CVE Binary Tool 3.1

This release is dedicated to the person who sent me cookies after I was griping about differences in Python 3.7 error handling on Twitter. They were delicious, thank you! Thanks also to the many new contributors who have joined us as part of Google Summer of Code 2022. You can see many new folk had their first commits in this release!

New Features

• CVE Binary Tool 3.1 adds support for NVD API keys. An NVD API key allows registered users to make a greater number of requests to the API. At this time, the NVD API documentation says, "The public rate limit (without an API key) is 10 requests in a rolling 60 second window; the rate limit with an API key is 100 requests in a rolling 60 second window."
  • cve-bin-tool updates once per day by default to limit connections to NVD, but users in shared environments or running more frequent updates have occasionally seen 403 errors due to exceeded rate limits. Using an API key should alleviate those issues going forwards.
• New support for scanning Java and JavaScript packages has been added. (Yes, this will now detect log4j packages.) The language-specific packages we support now are Java, JavaScript and Python.
• A new offline flag (--offline) has been added to disable all network requests for use in isolated environments. A guide for using --offline mode can be found here.
• New support VEX (Vulnerabity Expolitabity Exchange) files. Files could be generated following a scan and then used as a supported triage file.
• Extractor support has been extended to include WAR, EAR, pkg and zst files.
• New checkers: Libsrtp, libseccomp, libebml, libsolv

Changed Features

• Some users had expressed concern that they would prefer not to install the Reportlab dependency on their systems due to security concerns if the library is mis-used, so we no longer install it by default.
  • Users intending to use PDF export can use pip install cve-bin-tool[PDF] to add reportlab to their install. or pip install reportlab if they decide they want it later.
  • Similarly, users can pip uninstall reportlab at any time and cve-bin-tool will continue to function although without the ability to export PDF files. Users can generate their own using pdf reports using print-to-pdf on an HTML report if needed.
• Python 3.6 support and testing has been dropped as Python 3.6 has reached end of life. (This may affect some users on CentOS.)

New Contributors

• @XDRAGON2002 made their first contribution in #1495
• @DangerChamp made their first contribution in #1516
• @Aadityajoshi151 made their first contribution in #1532
• @vkrm1612 made their first contribution in #1536
• @shoneriki made their first contribution in #1576
• @yashugarg made their first contribution in #1533
• @rhythmrx9 made their first contribution in #1572
• @BenL-github made their first contribution in #1606
• @xiongnemo made their first contribution in #1610
• @Alienmaster made their first contribution in #1619
• @MohitOhlyan made their first contribution in #1612

Full Change List

• refactor(package-list-parser): remove csv path by @BreadGenie in #1466
• feat: Add tests for cve_scanner (#1450) by @anthonyharrison in #1456
• ci: fix check-spelling workflow by @Molkree in #1471
• bug: Unzip failure requires user interaction (#1473) by @anthonyharrison in #1479
• feat: Add support for WAR and EAR archive files (#1474) by @anthonyharrison in #1478
• refactor: find SBOM product vendor (#1477) by @anthonyharrison in #1481
• chore: update pre-commit config by @github-actions in #1455
• bug: don't follow symlinks in archives (#1475) by @anthonyharrison in #1486
• bug: Update pdf configuration parameters (#1459) by @anthonyharrison in #1484
• Updated spelling.yml by @XDRAGON2002 in #1495
• feat: use cve-bin-tool without Reportlab (Fixes #1464) by @anthonyharrison in #1485
• feat: Add offline command line option (#1452) by @anthonyharrison in #1480
• doc: improve new contributor documentation by @terriko in #1467
• ci: add filetype to allowed word list by @terriko in #1497
• feat: Remove support for python 3.6 (#1488) by @XDRAGON2002 in #1498
• feat: added Libsrtp checker (#1489) by @XDRAGON2002 in #1500
• chore: added LGTM badges to readme (#1380) by @XDRAGON2002 in #1501
• feat: Add support for scanning Java packages (#1463) by @anthonyharrison in #1476
• chore: update pre-commit config by @github-actions in #1499
• test: Move NVD queries to LONG_TESTS due to rate limits (fixes #1509) by @terriko in #1511
• chore: modify detected languages in github by @terriko in #1508
• Gave output types its own subheading by @DangerChamp in #1516
• test: Move backported fix tests to LONG_TESTS (#1502) by @XDRAGON2002 in #1512
• Moved --offline up to "Most popular usage options" by @DangerChamp in #1514
• fix(cve_scanner): fix canonical_convert by @Molkree in #1519
• Replace "Github" with "GitHub" by @Aadityajoshi151 in #1532
• Correction by @vkrm1612 in #1536
• feat: add NVD API key by @terriko in #1529
• ci: remove NVD_API_KEY from CI because it isn't working by @terriko in #1549
• fix: Only import pdftotext if installed (Fixes #1419) by @anthonyharrison in #1545
• doc: Publish FOSDEM 2022 slides (Fixes #1546) by @anthonyharrison in #1547
• fix: set default version for xml2 checker to UNKNOWN (Fixes #1517) by @anthonyharrison in #1524
• Updated so it shows the correct versions of Python by @DangerChamp in #1515
• doc: keep pdftotext windows install instructions (partial revert #1515) by @terriko in #1550
• doc: add info on syncing to origin/main and rebasing by @terriko in #1540
• test(available-fix): mock cve data by @BreadGenie in #1513
• CI: Add bandit to pre-commit (fixes #1110) by @terriko in #1523
• doc: fix incorrect hyperlink (Fixes #1553) by @anthonyharrison in #1554
• ci: split CI into separate files by @Molkree in #1552
• feat: improve locality of defaults (#1352) by @XDRAGON2002 in #1560
• doc: Add details on language specific checking (Fixes #1551) by @anthonyharrison in #1561
• refactor: replace pkg_resources with importlib (#1521) by @XDRAGON2002 in #1542
• changed windows_tests timeout-minutes to 30 by @shoneriki in #1576
• refactor: migrate from urllib to requests by @BreadGenie in #1569
• feat: Add support for Javascript package scanning (Fixes #1453) by @anthonyharrison in #1548
• New checker: gnome librsvg by @yashugarg in #1533
• refactor: add type hints in util.py by @rhythmrx9 in #1572
• ci(pre-commit): add gitlint by @BreadGenie in #1573
• feat: added libseccomp checker by @yashugarg in #1556
• ci: run bandit on test code by @rhythmrx9 in #1579
• feat(checker): libebml checker by @rhythmrx9 in #1559
• feat(checker): libsolv checker by @rhythmrx9 in #1562
• ci: switch format_checker to run in ci by @rhythmrx9 in #1593
• fix: asyncio warnings (#1558) by @XDRAGON2002 in #1592
• fix: windows helper script test (#1264) by @XDRAGON2002 in #1594
• refactor: add type hints in version_scanner.py by @rhythmrx9 in #1581
• chore: update pre-commit config by @github-actions in #1566
• refactor: add type hints in strings.py and file.py by @rhythmrx9 in #1565
• feat: find common strings in CONTAINS_PATTERNS from helper_scripts.py by @rhythmrx9 in #1586
• feat: retry if NVD API Key is invalid by @terriko in #1574
• ci: run gitlint on PR title by @rhythmrx9 in #1597
• fix: entry point error (#1323) by @XDRAGON2002 in #1601
• fix: python 3.10 DeprecationWarnings by @rhythmrx9 in #1605
• test: disable test_01_nist_scrape in test_cvedb.py by @rhythmrx9 in #1609
• fix: add dynamic version to egg_updater.py by @BenL-github in #1606
• fix: mark cli.py as non-executable (fixes #1590) by @xiongnemo in #1610
• feat: Modified format_checkers to add checker name to dictionary allow by @yashugarg in #1571
• doc: typo and formatting fixes by @Alienmaster in #1619
• ci: upgrade black (fixes #1621) by @terriko in #1622
• fix: Sphinx update #1613 by @Alienmaster in #1620
• doc: improved finndability for issue (#1611) by @MohitOhlyan in #1612
• fix: add explicit setuptools package config by @terriko in #1625
• doc: improve limitations section (#1496) by @XDRAGON2002 in #1604
• feat: add support for VEX (Fixes #1570) by @anthonyharrison in #1583
• feat: extractor support for .pkg and .zst packages by @yashugarg in #1580
• feat: Add XML schema validation (Fixes #1507) by @anthonyharrison in #1544
• fix: Remove reportlab from default install by @terriko in #1626
• fix: add None checks to run_java_checker by @terriko in #1630
• docs: add link to offline guide, rearrange order by @terriko in #1633
• test: add test for null byte in filename by @terriko in #1635
• fix: fix egg_updater for installed packages by @terriko in #1638
• fix: Default to UNKNOWN in java version checker by @terriko in #1637
• feat: Bump version to 3.1 for release by @terriko in #1640
• fix: add excel macro filter for csv output by @terriko in #1634

Full Changelog: v3.0...v3.1