Terri Oda
@terriko
intel/cve-bin-tool#1008 should fix CI for everyone.
If anyone's got a chance to code review it for me, I'd appreciate a second set of eyes before it gets merged.
chaitanyamogal
@chaitanyamogal
Can someone please help me get started with cve-bin-tool. I have made some documentation contributions to it. I also installed it, but the problem is that I don't know how to run it or which file to run it on. I read all the docs regarding it, but I'm still facing a problem. I want to do some code contributions to cve-bin-tool, but I am not able to use it. (I'm using Windows 10)
So I request you to help me. If possible, please provide a video explanation.
Terri Oda
@terriko
You run it on "any file you want to know about" -- probably on Windows the most interesting would be to try it on C:\Program Files\ (or a part of that if the whole thing is too big)
Terri Oda
@terriko
If you want to know exactly what the results should be, you can download a package where you know the contents and see how that works. Usually we use Linux software packages for this. There's lots of ways to download those, but if you're overwhelmed, here's the link for CentOS: http://mirror.centos.org/centos/7/os/x86_64/Packages/ That's a list of packages you can download directly. Try searching for "openssl" and grabbing a few packages, and seeing which ones get detected.
Once you get that working, take a look at some of the tests and see if you can get those packages and try them out. That'll help you understand how our tests work.
Terri Oda
@terriko
If you like videos, I don't think they ever put up my BSidesPDX one, which would have been more up to date, but there is the one from PyCon US (the first one linked here: https://pyvideo.org/speaker/terri-oda.html )
Oh, I'm wrong. The BSidesPDX stream is up: https://bsidespdx.org/watch
My talk is a bit after the 3:15 mark.
Terri Oda
@terriko
@chaitanyamogal That was all kind of long, but the more step-by-step answer for "how do I run it" is...
  1. Open a command prompt.
  2. Use pip to install it: pip install cve-bin-tool
     (That's assuming you've got Python working as expected -- if it fails, you'll need to get Python set up and in your PATH.)
  3. Run it using cve-bin-tool (that should give you the help text, and if it doesn't, again, you'll need to fix your Python environment, likely the PATH settings).
  4. Run it against a directory or file. cve-bin-tool "C:\Program Files" will run it on most of the programs on your system, so that will be slow but probably interesting. Running it on your Downloads directory if you've grabbed a few Linux RPMs might be shorter but also interesting.
chaitanyamogal
@chaitanyamogal
[attached screenshot: Screenshot (13).png]
[attached screenshot: Screenshot (14).png]
It's not moving forward from this. I'm using a decent internet connection.
chaitanyamogal
@chaitanyamogal
It shows ClientPayloadError: Response payload is not completed
Terri Oda
@terriko
That means the file didn't download. Did you run out of space, maybe?
Pulkit Mishra
@PulkitMishra
Hey, why is it that even after intel/cve-bin-tool#1015 the long tests are still failing?
Or am I missing something?
Pulkit Mishra
@PulkitMishra
For example, on running LONG_TESTS=1 pytest -k bash
I get

FAILED test/test_scanner.py::TestScanner::test_version_in_package[https://kojipkgs.fedoraproject.org/packages/bash/4.0/1.fc11/x86_64/-bash-4.0-1.fc11.x86_64.rpm-bash-4.0.0] - FileExistsEr...
FAILED test/test_scanner.py::TestScanner::test_version_in_package[http://www.rpmfind.net/linux/openmandriva/cooker/repository/x86_64/main/release/-bash-5.1.0-1-omv4002.x86_64.rpm-bash-5.1.0]
Pulkit Mishra
@PulkitMishra
Similarly, on running LONG_TESTS=1 pytest -k curl
I get

FAILED test/test_scanner.py::TestScanner::test_version_in_package[http://www.rpmfind.net/linux/fedora/linux/development/rawhide/Everything/aarch64/os/Packages/c/-curl-7.74.0-2.fc34.aarch64.rpm-curl-7.74.0]
Terri Oda
@terriko
@PulkitMishra The build broke this morning, so I'm guessing yes, there are still some tests failing (or possibly a few new ones). Fixes welcome!
chaitanyamogal
@chaitanyamogal
[attached screenshot: Capture.PNG]
Hey @terriko, it's not moving forward from this... please help.
shioko
@ichisadashioko
@chaitanyamogal Did you install 7z?

Windows has ar and Expand installed by default, but 7z in particular might need to be installed. If you want to run our test suite or scan a zstd-compressed file, we recommend installing the 7-Zip-zstd fork of 7-Zip. We are currently using 7z for extracting jar, apk, msi, exe and rpm files.
shioko
@ichisadashioko
Type 7z in the terminal to see whether it shows up or not. If not, you will need to add it to PATH.
They do tell us to install this 7z: https://github.com/mcmilk/7-Zip-zstd so you can try it if that still fails.
chaitanyamogal
@chaitanyamogal
[attached screenshot: worked.PNG]
chaitanyamogal
@chaitanyamogal
Finally, it worked. I'm really happy and thankful to those who helped me set up the tool. I was struggling a bit at first, but eventually I figured it out. Hoping to contribute some good PRs. Thanks, @terriko and @ichisadashioko, for your time.
chaitanyamogal
@chaitanyamogal
As mentioned in the docs, how do I do this on Windows?

A few ways to do it:

The CVE Binary Tool basically works by running the command line utility strings on a file, so if you have a local copy of the library, you can run strings $libraryname and see what comes out. Try strings $libraryname | grep $version and see what you find, and if you don't find it that way, strings $libraryname | less and page through (maybe run a filter in there so it's only strings over a certain size?)

If you don't have a copy, browse through the source to find the version string. It's usually helpfully named something like 'version', so a quick grep/search will often turn it up, and if you know the latest version number (usually proudly mentioned in the latest news post or similar) you can grep for that and then look at the history to see what valid patterns look like.

I have installed strings on Windows, but these commands are not working.
Terri Oda
@terriko
@chaitanyamogal The pipe command | is sending the results of strings into different commands that you may not have installed (grep and less).
@chaitanyamogal They're both part of "git bash", so if you have that installed (and you probably should for pull requests) then open up the git bash console and try there. (git bash doesn't have strings installed, but if you already installed it then it may work correctly.)
@chaitanyamogal Alternatively, you might find it easier to set up a Linux VM and work in there. The core devs all work in Linux, so it'll be a lot less work for you long-term to have the same setup.
Terri Oda
@terriko
I haven't really tried it on Ubuntu for Windows / Windows Subsystem for Linux (WSL), but it should work. Cygwin did work last time I checked.
You could also use VirtualBox or VMware Player or similar.
chaitanyamogal
@chaitanyamogal
As mentioned in the docs, LONG_TESTS=1 pytest test/test_scanner.py test/test_checkers.py shows the following error:
[attached screenshot: LongTestError.PNG]
John Andersen
@pdxjohnny
@chaitanyamogal You need to set the LONG_TESTS environment variable to 1: https://www.tutorialspoint.com/how-to-set-environment-variables-using-powershell
chaitanyamogal
@chaitanyamogal
@pdxjohnny I set the environment variable LONG_TESTS = 1, but it still shows the same error.
John Andersen
@pdxjohnny
@chaitanyamogal If you set the environment variable then you'll no longer have to prefix the command with LONG_TESTS=1
chaitanyamogal
@chaitanyamogal
OK @pdxjohnny, can you please review my commit to the PR related to the openjpeg checker?
Sahil
@imsahil007
[attached screenshot: image.png]
Is it just me, or did something break? I cannot see any checkers while running the tool.
John Andersen
@pdxjohnny
@imsahil007 Have you run the install? pip install --force-reinstall -e .
@chaitanyamogal Sorry, I saw that, I haven't had time to respond yet. Essentially you need to write a get_version() method for the checker class you created that will return the version number of the library. How you implement it is up to you. I suggest checking to see if the library name is in the lines passed to the method and then looking for the @1.5.1 or whatever. Maybe maintain a list of versions that it might be; maybe we can cross-check with the CVE database to dump all the version numbers that are vulnerable, not sure. Start with the first part, then maybe move on to the list of known versions.
chaitanyamogal
@chaitanyamogal
As I updated the VERSION_PATTERN, the test for the new checker Openjpeg is now failing due to a URL change in the Samba checker here. I updated the Samba checker URL in the Libevent checker PR intel/cve-bin-tool#1027. Please review it.