ {
+ ...
+ }
+ ]
+ }
+ ]
+ }
+}
+```
+
+
+
 ## Optional Arguments
 ### -e EXCLUDE, --exclude EXCLUDE
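Review bot: The JSON2 example documents a `metadata.parameter` block that echoes the scan's command-line options, including `"nvd-api-key"` (under `cve_data_download`) and `"passphrase"` (under `database_management`), but the text does not say whether a supplied value is written to the report or redacted; both are empty strings in the sample, so it cannot be told from this hunk. Reports like this tend to be shared and archived, so I would state the behaviour right under the example, for instance `Note: the metadata block records the options used for the scan; check it for secrets and local paths before publishing a report.`, and confirm in the report writer that the two secret fields are masked. The sample also shows `"$schema": ""`; it is worth saying whether a schema URL will be filled in so consumers can validate the format.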