Merge branch 'main' into add-cpe-summary-without-release-monitoring

.github/actions/spelling/allow.txt

@@ -61,6 +61,7 @@ btn
 bubblewrap
 bugfixes
 busybox
+bwm
 bzip
 c
 cabextract
@@ -113,8 +114,11 @@ cves
 cvs
 cvss
 cyberciti
+cybersecurity
 cygwin
+d
 darkhttpd
+dav
 davfs
 dbus
 dearmor
@@ -145,6 +149,8 @@ emacs
 endoflife
 enscript
 entrypoint
+epss
+EPSS
 Eqt
 Everyone
 everytime
@@ -288,6 +294,7 @@ libass
 libbluetooth
 libbpg
 libc
+libcoap
 libconfuse
 libcurl
 libdb
@@ -611,6 +618,7 @@ unittest
 unixodbc
 upx
 URI
+uri
 URIs
 url
 urlopen
@@ -674,5 +682,4 @@ zsh
 zshrc
 zst
 zstd
-uri
 

.github/actions/spelling/expect.txt

@@ -1,6 +1,8 @@
 Interoperability
 csvjsonconsolehtml
 cyclonedx
+nvdjson
+mirrorapiapi
 jsonapi
 jsonapiapi
 lowmediumhighcritical

.github/workflows/codeql-analysis.yml

@@ -51,7 +51,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@5b6282e01c62d02e720b81eb8a51204f527c3624 # v2.21.3
+      uses: github/codeql-action/init@a09933a12a80f87b87005513f0abb1494c27a716 # v2.21.4
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -76,4 +76,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@5b6282e01c62d02e720b81eb8a51204f527c3624 # v2.21.3
+      uses: github/codeql-action/analyze@a09933a12a80f87b87005513f0abb1494c27a716 # v2.21.4

.github/workflows/dependency-review.yml

@@ -24,4 +24,4 @@ jobs:
       - name: 'Checkout Repository'
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@7d90b4f05fea31dde1c4a1fb3fa787e197ea93ab # v3.0.7
+        uses: actions/dependency-review-action@f6fff72a3217f580d5afd49a46826795305b63c7 # v3.0.8

.github/workflows/testing.yml

@@ -102,7 +102,7 @@ jobs:
       - name: Try single CLI run of tool
         run: |
           [[ -e cache ]] && mkdir -p .cache && mv cache ~/.cache/cve-bin-tool
-          NO_EXIT_CVE_NUM=1 python -m cve_bin_tool.cli test/assets/test-kerberos-5-1.15.1.out -n json
+          NO_EXIT_CVE_NUM=1 python -m cve_bin_tool.cli test/assets/test-kerberos-5-1.15.1.out
           cp -r ~/.cache/cve-bin-tool cache
       - name: Run async tests
         run: >
@@ -188,7 +188,7 @@ jobs:
       - name: Try single CLI run of tool
         run: |
           [[ -e cache ]] && mkdir -p .cache && mv cache ~/.cache/cve-bin-tool
-          NO_EXIT_CVE_NUM=1 python -m cve_bin_tool.cli test/assets/test-kerberos-5-1.15.1.out -n json
+          NO_EXIT_CVE_NUM=1 python -m cve_bin_tool.cli test/assets/test-kerberos-5-1.15.1.out
           cp -r ~/.cache/cve-bin-tool cache
       - name: Run async tests
         env:
@@ -288,7 +288,7 @@ jobs:
       - name: Try single CLI run of tool
         run: |
           [[ -e cache ]] && mkdir -p .cache && mv cache ~/.cache/cve-bin-tool
-          NO_EXIT_CVE_NUM=1 python -m cve_bin_tool.cli test/assets/test-kerberos-5-1.15.1.out -n json
+          NO_EXIT_CVE_NUM=1 python -m cve_bin_tool.cli test/assets/test-kerberos-5-1.15.1.out
           cp -r ~/.cache/cve-bin-tool cache
       - name: Run all tests which rely on external connectivity
         env:
@@ -362,7 +362,7 @@ jobs:
           python -m pip install --upgrade .
       - name: Try single CLI run of tool
         run: |
-          python -m cve_bin_tool.cli test/assets/test-kerberos-5-1.15.1.out -n json
+          python -m cve_bin_tool.cli test/assets/test-kerberos-5-1.15.1.out
       - name: Run async tests
         run: >
           pytest -n 4 -v
@@ -432,7 +432,7 @@ jobs:
           python -m pip install --upgrade .
       - name: Try single CLI run of tool
         run: |
-          python -m cve_bin_tool.cli test/assets/test-kerberos-5-1.15.1.out -n json
+          python -m cve_bin_tool.cli test/assets/test-kerberos-5-1.15.1.out
       - name: Run async tests
         run: >
           pytest --cov --cov-append -n 4 -v

README.md

@@ -14,7 +14,7 @@ The CVE Binary Tool is a free, open source tool to help you find known vulnerabi
 
 The tool has two main modes of operation:
 
-1. A binary scanner which helps you determine which packages may have been included as part of a piece of software. There are <!-- NUMBER OF CHECKERS START-->309<!--NUMBER OF CHECKERS END--> checkers which focus on common, vulnerable open source components such as openssl, libpng, libxml2 and expat.
+1. A binary scanner which helps you determine which packages may have been included as part of a piece of software. There are <!-- NUMBER OF CHECKERS START-->313<!--NUMBER OF CHECKERS END--> checkers which focus on common, vulnerable open source components such as openssl, libpng, libxml2 and expat.
 2. Tools for scanning known component lists in various formats, including .csv, several linux distribution package lists, language specific package scanners and several Software Bill of Materials (SBOM) formats.
 
 It is intended to be used as part of your continuous integration system to enable regular vulnerability scanning and give you early warning of known issues in your supply chain.
@@ -215,7 +215,7 @@ options:
 CVE Data Download:
   Arguments related to data sources and Cache Configuration
 
-  <a href="https://github.com/intel/cve-bin-tool/blob/main/doc/MANUAL.md#-n-jsonapiapi2---nvd-jsonapiapi2">-n {api,api2,json}, --nvd {api,api2,json}</a>
+  <a href="https://github.com/intel/cve-bin-tool/blob/main/doc/MANUAL.md#-n-json-nvdjson-mirrorapiapi2---nvd-json-nvdjson-mirrorapiapi2">-n {api,api2,json-nvd,json-mirror}, --nvd {api,api2,json-nvd,json-mirror}</a>
                         choose method for getting CVE lists from NVD
   <a href="https://github.com/intel/cve-bin-tool/blob/main/doc/MANUAL.md#-u-nowdailyneverlatest---update-nowdailyneverlatest">-u {now,daily,never,latest}, --update {now,daily,never,latest}</a>
                         update schedule for data sources and exploits database (default: daily)
@@ -255,6 +255,8 @@ Output:
                         specify multiple output formats by using comma (',') as a separator
                         note: don't use spaces between comma (',') and the output formats.
   <a href="https://github.com/intel/cve-bin-tool/blob/main/doc/MANUAL.md#-c-cvss---cvss-cvss">-c CVSS, --cvss CVSS</a>  minimum CVSS score (as integer in range 0 to 10) to report (default: 0)
+  <a>--epss-percentile</a>
+  minimum EPSS percentile of CVE range between 0 to 100 to report (default: 0)
   <a href="https://github.com/intel/cve-bin-tool/blob/main/doc/MANUAL.md#-s-lowmediumhighcritical---severity-lowmediumhighcritical">-S {low,medium,high,critical}, --severity {low,medium,high,critical}</a>
                         minimum CVE severity to report (default: low)
   --no-0-cve-report     only produce report when CVEs are found
@@ -390,10 +392,10 @@ cve-bin-tool --nvd-api-key your_api_key_here
 
 Once you have set up your NVD API Key, cve-bin-tool will use it to retrieve vulnerability data from the NVD. This will ensure that you have access to the full database and will reduce the likelihood of encountering errors due to limited access.
 
-If for any reason, the NVD API Key is not working, cve-bin-tool will automatically switch to the JSON fallback. However, it is highly recommended that you verify that your API Key is working properly to ensure access with the NVD database. To use the json method, use the flag [`-n json` or `--nvd json`](https://github.com/intel/cve-bin-tool/blob/main/doc/MANUAL.md#-n-jsonapi---nvd-jsonapi) . You can use it in the following way
+If for any reason, the NVD API Key is not working, cve-bin-tool will automatically switch to the JSON fallback. However, it is highly recommended that you verify that your API Key is working properly to ensure access with the NVD database. To use the json method, use the flag [`-n json-nvd` or `--nvd json-nvd`](https://github.com/intel/cve-bin-tool/blob/main/doc/MANUAL.md#-n-jsonapi---nvd-jsonapi) . You can use it in the following way
 
 ```bash
-cve-bin-tool --nvd-api-key your_api_key_here -n json
+cve-bin-tool --nvd-api-key your_api_key_here -n json-nvd
 ```
 
 > **Note** : If you have problems downloading the initial data , it may be due to the NVD's current rate limiting scheme which block users entirely if they aren't using an API key.
@@ -430,53 +432,53 @@ This data source provides the CVEs for the CURL product.
 The following checkers are available for finding components in binary files:
 
 <!--CHECKERS TABLE BEGIN-->
-
-|                   |                  |                    | Available checkers |                 |               |                 |
-| ----------------- | ---------------- | ------------------ | ------------------ | --------------- | ------------- | --------------- |
-| accountsservice   | acpid            | apache_http_server | apcupsd            | apparmor        | asn1c         | assimp          |
-| asterisk          | atftp            | avahi              | bash               | bind            | binutils      | bird            |
-| bison             | bluez            | boinc              | botan              | bro             | bubblewrap    | busybox         |
-| bzip2             | c_ares           | capnproto          | ceph               | chess           | chrony        | clamav          |
-| collectd          | commons_compress | connman            | cpio               | cronie          | cryptsetup    | cups            |
-| curl              | cvs              | darkhttpd          | davfs2             | dbus            | dhclient      | dhcpcd          |
-| dhcpd             | dnsmasq          | domoticz           | dovecot            | doxygen         | dpkg          | dropbear        |
-| e2fsprogs         | elfutils         | emacs              | enscript           | exim            | exiv2         | expat           |
-| f2fs_tools        | faad2            | fastd              | ffmpeg             | file            | firefox       | flac            |
-| fluidsynth        | freeradius       | freerdp            | fribidi            | frr             | gcc           | gdb             |
-| gimp              | git              | glib               | glibc              | gmp             | gnomeshell    | gnupg           |
-| gnutls            | gpgme            | gpsd               | graphicsmagick     | grub2           | gstreamer     | gupnp           |
-| gvfs              | gzip             | haproxy            | harfbuzz           | haserl          | hdf5          | hostapd         |
-| hunspell          | i2pd             | icecast            | icu                | iperf3          | ipmitool      | ipsec_tools     |
-| iptables          | irssi            | iucode_tool        | jack2              | jacksondatabind | janus         | jhead           |
-| json_c            | kbd              | keepalived         | kerberos           | kexectools      | kodi          | kubernetes      |
-| ldns              | lftp             | libarchive         | libass             | libbpg          | libconfuse    | libdb           |
-| libebml           | libgcrypt        | libgit2            | libical            | libidn2         | libinput      | libjpeg         |
-| libjpeg_turbo     | libksba          | liblas             | libmatroska        | libmemcached    | libmicrohttpd | libnss          |
-| libpcap           | libraw           | librsvg            | librsync           | libsamplerate   | libseccomp    | libsndfile      |
-| libsolv           | libsoup          | libsrtp            | libssh             | libssh2         | libtiff       | libtomcrypt     |
-| libupnp           | libvirt          | libvncserver       | libvorbis          | libxslt         | lighttpd      | linux_kernel    |
-| lldpd             | logrotate        | lua                | luajit             | lxc             | lynx          | lz4             |
-| mailx             | mariadb          | mdadm              | memcached          | mini_httpd      | minicom       | minidlna        |
-| miniupnpc         | miniupnpd        | modsecurity        | mosquitto          | motion          | mpv           | msmtp           |
-| mtr               | mutt             | mysql              | nano               | nasm            | nbd           | ncurses         |
-| neon              | nessus           | netatalk           | netkit_ftp         | netpbm          | nettle        | nghttp2         |
-| nginx             | nmap             | node               | ntp                | ntpsec          | open_iscsi    | open_vm_tools   |
-| openafs           | opencv           | openjpeg           | openldap           | opensc          | openssh       | openssl         |
-| openswan          | openvpn          | p7zip              | pango              | patch           | pcre          | pcre2           |
-| pcsc_lite         | perl             | picocom            | pigz               | pixman          | png           | polarssl_fedora |
-| poppler           | postgresql       | ppp                | privoxy            | procps_ng       | proftpd       | pspp            |
-| pure_ftpd         | putty            | python             | qemu               | qt              | quagga        | radare2         |
-| radvd             | raptor           | rauc               | rdesktop           | rsync           | rsyslog       | rtl_433         |
-| rtmpdump          | runc             | rust               | samba              | sane_backends   | sdl           | seahorse        |
-| shadowsocks_libev | sngrep           | snort              | sofia_sip          | speex           | spice         | sqlite          |
-| squashfs          | squid            | sslh               | stellarium         | strongswan      | stunnel       | subversion      |
-| sudo              | suricata         | sylpheed           | syslogng           | sysstat         | systemd       | tcpdump         |
-| tcpreplay         | thrift           | thttpd             | thunderbird        | timescaledb     | tinyproxy     | tor             |
-| tpm2_tss          | transmission     | trousers           | u_boot             | unbound         | unixodbc      | upx             |
-| util_linux        | varnish          | vim                | vorbis_tools       | vsftpd          | webkitgtk     | wget            |
-| wireshark         | wolfssl          | wpa_supplicant     | xerces             | xml2            | xscreensaver  | yasm            |
-| zabbix            | zeek             | zlib               | znc                | zsh             |               |                 |
-
+|   |  |  | Available checkers |  |  |  |
+|--------------- |--------------- |------------------ |------------- |--------------- |------------ |----------------- |
+| accountsservice |acpid |apache_http_server |apcupsd |apparmor |asn1c |assimp |
+| asterisk |atftp |avahi |bash |bind |binutils |bird |
+| bison |bluez |boinc |botan |bro |bubblewrap |busybox |
+| bwm_ng |bzip2 |c_ares |capnproto |ceph |chess |chrony |
+| clamav |collectd |commons_compress |connman |coreutils |cpio |cronie |
+| cryptsetup |cups |curl |cvs |darkhttpd |dav1d |davfs2 |
+| dbus |dhclient |dhcpcd |dhcpd |dmidecode |dnsmasq |domoticz |
+| dovecot |doxygen |dpkg |dropbear |e2fsprogs |elfutils |emacs |
+| enscript |exim |exiv2 |f2fs_tools |faad2 |fastd |ffmpeg |
+| file |firefox |flac |fluidsynth |freeradius |freerdp |fribidi |
+| frr |gcc |gdb |gdk_pixbuf |gimp |git |glib |
+| glibc |gmp |gnomeshell |gnupg |gnutls |gpgme |gpsd |
+| graphicsmagick |grub2 |gstreamer |gupnp |gvfs |gzip |haproxy |
+| harfbuzz |haserl |hdf5 |hostapd |hunspell |i2pd |icecast |
+| icu |iperf3 |ipmitool |ipsec_tools |iptables |irssi |iucode_tool |
+| jack2 |jacksondatabind |janus |jhead |json_c |kbd |keepalived |
+| kerberos |kexectools |kodi |kubernetes |ldns |lftp |libarchive |
+| libass |libbpg |libcoap |libconfuse |libcurl |libdb |libebml |
+| libexpat |libgcrypt |libgd |libgit2 |libical |libidn2 |libinput |
+| libjpeg |libjpeg_turbo |libksba |liblas |libmatroska |libmemcached |libmicrohttpd |
+| libmodbus |libnss |libpcap |libraw |librsvg |librsync |libsamplerate |
+| libseccomp |libsndfile |libsolv |libsoup |libsrtp |libssh |libssh2 |
+| libtasn1 |libtiff |libtomcrypt |libupnp |libvirt |libvncserver |libvorbis |
+| libxslt |lighttpd |linux_kernel |lldpd |logrotate |lua |luajit |
+| lxc |lynx |lz4 |mailx |mariadb |mdadm |memcached |
+| mini_httpd |minicom |minidlna |miniupnpc |miniupnpd |modsecurity |mosquitto |
+| motion |mpv |msmtp |mtr |mutt |mysql |nano |
+| nasm |nbd |ncurses |neon |nessus |netatalk |netkit_ftp |
+| netpbm |nettle |nghttp2 |nginx |ngircd |nmap |node |
+| ntfs_3g |ntp |ntpsec |open_iscsi |open_vm_tools |openafs |opencv |
+| openjpeg |openldap |opensc |openssh |openssl |openswan |openvpn |
+| p7zip |pango |patch |pcre |pcre2 |pcsc_lite |perl |
+| picocom |pigz |pixman |png |polarssl_fedora |poppler |postgresql |
+| ppp |privoxy |procps_ng |proftpd |pspp |pure_ftpd |putty |
+| python |qemu |qt |quagga |radare2 |radvd |raptor |
+| rauc |rdesktop |readline |rsync |rsyslog |rtl_433 |rtmpdump |
+| runc |rust |samba |sane_backends |sdl |seahorse |shadowsocks_libev |
+| sngrep |snort |sofia_sip |speex |spice |sqlite |squashfs |
+| squid |sslh |stellarium |strongswan |stunnel |subversion |sudo |
+| suricata |sylpheed |syslogng |sysstat |systemd |tcpdump |tcpreplay |
+| thrift |thttpd |thunderbird |timescaledb |tinyproxy |tor |tpm2_tss |
+| transmission |trousers |u_boot |udisks |unbound |unixodbc |upx |
+| util_linux |varnish |vim |vorbis_tools |vsftpd |webkitgtk |wget |
+| wireshark |wolfssl |wpa_supplicant |xerces |xml2 |xscreensaver |yasm |
+| zabbix |zeek |zlib |znc |zsh | | |
 <!--CHECKERS TABLE END-->
 
 All the checkers can be found in the checkers directory, as can the

cve_bin_tool/checkers/README.md

@@ -342,7 +342,7 @@ $ sqlite3 ~/.cache/cve-bin-tool/cve.db \
 VPkg: apple, mac_os_x
 VPkg: canonical, ubuntu_linux
 VPkg: debian, debian_linux
-VPkg: libexpat, expat
+VPkg: libexpat_project, libexpat
 VPkg: mozilla, firefox
 VPkg: opensuse, leap
 VPkg: suse, linux_enterprise_debuginfo
@@ -351,8 +351,8 @@ VPkg: suse, linux_enterprise_debuginfo
 `VENDOR_PRODUCT` attribute should have list of tuples of vendor product pair
 found in the listings. Some of the listings will be with regards to products
 that include this product. For our example all listings except
-`libexpat, expat` merely include the target product (`expat` for the
-example SQL query).
+`libexpat_project, libexpat` merely include the target product (`libexpat` for
+the example SQL query).
 
 ## Helper-Script
 

cve_bin_tool/checkers/__init__.py

@@ -72,7 +72,6 @@
     "emacs",
     "exim",
     "exiv2",
-    "expat",
     "f2fs_tools",
     "faad2",
     "fastd",
@@ -140,6 +139,7 @@
     "libcurl",
     "libdb",
     "libebml",
+    "libexpat",
     "libgcrypt",
     "libgd",
     "libgit2",

cve_bin_tool/checkers/expat.py → cve_bin_tool/checkers/libexpat.py

@@ -29,13 +29,12 @@
 from cve_bin_tool.checkers import Checker
 
 
-class ExpatChecker(Checker):
-    # FIXME: fix contains pattern
+class LibexpatChecker(Checker):
     CONTAINS_PATTERNS = [
         r"reserved prefix (xml) must not be undeclared or bound to another namespace name",
         r"cannot change setting once parsing has begun",
         "requested feature requires XML_DTD support in Expat",
     ]
-    FILENAME_PATTERNS = [r"expat"]
+    FILENAME_PATTERNS = [r"libexpat.so"]
     VERSION_PATTERNS = [r"expat_([012]+\.[0-9]+\.[0-9]+)"]
     VENDOR_PRODUCT = [("libexpat_project", "libexpat")]