Terri Oda
@terriko
yeah, just running some tests
3.1rc3 here we come. ;)
Robert Geislinger
@Alienmaster
@terriko Question to #1637: Couldn't you just set L230 to "UNKNOWN"? Or is your solution better for readability? Your comment with "else" at first triggered my reflex to search for an "else" clause ;)
Terri Oda
@terriko
yeah, that would work, though then you'd have to change the if clauses below. Kind of a wash for usability.
maybe slightly faster to leave as is because none checks are faster than string compares?
And yes, language is stupid. No else clause, and I probably could have "if we still can't find a version, set to UNKNOWN"
Robert Geislinger
@Alienmaster

And yes, language is stupid. No else clause, and I probably could have "if we still can't find a version, set to UNKNOWN"

That sounds good to me :)

maybe slightly faster to leave as is because none checks are faster than string compares?

Guess you are right

XDRAGON2002
@XDRAGON2002

maybe slightly faster to leave as is because none checks are faster than string compares?

Yea, no overheads for checking the value.

Terri Oda
@terriko
Anyhow, my stomach is rumbling so I'm gonna go eat some lunch. But https://pypi.org/project/cve-bin-tool/3.1rc3/ is up if anyone else wants to test it.
I'm debating if maybe we shouldn't make "no pdf output available, default to console" happen because it means people will miss the error message telling you how to enable pdf
but... we're getting close?
Terri Oda
@terriko
Okay, I've set up https://github.com/intel/cve-bin-tool/tree/3.1 which should contain everything that will be in the 3.1 release, assuming no changes required as the code review for the remaining patches gets done.
I'm going to go ahead and kick off some final code scans and stuff.
Gaurav S
@gaurav879
@terriko I have submitted my proposal on "Add new datasources for vulnerabilities" kindly review it at your convenience.
rhythmrx9
@rhythmrx9
Submitted my GSOC proposal, any feedback is appreciated, Thanks.
Gaurav S
@gaurav879
@terriko, did you get a chance to take a look at my proposal? I have also updated my PR; kindly have a look at that as well, as and when you get the time.
Terri Oda
@terriko
CVE Binary Tool 3.1 is now released: https://pypi.org/project/cve-bin-tool/
1 reply
Terri Oda
@terriko
Augh, I was so excited about finally finishing my internal checklist that I apparently uploaded the wrong package. Since PyPI doesn't allow replacing a release, I'll be uploading 3.1.1 shortly.
Terri Oda
@terriko
Anyone who had PRs open that were waiting for post 3.1: I've merged all the mergeable ones (except my own, which still needs review) and left comments on a number. Some of the older ones wound up with merge conflicts and I think I left a comment on each that needed a manual update.
If anyone wants to review mine, it's here: intel/cve-bin-tool#1628 I don't think GitHub will let you actually approve it, but if you can put a comment saying it looks ok or recommending changes, I'll treat it as if it were a review.
Terri Oda
@terriko
Reminder: our "last wednesday of the month" CVE Binary Tool meeting is tomorrow 9-9:30am US Pacific.
Google meet link: https://meet.google.com/msm-airt-bwp?hs=224
Time conversion link: https://www.timeanddate.com/worldclock/fixedtime.html?msg=CVE+Binary+Tool+April+Meeting&iso=20220427T09&p1=202&am=30
The meeting is open to anyone who's interested. DM me here with your gmail address if you want to be added to the google calendar invite (that lets you join the meeting without being approved, not needed if you don't mind waiting a few seconds to join)
b31ngd3v
@b31ngd3v:matrix.org
[m]
is it normal? or have i done something wrong? i just cloned the repo and then ran the tests
Terri Oda
@terriko
@b31ngd3v:matrix.org the cabextract one is pretty normal -- if you want to run those tests, you'll need to install cabextract. If you don't want to install it, you can ignore the related failure.
@b31ngd3v:matrix.org The warnings can also be normal depending on your version of python. Because we support 3.7-3.10 some things give deprecation warnings.
The FileNotFound errors are concerning, though. Make sure that those files exist on your system, and make sure you're running pytest in the correct location so it can find them. (The correct location here is in the main cve-bin-tool directory, not inside test/ or cve_bin_tool/)
Terri Oda
@terriko
If you want to check the warnings or any other error message against what "should" be happening, our CI is all visible through GitHub Actions:
Terri Oda
@terriko
We got a random code approval from a user I didn't recognize. Does anyone know who that is? Seems like spam to me. intel/cve-bin-tool#1650
Terri Oda
@terriko
To be clear: normally I'm happy to have anyone provide a code review and an approval. Please do feel free to review any open PR.
But a code review from someone with incredibly low activity on github who's never been involved with cve-bin-tool before doesn't strike me as very useful.
XDRAGON2002
@XDRAGON2002
Hey folks!
At last my exams are over, so am gonna be active again (finally!)
intel/cve-bin-tool#1520 is on my top priority and only requires solving the merge conflicts so that should be finished up pretty soon.
intel/cve-bin-tool#1598 is a work in progress and that too will be completed soon.
intel/cve-bin-tool#1342 is what I would be working on next.
Moreover, I am also looking into intel/cve-bin-tool#1646 as well as intel/cve-bin-tool#1645.
I suppose this is what I would be working on the next week or two?
Terri Oda
@terriko
@XDRAGON2002 sounds great!
In case anyone's wondering, what I'm working on right now is fuzzing with Google Atheris, which is based around libFuzzer. Related PR: intel/cve-bin-tool#1661
Terri Oda
@terriko
I got it creating a few meaningful-looking crashes yesterday before I got pulled into another meeting so today my plan involves figuring out how to deploy it on one of our internal cloud systems so it can run for a while. I expect today to be mostly "making scripts so I can deploy more quickly next time" and "learning how to use the infrastructure available to me" but expect crashes sometime soon too.
Terri Oda
@terriko
Fuzzing update: I've merged my work in progress and if you want to play with it, it's all in the fuzz/ directory and has a readme: https://github.com/intel/cve-bin-tool/tree/main/fuzz
It's very early work and probably won't find much of use in its current form, but if anyone wants to have a go at fuzzing individual functions or hooking it up to fuzz something more interesting than the command line arguments, you might be able to yield some interesting results. I probably won't be looking at it again 'till Tuesday.
Gaurav S
@gaurav879

@terriko Regarding issue intel/cve-bin-tool#1312, I've created a PR (intel/cve-bin-tool#1665) to solve the problem. I'm having some difficulty passing the GitHub tests. What's going on is that GitHub is installing requirements from requirements.txt, but because we moved the pytest requirement to dev-requirements.txt, it can't install the pytest packages.

I believe we can fix this by changing the CI workflow and including a step to install packages from dev-requirements.txt as well. Kindly help me.

1 reply
Pramurta Sinha
@b31ngd3v:matrix.org
[m]
hi, i'm having some problem with one test, (pytest test/test_nvd_api.py::TestNVD_API::test_nvd_incremental_update).
2 replies
Terri Oda
@terriko
Hey all, I've been sick and am still catching up. I see there's some build failures in all recent PRs, I'm guessing due to the nvd test above. I'm hoping to get some time to debug this afternoon.
1 reply
Pramurta Sinha
@b31ngd3v:matrix.org
[m]
Terri Oda
@terriko
@b31ngd3v:matrix.org thanks! I'm letting it re-run the failed tests, although they look maybe like they were rate-limiting related. We really need to get the nvd key working properly in Actions
XDRAGON2002
@XDRAGON2002
I was ill for the past few days and just looked through my mails right now, thanks to the mentors for providing me with this opportunity! As well as kudos to my fellow GSoCers as well!
rhythmrx9
@rhythmrx9
Congratulations @XDRAGON2002 and @yashugarg, hope to learn a lot from this. Thanks to the mentors for giving me this opportunity.
peb
@peb-peb
Congratulations @XDRAGON2002 @rhythmrx9 and @yashugarg !!! 🥳
Pramurta Sinha
@b31ngd3v:matrix.org
[m]
congratulations guys @XDRAGON2002 @rhythmrx9 @yashugarg
Yashu Garg
@yashugarg
Thank you everyone!
Really excited for the event! Special thanks to the mentors for this opportunity!!
Congratulations @XDRAGON2002 and @rhythmrx9
Bread Genie
@BreadGenie
congrats 🎉