3.1rc3 here we come. ;)
@terriko Question to #1637: Couldn't you just set L230 to "UNKNOWN"? Or is your solution better for readability? Your comment with "else" triggered at first my reflex to search for a "else" clause ;)
maybe slightly faster to leave as is because none checks are faster than string compares?
And yes, language is stupid. No else clause, and I probably could have "if we still can't find a version, set to UNKNOWN"
maybe slightly faster to leave as is because none checks are faster than string compares?
Guess you are right
Anyhow, my stomach is rumbling so I'm gonna go eat some lunch. But https://pypi.org/project/cve-bin-tool/3.1rc3/ is up if anyone else wants to test it.
I'm debating if maybe we shouldn't make "no pdf output available, default to console" happen because it means people will miss the error message telling you how to enable pdf
but... we're getting close?
Okay, I've set up https://github.com/intel/cve-bin-tool/tree/3.1 which should contain everything that will be in the 3.1 release, assuming no changes required as the code review for the remaining patches gets done.
I'm going to go ahead and kick off some final code scans and stuff.
Release notes here: https://github.com/intel/cve-bin-tool/releases/tag/v3.1
Anyone who had PRs open that were waiting for post 3.1: I've merged all the mergeable ones (except my own, which still needs review) and left comments on a number. Some of the older ones wound up with merge conflicts and I think I left a comment on each that needed a manual update.
If anyone wants to review mine, it's here: intel/cve-bin-tool#1628 I don't think github will let you actually approve it, but if you can put a comment saying it looks ok or recommending changes, I'll treat it as is if were a review.
Reminder: our "last wednesday of the month" CVE Binary Tool meeting is tomorrow 9-9:30am US Pacific.
Google meet link: https://meet.google.com/msm-airt-bwp?hs=224
Time conversion link: https://www.timeanddate.com/worldclock/fixedtime.html?msg=CVE+Binary+Tool+April+Meeting&iso=20220427T09&p1=202&am=30
The meeting is open to anyone who's interested. DM me here with your gmail address if you want to be added to the google calendar invite (that lets you join the meeting without being approved, not needed if you don't mind waiting a few seconds to join)
Google meet link: https://meet.google.com/msm-airt-bwp?hs=224
Time conversion link: https://www.timeanddate.com/worldclock/fixedtime.html?msg=CVE+Binary+Tool+April+Meeting&iso=20220427T09&p1=202&am=30
The meeting is open to anyone who's interested. DM me here with your gmail address if you want to be added to the google calendar invite (that lets you join the meeting without being approved, not needed if you don't mind waiting a few seconds to join)
is it normal? or have i done something wrong? i just cloned the repo and then ran the tests
@b31ngd3v:matrix.org The warnings can also be normal depending on your version of python. Because we support 3.7-3.10 some things give deprecation warnings.
The FileNotFound errors are concerning, though. Make sure that those files exist on your system, and make sure you're running
pytest in the correct location so it can find them. (The correct location here is in the main cve-bin-tool directory, not inside test/ or cve_bin_tool/)
Here's the link for the latest run on main: https://github.com/intel/cve-bin-tool/runs/6184224807?check_suite_focus=true
We got a random code approval from a user I didn't recognize. Does anyone know who that is? Seems like spam to me. intel/cve-bin-tool#1650
To be clear: normally I'm happy to have anyone provide a code review and an approval. Please do feel free to review any open PR.
But a code review from someone with incredibly low activity on github who's never been involved with cve-bin-tool before doesn't strike me as very useful.
But a code review from someone with incredibly low activity on github who's never been involved with cve-bin-tool before doesn't strike me as very useful.
Hey folks!
At last my exams are over, so am gonna be active again (finally!)
intel/cve-bin-tool#1520 is on my top priority and only requires solving the merge conflicts so that should be finished up pretty soon.
intel/cve-bin-tool#1598 is a work in progress and that too will be completed soon.
intel/cve-bin-tool#1342 is what I would be working on next.
Moreover, I am also looking into intel/cve-bin-tool#1646 as well as intel/cve-bin-tool#1645.
I suppose this is what I would be working on the next week or two?
At last my exams are over, so am gonna be active again (finally!)
intel/cve-bin-tool#1520 is on my top priority and only requires solving the merge conflicts so that should be finished up pretty soon.
intel/cve-bin-tool#1598 is a work in progress and that too will be completed soon.
intel/cve-bin-tool#1342 is what I would be working on next.
Moreover, I am also looking into intel/cve-bin-tool#1646 as well as intel/cve-bin-tool#1645.
I suppose this is what I would be working on the next week or two?
In case anyone's wondering, what i'm working on right now is fuzzing with Google Atheris, which is based around libfuzzer. Related PR: intel/cve-bin-tool#1661
I got it creating a few meaningful-looking crashes yesterday before I got pulled into another meeting so today my plan involves figuring out how to deploy it on one of our internal cloud systems so it can run for a while. I expect today to be mostly "making scripts so I can deploy more quickly next time" and "learning how to use the infrastructure available to me" but expect crashes sometime soon too.
Fuzzing update: I've merged my work in progress and if you want to play with it, it's all in the
fuzz/ directory and has a readme: https://github.com/intel/cve-bin-tool/tree/main/fuzz
It's very early work and probably won't find much of use in its current form, but if anyone wants to have a go at fuzzing individual functions or hooking it up to fuzz something more interesting than the command line arguments, you might be able to yield some interesting results. I probably won't be looking at it again 'till Tuesday.
@terriko Regarding issue intel/cve-bin-tool#1312, I've created a PR(intel/cve-bin-tool#1665) to solve the problem. I'm having some difficulty passing the github tests. What's going on is that github is installing requirements from requirements.txt, but because we moved the pytest requirement to dev-requirements.txt, it can't install the pytest packages.
I believe we can fix this by changing the CI workflow and include a step to install packages from dev-requirements.txt as well. Kindly help me.
1 reply
hi, i'm having some problem with one test, (pytest test/test_nvd_api.py::TestNVD_API::test_nvd_incremental_update).
2 replies
terriko on atheris
docs: add more setup info (compare)
terriko on atheris
docs: Add fuzzing-related words… (compare)
terriko on atheris
docs: include atheris install s… (compare)
terriko on atheris
docs: add simple fuzzing readme… (compare)
terriko on atheris
fix: typo fix + version bump (#… fix: check return on re.search … chore: update pre-commit config… and 7 more (compare)
github-actions[bot] on chore-precommit-config
chore: update pre-commit config (compare)
terriko on 3.1.1
fix: fix egg_updater for instll… fix: Default to UNKNOWN in java… feat: Bump version to 3.1 for r… and 2 more (compare)
terriko on versionnull
fix: typo (compare)
terriko on versionnull
fix: Improve comment clarity (compare)
terriko on versionbump
feat: Bump version to 3.1 for r… (compare)
terriko on eggupdate
test: add test for null byte in… fix: fix egg_updater for instll… (compare)
terriko on versionnull
fix: Default to UNKNOWN in java… (compare)
terriko on nullbyte
fix: No error code needed in 3.… (compare)
terriko on nullbyte
fix: add special case for 3.7 V… (compare)