v3.1.pre0

CVE Binary Tool 3.1.pre0

Pre-release for what will eventually be 3.1. There are a few PRs still in progress, and you can see what remains to be updated in the 3.1 milestone. The release notes below are auto-generated by GitHub.

What's Changed

• refactor(package-list-parser): remove csv path by @BreadGenie in #1466
• feat: Add tests for cve_scanner (#1450) by @anthonyharrison in #1456
• ci: fix check-spelling workflow by @Molkree in #1471
• bug: Unzip failure requires user interaction (#1473) by @anthonyharrison in #1479
• feat: Add support for WAR and EAR archive files (#1474) by @anthonyharrison in #1478
• refactor: find SBOM product vendor (#1477) by @anthonyharrison in #1481
• chore: update pre-commit config by @github-actions in #1455
• bug: don't follow symlinks in archives (#1475) by @anthonyharrison in #1486
• bug: Update pdf configuration parameters (#1459) by @anthonyharrison in #1484
• Updated spelling.yml by @XDRAGON2002 in #1495
• feat: use cve-bin-tool without Reportlab (Fixes #1464) by @anthonyharrison in #1485
• feat: Add offline command line option (#1452) by @anthonyharrison in #1480
• doc: improve new contributor documentation by @terriko in #1467
• ci: add filetype to allowed word list by @terriko in #1497
• feat: Remove support for python 3.6 (#1488) by @XDRAGON2002 in #1498
• feat: added Libsrtp checker (#1489) by @XDRAGON2002 in #1500
• chore: added LGTM badges to readme (#1380) by @XDRAGON2002 in #1501
• feat: Add support for scanning Java packages (#1463) by @anthonyharrison in #1476
• chore: update pre-commit config by @github-actions in #1499
• test: Move NVD queries to LONG_TESTS due to rate limits (fixes #1509) by @terriko in #1511
• chore: modify detected languages in github by @terriko in #1508
• Gave output types its own subheading by @DangerChamp in #1516
• test: Move backported fix tests to LONG_TESTS (#1502) by @XDRAGON2002 in #1512
• Moved --offline up to "Most popular usage options" by @DangerChamp in #1514
• fix(cve_scanner): fix canonical_convert by @Molkree in #1519
• Replace "Github" with "GitHub" by @Aadityajoshi151 in #1532
• Correction by @vkrm1612 in #1536
• feat: add NVD API key by @terriko in #1529
• ci: remove NVD_API_KEY from CI because it isn't working by @terriko in #1549
• fix: Only import pdftotext if installed (Fixes #1419) by @anthonyharrison in #1545
• doc: Publish FOSDEM 2022 slides (Fixes #1546) by @anthonyharrison in #1547
• fix: set default version for xml2 checker to UNKNOWN (Fixes #1517) by @anthonyharrison in #1524
• Updated so it shows the correct versions of Python by @DangerChamp in #1515
• doc: keep pdftotext windows install instructions (partial revert #1515) by @terriko in #1550
• doc: add info on syncing to origin/main and rebasing by @terriko in #1540
• test(available-fix): mock cve data by @BreadGenie in #1513
• CI: Add bandit to pre-commit (fixes #1110) by @terriko in #1523
• doc: fix incorrect hyperlink (Fixes #1553) by @anthonyharrison in #1554
• ci: split CI into separate files by @Molkree in #1552
• feat: improve locality of defaults (#1352) by @XDRAGON2002 in #1560
• doc: Add details on language specific checking (Fixes #1551) by @anthonyharrison in #1561
• refactor: replace pkg_resources with importlib (#1521) by @XDRAGON2002 in #1542
• changed windows_tests timeout-minutes to 30 by @shoneriki in #1576
• refactor: migrate from urllib to requests by @BreadGenie in #1569
• feat: Add support for Javascript package scanning (Fixes #1453) by @anthonyharrison in #1548
• New checker: gnome librsvg by @yashugarg in #1533
• refactor: add type hints in util.py by @rhythmrx9 in #1572
• ci(pre-commit): add gitlint by @BreadGenie in #1573
• feat: added libseccomp checker by @yashugarg in #1556
• ci: run bandit on test code by @rhythmrx9 in #1579
• feat(checker): libebml checker by @rhythmrx9 in #1559
• feat(checker): libsolv checker by @rhythmrx9 in #1562
• ci: switch format_checker to run in ci by @rhythmrx9 in #1593
• fix: asyncio warnings (#1558) by @XDRAGON2002 in #1592
• fix: windows helper script test (#1264) by @XDRAGON2002 in #1594
• refactor: add type hints in version_scanner.py by @rhythmrx9 in #1581
• chore: update pre-commit config by @github-actions in #1566
• refactor: add type hints in strings.py and file.py by @rhythmrx9 in #1565
• feat: find common strings in CONTAINS_PATTERNS from helper_scripts.py by @rhythmrx9 in #1586
• feat: retry if NVD API Key is invalid by @terriko in #1574
• ci: run gitlint on PR title by @rhythmrx9 in #1597
• fix: entry point error (#1323) by @XDRAGON2002 in #1601

New Contributors

• @XDRAGON2002 made their first contribution in #1495
• @DangerChamp made their first contribution in #1516
• @Aadityajoshi151 made their first contribution in #1532
• @vkrm1612 made their first contribution in #1536
• @shoneriki made their first contribution in #1576
• @yashugarg made their first contribution in #1533
• @rhythmrx9 made their first contribution in #1572

Full Changelog: v3.0...v3.1.pre0

CVE Binary Tool 3.0

CVE Binary Tool 3.0

The CVE Binary Tool 3.0 release includes improved tools for checking known lists of packages including Linux distributions, improved methods of communication with NVD to get vulnerability data, additional checkers, and significant refactoring to streamline the output.

New feature highlights:

• SBOM Scanning: CVE Binary Tool can now take Software Bill of Materials (SBOM) files to help users improve their supply chain security data for all known dependencies. The initial feature can handle some versions of SPDX, CycloneDX and SWID formats. More information on SBOM scanning can be found here: https://github.com/intel/cve-bin-tool/blob/main/doc/how_to_guides/sbom.md
• Known vulnerability information: Users scanning some linux distro packages can now get additional information about fixes available for those platforms.
• Vulnerability Data: The default method for getting NVD vulnerability lists has been changed. Previously we downloaded full yearly JSON files if anything in the year had changed, the new API allows us to get only the latest changes. Users may see a speedup during the update phase as a result.
• (Breaking change) Return codes: The return codes used by CVE Binary Tool have changed.
  • A 0 will be returned if no CVEs are found, a 1 will be returned if any CVEs were found (no matter how many), and codes 2+ indicate operational errors. A full list of error codes is available here: https://github.com/intel/cve-bin-tool/blob/main/cve_bin_tool/error_handler.py
  • Previously we returned the number of CVEs found, but this could exceed the expected range for return codes and cause unexpected behaviour.

Thanks especially to our 2021 GSoC students, @BreadGenie, @imsahil007 and @peb-peb whose final GSoC contributions are part of this release.

A full list of changes are below. Commit messages use the Conventional Commits format.

What's Changed Since 2.2

• feat: Add CVSS Vector by @anthonyharrison in #1220
• fix(security): add noreferer in target=_blank inside html reports by @imsahil007 in #1232
• feat(package-list-parser): Add support for distros using pacman package manager by @BreadGenie in #1235
• feat(checker): Add gupnp Checker by @BreadGenie in #1236
• feat(checker): zsh checker by @peb-peb in #1240
• feat(checker): Add kbd Checker by @BreadGenie in #1239
• feat(checker): libbpg checker by @peb-peb in #1237
• feat(checker): dbus checker by @peb-peb in #1241
• feat(checker): libical checker by @peb-peb in #1243
• feat: Add intermediate severity trace table in pdf report by @imsahil007 in #1245
• feat(checker): liblas checker by @peb-peb in #1244
• feat(checker): Add kexec-tools Checker by @BreadGenie in #1242
• feat(checker): Add hunspell Checker by @BreadGenie in #1238
• feat(checker): Add cronie Checker by @BreadGenie in #1221
• refactor: Unify Checker list and test Checker list by @BreadGenie in #1224
• fix(security): Bandit config and nosec flags for reviewed code by @terriko in #1249
• fix(security): Improve SQL in version_signature.py by @terriko in #1248
• fix: add update_egg function to test_checker by @terriko in #1252
• fix: tests for test_helper_script by @peb-peb in #1255
• docs: remove adding checker names for tests by @BreadGenie in #1256
• test: change way pytest is run in CI by @terriko in #1251
• refactor(scanner): scan strings without splitting the lines by @BreadGenie in #1227
• fix: extract apk packages for alpine and android by @imsahil007 in #1258
• feat(checker): Add sudo checker by @imsahil007 in #1259
• Fix yaml and toml tests in test_config by @terriko in #1253
• feat(checker): Add Lua Checker by @BreadGenie in #1257
• feat(checker): Add mdadm Checker by @BreadGenie in #1261
• feat(checker): Add mtr Checker by @BreadGenie in #1263
• feat(checker): Add TrouSerS checker by @BreadGenie in #1266
• feat: Add recommdended dev tools list by @terriko in #1212
• feat(checker): Add gnome-shell checker by @BreadGenie in #1200
• fix: rename development requirements file for Snyk by @terriko in #1272
• fix: condensed downloads by @BreadGenie in #1274
• refactor: helper script for is_executable() and parse_string() by @peb-peb in #1246
• feat(checker): Add open-vm-tools Checker by @BreadGenie in #1275
• feat(checker): Add nano Checker by @BreadGenie in #1277
• feat(checker): Add pscs-lite Checker by @BreadGenie in #1280
• feat(checker): Add poppler Checker by @BreadGenie in #1283
• fix(cvedb): skip reject cve entries by @imsahil007 in #1282
• feat: Add NVD CVE Retrieval API by @imsahil007 in #1218
• fix: Too many SQL Variables by @anthonyharrison in #1279
• fix: mark failing nvd test as skipped (for now) by @terriko in #1286
• feat(checker): Add pigz Checker by @BreadGenie in #1288
• fix: allow extractraction on all files to fail by @terriko in #1285
• refactor: flake8 code cleanup by @Molkree in #1294
• fix: systemd Checker by @BreadGenie in #1289
• fix: fix datetime and status count tests for nvd_api by @imsahil007 in #1306
• fix(scanner): crash when scanning a METADATA file w/o appropriate data by @BreadGenie in #1301
• update: to latest stable version of black by @peb-peb in #1260
• ci: add flake8 to CI by @Molkree in #1299
• lint: remove unused BeautifulSoup import, fix black by @terriko in #1307
• feat(checker): hdf5 checker by @peb-peb in #1297
• feat(checker): Add sane-backends Checker by @BreadGenie in #1292
• feat(checker): libvncserver checker by @peb-peb in #1296
• feat(checkers): add pre-commit hook for reformatting checkers table by @imsahil007 in #1290
• refactor(logger): Make logger less verbose by @BreadGenie in #1295
• chore: Update dev version to 3.0.dev0 by @terriko in #1319
• ci: autoupdate pre-commit config by @Molkree in #1302
• Updated conf.py and requirements.txt by @P0intMaN in #1313
• fix: mark failing nvd tests skip by @imsahil007 in #1321
• test: add additional bad archive tests by @P0intMaN in #1322
• refactor: bad archive file tests by @P0intMaN in #1328
• feat: enable pre-commit format_checkers for CI by @imsahil007 in #1330
• chore : Removed vestigial/no longer needed pylint disable directives by @GurpreetSarangal in #1327
• fix(nvd_api): refactor nvd_api-cvedb and remove json cache by @imsahil007 in #1318
• feat: recommending safe packages by @peb-peb in #1284
• ci: Add python 3.9 for short tests by @terriko in #1334
• feat(merge): Add filter for intermediate reports by @imsahil007 in #1262
• refactor(windows_tests): Update Python 3.8 to 3.9 by @P0intMaN in #1338
• feat(backports): Add output backport fixes for debian based distros by @BreadGenie in #1273
• feat: improved output for helper-script by @peb-peb in #1333
• fix(nvd_api): nvd_api fetch results over 2000 limit by @imsahil007 in #1345
• docs: backport-fix by @BreadGenie in #1344
• fix: group arguments...

CVE Binary Tool 3.0.pre1

Pre-release for what will hopefully be 3.0. The release notes below are auto-generated by github and it looks like it went a bit too far back in its comparison, but I'm sharing it so everyone can see what the auto-generated output looks like.

What's Changed

• remove unnecessary print debug statement (fixes #260) by @terriko in #264
• Enable ffmpeg signature check (fixes #257) by @terriko in #265
• Updated link for "List of currently available checkers" by @Purvanshsingh in #278
• Github actions experiments by @terriko in #279
• Bug #1 fix based on pdxjohnny's new nvd code by @terriko in #277
• Fix openssh version not found issue, improve version error handling. by @terriko in #275
• Unify Logging by @PrajwalM2212 in #276
• Add ffmpeg tests by @sbs2001 in #283
• string confusion solved by @Purvanshsingh in #284
• Reintroduce quiet mode by @PrajwalM2212 in #290
• Add icu file test by @PrajwalM2212 in #293
• Set default log level by @PrajwalM2212 in #294
• test_nss_rpm_3_26_2 needs replacement #295 solution by @k-udupa2000 in #298
• Update kerberos checker to say kerberos5 since nvd has changed by @terriko in #302
• Revert "Update kerberos checker to say kerberos5 since nvd has change… by @terriko in #303
• Disable kerberos tests temporarily due to #301 by @terriko in #304
• Remove 2.7 from supported versions by @terriko in #299
• Speed testing LONG_TESTS on GitHub Actions by @terriko in #308
• sync cache and database update by @PrajwalM2212 in #309
• gnutls file test added for version 2.3.11 by @SinghHrmn in #311
• Use sys.stout.encoding instead of utf-8 Fixes #258 by @terriko in #316
• Checkers printing twice solved by @SinghHrmn in #318
• Improve kerberos checker (fixes #301) by @terriko in #313
• Improve icu checker. fixes #305 by @terriko in #315
• update checkers example for cvedb by @terriko in #319
• Clean up unused and broken tests. by @terriko in #323
• Add test for skips flag by @PrajwalM2212 in #327
• Fix final_log to check only the skip line by @terriko in #330
• Make build status badge link to /actions page by @terriko in #333
• Mention csv2cve earlier in the readme by @terriko in #335
• Test for update flag by @PrajwalM2212 in #328
• Added Bluez Binary tests by @SinghHrmn in #339
• Test some overly long version strings by @terriko in #337
• Minor improvements to csv2cve tests by @terriko in #336
• Support runs option by @PrajwalM2212 in #338
• Mark the json schema test as a long test (because it really is) by @terriko in #341
• Fix deprecation warning in test_csv2cve by @shreyamalviya in #343
• Updated regex_find in utils.py and all the checkers using it by @SinghHrmn in #331
• Systemd checker improvements by @terriko in #344
• Output filename when warning about version UNKNOWN by @SaurabhK122 in #348
• Added filename in UNKNOWN version warning by @param211 in #347
• Add version option by @PrajwalM2212 in #350
• Add additional version-finding advice for writing checkers by @terriko in #355
• Added Python checker by @SinghHrmn in #353
• Add Berkeleydb checker (Fixes #28) by @terriko in #219
• Test for version unknown warning message by @terriko in #351
• Added unittest for package: sqlite3 and version: 3.30.1 by @Niraj-Kamdar in #356
• Added test for openssl-1.1.1d by @param211 in #358
• Enable test_sample_csv by @terriko in #359
• Add python 3.8.2 rpm test by @terriko in #360
• Improve help text by @terriko in #362
• Make quiet mode actually quiet by @terriko in #363
• Test on windows in github actions by @terriko in #365
• Remove separate run of helper file test_definitions.py by @terriko in #371
• test: Rename test_definitions to utils by @pdxjohnny in #373
• Use pytest parametrize by @PrajwalM2212 in #366
• added pytest to requirements.txt by @abhaykatheria in #379
• Unify strings formatting by @SinghHrmn in #375
• Update required python version to be 3.6+ by @terriko in #381
• Fix failing long tests by @PrajwalM2212 in #378
• Update documentation in preparation for 1.0 release by @ananthan-123 in #367
• Update cvedb.py by @SaurabhK122 in #393
• Update curl.py to fix the bug represented in the Issue #385 by @bigbird555 in #395
• Remove double-bracket by @terriko in #404
• icu documentation updated. by @ananthan-123 in #401
• Fixes #384 by @SaurabhK122 in #406
• Update curl.py by @bigbird555 in #407
• Add checker vs filename test function by @terriko in #387
• Fix filename check in Python by @SinghHrmn in #396
• Update manual.md by @ananthan-123 in #415
• fixed "package" instead of "product" for csv2cve. by @ananthan-123 in #416
• Unified output by @SinghHrmn in #410
• Update documentation. by @ananthan-123 in #420
• fixed:nvd data mismatch results in critical error by @ananthan-123 in #421
• Add filename checker tests for openssh & fix filename check ordering by @hur in #422
• Fix Version not found error by @PrajwalM2212 in #431
• Add basic json output by @mariuszskon in #418
• Move version file to the package by @PrajwalM2212 in #440
• Added Bluez file test. Also Updated checker. by @SinghHrmn in #437
• Revert "Added Bluez file test. Also Updated checker." by @terriko in #441
• Make bluez checker work for "contains" by @terriko in #442
• Update python.py by @SaurabhK122 in #446
• JSON out_file formatted by @SinghHrmn in #448
• Add -v to pytest so we can see the list of tests run by @terriko in #450
• Added ".idea" and "/venv/" by @param211 in #459
• Add contains functionality in gnults.py by @SaurabhK122 in #456
• Use the -o flag to specify the filename by @mariuszskon in #425
• Add test for output_csv in OutputEngine by @mariuszskon in #458
• Make openssh checker work for "contains" by @param211 in #453
• Fixed:Broken checkers cause CI to hang indefinitely by @ananthan-123 in #462
• wrong test file name in README.md by @utkarsh261 in #469
• Add new checker for bzip2 by @SaurabhK122 in #468
• Add test using real files for gnutls by @SaurabhK122 in #484
• several optimization in cvedb and csv2cve files and fixes issue #413 by @Niraj-Kamdar in https://github....

CVE Binary Tool 2.2.1

The 2.2.1 release relaxes the behaviour when file extraction fails, which was causing problems for some users scanning files with .exe and .apk file extensions using the previous release. In 2.2 all extraction fails caused the tool to halt and throw an exception, in 2.2.1 the tool will log a warning and continue.

CVE Binary Tool 2.2

The 2.2 release contains a number of bugfixes and improvements thanks to the many students who contributed as part of our Google Summer of Code selection process. Congratulations to @BreadGenie, @imsahil007 and @peb-peb who will be continuing to work with us for the next few months!

New feature highlights:

• CVE Binary Tool can now be used to get lists of vulnerabilities affecting a python requirements.txt file, as well as lists of packages installed on .deb or .rpm based systems (Thanks to @BreadGenie)
• Scan reports can now be merged (Thanks to @imsahil007)
• Reports can now be generated in PDF format (Thanks to @anthonyharrison)
• A new helper script is available to help new contributors find appropriate patterns for new checkers (Thanks to @peb-peb)
• Reports can now be generated even if no CVEs are found (Thanks to @BreadGenie)
• We've added rate limiting for our NVD requests (Thanks to @nisamson, @param211, @bhargavh)

There are also a number of new checkers and bug fixes.

Thanks also to @jerinjtitus, @Molkree, @alt-glitch, @CabTheProgrammer, @Romi-776, @chaitanyamogal, @Rahul2044, @utkarsh147-del , @SinghHrmn, @SaurabhK122, @pdxjohnny and @terriko for their contributions to this release.

CVE Binary Tool 2.1.post1

Rate limiting temporary fix in response to NVD API update

CVE Binary Tool 2.1

This release fixes an issue with jinja2 autoescape breaking the HTML reports and includes some updates to tests.

CVE Binary Tool 2.0

Release date: 12 Nov 2020

This release features code from our three successful Google Summer of Code students!

• @SinghHrmn made improvements to our output formats, including adding a new HTML human-readable report format. You can try out a demo at https://intel.github.io/cve-bin-tool/

  • Read Harmandeep's final GSoC report for more details.

• @Niraj-Kamdar improved the performance of cve-bin-tool and its tests, provided significant code modernization and added input modes so you can now add and re-use triage data with your scans.

  • Read Niraj's final GSoC report for more details

• @SaurabhK122 added a huge number of new checkers to the tool, both in this release and the previous one.

  • Read Saurabh's final GSoC report for more details

Thanks also to the mentors who worked with our students this year: @terriko, @pdxjohnny, @meflin, @mdwood-intel and unofficial mentor @anthonyharrison who helped us considerably with real-world feedback.

This release also includes contributions from the following new contributors:

• @anthonyharrison
• @imsahil007
• @chaitanyamogal
• @Rahul2044
• @Wicked7000
• @willmcgugan
• @kritirikhi
• @sakshatshinde

CVE Binary Tool 1.1.1

This point release includes fixes so documentation will build and display correctly on readthedocs. There are no functional changes to the code.

2.0 alpha release

This is an alpha release for people interested in trying out an early preview of 2.0. Major features include performance improvements, triage options, new output modes, and many new checkers thanks to our Google Summer of Code students @Niraj-Kamdar, @SinghHrmn and @SaurabhK122 . Thanks for an incredibly productive summer!

We are expecting to make some documentation improvements before the final release, which we hope to have out next week.