diff --git a/.github/actions/spelling/allow.txt b/.github/actions/spelling/allow.txt index 5a3aaa68fd..63fbf185a8 100644 --- a/.github/actions/spelling/allow.txt +++ b/.github/actions/spelling/allow.txt @@ -61,6 +61,7 @@ btn bubblewrap bugfixes busybox +bwm bzip c cabextract @@ -113,8 +114,11 @@ cves cvs cvss cyberciti +cybersecurity cygwin +d darkhttpd +dav davfs dbus dearmor @@ -145,6 +149,8 @@ emacs endoflife enscript entrypoint +epss +EPSS Eqt Everyone everytime @@ -288,6 +294,7 @@ libass libbluetooth libbpg libc +libcoap libconfuse libcurl libdb @@ -611,6 +618,7 @@ unittest unixodbc upx URI +uri URIs url urlopen @@ -674,5 +682,4 @@ zsh zshrc zst zstd -uri diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt index af0ac355a2..792331fd4a 100644 --- a/.github/actions/spelling/expect.txt +++ b/.github/actions/spelling/expect.txt @@ -1,6 +1,8 @@ Interoperability csvjsonconsolehtml cyclonedx +nvdjson +mirrorapiapi jsonapi jsonapiapi lowmediumhighcritical diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index d20520188d..d70e6a6b43 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -51,7 +51,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@5b6282e01c62d02e720b81eb8a51204f527c3624 # v2.21.3 + uses: github/codeql-action/init@a09933a12a80f87b87005513f0abb1494c27a716 # v2.21.4 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -76,4 +76,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@5b6282e01c62d02e720b81eb8a51204f527c3624 # v2.21.3 + uses: github/codeql-action/analyze@a09933a12a80f87b87005513f0abb1494c27a716 # v2.21.4 diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 8a94badb56..7bbc4c7838 100644 
--- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -24,4 +24,4 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: 'Dependency Review' - uses: actions/dependency-review-action@7d90b4f05fea31dde1c4a1fb3fa787e197ea93ab # v3.0.7 + uses: actions/dependency-review-action@f6fff72a3217f580d5afd49a46826795305b63c7 # v3.0.8 diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml index 88f36b4f74..fe2d1b84a5 100644 --- a/.github/workflows/testing.yml +++ b/.github/workflows/testing.yml @@ -102,7 +102,7 @@ jobs: - name: Try single CLI run of tool run: | [[ -e cache ]] && mkdir -p .cache && mv cache ~/.cache/cve-bin-tool - NO_EXIT_CVE_NUM=1 python -m cve_bin_tool.cli test/assets/test-kerberos-5-1.15.1.out -n json + NO_EXIT_CVE_NUM=1 python -m cve_bin_tool.cli test/assets/test-kerberos-5-1.15.1.out cp -r ~/.cache/cve-bin-tool cache - name: Run async tests run: > @@ -188,7 +188,7 @@ jobs: - name: Try single CLI run of tool run: | [[ -e cache ]] && mkdir -p .cache && mv cache ~/.cache/cve-bin-tool - NO_EXIT_CVE_NUM=1 python -m cve_bin_tool.cli test/assets/test-kerberos-5-1.15.1.out -n json + NO_EXIT_CVE_NUM=1 python -m cve_bin_tool.cli test/assets/test-kerberos-5-1.15.1.out cp -r ~/.cache/cve-bin-tool cache - name: Run async tests env: @@ -288,7 +288,7 @@ jobs: - name: Try single CLI run of tool run: | [[ -e cache ]] && mkdir -p .cache && mv cache ~/.cache/cve-bin-tool - NO_EXIT_CVE_NUM=1 python -m cve_bin_tool.cli test/assets/test-kerberos-5-1.15.1.out -n json + NO_EXIT_CVE_NUM=1 python -m cve_bin_tool.cli test/assets/test-kerberos-5-1.15.1.out cp -r ~/.cache/cve-bin-tool cache - name: Run all tests which rely on external connectivity env: 
@@ -362,7 +362,7 @@ jobs: python -m pip install --upgrade . - name: Try single CLI run of tool run: | - python -m cve_bin_tool.cli test/assets/test-kerberos-5-1.15.1.out -n json + python -m cve_bin_tool.cli test/assets/test-kerberos-5-1.15.1.out - name: Run async tests run: > pytest -n 4 -v @@ -432,7 +432,7 @@ jobs: python -m pip install --upgrade . - name: Try single CLI run of tool run: | - python -m cve_bin_tool.cli test/assets/test-kerberos-5-1.15.1.out -n json + python -m cve_bin_tool.cli test/assets/test-kerberos-5-1.15.1.out - name: Run async tests run: > pytest --cov --cov-append -n 4 -v diff --git a/README.md b/README.md index 79c8e7e3c6..07b8f167ec 100644 --- a/README.md +++ b/README.md @@ -14,7 +14,7 @@ The CVE Binary Tool is a free, open source tool to help you find known vulnerabi The tool has two main modes of operation: -1. A binary scanner which helps you determine which packages may have been included as part of a piece of software. There are 309 checkers which focus on common, vulnerable open source components such as openssl, libpng, libxml2 and expat. +1. A binary scanner which helps you determine which packages may have been included as part of a piece of software. There are 313 checkers which focus on common, vulnerable open source components such as openssl, libpng, libxml2 and expat. 2. Tools for scanning known component lists in various formats, including .csv, several linux distribution package lists, language specific package scanners and several Software Bill of Materials (SBOM) formats. It is intended to be used as part of your continuous integration system to enable regular vulnerability scanning and give you early warning of known issues in your supply chain. 
@@ -215,7 +215,7 @@ options: CVE Data Download: Arguments related to data sources and Cache Configuration - -n {api,api2,json}, --nvd {api,api2,json} + -n {api,api2,json-nvd,json-mirror}, --nvd {api,api2,json-nvd,json-mirror} choose method for getting CVE lists from NVD -u {now,daily,never,latest}, --update {now,daily,never,latest} update schedule for data sources and exploits database (default: daily) @@ -255,6 +255,8 @@ Output: specify multiple output formats by using comma (',') as a separator note: don't use spaces between comma (',') and the output formats. -c CVSS, --cvss CVSS minimum CVSS score (as integer in range 0 to 10) to report (default: 0) + --epss-percentile + minimum EPSS percentile of CVE range between 0 to 100 to report (default: 0) -S {low,medium,high,critical}, --severity {low,medium,high,critical} minimum CVE severity to report (default: low) --no-0-cve-report only produce report when CVEs are found 
@@ -390,10 +392,10 @@ cve-bin-tool --nvd-api-key your_api_key_here Once you have set up your NVD API Key, cve-bin-tool will use it to retrieve vulnerability data from the NVD. This will ensure that you have access to the full database and will reduce the likelihood of encountering errors due to limited access. -If for any reason, the NVD API Key is not working, cve-bin-tool will automatically switch to the JSON fallback. However, it is highly recommended that you verify that your API Key is working properly to ensure access with the NVD database. To use the json method, use the flag [`-n json` or `--nvd json`](https://github.com/intel/cve-bin-tool/blob/main/doc/MANUAL.md#-n-jsonapi---nvd-jsonapi) . You can use it in the following way +If for any reason, the NVD API Key is not working, cve-bin-tool will automatically switch to the JSON fallback. However, it is highly recommended that you verify that your API Key is working properly to ensure access with the NVD database. To use the json method, use the flag [`-n json-nvd` or `--nvd json-nvd`](https://github.com/intel/cve-bin-tool/blob/main/doc/MANUAL.md#-n-jsonapi---nvd-jsonapi) . You can use it in the following way ```bash -cve-bin-tool --nvd-api-key your_api_key_here -n json +cve-bin-tool --nvd-api-key your_api_key_here -n json-nvd ``` > **Note** : If you have problems downloading the initial data , it may be due to the NVD's current rate limiting scheme which block users entirely if they aren't using an API key. 
@@ -430,53 +432,53 @@ This data source provides the CVEs for the CURL product. The following checkers are available for finding components in binary files: - -| | | | Available checkers | | | | -| ----------------- | ---------------- | ------------------ | ------------------ | --------------- | ------------- | --------------- | -| accountsservice | acpid | apache_http_server | apcupsd | apparmor | asn1c | assimp | -| asterisk | atftp | avahi | bash | bind | binutils | bird | -| bison | bluez | boinc | botan | bro | bubblewrap | busybox | -| bzip2 | c_ares | capnproto | ceph | chess | chrony | clamav | -| collectd | commons_compress | connman | cpio | cronie | cryptsetup | cups | -| curl | cvs | darkhttpd | davfs2 | dbus | dhclient | dhcpcd | -| dhcpd | dnsmasq | domoticz | dovecot | doxygen | dpkg | dropbear | -| e2fsprogs | elfutils | emacs | enscript | exim | exiv2 | expat | -| f2fs_tools | faad2 | fastd | ffmpeg | file | firefox | flac | -| fluidsynth | freeradius | freerdp | fribidi | frr | gcc | gdb | -| gimp | git | glib | glibc | gmp | gnomeshell | gnupg | -| gnutls | gpgme | gpsd | graphicsmagick | grub2 | gstreamer | gupnp | -| gvfs | gzip | haproxy | harfbuzz | haserl | hdf5 | hostapd | -| hunspell | i2pd | icecast | icu | iperf3 | ipmitool | ipsec_tools | -| iptables | irssi | iucode_tool | jack2 | jacksondatabind | janus | jhead | -| json_c | kbd | keepalived | kerberos | kexectools | kodi | kubernetes | -| ldns | lftp | libarchive | libass | libbpg | libconfuse | libdb | -| libebml | libgcrypt | libgit2 | libical | libidn2 | libinput | libjpeg | -| libjpeg_turbo | libksba | liblas | libmatroska | libmemcached | libmicrohttpd | libnss | -| libpcap | libraw | librsvg | librsync | libsamplerate | libseccomp | libsndfile | -| libsolv | libsoup | libsrtp | libssh | libssh2 | libtiff | libtomcrypt | -| libupnp | libvirt | libvncserver | libvorbis | libxslt | lighttpd | linux_kernel | -| lldpd | logrotate | lua | luajit | lxc | lynx | lz4 | -| mailx | mariadb 
| mdadm | memcached | mini_httpd | minicom | minidlna | -| miniupnpc | miniupnpd | modsecurity | mosquitto | motion | mpv | msmtp | -| mtr | mutt | mysql | nano | nasm | nbd | ncurses | -| neon | nessus | netatalk | netkit_ftp | netpbm | nettle | nghttp2 | -| nginx | nmap | node | ntp | ntpsec | open_iscsi | open_vm_tools | -| openafs | opencv | openjpeg | openldap | opensc | openssh | openssl | -| openswan | openvpn | p7zip | pango | patch | pcre | pcre2 | -| pcsc_lite | perl | picocom | pigz | pixman | png | polarssl_fedora | -| poppler | postgresql | ppp | privoxy | procps_ng | proftpd | pspp | -| pure_ftpd | putty | python | qemu | qt | quagga | radare2 | -| radvd | raptor | rauc | rdesktop | rsync | rsyslog | rtl_433 | -| rtmpdump | runc | rust | samba | sane_backends | sdl | seahorse | -| shadowsocks_libev | sngrep | snort | sofia_sip | speex | spice | sqlite | -| squashfs | squid | sslh | stellarium | strongswan | stunnel | subversion | -| sudo | suricata | sylpheed | syslogng | sysstat | systemd | tcpdump | -| tcpreplay | thrift | thttpd | thunderbird | timescaledb | tinyproxy | tor | -| tpm2_tss | transmission | trousers | u_boot | unbound | unixodbc | upx | -| util_linux | varnish | vim | vorbis_tools | vsftpd | webkitgtk | wget | -| wireshark | wolfssl | wpa_supplicant | xerces | xml2 | xscreensaver | yasm | -| zabbix | zeek | zlib | znc | zsh | | | - +| | | | Available checkers | | | | +|--------------- |--------------- |------------------ |------------- |--------------- |------------ |----------------- | +| accountsservice |acpid |apache_http_server |apcupsd |apparmor |asn1c |assimp | +| asterisk |atftp |avahi |bash |bind |binutils |bird | +| bison |bluez |boinc |botan |bro |bubblewrap |busybox | +| bwm_ng |bzip2 |c_ares |capnproto |ceph |chess |chrony | +| clamav |collectd |commons_compress |connman |coreutils |cpio |cronie | +| cryptsetup |cups |curl |cvs |darkhttpd |dav1d |davfs2 | +| dbus |dhclient |dhcpcd |dhcpd |dmidecode |dnsmasq |domoticz | +| 
dovecot |doxygen |dpkg |dropbear |e2fsprogs |elfutils |emacs | +| enscript |exim |exiv2 |f2fs_tools |faad2 |fastd |ffmpeg | +| file |firefox |flac |fluidsynth |freeradius |freerdp |fribidi | +| frr |gcc |gdb |gdk_pixbuf |gimp |git |glib | +| glibc |gmp |gnomeshell |gnupg |gnutls |gpgme |gpsd | +| graphicsmagick |grub2 |gstreamer |gupnp |gvfs |gzip |haproxy | +| harfbuzz |haserl |hdf5 |hostapd |hunspell |i2pd |icecast | +| icu |iperf3 |ipmitool |ipsec_tools |iptables |irssi |iucode_tool | +| jack2 |jacksondatabind |janus |jhead |json_c |kbd |keepalived | +| kerberos |kexectools |kodi |kubernetes |ldns |lftp |libarchive | +| libass |libbpg |libcoap |libconfuse |libcurl |libdb |libebml | +| libexpat |libgcrypt |libgd |libgit2 |libical |libidn2 |libinput | +| libjpeg |libjpeg_turbo |libksba |liblas |libmatroska |libmemcached |libmicrohttpd | +| libmodbus |libnss |libpcap |libraw |librsvg |librsync |libsamplerate | +| libseccomp |libsndfile |libsolv |libsoup |libsrtp |libssh |libssh2 | +| libtasn1 |libtiff |libtomcrypt |libupnp |libvirt |libvncserver |libvorbis | +| libxslt |lighttpd |linux_kernel |lldpd |logrotate |lua |luajit | +| lxc |lynx |lz4 |mailx |mariadb |mdadm |memcached | +| mini_httpd |minicom |minidlna |miniupnpc |miniupnpd |modsecurity |mosquitto | +| motion |mpv |msmtp |mtr |mutt |mysql |nano | +| nasm |nbd |ncurses |neon |nessus |netatalk |netkit_ftp | +| netpbm |nettle |nghttp2 |nginx |ngircd |nmap |node | +| ntfs_3g |ntp |ntpsec |open_iscsi |open_vm_tools |openafs |opencv | +| openjpeg |openldap |opensc |openssh |openssl |openswan |openvpn | +| p7zip |pango |patch |pcre |pcre2 |pcsc_lite |perl | +| picocom |pigz |pixman |png |polarssl_fedora |poppler |postgresql | +| ppp |privoxy |procps_ng |proftpd |pspp |pure_ftpd |putty | +| python |qemu |qt |quagga |radare2 |radvd |raptor | +| rauc |rdesktop |readline |rsync |rsyslog |rtl_433 |rtmpdump | +| runc |rust |samba |sane_backends |sdl |seahorse |shadowsocks_libev | +| sngrep |snort |sofia_sip |speex 
|spice |sqlite |squashfs | +| squid |sslh |stellarium |strongswan |stunnel |subversion |sudo | +| suricata |sylpheed |syslogng |sysstat |systemd |tcpdump |tcpreplay | +| thrift |thttpd |thunderbird |timescaledb |tinyproxy |tor |tpm2_tss | +| transmission |trousers |u_boot |udisks |unbound |unixodbc |upx | +| util_linux |varnish |vim |vorbis_tools |vsftpd |webkitgtk |wget | +| wireshark |wolfssl |wpa_supplicant |xerces |xml2 |xscreensaver |yasm | +| zabbix |zeek |zlib |znc |zsh | | | All the checkers can be found in the checkers directory, as can the diff --git a/cve_bin_tool/checkers/README.md b/cve_bin_tool/checkers/README.md index 02f2cd58e5..688b8dbb71 100644 --- a/cve_bin_tool/checkers/README.md +++ b/cve_bin_tool/checkers/README.md @@ -342,7 +342,7 @@ $ sqlite3 ~/.cache/cve-bin-tool/cve.db \ VPkg: apple, mac_os_x VPkg: canonical, ubuntu_linux VPkg: debian, debian_linux -VPkg: libexpat, expat +VPkg: libexpat_project, libexpat VPkg: mozilla, firefox VPkg: opensuse, leap VPkg: suse, linux_enterprise_debuginfo @@ -351,8 +351,8 @@ VPkg: suse, linux_enterprise_debuginfo `VENDOR_PRODUCT` attribute should have list of tuples of vendor product pair found in the listings. Some of the listings will be with regards to products that include this product. For our example all listings except -`libexpat, expat` merely include the target product (`expat` for the -example SQL query). +`libexpat_project, libexpat` merely include the target product (`libexpat` for +the example SQL query). ## Helper-Script diff --git a/cve_bin_tool/checkers/__init__.py b/cve_bin_tool/checkers/__init__.py index 7641fb79ca..3cc42df48d 100644 --- a/cve_bin_tool/checkers/__init__.py +++ b/cve_bin_tool/checkers/__init__.py @@ -72,7 +72,6 @@ "emacs", "exim", "exiv2", - "expat", "f2fs_tools", "faad2", "fastd", @@ -140,6 +139,7 @@ "libcurl", "libdb", "libebml", + "libexpat", "libgcrypt", "libgd", "libgit2", 
diff --git a/cve_bin_tool/checkers/expat.py b/cve_bin_tool/checkers/libexpat.py similarity index 93% rename from cve_bin_tool/checkers/expat.py rename to cve_bin_tool/checkers/libexpat.py index f6476d47e0..06cea82ec8 100644 --- a/cve_bin_tool/checkers/expat.py +++ b/cve_bin_tool/checkers/libexpat.py @@ -29,13 +29,12 @@ from cve_bin_tool.checkers import Checker -class ExpatChecker(Checker): - # FIXME: fix contains pattern +class LibexpatChecker(Checker): CONTAINS_PATTERNS = [ r"reserved prefix (xml) must not be undeclared or bound to another namespace name", r"cannot change setting once parsing has begun", "requested feature requires XML_DTD support in Expat", ] - FILENAME_PATTERNS = [r"expat"] + FILENAME_PATTERNS = [r"libexpat.so"] VERSION_PATTERNS = [r"expat_([012]+\.[0-9]+\.[0-9]+)"] VENDOR_PRODUCT = [("libexpat_project", "libexpat")] diff --git a/cve_bin_tool/cli.py b/cve_bin_tool/cli.py index 6cd0106895..2a22e1511a 100644 --- a/cve_bin_tool/cli.py +++ b/cve_bin_tool/cli.py @@ -12,7 +12,7 @@ """ This tool scans for a number of common, vulnerable open source components -(openssl, libpng, libxml2, expat and a few others) to let you know if your +(openssl, libpng, libxml2, libexpat and a few others) to let you know if your system includes common libraries with known vulnerabilities. It emits a list of CVE numbers that may be relevant to your binary based on the versions. There is a flag to enable information about backported fixes for specific @@ -103,7 +103,7 @@ def main(argv=None): description=textwrap.dedent( """ The CVE Binary Tool scans for a number of common, vulnerable open source - components (openssl, libpng, libxml2, expat and a few others) to let you know + components (openssl, libpng, libxml2, libexpat and a few others) to let you know if a given directory or binary file includes common libraries with known vulnerabilities. """ 
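Review bot: `FILENAME_PATTERNS = [r"libexpat.so"]` leaves the `.` unescaped, and if these patterns are applied as regexes (the `r` prefix and the regex in VERSION_PATTERNS suggest they are) it matches any character; `FILENAME_PATTERNS = [r"libexpat\.so"]` says what is meant. The rename from `expat` also narrows filename detection to the shared-object name, so executables or static archives named `expat*` are now only found through CONTAINS_PATTERNS. If that narrowing is intentional, a short comment on the line would save the next reader from re-widening it: `# only the shared object is matched by name; other builds rely on CONTAINS_PATTERNS`.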
@@ -130,9 +130,9 @@ def main(argv=None): "-n", "--nvd", action="store", - choices=["api", "api2", "json"], + choices=["api", "api2", "json", "json-mirror", "json-nvd"], help="choose method for getting CVE lists from NVD", - default="api", + default="json-mirror", ) data_sources_group.add_argument( "-u", @@ -266,6 +266,12 @@ def main(argv=None): help="minimum CVE severity to report (default: low)", default="low", ) + output_group.add_argument( + "--epss-percentile", + action="store", + help="minimum epss percentile of CVE range between 0 to 100 to report (default: 0)", + default=0, + ) output_group.add_argument( "--no-0-cve-report", action="store_true", @@ -523,6 +529,8 @@ def main(argv=None): "This product uses the NVD API but is not endorsed or certified by the NVD." ) + if args["nvd"] == "json": + args["nvd"] = "json-mirror" nvd_type = args["nvd"] # If NVD API key is not set, check for environment variable (e.g. GitHub Secrets) if not args["nvd_api_key"] and os.getenv("nvd_api_key"): @@ -532,16 +540,17 @@ def main(argv=None): if not args["nvd_api_key"] and os.getenv("NVD_API_KEY"): args["nvd_api_key"] = os.getenv("NVD_API_KEY") + if args["nvd_api_key"]: + nvd_type = "api" + # If you're not using an NVD key, let you know how to get one - if not args["nvd_api_key"] and not args["offline"]: + if nvd_type == "json-nvd" and not args["nvd_api_key"] and not args["offline"]: LOGGER.info("Not using an NVD API key. Your access may be rate limited by NVD.") LOGGER.info( "Get an NVD API key here: https://nvd.nist.gov/developers/request-an-api-key" ) - # Default NVD access to use JSON - nvd_type = "json" - if nvd_type == "json": + if nvd_type == "json-nvd": LOGGER.warning("Using legacy JSON interface") if platform.system() != "Linux": 
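Review bot: The new default `json-mirror` moves the default data source from nvd.nist.gov to a third-party host (FEED_MIRROR in the nvd_source.py hunk), but the help text `"choose method for getting CVE lists from NVD"` does not say so, and it does not say that `json` is now an alias of json-mirror (the `@@ -523,6 +529,8 @@` hunk). A user reading `--help` cannot tell that json-mirror and json-nvd differ in origin rather than in format. Suggest `help="choose method for getting CVE lists from NVD (json-nvd: feeds from nvd.nist.gov; json-mirror: community mirror of the feeds; json is an alias of json-mirror)"`. The README in this commit lists only the json-nvd/json-mirror choices, so the `json` alias is otherwise undocumented.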
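Review bot: `--epss-percentile` is added without a `type=`, so a value given on the command line arrives as a string and is only converted by `float(args["epss_percentile"])` further down in main (the `@@ -563,6 +572,10 @@` hunk); a non-numeric argument ends in a ValueError traceback instead of an argparse usage error, and the 0 to 100 range promised in the help text is never enforced. Add `type=float,` to the add_argument call (the `default=0` still works) and reject out-of-range values with the parser's `error()` before the `/ 100` scaling. The help text also spells it `epss` while the README and the metric name use `EPSS`.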
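Review bot: `if args["nvd_api_key"]: nvd_type = "api"` overrides whatever the user selected with `-n`, including an explicit `api2`, and it also fires when the key was picked up from the `nvd_api_key`/`NVD_API_KEY` environment variables read just above it, so a CI job that exports the key can never run with api2. Limit the override to the JSON modes that the key is meant to replace: `if args["nvd_api_key"] and nvd_type not in ("api", "api2"): nvd_type = "api"`. The rate-limit hint below is now shown only for json-nvd; a user who passes `-n api` without a key gets no hint, though presumably that is the path the hint was written for. main continues outside the hunk.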
@@ -563,6 +572,10 @@ def main(argv=None): if int(args["cvss"]) > 0: score = int(args["cvss"]) + epss_percentile = 0 + if float(args["epss_percentile"]) > 0: + epss_percentile = float(args["epss_percentile"]) / 100 + config_generate = set(args["generate_config"].split(",")) config_generate = [config_type.strip() for config_type in config_generate] for config_type in config_generate: @@ -863,6 +876,7 @@ def main(argv=None): with CVEScanner( score=score, + epss_percentile=epss_percentile, check_exploits=args["exploits"], exploits_list=cvedb_orig.get_exploits_list(), disabled_sources=disabled_sources, diff --git a/cve_bin_tool/cve_scanner.py b/cve_bin_tool/cve_scanner.py index 19ea29cf47..2056aa592a 100644 --- a/cve_bin_tool/cve_scanner.py +++ b/cve_bin_tool/cve_scanner.py @@ -40,6 +40,7 @@ class CVEScanner: def __init__( self, score: int = 0, + epss_percentile: float = 0.0, logger: Logger = None, error_mode: ErrorMode = ErrorMode.TruncTrace, check_exploits: bool = False, @@ -49,6 +50,7 @@ def __init__( self.logger = logger or LOGGER.getChild(self.__class__.__name__) self.error_mode = error_mode self.score = score + self.epss_percentile = epss_percentile self.products_with_cve = 0 self.products_without_cve = 0 self.all_cve_data = defaultdict(CVEData) @@ -68,6 +70,8 @@ def get_cves(self, product_info: ProductInfo, triage_data: TriageData): # being reported if self.score > 10: return + if self.epss_percentile > 100: + return if product_info.vendor == "UNKNOWN": # Add product @@ -84,7 +88,7 @@ def get_cves(self, product_info: ProductInfo, triage_data: TriageData): f"{product_info} already processed. Update path {triage_data['paths']}" ) # self.products_with_cve += 1 - self.all_cve_data[product_info]["paths"] |= triage_data["paths"] + self.all_cve_data[product_info]["paths"] |= set(triage_data["paths"]) return # Check for anything directly marked 
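Review bot: `if self.epss_percentile > 100: return` in get_cves can never fire: the cli.py hunk `@@ -563,6 +572,10 @@` divides the user's percentile by 100 before constructing CVEScanner, so the value here is a fraction in [0, 1]; the guard mirrors `if self.score > 10` but in the wrong unit. Either compare in the scaled unit, `if self.epss_percentile > 1: return`, or drop it and validate the range once at the CLI. Like the score guard above it, it skips the whole product with no log line, so a misconfigured filter looks like a clean scan; a `self.logger.warning(...)` before the `return` would make that visible. get_cves continues outside the hunk.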
@@ -257,16 +261,24 @@ def get_cves(self, product_info: ProductInfo, triage_data: TriageData): row_dict["cvss_version"] or row["cvss_version"] ) # executing query to get metric for CVE - metric_result = self.metric((row["cve_number"],)) + metric_result = self.metric( + (row["cve_number"],), self.epss_percentile + ) # row_dict doesnt have metric as key. As it based on result from query on cve_severity table # declaring row_dict[metric] row_dict["metric"] = {} - # # looping for result of query for metrics. + # looping for result of query for metrics. for key, value in metric_result.items(): row_dict["metric"][key] = [ value[0], value[1], ] + # checking if epss percentile filter is applied + if self.epss_percentile: + # if epss filter is applied and condition is failed to satisfy row_dict["metric"] will be empty + if not row_dict["metric"]: + # continue to not include that particular cve + continue self.logger.debug( f'metrics found in CVE {row_dict["cve_number"]} is {row_dict["metric"]}' ) @@ -283,7 +295,7 @@ def get_cves(self, product_info: ProductInfo, triage_data: TriageData): f"{len(cves)} CVE(s) in {product_info.vendor}.{product_info.product} version {product_info.version}" ) self.all_cve_data[product_info]["cves"] = cves - self.all_cve_data[product_info]["paths"] |= triage_data["paths"] + self.all_cve_data[product_info]["paths"] |= set(triage_data["paths"]) else: # No cves found for (product, vendor, version) tuple in the NVD database. self.products_without_cve += 1 @@ -358,7 +370,7 @@ def affected(self): for cve_data in self.all_cve_data ) - def metric(self, cve_number): + def metric(self, cve_number, epss_percentile): """The query needs to be executed separately because if it is executed using the same cursor, the search stops. We need to create a separate connection and cursor for the query to be executed independently. Finally, the function should return a dictionary with the metrics of a given CVE. 
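Review bot: The EPSS filter is order-dependent: `metric()` (the `@@ -376,6 +388,13 @@` hunk) returns the partially filled `met` when the EPSS percentile is below the threshold, so if a CVSS row was already appended before the EPSS row, `row_dict["metric"]` is non-empty and the `if not row_dict["metric"]: continue` check here lets the CVE through; conversely a CVE with no metric rows at all is dropped whenever a filter is set, although nothing is known about its EPSS. Have `metric()` return an unambiguous value on rejection, `return {}` instead of `return met`, and keep the check here as is, or return `None` and test `is None` so "no data" and "filtered" stay distinguishable. `float(metric_field)` also assumes the stored percentile is numeric; hedged, since the cve_severity schema is not in the diff. The `cur.close(); conn.close()` pair duplicated on the early return would be simpler under `contextlib.closing`. get_cves and metric both extend beyond their hunks.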
@@ -376,6 +388,13 @@ def metric(self, cve_number): # looping for result of query for metrics. for result in metric_result: metric_name, metric_score, metric_field = result + # if metric is EPSS if metric field must represent EPSS percentile + if metric_name == "EPSS": + # comparing if EPSS percentile found in CVE is less then EPSS percentile return + if float(metric_field) < epss_percentile: + cur.close() + conn.close() + return met met[metric_name] = [ metric_score, metric_field, diff --git a/cve_bin_tool/data_sources/curl_source.py b/cve_bin_tool/data_sources/curl_source.py index 0e54ea25f4..41fe409426 100644 --- a/cve_bin_tool/data_sources/curl_source.py +++ b/cve_bin_tool/data_sources/curl_source.py @@ -37,7 +37,7 @@ def __init__(self, error_mode=ErrorMode.TruncTrace): self.session = None self.affected_data = None self.source_name = self.SOURCE - self.vulnerbility_data = [] + self.vulnerability_data = [] async def get_cve_data(self): await self.fetch_cves() @@ -59,16 +59,16 @@ async def fetch_cves(self): async def download_curl_vulnerabilities(self, session: RateLimiter) -> None: async with await session.get(self.DATA_SOURCE_LINK) as response: response.raise_for_status() - self.vulnerbility_data = await response.json() + self.vulnerability_data = await response.json() path = Path(str(Path(self.cachedir) / "vuln.json")) filepath = path.resolve() async with FileIO(filepath, "w") as f: - await f.write(json.dumps(self.vulnerbility_data, indent=4)) + await f.write(json.dumps(self.vulnerability_data, indent=4)) def get_cve_list(self): self.affected_data = [] - for cve in self.vulnerbility_data: + for cve in self.vulnerability_data: affected = { "cve_id": cve["aliases"][0], "vendor": "haxx", diff --git a/cve_bin_tool/data_sources/nvd_source.py b/cve_bin_tool/data_sources/nvd_source.py index 9cd69c83cd..e1490d724b 100644 --- a/cve_bin_tool/data_sources/nvd_source.py +++ b/cve_bin_tool/data_sources/nvd_source.py 
@@ -48,11 +48,14 @@ class NVD_Source(Data_Source): SOURCE = "NVD" CACHEDIR = DISK_LOCATION_DEFAULT BACKUPCACHEDIR = DISK_LOCATION_BACKUP - FEED = "https://nvd.nist.gov/vuln/data-feeds" + FEED_NVD = "https://nvd.nist.gov/vuln/data-feeds" + FEED_MIRROR = "https://mirror.cveb.in/nvd/json/cve/1.1" LOGGER = LOGGER.getChild("CVEDB") NVDCVE_FILENAME_TEMPLATE = NVD_FILENAME_TEMPLATE - META_LINK = "https://nvd.nist.gov" - META_REGEX = re.compile(r"\/feeds\/json\/.*-[0-9]*\.[0-9]*-[0-9]*\.meta") + META_LINK_NVD = "https://nvd.nist.gov" + META_LINK_MIRROR = "https://mirror.cveb.in/nvd/json/cve/1.1" + META_REGEX_NVD = re.compile(r"feeds\/json\/.*-[0-9]*\.[0-9]*-[0-9]*\.meta") + META_REGEX_MIRROR = re.compile(r"nvdcve-[0-9]*\.[0-9]*-[0-9]*\.meta") RANGE_UNSET = "" def __init__( @@ -60,11 +63,14 @@ def __init__( feed: str | None = None, session: RateLimiter | None = None, error_mode: ErrorMode = ErrorMode.TruncTrace, - nvd_type: str = "json", + nvd_type: str = "json-mirror", incremental_update: bool = False, nvd_api_key: str = "", ): - self.feed = feed if feed is not None else self.FEED + if feed is None: + self.feed = self.FEED_NVD if nvd_type == "json-nvd" else self.FEED_MIRROR + else: + self.feed = feed self.cachedir = self.CACHEDIR self.backup_cachedir = self.BACKUPCACHEDIR self.error_mode = error_mode @@ -173,7 +179,8 @@ def format_data(self, all_cve_entries): def parse_node(self, node: dict[str, list[dict[str, str]]]) -> list[dict[str, str]]: affects_list = [] if "cpe_match" in node: - for cpe_match in node["cpe_match"]: + vulnerable_matches = (m for m in node["cpe_match"] if m["vulnerable"]) + for cpe_match in vulnerable_matches: cpe_split = cpe_match["cpe23Uri"].split(":") affects = { "vendor": cpe_split[3], 
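Review bot: `self.feed = self.FEED_NVD if nvd_type == "json-nvd" else self.FEED_MIRROR` routes every other nvd_type, including `api`, `api2` and an unmapped plain `json`, to the third-party mirror; presumably the feed is unused in the API modes, but the constructor should say so rather than leave the mirror as the implicit fallback: `# feed is only consulted by the json-* modes; api/api2 never download it`. Because the mirror is now the default source of vulnerability data, the hunk leaves one question open that matters for a defender: whether the feed archives downloaded from FEED_MIRROR are verified against the sha256 in the `.meta` files that nist_scrape/getmeta fetch. That check is what keeps a stale or tampered mirror from silently changing scan results, so a comment on FEED_MIRROR stating whether it is done (and where) would help. __init__ continues outside the hunk.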
@@ -277,7 +284,8 @@ def parse_node_api2( ) -> list[dict[str, str]]: affects_list = [] if "cpeMatch" in node: - for cpe_match in node["cpeMatch"]: + vulnerable_matches = (m for m in node["cpeMatch"] if m["vulnerable"]) + for cpe_match in vulnerable_matches: cpe_split = cpe_match["criteria"].split(":") affects = { "vendor": cpe_split[3], @@ -330,7 +338,7 @@ async def fetch_cves(self): total_tasks = len(tasks) # error_mode.value will only be greater than 1 if quiet mode. - if self.error_mode.value > 1 and self.nvd_type == "json": + if self.error_mode.value > 1 and self.nvd_type.startswith("json"): iter_tasks = track( asyncio.as_completed(tasks), description="Downloading CVEs...", @@ -404,11 +412,16 @@ async def nist_scrape(self, session: RateLimiter): async with await session.get(self.feed) as response: response.raise_for_status() page = await response.text() - json_meta_links = self.META_REGEX.findall(page) + if self.nvd_type == "json-nvd": + json_meta_links = self.META_REGEX_NVD.findall(page) + meta_host = self.META_LINK_NVD + else: + json_meta_links = self.META_REGEX_MIRROR.findall(page) + meta_host = self.META_LINK_MIRROR return dict( await asyncio.gather( *( - self.getmeta(session, f"{self.META_LINK}{meta_url}") + self.getmeta(session, f"{meta_host}/{meta_url}") for meta_url in json_meta_links ) ) diff --git a/cve_bin_tool/data_sources/osv_source.py b/cve_bin_tool/data_sources/osv_source.py index 4150492fe5..175a1edf3f 100644 --- a/cve_bin_tool/data_sources/osv_source.py +++ b/cve_bin_tool/data_sources/osv_source.py @@ -297,7 +297,9 @@ def format_data(self, all_cve_entries): vendor = ( "unknown" # OSV Schema does not provide vendor names for packages ) - if "/" in product and "github": + if ( + "github.com/" in product + ): # if package name is of format github.com/xxxx/yyyy xxxx can be vendor name and yyyy is package name vendor = product.split("/")[-2] # trying to guess vendor name product = product.split("/")[-1] 
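Review bot: In nist_scrape, `META_REGEX_MIRROR.findall(page)` returns one match per occurrence of a filename in the mirror's HTML listing; if the listing repeats each name (href plus link text, which is common for directory indexes), `getmeta` is awaited twice per file and the `dict()` only collapses the duplicates after both downloads. De-duplicating while keeping order, `json_meta_links = list(dict.fromkeys(json_meta_links))`, before the `gather` avoids the repeated fetches and applies equally to the NVD branch. This is hedged, since the listing format is not visible here.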
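Review bot: In osv_source.format_data the explanatory comment is hung off the closing `):` of a multi-line `if`, which leaves an overlong line and forces the condition to be split over three lines; put the comment above and fold the condition back: `# github.com/<owner>/<name>: take <owner> as the vendor guess and <name> as the package` followed by `if "github.com/" in product:`. Note also that `product.split("/")[-2]` yields `github.com` as the vendor when only one segment follows the host; whether such names occur in OSV is not visible here.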
@@ -314,20 +316,22 @@ def format_data(self, all_cve_entries): events = None for ranges in package.get("ranges", []): - if ranges["type"] != "GIT": + if ranges["type"] == "SEMVER": events = ranges["events"] - if events is None: + if events is None and "versions" in package: versions = package["versions"] if versions == []: continue - affected["versionStartIncluding"] = versions[0] - affected["versionEndIncluding"] = versions[-1] + version_affected = affected.copy() - affected_data.append(affected) - else: + version_affected["versionStartIncluding"] = versions[0] + version_affected["versionEndIncluding"] = versions[-1] + + affected_data.append(version_affected) + elif events is not None: introduced = None fixed = None @@ -338,12 +342,14 @@ def format_data(self, all_cve_entries): fixed = event.get("fixed") if fixed is not None: - affected["versionStartIncluding"] = introduced - affected["versionEndExcluding"] = fixed + range_affected = affected.copy() + + range_affected["versionStartIncluding"] = introduced + range_affected["versionEndExcluding"] = fixed fixed = None - affected_data.append(affected) + affected_data.append(range_affected) return severity_data, affected_data diff --git a/cve_bin_tool/input_engine.py b/cve_bin_tool/input_engine.py index de81e393a5..b5ef7d8329 100644 --- a/cve_bin_tool/input_engine.py +++ b/cve_bin_tool/input_engine.py @@ -151,7 +151,7 @@ def strip_remark(detail) -> str: self.parsed_data[product_info][id.strip() or "default"][ "severity" ] = severity.strip() - self.parsed_data[product_info]["paths"] = {""} + self.parsed_data[product_info]["paths"] = {} def parse_data(self, fields: Set[str], data: Iterable) -> None: required_fields = {"vendor", "product", "version"} diff --git a/cve_bin_tool/output_engine/__init__.py b/cve_bin_tool/output_engine/__init__.py index ab2fc15baa..7f2c3d95b6 100644 --- a/cve_bin_tool/output_engine/__init__.py +++ b/cve_bin_tool/output_engine/__init__.py 
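Review bot: `if ranges["type"] == "SEMVER":` replaces `!= "GIT"`, so ranges typed `ECOSYSTEM` are no longer read; a package whose only range is ECOSYSTEM and which carries no `versions` list now yields no affected entry at all, because neither the `events is None and "versions" in package` branch nor the `elif events is not None` branch runs. If dropping ECOSYSTEM ranges is deliberate (their version strings are not semver-comparable), record it next to the check, `# only SEMVER ranges are comparable; other range types fall back to the explicit versions list`; otherwise `if ranges["type"] in ("SEMVER", "ECOSYSTEM"):`. The per-range `affected.copy()` is the right fix for the previous entry-overwriting behaviour. format_data continues outside the hunk.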
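Review bot: `self.parsed_data[product_info]["paths"] = {}` assigns an empty dict, not an empty set, since `{}` is the dict literal. It only works because cve_scanner's `|= set(triage_data["paths"])` in this same commit wraps the value in `set()`, which turns an empty dict into an empty set; any other consumer doing `|=` or `.add()` on it would fail with a TypeError or AttributeError. Use `self.parsed_data[product_info]["paths"] = set()`.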
@@ -468,6 +468,74 @@ def output_pdf( "Applicationlist", widths=[3 * cm, 3 * cm, 2 * cm, 4 * cm, 3 * cm] ) + pdfdoc.heading(1, "List of Vulnerabilities with different metric") + pdfdoc.paragraph( + "The table given below gives CVE found with there score on different metrics." + ) + cve_by_metrics: defaultdict[Remarks, list[dict[str, str]]] = defaultdict( + list + ) + col_headings = [ + "CVE Number", + "CVSS_version", + "CVSS_score", + "EPSS_probability", + "EPSS_percentile", + ] + # group cve_data by its remarks and separately by paths + for product_info, cve_data in all_cve_data.items(): + for cve in cve_data["cves"]: + probability = "-" + percentile = "-" + for metric, field in cve.metric.items(): + if metric == "EPSS": + probability = round(field[0] * 100, 4) + percentile = field[1] + + cve_by_metrics[cve.remarks].append( + { + "cve_number": cve.cve_number, + "cvss_version": str(cve.cvss_version), + "cvss_score": str(cve.score), + "epss_probability": str(probability), + "epss_percentile": str(percentile), + "severity": cve.severity, + } + ) + + for remarks in sorted(cve_by_metrics): + pdfdoc.createtable( + "cvemetric", + col_headings, + pdfdoc.tblStyle, + ) + row = 1 + for cve in cve_by_metrics[remarks]: + entry = [ + cve["cve_number"], + cve["cvss_version"], + str(cve["cvss_score"]), + str(cve["epss_probability"]), + str(cve["epss_percentile"]), + ] + pdfdoc.addrow( + "cvemetric", + entry, + [ + ( + "TEXTCOLOR", + (0, row), + (4, row), + severity_colour[cve["severity"].split("-")[0].upper()], + ), + ("FONT", (0, row), (4, row), "Helvetica-Bold"), + ], + ) + row += 1 + pdfdoc.showtable( + "cvemetric", widths=[4 * cm, 4 * cm, 3 * cm, 4 * cm, 4 * cm] + ) + # List of scanned products with no identified vulnerabilities if all_product_data is not None: pdfdoc.heading(1, "No Identified Vulnerabilities") 
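Review bot: The user-visible paragraph `"The table given below gives CVE found with there score on different metrics."` has a grammar slip; `"The table below lists each CVE found with its score on the different metrics."`. The comment `# group cve_data by its remarks and separately by paths` is copied from the main-table loop and does not describe this one, which groups by remark only and pulls the EPSS pair out of `cve.metric`; `# group CVEs by remark, extracting EPSS probability/percentile from cve.metric`. `str(cve["cvss_score"])` and the two `str(...)` below it re-wrap values already stored as strings. If `cve["severity"]` can hold a value outside `severity_colour`, the lookup raises KeyError, but the existing table code presumably has the same contract. output_pdf continues outside the hunk.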
@@ -481,8 +549,12 @@ def output_pdf( [10, 10, 10], ) row = 1 + products_with_cves = list(map(lambda x: x[1], all_cve_data)) for product_data in all_product_data: - if all_product_data[product_data] == 0: + if ( + all_product_data[product_data] == 0 + and product_data.product not in products_with_cves + ): product_entry = [ product_data.vendor, product_data.product, diff --git a/cve_bin_tool/output_engine/console.py b/cve_bin_tool/output_engine/console.py index 6a381bcd9f..d9bcc20a75 100644 --- a/cve_bin_tool/output_engine/console.py +++ b/cve_bin_tool/output_engine/console.py @@ -150,11 +150,11 @@ def _output_console_nowrap( # group cve_data by its remarks and separately by paths for product_info, cve_data in all_cve_data.items(): for cve in cve_data["cves"]: - propability = "-" + probability = "-" percentile = "-" for metric, field in cve.metric.items(): if metric == "EPSS": - propability = str(round(field[0] * 100, 4)) + probability = str(round(field[0] * 100, 4)) percentile = str(field[1]) cve_by_remarks[cve.remarks].append( { @@ -166,7 +166,7 @@ def _output_console_nowrap( "severity": cve.severity, "score": cve.score, "cvss_version": cve.cvss_version, - "epss_propability": propability, + "epss_probability": probability, "epss_percentile": percentile, } ) @@ -203,7 +203,7 @@ def _output_console_nowrap( table.add_column("Source") table.add_column("Severity") table.add_column("Score (CVSS Version)") - table.add_column("EPSS propability") + table.add_column("EPSS probability") table.add_column("EPSS percentile") if affected_versions != 0: table.add_column("Affected Versions") @@ -224,7 +224,7 @@ def _output_console_nowrap( Text.styled(cve_data["source"], color), Text.styled(cve_data["severity"], color), Text.styled(cvss_text, color), - Text.styled(cve_data["epss_propability"], color), + Text.styled(cve_data["epss_probability"], color), Text.styled(cve_data["epss_percentile"], color), ] if affected_versions != 0: 
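Review bot: `product_data.product not in products_with_cves` filters the "No Identified Vulnerabilities" list on product name alone, so a product that has CVEs in one version or from one vendor hides a same-named product that has none, and the report then under-states what was scanned; the same filter is added in console.py at the `@@ -304` hunk. If index 1 of the `all_cve_data` key is the product name (it reads like a ProductInfo tuple) and `all_product_data` is keyed by the same tuple type, comparing whole keys is exact: `products_with_cves = set(all_cve_data)` and `product_data not in products_with_cves` — neither type is visible here, so confirm before changing. At minimum `{info[1] for info in all_cve_data}` replaces the `list(map(lambda x: x[1], ...))` and the O(n) membership test per product. `output_pdf` continues outside the hunk.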
@@ -304,8 +304,12 @@ def validate_cell_length(cell_name, cell_type): table.add_column("Product") table.add_column("Version") + products_with_cves = list(map(lambda x: x[1], all_cve_data)) for product_data in all_product_data: - if all_product_data[product_data] == 0: + if ( + all_product_data[product_data] == 0 + and product_data.product not in products_with_cves + ): cells = [ Text.styled(product_data.vendor, color), Text.styled(product_data.product, color), @@ -314,3 +318,47 @@ def validate_cell_length(cell_name, cell_type): table.add_row(*cells) # Print the table to the console console.print(table) + + table = Table() + # Add Head Columns to the Table + table.add_column("CVE") + table.add_column("CVSS_version") + table.add_column("CVSS_score") + table.add_column("EPSS_probability") + table.add_column("EPSS_percentile") + color = "green" + + cve_by_metrics: defaultdict[Remarks, list[dict[str, str]]] = defaultdict(list) + # group cve_data by its remarks and separately by paths + for product_info, cve_data in all_cve_data.items(): + for cve in cve_data["cves"]: + probability = "-" + percentile = "-" + for metric, field in cve.metric.items(): + if metric == "EPSS": + probability = round(field[0] * 100, 4) + percentile = field[1] + cve_by_metrics[cve.remarks].append( + { + "cve_number": cve.cve_number, + "cvss_version": str(cve.cvss_version), + "cvss_score": str(cve.score), + "epss_probability": str(probability), + "epss_percentile": str(percentile), + "severity": cve.severity, + } + ) + + for remarks in sorted(cve_by_remarks): + color = remarks_colors[remarks] + for cve in cve_by_metrics[remarks]: + color = cve["severity"].split("-")[0].lower() + cells = [ + Text.styled(cve["cve_number"], color), + Text.styled(cve["cvss_version"], color), + Text.styled(str(cve["cvss_score"]), color), + Text.styled(cve["epss_probability"], color), + Text.styled(cve["epss_percentile"], color), + ] + table.add_row(*cells) + console.print(table) 
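Review bot: The outer loop at the end of the hunk iterates `sorted(cve_by_remarks)` while indexing `cve_by_metrics[remarks]`; these are two different dicts, and because `cve_by_metrics` is a defaultdict a remark missing from it silently yields an empty list while a remark present only in `cve_by_metrics` is never printed. It should be `for remarks in sorted(cve_by_metrics):`, as the PDF and HTML versions of this table do. `color = remarks_colors[remarks]` and the earlier `color = "green"` are dead assignments, both overwritten by the per-row `color = cve["severity"].split("-")[0].lower()`. The comment `# group cve_data by its remarks and separately by paths` does not describe this loop; `# group CVEs by remarks with their CVSS/EPSS metrics` would. Whether `cve_by_remarks` is even in scope at this point depends on code above the hunk.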
diff --git a/cve_bin_tool/output_engine/html.py b/cve_bin_tool/output_engine/html.py index 15b1eef064..6944c5c9c5 100644 --- a/cve_bin_tool/output_engine/html.py +++ b/cve_bin_tool/output_engine/html.py @@ -211,6 +211,52 @@ def output_html( cve_severity = {"CRITICAL": 0, "HIGH": 0, "MEDIUM": 0, "LOW": 0, "UNKNOWN": 0} + cve_by_metrics: defaultdict[Remarks, list[dict[str, str]]] = defaultdict(list) + for product_info, cve_data in all_cve_data.items(): + for cve in cve_data["cves"]: + probability = "-" + percentile = "-" + + for metric, field in cve.metric.items(): + if metric == "EPSS": + probability = round(field[0] * 100, 4) + percentile = field[1] + + cve_by_metrics[cve.remarks].append( + { + "cve_number": cve.cve_number, + "cvss_version": str(cve.cvss_version), + "cvss_score": str(cve.score), + "epss_probability": str(probability), + "epss_percentile": str(percentile), + "severity": cve.severity, + } + ) + + cve_metric_html_rows = [] + for remarks in sorted(cve_by_metrics): + for cve in cve_by_metrics[remarks]: + row_color = "table-success" + if cve["severity"] == "CRITICAL": + row_color = "table-danger" + elif cve["severity"] == "HIGH": + row_color = "table-primary" + elif cve["severity"] == "MEDIUM": + row_color = "table-warning" + + html_row = f""" + + {cve["cve_number"]} + {cve["cvss_version"]} + {cve["cvss_score"]} + {cve["epss_probability"]} + {cve["epss_percentile"]} + + """ + cve_metric_html_rows.append(html_row) + # Join the HTML rows to create the full table content + table_content = "\n".join(cve_metric_html_rows) + # List of Products for product_info, cve_data in all_cve_data.items(): # Check if product contains CVEs @@ -357,6 +403,7 @@ def output_html( products_without_cve=products_without_cve, cve_remarks=cve_remarks, cve_severity=cve_severity, + table_content=table_content, ) # try to load the bigger files just before the generation of report 
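Review bot: `html_row` interpolates `cve["cve_number"]`, `cvss_version`, `cvss_score` and the EPSS strings straight into markup with an f-string, and the joined `table_content` is passed to the template as a plain string for the `{{ table_content }}` placeholder added in dashboard.html; these values originate from the downloaded vulnerability feeds rather than from the tool, so any markup characters in them are either rendered verbatim (if the template does not autoescape) or, if it does, the prebuilt row tags are escaped and the table renders as text. Either build the rows inside the template from a list of dicts (`cve_metrics=...` with a Jinja `{% for %}`), or pass each value through `html.escape(...)` before the f-string and mark the result safe deliberately. Separately, the `row_color` chain compares the full severity string, whereas the console and PDF copies normalise with `.split("-")[0]`, so a suffixed severity gets `table-success` here but the matching colour elsewhere. `output_html` continues outside the hunk.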
diff --git a/cve_bin_tool/output_engine/html_reports/templates/dashboard.html b/cve_bin_tool/output_engine/html_reports/templates/dashboard.html index 225a3e35fd..a2dbf3ddea 100644 --- a/cve_bin_tool/output_engine/html_reports/templates/dashboard.html +++ b/cve_bin_tool/output_engine/html_reports/templates/dashboard.html @@ -131,3 +131,23 @@
Product CVEs
+
+
+
CVE metric
+
+
+ + + + + + + + + + + + {{ table_content }} + +
CVE numberCVSS versionCVSS scoreEPSS probabilityEPSS percentile
+
\ No newline at end of file diff --git a/cve_bin_tool/output_engine/util.py b/cve_bin_tool/output_engine/util.py index a2411e0c57..920e4dd678 100644 --- a/cve_bin_tool/output_engine/util.py +++ b/cve_bin_tool/output_engine/util.py @@ -143,11 +143,11 @@ def format_output( if isinstance(cve, str): continue # If EPSS values are not available for a given CVE, assign them a value of "-" - propability = "-" + probability = "-" percentile = "-" for metric, field in cve.metric.items(): if metric == "EPSS": - propability = round(field[0] * 100, 4) + probability = round(field[0] * 100, 4) percentile = field[1] details = { "vendor": product_info.vendor, @@ -160,7 +160,7 @@ def format_output( "cvss_version": str(cve.cvss_version), "cvss_vector": cve.cvss_vector, # converting epss score (probability) 0-1 to 0-100 - "epss_probability": str(propability), + "epss_probability": str(probability), "epss_percentile": str(percentile), "paths": ", ".join(cve_data["paths"]), "remarks": cve.remarks.name, diff --git a/doc/MANUAL.md b/doc/MANUAL.md index ccf362b327..493ea1f1db 100644 --- a/doc/MANUAL.md +++ b/doc/MANUAL.md @@ -7,6 +7,9 @@ - [Limitations](#limitations) - [Architecture](#architecture) - [Database Structure](#database-structure) + - [Metric](#metric) + - [EPSS](#epss) + - [Different output showing metrics](#different-output-showing-metrics) - [Optional Arguments](#optional-arguments) - [-e EXCLUDE, --exclude EXCLUDE](#-e-exclude---exclude-exclude) - [-h, --help](#-h---help) 
@@ -16,7 +19,7 @@ - [--offline](#--offline) - [CVE Data Download Arguments](#cve-data-download-arguments) - [-u {now,daily,never,latest}, --update {now,daily,never,latest}](#-u-nowdailyneverlatest---update-nowdailyneverlatest) - - [-n {json,api,api2}, --nvd {json,api,api2}](#-n-jsonapiapi2---nvd-jsonapiapi2) + - [-n {json-nvd,json-mirror,api,api2}, --nvd {json-nvd,json-mirror,api,api2}](#-n-json-nvdjson-mirrorapiapi2---nvd-json-nvdjson-mirrorapiapi2) - [--nvd-api-key NVD_API_KEY](#--nvd-api-key-nvd_api_key) - [-d {NVD,OSV,GAD,CURL} \[{NVD,OSV,GAD,CURL} ...\], --disable-data-source {NVD,OSV,GAD,CURL} \[{NVD,OSV,GAD,CURL} ...\]](#-d-nvdosvgadcurl-nvdosvgadcurl----disable-data-source-nvdosvgadcurl-nvdosvgadcurl-) - [Checkers Arguments](#checkers-arguments) @@ -36,6 +39,7 @@ - [--html-theme HTML_THEME](#--html-theme-html_theme) - [-f {csv,json,console,html}, --format {csv,json,console,html}](#-f-csvjsonconsolehtml---format-csvjsonconsolehtml) - [-c CVSS, --cvss CVSS](#-c-cvss---cvss-cvss) + - [--epss-percentile](#epss-percentile) - [-S {low,medium,high,critical}, --severity {low,medium,high,critical}](#-s-lowmediumhighcritical---severity-lowmediumhighcritical) - [-A \[\-\\], --available-fix \[\-\\]](#-a-distro_name-distro_version_name---available-fix-distro_name-distro_version_name) - [-b \[\-\\], --backport-fix \[\-\\]](#-b-distro_name-distro_version_name---backport-fix-distro_name-distro_version_name) @@ -88,7 +92,7 @@ which is useful if you're trying the latest code from CVE Data Download: Arguments related to data sources and Cache Configuration - -n {api,api2,json}, --nvd {api,api2,json} + -n {api,api2,json-nvd,json-mirror}, --nvd {api,api2,json-nvd,json-mirror} choose method for getting CVE lists from NVD -u {now,daily,never,latest}, --update {now,daily,never,latest} update schedule for data sources and exploits database (default: daily) 
@@ -123,6 +127,8 @@ which is useful if you're trying the latest code from specify multiple output formats by using comma (',') as a separator note: don't use spaces between comma (',') and the output formats. -c CVSS, --cvss CVSS minimum CVSS score (as integer in range 0 to 10) to report (default: 0) + --epss-percentile minimum EPSS percentile of CVE range between 0 to 100 to report + (default: 0) -S {low,medium,high,critical}, --severity {low,medium,high,critical} minimum CVE severity to report (default: low) --no-0-cve-report only produce report when CVEs are found 
@@ -169,53 +175,53 @@ which is useful if you're trying the latest code from CVE Binary Tool produces report by default even if there are no CVEs - -| | | | Available checkers | | | | -| ----------------- | ---------------- | ------------------ | ------------------ | --------------- | ------------- | --------------- | -| accountsservice | acpid | apache_http_server | apcupsd | apparmor | asn1c | assimp | -| asterisk | atftp | avahi | bash | bind | binutils | bird | -| bison | bluez | boinc | botan | bro | bubblewrap | busybox | -| bzip2 | c_ares | capnproto | ceph | chess | chrony | clamav | -| collectd | commons_compress | connman | cpio | cronie | cryptsetup | cups | -| curl | cvs | darkhttpd | davfs2 | dbus | dhclient | dhcpcd | -| dhcpd | dnsmasq | domoticz | dovecot | doxygen | dpkg | dropbear | -| e2fsprogs | elfutils | emacs | enscript | exim | exiv2 | expat | -| f2fs_tools | faad2 | fastd | ffmpeg | file | firefox | flac | -| fluidsynth | freeradius | freerdp | fribidi | frr | gcc | gdb | -| gimp | git | glib | glibc | gmp | gnomeshell | gnupg | -| gnutls | gpgme | gpsd | graphicsmagick | grub2 | gstreamer | gupnp | -| gvfs | gzip | haproxy | harfbuzz | haserl | hdf5 | hostapd | -| hunspell | i2pd | icecast | icu | iperf3 | ipmitool | ipsec_tools | -| iptables | irssi | iucode_tool | jack2 | jacksondatabind | janus | jhead | -| json_c | kbd | keepalived | kerberos | kexectools | kodi | kubernetes | -| ldns | lftp | libarchive | libass | libbpg | libconfuse | libdb | -| libebml | libgcrypt | libgit2 | libical | libidn2 | libinput | libjpeg | -| libjpeg_turbo | libksba | liblas | libmatroska | libmemcached | libmicrohttpd | libnss | -| libpcap | libraw | librsvg | librsync | libsamplerate | libseccomp | libsndfile | -| libsolv | libsoup | libsrtp | libssh | libssh2 | libtiff | libtomcrypt | -| libupnp | libvirt | libvncserver | libvorbis | libxslt | lighttpd | linux_kernel | -| lldpd | logrotate | lua | luajit | lxc | lynx | lz4 | -| mailx | mariadb | mdadm | 
memcached | mini_httpd | minicom | minidlna | -| miniupnpc | miniupnpd | modsecurity | mosquitto | motion | mpv | msmtp | -| mtr | mutt | mysql | nano | nasm | nbd | ncurses | -| neon | nessus | netatalk | netkit_ftp | netpbm | nettle | nghttp2 | -| nginx | nmap | node | ntp | ntpsec | open_iscsi | open_vm_tools | -| openafs | opencv | openjpeg | openldap | opensc | openssh | openssl | -| openswan | openvpn | p7zip | pango | patch | pcre | pcre2 | -| pcsc_lite | perl | picocom | pigz | pixman | png | polarssl_fedora | -| poppler | postgresql | ppp | privoxy | procps_ng | proftpd | pspp | -| pure_ftpd | putty | python | qemu | qt | quagga | radare2 | -| radvd | raptor | rauc | rdesktop | rsync | rsyslog | rtl_433 | -| rtmpdump | runc | rust | samba | sane_backends | sdl | seahorse | -| shadowsocks_libev | sngrep | snort | sofia_sip | speex | spice | sqlite | -| squashfs | squid | sslh | stellarium | strongswan | stunnel | subversion | -| sudo | suricata | sylpheed | syslogng | sysstat | systemd | tcpdump | -| tcpreplay | thrift | thttpd | thunderbird | timescaledb | tinyproxy | tor | -| tpm2_tss | transmission | trousers | u_boot | unbound | unixodbc | upx | -| util_linux | varnish | vim | vorbis_tools | vsftpd | webkitgtk | wget | -| wireshark | wolfssl | wpa_supplicant | xerces | xml2 | xscreensaver | yasm | -| zabbix | zeek | zlib | znc | zsh | | | - +| | | | Available checkers | | | | +|--------------- |--------------- |------------------ |------------- |--------------- |------------ |----------------- | +| accountsservice |acpid |apache_http_server |apcupsd |apparmor |asn1c |assimp | +| asterisk |atftp |avahi |bash |bind |binutils |bird | +| bison |bluez |boinc |botan |bro |bubblewrap |busybox | +| bwm_ng |bzip2 |c_ares |capnproto |ceph |chess |chrony | +| clamav |collectd |commons_compress |connman |coreutils |cpio |cronie | +| cryptsetup |cups |curl |cvs |darkhttpd |dav1d |davfs2 | +| dbus |dhclient |dhcpcd |dhcpd |dmidecode |dnsmasq |domoticz | +| dovecot 
|doxygen |dpkg |dropbear |e2fsprogs |elfutils |emacs | +| enscript |exim |exiv2 |f2fs_tools |faad2 |fastd |ffmpeg | +| file |firefox |flac |fluidsynth |freeradius |freerdp |fribidi | +| frr |gcc |gdb |gdk_pixbuf |gimp |git |glib | +| glibc |gmp |gnomeshell |gnupg |gnutls |gpgme |gpsd | +| graphicsmagick |grub2 |gstreamer |gupnp |gvfs |gzip |haproxy | +| harfbuzz |haserl |hdf5 |hostapd |hunspell |i2pd |icecast | +| icu |iperf3 |ipmitool |ipsec_tools |iptables |irssi |iucode_tool | +| jack2 |jacksondatabind |janus |jhead |json_c |kbd |keepalived | +| kerberos |kexectools |kodi |kubernetes |ldns |lftp |libarchive | +| libass |libbpg |libcoap |libconfuse |libcurl |libdb |libebml | +| libexpat |libgcrypt |libgd |libgit2 |libical |libidn2 |libinput | +| libjpeg |libjpeg_turbo |libksba |liblas |libmatroska |libmemcached |libmicrohttpd | +| libmodbus |libnss |libpcap |libraw |librsvg |librsync |libsamplerate | +| libseccomp |libsndfile |libsolv |libsoup |libsrtp |libssh |libssh2 | +| libtasn1 |libtiff |libtomcrypt |libupnp |libvirt |libvncserver |libvorbis | +| libxslt |lighttpd |linux_kernel |lldpd |logrotate |lua |luajit | +| lxc |lynx |lz4 |mailx |mariadb |mdadm |memcached | +| mini_httpd |minicom |minidlna |miniupnpc |miniupnpd |modsecurity |mosquitto | +| motion |mpv |msmtp |mtr |mutt |mysql |nano | +| nasm |nbd |ncurses |neon |nessus |netatalk |netkit_ftp | +| netpbm |nettle |nghttp2 |nginx |ngircd |nmap |node | +| ntfs_3g |ntp |ntpsec |open_iscsi |open_vm_tools |openafs |opencv | +| openjpeg |openldap |opensc |openssh |openssl |openswan |openvpn | +| p7zip |pango |patch |pcre |pcre2 |pcsc_lite |perl | +| picocom |pigz |pixman |png |polarssl_fedora |poppler |postgresql | +| ppp |privoxy |procps_ng |proftpd |pspp |pure_ftpd |putty | +| python |qemu |qt |quagga |radare2 |radvd |raptor | +| rauc |rdesktop |readline |rsync |rsyslog |rtl_433 |rtmpdump | +| runc |rust |samba |sane_backends |sdl |seahorse |shadowsocks_libev | +| sngrep |snort |sofia_sip |speex |spice 
|sqlite |squashfs | +| squid |sslh |stellarium |strongswan |stunnel |subversion |sudo | +| suricata |sylpheed |syslogng |sysstat |systemd |tcpdump |tcpreplay | +| thrift |thttpd |thunderbird |timescaledb |tinyproxy |tor |tpm2_tss | +| transmission |trousers |u_boot |udisks |unbound |unixodbc |upx | +| util_linux |varnish |vim |vorbis_tools |vsftpd |webkitgtk |wget | +| wireshark |wolfssl |wpa_supplicant |xerces |xml2 |xscreensaver |yasm | +| zabbix |zeek |zlib |znc |zsh | | | For a quick overview of usage and how it works, you can also see [the readme file](README.md). @@ -236,7 +242,7 @@ known CVEs. A [list of currently available checkers](https://github.com/intel/cve-bin-tool/tree/main/cve_bin_tool/checkers) can be found in the checkers directory or using `cve-bin-tool --help` command, as can the [instructions on how to add a new checker](https://github.com/intel/cve-bin-tool/blob/main/cve_bin_tool/checkers/README.md). -Support for new checkers can be requested via +Support for new checkers can be requested via [GitHub issues](https://github.com/intel/cve-bin-tool/issues). (Please note, you will need to be logged in to add a new issue.) @@ -301,8 +307,8 @@ in the Input section. ## Limitations -The last release of this tool to support python 2.7 is 0.3.1. Please use -python 3.8+ for development and future versions. Linux and Windows are +The last release of this tool to support python 2.7 is 0.3.1. Please use +python 3.8+ for development and future versions. Linux and Windows are supported, as is usage within cygwin on windows. This tool does not scan for all possible known public vulnerabilities, it only 
@@ -324,12 +330,58 @@ discrepancies if the data is incomplete or inconsistent. This may result, for ex ## Architecture +The CVE binary tool is utilized to identify vulnerabilities within a software. When the CVE binary tool is initiated, it commences by populating CVE database which include downloading, and updating the database from various sources. Currently, the CVE binary tool employs diverse sources for downloading CVEs and their associated information, including curl, EPSS, GAD, NVD, OSV, and RedHat. + +Once the database is populated, the CVE binary tool conducts searches for CVEs using two distinct methods: + +- The first approach involves examining language component lists (e.g., requirement.txt, package.json) for different programming languages. Presently, the CVE binary tool provides support for 10 languages: Go, Java, JavaScript, Python, Perl, PHP, R, Ruby, Rust, and Swift. If your desired language is not listed, you can refer to this guide on [how to add a parser](../cve_bin_tool/parsers/README.md) for it. + +- The second method employs checkers to gather information about software vulnerabilities. Checkers consist of predefined information about software entities. The CVE binary tool scans binaries for patterns matching the descriptions provided by the checkers, thereby extracting details like software version and vendor. At present, the CVE binary tool includes over 300 checkers. Crafting new checkers is a straightforward process and can serve as a beginner-friendly task. You can learn more about [adding checkers here](../cve_bin_tool/checkers/README.md). + +After collecting information about the software and its version, the CVE binary tool proceeds to search for corresponding vulnerabilities within the CVE database. Following the database query, additional information is sought, such as available fixes and, depending on the scan type, potential exploits for the identified CVEs. 
+ +Subsequently, the tool generates an output based on the gathered information. The CVE binary tool supports multiple output formats, including console, CSV, JSON, HTML, and PDF. + +Furthermore, the CVE binary tool offers an option to detect vulnerabilities within a provided [CSV file](CSV2CVE.md). + ### Database Structure The CVE Binary Tool database comprises three tables: cve_severity, cve_range, and cve_exploited. The cve_range and cve_severity tables are connected. The cve_range has a foreign key referencing the cve_number and data_source in the cve_severity table. The cve_severity table holds information about the severity of vulnerabilities, with the cve_number serving as the primary key. The cve_range table is linked to cve_severity via the cve_number and data_source columns, establishing a relationship between vulnerability severity and affected product ranges. The cve_exploited table tracks exploited vulnerabilities, utilizing the cve_number as the primary key. This database structure enables effective management and analysis of CVE-related data, facilitating identifying and assessing vulnerabilities and their associated exploit instances. ![database structure of CVE Binary Tool](images/cve-bin-tool-database.png) +## Metric + +### EPSS + +The Exploit Prediction Scoring System (EPSS) is a data-driven tool designed to help estimate the likelihood of a software vulnerability being exploited in the real world. Its purpose is to assist cybersecurity teams in prioritizing which vulnerabilities to address first. While other standards focus on inherent vulnerability traits and severity, they often lack the ability to evaluate the actual threat level. + +EPSS bridges this gap by incorporating up-to-date threat information from CVE and real-world exploit data. Using this data, EPSS generates a probability score ranging from 0 to 1 (equivalent to 0% to 100%). A higher score indicates a higher likelihood of a vulnerability being exploited. 
For more information about [EPSS here](https://www.first.org/epss/model) + +### Different output showing metrics + +- Console + +![console table](images/metric/console_table.png) + +![console metric table](images/metric/metric_table.png) + +- HTML + +![HTML metric table](images/metric/HTML.png) + +- PDF + +![PDF metric table](images/metric/PDF.png) + +- CSV + +![CSV metric table](images/metric/CSV.png) + +- JSON + +![JSON metric table](images/metric/JSON.png) + ## Optional Arguments ### -e EXCLUDE, --exclude EXCLUDE 
@@ -366,12 +418,12 @@ When the offline flag is enabled, the tool will only use the local CVE data that This option controls the frequency of updates for the CVE data from the National Vulnerability Database. By default, the tool checks the staleness of the data with every run, and if the data is more than one day old, it gets an update from NVD. You may also choose to update the data `now` (in which case all cached data is deleted and a full new download is done) or `never` in which case the staleness check is not done and no update is requested. The `now` and `never` modes can be combined to produce alternative update schedules if daily is not the desired one. -### -n {json,api,api2}, --nvd {json,api,api2} +### -n {json-nvd,json-mirror,api,api2}, --nvd {json-nvd,json-mirror,api,api2} This option selects how CVE data is downloaded from the National Vulnerability Database. The default `api` option uses the NVD CVE Retrieval API version 1.0. The `api2` option uses the later NVD CVE Retrieval API version 2.0. The results from this API are updated as quickly as the NVD website. A major benefit of using this NVD API is incremental updates which basically means you won't have to download the complete feed again in case you want the latest CVE entries from NVD. See the detailed guide on [incremental updates](how_to_guides/use_incremental_updates.md) for more details. -You may also choose to update the data using `json` option which uses the JSON feeds available on [this page](https://nvd.nist.gov/vuln/data-feeds). These per-year feeds are updated once per day. This mode was the default for CVE Binary Tool prior to the 3.0 release. +You may also choose to update the data using `json-nvd` option which uses the JSON feeds available on [this page](https://nvd.nist.gov/vuln/data-feeds). These per-year feeds are updated once per day. This mode was the default for CVE Binary Tool prior to the 3.0 release. ### --nvd-api-key NVD_API_KEY 
@@ -895,6 +947,10 @@ Note: Please don't use spaces between comma (',') and the output formats. This option specifies the minimum CVSS score (as integer in range 0 to 10) of the CVE to report. The default value is 0 which results in all CVEs being reported. +### --epss-percentile + +this option specifies the minimum EPSS percentile of CVE range between 0 to 100 to report. The default value is 0 which results in all CVEs being reported. + ### -S {low,medium,high,critical}, --severity {low,medium,high,critical} This option specifies the minimum CVE severity to report. The default value is low which results in all CVEs being reported. diff --git a/doc/images/metric/CSV.png b/doc/images/metric/CSV.png new file mode 100644 index 0000000000..3b4af1c8a6 Binary files /dev/null and b/doc/images/metric/CSV.png differ diff --git a/doc/images/metric/HTML.png b/doc/images/metric/HTML.png new file mode 100644 index 0000000000..be6cd01bb3 Binary files /dev/null and b/doc/images/metric/HTML.png differ diff --git a/doc/images/metric/JSON.png b/doc/images/metric/JSON.png new file mode 100644 index 0000000000..a9f561a504 Binary files /dev/null and b/doc/images/metric/JSON.png differ diff --git a/doc/images/metric/PDF.png b/doc/images/metric/PDF.png new file mode 100644 index 0000000000..ee75f7e9cc Binary files /dev/null and b/doc/images/metric/PDF.png differ diff --git a/doc/images/metric/console_table.png b/doc/images/metric/console_table.png new file mode 100644 index 0000000000..620205270c Binary files /dev/null and b/doc/images/metric/console_table.png differ diff --git a/doc/images/metric/metric_table.png b/doc/images/metric/metric_table.png new file mode 100644 index 0000000000..012bbcdf89 Binary files /dev/null and b/doc/images/metric/metric_table.png differ diff --git a/doc/requirements.txt b/doc/requirements.txt index 6d07e036e3..a772829160 100644 --- a/doc/requirements.txt +++ b/doc/requirements.txt 
@@ -1,4 +1,4 @@ -Sphinx==7.1.2 +Sphinx==7.2.2 sphinx_markdown_tables myst_parser==2.0.0 sbom2doc \ No newline at end of file diff --git a/sbom/cve-bin-tool-py3.10.json b/sbom/cve-bin-tool-py3.10.json index c01318d5e9..9ffa050535 100644 --- a/sbom/cve-bin-tool-py3.10.json +++ b/sbom/cve-bin-tool-py3.10.json @@ -1,11 +1,11 @@ { - "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", + "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", - "serialNumber": "urn:uuide3e05b88-20fe-4fb4-a70a-7a988a30a646", + "serialNumber": "urn:uuid:40d6248a-216c-4ad9-b692-0ba5b38f177f", "version": 1, "metadata": { - "timestamp": "2023-08-07T01:14:28Z", + "timestamp": "2023-08-21T00:24:46Z", "tools": { "components": [ { @@ -144,7 +144,7 @@ "type": "library", "bom-ref": "5-async-timeout", "name": "async-timeout", - "version": "4.0.2", + "version": "4.0.3", "supplier": { "name": "Andrew Svetlov", "contact": [ @@ -153,7 +153,7 @@ } ] }, - "cpe": "cpe:2.3:a:andrew_svetlov:async-timeout:4.0.2:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:andrew_svetlov:async-timeout:4.0.3:*:*:*:*:*:*:*", "description": "Timeout context manager for asyncio programs", "licenses": [ { @@ -165,12 +165,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/async-timeout/4.0.2", + "url": "https://pypi.org/project/async-timeout/4.0.3", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/async-timeout@4.0.2", + "purl": "pkg:pypi/async-timeout@4.0.3", "properties": [ { "name": "License Comments", @@ -1419,11 +1419,11 @@ "type": "library", "bom-ref": "43-jsonschema", "name": "jsonschema", - "version": "4.18.6", + "version": "4.19.0", "supplier": { "name": "Julian Berman" }, - "cpe": "cpe:2.3:a:julian_berman:jsonschema:4.18.6:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:julian_berman:jsonschema:4.19.0:*:*:*:*:*:*:*", "description": "An implementation of JSON Schema validation for Python", "licenses": [ { 
@@ -1435,12 +1435,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/jsonschema/4.18.6", + "url": "https://pypi.org/project/jsonschema/4.19.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/jsonschema@4.18.6" + "purl": "pkg:pypi/jsonschema@4.19.0" }, { "type": "library", @@ -1527,7 +1527,7 @@ "type": "library", "bom-ref": "47-lib4sbom", "name": "lib4sbom", - "version": "0.4.1", + "version": "0.4.3", "supplier": { "name": "Anthony Harrison", "contact": [ @@ -1536,7 +1536,7 @@ } ] }, - "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.4.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.4.3:*:*:*:*:*:*:*", "description": "Software Bill of Material (SBOM) generator and consumer library", "licenses": [ { @@ -1548,12 +1548,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/lib4sbom/0.4.1", + "url": "https://pypi.org/project/lib4sbom/0.4.3", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/lib4sbom@0.4.1" + "purl": "pkg:pypi/lib4sbom@0.4.3" }, { "type": "library", @@ -1666,7 +1666,7 @@ "type": "library", "bom-ref": "51-plotly", "name": "plotly", - "version": "5.15.0", + "version": "5.16.1", "supplier": { "name": "Chris P", "contact": [ @@ -1675,7 +1675,7 @@ } ] }, - "cpe": "cpe:2.3:a:chris_p:plotly:5.15.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:chris_p:plotly:5.16.1:*:*:*:*:*:*:*", "description": "An open-source, interactive data visualization library for Python", "licenses": [ { @@ -1687,18 +1687,18 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/plotly/5.15.0", + "url": "https://pypi.org/project/plotly/5.16.1", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/plotly@5.15.0" + "purl": "pkg:pypi/plotly@5.16.1" }, { "type": "library", "bom-ref": "52-tenacity", "name": "tenacity", - "version": "8.2.2", + "version": "8.2.3", "supplier": { "name": "Julien Danjou", "contact": [ 
@@ -1707,7 +1707,7 @@ } ] }, - "cpe": "cpe:2.3:a:julien_danjou:tenacity:8.2.2:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:julien_danjou:tenacity:8.2.3:*:*:*:*:*:*:*", "description": "Retry code until it succeeds", "licenses": [ { @@ -1719,12 +1719,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/tenacity/8.2.2", + "url": "https://pypi.org/project/tenacity/8.2.3", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/tenacity@8.2.2", + "purl": "pkg:pypi/tenacity@8.2.3", "properties": [ { "name": "License Comments", diff --git a/sbom/cve-bin-tool-py3.10.spdx b/sbom/cve-bin-tool-py3.10.spdx index c5385189c3..dd1c5fdfd5 100644 --- a/sbom/cve-bin-tool-py3.10.spdx +++ b/sbom/cve-bin-tool-py3.10.spdx @@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: Python-cve-bin-tool -DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-d5127a7d-b857-4821-a5d3-57951445c898 +DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-f3c8b150-3c4b-4802-8882-7b512c33d04c LicenseListVersion: 3.21 Creator: Tool: sbom4python-0.10.0 -Created: 2023-08-07T01:12:54Z +Created: 2023-08-21T00:23:15Z CreatorComment: This document has been automatically generated. ##### 
@@ -70,18 +70,18 @@ ExternalRef: PACKAGE-MANAGER purl pkg:pypi/frozenlist@1.4.0 PackageName: async-timeout SPDXID: SPDXRef-Package-5-async-timeout -PackageVersion: 4.0.2 +PackageVersion: 4.0.3 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: Andrew Svetlov (andrew.svetlov@gmail.com) -PackageDownloadLocation: https://pypi.org/project/async-timeout/4.0.2 +PackageDownloadLocation: https://pypi.org/project/async-timeout/4.0.3 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: Apache-2.0 PackageLicenseComments: async-timeout declares Apache 2 which is not currently a valid SPDX License identifier or expression. PackageCopyrightText: NOASSERTION PackageSummary: Timeout context manager for asyncio programs -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/async-timeout@4.0.2 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:async-timeout:4.0.2:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/async-timeout@4.0.3 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:async-timeout:4.0.3:*:*:*:*:*:*:* ##### PackageName: attrs 
@@ -658,17 +658,17 @@ ExternalRef: PACKAGE-MANAGER purl pkg:pypi/markupsafe@2.1.3 PackageName: jsonschema SPDXID: SPDXRef-Package-43-jsonschema -PackageVersion: 4.18.6 +PackageVersion: 4.19.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Julian Berman -PackageDownloadLocation: https://pypi.org/project/jsonschema/4.18.6 +PackageDownloadLocation: https://pypi.org/project/jsonschema/4.19.0 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: An implementation of JSON Schema validation for Python -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/jsonschema@4.18.6 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:jsonschema:4.18.6:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/jsonschema@4.19.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:jsonschema:4.19.0:*:*:*:*:*:*:* ##### PackageName: jsonschema-specifications @@ -718,17 +718,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.9.2:*:*:*:*:*: PackageName: lib4sbom SPDXID: SPDXRef-Package-47-lib4sbom -PackageVersion: 0.4.1 +PackageVersion: 0.4.3 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Anthony Harrison (anthony.p.harrison@gmail.com) -PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.4.1 +PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.4.3 FilesAnalyzed: false PackageLicenseDeclared: Apache-2.0 PackageLicenseConcluded: Apache-2.0 PackageCopyrightText: NOASSERTION PackageSummary: Software Bill of Material (SBOM) generator and consumer library -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/lib4sbom@0.4.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.4.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/lib4sbom@0.4.3 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.4.3:*:*:*:*:*:*:* ##### PackageName: pyyaml 
@@ -780,33 +780,33 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:donald_stufft_and_individual_contribut PackageName: plotly SPDXID: SPDXRef-Package-51-plotly -PackageVersion: 5.15.0 +PackageVersion: 5.16.1 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Chris P (chris@plot.ly) -PackageDownloadLocation: https://pypi.org/project/plotly/5.15.0 +PackageDownloadLocation: https://pypi.org/project/plotly/5.16.1 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: An open-source, interactive data visualization library for Python -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/plotly@5.15.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:5.15.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/plotly@5.16.1 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:5.16.1:*:*:*:*:*:*:* ##### PackageName: tenacity SPDXID: SPDXRef-Package-52-tenacity -PackageVersion: 8.2.2 +PackageVersion: 8.2.3 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Julien Danjou (julien@danjou.info) -PackageDownloadLocation: https://pypi.org/project/tenacity/8.2.2 +PackageDownloadLocation: https://pypi.org/project/tenacity/8.2.3 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: Apache-2.0 PackageLicenseComments: tenacity declares Apache 2.0 which is not currently a valid SPDX License identifier or expression. PackageCopyrightText: NOASSERTION PackageSummary: Retry code until it succeeds -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/tenacity@8.2.2 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:julien_danjou:tenacity:8.2.2:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/tenacity@8.2.3 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:julien_danjou:tenacity:8.2.3:*:*:*:*:*:*:* ##### PackageName: python-gnupg diff --git a/sbom/cve-bin-tool-py3.11.json b/sbom/cve-bin-tool-py3.11.json index 8d30864b80..7cbc8d328d 100644 --- a/sbom/cve-bin-tool-py3.11.json 
+++ b/sbom/cve-bin-tool-py3.11.json @@ -1,11 +1,11 @@ { - "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", + "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", - "serialNumber": "urn:uuid9beac7a0-cf82-4180-94e1-d60f73a8bc3d", + "serialNumber": "urn:uuid:33c23464-882c-4482-baa5-4438bfcbfa09", "version": 1, "metadata": { - "timestamp": "2023-08-07T01:13:58Z", + "timestamp": "2023-08-21T00:24:27Z", "tools": { "components": [ { @@ -144,7 +144,7 @@ "type": "library", "bom-ref": "5-async-timeout", "name": "async-timeout", - "version": "4.0.2", + "version": "4.0.3", "supplier": { "name": "Andrew Svetlov", "contact": [ @@ -153,7 +153,7 @@ } ] }, - "cpe": "cpe:2.3:a:andrew_svetlov:async-timeout:4.0.2:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:andrew_svetlov:async-timeout:4.0.3:*:*:*:*:*:*:*", "description": "Timeout context manager for asyncio programs", "licenses": [ { @@ -165,12 +165,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/async-timeout/4.0.2", + "url": "https://pypi.org/project/async-timeout/4.0.3", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/async-timeout@4.0.2", + "purl": "pkg:pypi/async-timeout@4.0.3", "properties": [ { "name": "License Comments", @@ -1419,11 +1419,11 @@ "type": "library", "bom-ref": "43-jsonschema", "name": "jsonschema", - "version": "4.18.6", + "version": "4.19.0", "supplier": { "name": "Julian Berman" }, - "cpe": "cpe:2.3:a:julian_berman:jsonschema:4.18.6:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:julian_berman:jsonschema:4.19.0:*:*:*:*:*:*:*", "description": "An implementation of JSON Schema validation for Python", "licenses": [ { 
@@ -1435,12 +1435,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/jsonschema/4.18.6", + "url": "https://pypi.org/project/jsonschema/4.19.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/jsonschema@4.18.6" + "purl": "pkg:pypi/jsonschema@4.19.0" }, { "type": "library", @@ -1527,7 +1527,7 @@ "type": "library", "bom-ref": "47-lib4sbom", "name": "lib4sbom", - "version": "0.4.1", + "version": "0.4.3", "supplier": { "name": "Anthony Harrison", "contact": [ @@ -1536,7 +1536,7 @@ } ] }, - "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.4.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.4.3:*:*:*:*:*:*:*", "description": "Software Bill of Material (SBOM) generator and consumer library", "licenses": [ { @@ -1548,12 +1548,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/lib4sbom/0.4.1", + "url": "https://pypi.org/project/lib4sbom/0.4.3", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/lib4sbom@0.4.1" + "purl": "pkg:pypi/lib4sbom@0.4.3" }, { "type": "library", @@ -1666,7 +1666,7 @@ "type": "library", "bom-ref": "51-plotly", "name": "plotly", - "version": "5.15.0", + "version": "5.16.1", "supplier": { "name": "Chris P", "contact": [ @@ -1675,7 +1675,7 @@ } ] }, - "cpe": "cpe:2.3:a:chris_p:plotly:5.15.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:chris_p:plotly:5.16.1:*:*:*:*:*:*:*", "description": "An open-source, interactive data visualization library for Python", "licenses": [ { @@ -1687,18 +1687,18 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/plotly/5.15.0", + "url": "https://pypi.org/project/plotly/5.16.1", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/plotly@5.15.0" + "purl": "pkg:pypi/plotly@5.16.1" }, { "type": "library", "bom-ref": "52-tenacity", "name": "tenacity", - "version": "8.2.2", + "version": "8.2.3", "supplier": { "name": "Julien Danjou", "contact": [ 
@@ -1707,7 +1707,7 @@ } ] }, - "cpe": "cpe:2.3:a:julien_danjou:tenacity:8.2.2:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:julien_danjou:tenacity:8.2.3:*:*:*:*:*:*:*", "description": "Retry code until it succeeds", "licenses": [ { @@ -1719,12 +1719,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/tenacity/8.2.2", + "url": "https://pypi.org/project/tenacity/8.2.3", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/tenacity@8.2.2", + "purl": "pkg:pypi/tenacity@8.2.3", "properties": [ { "name": "License Comments", diff --git a/sbom/cve-bin-tool-py3.11.spdx b/sbom/cve-bin-tool-py3.11.spdx index 278c6b62e8..3adf7af277 100644 --- a/sbom/cve-bin-tool-py3.11.spdx +++ b/sbom/cve-bin-tool-py3.11.spdx @@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: Python-cve-bin-tool -DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-902a60d6-fdd8-465f-b9d3-cb3ea5f99805 +DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-bcd56c00-be42-440a-a897-e5280804ea21 LicenseListVersion: 3.21 Creator: Tool: sbom4python-0.10.0 -Created: 2023-08-07T01:12:26Z +Created: 2023-08-21T00:23:05Z CreatorComment: This document has been automatically generated. ##### 
@@ -70,18 +70,18 @@ ExternalRef: PACKAGE-MANAGER purl pkg:pypi/frozenlist@1.4.0 PackageName: async-timeout SPDXID: SPDXRef-Package-5-async-timeout -PackageVersion: 4.0.2 +PackageVersion: 4.0.3 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: Andrew Svetlov (andrew.svetlov@gmail.com) -PackageDownloadLocation: https://pypi.org/project/async-timeout/4.0.2 +PackageDownloadLocation: https://pypi.org/project/async-timeout/4.0.3 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: Apache-2.0 PackageLicenseComments: async-timeout declares Apache 2 which is not currently a valid SPDX License identifier or expression. PackageCopyrightText: NOASSERTION PackageSummary: Timeout context manager for asyncio programs -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/async-timeout@4.0.2 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:async-timeout:4.0.2:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/async-timeout@4.0.3 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:async-timeout:4.0.3:*:*:*:*:*:*:* ##### PackageName: attrs 
@@ -658,17 +658,17 @@ ExternalRef: PACKAGE-MANAGER purl pkg:pypi/markupsafe@2.1.3 PackageName: jsonschema SPDXID: SPDXRef-Package-43-jsonschema -PackageVersion: 4.18.6 +PackageVersion: 4.19.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Julian Berman -PackageDownloadLocation: https://pypi.org/project/jsonschema/4.18.6 +PackageDownloadLocation: https://pypi.org/project/jsonschema/4.19.0 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: An implementation of JSON Schema validation for Python -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/jsonschema@4.18.6 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:jsonschema:4.18.6:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/jsonschema@4.19.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:jsonschema:4.19.0:*:*:*:*:*:*:* ##### PackageName: jsonschema-specifications @@ -718,17 +718,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.9.2:*:*:*:*:*: PackageName: lib4sbom SPDXID: SPDXRef-Package-47-lib4sbom -PackageVersion: 0.4.1 +PackageVersion: 0.4.3 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Anthony Harrison (anthony.p.harrison@gmail.com) -PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.4.1 +PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.4.3 FilesAnalyzed: false PackageLicenseDeclared: Apache-2.0 PackageLicenseConcluded: Apache-2.0 PackageCopyrightText: NOASSERTION PackageSummary: Software Bill of Material (SBOM) generator and consumer library -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/lib4sbom@0.4.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.4.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/lib4sbom@0.4.3 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.4.3:*:*:*:*:*:*:* ##### PackageName: pyyaml 
@@ -780,33 +780,33 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:donald_stufft_and_individual_contribut PackageName: plotly SPDXID: SPDXRef-Package-51-plotly -PackageVersion: 5.15.0 +PackageVersion: 5.16.1 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Chris P (chris@plot.ly) -PackageDownloadLocation: https://pypi.org/project/plotly/5.15.0 +PackageDownloadLocation: https://pypi.org/project/plotly/5.16.1 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: An open-source, interactive data visualization library for Python -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/plotly@5.15.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:5.15.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/plotly@5.16.1 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:5.16.1:*:*:*:*:*:*:* ##### PackageName: tenacity SPDXID: SPDXRef-Package-52-tenacity -PackageVersion: 8.2.2 +PackageVersion: 8.2.3 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Julien Danjou (julien@danjou.info) -PackageDownloadLocation: https://pypi.org/project/tenacity/8.2.2 +PackageDownloadLocation: https://pypi.org/project/tenacity/8.2.3 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: Apache-2.0 PackageLicenseComments: tenacity declares Apache 2.0 which is not currently a valid SPDX License identifier or expression. PackageCopyrightText: NOASSERTION PackageSummary: Retry code until it succeeds -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/tenacity@8.2.2 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:julien_danjou:tenacity:8.2.2:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/tenacity@8.2.3 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:julien_danjou:tenacity:8.2.3:*:*:*:*:*:*:* ##### PackageName: python-gnupg diff --git a/sbom/cve-bin-tool-py3.8.json b/sbom/cve-bin-tool-py3.8.json index 5085398b8f..c0c754a1a3 100644 --- a/sbom/cve-bin-tool-py3.8.json 
+++ b/sbom/cve-bin-tool-py3.8.json @@ -1,11 +1,11 @@ { - "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", + "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", - "serialNumber": "urn:uuidd6f17b21-d3b2-4528-bee5-76e137998772", + "serialNumber": "urn:uuid:7e796cf0-1893-469d-9ab0-aed8324e772a", "version": 1, "metadata": { - "timestamp": "2023-08-07T01:01:03Z", + "timestamp": "2023-08-21T00:24:57Z", "tools": { "components": [ { @@ -144,7 +144,7 @@ "type": "library", "bom-ref": "5-async-timeout", "name": "async-timeout", - "version": "4.0.2", + "version": "4.0.3", "supplier": { "name": "Andrew Svetlov", "contact": [ @@ -153,7 +153,7 @@ } ] }, - "cpe": "cpe:2.3:a:andrew_svetlov:async-timeout:4.0.2:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:andrew_svetlov:async-timeout:4.0.3:*:*:*:*:*:*:*", "description": "Timeout context manager for asyncio programs", "licenses": [ { @@ -165,12 +165,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/async-timeout/4.0.2", + "url": "https://pypi.org/project/async-timeout/4.0.3", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/async-timeout@4.0.2", + "purl": "pkg:pypi/async-timeout@4.0.3", "properties": [ { "name": "License Comments", @@ -1412,7 +1412,7 @@ "type": "library", "bom-ref": "43-importlib-resources", "name": "importlib-resources", - "version": "6.0.0", + "version": "6.0.1", "supplier": { "name": "Barry Warsaw", "contact": [ 
@@ -1421,16 +1421,16 @@ } ] }, - "cpe": "cpe:2.3:a:barry_warsaw:importlib-resources:6.0.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:barry_warsaw:importlib-resources:6.0.1:*:*:*:*:*:*:*", "description": "Read resources from Python packages", "externalReferences": [ { - "url": "https://pypi.org/project/importlib-resources/6.0.0", + "url": "https://pypi.org/project/importlib-resources/6.0.1", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/importlib-resources@6.0.0" + "purl": "pkg:pypi/importlib-resources@6.0.1" }, { "type": "library", @@ -1491,11 +1491,11 @@ "type": "library", "bom-ref": "46-jsonschema", "name": "jsonschema", - "version": "4.18.6", + "version": "4.19.0", "supplier": { "name": "Julian Berman" }, - "cpe": "cpe:2.3:a:julian_berman:jsonschema:4.18.6:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:julian_berman:jsonschema:4.19.0:*:*:*:*:*:*:*", "description": "An implementation of JSON Schema validation for Python", "licenses": [ { @@ -1507,12 +1507,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/jsonschema/4.18.6", + "url": "https://pypi.org/project/jsonschema/4.19.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/jsonschema@4.18.6" + "purl": "pkg:pypi/jsonschema@4.19.0" }, { "type": "library", @@ -1623,7 +1623,7 @@ "type": "library", "bom-ref": "51-lib4sbom", "name": "lib4sbom", - "version": "0.4.1", + "version": "0.4.3", "supplier": { "name": "Anthony Harrison", "contact": [ @@ -1632,7 +1632,7 @@ } ] }, - "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.4.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.4.3:*:*:*:*:*:*:*", "description": "Software Bill of Material (SBOM) generator and consumer library", "licenses": [ { 
@@ -1644,12 +1644,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/lib4sbom/0.4.1", + "url": "https://pypi.org/project/lib4sbom/0.4.3", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/lib4sbom@0.4.1" + "purl": "pkg:pypi/lib4sbom@0.4.3" }, { "type": "library", @@ -1762,7 +1762,7 @@ "type": "library", "bom-ref": "55-plotly", "name": "plotly", - "version": "5.15.0", + "version": "5.16.1", "supplier": { "name": "Chris P", "contact": [ @@ -1771,7 +1771,7 @@ } ] }, - "cpe": "cpe:2.3:a:chris_p:plotly:5.15.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:chris_p:plotly:5.16.1:*:*:*:*:*:*:*", "description": "An open-source, interactive data visualization library for Python", "licenses": [ { @@ -1783,18 +1783,18 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/plotly/5.15.0", + "url": "https://pypi.org/project/plotly/5.16.1", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/plotly@5.15.0" + "purl": "pkg:pypi/plotly@5.16.1" }, { "type": "library", "bom-ref": "56-tenacity", "name": "tenacity", - "version": "8.2.2", + "version": "8.2.3", "supplier": { "name": "Julien Danjou", "contact": [ @@ -1803,7 +1803,7 @@ } ] }, - "cpe": "cpe:2.3:a:julien_danjou:tenacity:8.2.2:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:julien_danjou:tenacity:8.2.3:*:*:*:*:*:*:*", "description": "Retry code until it succeeds", "licenses": [ { @@ -1815,12 +1815,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/tenacity/8.2.2", + "url": "https://pypi.org/project/tenacity/8.2.3", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/tenacity@8.2.2", + "purl": "pkg:pypi/tenacity@8.2.3", "properties": [ { "name": "License Comments", diff --git a/sbom/cve-bin-tool-py3.8.spdx b/sbom/cve-bin-tool-py3.8.spdx index fcf4e43cdb..ce10044836 100644 --- a/sbom/cve-bin-tool-py3.8.spdx +++ b/sbom/cve-bin-tool-py3.8.spdx 
@@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: Python-cve-bin-tool -DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-4ebe989f-e3b4-43e2-996a-aee6d2303adf +DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-584a60f5-f0d9-462b-858c-0070d12cc6d5 LicenseListVersion: 3.21 Creator: Tool: sbom4python-0.10.0 -Created: 2023-08-07T00:59:13Z +Created: 2023-08-21T00:23:23Z CreatorComment: This document has been automatically generated. ##### @@ -70,18 +70,18 @@ ExternalRef: PACKAGE-MANAGER purl pkg:pypi/frozenlist@1.4.0 PackageName: async-timeout SPDXID: SPDXRef-Package-5-async-timeout -PackageVersion: 4.0.2 +PackageVersion: 4.0.3 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: Andrew Svetlov (andrew.svetlov@gmail.com) -PackageDownloadLocation: https://pypi.org/project/async-timeout/4.0.2 +PackageDownloadLocation: https://pypi.org/project/async-timeout/4.0.3 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: Apache-2.0 PackageLicenseComments: async-timeout declares Apache 2 which is not currently a valid SPDX License identifier or expression. PackageCopyrightText: NOASSERTION PackageSummary: Timeout context manager for asyncio programs -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/async-timeout@4.0.2 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:async-timeout:4.0.2:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/async-timeout@4.0.3 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:async-timeout:4.0.3:*:*:*:*:*:*:* ##### PackageName: attrs 
@@ -659,17 +659,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:jason_r._coombs:zipp:3.16.2:*:*:*:*:*: PackageName: importlib-resources SPDXID: SPDXRef-Package-43-importlib-resources -PackageVersion: 6.0.0 +PackageVersion: 6.0.1 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Barry Warsaw (barry@python.org) -PackageDownloadLocation: https://pypi.org/project/importlib-resources/6.0.0 +PackageDownloadLocation: https://pypi.org/project/importlib-resources/6.0.1 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: NOASSERTION PackageCopyrightText: NOASSERTION PackageSummary: Read resources from Python packages -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/importlib-resources@6.0.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:barry_warsaw:importlib-resources:6.0.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/importlib-resources@6.0.1 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:barry_warsaw:importlib-resources:6.0.1:*:*:*:*:*:*:* ##### PackageName: jinja2 @@ -703,17 +703,17 @@ ExternalRef: PACKAGE-MANAGER purl pkg:pypi/markupsafe@2.1.3 PackageName: jsonschema SPDXID: SPDXRef-Package-46-jsonschema -PackageVersion: 4.18.6 +PackageVersion: 4.19.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Julian Berman -PackageDownloadLocation: https://pypi.org/project/jsonschema/4.18.6 +PackageDownloadLocation: https://pypi.org/project/jsonschema/4.19.0 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: An implementation of JSON Schema validation for Python -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/jsonschema@4.18.6 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:jsonschema:4.18.6:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/jsonschema@4.19.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:jsonschema:4.19.0:*:*:*:*:*:*:* ##### PackageName: jsonschema-specifications 
@@ -778,17 +778,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:vinay_sajip:pkgutil-resolve-name:1.3.1 PackageName: lib4sbom SPDXID: SPDXRef-Package-51-lib4sbom -PackageVersion: 0.4.1 +PackageVersion: 0.4.3 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Anthony Harrison (anthony.p.harrison@gmail.com) -PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.4.1 +PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.4.3 FilesAnalyzed: false PackageLicenseDeclared: Apache-2.0 PackageLicenseConcluded: Apache-2.0 PackageCopyrightText: NOASSERTION PackageSummary: Software Bill of Material (SBOM) generator and consumer library -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/lib4sbom@0.4.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.4.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/lib4sbom@0.4.3 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.4.3:*:*:*:*:*:*:* ##### PackageName: pyyaml 
@@ -840,33 +840,33 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:donald_stufft_and_individual_contribut PackageName: plotly SPDXID: SPDXRef-Package-55-plotly -PackageVersion: 5.15.0 +PackageVersion: 5.16.1 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Chris P (chris@plot.ly) -PackageDownloadLocation: https://pypi.org/project/plotly/5.15.0 +PackageDownloadLocation: https://pypi.org/project/plotly/5.16.1 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: An open-source, interactive data visualization library for Python -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/plotly@5.15.0 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:5.15.0:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/plotly@5.16.1 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:5.16.1:*:*:*:*:*:*:* ##### PackageName: tenacity SPDXID: SPDXRef-Package-56-tenacity -PackageVersion: 8.2.2 +PackageVersion: 8.2.3 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Julien Danjou (julien@danjou.info) -PackageDownloadLocation: https://pypi.org/project/tenacity/8.2.2 +PackageDownloadLocation: https://pypi.org/project/tenacity/8.2.3 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: Apache-2.0 PackageLicenseComments: tenacity declares Apache 2.0 which is not currently a valid SPDX License identifier or expression. PackageCopyrightText: NOASSERTION PackageSummary: Retry code until it succeeds -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/tenacity@8.2.2 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:julien_danjou:tenacity:8.2.2:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/tenacity@8.2.3 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:julien_danjou:tenacity:8.2.3:*:*:*:*:*:*:* ##### PackageName: python-gnupg diff --git a/sbom/cve-bin-tool-py3.9.json b/sbom/cve-bin-tool-py3.9.json index 85385d6122..c0db5e2a39 100644 --- a/sbom/cve-bin-tool-py3.9.json 
+++ b/sbom/cve-bin-tool-py3.9.json @@ -1,11 +1,11 @@ { - "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", + "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", - "serialNumber": "urn:uuidfe4b268c-cc3c-453d-b219-54512a78784d", + "serialNumber": "urn:uuid:25f4b876-a973-4954-b768-39c090ff8a2f", "version": 1, "metadata": { - "timestamp": "2023-08-07T01:15:57Z", + "timestamp": "2023-08-21T00:24:23Z", "tools": { "components": [ { @@ -144,7 +144,7 @@ "type": "library", "bom-ref": "5-async-timeout", "name": "async-timeout", - "version": "4.0.2", + "version": "4.0.3", "supplier": { "name": "Andrew Svetlov", "contact": [ @@ -153,7 +153,7 @@ } ] }, - "cpe": "cpe:2.3:a:andrew_svetlov:async-timeout:4.0.2:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:andrew_svetlov:async-timeout:4.0.3:*:*:*:*:*:*:*", "description": "Timeout context manager for asyncio programs", "licenses": [ { @@ -165,12 +165,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/async-timeout/4.0.2", + "url": "https://pypi.org/project/async-timeout/4.0.3", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/async-timeout@4.0.2", + "purl": "pkg:pypi/async-timeout@4.0.3", "properties": [ { "name": "License Comments", @@ -1467,11 +1467,11 @@ "type": "library", "bom-ref": "45-jsonschema", "name": "jsonschema", - "version": "4.18.6", + "version": "4.19.0", "supplier": { "name": "Julian Berman" }, - "cpe": "cpe:2.3:a:julian_berman:jsonschema:4.18.6:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:julian_berman:jsonschema:4.19.0:*:*:*:*:*:*:*", "description": "An implementation of JSON Schema validation for Python", "licenses": [ { 
@@ -1483,12 +1483,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/jsonschema/4.18.6", + "url": "https://pypi.org/project/jsonschema/4.19.0", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/jsonschema@4.18.6" + "purl": "pkg:pypi/jsonschema@4.19.0" }, { "type": "library", @@ -1575,7 +1575,7 @@ "type": "library", "bom-ref": "49-lib4sbom", "name": "lib4sbom", - "version": "0.4.1", + "version": "0.4.3", "supplier": { "name": "Anthony Harrison", "contact": [ @@ -1584,7 +1584,7 @@ } ] }, - "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.4.1:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:anthony_harrison:lib4sbom:0.4.3:*:*:*:*:*:*:*", "description": "Software Bill of Material (SBOM) generator and consumer library", "licenses": [ { @@ -1596,12 +1596,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/lib4sbom/0.4.1", + "url": "https://pypi.org/project/lib4sbom/0.4.3", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/lib4sbom@0.4.1" + "purl": "pkg:pypi/lib4sbom@0.4.3" }, { "type": "library", @@ -1714,7 +1714,7 @@ "type": "library", "bom-ref": "53-plotly", "name": "plotly", - "version": "5.15.0", + "version": "5.16.1", "supplier": { "name": "Chris P", "contact": [ @@ -1723,7 +1723,7 @@ } ] }, - "cpe": "cpe:2.3:a:chris_p:plotly:5.15.0:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:chris_p:plotly:5.16.1:*:*:*:*:*:*:*", "description": "An open-source, interactive data visualization library for Python", "licenses": [ { @@ -1735,18 +1735,18 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/plotly/5.15.0", + "url": "https://pypi.org/project/plotly/5.16.1", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/plotly@5.15.0" + "purl": "pkg:pypi/plotly@5.16.1" }, { "type": "library", "bom-ref": "54-tenacity", "name": "tenacity", - "version": "8.2.2", + "version": "8.2.3", "supplier": { "name": "Julien Danjou", "contact": [ 
@@ -1755,7 +1755,7 @@ } ] }, - "cpe": "cpe:2.3:a:julien_danjou:tenacity:8.2.2:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:a:julien_danjou:tenacity:8.2.3:*:*:*:*:*:*:*", "description": "Retry code until it succeeds", "licenses": [ { @@ -1767,12 +1767,12 @@ ], "externalReferences": [ { - "url": "https://pypi.org/project/tenacity/8.2.2", + "url": "https://pypi.org/project/tenacity/8.2.3", "type": "distribution", "comment": "Download location for component" } ], - "purl": "pkg:pypi/tenacity@8.2.2", + "purl": "pkg:pypi/tenacity@8.2.3", "properties": [ { "name": "License Comments", diff --git a/sbom/cve-bin-tool-py3.9.spdx b/sbom/cve-bin-tool-py3.9.spdx index dfe8394946..096a9f3836 100644 --- a/sbom/cve-bin-tool-py3.9.spdx +++ b/sbom/cve-bin-tool-py3.9.spdx @@ -2,10 +2,10 @@ SPDXVersion: SPDX-2.3 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: Python-cve-bin-tool -DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-cc88efbc-1429-47bf-8ecc-2e871d9f79b3 +DocumentNamespace: http://spdx.org/spdxdocs/Python-cve-bin-tool-b9a15a46-447a-4198-bd2f-2b8bfe931ec9 LicenseListVersion: 3.21 Creator: Tool: sbom4python-0.10.0 -Created: 2023-08-07T01:14:05Z +Created: 2023-08-21T00:23:04Z CreatorComment: This document has been automatically generated. ##### 
@@ -70,18 +70,18 @@ ExternalRef: PACKAGE-MANAGER purl pkg:pypi/frozenlist@1.4.0 PackageName: async-timeout SPDXID: SPDXRef-Package-5-async-timeout -PackageVersion: 4.0.2 +PackageVersion: 4.0.3 PrimaryPackagePurpose: LIBRARY PackageSupplier: Organization: Andrew Svetlov (andrew.svetlov@gmail.com) -PackageDownloadLocation: https://pypi.org/project/async-timeout/4.0.2 +PackageDownloadLocation: https://pypi.org/project/async-timeout/4.0.3 FilesAnalyzed: false PackageLicenseDeclared: NOASSERTION PackageLicenseConcluded: Apache-2.0 PackageLicenseComments: async-timeout declares Apache 2 which is not currently a valid SPDX License identifier or expression. PackageCopyrightText: NOASSERTION PackageSummary: Timeout context manager for asyncio programs -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/async-timeout@4.0.2 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:async-timeout:4.0.2:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/async-timeout@4.0.3 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:andrew_svetlov:async-timeout:4.0.3:*:*:*:*:*:*:* ##### PackageName: attrs 
@@ -688,17 +688,17 @@ ExternalRef: PACKAGE-MANAGER purl pkg:pypi/markupsafe@2.1.3 PackageName: jsonschema SPDXID: SPDXRef-Package-45-jsonschema -PackageVersion: 4.18.6 +PackageVersion: 4.19.0 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Julian Berman -PackageDownloadLocation: https://pypi.org/project/jsonschema/4.18.6 +PackageDownloadLocation: https://pypi.org/project/jsonschema/4.19.0 FilesAnalyzed: false PackageLicenseDeclared: MIT PackageLicenseConcluded: MIT PackageCopyrightText: NOASSERTION PackageSummary: An implementation of JSON Schema validation for Python -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/jsonschema@4.18.6 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:jsonschema:4.18.6:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/jsonschema@4.19.0 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:jsonschema:4.19.0:*:*:*:*:*:*:* ##### PackageName: jsonschema-specifications @@ -748,17 +748,17 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:julian_berman:rpds-py:0.9.2:*:*:*:*:*: PackageName: lib4sbom SPDXID: SPDXRef-Package-49-lib4sbom -PackageVersion: 0.4.1 +PackageVersion: 0.4.3 PrimaryPackagePurpose: LIBRARY PackageSupplier: Person: Anthony Harrison (anthony.p.harrison@gmail.com) -PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.4.1 +PackageDownloadLocation: https://pypi.org/project/lib4sbom/0.4.3 FilesAnalyzed: false PackageLicenseDeclared: Apache-2.0 PackageLicenseConcluded: Apache-2.0 PackageCopyrightText: NOASSERTION PackageSummary: Software Bill of Material (SBOM) generator and consumer library -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/lib4sbom@0.4.1 -ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.4.1:*:*:*:*:*:*:* +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/lib4sbom@0.4.3 +ExternalRef: SECURITY cpe23Type cpe:2.3:a:anthony_harrison:lib4sbom:0.4.3:*:*:*:*:*:*:* ##### PackageName: pyyaml 
@@ -810,33 +810,33 @@ ExternalRef: SECURITY cpe23Type cpe:2.3:a:donald_stufft_and_individual_contribut
 PackageName: plotly
 SPDXID: SPDXRef-Package-53-plotly
-PackageVersion: 5.15.0
+PackageVersion: 5.16.1
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Chris P (chris@plot.ly)
-PackageDownloadLocation: https://pypi.org/project/plotly/5.15.0
+PackageDownloadLocation: https://pypi.org/project/plotly/5.16.1
 FilesAnalyzed: false
 PackageLicenseDeclared: MIT
 PackageLicenseConcluded: MIT
 PackageCopyrightText: NOASSERTION
 PackageSummary: An open-source, interactive data visualization library for Python
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/plotly@5.15.0
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:5.15.0:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/plotly@5.16.1
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:chris_p:plotly:5.16.1:*:*:*:*:*:*:*
 #####
 PackageName: tenacity
 SPDXID: SPDXRef-Package-54-tenacity
-PackageVersion: 8.2.2
+PackageVersion: 8.2.3
 PrimaryPackagePurpose: LIBRARY
 PackageSupplier: Person: Julien Danjou (julien@danjou.info)
-PackageDownloadLocation: https://pypi.org/project/tenacity/8.2.2
+PackageDownloadLocation: https://pypi.org/project/tenacity/8.2.3
 FilesAnalyzed: false
 PackageLicenseDeclared: NOASSERTION
 PackageLicenseConcluded: Apache-2.0
 PackageLicenseComments: tenacity declares Apache 2.0 which is not currently a valid SPDX License identifier or expression.
 PackageCopyrightText: NOASSERTION
 PackageSummary: Retry code until it succeeds
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/tenacity@8.2.2
-ExternalRef: SECURITY cpe23Type cpe:2.3:a:julien_danjou:tenacity:8.2.2:*:*:*:*:*:*:*
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/tenacity@8.2.3
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:julien_danjou:tenacity:8.2.3:*:*:*:*:*:*:*
 #####
 PackageName: python-gnupg
diff --git a/test/condensed-downloads/ceph-15.2.17-1-aarch64.pkg.tar.xz.tar.gz b/test/condensed-downloads/ceph-15.2.17-1-aarch64.pkg.tar.xz.tar.gz
new file mode 100644
index 0000000000..3777b618d4
Binary files /dev/null and b/test/condensed-downloads/ceph-15.2.17-1-aarch64.pkg.tar.xz.tar.gz differ
diff --git a/test/condensed-downloads/ceph-base-18.2.0-1.fc40.aarch64.rpm.tar.gz b/test/condensed-downloads/ceph-base-18.2.0-1.fc40.aarch64.rpm.tar.gz
new file mode 100644
index 0000000000..041f08a530
Binary files /dev/null and b/test/condensed-downloads/ceph-base-18.2.0-1.fc40.aarch64.rpm.tar.gz differ
diff --git a/test/condensed-downloads/ceph-base_12.2.11+dfsg1-2.1+b1_amd64.deb.tar.gz b/test/condensed-downloads/ceph-base_12.2.11+dfsg1-2.1+b1_amd64.deb.tar.gz
new file mode 100644
index 0000000000..ecc5a8dce5
Binary files /dev/null and b/test/condensed-downloads/ceph-base_12.2.11+dfsg1-2.1+b1_amd64.deb.tar.gz differ
diff --git a/test/condensed-downloads/ceph_14.2.21-1_amd64.deb.tar.gz b/test/condensed-downloads/ceph_14.2.21-1_amd64.deb.tar.gz
deleted file mode 100644
index f2348ae5f5..0000000000
Binary files a/test/condensed-downloads/ceph_14.2.21-1_amd64.deb.tar.gz and /dev/null differ
diff --git a/test/test_checkers.py b/test/test_checkers.py
index 5b31b3127f..65080256a3 100644
--- a/test/test_checkers.py
+++ b/test/test_checkers.py
@@ -71,7 +71,6 @@ def setup_class(cls):
 ("emacs", "emacs", ["emacs"]),
 ("emacs", "emacs-nox", ["emacs"]),
 ("emacs", "emacs-gtk", ["emacs"]),
- ("expat", "libexpat.so", ["expat"]),
 ("ffmpeg", "libffmpeg.so", ["ffmpeg"]),
 ("gnutls_cli", "libgnutls.so", ["gnutls-cli"]),
 ("gnutls_serv", "gnutls-serv", ["gnutls-serv"]),
@@ -85,6 +84,7 @@ def setup_class(cls):
 ("kerberos", "kerberos", ["kerberos_5"]),
 ("libcurl", "libcurl.so.2.0", ["libcurl"]),
 ("libdb", "libdb-2.0.so", ["libdb"]),
+ ("libexpat", "libexpat.so", ["libexpat"]),
 ("libgcrypt", "libgcrypt.so.1.0", ["libgcrypt"]),
 ("libjpeg", "libjpg.so.2.0", ["libjpeg-turbo"]),
 ("libnss", "libnss.so.1.0", ["nss"]),
diff --git a/test/test_cli.py b/test/test_cli.py
index 1fdc9e4145..f9e31c9c34 100644
--- a/test/test_cli.py
+++ b/test/test_cli.py
@@ -198,7 +198,7 @@ def test_skips(self, caplog):
 test_path = str(Path(__file__).parent.resolve() / "csv")
 skip_checkers = ["systemd", "xerces", "xml2", "kerberos"]
- include_checkers = ["expat", "libgcrypt", "openssl", "sqlite"]
+ include_checkers = ["libexpat", "libgcrypt", "openssl", "sqlite"]
 with caplog.at_level(logging.INFO):
 main(["cve-bin-tool", test_path, "-s", ",".join(skip_checkers)])
 self.check_checkers_log(caplog, skip_checkers, include_checkers)
@@ -212,7 +212,7 @@ def test_skips(self, caplog):
 def test_runs(self, caplog):
 test_path = str(Path(__file__).parent.resolve() / "csv")
- runs = ["expat", "libgcrypt", "openssl", "sqlite"]
+ runs = ["libexpat", "libgcrypt", "openssl", "sqlite"]
 skip_checkers = ["systemd", "xerces", "xml2", "kerberos"]
 with caplog.at_level(logging.INFO):
 main(["cve-bin-tool", test_path, "-r", ",".join(runs)])
@@ -484,6 +484,60 @@ def test_CVSS_score(self, capsys, caplog):
 my_test_filename_pathlib.unlink()
 caplog.clear()
+ def test_EPSS_percentile(self, capsys, caplog):
+ """scan with EPSS percentile to ensure only CVEs above score threshold are reported
+ Checks cannot placed on epss percentile value as the value changes everyday
+ """
+
+ my_test_filename = "epss_percentile.csv"
+ my_test_filename_pathlib = Path(my_test_filename)
+
+ # Check command line parameters. Less than 0 result in default behaviour.
+ if my_test_filename_pathlib.exists():
+ my_test_filename_pathlib.unlink()
+ with caplog.at_level(logging.DEBUG):
+ main(
+ [
+ "cve-bin-tool",
+ "-x",
+ "--epss-percentile",
+ "-1",
+ "-f",
+ "csv",
+ "-o",
+ my_test_filename,
+ str(Path(self.tempdir) / CURL_7_20_0_RPM),
+ ]
+ )
+ # Verify that some CVEs with a severity of Medium are reported
+ # Checks cannot placed on epss percentile value as the value changes everyday.
+ assert self.check_string_in_file(my_test_filename, "MEDIUM")
+ caplog.clear()
+
+ # Check command line parameters. >10 results in no CVEs being reported (Maximum CVSS score is 10)
+ if my_test_filename_pathlib.exists():
+ my_test_filename_pathlib.unlink()
+ with caplog.at_level(logging.DEBUG):
+ main(
+ [
+ "cve-bin-tool",
+ "-x",
+ "--epss-percentile",
+ "110",
+ "-f",
+ "csv",
+ "-o",
+ my_test_filename,
+ str(Path(self.tempdir) / CURL_7_20_0_RPM),
+ ]
+ )
+ # Verify that no CVEs are reported
+ with open(my_test_filename_pathlib) as fd:
+ assert not fd.read().split("\n")[1]
+ caplog.clear()
+ if my_test_filename_pathlib.exists():
+ my_test_filename_pathlib.unlink()
+
 @pytest.mark.skip(reason="Needs database rebuild. Temporary fix.")
 def test_SBOM(self, caplog):
 # check sbom file option
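Review bot: The comment before the second run, `# Check command line parameters. >10 results in no CVEs being reported (Maximum CVSS score is 10)`, was carried over from test_CVSS_score and does not describe the EPSS percentile, whose upper bound is not 10; replace it with something like `# Check command line parameters. A percentile above the maximum results in no CVEs being reported`, and fix the docstring's "Checks cannot placed on epss percentile value" to "Checks cannot be placed on the EPSS percentile value". Neither run exercises the filter at a real threshold (`-1` falls back to the default behaviour per the comment, `110` is out of range), so a regression that simply ignored the option would only be caught by the second run; if the tool accepts the lowest valid percentile, a third run at that value asserting that MEDIUM is still reported would pin the filter without depending on the daily EPSS data. `assert not fd.read().split("\n")[1]` raises IndexError instead of producing an assertion failure if the CSV is written without a trailing newline, and `open(my_test_filename_pathlib)` relies on the locale encoding; presumably both mirror test_CVSS_score, whose body starts outside the hunk.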
@@ -614,7 +668,7 @@ def test_console_output_depending_reportlab_existence(self, caplog):
 output_tomls = [
 [
 "This is an automatically generated configuration file",
- 'nvd = "json"',
+ 'nvd = "json-mirror"',
 'sbom = "swid"',
 'log_level = "warning"',
 'offline = "True"',
diff --git a/test/test_data/ceph.py b/test/test_data/ceph.py
index a01d482159..6b8e96ac27 100644
--- a/test/test_data/ceph.py
+++ b/test/test_data/ceph.py
@@ -8,20 +8,22 @@
 package_test_data = [
 {
 "url": "http://rpmfind.net/linux/fedora/linux/development/rawhide/Everything/aarch64/os/Packages/c/",
- "package_name": "ceph-17.2.5-13.fc39.aarch64.rpm",
+ "package_name": "ceph-base-18.2.0-1.fc40.aarch64.rpm",
 "product": "ceph",
- "version": "17.2.5",
+ "version": "18.2.0",
 },
 {
 "url": "http://ftp.fr.debian.org/debian/pool/main/c/ceph/",
- "package_name": "ceph_14.2.21-1_amd64.deb",
+ "package_name": "ceph-base_12.2.11+dfsg1-2.1+b1_amd64.deb",
 "product": "ceph",
- "version": "14.2.21",
+ "version": "12.2.11",
+ "other_products": ["lua"],
 },
 {
- "url": "http://ftp.fr.debian.org/debian/pool/main/c/ceph/",
- "package_name": "ceph-base_10.2.11-2_amd64.deb",
+ "url": "https://eu.mirror.archlinuxarm.org/aarch64/extra/",
+ "package_name": "ceph-15.2.17-1-aarch64.pkg.tar.xz",
 "product": "ceph",
- "version": "10.2.11",
+ "version": "15.2.17",
+ "other_products": ["gcc", "lua"],
 },
 ]
diff --git a/test/test_data/expat.py b/test/test_data/libexpat.py
similarity index 100%
rename from test/test_data/expat.py
rename to test/test_data/libexpat.py
diff --git a/test/test_input_engine.py b/test/test_input_engine.py
index c553dea6f1..3a7ecc7718 100644
--- a/test/test_input_engine.py
+++ b/test/test_input_engine.py
@@ -66,7 +66,7 @@ class TestInputEngine:
 "remarks": Remarks.Confirmed,
 "severity": "CRITICAL",
 },
- "paths": {""},
+ "paths": {},
 },
 ProductInfo("gnu", "glibc", "2.33"): {
 "CVE-2021-1234": {
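Review bot: `"paths": {}` in the test_input_engine.py hunk at -66 is an empty dict literal, not an empty set, so the expected value silently changes type from a set of strings to a dict and `{} == set()` is False in Python; if the intent is "no paths" the spelling is `"paths": set()`, and if the input engine now genuinely emits a dict here that is the same set/dict mix-up on the production side and worth checking there. The same change appears in the three following hunks of this file (-74, -85 and -93). The test_output_engine.py fixtures changed in this same commit keep `paths={""}` as context, so the two test files now disagree on how an empty path set is represented; a one-line comment above the first fixture, `# paths: set of file paths the product was found in; empty for SBOM/VEX input`, would record the intended type for whoever reconciles them.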
@@ -74,7 +74,7 @@ class TestInputEngine:
 "remarks": Remarks.Unexplored,
 "severity": "HIGH",
 },
- "paths": {""},
+ "paths": {},
 },
 }
 # cyclonedx currently doesn't have vendors
@@ -85,7 +85,7 @@ class TestInputEngine:
 "remarks": Remarks.Confirmed,
 "severity": "CRITICAL",
 },
- "paths": {""},
+ "paths": {},
 },
 ProductInfo("UNKNOWN", "glibc", "2.33"): {
 "CVE-2021-1234": {
@@ -93,7 +93,7 @@ class TestInputEngine:
 "remarks": Remarks.Unexplored,
 "severity": "HIGH",
 },
- "paths": {""},
+ "paths": {},
 },
 }
 MISSING_FIELD_REGEX = re.compile(
diff --git a/test/test_output_engine.py b/test/test_output_engine.py
index 0e6aadec55..ef08bf1c21 100644
--- a/test/test_output_engine.py
+++ b/test/test_output_engine.py
@@ -176,6 +176,9 @@ class TestOutputEngine(unittest.TestCase):
 cvss_version=2,
 cvss_vector="C:H",
 data_source="NVD",
+ metric={
+ "EPSS": [0.6932, "0.2938"],
+ },
 ),
 CVE(
 "CVE-1234-1234",
@@ -184,6 +187,9 @@ class TestOutputEngine(unittest.TestCase):
 cvss_version=2,
 cvss_vector="CVSS2.0/C:H",
 data_source="NVD",
+ metric={
+ "EPSS": [0.06084, "0.7936"],
+ },
 ),
 ],
 paths={""},
@@ -198,7 +204,7 @@ class TestOutputEngine(unittest.TestCase):
 cvss_vector="CVSS3.0/C:H/I:L/A:M",
 data_source="NVD",
 metric={
- "EPSS": [0.0468, "0.34072"],
+ "EPSS": [0.1646, "0.3955"],
 },
 )
 ],
@@ -213,6 +219,7 @@ class TestOutputEngine(unittest.TestCase):
 cvss_version=2,
 cvss_vector="C:H/I:L/A:M",
 data_source="NVD",
+ metric={"EPSS": [0.2059, "0.09260"]},
 )
 ],
 paths={""},
@@ -665,6 +672,37 @@ class TestOutputEngine(unittest.TestCase):
 "Page 2"
 )
+ PDF_OUTPUT_2 = (
+ "4. List of Vulnerabilities with different metric"
+ "The table given below gives CVE found with there score on different metrics."
+ "CVE Number"
+ "CVSS_version"
+ "CVSS_score"
+ "EPSS_probability"
+ "EPSS_percentile"
+ "CVE-1234-1234"
+ "2"
+ "4.2"
+ "69.32"
+ "0.2938"
+ "CVE-1234-1234"
+ "2"
+ "1.2"
+ "6.084"
+ "0.7936"
+ "CVE-1234-1234"
+ "3"
+ "2.5"
+ "16.46"
+ "0.3955"
+ "CVE-1234-1234"
+ "2"
+ "7.5"
+ "20.59"
+ "0.09260"
+ "Page 3"
+ )
+
 VEX_FORMATTED_OUTPUT = [
 {
 "bomFormat": "CycloneDX",
@@ -864,6 +902,7 @@ def test_output_pdf(self):
 # Only interested in section 3 of the report which contains table of CVEs. This is on the second page
 page = pdf[1]
 # Find start of section 3 header
+
 section2_start = page.find("3. List of Identified Vulnerabilities")
 self.assertEqual(
 page[section2_start:]
@@ -874,6 +913,17 @@ def test_output_pdf(self):
 self.PDF_OUTPUT.replace(" ", ""),
 )
+ page = pdf[2]
+ section2_start = page.find("4. List of Vulnerabilities with different metric")
+ self.assertEqual(
+ page[section2_start:]
+ .replace(" ", "")
+ .replace("\r", "")
+ .replace("\n", "")
+ .strip(),
+ self.PDF_OUTPUT_2.replace(" ", ""),
+ )
+
 def test_output_console(self):
 """Test Formatting Output as console"""
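Review bot: In the -874 hunk the new assertion reuses `section2_start` for the section-4 header it now searches for and repeats the nine-line normalise-and-compare block from the section-3 check verbatim; a name such as `section4_start` (the existing variable is already misnamed for section 3) and a small helper would keep the two checks from drifting apart. Both checks also silently degrade when the header is missing, because `str.find` returns -1 and `page[-1:]` then compares the last character of the page to the expected text, so the failure shows up as an unreadable string mismatch rather than "section not found". `pdf[2]` hard-codes the metric table to the third page; a comment such as `# Section 4 (metric table) is expected on the third page` would make that assumption visible, since a longer section 3 would shift it. The enclosing test_output_pdf starts outside the hunk.

```python
def _assert_pdf_section(self, page, header, expected):
    """Compare one report section with its expected text, ignoring whitespace."""
    start = page.find(header)
    # str.find returns -1 when absent; fail loudly instead of comparing page[-1:]
    self.assertNotEqual(start, -1, f"section header not found: {header!r}")
    self.assertEqual(
        page[start:].replace(" ", "").replace("\r", "").replace("\n", "").strip(),
        expected.replace(" ", ""),
    )

# … in test_output_pdf, replacing both normalise-and-compare blocks …
self._assert_pdf_section(pdf[1], "3. List of Identified Vulnerabilities", self.PDF_OUTPUT)
self._assert_pdf_section(pdf[2], "4. List of Vulnerabilities with different metric", self.PDF_OUTPUT_2)
```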
@@ -902,10 +952,18 @@ def test_output_console(self):
 "│ vendor1 │ product1 │ 3.2.1.0 │ CVE-1234-1234 │ OSV │ HIGH │ 7.5 (v2) │ 4.68 │ 0.34072 │\n"
 "└─────────┴──────────┴─────────┴───────────────┴────────┴──────────┴────────────────┴─────────────────┴────────────────┘\n"
 )
+ expected_output_2 = (
+ "│ CVE-1234-1234 │ 2 │ 4.2 │ 0.126 │ 0.46387 │\n"
+ "│ CVE-1234-1234 │ 2 │ 1.2 │ 1.836 │ 0.79673 │\n"
+ "│ CVE-1234-1234 │ 3 │ 2.5 │ 3.895 │ 0.37350 │\n"
+ "│ CVE-1234-1234 │ 2 │ 7.5 │ 4.68 │ 0.34072 │\n"
+ "└───────────────┴──────────────┴────────────┴──────────────────┴─────────────────┘\n"
+ )
 self.mock_file.seek(0) # reset file position
 result = self.mock_file.read()
 self.assertIn(expected_output, result)
+ self.assertIn(expected_output_2, result)
 def test_output_console_affected_versions(self):
 """Test Formatting Output as console with affected-versions"""
@@ -980,10 +1038,18 @@ def test_output_console_outfile(self):
 "│ vendor1 │ product1 │ 3.2.1.0 │ CVE-1234-1234 │ OSV │ HIGH │ 7.5 (v2) │ 4.68 │ 0.34072 │\n"
 "└─────────┴──────────┴─────────┴───────────────┴────────┴──────────┴────────────────┴─────────────────┴────────────────┘\n"
 )
+ expected_output_2 = (
+ "│ CVE-1234-1234 │ 2 │ 4.2 │ 0.126 │ 0.46387 │\n"
+ "│ CVE-1234-1234 │ 2 │ 1.2 │ 1.836 │ 0.79673 │\n"
+ "│ CVE-1234-1234 │ 3 │ 2.5 │ 3.895 │ 0.37350 │\n"
+ "│ CVE-1234-1234 │ 2 │ 7.5 │ 4.68 │ 0.34072 │\n"
+ "└───────────────┴──────────────┴────────────┴──────────────────┴─────────────────┘\n"
+ )
 with open(tmpf.name, encoding="utf-8") as f:
 result = f.read()
 self.assertIn(expected_output, result)
+ self.assertIn(expected_output_2, result)
 Path(tmpf.name).unlink() # deleting tempfile
 def test_output_file(self):
diff --git a/test/test_scanner.py b/test/test_scanner.py
index ab325ecfac..d69339807e 100644
--- a/test/test_scanner.py
+++ b/test/test_scanner.py
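Review bot: `expected_output_2` is declared twice, byte-for-byte identical here and in test_output_console_outfile in the next hunk (-980), while the PDF expectations in this file are class-level constants; hoisting it to e.g. `CONSOLE_METRIC_OUTPUT = (...)` next to `PDF_OUTPUT_2` removes the duplication and gives both tests one place to update when the table format changes. The values it expects (0.126/0.46387, 1.836/0.79673, 3.895/0.37350, 4.68/0.34072) do not correspond to the EPSS metrics added to the fixtures earlier in this commit (0.6932/"0.2938", 0.06084/"0.7936", 0.1646/"0.3955", 0.2059/"0.09260"), so presumably the console tests render a different fixture that lies outside the hunk — worth confirming rather than assuming, since the pair 4.68/0.34072 is exactly the value the -198 hunk replaced. A comment naming the fixture the table comes from, `# rows come from MOCK_<fixture> (see top of file), one per CVE`, with the real fixture name substituted, would make the link visible. The enclosing test_output_console starts outside the hunk.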
@@ -49,7 +49,7 @@
 for i in prod_list:
 all_the_tests.append(i)
-DISABLED_TESTS_ACTIONS: list[str] = ["ceph"]
+DISABLED_TESTS_ACTIONS: list[str] = []
 DISABLED_TESTS_LOCAL: list[str] = []
 DISABLED_TESTS_WINDOWS: list[str] = ["libsrtp", "p7zip"]
diff --git a/test/test_source_osv.py b/test/test_source_osv.py
index 74ac1c736c..90cba79889 100644
--- a/test/test_source_osv.py
+++ b/test/test_source_osv.py
@@ -155,7 +155,18 @@ def teardown_class(cls):
 "CVSS_vector": "unknown",
 "last_modified": "2021-09-26T23:33:39.795406Z",
 },
- "affected_data": [],
+ "affected_data": [
+ {
+ "cve_id": "CVE-2018-20133",
+ "vendor": "unknown",
+ "product": "ymlref",
+ "version": "*",
+ "versionStartIncluding": "0.1.0",
+ "versionStartExcluding": "",
+ "versionEndIncluding": "0.1.1",
+ "versionEndExcluding": "",
+ }
+ ],
 },
 "CVE-2014-5461": {
 "severity_data": {
@@ -173,10 +184,10 @@ def teardown_class(cls):
 "vendor": "unknown",
 "product": "lua5.1",
 "version": "*",
- "versionStartIncluding": "0",
+ "versionStartIncluding": "5.1.4-5",
 "versionStartExcluding": "",
- "versionEndIncluding": "",
- "versionEndExcluding": "5.1.4-5+deb6u1",
+ "versionEndIncluding": "5.1.4-5",
+ "versionEndExcluding": "",
 }
 ],
 },
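Review bot: In the -173 hunk of test_source_osv.py the expected affected range for CVE-2014-5461 narrows from every lua5.1 version below `5.1.4-5+deb6u1` to the single version `5.1.4-5` (start and end both inclusive), which drops the fixed version from the expectation and no longer covers older pre-fix releases; if the OSV record expresses this as an introduced/fixed range, the previous form was the more conservative reading and a missed older build is the security-relevant side of this change, so the new expectation should be justified by the record rather than by what the parser now happens to emit. The new CVE-2018-20133 entry in the -155 hunk likewise closes at `"versionEndIncluding": "0.1.1"` with an empty `versionEndExcluding`, so whether 0.1.1 is the last vulnerable or the first fixed version is ambiguous to a reader. A comment above the fixture dict such as `# Ranges are taken from OSV per-version "versions" lists, not introduced/fixed events; ends are therefore inclusive` (with the actual rule the parser applies) would document the intended semantics. The fixture dict containing these entries starts outside the hunk.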