CVE Binary Tool 3.0
The CVE Binary Tool 3.0 release includes improved tools for checking known lists of packages including Linux distributions, improved methods of communication with NVD to get vulnerability data, additional checkers, and significant refactoring to streamline the output.
New feature highlights:
- SBOM Scanning: CVE Binary Tool can now take Software Bill of Materials (SBOM) files to help users improve their supply chain security data for all known dependencies. The initial feature can handle some versions of SPDX, CycloneDX and SWID formats. More information on SBOM scanning can be found here: https://github.com/intel/cve-bin-tool/blob/main/doc/how_to_guides/sbom.md
- Known vulnerability information: Users scanning some linux distro packages can now get additional information about fixes available for those platforms.
- Vulnerability Data: The default method for getting NVD vulnerability lists has been changed. Previously we downloaded full yearly JSON files if anything in the year had changed, the new API allows us to get only the latest changes. Users may see a speedup during the update phase as a result.
- (Breaking change) Return codes: The return codes used by CVE Binary Tool have changed.
- A 0 will be returned if no CVEs are found, a 1 will be returned if any CVEs were found (no matter how many), and codes 2+ indicate operational errors. A full list of error codes is available here: https://github.com/intel/cve-bin-tool/blob/main/cve_bin_tool/error_handler.py
- Previously we returned the number of CVEs found, but this could exceed the expected range for return codes and cause unexpected behaviour.
Thanks especially to our 2021 GSoC students, @BreadGenie, @imsahil007 and @peb-peb whose final GSoC contributions are part of this release.
A full list of changes are below. Commit messages use the Conventional Commits format.
What's Changed Since 2.2
- feat: Add CVSS Vector by @anthonyharrison in #1220
- fix(security): add noreferer in target=_blank inside html reports by @imsahil007 in #1232
- feat(package-list-parser): Add support for distros using pacman package manager by @BreadGenie in #1235
- feat(checker): Add gupnp Checker by @BreadGenie in #1236
- feat(checker): zsh checker by @peb-peb in #1240
- feat(checker): Add kbd Checker by @BreadGenie in #1239
- feat(checker): libbpg checker by @peb-peb in #1237
- feat(checker): dbus checker by @peb-peb in #1241
- feat(checker): libical checker by @peb-peb in #1243
- feat: Add intermediate severity trace table in pdf report by @imsahil007 in #1245
- feat(checker): liblas checker by @peb-peb in #1244
- feat(checker): Add kexec-tools Checker by @BreadGenie in #1242
- feat(checker): Add hunspell Checker by @BreadGenie in #1238
- feat(checker): Add cronie Checker by @BreadGenie in #1221
- refactor: Unify Checker list and test Checker list by @BreadGenie in #1224
- fix(security): Bandit config and nosec flags for reviewed code by @terriko in #1249
- fix(security): Improve SQL in version_signature.py by @terriko in #1248
- fix: add update_egg function to test_checker by @terriko in #1252
- fix: tests for test_helper_script by @peb-peb in #1255
- docs: remove adding checker names for tests by @BreadGenie in #1256
- test: change way pytest is run in CI by @terriko in #1251
- refactor(scanner): scan strings without splitting the lines by @BreadGenie in #1227
- fix: extract apk packages for alpine and android by @imsahil007 in #1258
- feat(checker): Add sudo checker by @imsahil007 in #1259
- Fix yaml and toml tests in test_config by @terriko in #1253
- feat(checker): Add Lua Checker by @BreadGenie in #1257
- feat(checker): Add mdadm Checker by @BreadGenie in #1261
- feat(checker): Add mtr Checker by @BreadGenie in #1263
- feat(checker): Add TrouSerS checker by @BreadGenie in #1266
- feat: Add recommdended dev tools list by @terriko in #1212
- feat(checker): Add gnome-shell checker by @BreadGenie in #1200
- fix: rename development requirements file for Snyk by @terriko in #1272
- fix: condensed downloads by @BreadGenie in #1274
- refactor: helper script for is_executable() and parse_string() by @peb-peb in #1246
- feat(checker): Add open-vm-tools Checker by @BreadGenie in #1275
- feat(checker): Add nano Checker by @BreadGenie in #1277
- feat(checker): Add pscs-lite Checker by @BreadGenie in #1280
- feat(checker): Add poppler Checker by @BreadGenie in #1283
- fix(cvedb): skip reject cve entries by @imsahil007 in #1282
- feat: Add NVD CVE Retrieval API by @imsahil007 in #1218
- fix: Too many SQL Variables by @anthonyharrison in #1279
- fix: mark failing nvd test as skipped (for now) by @terriko in #1286
- feat(checker): Add pigz Checker by @BreadGenie in #1288
- fix: allow extractraction on all files to fail by @terriko in #1285
- refactor: flake8 code cleanup by @Molkree in #1294
- fix: systemd Checker by @BreadGenie in #1289
- fix: fix datetime and status count tests for nvd_api by @imsahil007 in #1306
- fix(scanner): crash when scanning a METADATA file w/o appropriate data by @BreadGenie in #1301
- update: to latest stable version of black by @peb-peb in #1260
- ci: add flake8 to CI by @Molkree in #1299
- lint: remove unused BeautifulSoup import, fix black by @terriko in #1307
- feat(checker): hdf5 checker by @peb-peb in #1297
- feat(checker): Add sane-backends Checker by @BreadGenie in #1292
- feat(checker): libvncserver checker by @peb-peb in #1296
- feat(checkers): add pre-commit hook for reformatting checkers table by @imsahil007 in #1290
- refactor(logger): Make logger less verbose by @BreadGenie in #1295
- chore: Update dev version to 3.0.dev0 by @terriko in #1319
- ci: autoupdate pre-commit config by @Molkree in #1302
- Updated conf.py and requirements.txt by @P0intMaN in #1313
- fix: mark failing nvd tests skip by @imsahil007 in #1321
- test: add additional bad archive tests by @P0intMaN in #1322
- refactor: bad archive file tests by @P0intMaN in #1328
- feat: enable pre-commit format_checkers for CI by @imsahil007 in #1330
- chore : Removed vestigial/no longer needed pylint disable directives by @GurpreetSarangal in #1327
- fix(nvd_api): refactor nvd_api-cvedb and remove json cache by @imsahil007 in #1318
- feat: recommending safe packages by @peb-peb in #1284
- ci: Add python 3.9 for short tests by @terriko in #1334
- feat(merge): Add filter for intermediate reports by @imsahil007 in #1262
- refactor(windows_tests): Update Python 3.8 to 3.9 by @P0intMaN in #1338
- feat(backports): Add output backport fixes for debian based distros by @BreadGenie in #1273
- feat: improved output for helper-script by @peb-peb in #1333
- fix(nvd_api): nvd_api fetch results over 2000 limit by @imsahil007 in #1345
- docs: backport-fix by @BreadGenie in #1344
- fix: group arguments in cli by @imsahil007 in #1340
- Updated existing checkers using Helper Script by @peb-peb in #1189
- test(extractor): refactor bad files by @Molkree in #1341
- fix: change
CONTAIN_PATTERNStoCONTAINS_PATTERNSby @Molkree in #1347 - fix(pdf): resolve reportlab table style index bug by @imsahil007 in #1329
- docs: add Python 3.9 classifier by @Molkree in #1355
- fix: unbound output variable in version_scanner by @imsahil007 in #1356
- chore: update pre-commit config by @github-actions in #1357
- feat: Add spell-checker to Github Workflow by @P0intMaN in #1350
- chore: change comment about not detecting backported fixes by @BreadGenie in #1365
- refactor: Add tool version to console output by @anthonyharrison in #1376
- feat: Add Python 3.10 support by @anthonyharrison in #1370
- feat: Add PDF Tests by @anthonyharrison in #1361
- feat: add SBOM support by @anthonyharrison in #1366
- refactor(checker): merge libcurl and curl checker by @BreadGenie in #1364
- feat: Add Available Fix Utility by @BreadGenie in #1363
- chore: update pre-commit config by @github-actions in #1367
- refactor: reduce logging output by @anthonyharrison in #1374
- chore: bump black to 21.9b0 by @itsmais in #1389
- doc: Add architecture diagram by @terriko in #1393
- feat: report number of checkers by @anthonyharrison in #1391
- feat: add CVE summary by @anthonyharrison in #1392
- docs: fix Manual table of contents by @Molkree in #1397
- refactor(nvd): switch default nvd api from json by @BreadGenie in #1394
- feat(available-fix): Add Red Hat support by @BreadGenie in #1390
- GitHub Actions How-To Guide by @alt-glitch in #1396
- ci: automate keeping dev-requirements.txt and .pre-commit-config in sync by @Molkree in #1405
- test: disable hanging nvd tests by @terriko in #1420
- test: skip NVD API tests by @Molkree in #1421
- docs: including suggest to install pdftext in Windows using conda by @marlonemmerich in #1395
- refactor: type hints in available fix files by @Molkree in #1408
- refactor(sbom): typing and
try exceptconstructions by @Molkree in #1409 - Updated requirements.csv with valid vendors #1403 by @Shiv2708 in #1406
- feat(package-list-parser): improve error messsages for unsupported distros by @BreadGenie in #1413
- fix(test): switch
--nvdoption to JSON for broken long tests by @BreadGenie in #1425 - fix: Unknown CVEs in output by @anthonyharrison in #1429
- fix: Replace xml.etree.ElementTree with defusedxml.ElementTree by @anthonyharrison in #1430
- fix: enable nvd_api tests and add modEndDate param by @imsahil007 in #1427
- chore: Add # nosec comment for bandit by @terriko in #1401
- refactor(package-list-parser): Make invalid packages log warning instead of throwing error by @BreadGenie in #1415
- fix: bump binutils to v2.34-6ubuntu1.3 in package list parser test by @BreadGenie in #1434
- fix: don't scan if vendor is "UNKNOWN" by @anthonyharrison in #1439
- test: mark jsonschema tests as xfail by @terriko in #1441
- CI: disable jsonschema tests due to NVD data errors by @terriko in #1442
- refactor: encapsulate vendor fetch to CVEDB by @BreadGenie in #1417
- chore: update JavaScript dependencies by @BreadGenie in #1432
- fix(available-fix): Use
affected_releasefor fixed status by @BreadGenie in #1445 - fix!: Make error codes fit standard range by @terriko in #1423
- fix: ensure canonical version numbers used in version comparison by @anthonyharrison in #1437
- test(package-list-parser): use ubuntu packages' versions dynamically by @BreadGenie in #1458
- OpenSSF Badge (in progress) by @terriko in #1443
- doc: Release notes, readme and version updates for 3.0 release. by @terriko in #1461
New Contributors
- @P0intMaN made their first contribution in #1313
- @GurpreetSarangal made their first contribution in #1327
- @github-actions made their first contribution in #1357
- @itsmais made their first contribution in #1389
- @marlonemmerich made their first contribution in #1395
- @Shiv2708 made their first contribution in #1406
Full Changelog: v2.2...v3.0