
Releases: intel/cve-bin-tool

CVE Binary Tool 3.4

17 Sep 18:57
dd07835

Release highlights

This release comes with the finished products from our two Google Summer of Code 2024 contributors:

  • GSoC 2024 contributor @mastersans has improved our triage workflow and VEX support.
  • GSoC 2024 contributor @inosmeet has added PURL identifier support and improved tooling for reducing false positives.

Thank you especially to @anthonyharrison, @BenL-github and @terriko for being Google Summer of Code mentors for us this year. For more details about these projects, see the "Improved VEX support" and "PURL and mismatch database" sections below.

This release also includes

  • numerous new and improved binary checkers thanks to @ffontaine
  • improvements both to our fuzzing infrastructure and fixes for issues found (shout out to @joydeep049 who laid a lot of groundwork here)
  • many other bug fixes and features listed below.

Thanks also to the many new bug reporters who gave us feedback this release. Your feedback has been instrumental in making cve-bin-tool better, and we're so glad you've been willing to work with us as we try to find fixes for your issues. We love finding out how people use cve-bin-tool and ways we can make it more useful to you!

Breaking changes

The --triage-input-file flag has been replaced by --vex-input. (See VEX section below for details.)

Improved VEX support

GSoC 2024 contributor @mastersans has improved the CVE Binary Tool by revamping the VEX workflow to integrate Lib4vex, which now handles both parsing and generating VEX files. This update aligns the sbom_manager with the vex_manager structure, enhancing overall functionality.

The focus was on integrating advanced VEX triage features, which involved a thorough refactoring of the existing workflow. This includes support for various VEX formats like CSAF, OpenVEX, and CycloneDX. Key enhancements include linking components in the file being scanned, using identifiers such as bom-ref and Package URL (purl), to precisely identify Product_Info (product, version, and vendor). Specifically, bom-ref is used in CycloneDX VEX, while purl is used in CSAF and OpenVEX formats. These identifiers help in accurately pinpointing product details like vendor and release.

The triage process has also been streamlined: the old --triage-input-file flag is replaced with the new --vex-file flag. This new flag automatically detects the VEX format and whether the file is standalone or paired with a companion file. Additionally, the --filter-triage flag allows you to filter out vulnerabilities marked as NotAffected and FalsePositive in the VEX document, ensuring that only relevant vulnerabilities are reported.

The new triaging documentation can be found here: https://cve-bin-tool.readthedocs.io/en/latest/triaging_process.html
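The filtering step described above, modelled as an added example (this is not cve-bin-tool's or Lib4vex's code): a constructed OpenVEX document is parsed into (purl, CVE) → status entries, scanner findings are matched to it by Package URL, and, when the filter is on, findings whose status is not_affected are dropped. The CVE ids, package names and the --filter-triage-style flag argument are all placeholders; a finding with no matching statement is always reported, since an incomplete VEX file should never hide results.

```python
"""Toy model of VEX-driven triage filtering (added example, not project code).

Findings are matched to OpenVEX statements by (purl, cve); statements whose
status is in FILTERED_STATUSES suppress the finding when filtering is enabled.
"""
import json

# Constructed findings as a scanner might emit them. CVE ids are placeholders.
FINDINGS = [
    {"purl": "pkg:pypi/examplelib@1.2.3", "cve": "CVE-0000-0001"},
    {"purl": "pkg:pypi/examplelib@1.2.3", "cve": "CVE-0000-0002"},
    {"purl": "pkg:npm/otherpkg@4.5.6", "cve": "CVE-0000-0003"},
]

# Constructed minimal OpenVEX document. The statement shape
# (vulnerability.name, products[].@id, status) follows the OpenVEX spec.
OPENVEX_DOC = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/constructed-1",
    "author": "constructed example",
    "statements": [
        {
            "vulnerability": {"name": "CVE-0000-0001"},
            "products": [{"@id": "pkg:pypi/examplelib@1.2.3"}],
            "status": "not_affected",
            "justification": "vulnerable_code_not_present",
        },
        {
            "vulnerability": {"name": "CVE-0000-0002"},
            "products": [{"@id": "pkg:pypi/examplelib@1.2.3"}],
            "status": "under_investigation",
        },
        {
            # Statement about a different version of otherpkg: it must not
            # suppress the finding on 4.5.6, so matching is on the full purl.
            "vulnerability": {"name": "CVE-0000-0003"},
            "products": [{"@id": "pkg:npm/otherpkg@4.5.5"}],
            "status": "not_affected",
            "justification": "component_not_present",
        },
    ],
})

# OpenVEX status that the release note's --filter-triage removes from reports.
FILTERED_STATUSES = {"not_affected"}


def load_triage(vex_json: str) -> dict:
    """Return {(purl, cve): status} from an OpenVEX document."""
    doc = json.loads(vex_json)
    triage = {}
    for stmt in doc.get("statements", []):
        cve = stmt["vulnerability"]["name"]
        for product in stmt.get("products", []):
            triage[(product["@id"], cve)] = stmt["status"]
    return triage


def apply_triage(findings, triage, filter_triage=False):
    """Annotate findings with their VEX status; optionally drop filtered ones.

    A finding with no matching (purl, cve) statement keeps status 'unknown'
    and is always kept, so a partial VEX file cannot silently hide results.
    """
    out = []
    for finding in findings:
        status = triage.get((finding["purl"], finding["cve"]), "unknown")
        if filter_triage and status in FILTERED_STATUSES:
            continue
        out.append({**finding, "status": status})
    return out


def reported_cves(filter_triage=False):
    """CVE ids that would appear in the report for the constructed inputs."""
    triage = load_triage(OPENVEX_DOC)
    return [f["cve"] for f in apply_triage(FINDINGS, triage, filter_triage)]


if __name__ == "__main__":
    print("unfiltered:", reported_cves())
    print("filtered:  ", reported_cves(filter_triage=True))
```

With filtering off every finding is reported but carries its VEX status, which is the form a reviewer usually wants; with filtering on only CVE-0000-0001 disappears, because the not_affected statement for otherpkg names a different version and therefore does not match.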

PURL and Mismatch database

GSoC 2024 contributor @inosmeet has added support for PURL identifiers and the purl2cpe database to our code, as well as a new "mismatch" database to help us fine tune product name matching.

Previously, our code assumed that the product name in a language dependency list would match the product name in our vulnerability data sources, and this sometimes produced false positives when product names were re-used across languages/vendors. Using PURLs to more precisely identify components from language scans and the purl2cpe database to look up human-verified matches in the vulnerability database should increase cve-bin-tool's accuracy.

The mismatch database provides another way to fine-tune results by allowing us to drop name collisions that are causing false positives. For example, there may be multiple languages with a package named "xml" -- if they had entries in the vulnerability databases then purl2cpe would handle finding the right one, but if they had no matches then we fall back to a search and sometimes find an incorrect set of vulnerabilities. The mismatch database allows us to explicitly define mistaken matches and exclude them from results.

The new mismatch documentation can be found here: https://cve-bin-tool.readthedocs.io/en/latest/mismatch_data.html
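The lookup order described in the two paragraphs above, as an added example that is not cve-bin-tool's own code: a PURL is parsed, a constructed purl2cpe-style table is consulted first for a human-verified (vendor, product) pair, and only when that fails does a product-name search over a constructed vulnerability table run, with vendors listed in a constructed mismatch table removed from the candidates. The "xml" collision from the text is used as the sample: the npm package is verified, the PyPI package of the same name is not, and the mismatch entry is what stops it inheriting the npm package's vendor. The PURL parser is a deliberate simplification (no qualifiers or subpaths) and the CVE ids are placeholders.

```python
"""Toy model of PURL-based matching with a mismatch table (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Purl:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]


def parse_purl(purl: str) -> Purl:
    """Minimal parser for pkg:type/[namespace/]name[@version].

    Qualifiers (?...) and subpaths (#...) are ignored: a simplification
    for this example, not the full Package URL grammar.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[len("pkg:"):].split("?", 1)[0].split("#", 1)[0]
    version = None
    if "@" in body:
        body, version = body.rsplit("@", 1)
    parts = body.strip("/").split("/")
    if len(parts) < 2:
        raise ValueError(f"purl needs a type and a name: {purl}")
    namespace = "/".join(parts[1:-1]) or None
    return Purl(parts[0], namespace, parts[-1], version)


def purl_key(p: Purl) -> str:
    """Version-less purl used as the lookup key in the tables below."""
    ns = f"{p.namespace}/" if p.namespace else ""
    return f"pkg:{p.type}/{ns}{p.name}"


# Constructed vulnerability records: (vendor, product, affected_version, cve).
# Two unrelated vendors ship a product called "xml"; CVE ids are placeholders.
VULN_DB = [
    ("xmlcorp", "xml", "1.0.0", "CVE-0000-0010"),
    ("otherorg", "xml", "2.0.0", "CVE-0000-0011"),
    ("otherorg", "xml", "2.1.0", "CVE-0000-0012"),
]

# Constructed purl2cpe-style table: human-verified purl -> (vendor, product).
PURL2CPE = {"pkg:npm/xml": ("xmlcorp", "xml")}

# Constructed mismatch table: purl -> vendors known NOT to be this package.
MISMATCH = {"pkg:pypi/xml": {"xmlcorp"}}


def resolve_vendors(purl: str) -> set:
    """(vendor, product) pairs a purl may refer to.

    Verified purl2cpe entries win outright; otherwise fall back to a
    product-name search and strip vendors the mismatch table rules out.
    """
    parsed = parse_purl(purl)
    key = purl_key(parsed)
    if key in PURL2CPE:
        return {PURL2CPE[key]}
    candidates = {(v, p) for v, p, _, _ in VULN_DB if p == parsed.name}
    excluded = MISMATCH.get(key, set())
    return {(v, p) for v, p in candidates if v not in excluded}


def find_cves(purl: str) -> list:
    """CVE ids whose (vendor, product, version) matches the given purl."""
    parsed = parse_purl(purl)
    pairs = resolve_vendors(purl)
    return sorted(cve for v, p, ver, cve in VULN_DB
                  if (v, p) in pairs and ver == parsed.version)


if __name__ == "__main__":
    for sample in ("pkg:npm/xml@1.0.0", "pkg:pypi/xml@2.0.0", "pkg:pypi/xml@1.0.0"):
        print(sample, resolve_vendors(sample), find_cves(sample))
```

Without the mismatch entry the fallback search for pkg:pypi/xml@1.0.0 would return xmlcorp's record and report CVE-0000-0010 against the wrong package; with it, the PyPI package only ever matches otherorg's records.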

What's Changed

List of pull requests merged (quite long)
  • chore: update SBOM for Python 3.8 by @github-actions in #4028
  • chore: update SBOM for Python 3.12 by @github-actions in #4027
  • chore: update SBOM for Python 3.9 by @github-actions in #4026
  • chore: update SBOM for Python 3.11 by @github-actions in #4025
  • chore: update SBOM for Python 3.10 by @github-actions in #4024
  • feat: add fix to allow detection of python3.11 on DLL file by @jananir640 in #4023
  • chore(deps): bump codecov/codecov-action from 4.1.0 to 4.3.0 by @dependabot in #4017
  • chore(deps): bump github/codeql-action from 3.24.9 to 3.24.10 by @dependabot in #4010
  • chore(deps): bump actions/dependency-review-action from 4.1.3 to 4.2.5 by @dependabot in #3999
  • chore(deps): bump actions/setup-python from 5.0.0 to 5.1.0 by @dependabot in #3985
  • chore(deps): bump github/codeql-action from 3.24.10 to 3.25.0 by @dependabot in #4034
  • feat: added PURL generation to PhpParser by @joydeep049 in #4016
  • feat: added PURL generation for r parser by @inosmeet in #4035
  • chore(deps-dev): bump black from 24.3.0 to 24.4.0 by @dependabot in #4030
  • chore(deps): bump peter-evans/create-pull-request from 6.0.2 to 6.0.3 by @dependabot in #4029
  • feat: added PURL generation to DartParser by @mastersans in #4004
  • chore(deps): bump sphinx from 7.2.6 to 7.3.5 in /doc by @dependabot in #4039
  • chore: set dev version number by @terriko in #4036
  • feat(checker): add ttyd checker by @ffontaine in #4031
  • chore: update checkers table by @github-actions in #4043
  • chore(deps): bump sphinx from 7.3.5 to 7.3.6 in /doc by @dependabot in #4050
  • chore(deps): bump peter-evans/create-pull-request from 6.0.3 to 6.0.4 by @dependabot in #4048
  • chore(deps): bump github/codeql-action from 3.25.0 to 3.25.1 by @dependabot in #4047
  • feat: Adding locations in CycloneDX reports by @Mayankrai449 in #3989
  • fix: update openssl checker by @ffontaine in #4051
  • fix: fix symlink handling by @ffontaine in #4054
  • chore(deps): bump sphinx from 7.3.6 to 7.3.7 in /doc by @dependabot in #4056
  • chore: update SBOM for Python 3.8 by @github-actions in #4068
  • chore: update SBOM for Python 3.9 by @github-actions in #4067
  • chore: update SBOM for Python 3.10 by @github-actions in #4066
  • chore: update SBOM for Python 3.12 by @github-actions in #4065
  • chore: update SBOM for Python 3.11 by @github-actions in #4064
  • chore(deps): bump github/codeql-action from 3.25.1 to 3.25.2 by @dependabot in #4071
  • chore(deps): bump myst-parser from 2.0.0 to 3.0.0 in /doc by @dependabot in #4074
  • chore: removed Old cyclonedx and spdx parser from sbom manager by @ranjanmangla1 in #4076
  • fix: update binutils pattern by @ffontaine in #4077
  • chore: use unique tempdir prefixes in fuzzing temp dirs (fixes: #3960) by @ranjanmangla1 in #4022
  • fix: TypeError in RenvLockBuilder by @joydeep049 in #4061
  • fix: improve cryptsetup checker by @ffontaine in #4086
  • fix: parse CPE names correctly #4041 by @fthdrmzzz in #4063
  • fix: improved cpe parsing in sbom code by @ranjanmangla1 in #4082
  • ci: reduce dependabot scan frequency by @terriko in #4080
  • chore(deps): bump myst-parser from 3.0.0 to 3.0.1 by @dependabot in #4098
  • chore(deps): bump peter-evans/create-pull-request from 6.0.4 to 6.0.5 by @dependabot in #4091
  • chore(deps): bump github/codeql-action from 3.25.2 to 3.25.3 by @dependabot in #4090
  • chore(deps): bump conda-incubator/setup-miniconda from 3.0.3 to 3.0.4 by @dependabot in #4089
  • fix: add additional ppp CPE ID by @ffontaine in #4092
  • chore: update SBOM for Python 3.8 by @github-actions in #4097
  • chore: update SBOM for Python 3.10 by @github-actions in #4096
  • chore: update SBOM for Python 3.9 by @github-actions in https://github.com/intel/cve-bin...

CVE Binary Tool 3.4rc3

16 Sep 21:25
abd4fe7
Pre-release

What's Changed

New Contributors

Full Changelog: v3.4rc2...v3.4rc3

CVE Binary Tool 3.4rc2

11 Sep 15:57
07fe159
Pre-release

Some late-breaking changes to improve backwards compatibility and fix a bug in comment propagation for triage.

What's Changed

  • chore: update SBOM for Python 3.8 by @github-actions in #4409
  • chore: update SBOM for Python 3.9 by @github-actions in #4410
  • chore: update SBOM for Python 3.10 by @github-actions in #4408
  • chore: update SBOM for Python 3.11 by @github-actions in #4406
  • chore: update SBOM for Python 3.12 by @github-actions in #4407
  • chore: update pre-commit config by @github-actions in #4405
  • chore(deps): bump actions/upload-artifact from 4.3.1 to 4.4.0 by @dependabot in #4411
  • chore(deps): bump github/codeql-action from 3.26.5 to 3.26.6 by @dependabot in #4413
  • chore(deps): bump actions/setup-python from 5.1.1 to 5.2.0 by @dependabot in #4412
  • feat: auto detect for vex and added linkage check by @mastersans in #4415
  • chore: bump version to 3.4 release by @terriko in #4416
  • fix: handle : in filenames better by @ffontaine in #4418
  • fix: update dovecot checker by @ffontaine in #4419
  • fix: Backwards compatibility for vex triage by @terriko in #4421
  • chore(deps): bump actions/attest-build-provenance from 1.4.2 to 1.4.3 by @dependabot in #4430
  • chore: update SBOM for Python 3.8 by @github-actions in #4428
  • chore: update SBOM for Python 3.9 by @github-actions in #4425
  • chore: update SBOM for Python 3.10 by @github-actions in #4426
  • chore: update SBOM for Python 3.11 by @github-actions in #4427
  • chore: update SBOM for Python 3.12 by @github-actions in #4424
  • fix: Incorrect validation of purl (fixes #4420) by @anthonyharrison in #4422
  • feat(checker): add mp4v2 checker by @ffontaine in #4380
  • fix: improve comment propagation from lib4vex by @terriko in #4423
  • chore: update checkers table by @github-actions in #4431
  • chore: 3.4rc2 version number by @terriko in #4432

Full Changelog: v3.4rc1...v3.4rc2

CVE Binary Tool 3.4rc1

30 Aug 19:44
c99bbdd
Pre-release

Final (hopefully!) pre-release for 3.4.

Auto-generated release notes below:

What's Changed

Full Changelog: v3.4rc0...v3.4rc1

CVE Binary Tool 3.4rc0

20 Aug 21:38
475c86e
Pre-release

Pre-release for v3.4

What's Changed

  • chore: update SBOM for Python 3.8 by @github-actions in #4028
  • chore: update SBOM for Python 3.12 by @github-actions in #4027
  • chore: update SBOM for Python 3.9 by @github-actions in #4026
  • chore: update SBOM for Python 3.11 by @github-actions in #4025
  • chore: update SBOM for Python 3.10 by @github-actions in #4024
  • feat: add fix to allow detection of python3.11 on DLL file by @jananir640 in #4023
  • chore(deps): bump codecov/codecov-action from 4.1.0 to 4.3.0 by @dependabot in #4017
  • chore(deps): bump github/codeql-action from 3.24.9 to 3.24.10 by @dependabot in #4010
  • chore(deps): bump actions/dependency-review-action from 4.1.3 to 4.2.5 by @dependabot in #3999
  • chore(deps): bump actions/setup-python from 5.0.0 to 5.1.0 by @dependabot in #3985
  • chore(deps): bump github/codeql-action from 3.24.10 to 3.25.0 by @dependabot in #4034
  • feat: added PURL generation to PhpParser by @joydeep049 in #4016
  • feat: added PURL generation for r parser by @inosmeet in #4035
  • chore(deps-dev): bump black from 24.3.0 to 24.4.0 by @dependabot in #4030
  • chore(deps): bump peter-evans/create-pull-request from 6.0.2 to 6.0.3 by @dependabot in #4029
  • feat: added PURL generation to DartParser by @mastersans in #4004
  • chore(deps): bump sphinx from 7.2.6 to 7.3.5 in /doc by @dependabot in #4039
  • chore: set dev version number by @terriko in #4036
  • feat(checker): add ttyd checker by @ffontaine in #4031
  • chore: update checkers table by @github-actions in #4043
  • chore(deps): bump sphinx from 7.3.5 to 7.3.6 in /doc by @dependabot in #4050
  • chore(deps): bump peter-evans/create-pull-request from 6.0.3 to 6.0.4 by @dependabot in #4048
  • chore(deps): bump github/codeql-action from 3.25.0 to 3.25.1 by @dependabot in #4047
  • feat: Adding locations in CycloneDX reports by @Mayankrai449 in #3989
  • fix: update openssl checker by @ffontaine in #4051
  • fix: fix symlink handling by @ffontaine in #4054
  • chore(deps): bump sphinx from 7.3.6 to 7.3.7 in /doc by @dependabot in #4056
  • chore: update SBOM for Python 3.8 by @github-actions in #4068
  • chore: update SBOM for Python 3.9 by @github-actions in #4067
  • chore: update SBOM for Python 3.10 by @github-actions in #4066
  • chore: update SBOM for Python 3.12 by @github-actions in #4065
  • chore: update SBOM for Python 3.11 by @github-actions in #4064
  • chore(deps): bump github/codeql-action from 3.25.1 to 3.25.2 by @dependabot in #4071
  • chore(deps): bump myst-parser from 2.0.0 to 3.0.0 in /doc by @dependabot in #4074
  • chore: removed Old cyclonedx and spdx parser from sbom manager by @ranjanmangla1 in #4076
  • fix: update binutils pattern by @ffontaine in #4077
  • chore: use unique tempdir prefixes in fuzzing temp dirs (fixes: #3960) by @ranjanmangla1 in #4022
  • fix: TypeError in RenvLockBuilder by @joydeep049 in #4061
  • fix: improve cryptsetup checker by @ffontaine in #4086
  • fix: parse CPE names correctly #4041 by @fthdrmzzz in #4063
  • fix: improved cpe parsing in sbom code by @ranjanmangla1 in #4082
  • ci: reduce dependabot scan frequency by @terriko in #4080
  • chore(deps): bump myst-parser from 3.0.0 to 3.0.1 by @dependabot in #4098
  • chore(deps): bump peter-evans/create-pull-request from 6.0.4 to 6.0.5 by @dependabot in #4091
  • chore(deps): bump github/codeql-action from 3.25.2 to 3.25.3 by @dependabot in #4090
  • chore(deps): bump conda-incubator/setup-miniconda from 3.0.3 to 3.0.4 by @dependabot in #4089
  • fix: add additional ppp CPE ID by @ffontaine in #4092
  • chore: update SBOM for Python 3.8 by @github-actions in #4097
  • chore: update SBOM for Python 3.10 by @github-actions in #4096
  • chore: update SBOM for Python 3.9 by @github-actions in #4095
  • chore: update SBOM for Python 3.12 by @github-actions in #4094
  • chore: update SBOM for Python 3.11 by @github-actions in #4093
  • chore: update pre-commit config by @github-actions in #4099
  • chore(deps): bump actions/dependency-review-action from 4.2.5 to 4.3.2 by @dependabot in #4109
  • chore(deps): bump codecov/codecov-action from 4.3.0 to 4.3.1 by @dependabot in #4108
  • chore(deps): bump step-security/harden-runner from 2.7.0 to 2.7.1 by @dependabot in #4107
  • chore: update SBOM for Python 3.8 by @github-actions in #4106
  • chore: update SBOM for Python 3.10 by @github-actions in #4105
  • chore: update SBOM for Python 3.12 by @github-actions in #4104
  • chore: update SBOM for Python 3.9 by @github-actions in #4103
  • chore: update SBOM for Python 3.11 by @github-actions in #4102
  • feat: upload slsa to github on testing ci build job by @pdxjohnny in #4113
  • ci: update Testing workflow with harden-runner recommendations by @michaelwknott in #4114
  • chore(deps-dev): bump pre-commit from 3.7.0 to 3.7.1 by @dependabot in #4121
  • chore(deps): bump ossf/scorecard-action from 2.3.1 to 2.3.3 by @dependabot in #4124
  • chore: update SBOM for Python 3.8 by @github-actions in #4120
  • chore: update SBOM for Python 3.9 by @github-actions in #4119
  • chore: update SBOM for Python 3.10 by @github-actions in #4118
  • chore: update SBOM for Python 3.12 by @github-actions in #4117
  • chore: update SBOM for Python 3.11 by @github-actions in #4116
  • chore(deps): bump github/codeql-action from 3.25.3 to 3.25.4 by @dependabot in #4123
  • chore(deps): bump actions/attest-build-provenance from 1.0.0 to 1.1.1 by @dependabot in #4122
  • ci: build wheel only on origin, make sbom test more robust by @terriko in #4126
  • chore(deps): bump codecov/codecov-action from 4.3.1 to 4.4.0 by @dependabot in #4134
  • chore(deps): bump github/codeql-action from 3.25.4 to 3.25.5 by @dependabot in #4133
  • chore: update SBOM for Python 3.8 by @github-actions in #4132
  • chore: update SBOM for Python 3.9 by @github-actions in #4131
  • chore: update SBOM for Python 3.10 by @github-actions in #4130
  • chore: update SBOM for Python 3.12 by @github-actions in #4129
  • chore: update SBOM for Python 3.11 by @github-actions in #4128
  • chore(deps): requests>=2.32.0 due to session bug by @terriko in #4136
  • chore(deps): bump codecov/codecov-action from 4.4.0 to 4.4.1 by @dependabot in #4147
  • chore(deps): bump step-security/harden-runner from 2.7.1 to 2.8.0 by @dependabot in #4146
  • chore(deps): bump github/codeql-action from 3.25.5 to 3.25.6 by @dependabot in #4145
  • test: added test for generate_sbom function by @inosmeet in #4060
  • chore: update SBOM for Python 3.8 by @gi...

CVE Binary Tool 3.3

11 Apr 16:50
2e1b844

Release highlights

  • GSoC 2023 contributor @Rexbeast2 added support for EPSS scores to help users assess vulnerability risks (more info: https://cve-bin-tool.readthedocs.io/en/latest/MANUAL.html#metric)

  • GSoC 2023 contributor @b31ngd3v has set up a GitHub Action (available here: https://github.com/intel/cve-bin-tool-action) and did a lot of work related to using our new NVD mirror (available here: https://cveb.in/)

  • We now default to using our own NVD mirror unless an NVD_API_KEY is set.

    • The data is updated multiple times per day and duplicated to mirrors in several countries across the globe. They should be significantly faster than getting data from NVD directly, especially if you need to populate a database from scratch.
    • Mirroring infrastructure is provided by FCIX Software Mirrors, who currently provide a large portion of the global mirroring for linux distributions and other open source projects.
    • If you have difficulties with the mirrors or wish us to activate a mirror closer to you (we're only using a fraction of the servers available), please file an issue https://github.com/intel/cve-bin-tool/issues
    • These mirrors can be used in other tools or as part of research. We'd love to know if and how you use them!
  • Breaking Change: Windows users will now need to use python 3.12 if they want to scan tarfiles.

    • Testing has been disabled on Windows for Python < 3.12. It's likely that older versions of Python will continue to work on Windows as long as you don't need tarfile support, but our binary checker tests use tarfiles so we can no longer run the full test suite.
  • We now provide our own version compare function, which will not be limited to PEP 440 compliant semantic versions.

  • Thanks especially to @ffontaine we are up to 359 binary checkers!

  • Our fuzz testing has been improved to cover more of our language file parsers. Thanks especially to @joydeep049, @mastersans, @raffifu and @inosmeet for their work in setting these up and fixing errors found via fuzzing.

We've also got a large number of new contributors, many of whom participated in Hacktoberfest 2023 or the first part of GSoC 2024, as well as users and security experts who were generous enough to share their time and expertise with us outside of these open source beginner-focused programs. Thank you!

Change Log

List of pull requests merged (quite long)
  • fix: java parser failing to match vendor on product without '-' by @bcieszko in #2961
  • feat(checker): New checker request - GNU emacs by @bcieszko in #2941
  • chore: update SBOM for Python 3.7 by @github-actions in #3025
  • chore: update SBOM for Python 3.10 by @github-actions in #3024
  • chore: update SBOM for Python 3.9 by @github-actions in #3023
  • chore: update SBOM for Python 3.8 by @github-actions in #3022
  • chore: update SBOM for Python 3.11 by @github-actions in #3021
  • [StepSecurity] Apply security best practices by @step-security-bot in #3031
  • fix: Enhance SBOM docs (fixes #2922) by @offsake in #3029
  • ci: adjust dependabot config to limit false positives by @terriko in #3033
  • chore: update checkers table by @github-actions in #3026
  • chore: bump to dev version 3.2.2dev0 by @terriko in #3019
  • chore(deps): bump actions/dependency-review-action from 2.5.1 to 3.0.4 by @dependabot in #3034
  • chore: update SBOM for Python 3.7 by @github-actions in #3040
  • chore: update SBOM for Python 3.8 by @github-actions in #3039
  • chore: update SBOM for Python 3.9 by @github-actions in #3038
  • chore: update SBOM for Python 3.11 by @github-actions in #3037
  • chore: update SBOM for Python 3.10 by @github-actions in #3036
  • feat(checker): add mini_httpd checker by @ffontaine in #3020
  • feat(checker): add libmicrohttpd checker by @ffontaine in #3014
  • ci: fix dependabot config by @terriko in #3041
  • chore: update pre-commit config by @github-actions in #2968
  • feat(checker): add cpio checker by @ffontaine in #3013
  • ci: Harden GitHub Actions [StepSecurity] by @step-security-bot in #3043
  • feat(checker): add sngrep checker by @ffontaine in #3035
  • feat(checker): add fluidsynth checker by @ffontaine in #3012
  • feat(checker): add pixman checker by @ffontaine in #3010
  • feat(checker): add ldns checker by @ffontaine in #3004
  • feat(checker): add gzip checker by @ffontaine in #2998
  • chore: update checkers table by @github-actions in #3044
  • ci: Dependabot "duplicated" lines and ignore "*" by @terriko in #3045
  • chore(deps): bump github/codeql-action from 2.1.27 to 2.3.5 by @dependabot in #3049
  • chore(deps): bump actions/dependency-review-action from 3.0.4 to 3.0.6 by @dependabot in #3051
  • chore(deps): bump actions/checkout from 3.1.0 to 3.5.2 by @dependabot in #3050
  • chore: update pre-commit config by @github-actions in #3048
  • ci: pin dependency-review linux, fix dependabot by @terriko in #3055
  • feat(checker): add gdk-pixbuf checker by @ffontaine in #3011
  • feat(checker): add libtasn1 checker by @ffontaine in #3000
  • feat(checker): add dmidecode checker by @ffontaine in #2997
  • feat(checker): add libgd checker by @ffontaine in #2978
  • feat: merged report content change and comments added in html reports by @gvozzolo in #2913
  • feat: add support for pgp signing (#2577) by @b31ngd3v in #2882
  • chore: update checkers table by @github-actions in #3061
  • chore: update SBOM for Python 3.8 by @github-actions in #3070
  • chore: update SBOM for Python 3.7 by @github-actions in #3069
  • chore: update SBOM for Python 3.10 by @github-actions in #3068
  • chore: update SBOM for Python 3.9 by @github-actions in #3067
  • chore: update SBOM for Python 3.11 by @github-actions in #3066
  • ci: up timeouts on short and long tests by @terriko in #3072
  • feat(checker): add udisks checker by @ffontaine in #2999
  • feat(scanner): slight update in version display by @ffontaine in #3063
  • feat(checker): add readline checker by @ffontaine in #2976
  • feat(checker): add ntfs-3g checker by @ffontaine in #2973
  • feat(checker): add ngircd checker by @ffontaine in #3003
  • feat(checker): add libmodbus checker by @ffontaine in #3002
  • feat(checker): add coreutils checker by @ffontaine in #3001
  • fix: improve openssl checker by @ffontaine in #2987
  • chore(deps): bump actions/upload-artifact from 3.1.0 to 3.1.2 by @dependabot in #3052
  • chore: update SBOM for Python 3.8 by @github-actions in #3082
  • fix: root file path of vulnerable component is missing by @b31ngd3v in #3088
  • chore: update SBOM for Python 3.9 by @github-actions in #3081
  • chore: update SBOM for Python 3.10 by @github-actions in #3080
  • chore: update SBOM for Python 3.11 by @github-actions in #3079
  • chore: update SBOM for Python 3.7 by @github-actions in #3078
  • chore: update checkers table by @github-actions in #3073
  • chore(deps): bump step-security/harden-runner from 2.4.0 to 2.4.1 by @dependabot in #3090
  • chore(deps-dev): bump pre-commit from 3.3.2 to 3.3.3 by @dependabot in #3087
  • chore(deps): bump github/codeql-action from 2.3.5 to 2.20.0 by @dependabot in https://github.com/intel/cve-bin-tool...

CVE Binary Tool 3.3rc3 pre-release

10 Apr 01:29
83e30ee
Pre-release

Assorted bugfixes, new checkers, and improvements (see details below). This may be the last pre-release before 3.3 if we don't find any additional issues.

BREAKING CHANGE: Windows users will now have to use python 3.12 if they intend to scan tarfiles.

What's Changed

  • fix: java parser failing to match vendor on product without '-' by @bcieszko in #2961
  • feat(checker): New checker request - GNU emacs by @bcieszko in #2941
  • chore: update SBOM for Python 3.7 by @github-actions in #3025
  • chore: update SBOM for Python 3.10 by @github-actions in #3024
  • chore: update SBOM for Python 3.9 by @github-actions in #3023
  • chore: update SBOM for Python 3.8 by @github-actions in #3022
  • chore: update SBOM for Python 3.11 by @github-actions in #3021
  • [StepSecurity] Apply security best practices by @step-security-bot in #3031
  • fix: Enhance SBOM docs (fixes #2922) by @offsake in #3029
  • ci: adjust dependabot config to limit false positives by @terriko in #3033
  • chore: update checkers table by @github-actions in #3026
  • chore: bump to dev version 3.2.2dev0 by @terriko in #3019
  • chore(deps): bump actions/dependency-review-action from 2.5.1 to 3.0.4 by @dependabot in #3034
  • chore: update SBOM for Python 3.7 by @github-actions in #3040
  • chore: update SBOM for Python 3.8 by @github-actions in #3039
  • chore: update SBOM for Python 3.9 by @github-actions in #3038
  • chore: update SBOM for Python 3.11 by @github-actions in #3037
  • chore: update SBOM for Python 3.10 by @github-actions in #3036
  • feat(checker): add mini_httpd checker by @ffontaine in #3020
  • feat(checker): add libmicrohttpd checker by @ffontaine in #3014
  • ci: fix dependabot config by @terriko in #3041
  • chore: update pre-commit config by @github-actions in #2968
  • feat(checker): add cpio checker by @ffontaine in #3013
  • ci: Harden GitHub Actions [StepSecurity] by @step-security-bot in #3043
  • feat(checker): add sngrep checker by @ffontaine in #3035
  • feat(checker): add fluidsynth checker by @ffontaine in #3012
  • feat(checker): add pixman checker by @ffontaine in #3010
  • feat(checker): add ldns checker by @ffontaine in #3004
  • feat(checker): add gzip checker by @ffontaine in #2998
  • chore: update checkers table by @github-actions in #3044
  • ci: Dependabot "duplicated" lines and ignore "*" by @terriko in #3045
  • chore(deps): bump github/codeql-action from 2.1.27 to 2.3.5 by @dependabot in #3049
  • chore(deps): bump actions/dependency-review-action from 3.0.4 to 3.0.6 by @dependabot in #3051
  • chore(deps): bump actions/checkout from 3.1.0 to 3.5.2 by @dependabot in #3050
  • chore: update pre-commit config by @github-actions in #3048
  • ci: pin dependency-review linux, fix dependabot by @terriko in #3055
  • feat(checker): add gdk-pixbuf checker by @ffontaine in #3011
  • feat(checker): add libtasn1 checker by @ffontaine in #3000
  • feat(checker): add dmidecode checker by @ffontaine in #2997
  • feat(checker): add libgd checker by @ffontaine in #2978
  • feat: merged report content change and comments added in html reports by @gvozzolo in #2913
  • feat: add support for pgp signing (#2577) by @b31ngd3v in #2882
  • chore: update checkers table by @github-actions in #3061
  • chore: update SBOM for Python 3.8 by @github-actions in #3070
  • chore: update SBOM for Python 3.7 by @github-actions in #3069
  • chore: update SBOM for Python 3.10 by @github-actions in #3068
  • chore: update SBOM for Python 3.9 by @github-actions in #3067
  • chore: update SBOM for Python 3.11 by @github-actions in #3066
  • ci: up timeouts on short and long tests by @terriko in #3072
  • feat(checker): add udisks checker by @ffontaine in #2999
  • feat(scanner): slight update in version display by @ffontaine in #3063
  • feat(checker): add readline checker by @ffontaine in #2976
  • feat(checker): add ntfs-3g checker by @ffontaine in #2973
  • feat(checker): add ngircd checker by @ffontaine in #3003
  • feat(checker): add libmodbus checker by @ffontaine in #3002
  • feat(checker): add coreutils checker by @ffontaine in #3001
  • fix: improve openssl checker by @ffontaine in #2987
  • chore(deps): bump actions/upload-artifact from 3.1.0 to 3.1.2 by @dependabot in #3052
  • chore: update SBOM for Python 3.8 by @github-actions in #3082
  • fix: root file path of vulnerable component is missing by @b31ngd3v in #3088
  • chore: update SBOM for Python 3.9 by @github-actions in #3081
  • chore: update SBOM for Python 3.10 by @github-actions in #3080
  • chore: update SBOM for Python 3.11 by @github-actions in #3079
  • chore: update SBOM for Python 3.7 by @github-actions in #3078
  • chore: update checkers table by @github-actions in #3073
  • chore(deps): bump step-security/harden-runner from 2.4.0 to 2.4.1 by @dependabot in #3090
  • chore(deps-dev): bump pre-commit from 3.3.2 to 3.3.3 by @dependabot in #3087
  • chore(deps): bump github/codeql-action from 2.3.5 to 2.20.0 by @dependabot in #3086
  • chore(deps): bump peter-evans/create-pull-request from 5.0.1 to 5.0.2 by @dependabot in #3085
  • chore(deps): bump actions/checkout from 3.5.2 to 3.5.3 by @dependabot in #3084
  • fix: improve luajit checker by @ffontaine in #2993
  • fix: improve gimp checker by @ffontaine in #2992
  • ci: Automatically committing/suggesting linter fixes for PRs by @metabiswadeep in #3017
  • chore(deps): bump sphinx from 4.4.0 to 7.0.1 in /doc by @dependabot in #3056
  • fix: improve nghttp2 checker by @ffontaine in #2991
  • docs: adding database schema by @Rexbeast2 in #3097
  • chore(deps): bump github/codeql-action from 2.20.0 to 2.20.1 by @dependabot in #3098
  • fix: fix xerces CPE ID by @ffontaine in #2932
  • docs: including doc in build by @Rexbeast2 in #3102
  • chore: update SBOM for Python 3.8 by @github-actions in #3111
  • chore: update SBOM for Python 3.11 by @github-actions in #3110
  • chore: update SBOM for Python 3.7 by @github-actions in #3109
  • chore: update SBOM for Python 3.10 by @github-actions in #3108
  • chore: update SBOM for Python 3.9 by @github-actions in #3107
  • fix: report is not generated when no CVEs detected (#3028) by @b31ngd3v in #3075
  • ci: dedeuplicate usage of codeql by @metabiswadeep in #3100
  • feat: adding epss data by @Rexbeast2 in #3104
  • feat: updating schema by @Rexbeast2 in #3106
  • chore(deps): bump ossf/scorecard-action from 2.1.3 t...

CVE Binary Tool 3.3rc2 pre-release

23 Jan 00:08
c491590
Pre-release

This pre-release improved the version compare function so it can handle certain distro versions and other special version cases more smoothly. Note that it does not have any special handling for hashes because they appear infrequently in the NVD data, but you may have some unpredictable results if you have hashes listed in an SBOM or local version.

auto-generated notes follow:

What's Changed

  • chore: update SBOM for Python 3.9 by @github-actions in #3623
  • chore: update SBOM for Python 3.8 by @github-actions in #3622
  • chore: update SBOM for Python 3.10 by @github-actions in #3621
  • chore: update SBOM for Python 3.11 by @github-actions in #3620
  • feat(checker): add protobuf-c checker by @ffontaine in #3596
  • feat: disable metrics by default by @ffontaine in #3618
  • feat(checker): add socat checker by @ffontaine in #3597
  • fix: improve lua checker by @ffontaine in #3598
  • feat(checker): add tar checker by @ffontaine in #3600
  • feat(checker): add libvpx checker by @ffontaine in #3602
  • fix: drop wrong gnutls VENDOR_PRODUCT by @ffontaine in #3604
  • fix: update squashfs VENDOR_PRODUCT by @ffontaine in #3605
  • fix: update tor VENDOR_PRODUCT by @ffontaine in #3606
  • fix: update gawk pattern by @ffontaine in #3607
  • feat(checker): add lrzip checker by @ffontaine in #3608
  • fix: update glibc pattern by @ffontaine in #3611
  • fix: update zsh pattern by @ffontaine in #3613
  • fix: improve gdb pattern by @ffontaine in #3614
  • chore: bump version for 3.3 release by @terriko in #3630
  • fix: update coreutils pattern by @ffontaine in #3616
  • fix: update binutils pattern by @ffontaine in #3615
  • fix: update bison pattern by @ffontaine in #3617
  • feat(checker): add mbedtls checker by @ffontaine in #3619
  • feat(checker): add php checker by @ffontaine in #3627
  • fix: drop gpgme CPE ID without CVEs by @ffontaine in #3632
  • fix: drop rsync CPE ID without CVEs by @ffontaine in #3634
  • fix: drop netatalk CPE ID without CVEs by @ffontaine in #3635
  • feat(checker): add jq checker by @ffontaine in #3636
  • feat(checker): add libheif checker by @ffontaine in #3641
  • chore: update checkers table by @github-actions in #3624
  • docs: Updated examples in sbom_generation.md by @Mayankrai449 in #3640
  • feat(checker): add heimdal checker by @ffontaine in #3643
  • feat(checker): add libde265 checker by @ffontaine in #3645
  • ci: fix sbom test skipping logic by @terriko in #3631
  • chore: update checkers table by @github-actions in #3647
  • docs: add cmd for installing the cve-tool in virtualenv by @ayushthe1 in #3649
  • fix: update detailed description by @ffontaine in #3650
  • feat: Enable metrics if epss-{percentile,probability} is set by @ffontaine in #3642
  • chore: update SBOM for Python 3.8 by @github-actions in #3669
  • chore: update SBOM for Python 3.11 by @github-actions in #3668
  • chore: update SBOM for Python 3.9 by @github-actions in #3667
  • chore: update SBOM for Python 3.10 by @github-actions in #3666
  • test: temporarily disable failing tests by @terriko in #3655
  • fix: temporary disabling due to #3674 by @terriko in #3676
  • test: added test for OutputEngine with metrics=False by @mastersans in #3672
  • fix: Deprecate NVD API 1.0 by @akshatgokul in #3671
  • docs: add PHP language specification to docs by @Mahhheshh in #3665
  • feat: Fuzz Testing RParser by @crazytrain328 in #3664
  • docs: Clarifying use of --metrics and epss options by @Mayankrai449 in #3663
  • chore: update spdx header by @github-actions in #3679
  • chore: update js dependencies by @github-actions in #3680
  • docs: Add appropriate docstring to output_engine/print_mode.py (#3457) by @aptitudepi in #3677
  • chore: update pre-commit config by @github-actions in #3678
  • docs(README.md): updated options list in README.md by @DEVESH-N2 in #3662
  • ci: add interrogate to github actions & exclude some directories by @ayushthe1 in #3612
  • feat(checker): add iwd checker by @ffontaine in #3660
  • chore: add template for docstrings issues by @terriko in #3685
  • chore: update SBOM for Python 3.9 by @github-actions in #3691
  • chore: update SBOM for Python 3.8 by @github-actions in #3690
  • chore: update SBOM for Python 3.10 by @github-actions in #3689
  • chore: update SBOM for Python 3.11 by @github-actions in #3688
  • chore: update checkers table by @github-actions in #3686
  • fix: add additional CPE IDs to faad2 by @ffontaine in #3699
  • chore(deps): bump actions/dependency-review-action from 3.1.4 to 3.1.5 by @dependabot in #3695
  • feat(checker): add netdata checker by @ffontaine in #3648
  • chore: fix broken docstrings issue template by @terriko in #3702
  • feat(checker): add micropython checker by @ffontaine in #3704
  • chore: update SBOM for Python 3.8 by @github-actions in #3709
  • chore: update SBOM for Python 3.9 by @github-actions in #3708
  • chore: update SBOM for Python 3.11 by @github-actions in #3707
  • chore: update SBOM for Python 3.10 by @github-actions in #3706
  • chore: update checkers table by @github-actions in #3703
  • feat: test handling of ~= in requirements.txt and add it to docs by @ayushthe1 in #3610
  • ci: improve interrogate/pre-commit config by @terriko in #3714
  • fix: [Snyk] Security upgrade pillow from 9.5.0 to 10.0.1 by @terriko in #3601
  • test: re-enable failing tests from #3653 by @terriko in #3720
  • fix: fail gracefully for npm .package-lock.json files by @terriko in #3654
  • chore: update SBOM for Python 3.9 by @github-actions in #3732
  • chore: update SBOM for Python 3.8 by @github-actions in #3731
  • chore: update SBOM for Python 3.11 by @github-actions in #3730
  • chore: update SBOM for Python 3.10 by @github-actions in #3729
  • chore(deps): bump actions/cache from 3.3.2 to 4.0.0 by @dependabot in #3739
  • feat(checker): add go checker by @ffontaine in #3651
  • docs: add docstrings to cve-bin-tool/util by @Mahhheshh in #3715
  • chore(deps): bump github/codeql-action from 2.22.9 to 3.23.0 by @dependabot in #3705
  • docs: added docstring to swid_parser.py by @Mahhheshh in #3716
  • feat: Fuzz testing PerlParser by @crazytrain328 in #3725
  • chore: update checkers table by @github-actions in #3740
  • fix: improve robustness of version compare by @terriko in #3694
  • chore: update SBOM for Python 3.8 by @github-actions ...

CVE Binary Tool 3.3rc1 pre-release

14 Dec 23:15
10ddd3a

This has some fixes for the version compare function that were reported against the previous pre-release, as well as some new checkers and bugfixes. Automated release notes below.

What's Changed

  • chore(deps): bump actions/dependency-review-action from 3.1.3 to 3.1.4 by @dependabot in #3546
  • chore(deps): bump conda-incubator/setup-miniconda from 2.3.0 to 3.0.1 by @dependabot in #3549
  • typo in issue template by @perrinjerome in #3557
  • test_version_compare: use different pytest.raises for each instruction by @perrinjerome in #3555
  • version_compare: support + in versions by @perrinjerome in #3554
  • chore: update SBOM for Python 3.8 by @github-actions in #3563
  • chore: update SBOM for Python 3.9 by @github-actions in #3562
  • chore: update SBOM for Python 3.11 by @github-actions in #3561
  • chore: update SBOM for Python 3.10 by @github-actions in #3560
  • feat(checker): add exfatprogs checker by @ffontaine in #3542
  • chore: update checkers table by @github-actions in #3564
  • chore(deps): bump actions/setup-python from 4 to 5 by @dependabot in #3567
  • fix: improve version_compare to drop hashes by @terriko in #3566
  • chore: update SBOM for Python 3.10 by @github-actions in #3574
  • chore: update SBOM for Python 3.9 by @github-actions in #3573
  • chore: update SBOM for Python 3.8 by @github-actions in #3572
  • chore: update SBOM for Python 3.11 by @github-actions in #3571
  • chore(deps): bump github/codeql-action from 2.22.6 to 2.22.9 by @dependabot in #3568
  • fix: improve openssl checker by @ffontaine in #3569
  • feat(checker): add tesseract checker by @ffontaine in #3570
  • fix: update mosquitto pattern by @ffontaine in #3580
  • chore(deps-dev): bump pre-commit from 3.5.0 to 3.6.0 by @dependabot in #3577
  • chore: update checkers table by @github-actions in #3584
  • fix: improve version_compare logic by @terriko in #3548
  • fix: non-alphanumeric characters as separators by @terriko in #3565
  • feat(checker): add libevent checker by @ffontaine in #3587
  • fix: remove resizeGraph function by @terriko in #3585
  • feat(checker): add zstandard checker by @ffontaine in #3590
  • feat(checker): add xwayland checker by @ffontaine in #3591
  • feat(checker): add vlc checker by @ffontaine in #3593
  • chore: update checkers table by @github-actions in #3589
  • fix: remove cases of resizeGraph from examples by @terriko in #3592

New Contributors

Full Changelog: v3.3a0...v3.3rc1

CVE Binary Tool pre-release 3.3a0

30 Nov 22:28
c3cb38e

Preview release for 3.3, which will hopefully be coming in December.

There are a lot of changes in this release (see below; more curated release notes to come), but I'm particularly eager to have people try out the new version compare function and make sure it is sufficiently robust for arbitrary versions, as we needed to migrate away from the function provided in python packaging because it could not handle some of the versions we see in the NVD data.

What's Changed

  • fix: java parser failing to match vendor on product without '-' by @bcieszko in #2961
  • feat(checker): New checker request - GNU emacs by @bcieszko in #2941
  • chore: update SBOM for Python 3.7 by @github-actions in #3025
  • chore: update SBOM for Python 3.10 by @github-actions in #3024
  • chore: update SBOM for Python 3.9 by @github-actions in #3023
  • chore: update SBOM for Python 3.8 by @github-actions in #3022
  • chore: update SBOM for Python 3.11 by @github-actions in #3021
  • [StepSecurity] Apply security best practices by @step-security-bot in #3031
  • fix: Enhance SBOM docs (fixes #2922) by @offsake in #3029
  • ci: adjust dependabot config to limit false positives by @terriko in #3033
  • chore: update checkers table by @github-actions in #3026
  • chore: bump to dev version 3.2.2dev0 by @terriko in #3019
  • chore(deps): bump actions/dependency-review-action from 2.5.1 to 3.0.4 by @dependabot in #3034
  • chore: update SBOM for Python 3.7 by @github-actions in #3040
  • chore: update SBOM for Python 3.8 by @github-actions in #3039
  • chore: update SBOM for Python 3.9 by @github-actions in #3038
  • chore: update SBOM for Python 3.11 by @github-actions in #3037
  • chore: update SBOM for Python 3.10 by @github-actions in #3036
  • feat(checker): add mini_httpd checker by @ffontaine in #3020
  • feat(checker): add libmicrohttpd checker by @ffontaine in #3014
  • ci: fix dependabot config by @terriko in #3041
  • chore: update pre-commit config by @github-actions in #2968
  • feat(checker): add cpio checker by @ffontaine in #3013
  • ci: Harden GitHub Actions [StepSecurity] by @step-security-bot in #3043
  • feat(checker): add sngrep checker by @ffontaine in #3035
  • feat(checker): add fluidsynth checker by @ffontaine in #3012
  • feat(checker): add pixman checker by @ffontaine in #3010
  • feat(checker): add ldns checker by @ffontaine in #3004
  • feat(checker): add gzip checker by @ffontaine in #2998
  • chore: update checkers table by @github-actions in #3044
  • ci: Dependabot "duplicated" lines and ignore "*" by @terriko in #3045
  • chore(deps): bump github/codeql-action from 2.1.27 to 2.3.5 by @dependabot in #3049
  • chore(deps): bump actions/dependency-review-action from 3.0.4 to 3.0.6 by @dependabot in #3051
  • chore(deps): bump actions/checkout from 3.1.0 to 3.5.2 by @dependabot in #3050
  • chore: update pre-commit config by @github-actions in #3048
  • ci: pin dependency-review linux, fix dependabot by @terriko in #3055
  • feat(checker): add gdk-pixbuf checker by @ffontaine in #3011
  • feat(checker): add libtasn1 checker by @ffontaine in #3000
  • feat(checker): add dmidecode checker by @ffontaine in #2997
  • feat(checker): add libgd checker by @ffontaine in #2978
  • feat: merged report content change and comments added in html reports by @gvozzolo in #2913
  • feat: add support for pgp signing (#2577) by @b31ngd3v in #2882
  • chore: update checkers table by @github-actions in #3061
  • chore: update SBOM for Python 3.8 by @github-actions in #3070
  • chore: update SBOM for Python 3.7 by @github-actions in #3069
  • chore: update SBOM for Python 3.10 by @github-actions in #3068
  • chore: update SBOM for Python 3.9 by @github-actions in #3067
  • chore: update SBOM for Python 3.11 by @github-actions in #3066
  • ci: up timeouts on short and long tests by @terriko in #3072
  • feat(checker): add udisks checker by @ffontaine in #2999
  • feat(scanner): slight update in version display by @ffontaine in #3063
  • feat(checker): add readline checker by @ffontaine in #2976
  • feat(checker): add ntfs-3g checker by @ffontaine in #2973
  • feat(checker): add ngircd checker by @ffontaine in #3003
  • feat(checker): add libmodbus checker by @ffontaine in #3002
  • feat(checker): add coreutils checker by @ffontaine in #3001
  • fix: improve openssl checker by @ffontaine in #2987
  • chore(deps): bump actions/upload-artifact from 3.1.0 to 3.1.2 by @dependabot in #3052
  • chore: update SBOM for Python 3.8 by @github-actions in #3082
  • fix: root file path of vulnerable component is missing by @b31ngd3v in #3088
  • chore: update SBOM for Python 3.9 by @github-actions in #3081
  • chore: update SBOM for Python 3.10 by @github-actions in #3080
  • chore: update SBOM for Python 3.11 by @github-actions in #3079
  • chore: update SBOM for Python 3.7 by @github-actions in #3078
  • chore: update checkers table by @github-actions in #3073
  • chore(deps): bump step-security/harden-runner from 2.4.0 to 2.4.1 by @dependabot in #3090
  • chore(deps-dev): bump pre-commit from 3.3.2 to 3.3.3 by @dependabot in #3087
  • chore(deps): bump github/codeql-action from 2.3.5 to 2.20.0 by @dependabot in #3086
  • chore(deps): bump peter-evans/create-pull-request from 5.0.1 to 5.0.2 by @dependabot in #3085
  • chore(deps): bump actions/checkout from 3.5.2 to 3.5.3 by @dependabot in #3084
  • fix: improve luajit checker by @ffontaine in #2993
  • fix: improve gimp checker by @ffontaine in #2992
  • ci: Automatically committing/suggesting linter fixes for PRs by @metabiswadeep in #3017
  • chore(deps): bump sphinx from 4.4.0 to 7.0.1 in /doc by @dependabot in #3056
  • fix: improve nghttp2 checker by @ffontaine in #2991
  • docs: adding database schema by @Rexbeast2 in #3097
  • chore(deps): bump github/codeql-action from 2.20.0 to 2.20.1 by @dependabot in #3098
  • fix: fix xerces CPE ID by @ffontaine in #2932
  • docs: including doc in build by @Rexbeast2 in #3102
  • chore: update SBOM for Python 3.8 by @github-actions in #3111
  • chore: update SBOM for Python 3.11 by @github-actions in #3110
  • chore: update SBOM for Python 3.7 by @github-actions in #3109
  • chore: update SBOM for Python 3.10 by @github-actions in #3108
  • chore: update SBOM for Python 3.9 by @github-actions in #3107
  • fix: report is not generated when no CVEs detected (#3028) by @b31ngd3v in #3075
  • ci: deduplicate usage of codeql by @metabiswadeep in #3100
  • feat: adding epss data by @Rexbeast...