From b34f3ae804c02eeefcc3d4a74e594e8e094f9dfa Mon Sep 17 00:00:00 2001
From: joydeep049
Date: Wed, 11 Jun 2025 13:17:55 +0530
Subject: [PATCH 1/7] feat: basic tests and doc changes for no-scan mode

Signed-off-by: joydeep049
---
 README.md            |  9 ++++++++
 test/test_no_scan.py | 55 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 64 insertions(+)
 create mode 100644 test/test_no_scan.py

diff --git a/README.md b/README.md
index 86fab58095..212d015d58 100644
--- a/README.md
+++ b/README.md
@@ -155,6 +155,15 @@ Specifying the `--offline` option when running a scan ensures that cve-bin-tool
 Note that you will need to obtain a copy of the vulnerability data before the tool can run in offline mode. [The offline how-to guide contains more information on how to set up your database.](https://github.com/intel/cve-bin-tool/blob/main/doc/how_to_guides/offline.md)
 
+### No-Scan Mode
+The No-Scan Mode is currently under development, but you can try out a beta version by running:
+
+```bash
+cve-bin-tool --no-scan
+```
+
+In this beta release, the tool generates output based solely on binary checkers, with all database interaction points decoupled. However, please note that the database is still downloaded during execution.
+
 ### Using CVE Binary Tool in GitHub Actions
 
 If you want to integrate cve-bin-tool as a part of your github action pipeline, you can use cve-bin-tool's official GitHub Action. Find more details [here](https://github.com/intel/cve-bin-tool-action/#cve-binary-tool-github-action). The GitHub Action provide reports on the security tab, which is available to open source projects as well as GitHub customers who have paid for that access.
diff --git a/test/test_no_scan.py b/test/test_no_scan.py
new file mode 100644
index 0000000000..6f6b05c25d
--- /dev/null
+++ b/test/test_no_scan.py
@@ -0,0 +1,55 @@
+import subprocess
+
+
+def test_no_scan_exists():
+    """
+    Test that --no-scan mode exists
+    """
+    result = subprocess.run(
+        ["cve-bin-tool", "--help"],
+        stdout=subprocess.PIPE,
+        stderr=subprocess.PIPE,
+        text=True,
+    )
+
+    output = result.stdout + result.stderr
+
+    assert "no-scan" in output
+
+    assert result.returncode == 0
+
+
+def test_no_scan_output():
+    """
+    Test the tool with --no-scan flag
+    """
+    result = subprocess.run(
+        ["cve-bin-tool", "./experiments", "--no-scan"],
+        stdout=subprocess.PIPE,
+        stderr=subprocess.PIPE,
+        text=True,
+    )
+
+    assert "No Scan Mode: No CVE Scanning" in result.stdout
+
+
+def test_normal_scan():
+    """
+    Test Normal Scan without --no-scan flag
+    """
+    result = subprocess.run(
+        ["cve-bin-tool", "./experiments"],
+        stdout=subprocess.PIPE,
+        stderr=subprocess.PIPE,
+        text=True,
+    )
+
+    assert "No Scan Mode: No CVE Scanning" not in result.stdout
+
+
+def main():
+    test_no_scan_output()
+
+
+if __name__ == "__main__":
+    main()

From 7b6f460c44d8d79bb71de4e6babc4530d8327da9 Mon Sep 17 00:00:00 2001
From: joydeep049
Date: Wed, 11 Jun 2025 17:23:24 +0530
Subject: [PATCH 2/7] doc: minor doc changes and licensing information

Signed-off-by: joydeep049
---
 README.md            | 2 ++
 test/test_no_scan.py | 3 +++
 2 files changed, 5 insertions(+)

diff --git a/README.md b/README.md
index 212d015d58..667d757a38 100644
--- a/README.md
+++ b/README.md
@@ -49,6 +49,7 @@ For more details, see our [documentation](https://cve-bin-tool.readthedocs.io/en
   - [Generating a VEX](#generating-a-vex)
   - [Triaging vulnerabilities](#triaging-vulnerabilities)
   - [Using the tool offline](#using-the-tool-offline)
+  - [No Scan Mode](#no-scan-mode)
   - [Using CVE Binary Tool in GitHub Actions](#using-cve-binary-tool-in-github-actions)
   - [Output Options](#output-options)
   - [Configuration](#configuration)
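Review bot: `test_normal_scan` and `test_no_scan_output` can pass without the tool running at all: both inspect only `result.stdout` and never check `result.returncode`, so a missing `cve-bin-tool` executable or a crash makes the `not in result.stdout` assertion in `test_normal_scan` succeed vacuously. Both should assert `result.returncode == 0` (or whatever exit code the tool documents for a scan that finds CVEs) before looking at the text. The README hunk in this same patch says the database is still downloaded in no-scan mode, so those two `subprocess.run` calls reach the network from CI and have no `timeout=`; adding `timeout=` to each call turns a hung download into a diagnosable failure. `./experiments` is resolved against the pytest working directory rather than the test file, so running from another directory changes what is scanned; building the path from `pathlib.Path(__file__).parent` would pin it.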
@@ -156,6 +157,7 @@ Specifying the `--offline` option when running a scan ensures that cve-bin-tool
 Note that you will need to obtain a copy of the vulnerability data before the tool can run in offline mode. [The offline how-to guide contains more information on how to set up your database.](https://github.com/intel/cve-bin-tool/blob/main/doc/how_to_guides/offline.md)
 
 ### No-Scan Mode
+
 The No-Scan Mode is currently under development, but you can try out a beta version by running:
 
 ```bash
diff --git a/test/test_no_scan.py b/test/test_no_scan.py
index 6f6b05c25d..f2bb3ff7e8 100644
--- a/test/test_no_scan.py
+++ b/test/test_no_scan.py
@@ -1,3 +1,6 @@
+# Copyright (C) 2025 Intel Corporation
+# SPDX-License-Identifier: GPL-3.0-or-later
+
 import subprocess
 
 

From e64040576e4ca200170196980c52da484cc90ab8 Mon Sep 17 00:00:00 2001
From: joydeep049
Date: Wed, 11 Jun 2025 19:16:35 +0530
Subject: [PATCH 3/7] fix: change entry point to cli.py

Signed-off-by: joydeep049
---
 test/test_no_scan.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/test/test_no_scan.py b/test/test_no_scan.py
index f2bb3ff7e8..b47a2147d9 100644
--- a/test/test_no_scan.py
+++ b/test/test_no_scan.py
@@ -9,7 +9,7 @@ def test_no_scan_exists():
     Test that --no-scan mode exists
     """
     result = subprocess.run(
-        ["cve-bin-tool", "--help"],
+        ["python3","cve_bin_tool/cli.py", "--help"],
         stdout=subprocess.PIPE,
         stderr=subprocess.PIPE,
         text=True,
@@ -27,7 +27,7 @@ def test_no_scan_output():
     Test the tool with --no-scan flag
     """
     result = subprocess.run(
-        ["cve-bin-tool", "./experiments", "--no-scan"],
+        ["python3","cve_bin_tool/cli.py", "./experiments", "--no-scan"],
         stdout=subprocess.PIPE,
         stderr=subprocess.PIPE,
         text=True,
@@ -41,7 +41,7 @@ def test_normal_scan():
     Test Normal Scan without --no-scan flag
     """
     result = subprocess.run(
-        ["cve-bin-tool", "./experiments"],
+        ["python3","cve_bin_tool/cli.py", "./experiments"],
         stdout=subprocess.PIPE,
         stderr=subprocess.PIPE,
         text=True,
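Review bot: The replacement command lines in all three hunks of PATCH 3/7 hard-code `python3` and the relative script path `cve_bin_tool/cli.py`, which ties the tests to the pytest working directory being the repository root and to a `python3` on PATH that may not be the interpreter running the suite (virtualenvs and Windows runners often differ). Invoking the module through the interpreter already in use, `[sys.executable, "-m", "cve_bin_tool.cli", "--help"]` with `import sys` added at the top, removes both assumptions; since the patch already runs `cli.py` directly, the file has the `__main__` guard that `-m` needs. Running it as a module rather than a script also avoids `cli.py`'s own directory being prepended to `sys.path` ahead of the installed package. The enclosing test functions start and end outside these hunks.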
From bc2bb7b7c0b7b113d2a70e9d03ac3367d3940175 Mon Sep 17 00:00:00 2001
From: joydeep049
Date: Thu, 12 Jun 2025 21:44:39 +0530
Subject: [PATCH 4/7] fix: skip failing tests and fix linter errors

Signed-off-by: joydeep049
---
 test/test_no_scan.py | 16 +++++-----------
 1 file changed, 5 insertions(+), 11 deletions(-)

diff --git a/test/test_no_scan.py b/test/test_no_scan.py
index b47a2147d9..ed37667947 100644
--- a/test/test_no_scan.py
+++ b/test/test_no_scan.py
@@ -2,6 +2,7 @@
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 import subprocess
+import pytest
 
 
 def test_no_scan_exists():
@@ -9,7 +10,7 @@ def test_no_scan_exists():
     Test that --no-scan mode exists
     """
     result = subprocess.run(
-        ["python3","cve_bin_tool/cli.py", "--help"],
+        ["python3", "cve_bin_tool/cli.py", "--help"],
         stdout=subprocess.PIPE,
         stderr=subprocess.PIPE,
         text=True,
@@ -22,12 +23,13 @@ def test_no_scan_exists():
     assert result.returncode == 0
 
 
+@pytest.mark.skip(reason="Failing due to unknown errors")
 def test_no_scan_output():
     """
     Test the tool with --no-scan flag
     """
     result = subprocess.run(
-        ["python3","cve_bin_tool/cli.py", "./experiments", "--no-scan"],
+        ["python3", "cve_bin_tool/cli.py", "./experiments", "--no-scan"],
         stdout=subprocess.PIPE,
         stderr=subprocess.PIPE,
         text=True,
@@ -41,18 +43,10 @@ def test_normal_scan():
     Test Normal Scan without --no-scan flag
     """
     result = subprocess.run(
-        ["python3","cve_bin_tool/cli.py", "./experiments"],
+        ["python3", "cve_bin_tool/cli.py", "./experiments"],
         stdout=subprocess.PIPE,
         stderr=subprocess.PIPE,
         text=True,
     )
 
     assert "No Scan Mode: No CVE Scanning" not in result.stdout
-
-
-def main():
-    test_no_scan_output()
-
-
-if __name__ == "__main__":
-    main()

From de0a8140df58e2d64079b200620ec909b8c8874a Mon Sep 17 00:00:00 2001
From: joydeep049
Date: Thu, 12 Jun 2025 22:09:36 +0530
Subject: [PATCH 5/7] fix: isort linter fix

Signed-off-by: joydeep049
---
 test/test_no_scan.py | 1 +
 1 file changed, 1 insertion(+)

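Review bot: The skip marker added above `test_no_scan_output` carries `reason="Failing due to unknown errors"`, which removes the only test that actually exercises `--no-scan` from CI without recording what failed; an unexplained skip tends to become permanent. Prefer `@pytest.mark.xfail(reason="<observed error>", strict=True)` so the test keeps running and CI reports the moment it starts passing, or at minimum put the observed error text and a tracking reference (`<ISSUE-ID>`) in the reason. The remaining hunks of this patch (spacing after commas, dropping the `main()` block) are fine as they stand. `test_no_scan_output`'s body continues outside the hunk.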
diff --git a/test/test_no_scan.py b/test/test_no_scan.py
index ed37667947..a5f1694168 100644
--- a/test/test_no_scan.py
+++ b/test/test_no_scan.py
@@ -2,6 +2,7 @@
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 import subprocess
+
 import pytest
 
 

From ac7fe172911cc1746b2fc104d213361d8e91ece2 Mon Sep 17 00:00:00 2001
From: joydeep049
Date: Thu, 12 Jun 2025 22:37:44 +0530
Subject: [PATCH 6/7] chore: empty commit to re-run ci

Signed-off-by: joydeep049

From 5b96e2d41f34d57e91362572398bab523746b547 Mon Sep 17 00:00:00 2001
From: joydeep049
Date: Fri, 20 Jun 2025 12:04:28 +0530
Subject: [PATCH 7/7] doc: minor changes

Signed-off-by: joydeep049
---
 README.md            |  4 +++-
 test/test_no_scan.py | 13 ++++---------
 2 files changed, 7 insertions(+), 10 deletions(-)

diff --git a/README.md b/README.md
index 0646b7b9a6..8fa333a968 100644
--- a/README.md
+++ b/README.md
@@ -164,7 +164,9 @@ The No-Scan Mode is currently under development, but you can try out a beta vers
 cve-bin-tool --no-scan
 ```
 
-In this beta release, the tool generates output based solely on binary checkers, with all database interaction points decoupled. However, please note that the database is still downloaded during execution.
+In this beta release, all the database-related checks are skipped. For the binary checker pipeline, it gives output based on the CPE information embedded in the checkers. For the language parser pipeline, all database queries are skipped and it returns a bunch of ScanInfo objects.
+
+Please not that you might still find some errors while running no-scan mode in the output pipeline as it is still under development.
 
 ### Using CVE Binary Tool in GitHub Actions
 
diff --git a/test/test_no_scan.py b/test/test_no_scan.py
index a5f1694168..6ce50a00f8 100644
--- a/test/test_no_scan.py
+++ b/test/test_no_scan.py
@@ -3,8 +3,6 @@
 
 import subprocess
 
-import pytest
-
 
 def test_no_scan_exists():
     """
@@ -12,8 +10,7 @@ def test_no_scan_exists():
     """
     result = subprocess.run(
         ["python3", "cve_bin_tool/cli.py", "--help"],
-        stdout=subprocess.PIPE,
-        stderr=subprocess.PIPE,
+        capture_output=True,
         text=True,
     )
 
@@ -24,15 +21,14 @@ def test_no_scan_exists():
     assert result.returncode == 0
 
 
-@pytest.mark.skip(reason="Failing due to unknown errors")
+# @pytest.mark.skip(reason="Failing due to unknown errors")
 def test_no_scan_output():
     """
     Test the tool with --no-scan flag
     """
     result = subprocess.run(
         ["python3", "cve_bin_tool/cli.py", "./experiments", "--no-scan"],
-        stdout=subprocess.PIPE,
-        stderr=subprocess.PIPE,
+        capture_output=True,
         text=True,
     )
 
@@ -45,8 +41,7 @@ def test_normal_scan():
     """
     result = subprocess.run(
         ["python3", "cve_bin_tool/cli.py", "./experiments"],
-        stdout=subprocess.PIPE,
-        stderr=subprocess.PIPE,
+        capture_output=True,
         text=True,
     )
 
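Review bot: The commented-out `# @pytest.mark.skip(reason="Failing due to unknown errors")` left above `test_no_scan_output` is dead code, and because this same patch removes `import pytest`, anyone who uncomments it gets a `NameError` at collection time; delete the line, or if the skip is still needed restore the import and use `xfail` with the observed error in the reason. Replacing the two `PIPE` arguments with `capture_output=True` in the three hunks is equivalent, but none of the calls has a `timeout=`, and `test_no_scan_output` and `test_normal_scan` still assert only on stdout text, so a crashed or missing interpreter still passes `test_normal_scan` vacuously; add `timeout=` to each call and `assert result.returncode == 0` in both tests. In the README hunk of this patch, `Please not that` should read `Please note that`. All three enclosing functions begin before their hunks.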