Merge branch 'main' into deb-parser

.github/actions/spelling/allow.txt

@@ -138,11 +138,13 @@ distro
 distros
 dmidecode
 dnsmasq
+docker
 docstring
 docstrings
 DOCTYPE
 domoticz
 dosfstools
+dotnet
 dovecot
 downloading
 doxygen
@@ -353,6 +355,7 @@ libtasn
 libtiff
 libtomcrypt
 libupnp
+libuv
 libvips
 libvirt
 libvncserver
@@ -402,6 +405,7 @@ minidlna
 miniupnpc
 miniupnpd
 mkdir
+moby
 modsecurity
 modulename
 Molkree
@@ -470,6 +474,7 @@ opencv
 openjpeg
 openldap
 opensc
+openssf
 openssh
 openssl
 opensuse
@@ -517,9 +522,11 @@ proftpd
 protobuf
 pspp
 PUBKEY
+pubspec
 Purvanshsingh
 putty
 pybabel
+pycon
 pycqa
 pypa
 pypi
@@ -583,6 +590,7 @@ securityscorecards
 shadowsocks
 shreyamalviya
 sip
+snapd
 sngrep
 snort
 socat
@@ -651,6 +659,7 @@ transmission
 triaging
 trousers
 tss
+ttyd
 turbo
 twonky
 u

.github/actions/spelling/patterns.txt

@@ -0,0 +1,2 @@
+https?:\S+
+\]\(\S+\)

.github/workflows/codeql-analysis.yml

@@ -51,7 +51,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3.24.0
+      uses: github/codeql-action/init@c7f9125735019aa87cfc361530512d50ea439c71 # v3.25.1
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -76,4 +76,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3.24.0
+      uses: github/codeql-action/analyze@c7f9125735019aa87cfc361530512d50ea439c71 # v3.25.1

.github/workflows/coverity.yml

@@ -19,7 +19,7 @@ jobs:
         egress-policy: audit
 
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-    - uses: vapier/coverity-scan-action@cae3c096a2eb21c431961a49375ac17aea2670ce # v1.7.0
+    - uses: vapier/coverity-scan-action@2068473c7bdf8c2fb984a6a40ae76ee7facd7a85 # v1.8.0
       with:
         email: ${{ secrets.COVERITY_SCAN_EMAIL }}
         token: ${{ secrets.COVERITY_SCAN_TOKEN }}

.github/workflows/cve_bin_tool_action.yml

@@ -1,11 +1,11 @@
 name: CVE Binary Tool Scanner
-permissions: read-all
 
 on:
   push:
   workflow_dispatch:
 
 permissions:
+  contents: read
   security-events: write
 
 jobs:
@@ -15,3 +15,4 @@ jobs:
       - uses: intel/cve-bin-tool-action@main
         with:
           exclude_dir: test
+          triage_input_file: TRIAGE.vex

.github/workflows/cve_scan.yml

@@ -20,7 +20,7 @@ jobs:
           egress-policy: audit
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
+      - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
         with:
           python-version: '3.11'
           cache: 'pip'
@@ -30,7 +30,7 @@ jobs:
         run: |
           echo "date=$(/bin/date -u "+%Y%m%d")" >> $GITHUB_OUTPUT
       - name: Get cached database
-        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         with:
           path: cache
           key: Linux-cve-bin-tool-${{ steps.get-date.outputs.date }}

.github/workflows/dependency-review.yml

@@ -24,4 +24,4 @@ jobs:
       - name: 'Checkout Repository'
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@4901385134134e04cec5fbe5ddfe3b2c5bd5d976 # v4.0.0
+        uses: actions/dependency-review-action@5bbc3ba658137598168acb2ab73b21c432dd411b # v4.2.5

.github/workflows/formatting.yml

@@ -24,7 +24,7 @@ jobs:
           egress-policy: audit
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
+      - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
         with:
           python-version: '3.11'
           cache: 'pip'
@@ -36,7 +36,7 @@ jobs:
         run: |
           python cve_bin_tool/format_checkers.py
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@b1ddad2c994a25fbc81a28b3ec0e368bb2021c50 # v6.0.0
+        uses: peter-evans/create-pull-request@9153d834b60caba6d51c9b9510b087acf9f33f83 # v6.0.4
         with:
           commit-message: "chore: update checkers table"
           title: "chore: update checkers table"

.github/workflows/fuzzing.yml

@@ -19,7 +19,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Set up Python 
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v5.1.0
         with:
           python-version: 3.9  
 
@@ -43,7 +43,33 @@ jobs:
           python -m pip install --upgrade setuptools
           python -m pip install --upgrade -r dev-requirements.txt
           python -m pip install --upgrade .
+          
+      - name: Get date
+        id: get-date
+        run: |
+          echo "date=$(/bin/date -u "+%Y%m%d")" >> $GITHUB_OUTPUT
+          echo "yesterday=$(/bin/date -d "-1 day" -u "+%Y%m%d")" >> $GITHUB_OUTPUT
 
+      - name: Get today's cached database
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        id: todays-cache
+        with:
+          path: fuzz-cache
+          key: Linux-cve-bin-tool-${{ steps.get-date.outputs.date }}
+      - name: Get yesterday's cached database if today's is not available
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        if: steps.todays-cache.outputs.cache-hit != 'true'
+        with:
+          path: fuzz-cache
+          key: Linux-cve-bin-tool-${{ steps.get-date.outputs.yesterday }}
+
+      - name: Try single CLI run of tool
+        if: env.sbom != 'true'
+        run: |
+          [[ -e fuzz-cache ]] && mkdir -p .cache && mv fuzz-cache ~/.cache/cve-bin-tool
+          NO_EXIT_CVE_NUM=1 python -m cve_bin_tool.cli test/assets/test-kerberos-5-1.15.1.out
+          cp -r ~/.cache/cve-bin-tool fuzz-cache
+          
       - name: Run Fuzzing 
         id: fuzzing
         env:
@@ -58,4 +84,4 @@ jobs:
           at_index=$((($(date -u +%U) % ${#fuzzing_scripts[@]})))
           selected_script="${fuzzing_scripts[$at_index]}"
           echo "Selected script: $selected_script"
-          timeout --preserve-status --signal=SIGINT 60m python $selected_script
+          timeout --preserve-status --signal=SIGINT 60m python $selected_script

.github/workflows/linting.yml

@@ -23,7 +23,7 @@ jobs:
           egress-policy: audit
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
+      - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
         with:
           python-version: '3.11'
           cache: 'pip'

.github/workflows/sbom.yml

@@ -27,7 +27,7 @@ jobs:
           egress-policy: audit
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
+      - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
         with:
           python-version: ${{ matrix.python }}
           cache: 'pip'
@@ -62,7 +62,7 @@ jobs:
           cp cve-bin-tool-py${{ matrix.python }}.json sbom/cve-bin-tool-py${{ matrix.python }}.json
       - name: Create Pull Request
         if: ${{ steps.diff-sbom.outputs.changed }}
-        uses: peter-evans/create-pull-request@b1ddad2c994a25fbc81a28b3ec0e368bb2021c50 # v6.0.0
+        uses: peter-evans/create-pull-request@9153d834b60caba6d51c9b9510b087acf9f33f83 # v6.0.4
         with:
           commit-message: "chore: update SBOM for Python ${{ matrix.python }}"
           title: "chore: update SBOM for Python ${{ matrix.python }}"