Currently, cve-bin-tool has a few types of support for common Linux packaging formats such as .rpm and .deb:

- we support extracting their contents (for use with the binary scanner)
- we have some tools for getting information about security fixes from some vendors
But what we don't do is treat them the way we treat language packages, where we could be opening and reading the metadata from the package directly and reporting that without requiring a deeper scan or in conjunction with a scan. I'm not sure off the top of my head what's in the metadata of Linux packages nowadays, but I'd expect we could at least get versions, product names, license, source URLs, and more that might be useful.
So it would be interesting to add "language parser" style support for Linux packages, and potentially integrate that support with our existing tools. So for example, you could compare the stated version with what we're finding from the binaries and make sure you don't report both or print warnings if they appear to be mismatched, or use the vendor fix information to reduce false positives or provide additional information in reports. It also might be interesting to integrate this with the helper script to make more checkers if we can read the metadata but don't have a binary checker that works for that product.
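As an added illustration of the "language parser" idea above (example code written for this note, not cve-bin-tool's own code): it parses the standard `control` stanza found in a .deb's control.tar member, strips the Debian epoch/revision from the stated version, and reconciles that with binary-scanner findings so a product is reported once and a version disagreement becomes a warning. The sample control text and the scanner findings are constructed for the example.

```python
# Constructed sample of a .deb `control` stanza (values invented for this
# example, not taken from any real package).
SAMPLE_CONTROL = """\
Package: libexample1
Source: example
Version: 1:2.4.1-3ubuntu2
Architecture: amd64
Homepage: https://example.invalid/example
Depends: libc6 (>= 2.34)
Description: example shared library
 This is a multi-line description.
 .
 Second paragraph.
"""

def parse_control(text):
    """Parse one Debian control stanza into a dict.

    Fields are `Name: value`; a line starting with whitespace continues the
    previous field; a lone `.` in a continuation stands for a blank line.
    """
    fields, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            break  # blank line ends the stanza
        if line[0] in " \t" and current:
            fields[current] += "\n" + ("" if line.strip() == "." else line.strip())
        else:
            key, _, value = line.partition(":")
            current = key.strip()
            fields[current] = value.strip()
    return fields

def upstream_version(debian_version):
    """Strip epoch and Debian revision: '1:2.4.1-3ubuntu2' -> '2.4.1'."""
    return debian_version.split(":", 1)[-1].rsplit("-", 1)[0]

def reconcile(metadata, scan_findings):
    """Merge the package's stated version with (product, version) scan findings.

    Returns (reports, warnings): one report per product, plus a warning when
    the binary scanner's version disagrees with the package metadata.
    """
    stated = upstream_version(metadata["Version"])
    product = metadata.get("Source", metadata["Package"])
    reports, warnings = {product: stated}, []
    for found_product, found_version in scan_findings:
        if found_product != product:
            reports[found_product] = found_version  # not covered by metadata
        elif found_version != stated:
            warnings.append(f"{product}: metadata says {stated}, binary scan found {found_version}")
    return reports, warnings
```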