terriko on master
Replace stale bash & nss tests … Docs: info on where to start fo… (compare)
terriko on starthere
Replace stale bash & nss tests … Docs: info on where to start fo… (compare)
terriko on fix_bash
Replace stale nss test from rpm… (compare)
terriko on master
Fixed Table in --input-file sec… 2.0 Release notes (#966) * Upd… Improve new contributor documen… and 16 more (compare)
terriko on expat_6
terriko on readme_black
terriko on black_integration
terriko on systemd_131
terriko on kerberos_128
terriko on remove3.3
terriko on sqlite_rpm
terriko on compiler_pypi
terriko on 2.1prep
terriko on test_update
terriko on centos6_testupdate
terriko on fix_bash
Replace stale bash test from rp… (compare)
terriko on test_update
remove failing rpmfind test fro… (compare)
terriko on test_update
Specify black version in pre-co… update 404 binary urls for long… merge master (compare)
terriko on test_update
added checker libxslt reformatted the code using black added libxslt in init.py and 5 more (compare)
terriko on centos6_testupdate
Remove distro-specific rules (compare)
pip install cve-bin-tool
cve-bin-tool
(that should give you the help text, and if it doesn't, again, you'll need to fix your python environment, likely the PATH settings)
cve-bin-tool "C:\Program Files"
will run it on most of the programs on your system, so that will be slow but probably interesting. Running it on your downloads directory if you've grabbed a few Linux rpms might be shorter but also interesting.
for example on running LONG_TESTS=1 pytest -k bash I get
FAILED test/test_scanner.py::TestScanner::test_version_in_package[https://kojipkgs.fedoraproject.org/packages/bash/4.0/1.fc11/x86_64/-bash-4.0-1.fc11.x86_64.rpm-bash-4.0.0] - FileExistsEr...
FAILED test/test_scanner.py::TestScanner::test_version_in_package[http://www.rpmfind.net/linux/openmandriva/cooker/repository/x86_64/main/release/-bash-5.1.0-1-omv4002.x86_64.rpm-bash-5.1.0]
similarly on running LONG_TESTS=1 pytest -k curl I get
FAILED test/test_scanner.py::TestScanner::test_version_in_package[http://www.rpmfind.net/linux/fedora/linux/development/rawhide/Everything/aarch64/os/Packages/c/-curl-7.74.0-2.fc34.aarch64.rpm-curl-7.74.0]
@chaitanyamogal Did you install 7z?
Windows has ar and Expand installed by default, but 7z in particular might need to be installed. If you want to run our test suite or scan a zstd-compressed file, we recommend installing this 7-Zip-zstd fork of 7-Zip. We are currently using 7z for extracting jar, apk, msi, exe and rpm files.
7z - https://github.com/mcmilk/7-Zip-zstd so you can try it if that still fails
A few ways to do it:
The CVE Binary tool basically works by running the command line utility strings on a file, so if you have a local copy of the library, you can run strings $libraryname and see what comes out. Try strings $libraryname | grep $version and see what you find, and if you don't find it that way, strings $libraryname | less and page through (maybe run a filter in there so it's only strings over a certain size?)
If you don't have a copy, browse through the source to find the version string. It's usually helpfully named something like 'version' so a quick grep/search often will turn it up, and if you know the latest version number (usually proudly mentioned in the latest news post or similar) you can grep for that and then look at the history to see what valid patterns look like.
strings on Windows, but these commands are not working.
LONG_TESTS environment variable to 1: https://www.tutorialspoint.com/how-to-set-environment-variables-using-powershell
get_version() method for the checker class you created that will return the version number of the library. How you implement it is up to you. I suggest checking to see if the library name is in the lines passed to the method and then looking for the @1.5.1 or whatever. Maybe maintain a list of versions that it might be; maybe we can cross-check with the CVE database to dump all the version numbers that are vulnerable, not sure. Start with the first part, then maybe move on to the list of known versions.
VERSION_PATTERN
Now the test for the new checker Openjpeg is failing due to a URL change in the Samba checker here. I updated the Samba checker URL in the Libevent checker PR intel/cve-bin-tool#1027. Please review it.