diff --git a/.github/actions/spelling/allow.txt b/.github/actions/spelling/allow.txt index de44ce20fd..319bd9ae9f 100644 --- a/.github/actions/spelling/allow.txt +++ b/.github/actions/spelling/allow.txt @@ -1,3 +1,11 @@ +refactoring +peb +conventionalcommits +nisamson +bhargavh +jerinjtitus +Molkree +Romi abhaykatheria ableabhinav accountsservice diff --git a/README.md b/README.md index 824c66447d..6b9be6f28a 100644 --- a/README.md +++ b/README.md 
@@ -9,20 +9,20 @@ [![Imports: isort](https://img.shields.io/badge/%20imports-isort-%231674b1?style=flat&labelColor=ef8336)](https://pycqa.github.io/isort/) [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/5380/badge)](https://bestpractices.coreinfrastructure.org/projects/5380) -The CVE Binary Tool scans for a number of common, vulnerable open source -components such as openssl, libpng, libxml2, and expat to let you know -if a given directory or binary file includes common libraries with -known vulnerabilities., known as CVEs ([Common Vulnerabilities and Exposures](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures#:~:text=Common%20Vulnerabilities%20and%20Exposures%20(CVE)%20is%20a%20dictionary%20of%20common,publicly%20known%20information%20security%20vulnerabilities.)). +The CVE Binary Tool is a free, open source tool to help you find known vulnerabilities in software, using data from the [National Vulnerability Database](https://nvd.nist.gov/) (NVD) list of [Common Vulnerabilities and Exposures](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures#:~:text=Common%20Vulnerabilities%20and%20Exposures%20(CVE)%20is%20a%20dictionary%20of%20common,publicly%20known%20information%20security%20vulnerabilities.) (CVEs). + +The tool has two main modes of operation: + +1. A binary scanner which helps you determine which packages may have been included as part of a piece of software. There are around 100 checkers which focus on common, vulnerable open source components such as openssl, libpng, libxml2 and expat. +2. Tools for scanning known component lists in various formats, including .csv, Python's requirements.txt, several linux distribution package lists, and several Software Bill of Materials (SBOM) formats. + +It is intended to be used as part of your continuous integration system to enable regular vulnerability scanning and give you early warning of known issues in your supply chain. 
See our [documentation](https://cve-bin-tool.readthedocs.io/en/latest/) and [quickstart guide](https://cve-bin-tool.readthedocs.io/en/latest/README.html) + Usage: `cve-bin-tool ` -You can also do `python -m cve_bin_tool.cli` -which is useful if you're trying the latest code from -[the cve-bin-tool github](https://github.com/intel/cve-bin-tool). - - optional arguments: -h, --help show this help message and exit -e, --exclude exclude path while scanning @@ -89,6 +89,10 @@ which is useful if you're trying the latest code from CVE Binary Tool autoextracts all compressed files by default now +You can also do `python -m cve_bin_tool.cli` +which is useful if you're trying the latest code from +[the cve-bin-tool github](https://github.com/intel/cve-bin-tool). + Note that if the CVSS and Severity flags are both specified, the CVSS flag takes precedence. `--input-file` extends the functionality of *csv2cve* for other formats like JSON. It also allows cve-bin-tool to specify triage data so you can group issues which may have been mitigated (through patches, configuration, or other methods not detectable by our version scanning method) or mark false positives. Triage data can be re-used and applied to multiple scans. You can provide either CSV or JSON file as input_file with vendor, product and version fields. You can also add optional fields like remarks, comments, cve_number, severity. diff --git a/cve_bin_tool/version.py b/cve_bin_tool/version.py index 46a635d5e3..ae09f05daf 100644 --- a/cve_bin_tool/version.py +++ b/cve_bin_tool/version.py @@ -9,7 +9,7 @@ from cve_bin_tool.log import LOGGER -VERSION: str = "3.0.dev0" +VERSION: str = "3.0" def check_latest_version(): diff --git a/doc/RELEASE.md b/doc/RELEASE.md index 5323e0ca23..272fe35b20 100644 --- a/doc/RELEASE.md +++ b/doc/RELEASE.md 
@@ -1,8 +1,57 @@ # CVE Binary Tool Release Notes +## CVE Binary Tool 3.0 + +The CVE Binary Tool 3.0 release includes improved tools for checking known lists of packages including Linux distributions, improved methods of communication with NVD to get vulnerability data, additional checkers, and significant refactoring to streamline the output. + +### New feature highlights: +* **SBOM Scanning**: CVE Binary Tool can now take Software Bill of Materials (SBOM) files to help users improve their supply chain security data for all known dependencies. The initial feature can handle some versions of SPDX, CycloneDX and SWID formats. More information on SBOM scanning can be found here: https://github.com/intel/cve-bin-tool/blob/main/doc/how_to_guides/sbom.md +* **Known vulnerability information**: Users scanning some linux distro packages can now get additional information about fixes available for those platforms. +* **Vulnerability Data**: The default method for getting NVD vulnerability lists has been changed. Previously we downloaded full yearly JSON files if anything in the year had changed, the new API allows us to get only the latest changes. Users may see a speedup during the update phase as a result. +* **(Breaking change) Return codes:** The return codes used by CVE Binary Tool have changed. + * A 0 will be returned if no CVEs are found, a 1 will be returned if any CVEs were found (no matter how many), and codes 2+ indicate operational errors. A full list of error codes is available here: https://github.com/intel/cve-bin-tool/blob/main/cve_bin_tool/error_handler.py + * Previously we returned the number of CVEs found, but this could exceed the expected range for return codes and cause unexpected behaviour. + +Thanks especially to our 2021 GSoC students, @BreadGenie, @imsahil007 and @peb-peb whose final GSoC contributions are part of this release. + +A full list of changes is available in GitHub. 
https://github.com/intel/cve-bin-tool/releases/tag/v3.0 + +Commit messages use the [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) format. + + +## CVE Binary Tool 2.2.1 + +Release date: 04 Aug 2021 + +The 2.2.1 release relaxes the behaviour when file extraction fails, which was causing problems for some users scanning files with .exe and .apk file extensions using the previous release. In 2.2 all extraction fails caused the tool to halt and throw an exception, in 2.2.1 the tool will log a warning and continue. + +## CVE Binary Tool 2.2 + +Release date: 08 Jul 2021 + +The 2.2 release contains a number of bugfixes and improvements thanks to the many students who contributed as part of our Google Summer of Code selection process. Congratulations to @BreadGenie, @imsahil007 and @peb-peb who will be continuing to work with us for the next few months! + +New feature highlights: +- CVE Binary Tool can now be used to get lists of vulnerabilities affecting a python requirements.txt file, as well as lists of packages installed on .deb or .rpm based systems (Thanks to @BreadGenie) +- Scan reports can now be merged (Thanks to @imsahil007) +- Reports can now be generated in PDF format (Thanks to @anthonyharrison) +- A new helper script is available to help new contributors find appropriate patterns for new checkers (Thanks to @peb-peb) +- Reports can now be generated even if no CVEs are found (Thanks to @BreadGenie) +- We've added rate limiting for our NVD requests (Thanks to @nisamson, @param211, @bhargavh) + +There are also a number of new checkers and bug fixes. + +Thanks also to @jerinjtitus, @Molkree, @alt-glitch, @CabTheProgrammer, @Romi-776, @chaitanyamogal, @Rahul2044, @utkarsh147-del , @SinghHrmn, @SaurabhK122, @pdxjohnny and @terriko for their contributions to this release. 
+ +## CVE Binary Tool 2.1.post1 + +Release date: 27 Apr 2021 + +Rate limiting temporary fix in response to NVD API update + ## CVE Binary Tool 2.1 -Release Date: 07 Dec 2020 +Release date: 07 Dec 2020 This release fixes an issue with jinja2 autoescape breaking the HTML reports and includes some updates to tests.
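Review bot: in the `allow.txt` hunk the new entries are prepended rather than inserted in order, so `refactoring`, `peb`, `conventionalcommits` and `Romi` now sit above `abhaykatheria` in what was an alphabetically sorted list; insert each word at its sorted position so later additions do not all conflict at the top of the file. `refactoring` is also an ordinary dictionary word, so it is worth checking which document makes the spell-check flag it before allowlisting it.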
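Review bot: in the README hunk at `@@ -9,20 +9,20 @@`, the figure "around 100 checkers" will go stale with every release; either link to the checker list in the documentation or phrase it as a lower bound. In the same hunk, "several linux distribution package lists" should read "Linux distribution package lists", matching the capitalisation used elsewhere in the README.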
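Review bot: in the README hunk at `@@ -89,6 +89,10 @@`, the relocated paragraph about `python -m cve_bin_tool.cli` now sits between the note that compressed files are autoextracted and the note on CVSS/Severity flag precedence, two unrelated flag notes, so it reads as a non sequitur; give it a short heading of its own (for example "Running from a source checkout") next to the installation instructions instead.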
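Review bot: the `version.py` hunk changing `VERSION` from `"3.0.dev0"` to `"3.0"` is the release switch, so confirm that the `v3.0` tag referenced in RELEASE.md and the version published to PyPI use the same string, since `check_latest_version()` immediately below is what consumes this value; a mismatch would make every fresh install report itself as out of date.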
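Review bot: the new "CVE Binary Tool 3.0" section in the RELEASE.md hunk has no `Release date:` line, unlike the 2.2.1, 2.2, 2.1.post1 and 2.1 entries below it; add one for consistency. In the same hunk, the 3.0 highlights use a `### New feature highlights:` heading with `*` bullets while the 2.2 entry uses plain text and `-` bullets; the sentence "Commit messages use the Conventional Commits format." is orphaned after the changelog link with no indication of why it belongs in release notes (if it announces a new contributor-facing rule, say so); the 2.1.post1 note "Rate limiting temporary fix in response to NVD API update" needs a full stop; and there is a stray space in "@utkarsh147-del ,". On substance, the breaking return-code change would benefit from a one-line migration hint for CI users: anyone who read the exit status as a CVE count, which the text says was the previous behaviour, now needs to take the count from the report instead.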