micrium uC/Lib vulnerability causes cve-bin-tool to delete triage response data from triage input file

[tzirn]

Description

cve-bin-tool deletes triage analysis/response to micrium uC/Lib vulnerability. We have micrium uC/Lib listed in our CSV SBOM and there is 1 vulnerability for micrium uC/lib. cve-bin-tool finds it and we have it output the vulnerabilities into a vex file. We then add analysis/triage responses within the vex file to all the vulnerabilities found. When I re-run the cve-bin-tool with that vex file as input it uses all the responses correctly in the output report except for the uC/Lib one - it always deletes/ignores the data I've added and lists it as "unexplored" in the remarks field of the output report. The rest are correct.

To reproduce

Steps to reproduce the behavior:

1. have a CSV SBOM with the following columns and data in it for the uC/Lib entity (product string was retrieved directly from the official-cpe-dictionarey_v2.3.xml) An SBOM with just uC/Lib listed is also attached below
   vendor: micrium; product: uc/lib; version 1.38.01; name: micrium uC/OS Lib; Unique Identifier: cpe:2.3:a:micrium:uc/lib:1.38.00:::::::*; type: library; relationship: included in app; URL: https://www.silabls.com/developers/micrium-os;
2. have a triage input file with the data from the example file below in the "feel free to add any other context here" section
3. scan using these flags/this command line: cve-bin-tool -i test_SBOM.csv --triage-input-file test-triageFile.vex -f html,csv --vex test-triage_out.vex -o vulnerability-report-out

Expected behaviour: The output report files should list CVE-2021-26706 as triaged with the data put in the triage input file
Actual behaviour: The output report files list CVE-2021-26706 as unexplored

Version/platform info

Version of CVE-bin-tool( e.g. output of cve-bin-tool --version): 3.3
Installed from pypi or github? pypi
Operating system: Linux/Windows

• On Windows you can run systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
  OS Name: Microsoft Windows 10 Pro
  OS Version: 10.0.19042 N/A Build 19042
  Python version (e.g. python3 --version): python v2.7
  Running in any particular CI environment we should know about? (e.g. Github Actions) None

Anything else?

Feel free to add any other context here.
see attached example SBOM, and output csv file and a screen shot of the vex file input vs vex file output (jpg) (I can't attach the triage vex input or output files or the HTML file - your tool doesnt support those types )
test_SBOM.csv
vulnerability-report-out.csv

**Contents of test-triageFile.vex INPUT file **
{
"bomFormat": "CycloneDX",
"specVersion": "1.4",
"version": 1,
"vulnerabilities": [
{
"id": "CVE-2021-26706",
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26706"
},
"ratings": [
{
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2021-26706&vector=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1"
},
"score": 9.8,
"severity": "critical",
"method": "CVSSv3",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"description": "An issue was discovered in lib_mem.c in Micrium uC/OS uC/LIB 1.38.x and 1.39.00. The following memory allocation functions do not check for integer overflow when allocating a pool whose size exceeds the address space: Mem_PoolCreate, Mem_DynPoolCreate, and Mem_DynPoolCreateHW. Because these functions use multiplication to calculate the pool sizes, the operation may cause an integer overflow if the arguments are large enough. The resulting memory pool will be smaller than expected and may be exploited by an attacker.",
"recommendation": "",
"advisories": [],
"created": "NOT_KNOWN",
"published": "NOT_KNOWN",
"updated": "",
"analysis": {
"state": "not_affected",
"response": [
"code_not_reachable"
],
"detail": "NotAffected: affects micrium uC/LIB however those functions NOT USED by Embedded apps",
"justification": "code_not_reachable"
},
"affects": [
{
"ref": "urn:cbt:1/micrium#uc\/lib:1.38.01"
}
]
}
]
}

[terriko]

That definitely sounds like a bug. @mastersans just did a huge rework of the triage system that's poised to come out in 3.4 : do you mind trying the 3.4rc1 build and seeing if you have the same issue or if he's already fixed that issue?

https://pypi.org/project/cve-bin-tool/3.4rc1/

Also, a quick heads up: you're showing as using python2.7 which we stopped supporting when it stopped getting security updates. I doubt this problem is related to that, but I'm honestly a bit surprised that it still works at all in 2.7. I figured by now we'd have used something too new and it would have broken.

[tzirn]

I have Python 3.1.1 also on my computer I can try it with that easily enough first.
Then I'll download the new cve-bin-tool and try v3.4rc1. I'll let you know

[tzirn]

It still happens with python 3.1.1

[tzirn]

I downloaded cve-bin-tool v3.4rc1 and it seems a few of the parameters/options have changed also.
I used to run this command:

cve-bin-tool -i my_SBOM.csv --triage-input-file cve-bin-tool_triageFile.vex -f html,csv --vex triage9c_out.vex
The new version complained about the --vex option for the output file so I changed that to --vex-output
The new version then complained about the --triage-input-file option so tried to change it to --filter-triage
Please let me know if those are the correct command option substitutions.

So then I ran the command like this:

cve-bin-tool -i my_SBOM.csv --filter-triage cve-bin-tool_triageFile.vex -f html,csv --vex-output triage9d_out.vex
and the last 3 lines of output was:
INFO cve_bin_tool - Overall CVE summary: cli.py:1140
INFO cve_bin_tool - There are 0 products with known CVEs detected cli.py:1141
ERROR cve_bin_tool - Please provide --product, --release and --vendor for VEX generation cli.py:1169

With my full SBOM and cve-bin-tool v3.3 there are 4 products with known CVEs and the last lines of output are:

cve-bin-tool -i my_SBOM.csv --triage-input-file cve-bin-tool_triageFile.vex -f html,csv --vex triage9c_out.vex
INFO cve_bin_tool - There are 4 products with known CVEs detected cli.py:1060
INFO cve_bin_tool - Known CVEs in ('micrium.uc\/lib', '1.38.01'), ('micro-ecc_project.micro-ecc', '1.0'), ('qt.qt', '5.12.11'), cli.py:1071
('silabs.micrium_os', '3.04.05'):
INFO cve_bin_tool.OutputEngine - CSV report stored at init.py:1029
C:\Workspace\Mainline\Documentation\Software\SBOM\output.cve-bin-tool.2024-09-04.10-50-49.csv
[10:50:50] INFO cve_bin_tool.OutputEngine - HTML report stored at init.py:1029
C:\Workspace\Mainline\Documentation\Software\SBOM\output.cve-bin-tool.2024-09-04.10-50-49.html

Please advise as to what else has changed with this version so I can get it to run correctly.
Thanks!

[terriko]

@mastersans has the new docs here: https://cve-bin-tool.readthedocs.io/en/latest/triaging_process.html

[mastersans]

@tzirn the .vex file extension has been deprecated and we now support Json for cyclonedx, openvex and csaf, you can checkout new vex process in the docs @terriko shared.

Thanks

[tzirn]

If you are changing options and taking away support for vex files it sounds like this is a major overhaul and maybe shouldnt just be numbered 3.4 but instead 4.0.
I dont have time right now to learn how to change my VEX files into the JSON this new version needs to try out if the bug is fixed. It will have to wait. Since I gave a simple file that causes the issue and the command options I used perhaps someone there can try it out to verify if this bug is fixed or not with this new version. Thanks

[mastersans]

@tzirn renaming filename.vex to filename.json should work.

Thanks

[tzirn]

@mastersans OK I ran the following command:

cve-bin-tool -i test_SBOM.csv --vex-file test-triageFile.json -f html,csv --vex-output test-triage_out.json
<

This completed but did not fix the bug.
Please advise if these parameter/options are correct

I attached all the files this run created. The SBOM is the same as what was attached above and the triageFile is the same, just renamed to .json as you mentioned. So you can run it there very easily.

Note that the run with the new tool creates 2 "test-triage_out.json" files
1_test-triage_out.json
test-triage_out.json
output.cve-bin-tool.2024-09-05.09-12-12.csv
The HTML output can't be attached but it shows the same as the CSV output I can attach ( the uC/Lib vulnerability is still marked as "unexplored")

PLEASE ALSO NOTE: there appears to be a new bug with this test version in that the output report *.csv file no longer has the "comments" column filled out. It used to contain the reasoning given in the analysis --> detail section of the traigefile json/vex - now that column is empty. So no rationale is showing for the analysis stored in the "remarks" column.

[terriko]

Does the extension have to matter? If renaming works, I feel like we should just allow .vex as a possible extension.

[mastersans]

Let me see what i can find out, my linux machine got froze and won't work after that so i have to setup everything.

[terriko]

So, I've been thinking about whether we should change the planned release number. I'm not adverse to making this 4.0, but it seems like if we allow .vex and maybe turn the old flag into syntactic sugar for the new one with a deprecation warning, I think we can improve the backwards compatibility, so I'm going to go ahead and see how doable those two things are today.

New release is still likely to happen next week for a bunch of non-technical reasons, and I don't think we'll be able to fix everything in this thread (most of this is just going to have to happen in 3.4.1 or 4.0.1) but let me see about smoothing the transition to the new version.

[tzirn]

ok so just to summarize the issues on this thread:

1. main issue reported that the uC/Lib (id: uc/lib) vulnerability analysis data does not copy over after run through cve-bin-tool rev3.3 and the beta rev3.4rc1 (see original post and 9/5/24 post where I tested the new version and still see it)
2. the beta rev3.4rc1 has a new bug where the CSV output report AND the HTML output report does not fill out the Comments field from the triaged-file input. NOTE when I posted this I hadn't looked at the HTML output report but did today and they are both missing this data
3. a new problem I just noticed where the beta version added in a "see " comment that I dont have in my triage file. I have no idea where that came from (see CSV screen shot and 2nd HTML screen shot below)

@terriko Considering this 2nd and 3rd issues I can't see how you can put out this version since it losses the triage comments - it makes the output reports useless. See the 2 attachments I put in from my full report with all my SBOM data so you can see where it says its triaged but has no comments.

CSV report: Shows #1( last line), #2 (last column) and #3 (see green ?)

HTML report 1st capture: shows #2

HTML report 2nd capture: shows #1 (last row) and #3 (see green ?)

[terriko]

I'm doing the check to see if I need to change the versioning number first because if I switch this to be a 4.0 release it changes some internal process stuff that is easier for me if I know that it needs doing today vs next week. So I'm trying to get it done so I can make appropriate plans.

1. The original issue will not be fixed in the next release. It's not a regression and I don't currently know how to solve it.
2. We're ALREADY holding the 3.4 release because of the triage comments issue. (The release would otherwise have been today, a week after the pre-release.) I don't think it's going to take longer than next week to fix.
3. I'm pretty certain that this is an artifact of why the triage comments are broken so it should get fixed too. (I'm fairly certain the wrong comments field is getting propagated.)

Sorry about the confusion!

[terriko]

Okay, backwards compat attempt is up, would love feedback on it: #4421

I need to grab some lunch but I'll continue on to triage comments this afternoon (if @mastersans hasn't already fixed it by then...)

[terriko]

As I kind of suspected, the problem is that we used to have some magic that turned "detail" into the "comments" inside of input_engine.py:

  comments = strip_remark(vulnerability["analysis"]["detail"])

That got lost in the transition to use lib4vex and so now it's printing something from the actual "comments" field (which is... not usually there). So that answers the why.

My lazy attempt just made more blank spaces in the output so I may need to do some explicit plumbing (may need to happen in lib4vex) before I can make it behave as expected. But I thought I'd give an update since I've been doing a lousy job of helping with the actual bug while my brain was pre-release-paperwork mode.

[terriko]

Oh, I should probably tag @anthonyharrison on this too.

I don't have an answer of how to fix it yet.

It looks like it's loading the data the way I'd expect from lib4vex:

[{'id': 'CVE-2021-26706',          parse.py:74
                    'source-name': 'NVD', 'source-url':                                               
                    'https://nvd.nist.gov/vuln/detail/CVE-2021-26706', 'description': 'An             
                    issue was discovered in lib_mem.c in Micrium uC/OS uC/LIB 1.38.x and              
                    1.39.00. The following memory allocation functions do not check for               
                    integer overflow when allocating a pool whose size exceeds the address            
                    space: Mem_PoolCreate, Mem_DynPoolCreate, and Mem_DynPoolCreateHW.                
                    Because these functions use multiplication to calculate the pool                  
                    sizes, the operation may cause an integer overflow if the arguments               
                    are large enough. The resulting memory pool will be smaller than                  
                    expected and may be exploited by an attacker.', 'created':                        
                    'NOT_KNOWN', 'updated': '', 'status': 'not_affected', 'comment':                  
                    'NotAffected:  affects micrium uC/LIB however those functions NOT USED            
                    by Embedded apps', 'remediation': None, 'justification':                          
                    'code_not_reachable', 'bom_link':                                                 
                    'urn:cbt:1/micrium#uc\\/lib:1.38.01'}]  

I think there's possibly an error there that it's "comment" instead of "comments" so that's not helping the propagation, but doing a lazy fix there doesn't seem to be enough. I need to go because my kid is home, so anyone else should feel free to continue from where I'm at if you think you can figure the rest out! Otherwise, I'll be back at it on Monday when I have childcare again (well, barring a bolt of brilliance in the middle of the weekend).

[terriko]

And also: it looks like our existing vex tests don't have "detail" set on any of them, so we should definitely fix the tests to look for that once we get it fixed because I absolutely do not want another regression here.

[terriko]

Update: so we did have comments set in a few of the vex tests, just not in the expected values from the tests where I looked first because of the "comments" vs "comment" issue. So I've fixed that in #4423 and updated the tests, so there will be tests for comments going forwards. So that's once piece waiting on code review but it should be fixed soon.

I merged the basic backwards compat stuff too.

Not sure we've solved everything yet, but I need to switch to another task for a while so I'm noting where I'm at for now.

[tzirn]

@terriko @mastersans @anthonyharrison if you have a new build now of what you've fixed I can try it out.
I think from the comments though that the original issue is still not fixed. But I dont mind testing out for the other fixes if it's ready. just let me know.

[terriko]

No build yet (because I haven't finished testing comment propagation and I suspect it's not actually fixed yet) but if you want to try it out from main here's the commands

git clone https://github.com/intel/cve-bin-tool.git
cd cve-bin-tool
python -m cve_bin_tool.cli <scan options go here>

If you're using a virtualenv for one of your python versions don't forget to activate it. I'm assuming since you tried the release candidates you've got the pre-reqs installed but if you're doing it in a fresh environment you can install them using `pip install -U -r requirements.txt" after the cd step.

I'll try to get a build out once I think it's actually working, but it may not be today because something else has come up.

[terriko]

Okay, managed to find a few minutes to do some very manual tests and the comment propagation seems to be working (for anything other than uC/lib which is still unfixed).

Threw up a quick rc2 build for you to try here: https://pypi.org/project/cve-bin-tool/3.4rc2/ so you don't have to follow the instructions above. Let me know how that works for you!

[tzirn]

@terriko Is there another way to contact you so we dont keep cluttering up this thread with other issues? this test version 3.4rc2 outputs the reports but crashes before making the triage-output file. However, even though the reports now have the comments from the "details" JSON field back in them, they are missing the "Justification" field string in the beginning of it. I'd rather not keep doing this on this thread otherwise my original bug will get lost in the mix.

[terriko]

There's lots of ways to contact me, but tracking triage problems in an issue in this repo likely makes the most sense, especially if anyone else testing the pre-release has similar problems they can chime in. Let's open a separate issue for the crash and one for the justification details (though the latter is probably a lib4vex issue so we may need to make that fix in https://github.com/anthonyharrison/lib4vex/ and move an issue there, but we can start with it here and potentially have a workaround in while we figure things out.)

[terriko]

New issues are here:

• bug: crash during triage output #4438
• bug: justification is no longer prepended to triage comments #4439

I've got a fix for the 1st one merged and a fix for the second is running through the CI system now.

[terriko]

Well, no 3.4 release for me this week after all, but I have a new 3.4rc3 build for you to try!
https://pypi.org/project/cve-bin-tool/3.4rc3/

Assuming nothing in rc3 explodes, hopefully the final release will be out next week. I'm going to work on some tests and then hopefully come back to the original issue with uC/Lib after those are in place.

[terriko]

Quick heads up: since I didn't hear anything from you and all other feedback from the release candidates has been positive, I've gone ahead and put out the 3.4 release: https://pypi.org/project/cve-bin-tool/3.4/

I'm going to tag this particular bug as "future" so it will get moved into 3.4.1 planning, but I'm going to be busy with some other stuff starting this week so 3.4.1 development probably won't kick off right away.

If you want to contact me outside of the public issues for offline feedback (as some of the other folk testing the release candidates have done since the feedback was "it worked for us" rather than a bug that needed filing), feel free to email me at my intel email listed in my github profile.

[tzirn]

sorry I have been very busy with my job this week. I will test this out tomorrow AM as it's almost the end of my day now and I have more meetings.

[tzirn]

@terriko I am working on a different computer today so I installed Python 3.8.0 and the new version of cve-bin-tool that you linked above. I can't get it to run at all as Python crashes. So I dont know if it's the new install of python or the cve-bin-tool. I'll have to try again tomorrow on my original computer if I can't figure this out today.

[tzirn]

@terriko please verify the parameters in this screen shot ( I copied my original *.vex triage file to *.json as previously instructed)

[terriko]

That looks like a problem with your python install or operating system rather than cve-bin-tool. Usually we get at least the initial version and nvd download information before there's even a chance of the OS halting the process.

Are you on windows? We no longer support python 3.8 on windows (there's an issue with the tarfile library that we couldn't find an adequate workaround for so we can't run the tests) and it's going out of support in general on October 31 this year. Before you spend too much time debugging your issue, I highly recommend you switch to python 3.12 which is the only version on windows we can currently test.

[tzirn]

ok I updated to Python 3.8 because when I ran the tool install using 3.7 the install reported that version of cve-bin-tool required 3.8. I can update to 3.12 and try again

[tzirn]

@terriko OK I ran it on my main computer today. Below are the results I got from running 3.4 with Python v3.12.0:
command: cve-bin-tool -i test_SBOM.csv --vex-file test_cve-bin-tool_triageFile.json -f csv,html --vex-output triage0919a.json

1. 3.4's CSV report removes/doesnt report CVE-2020-27209 (micro-ecc_project) , even though micro-ecc is in my SBOM and that CVE is in my triage input file - it just doesnt list it at all in the output report.
2. 3.4s's HTML report removes that same CVE and micro-ecc all together - it is not listed at all under VendorName section or Product CVEs chart showing 0 (perhaps because it thinks it has 0 cves? )
3. 3.4's CSV report added a column called "location" and every row for this column has the value "location/to/product" - I figured out I needed to rename my SBOM's "URL" column to "location". Once updated I re-ran it and now the URLs are put into that column. So that is good now that the URL is included in the output report as it wasnt in v3.3.
4. 3.4 (good thing) finds a Qt CVE that v3.3 does not. CVE-2024-39936.
5. 3.4 does not fix the original bug for this thread ( as you said it would not but I wanted to record it here)

This wont let me attach an HTML file so I can't attach that report. Here are the rest of the files used or created from that command:

test_SBOM.csv
test_cve-bin-tool_triageFile.json
output.cve-bin-tool.2024-09-19.14-28-51.csv
triage0919a.json
triage0919a.json

1_triage0919a.json

[mastersans]

@tzirn the problem regarding first 2 arise due to the reason that the sbom used have micro-ecc 's version set to 1 instead it should be 1.0, you can try change the version to 1.0 and it will fix the issue for reference

currently cve-bin-tool checks weather the data that is obtain from scanning vex file is also present in the main file being scanned in this case its a sbom, if its not present then the tool logs out a message that it didn't find product in the main file, Is a valid file being scanned, its mostly to avoid wrong vex file being scanned since we don't have a for sure way to tell that a main file is linked with a vex file or not, for cyclonedx we do support bom-link to check if the cyclonedx vex is linked with correct cyclonedx sbom or not. heres also the output of html when version 1.0 is used instead of 1:

[tzirn]

@mastersans I put 1.0 in the csv and then when I save it excel changes it to 1. However, this worked with version 3.3 so it should still work in v3.4 why change it when Excel fights the 1.0 and changes it to 1? Other people will have this issue and since it worked with 3.3 (I haven't changed the SBOM at all) it seems like it was accidental so a bug.

[terriko]

I suspect what's happening with the 1.0 vs 1 issue is that we're checking for an exact match in that case since it's not a range comparison and since it's not an exact match it's not coming back. I'll have to think a little bit about how we want to handle that more correctly. What it's doing is... technically correct but likely unexpected in this case and maybe similar ones. For the case of a version 1 vs 1.0 we could just try adding .0 on the end and compare a second time, but for some versions (particularly those that are dates rather than semantic versions) that might be hideously incorrect.

If you get a chance, we should move just the 1 vs 1.0 part to a separate issue for tracking. (If you don't get a chance, I'll split that off next week when I do my Monday triage/PR review but if you want to track the fix you'll have to manually follow it then.)

[terriko]

(And I wish I could say "excel's bugs are not my problem" but I think a lot of people probably use excel to edit .csv files so I'd like to at least see how viable it is to handle this on our end. Though seriously, WTF excel you are the worst and this is why I stopped using you for scientific analysis when I was that kind of scientist.)

[tzirn]

I suspect what's happening with the 1.0 vs 1 issue is that we're checking for an exact match in that case since it's not a range comparison and since it's not an exact match it's not coming back. I'll have to think a little bit about how we want to handle that more correctly. What it's doing is... technically correct but likely unexpected in this case and maybe similar ones. For the case of a version 1 vs 1.0 we could just try adding .0 on the end and compare a second time, but for some versions (particularly those that are dates rather than semantic versions) that might be hideously incorrect.

If you get a chance, we should move just the 1 vs 1.0 part to a separate issue for tracking. (If you don't get a chance, I'll split that off next week when I do my Monday triage/PR review but if you want to track the fix you'll have to manually follow it then.)

I opened 4467

And just wanted to say I get what you're saying but my point is this used to work in v3.3 so then it should still work in v3.4. If it never worked and was documented that 1 had to be forced to 1.0 then that would have been fine. But since it used to work I thought it should still work, rather than remove functionality.
Anyway it has it's own issue report now

[tzirn]

Hi - just checking back in on this original issue. If there is anyone looking into the original issue please let me know if I can help in any way.

[terriko]

I don't think anyone's looking into it this week. I've been dragged into a more urgent project for the moment.

[terriko]

Random thought: is this happening only with uC/Lib or does it also happen with products that don't have a / in the name? I'm wondering if it's getting chopped out due to our input validation checks on product names.

[tzirn]

Random thought: is this happening only with uC/Lib or does it also happen with products that don't have a / in the name? I'm wondering if it's getting chopped out due to our input validation checks on product names.

We have 2 Micrium uC items in our SBOM listed in the official-cpe-dictionary_v2.3.xml file. Micrium uC/OS and uC/Lib. The uC/OS doesn't have a \ in the product name (see below).
uC/Lib is the only one with \ and / in the product name from the CPE listing in the "official-cpe-dictionary_v2.3.xml" file . So it could be the \ or the / that is causing the problem.
The cve-bin-tool uses the vendor, product and version data in our SBOM.csv that I got from that official-cpe-dictionary to find the CVE listings in the NIST/NVD database. And it finds those uC/Lib correctly.
It's later in the parsing of the triage input json/vex file that it doesn't find that one correctly and continues to list it as untriaged.

This is the Micrium product data we have in our SBOM.csv file:
vendor product version

silabs micrium_os 3.04.05*this version is not in the official-cpe-dictionary but others are, so that's how I got the vendor/product info
micrium uc/lib 1.38.01

and in the CVE databases they each have these CPE names:

• uC/OS: cpe:2.3:o:silabs:micrium_os (as noted above they dont list our version )
• uC/Lib: cpe:2.3:a:micrium:uc/lib:1.38.00:::::::*
  The uC/Lib CPE does have several versions listed that also have the / in them. So this isn't the only one with /

And I also found these Silab products in the official-cpe-dictionary that have / in their names but we dont use them. They may be useful for further testing though:
cpe:2.3:a:silabs:uc/tcp-ip:3.6.0:::::::*
cpe:2.3:a:silabs:z/ip_gateway_sdk:-:::::::*
cpe:2.3:a:silabs:z/ip_gateway_sdk:7.18.01:::::::*
cpe:2.3:a:silabs:z/ip_gateway_sdk:7.18.03:::::::*

Thanks for looking into this