checker: Add varnish checker

intel · Mar 27, 2020 · c102876 · c102876
1 parent a01bb2a
commit c102876
Show file tree

Hide file tree

Showing 4 changed files with 68 additions and 0 deletions.
diff --git a/cve_bin_tool/checkers/__init__.py b/cve_bin_tool/checkers/__init__.py
@@ -24,6 +24,7 @@
     "strongswan",
     "syslogng",
     "systemd",
+    "varnish",
     "xerces",
     "xml2",
     "zlib",

diff --git a/cve_bin_tool/checkers/varnish.py b/cve_bin_tool/checkers/varnish.py
@@ -0,0 +1,35 @@
+#!/usr/bin/python3
+
+"""
+CVE checker for varnish
+https://www.cvedetails.com/vulnerability-list/vendor_id-12937/product_id-26407/Varnish-cache-Varnish.html
+"""
+import os
+from ..util import regex_find
+
+
+def get_version(lines, filename):
+    """returns version information for varnish as found in a given file.
+    The version info is returned as a tuple:
+        [modulename, is_or_contains, version]
+    modulename will be varnish if varnish is found (and blank otherwise)
+    is_or_contains indicates if the file is a copy of varnish or contains one
+    version gives the actual version number
+    VPkg: varnish-cache, varnish
+    """
+    regex = [r"varnish-([0-9]+\.[0-9]+\.[0-9]+)"]
+    version_info = dict()
+    version = regex_find(lines, *regex)
+
+    if "varnish" in filename:
+        version_info["is_or_contains"] = "is"
+        version_info["modulename"] = "varnish"
+        version_info["version"] = version
+        return version_info
+
+    if version != "UNKNOWN" and "is_or_contains" not in version_info:
+        version_info["is_or_contains"] = "contains"
+        version_info["modulename"] = "varnish"
+        version_info["version"] = version
+        return version_info
+    return {}
diff --git a/test/binaries/test-varnish-4.1.1.c b/test/binaries/test-varnish-4.1.1.c
@@ -0,0 +1,11 @@
+#include <stdio.h>
+
+int main() {
+	printf("This program is designed to test the cve-bin-tool checker.");
+	printf("It outputs a few strings normally associated with varnish_4.1.1");
+	printf("They appear below this line.");
+	printf("------------------");
+	printf("varnish-4.1.1");
+
+	return 0;
+}
diff --git a/test/test_scanner.py b/test/test_scanner.py
@@ -798,6 +798,21 @@ def _file_test(self, url, filename, package, version):
                 ["CVE-2016-9445"],
                 ["CVE-2016-9447"],
             ),
+            (
+                "test-varnish-4.1.1.out",
+                "varnish",
+                "4.1.1",
+                [
+                    # Check for known cves in this version
+                    "CVE-2017-12425",
+                    "CVE-2017-8807",
+                ],
+                [
+                    # Check to make sure an older CVE isn't included
+                    "CVE-2013-4484",
+                    "CVE-2013-0345",
+                ],
+            ),
             (
                 "test-binutils-2.31.1.out",
                 "binutils",
@@ -958,6 +973,12 @@ def test_binaries(self, binary, package, version, are_in, not_in):
                         "strongswan",
                         "4.6.2",
                     ),
+                    (
+                        "https://download-ib01.fedoraproject.org/pub/epel/7/x86_64/Packages/v/",
+                        "varnish-4.0.5-1.el7.x86_64.rpm",
+                        "varnish",
+                        "4.0.5",
+                    ),
                     (
                         "http://rpmfind.net/linux/fedora/linux/updates/testing/31/Everything/aarch64/Packages/z/",
                         "zlib-1.2.11-19.fc31.aarch64.rpm",