Releases: intel/cve-bin-tool
Releases · intel/cve-bin-tool
CVE Binary Tool pre-release 3.3a0
Preview release for 3.3, which will hopefully be coming in December.
There's a lot of changes in this release (see below, more curated release notes to come), but I'm particularly eager to have people try out the new version compare function and make sure it is sufficiently robust for arbitrary versions, as we needed to migrate away from the function provided in python packaging as it could not handle some of the versions we see in the NVD data.
What's Changed
- fix: java parser failing to match vendor on product without '-' by @bcieszko in #2961
- feat(checker): New checker request - GNU emacs by @bcieszko in #2941
- chore: update SBOM for Python 3.7 by @github-actions in #3025
- chore: update SBOM for Python 3.10 by @github-actions in #3024
- chore: update SBOM for Python 3.9 by @github-actions in #3023
- chore: update SBOM for Python 3.8 by @github-actions in #3022
- chore: update SBOM for Python 3.11 by @github-actions in #3021
- [StepSecurity] Apply security best practices by @step-security-bot in #3031
- fix: Enhance SBOM docs (fixes #2922) by @offsake in #3029
- ci: adjust dependabot config to limit false positives by @terriko in #3033
- chore: update checkers table by @github-actions in #3026
- chore: bump to dev version 3.2.2dev0 by @terriko in #3019
- chore(deps): bump actions/dependency-review-action from 2.5.1 to 3.0.4 by @dependabot in #3034
- chore: update SBOM for Python 3.7 by @github-actions in #3040
- chore: update SBOM for Python 3.8 by @github-actions in #3039
- chore: update SBOM for Python 3.9 by @github-actions in #3038
- chore: update SBOM for Python 3.11 by @github-actions in #3037
- chore: update SBOM for Python 3.10 by @github-actions in #3036
- feat(checker): add mini_httpd checker by @ffontaine in #3020
- feat(checker): add libmicrohttpd checker by @ffontaine in #3014
- ci: fix dependabot config by @terriko in #3041
- chore: update pre-commit config by @github-actions in #2968
- feat(checker): add cpio checker by @ffontaine in #3013
- ci: Harden GitHub Actions [StepSecurity] by @step-security-bot in #3043
- feat(checker): add sngrep checker by @ffontaine in #3035
- feat(checker): add fluidsynth checker by @ffontaine in #3012
- feat(checker): add pixman checker by @ffontaine in #3010
- feat(checker): add ldns checker by @ffontaine in #3004
- feat(checker): add gzip checker by @ffontaine in #2998
- chore: update checkers table by @github-actions in #3044
- ci: Dependabot "duplicated" lines and ignore "*" by @terriko in #3045
- chore(deps): bump github/codeql-action from 2.1.27 to 2.3.5 by @dependabot in #3049
- chore(deps): bump actions/dependency-review-action from 3.0.4 to 3.0.6 by @dependabot in #3051
- chore(deps): bump actions/checkout from 3.1.0 to 3.5.2 by @dependabot in #3050
- chore: update pre-commit config by @github-actions in #3048
- ci: pin dependency-review linux, fix dependabot by @terriko in #3055
- feat(checker): add gdk-pixbuf checker by @ffontaine in #3011
- feat(checker): add libtasn1 checker by @ffontaine in #3000
- feat(checker): add dmidecode checker by @ffontaine in #2997
- feat(checker): add libgd checker by @ffontaine in #2978
- feat: merged report content change and comments added in html reports by @gvozzolo in #2913
- feat: add support for pgp signing (#2577) by @b31ngd3v in #2882
- chore: update checkers table by @github-actions in #3061
- chore: update SBOM for Python 3.8 by @github-actions in #3070
- chore: update SBOM for Python 3.7 by @github-actions in #3069
- chore: update SBOM for Python 3.10 by @github-actions in #3068
- chore: update SBOM for Python 3.9 by @github-actions in #3067
- chore: update SBOM for Python 3.11 by @github-actions in #3066
- ci: up timeouts on short and long tests by @terriko in #3072
- feat(checker): add udisks checker by @ffontaine in #2999
- feat(scanner): slight update in version display by @ffontaine in #3063
- feat(checker): add readline checker by @ffontaine in #2976
- feat(checker): add ntfs-3g checker by @ffontaine in #2973
- feat(checker): add ngircd checker by @ffontaine in #3003
- feat(checker): add libmodbus checker by @ffontaine in #3002
- feat(checker): add coreutils checker by @ffontaine in #3001
- fix: improve openssl checker by @ffontaine in #2987
- chore(deps): bump actions/upload-artifact from 3.1.0 to 3.1.2 by @dependabot in #3052
- chore: update SBOM for Python 3.8 by @github-actions in #3082
- fix: root file path of vulnerable component is missing by @b31ngd3v in #3088
- chore: update SBOM for Python 3.9 by @github-actions in #3081
- chore: update SBOM for Python 3.10 by @github-actions in #3080
- chore: update SBOM for Python 3.11 by @github-actions in #3079
- chore: update SBOM for Python 3.7 by @github-actions in #3078
- chore: update checkers table by @github-actions in #3073
- chore(deps): bump step-security/harden-runner from 2.4.0 to 2.4.1 by @dependabot in #3090
- chore(deps-dev): bump pre-commit from 3.3.2 to 3.3.3 by @dependabot in #3087
- chore(deps): bump github/codeql-action from 2.3.5 to 2.20.0 by @dependabot in #3086
- chore(deps): bump peter-evans/create-pull-request from 5.0.1 to 5.0.2 by @dependabot in #3085
- chore(deps): bump actions/checkout from 3.5.2 to 3.5.3 by @dependabot in #3084
- fix: improve luajit checker by @ffontaine in #2993
- fix: improve gimp checker by @ffontaine in #2992
- ci: Automatically committing/suggesting linter fixes for PRs by @metabiswadeep in #3017
- chore(deps): bump sphinx from 4.4.0 to 7.0.1 in /doc by @dependabot in #3056
- fix: improve nghttp2 checker by @ffontaine in #2991
- docs: adding database schema by @Rexbeast2 in #3097
- chore(deps): bump github/codeql-action from 2.20.0 to 2.20.1 by @dependabot in #3098
- fix: fix xerces CPE ID by @ffontaine in #2932
- docs: including doc in build by @Rexbeast2 in #3102
- chore: update SBOM for Python 3.8 by @github-actions in #3111
- chore: update SBOM for Python 3.11 by @github-actions in #3110
- chore: update SBOM for Python 3.7 by @github-actions in #3109
- chore: update SBOM for Python 3.10 by @github-actions in #3108
- chore: update SBOM for Python 3.9 by @github-actions in #3107
- fix: report is not generated when no CVEs detected (#3028) by @b31ngd3v in #3075
- ci: dedeuplicate usage of codeql by @metabiswadeep in #3100
- feat: adding epss data by @Rexbeast...
Contributors
terriko, ffontaine, and 41 other contributors
Assets 2
CVE Binary Tool 3.2.1
Due to a change in the data used for the curl data source, we're issuing a slightly out of band point release for users unable to use 3.2.
There are a number of checker updates to address false positives, new checkers, and other bug fixes and features as described below.
One commonly requested feature has made it into this release: generation of SBOMs. Please try it out and let us know where it can be improved!
Thanks especially to the many new contributors in this release (you can see the list at the bottom)
- Many of you joined us via the Google Summer of Code 2023 selection process: I wish we'd had mentors and slots available to have more of you as paid contributors this year!
- Some of you also joined us via the Intel Open Source Hackathon: thank you so much for taking the time to work with us and it's been a delight to work with so many experienced coders during the event.
- And some of you just stopped by on your own with great ideas and fixes. Thank you!
What's Changed
- feat(checker): Added Mozilla Thunderbird checker by @metabiswadeep in #2429
- feat(checker): add dropbear checker by @ffontaine in #2452
- chore: update checkers table by @github-actions in #2454
- ci: Switching version of python used for long tests by @metabiswadeep in #2438
- feat(checker): add doxygen checker by @ffontaine in #2455
- feat(checker): add faad2 checker by @ffontaine in #2458
- feat(checker): add flac checker by @ffontaine in #2459
- feat(checker): Added qemu checker by @metabiswadeep in #2460
- feat(checker): Added kubernetes checker by @metabiswadeep in #2462
- chore: bump version to 3.2.1dev0 by @terriko in #2468
- chore: update checkers table by @github-actions in #2467
- docs: Add short new contributor tips for copying into pull requests by @terriko in #2466
- fix: Improve firefox checker pattern by @metabiswadeep in #2469
- chore: update spdx header by @github-actions in #2478
- ci: remove pdf tests from windows short tests by @DangerChamp in #2465
- fix: improve output of cve-scan github action for cve by @ayushthe1 in #2475
- ci(SBOM): better SBOM maintenance by @Molkree in #2481
- ci: test on Python 3.11 by @Molkree in #2419
- fix: gad_source error while updating cache by @b31ngd3v in #2484
- ci(js): update workflow for updating JS by @Molkree in #2479
- ci: add mypy for type checking by @Molkree in #2488
- fix(tests): use importlib_metadata.version on 3.7 by @Molkree in #2482
- chore: update js dependencies by @github-actions in #2491
- chore: update SBOM for Python 3.7 by @github-actions in #2506
- chore: update SBOM for Python 3.8 by @github-actions in #2505
- chore: update SBOM for Python 3.9 by @github-actions in #2503
- chore: update SBOM for Python 3.10 by @github-actions in #2502
- chore: update SBOM for Python 3.11 by @github-actions in #2504
- fix: encoding issues on Windows by @Molkree in #2499
- fix: improve sqlite pattern by @ffontaine in #2497
- fix: update cve count of mit.kerberos_5 by @b31ngd3v in #2531
- Let 'cve-bin-tool --version' return success by @raboof in #2524
- feat(checker): add capnproto checker by @ffontaine in #2510
- fix: fix false positives with filename patterns by @ffontaine in #2521
- fix: type for capnproto checker by @metabiswadeep in #2535
- chore: update SBOM for Python 3.8 by @github-actions in #2555
- chore: update SBOM for Python 3.7 by @github-actions in #2554
- chore: update SBOM for Python 3.11 by @github-actions in #2553
- chore: update SBOM for Python 3.10 by @github-actions in #2552
- chore: update SBOM for Python 3.9 by @github-actions in #2551
- chore: update checkers table by @github-actions in #2534
- fix: Fail more gracefully when pip --dry-run doesn't work by @metabiswadeep in #2476
- fix: fix recursively typo by @ffontaine in #2536
- ci: use linux cache since windows is broken by @terriko in #2558
- fix: test_update_flags and pdf encoding error by @terriko in #2557
- fix: replace space in test filename by @ffontaine in #2537
- fix: Remove LGTM badge by @metabiswadeep in #2561
- chore: update SBOM for Python 3.7 by @github-actions in #2572
- chore: update SBOM for Python 3.9 by @github-actions in #2571
- chore: update SBOM for Python 3.8 by @github-actions in #2570
- chore: update SBOM for Python 3.11 by @github-actions in #2569
- chore: update SBOM for Python 3.10 by @github-actions in #2568
- feat: add php language parser by @Rexbeast2 in #2567
- test: improve test_csv2cve_valid_file for future failures by @b31ngd3v in #2548
- docs: Docs claim that ar is installed by default on Windows by @metabiswadeep in #2496
- feat(cve_scanner): add vendor to affected by @ffontaine in #2512
- fix: commonmark no longer a dependency by @terriko in #2574
- test: Improve testing to include checkers that should not match by @metabiswadeep in #2560
- ci: extend windows timeouts by @terriko in #2578
- feat: Integration with NVD API 2.0 (#2542) by @anthonyharrison in #2562
- feat: Check database schema for cve_exploits table by @metabiswadeep in #2566
- feat(checker): add lxc checker by @ffontaine in #2538
- fix: improve gstreamer checker by @ffontaine in #2541
- fix: improve sudo checker by @ffontaine in #2527
- fix: improve openjpeg checker by @ffontaine in #2526
- fix: improve libarchive checker by @ffontaine in #2523
- fix: improve libjpeg-turbo checker by @ffontaine in #2514
- fix: improve systemd checker by @ffontaine in #2507
- feat(checker): add nasm checker by @ffontaine in #2470
- fix: improve icecast checker by @ffontaine in #2545
- fix: improve ftp checker by @ffontaine in #2544
- fix: Remove bogus comment by @metabiswadeep in #2585
- fix: improve logrotate checker by @ffontaine in #2528
- feat(checker): add msmtp checker by @ffontaine in #2588
- ci: removed windows-specific cache by @singh-anushka in #2587
- fix: xmlschema log msg by @ayushthe1 in #2546
- fix: improve libnss checker by @ffontaine in #2539
- fix: improve other_products by @ffontaine in #2579
- fix: improve avahi checker by @ffontaine in #2592
- fix: improve netpbm checker by @ffontaine in #2522
- fix: improve libsolv checker by @ffontaine in #2520
- chore: update checkers table by @github-actions in #2581
- fix: improve kerberos checker by @ffontaine in #2509
- fix: improve libvirt checker by @ffontaine in #2540
- chore: update SBOM for Python 3.8 by @github-actions in #2613
- chor...
Contributors
raboof, jarebear6expepjozn6rakjq5iczi3irqwphcvb, and 28 other contributors
Assets 4
CVE Bin Tool pre-release 3.2.1rc0
Due to a change in the data used for the curl data source, we're issuing a slightly out of band point release for users unable to use 3.2.
There are a number of checker updates to address false positives, new checkers, and other bug fixes and features as described below.
One commonly requested feature has made it into this release: generation of SBOMs. Please try it out and let us know where it can be improved!
What's Changed
- feat(checker): Added Mozilla Thunderbird checker by @metabiswadeep in #2429
- feat(checker): add dropbear checker by @ffontaine in #2452
- chore: update checkers table by @github-actions in #2454
- ci: Switching version of python used for long tests by @metabiswadeep in #2438
- feat(checker): add doxygen checker by @ffontaine in #2455
- feat(checker): add faad2 checker by @ffontaine in #2458
- feat(checker): add flac checker by @ffontaine in #2459
- feat(checker): Added qemu checker by @metabiswadeep in #2460
- feat(checker): Added kubernetes checker by @metabiswadeep in #2462
- chore: bump version to 3.2.1dev0 by @terriko in #2468
- chore: update checkers table by @github-actions in #2467
- docs: Add short new contributor tips for copying into pull requests by @terriko in #2466
- fix: Improve firefox checker pattern by @metabiswadeep in #2469
- chore: update spdx header by @github-actions in #2478
- ci: remove pdf tests from windows short tests by @DangerChamp in #2465
- fix: improve output of cve-scan github action for cve by @ayushthe1 in #2475
- ci(SBOM): better SBOM maintenance by @Molkree in #2481
- ci: test on Python 3.11 by @Molkree in #2419
- fix: gad_source error while updating cache by @b31ngd3v in #2484
- ci(js): update workflow for updating JS by @Molkree in #2479
- ci: add mypy for type checking by @Molkree in #2488
- fix(tests): use importlib_metadata.version on 3.7 by @Molkree in #2482
- chore: update js dependencies by @github-actions in #2491
- chore: update SBOM for Python 3.7 by @github-actions in #2506
- chore: update SBOM for Python 3.8 by @github-actions in #2505
- chore: update SBOM for Python 3.9 by @github-actions in #2503
- chore: update SBOM for Python 3.10 by @github-actions in #2502
- chore: update SBOM for Python 3.11 by @github-actions in #2504
- fix: encoding issues on Windows by @Molkree in #2499
- fix: improve sqlite pattern by @ffontaine in #2497
- fix: update cve count of mit.kerberos_5 by @b31ngd3v in #2531
- Let 'cve-bin-tool --version' return success by @raboof in #2524
- feat(checker): add capnproto checker by @ffontaine in #2510
- fix: fix false positives with filename patterns by @ffontaine in #2521
- fix: type for capnproto checker by @metabiswadeep in #2535
- chore: update SBOM for Python 3.8 by @github-actions in #2555
- chore: update SBOM for Python 3.7 by @github-actions in #2554
- chore: update SBOM for Python 3.11 by @github-actions in #2553
- chore: update SBOM for Python 3.10 by @github-actions in #2552
- chore: update SBOM for Python 3.9 by @github-actions in #2551
- chore: update checkers table by @github-actions in #2534
- fix: Fail more gracefully when pip --dry-run doesn't work by @metabiswadeep in #2476
- fix: fix recursively typo by @ffontaine in #2536
- ci: use linux cache since windows is broken by @terriko in #2558
- fix: test_update_flags and pdf encoding error by @terriko in #2557
- fix: replace space in test filename by @ffontaine in #2537
- fix: Remove LGTM badge by @metabiswadeep in #2561
- chore: update SBOM for Python 3.7 by @github-actions in #2572
- chore: update SBOM for Python 3.9 by @github-actions in #2571
- chore: update SBOM for Python 3.8 by @github-actions in #2570
- chore: update SBOM for Python 3.11 by @github-actions in #2569
- chore: update SBOM for Python 3.10 by @github-actions in #2568
- feat: add php language parser by @Rexbeast2 in #2567
- test: improve test_csv2cve_valid_file for future failures by @b31ngd3v in #2548
- docs: Docs claim that ar is installed by default on Windows by @metabiswadeep in #2496
- feat(cve_scanner): add vendor to affected by @ffontaine in #2512
- fix: commonmark no longer a dependency by @terriko in #2574
- test: Improve testing to include checkers that should not match by @metabiswadeep in #2560
- ci: extend windows timeouts by @terriko in #2578
- feat: Integration with NVD API 2.0 (#2542) by @anthonyharrison in #2562
- feat: Check database schema for cve_exploits table by @metabiswadeep in #2566
- feat(checker): add lxc checker by @ffontaine in #2538
- fix: improve gstreamer checker by @ffontaine in #2541
- fix: improve sudo checker by @ffontaine in #2527
- fix: improve openjpeg checker by @ffontaine in #2526
- fix: improve libarchive checker by @ffontaine in #2523
- fix: improve libjpeg-turbo checker by @ffontaine in #2514
- fix: improve systemd checker by @ffontaine in #2507
- feat(checker): add nasm checker by @ffontaine in #2470
- fix: improve icecast checker by @ffontaine in #2545
- fix: improve ftp checker by @ffontaine in #2544
- fix: Remove bogus comment by @metabiswadeep in #2585
- fix: improve logrotate checker by @ffontaine in #2528
- feat(checker): add msmtp checker by @ffontaine in #2588
- ci: removed windows-specific cache by @singh-anushka in #2587
- fix: xmlschema log msg by @ayushthe1 in #2546
- fix: improve libnss checker by @ffontaine in #2539
- fix: improve other_products by @ffontaine in #2579
- fix: improve avahi checker by @ffontaine in #2592
- fix: improve netpbm checker by @ffontaine in #2522
- fix: improve libsolv checker by @ffontaine in #2520
- chore: update checkers table by @github-actions in #2581
- fix: improve kerberos checker by @ffontaine in #2509
- fix: improve libvirt checker by @ffontaine in #2540
- chore: update SBOM for Python 3.8 by @github-actions in #2613
- chore: update SBOM for Python 3.7 by @github-actions in #2612
- chore: update SBOM for Python 3.9 by @github-actions in #2611
- chore: update SBOM for Python 3.11 by @github-actions in #2610
- chore: update SBOM for Python 3.10 by @github-actions in #2609
- fix: libjpeg-turbo not found in gimp by @metabiswadeep in #2606
- ci: fix running isort using pre-commit ...
Contributors
raboof, jarebear6expepjozn6rakjq5iczi3irqwphcvb, and 28 other contributors
Assets 2
CVE Binary Tool 3.2
New features from our GSoC 2022 participants:
- @yashugarg added a large number of tests and work on fuzzing our interfaces
- @rhythmrx9 aded new data sources (we now support advisories from Gitlab, OSV and Redhat as well as NVD)
- @XDRAGON2002 for the new parsers that allow us to scan things like Ruby Gemfiles, Rust cargo files, and more.
Other interesting features in this release:
- @ffontaine has added a large number of new checkers, pushing us well over 200 binary checkers.
- @anthonyharrison has added initial support for NVD API 2.0. Note that at the time this was added the 2.0 version didn't work with their API keys, so the code behaves accordingly.
Thanks also to @BreadGenie for code review and mentoring support as well as a number of contributions listed below. A special shout out to @b31ngd3v and @metabiswadeep whose first contributions are in this release but they've been the first of many, as well as the many other folk who got their first commits in via Hacktoberfest or GSoC or goodfirstissue.dev or however you found us. Thanks to everyone for being part of this release!
Full change list
- fix: check return on re.search by @wyattearp in #1643
- chore: update pre-commit config by @github-actions in #1629
- refactor: add type hints in cvedb.py by @rhythmrx9 in #1603
- feat: add detailed flag (#781) by @XDRAGON2002 in #1588
- refactor: added type hints to csv2cve by @gaurav879 in #1636
- fix: broken quiet mode in main branch (#1587) by @b31ngd3v in #1648
- fix: improve excel macro filter (#1644) by @b31ngd3v in #1647
- fix: Improved debug output (fixes #1653) by @anthonyharrison in #1654
- chore: update pre-commit config by @github-actions in #1652
- fix: add debug statement if checkers didn't load (#1440) by @b31ngd3v in #1650
- docs: update checkers/README.md by @b31ngd3v in #1651
- test: Add Atheris fuzzing setup for cve-bin-tool by @terriko in #1661
- feat(checker): added jackson-databind checker (#1387) by @b31ngd3v in #1663
- fix: mismatch between cvedb.cve_count and nvd_api.total_results (#1669) by @b31ngd3v in #1670
- test:Updated libvncserver test by @gaurav879 in #1664
- feat: flag exploited cves (#1454) by @XDRAGON2002 in #1520
- test: add test for CLI output dependant on reportlab existence by @onyxcherry in #1641
- fix: add urllib3 explicitly to avoid CVEs by @terriko in #1628
- feat: add new checker pr template (#1268) by @b31ngd3v in #1671
- fix: broken test_console_output_depending_reportlab_existence (#1675) by @b31ngd3v in #1676
- refactor: helper script
filename(#1351) by @b31ngd3v in #1672 - feat(checker): add Apache commons-compress checker (#1040) by @b31ngd3v in #1666
- refactor: add link to helper docs when alternate contains patterns by @snosratiershad in #1674
- fix: licence in setup.py (#1673) by @b31ngd3v in #1677
- feat: improve usability when --input_file is missing (#1649) by @b31ngd3v in #1668
- feat(checker): add rust checker by @b31ngd3v in #1679
- feat: console output to a file by @rhythmrx9 in #1632
- chore(deps): bump html5lib from 0.99 to 0.99999999 (#1686) by @b31ngd3v in #1687
- chore: update pre-commit config by @github-actions in #1680
- docs: multiline pattern issue in windows vs linux (#1678) by @b31ngd3v in #1685
- feat: add radare2 contains patterns by @snosratiershad in #1693
- fix: logger.warn() warning & test_output_vex test (#1691) by @M-Faheem-Khan in #1692
- fix: rpm extractor for windows by @b31ngd3v in #1696
- feat: add parser class(#1699) by @XDRAGON2002 in #1700
- feat: add multiline string finder in helper script by @b31ngd3v in #1690
- refactor(extractor): Prioritize 7z while extracting pkg files in windows by @yashugarg in #1689
- feat: Add options to import and export database (fixes #1655) by @anthonyharrison in #1656
- test(extractor): added tests for zst and pkg package extractors by @yashugarg in #1683
- docs: fix remote repo url by @b31ngd3v in #1715
- feat: Add mapping of vulnerable libraries to components (Fixed #1657) by @anthonyharrison in #1658
- docs: add checker instructions into Read the Docs build (#1703) by @b31ngd3v in #1716
- feat(checkers): Add polarssl fedora contains patterns by @snosratiershad in #1695
- refactor: use pathlib.Path instead of os.path by @b31ngd3v in #1714
- ci: bump
setup-pythonversion by @Molkree in #1711 - feat: add affected-versions to all formats (#1342) by @XDRAGON2002 in #1667
- test: added unit tests for format_checkers script by @yashugarg in #1709
- ci: use Dependabot to bump GitHub Actions by @Molkree in #1712
- chore(deps): bump peter-evans/create-pull-request from 3 to 4 by @dependabot in #1726
- chore(deps): bump actions/cache from 2 to 3 by @dependabot in #1727
- feat(checker): luajit checker by @ffontaine in #1705
- docs: fix file extension in package list scanning by @b31ngd3v in #1733
- fix(output_pdf): broken tests and mapping of libraries to components by @b31ngd3v in #1734
- refactor: cvedb structure and datasources by @rhythmrx9 in #1706
- test: unit tests for csv2cve.py by @yashugarg in #1737
- refactor(format_checkers): use pathlib instead of os.path (#1725) by @b31ngd3v in #1731
- refactor: switch to pathlib.Path in cvedb.py by @rhythmrx9 in #1751
- chore(deps): bump codecov/codecov-action from 2 to 3 by @dependabot in #1728
- test: Add triage to requirements test to address aiohttp disputed cve by @terriko in #1746
- test: unit tests for version.py by @yashugarg in #1739
- chore: update pre-commit config by @github-actions in #1732
- fix : Updated spdx_header.txt by @iamnandhu in #1762
- fix: update database before merging by @b31ngd3v in #1765
- chore(deps): bump actions/checkout from 2 to 3 by @dependabot in #1729
- fix: fix is_file call in test_scanner.py by @ffontaine in #1761
- ci: update year in spdx header automatically (#1753) by @b31ngd3v in #1763
- test(language_scanner): use scan_file() & add tests for python packages by @yashugarg in #1758
- feat: provide multiple output formats for a single scan (#1724) by @b31ngd3v in #1740
- fix: delete unnecessary file by @b31ngd3v in #1767
- fix: add luajit to documentation by @ffontaine in #1768
- refactor: refactor javascript parser (#1721) by @XDRAGON2002 in #1722
- test(scanner): unittest to cover make_condensed_from_download() by @yashugarg in #1770
- test(extractor): use all possible libraries to extract a file by @yashugarg in #1720
- refactor: refactor java parser (#1771) by @XDRAGON2002 in #1772
- chore(deps): bump github/codeql-action from 1 to 2 by @dependabot in #1730
- chore(deps): bump html5lib version for dependabot by @terriko in #1780
- fix(TestExtractFilePkg): avoid downloading files in tests by @b31ngd3v in #1784
- test: fix test_extract_file_cab_no_cabextract for wi...
Contributors
wyattearp, raboof, and 55 other contributors
Assets 3
CVE Bin Tool pre-release 3.2rc0
Preview release for 3.2.
We're currently seeing an issue in our testing system where Windows systems are taking a long time to upgrade the database to store additional data source information. Windows users are particularly encouraged to try this pre-release to see if you have any issues!
When updating your database, make sure your NVD_API_KEY is set and you may have better results using -u now to get a fresh database.
What's Changed
- fix: check return on re.search by @wyattearp in #1643
- chore: update pre-commit config by @github-actions in #1629
- refactor: add type hints in cvedb.py by @rhythmrx9 in #1603
- feat: add detailed flag (#781) by @XDRAGON2002 in #1588
- refactor: added type hints to csv2cve by @gaurav879 in #1636
- fix: broken quiet mode in main branch (#1587) by @b31ngd3v in #1648
- fix: improve excel macro filter (#1644) by @b31ngd3v in #1647
- fix: Improved debug output (fixes #1653) by @anthonyharrison in #1654
- chore: update pre-commit config by @github-actions in #1652
- fix: add debug statement if checkers didn't load (#1440) by @b31ngd3v in #1650
- docs: update checkers/README.md by @b31ngd3v in #1651
- test: Add Atheris fuzzing setup for cve-bin-tool by @terriko in #1661
- feat(checker): added jackson-databind checker (#1387) by @b31ngd3v in #1663
- fix: mismatch between cvedb.cve_count and nvd_api.total_results (#1669) by @b31ngd3v in #1670
- test:Updated libvncserver test by @gaurav879 in #1664
- feat: flag exploited cves (#1454) by @XDRAGON2002 in #1520
- test: add test for CLI output dependant on reportlab existence by @onyxcherry in #1641
- fix: add urllib3 explicitly to avoid CVEs by @terriko in #1628
- feat: add new checker pr template (#1268) by @b31ngd3v in #1671
- fix: broken test_console_output_depending_reportlab_existence (#1675) by @b31ngd3v in #1676
- refactor: helper script
filename(#1351) by @b31ngd3v in #1672 - feat(checker): add Apache commons-compress checker (#1040) by @b31ngd3v in #1666
- refactor: add link to helper docs when alternate contains patterns by @snosratiershad in #1674
- fix: licence in setup.py (#1673) by @b31ngd3v in #1677
- feat: improve usability when --input_file is missing (#1649) by @b31ngd3v in #1668
- feat(checker): add rust checker by @b31ngd3v in #1679
- feat: console output to a file by @rhythmrx9 in #1632
- chore(deps): bump html5lib from 0.99 to 0.99999999 (#1686) by @b31ngd3v in #1687
- chore: update pre-commit config by @github-actions in #1680
- docs: multiline pattern issue in windows vs linux (#1678) by @b31ngd3v in #1685
- feat: add radare2 contains patterns by @snosratiershad in #1693
- fix: logger.warn() warning & test_output_vex test (#1691) by @M-Faheem-Khan in #1692
- fix: rpm extractor for windows by @b31ngd3v in #1696
- feat: add parser class(#1699) by @XDRAGON2002 in #1700
- feat: add multiline string finder in helper script by @b31ngd3v in #1690
- refactor(extractor): Prioritize 7z while extracting pkg files in windows by @yashugarg in #1689
- feat: Add options to import and export database (fixes #1655) by @anthonyharrison in #1656
- test(extractor): added tests for zst and pkg package extractors by @yashugarg in #1683
- docs: fix remote repo url by @b31ngd3v in #1715
- feat: Add mapping of vulnerable libraries to components (Fixed #1657) by @anthonyharrison in #1658
- docs: add checker instructions into Read the Docs build (#1703) by @b31ngd3v in #1716
- feat(checkers): Add polarssl fedora contains patterns by @snosratiershad in #1695
- refactor: use pathlib.Path instead of os.path by @b31ngd3v in #1714
- ci: bump
setup-pythonversion by @Molkree in #1711 - feat: add affected-versions to all formats (#1342) by @XDRAGON2002 in #1667
- test: added unit tests for format_checkers script by @yashugarg in #1709
- ci: use Dependabot to bump GitHub Actions by @Molkree in #1712
- chore(deps): bump peter-evans/create-pull-request from 3 to 4 by @dependabot in #1726
- chore(deps): bump actions/cache from 2 to 3 by @dependabot in #1727
- feat(checker): luajit checker by @ffontaine in #1705
- docs: fix file extension in package list scanning by @b31ngd3v in #1733
- fix(output_pdf): broken tests and mapping of libraries to components by @b31ngd3v in #1734
- refactor: cvedb structure and datasources by @rhythmrx9 in #1706
- test: unit tests for csv2cve.py by @yashugarg in #1737
- refactor(format_checkers): use pathlib instead of os.path (#1725) by @b31ngd3v in #1731
- refactor: switch to pathlib.Path in cvedb.py by @rhythmrx9 in #1751
- chore(deps): bump codecov/codecov-action from 2 to 3 by @dependabot in #1728
- test: Add triage to requirements test to address aiohttp disputed cve by @terriko in #1746
- test: unit tests for version.py by @yashugarg in #1739
- chore: update pre-commit config by @github-actions in #1732
- fix : Updated spdx_header.txt by @iamnandhu in #1762
- fix: update database before merging by @b31ngd3v in #1765
- chore(deps): bump actions/checkout from 2 to 3 by @dependabot in #1729
- fix: fix is_file call in test_scanner.py by @ffontaine in #1761
- ci: update year in spdx header automatically (#1753) by @b31ngd3v in #1763
- test(language_scanner): use scan_file() & add tests for python packages by @yashugarg in #1758
- feat: provide multiple output formats for a single scan (#1724) by @b31ngd3v in #1740
- fix: delete unnecessary file by @b31ngd3v in #1767
- fix: add luajit to documentation by @ffontaine in #1768
- refactor: refactor javascript parser (#1721) by @XDRAGON2002 in #1722
- test(scanner): unittest to cover make_condensed_from_download() by @yashugarg in #1770
- test(extractor): use all possible libraries to extract a file by @yashugarg in #1720
- refactor: refactor java parser (#1771) by @XDRAGON2002 in #1772
- chore(deps): bump github/codeql-action from 1 to 2 by @dependabot in #1730
- chore(deps): bump html5lib version for dependabot by @terriko in #1780
- fix(TestExtractFilePkg): avoid downloading files in tests by @b31ngd3v in #1784
- test: fix test_extract_file_cab_no_cabextract for windows by @yashugarg in #1788
- test: add intermediate report in output_html test by @yashugarg in #1778
- ci: add scan.coverity.com workflow by @terriko in #1789
- fix: doc build error by @b31ngd3v in #1796
- test(csv2cve): 5 new cves in haxx.curl by @terriko in #1791
- ci: set coverity build command to --no-command by @terriko in #1800
- refactor(test): remove ALLOWED_PACKAGES ...
Contributors
wyattearp, raboof, and 55 other contributors
Assets 2
CVE Binary Tool 3.1.2
Minor update to force a downgrade of packaging to allow use of LegacyVersion (fixes #2428)
This is intended to be a temporary fix while we finish up the 3.2 release, but I believe we will be able to backport the removal for LegacyVersion without much trouble, so there may be one more release for the 3.1 tree if it looks like 3.2 is going to take more than a week.
Full Changelog: v3.1.1...v3.1.2
CVE Binary Tool 3.1.1
Contributors
terriko
Assets 2
CVE Binary Tool 3.1
CVE Binary Tool 3.1
This release is dedicated to the person who sent me cookies after I was griping about differences in Python 3.7 error handling on Twitter. They were delicious, thank you! Thanks also to the many new contributors who have joined us as part of Google Summer of Code 2022. You can see many new folk had their first commits in this release!
New Features
- CVE Binary Tool 3.1 adds support for NVD API keys. An NVD API key allows registered users to make a greater number of requests to the API. At this time, the NVD API documentation says, "The public rate limit (without an API key) is 10 requests in a rolling 60 second window; the rate limit with an API key is 100 requests in a rolling 60 second window."
- cve-bin-tool updates once per day by default to limit connections to NVD, but users in shared environments or running more frequent updates have occasionally seen 403 errors due to exceeded rate limits. Using an API key should alleviate those issues going forwards.
- New support for scanning Java and JavaScript packages has been added. (Yes, this will now detect log4j packages.) The language-specific packages we support now are Java, JavaScript and Python.
- A new offline flag (
--offline) has been added to disable all network requests for use in isolated environments. A guide for using --offline mode can be found here. - New support VEX (Vulnerabity Expolitabity Exchange) files. Files could be generated following a scan and then used as a supported triage file.
- Extractor support has been extended to include WAR, EAR, pkg and zst files.
- New checkers: Libsrtp, libseccomp, libebml, libsolv
Changed Features
- Some users had expressed concern that they would prefer not to install the Reportlab dependency on their systems due to security concerns if the library is mis-used, so we no longer install it by default.
- Users intending to use PDF export can use
pip install cve-bin-tool[PDF]to add reportlab to their install. orpip install reportlabif they decide they want it later. - Similarly, users can
pip uninstall reportlabat any time and cve-bin-tool will continue to function although without the ability to export PDF files. Users can generate their own using pdf reports using print-to-pdf on an HTML report if needed.
- Users intending to use PDF export can use
- Python 3.6 support and testing has been dropped as Python 3.6 has reached end of life. (This may affect some users on CentOS.)
New Contributors
- @XDRAGON2002 made their first contribution in #1495
- @DangerChamp made their first contribution in #1516
- @Aadityajoshi151 made their first contribution in #1532
- @vkrm1612 made their first contribution in #1536
- @shoneriki made their first contribution in #1576
- @yashugarg made their first contribution in #1533
- @rhythmrx9 made their first contribution in #1572
- @BenL-github made their first contribution in #1606
- @xiongnemo made their first contribution in #1610
- @Alienmaster made their first contribution in #1619
- @MohitOhlyan made their first contribution in #1612
Full Change List
- refactor(package-list-parser): remove csv path by @BreadGenie in #1466
- feat: Add tests for cve_scanner (#1450) by @anthonyharrison in #1456
- ci: fix
check-spellingworkflow by @Molkree in #1471 - bug: Unzip failure requires user interaction (#1473) by @anthonyharrison in #1479
- feat: Add support for WAR and EAR archive files (#1474) by @anthonyharrison in #1478
- refactor: find SBOM product vendor (#1477) by @anthonyharrison in #1481
- chore: update pre-commit config by @github-actions in #1455
- bug: don't follow symlinks in archives (#1475) by @anthonyharrison in #1486
- bug: Update pdf configuration parameters (#1459) by @anthonyharrison in #1484
- Updated spelling.yml by @XDRAGON2002 in #1495
- feat: use cve-bin-tool without Reportlab (Fixes #1464) by @anthonyharrison in #1485
- feat: Add offline command line option (#1452) by @anthonyharrison in #1480
- doc: improve new contributor documentation by @terriko in #1467
- ci: add filetype to allowed word list by @terriko in #1497
- feat: Remove support for python 3.6 (#1488) by @XDRAGON2002 in #1498
- feat: added Libsrtp checker (#1489) by @XDRAGON2002 in #1500
- chore: added LGTM badges to readme (#1380) by @XDRAGON2002 in #1501
- feat: Add support for scanning Java packages (#1463) by @anthonyharrison in #1476
- chore: update pre-commit config by @github-actions in #1499
- test: Move NVD queries to LONG_TESTS due to rate limits (fixes #1509) by @terriko in #1511
- chore: modify detected languages in github by @terriko in #1508
- Gave output types its own subheading by @DangerChamp in #1516
- test: Move backported fix tests to LONG_TESTS (#1502) by @XDRAGON2002 in #1512
- Moved --offline up to "Most popular usage options" by @DangerChamp in #1514
- fix(cve_scanner): fix
canonical_convertby @Molkree in #1519 - Replace "Github" with "GitHub" by @Aadityajoshi151 in #1532
- Correction by @vkrm1612 in #1536
- feat: add NVD API key by @terriko in #1529
- ci: remove NVD_API_KEY from CI because it isn't working by @terriko in #1549
- fix: Only import pdftotext if installed (Fixes #1419) by @anthonyharrison in #1545
- doc: Publish FOSDEM 2022 slides (Fixes #1546) by @anthonyharrison in #1547
- fix: set default version for xml2 checker to UNKNOWN (Fixes #1517) by @anthonyharrison in #1524
- Updated so it shows the correct versions of Python by @DangerChamp in #1515
- doc: keep pdftotext windows install instructions (partial revert #1515) by @terriko in #1550
- doc: add info on syncing to origin/main and rebasing by @terriko in #1540
- test(available-fix): mock cve data by @BreadGenie in #1513
- CI: Add bandit to pre-commit (fixes #1110) by @terriko in #1523
- doc: fix incorrect hyperlink (Fixes #1553) by @anthonyharrison in #1554
- ci: split CI into separate files by @Molkree in #1552
- feat: improve locality of defaults (#1352) by @XDRAGON2002 in #1560
- doc: Add details on language specific checking (Fixes #1551) by @anthonyharrison in #1561
- refactor: replace pkg_resources with importlib (#1521) by @XDRAGON2002 in #1542
- changed windows_tests timeout-minutes to 30 by @shoneriki in #1576
- refactor: migrate from urllib to requests by @BreadGenie in #1569
- feat: Add support for Javascript package scanning (Fixes #1453) by @anthonyharrison in #1548
- New checker: gnome librsvg by @yashugarg in #1533
- refactor: add type hints in util.py by @rhythmrx9 in #1572
- ci(pre-commit): add gitlint by @BreadGenie in #1573
- feat: added libseccomp checker by @yashugarg in #1556
- ci: run bandit on test code by @rhythmrx9 in #1579
- feat(checker): libebml checker by @rhythmrx9 in #1559
- feat(checker): libsolv checker by @rhythmrx9 in #1562
- ci: switch format_checker to run in ci by @rhythmrx9 in #1593
- fix: asyncio warnings (#1558) by @XDRAGON2002 in #1592
- fix: windows helper script test (#1264) by @XDRAGON2002 in https://github.com/i...
Contributors
terriko, anthonyharrison, and 13 other contributors
Assets 2
CVE Binary Tool 3.1rc3
Full Changelog: v3.1rc2...v3.1rc3
CVE Binary Tool 3.1rc2
Potentially the final release candidate for CVE Binary Tool 3.1. (Note the change in naming scheme to match the pip upload)
What's Changed
- fix: add None checks to run_java_checker by @terriko in #1630
- docs: add link to offline guide, rearrange order by @terriko in #1633
- test: add test for null byte in filename by @terriko in #1635
Full Changelog: v3.1.pre1...v3.1rc2
Contributors
terriko