Terri Oda
@terriko
I think our repo is correctly marked with the hacktoberfest label so anything should show up when the database refreshes, but do let me know if you need a hacktoberfest-accepted label on a PR because it's not showing up.
Terri Oda
@terriko
I took a first pass at an architecture diagram (I'm training some new folk and using CVE Binary Tool as an example project). It's kind of ugly but I'd love feedback on contents or layout or whatever.
CVE Binary Tool Architecture
Related pull request: intel/cve-bin-tool#1393
Terri Oda
@terriko
It was done in inkscape if anyone's in the mood to play around with it. You can grab the SVG out of the pull request.
Siddharth Balyan
@alt-glitch

@alt-glitch have fun! You might want to comment directly in the issue saying you're working on it when you start so anyone else poking around knows. (I'm guessing most hacktoberfest participants aren't digging around for gitter chat info until they get stuck)

Thanks! Will do.

John Andersen
@pdxjohnny
I saw this recently for architecture diagrams: https://c4model.com
I've been using mermaid but it isn't as fully featured as inkscape: https://mermaid-js.github.io/mermaid-live-editor/
@terriko I love it!
I think it very nicely describes the architecture
Siddharth Balyan
@alt-glitch
@terriko do you need me to explain the gh_action file in the how-to guide (#1359) extensively or should I just gloss over what it does?
Terri Oda
@terriko
@alt-glitch I'm sure someone would appreciate more explanation, but first pass can just be a minimal "here's an example file for you to use in github actions" and then the file, preferably with nice syntax highlighting to make it easier for people to read as part of the docs, and a link to the raw file for them to include in their own repos if they want.
Terri Oda
@terriko
@anthonyharrison BTW, I did an initial bandit scan and it came up with a bunch of stuff from your latest PR. The hardest to fix is that it dislikes the xml parser because it's vulnerable to some denial of service style attacks. Probably not a huge risk in our current workflow because users supplying the sboms can only inconvenience themselves, but it would be an issue if someone used us to run an sbom-checking service, which seems like a possible future thing? I'll file an issue about it and we can see if the recommended alternative is viable.
Siddharth Balyan
@alt-glitch
Mentors, I was thinking about the usage of this tool as-a-service. How would this work exactly?
Would people upload their binaries to a portal for the tool to scan?
Or would we have a small client that would merely scan the system and send the info to a larger server that has the NVD Database etc and send back the CVE reports?
Terri Oda
@terriko
I think normal use right now is "cve-bin-tool is running on your CI service, which does the scanning and sends back reports in some way"
So there's some questions about how to make that easier to do and deploy. Like, what would it take if cve-bin-tool was run like dependabot runs in github?
Terri Oda
@terriko
Running a web service where people upload binaries would also be an interesting idea, but be warned that there's basically no chance that I'd be able to support that as part of the cve-bin-tool release or as a gsoc project. Basically, running a web service changes our threat model enough that I'd need more validation resources to meet our security compliance requirements.
That doesn't mean we can't talk about it or it isn't worth brainstorming about, just I will not be able to run that service and I probably can't even maintain code that included the server. But we probably could design in ways that make dropping it into a service easier -- change flags, improve output, etc. It's a weird line, I know.
Siddharth Balyan
@alt-glitch

"cve-bin-tool is running on your CI service, which does the scanning and sends back reports in some way"

I take it this is the most extensive use case for cve-bin-tool then? I'm curious as to other ways we can offer this tool as a service if a web portal is out of question (of being part of cve-bin-tool release)

Dmitry Volodin
@Molkree
@terriko, any feedback on this?
intel/cve-bin-tool#1309
Terri Oda
@terriko
@Molkree left a comment. I'd just move the cve scanning into its own thing. Rest sounds like good improvements to me.
sorry I missed it; it's been a chaotic couple of weeks for me.
anthonyharrison
@anthonyharrison
@terriko Looks like the CI is broken with the tests all failing after 20 minutes. Maybe we have been adding too many tests :-) which makes the current 20 minute timeout insufficient.
@terriko Is there a catchup meeting on the status of Release 3.0 scheduled?
Terri Oda
@terriko
@anthonyharrison I've got a PR open to see if doubling the limits will do the trick to get us unstuck: intel/cve-bin-tool#1418
I'm wondering if it's the nvd change that's making us slower but I haven't gone to dig yet and see where the slowdown is.
no catchup meeting scheduled yet. I was going to do that today but I'm wondering if I should postpone so it hits closer to release time? but maybe it'd be good to just talk through the open PRs for hacktoberfest even if we're not as close to release as I'd been hoping.
Terri Oda
@terriko
Okay, it doesn't look like the nvd change made the tests slow. Up until a few days ago, they were still taking 3 minutes for short tests.
Terri Oda
@terriko
@Molkree already pointed out that they're all failing on TestSignature. I'd assumed that was just because that's where you get in 20 minutes, but maybe there's something wrong with that particular test in CI.
I've got to do some other stuff (hence the lazy "up the limits and see if it passes or it fails in the same spot") but I'll be back to actually debug this better once those tests are done trying to run on intel/cve-bin-tool#1418
Dmitry Volodin
@Molkree
nope, getting to the TestSignature test takes around 20 seconds and it just gets stuck at that point
also bumping the timeout limit didn't help 🤔
Dmitry Volodin
@Molkree

@Molkree already pointed out that they're all failing on TestSignature. I'd assumed that was just because that's where you get in 20 minutes, but maybe there's something wrong with that particular test in CI.

also want to reiterate that it's not just a CI issue, I can recreate it locally as well

Terri Oda
@terriko
@Molkree Yeah, sorry, I think you said that but I was multitasking too much and didn't process it.
I'm not sure at a glance how TestSignature could cause a timeout, but I guess I'll go ahead and disable the test and open an issue.
Dmitry Volodin
@Molkree
debugged a bit more and I think the real culprit is the test/test_nvd_api.py::TestNVD_API::test_get_nvd_params
Terri Oda
@terriko
That definitely seems more likely to get stuck on a timeout.
Dmitry Volodin
@Molkree

I'm not sure at a glance how TestSignature could cause a timeout, but I guess I'll go ahead and disable the test and open an issue.

yeah, it's probably the last file passing, printout is a bit misleading because there was no PASSED for this one but locally I saw it passing once

and also ignoring it still got me stuck at the same percentage so I figured it's something else right after this file

Dmitry Volodin
@Molkree
the only one passing in that file seems to be test_empty_nvd_result (at least locally for me)
Terri Oda
@terriko
ooookay. That's not good.
I'm seeing the same with test_get_nvd_params, haven't tried each test yet
I guess I'll go ahead and disable all the failing ones for now. Unless you want a hacktoberfest PR right now?
Terri Oda
@terriko
@Molkree all merged. You'll need to rebase your open PRs to get the tests to run correctly but they should be unstuck now.
Thanks so much for the debugging help!
Also, for everyone: CVE Binary Tool monthly meeting invites just went out. And it's actually a recurring calendar hit this time. I've shortened the meeting to 30 minutes because I don't think we have too much to talk about that we didn't cover two weeks ago.
If anyone wants an invite but didn't get one, send me a message here telling me the email you use for google services and I can get you added.
Terri Oda
@terriko
Also if anyone's able to, I could use an approval on intel/cve-bin-tool#1401 -- it's just a comment so bandit will quit warning me about that call to urlopen
Terri Oda
@terriko
CVE Binary Tool monthly meeting starting shortly. Google meet link: https://meet.google.com/msm-airt-bwp
Bread Genie
@BreadGenie
@terriko intel/cve-bin-tool#1425 is good to be merged now