Merge branch 'main' into intermediate

intel · Aug 11, 2021 · 8dd7e75 · 8dd7e75
2 parents 3191737 + 82de345
commit 8dd7e75
Show file tree

Hide file tree

Showing 23 changed files with 622 additions and 378 deletions.
diff --git a/.github/workflows/pythonapp.yml b/.github/workflows/pythonapp.yml
@@ -17,7 +17,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        tool: ['isort', 'black', 'pyupgrade', 'flake8']
+        tool: ['isort', 'black', 'pyupgrade', 'flake8', 'format_checkers']
     steps:
       - uses: actions/checkout@v2
       - uses: actions/setup-python@v2
@@ -26,6 +26,11 @@ jobs:
           python -m pip install --upgrade pip
           python -m pip install --upgrade pre-commit
           pre-commit install
+      - name: Install cve-bin-tool if needed
+        if: ${{ matrix.tool == 'format_checkers' }}
+        run: |
+          python -m pip install --upgrade setuptools wheel
+          python -m pip install .
       - name: Run ${{ matrix.tool }}
         run: |
           pre-commit run ${{ matrix.tool }} --all-files

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -21,10 +21,9 @@ repos:
     - id: flake8
 
 -   repo: local
-    hooks: 
+    hooks:
     - id: format_checkers
-      language: python
+      language: system
       name: format_checkers
       entry: python cve_bin_tool/format_checkers.py
       files: "^cve_bin_tool/checkers/__init__.py"
-      types: [python]
diff --git a/README.md b/README.md
@@ -119,22 +119,23 @@ match certain vulnerable versions of the following libraries and tools:
 
 <!--CHECKERS TABLE BEGIN-->
 |   |  |  | Available checkers |  |  |  |
-|--------------- |--------- |-------------- |--------------- |---------- |---------- |------------- |
+|--------------- |------------- |--------- |---------- |------------- |------------ |--------------- |
 | accountsservice |avahi |bash |bind |binutils |bolt |bubblewrap |
 | busybox |bzip2 |cronie |cryptsetup |cups |curl |dbus |
 | dnsmasq |dovecot |dpkg |enscript |expat |ffmpeg |freeradius |
 | ftp |gcc |gimp |glibc |gnomeshell |gnupg |gnutls |
-| gpgme |gstreamer |gupnp |haproxy |hostapd |hunspell |icecast |
-| icu |irssi |kbd |kerberos |kexectools |libarchive |libbpg |
-| libdb |libgcrypt |libical |libjpeg_turbo |liblas |libnss |libsndfile |
-| libsoup |libssh2 |libtiff |libvirt |libxslt |lighttpd |logrotate |
-| lua |mariadb |mdadm |memcached |mtr |mysql |nano |
-| ncurses |nessus |netpbm |nginx |node |ntp |open_vm_tools |
-| openafs |openjpeg |openldap |openssh |openssl |openswan |openvpn |
-| p7zip |pcsc_lite |png |polarssl_fedora |poppler |postgresql |pspp |
-| python |qt |radare2 |rsyslog |samba |sqlite |strongswan |
-| subversion |sudo |syslogng |systemd |tcpdump |trousers |varnish |
-| webkitgtk |wireshark |wpa_supplicant |xerces |xml2 |zlib |zsh |
+| gpgme |gstreamer |gupnp |haproxy |hdf5 |hostapd |hunspell |
+| icecast |icu |irssi |kbd |kerberos |kexectools |libarchive |
+| libbpg |libdb |libgcrypt |libical |libjpeg_turbo |liblas |libnss |
+| libsndfile |libsoup |libssh2 |libtiff |libvirt |libvncserver |libxslt |
+| lighttpd |logrotate |lua |mariadb |mdadm |memcached |mtr |
+| mysql |nano |ncurses |nessus |netpbm |nginx |node |
+| ntp |open_vm_tools |openafs |openjpeg |openldap |openssh |openssl |
+| openswan |openvpn |p7zip |pcsc_lite |pigz |png |polarssl_fedora |
+| poppler |postgresql |pspp |python |qt |radare2 |rsyslog |
+| samba |sane_backends |sqlite |strongswan |subversion |sudo |syslogng |
+| systemd |tcpdump |trousers |varnish |webkitgtk |wireshark |wpa_supplicant |
+| xerces |xml2 |zlib |zsh | | | |
 <!--CHECKERS TABLE END-->
 
 All the checkers can be found in the checkers directory, as can the

diff --git a/cve_bin_tool/async_utils.py b/cve_bin_tool/async_utils.py
@@ -23,7 +23,6 @@
 # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 # SOFTWARE."
 
-# pylint: disable=too-many-arguments
 
 """ Utility classes for the CVE Binary Tool """
 

diff --git a/cve_bin_tool/checkers/expat.py b/cve_bin_tool/checkers/expat.py
@@ -1,7 +1,6 @@
 # Copyright (C) 2021 Intel Corporation
 # SPDX-License-Identifier: GPL-3.0-or-later
 
-# pylint: disable=anomalous-backslash-in-string, invalid-name
 r"""
 CVE checker for libexpat
 

diff --git a/cve_bin_tool/checkers/libgcrypt.py b/cve_bin_tool/checkers/libgcrypt.py
@@ -1,7 +1,6 @@
 # Copyright (C) 2021 Intel Corporation
 # SPDX-License-Identifier: GPL-3.0-or-later
 
-# pylint: disable=invalid-name
 """
 CVE checker for libgcrypt
 

diff --git a/cve_bin_tool/checkers/libjpeg_turbo.py b/cve_bin_tool/checkers/libjpeg_turbo.py
@@ -1,7 +1,6 @@
 # Copyright (C) 2021 Intel Corporation
 # SPDX-License-Identifier: GPL-3.0-or-later
 
-# pylint: disable=invalid-name
 
 """
 CVE checker for libjpg-turbo

diff --git a/cve_bin_tool/checkers/liblas.py b/cve_bin_tool/checkers/liblas.py
@@ -1,7 +1,6 @@
 # Copyright (C) 2021 Intel Corporation
 # SPDX-License-Identifier: GPL-3.0-or-later
 
-# pylint: disable=invalid-name
 """
 CVE checker for liblas
 

diff --git a/cve_bin_tool/checkers/systemd.py b/cve_bin_tool/checkers/systemd.py
@@ -1,7 +1,6 @@
 # Copyright (C) 2021 Intel Corporation
 # SPDX-License-Identifier: GPL-3.0-or-later
 
-# pylint: disable=invalid-name
 """
 CVE checker for systemd
 

diff --git a/cve_bin_tool/checkers/xerces.py b/cve_bin_tool/checkers/xerces.py
@@ -1,7 +1,6 @@
 # Copyright (C) 2021 Intel Corporation
 # SPDX-License-Identifier: GPL-3.0-or-later
 
-# pylint: disable=invalid-name
 
 """
 CVE checker for libxerces

diff --git a/cve_bin_tool/cli.py b/cve_bin_tool/cli.py
@@ -1,7 +1,6 @@
 # Copyright (C) 2021 Intel Corporation
 # SPDX-License-Identifier: GPL-3.0-or-later
 
-# pylint: disable=invalid-name
 
 """
 This tool scans for a number of common, vulnerable open source components
@@ -161,6 +160,12 @@ def main(argv=None):
         action="store",
         help="add a unique tag to differentiate between multiple intermediate reports",
     )
+    output_group.add_argument(
+        "--affected-versions",
+        action="count",
+        default=0,
+        help="Lists versions of product affected by a given CVE (to facilitate upgrades)",
+    )
     parser.add_argument("-V", "--version", action="version", version=VERSION)
     parser.add_argument(
         "-u",
@@ -240,6 +245,7 @@ def main(argv=None):
         "merge": None,
         "nvd": "json",
         "filter": [],
+        "affected_versions": 0,
     }
 
     with ErrorHandler(mode=ErrorMode.NoTrace):
@@ -333,11 +339,12 @@ def main(argv=None):
     if args["update"] != "never":
         cvedb_orig.get_cvelist_if_stale()
     else:
-        LOGGER.warning("Not verifying CVE DB cache")
-        cvedb_orig.get_db_update_date()
-        if not cvedb_orig.nvd_years():
-            with ErrorHandler(mode=error_mode, logger=LOGGER):
-                raise EmptyCache(cvedb_orig.cachedir)
+        if args["nvd"] == "json":
+            LOGGER.warning("Not verifying CVE DB cache")
+            cvedb_orig.get_db_update_date()
+            if not cvedb_orig.nvd_years():
+                with ErrorHandler(mode=error_mode, logger=LOGGER):
+                    raise EmptyCache(cvedb_orig.cachedir)
 
     # CVE Database validation
     if not cvedb_orig.check_cve_entries():
@@ -451,6 +458,7 @@ def main(argv=None):
             # Creates a Object for OutputEngine
             output = OutputEngine(
                 all_cve_data=cve_scanner.all_cve_data,
+                all_cve_version_info=cve_scanner.all_cve_version_info,
                 scanned_dir=args["directory"],
                 filename=args["output_file"],
                 themes_dir=args["html_theme"],
@@ -462,6 +470,7 @@ def main(argv=None):
                 is_report=args["report"],
                 append=args["append"],
                 merge_report=merged_reports,
+                affected_versions=args["affected_versions"],
             )
 
             if not args["quiet"]:

diff --git a/cve_bin_tool/cve_scanner.py b/cve_bin_tool/cve_scanner.py
@@ -17,7 +17,7 @@
 from cve_bin_tool.input_engine import TriageData
 from cve_bin_tool.log import LOGGER
 from cve_bin_tool.theme import cve_theme
-from cve_bin_tool.util import CVE, CVEData, ProductInfo
+from cve_bin_tool.util import CVE, CVEData, ProductInfo, VersionInfo
 
 
 class CVEScanner:
@@ -28,6 +28,7 @@ class CVEScanner:
     products_with_cve: int
     products_without_cve: int
     all_cve_data: DefaultDict[ProductInfo, CVEData]
+    all_cve_version_info: Dict[str, VersionInfo]
 
     RANGE_UNSET: str = ""
     dbname: str = os.path.join(DISK_LOCATION_DEFAULT, DBNAME)
@@ -46,6 +47,7 @@ def __init__(
         self.products_with_cve = 0
         self.products_without_cve = 0
         self.all_cve_data = defaultdict(CVEData)
+        self.all_cve_version_info = dict()
 
     def get_cves(self, product_info: ProductInfo, triage_data: TriageData):
         """Get CVEs against a specific version of a product.
@@ -90,10 +92,10 @@ def get_cves(self, product_info: ProductInfo, triage_data: TriageData):
         for cve_range in self.cursor:
             (
                 cve_number,
-                versionStartIncluding,
-                versionStartExcluding,
-                versionEndIncluding,
-                versionEndExcluding,
+                version_start_including,
+                version_start_excluding,
+                version_end_including,
+                version_end_excluding,
             ) = cve_range
 
             parsed_version = parse_version(product_info.version)
@@ -103,56 +105,64 @@ def get_cves(self, product_info: ProductInfo, triage_data: TriageData):
             if product_info.product == "openssl":
                 # if last character is a letter, convert it to .number
                 # version = self.openssl_convert(product_info.version)
-                versionStartIncluding = self.openssl_convert(versionStartIncluding)
-                versionStartExcluding = self.openssl_convert(versionStartExcluding)
-                versionEndIncluding = self.openssl_convert(versionEndIncluding)
-                versionEndExcluding = self.openssl_convert(versionEndExcluding)
+                version_start_including = self.openssl_convert(version_start_including)
+                version_start_excluding = self.openssl_convert(version_start_excluding)
+                version_end_including = self.openssl_convert(version_end_including)
+                version_end_excluding = self.openssl_convert(version_end_excluding)
                 parsed_version = parse_version(
                     self.openssl_convert(product_info.version)
                 )
 
             # check the start range
             passes_start = False
             if (
-                versionStartIncluding is not self.RANGE_UNSET
-                and parsed_version >= parse_version(versionStartIncluding)
+                version_start_including is not self.RANGE_UNSET
+                and parsed_version >= parse_version(version_start_including)
             ):
                 passes_start = True
+
             if (
-                versionStartExcluding is not self.RANGE_UNSET
-                and parsed_version > parse_version(versionStartExcluding)
+                version_start_excluding is not self.RANGE_UNSET
+                and parsed_version > parse_version(version_start_excluding)
             ):
                 passes_start = True
 
             if (
-                versionStartIncluding is self.RANGE_UNSET
-                and versionStartExcluding is self.RANGE_UNSET
+                version_start_including is self.RANGE_UNSET
+                and version_start_excluding is self.RANGE_UNSET
             ):
                 # then there is no start range so just say true
                 passes_start = True
 
             # check the end range
             passes_end = False
             if (
-                versionEndIncluding is not self.RANGE_UNSET
-                and parsed_version <= parse_version(versionEndIncluding)
+                version_end_including is not self.RANGE_UNSET
+                and parsed_version <= parse_version(version_end_including)
             ):
                 passes_end = True
 
             if (
-                versionEndExcluding is not self.RANGE_UNSET
-                and parsed_version < parse_version(versionEndExcluding)
+                version_end_excluding is not self.RANGE_UNSET
+                and parsed_version < parse_version(version_end_excluding)
             ):
                 passes_end = True
+
             if (
-                versionEndIncluding is self.RANGE_UNSET
-                and versionEndExcluding is self.RANGE_UNSET
+                version_end_including is self.RANGE_UNSET
+                and version_end_excluding is self.RANGE_UNSET
             ):
                 # then there is no end range so it passes
                 passes_end = True
             # if it fits into both ends of the range, add the cve number
             if passes_start and passes_end:
                 cve_list.append(cve_number)
+                self.all_cve_version_info[cve_number] = VersionInfo(
+                    start_including=version_start_including,
+                    start_excluding=version_start_excluding,
+                    end_including=version_end_including,
+                    end_excluding=version_end_excluding,
+                )
 
         # Go through and get all the severities
         if cve_list: