Merge branch 'intel:main' into main

.github/actions/spelling/allow.txt

@@ -125,6 +125,7 @@ davfs
 dbus
 dearmor
 debian
+debianutils
 debuginfo
 devops
 dgst
@@ -138,6 +139,7 @@ dnsmasq
 docstring
 DOCTYPE
 domoticz
+dosfstools
 dovecot
 downloading
 doxygen
@@ -195,6 +197,7 @@ ftpd
 fuzzer
 g
 GAD
+gawk
 gcc
 gdal
 gdb
@@ -617,6 +620,7 @@ triaging
 trousers
 tss
 turbo
+twonky
 u
 ubuntu
 udisks

README.md

@@ -14,7 +14,7 @@ The CVE Binary Tool is a free, open source tool to help you find known vulnerabi
 
 The tool has two main modes of operation:
 
-1. A binary scanner which helps you determine which packages may have been included as part of a piece of software. There are <!-- NUMBER OF CHECKERS START-->326<!--NUMBER OF CHECKERS END--> checkers which focus on common, vulnerable open source components such as openssl, libpng, libxml2 and expat.
+1. A binary scanner which helps you determine which packages may have been included as part of a piece of software. There are <!-- NUMBER OF CHECKERS START-->330<!--NUMBER OF CHECKERS END--> checkers which focus on common, vulnerable open source components such as openssl, libpng, libxml2 and expat.
 2. Tools for scanning known component lists in various formats, including .csv, several linux distribution package lists, language specific package scanners and several Software Bill of Materials (SBOM) formats.
 
 It is intended to be used as part of your continuous integration system to enable regular vulnerability scanning and give you early warning of known issues in your supply chain.
@@ -440,54 +440,55 @@ The following checkers are available for finding components in binary files:
 
 <!--CHECKERS TABLE BEGIN-->
 |   |  |  | Available checkers |  |  |  |
-|--------------- |-------------- |------------------ |----------- |----------------- |------------- |------------ |
+|----------------- |------------- |------------------ |--------------- |---------------- |-------------- |------------ |
 | accountsservice |acpid |apache_http_server |apcupsd |apparmor |asn1c |assimp |
 | asterisk |atftp |avahi |axel |bash |bind |binutils |
 | bird |bison |bluez |boinc |botan |bro |bubblewrap |
 | busybox |bwm_ng |bzip2 |c_ares |capnproto |ceph |chess |
 | chrony |civetweb |clamav |collectd |commons_compress |connman |coreutils |
 | cpio |cronie |cryptsetup |cups |curl |cvs |darkhttpd |
-| dav1d |davfs2 |dbus |dhclient |dhcpcd |dhcpd |dmidecode |
-| dnsmasq |domoticz |dovecot |doxygen |dpkg |dropbear |e2fsprogs |
-| ed |elfutils |emacs |enscript |exim |exiv2 |f2fs_tools |
-| faad2 |fastd |ffmpeg |file |firefox |flac |fluidsynth |
-| freeradius |freerdp |fribidi |frr |gcc |gdal |gdb |
-| gdk_pixbuf |gimp |git |glib |glibc |gmp |gnomeshell |
-| gnupg |gnutls |gpgme |gpsd |graphicsmagick |grep |grub2 |
-| gstreamer |gupnp |gvfs |gzip |haproxy |harfbuzz |haserl |
-| hdf5 |hostapd |hunspell |hwloc |i2pd |icecast |icu |
-| iperf3 |ipmitool |ipsec_tools |iptables |irssi |iucode_tool |jack2 |
-| jacksondatabind |janus |jhead |json_c |kbd |keepalived |kerberos |
-| kexectools |kodi |kubernetes |ldns |lftp |libarchive |libass |
-| libbpg |libcoap |libconfuse |libcurl |libdb |libebml |libexpat |
-| libgcrypt |libgd |libgit2 |libical |libidn2 |libinput |libjpeg |
-| libjpeg_turbo |libksba |liblas |libmatroska |libmemcached |libmicrohttpd |libmodbus |
-| libnss |libpcap |libraw |librsvg |librsync |libsamplerate |libseccomp |
-| libsndfile |libsolv |libsoup |libsrtp |libssh |libssh2 |libtasn1 |
-| libtiff |libtomcrypt |libupnp |libvirt |libvncserver |libvorbis |libxslt |
-| lighttpd |linux_kernel |lldpd |logrotate |lua |luajit |lxc |
-| lynx |lz4 |mailx |mariadb |mdadm |memcached |minetest |
-| mini_httpd |minicom |minidlna |miniupnpc |miniupnpd |modsecurity |monit |
-| mosquitto |motion |mpg123 |mpv |msmtp |mtr |mupdf |
-| mutt |mysql |nano |nasm |nbd |ncurses |neon |
-| nessus |netatalk |netkit_ftp |netpbm |nettle |nghttp2 |nginx |
-| ngircd |nmap |node |ntfs_3g |ntp |ntpsec |open_iscsi |
-| open_vm_tools |openafs |opencv |openjpeg |openldap |opensc |openssh |
-| openssl |openswan |openvpn |p7zip |pango |patch |pcre |
-| pcre2 |pcsc_lite |perl |picocom |pigz |pixman |png |
-| polarssl_fedora |poppler |postgresql |ppp |privoxy |procps_ng |proftpd |
-| pspp |pure_ftpd |putty |python |qemu |qpdf |qt |
-| quagga |radare2 |radvd |raptor |rauc |rdesktop |readline |
-| rpm |rsync |rsyslog |rtl_433 |rtmpdump |runc |rust |
-| samba |sane_backends |sdl |seahorse |shadowsocks_libev |sngrep |snort |
-| sofia_sip |speex |spice |sqlite |squashfs |squid |sslh |
-| stellarium |strongswan |stunnel |subversion |sudo |suricata |sylpheed |
-| syslogng |sysstat |systemd |tcpdump |tcpreplay |terminology |thrift |
-| thttpd |thunderbird |timescaledb |tinyproxy |tor |tpm2_tss |transmission |
-| trousers |u_boot |udisks |unbound |unixodbc |upx |util_linux |
-| varnish |vim |vorbis_tools |vsftpd |webkitgtk |wget |wireshark |
-| wolfssl |wpa_supplicant |xerces |xml2 |xscreensaver |yasm |zabbix |
-| zeek |zlib |znc |zsh | | | |
+| dav1d |davfs2 |dbus |debianutils |dhclient |dhcpcd |dhcpd |
+| dmidecode |dnsmasq |domoticz |dosfstools |dovecot |doxygen |dpkg |
+| dropbear |e2fsprogs |ed |elfutils |emacs |enscript |exim |
+| exiv2 |f2fs_tools |faad2 |fastd |ffmpeg |file |firefox |
+| flac |fluidsynth |freeradius |freerdp |fribidi |frr |gawk |
+| gcc |gdal |gdb |gdk_pixbuf |gimp |git |glib |
+| glibc |gmp |gnomeshell |gnupg |gnutls |gpgme |gpsd |
+| graphicsmagick |grep |grub2 |gstreamer |gupnp |gvfs |gzip |
+| haproxy |harfbuzz |haserl |hdf5 |hostapd |hunspell |hwloc |
+| i2pd |icecast |icu |iperf3 |ipmitool |ipsec_tools |iptables |
+| irssi |iucode_tool |jack2 |jacksondatabind |janus |jhead |json_c |
+| kbd |keepalived |kerberos |kexectools |kodi |kubernetes |ldns |
+| lftp |libarchive |libass |libbpg |libcoap |libconfuse |libcurl |
+| libdb |libebml |libexpat |libgcrypt |libgd |libgit2 |libical |
+| libidn2 |libinput |libjpeg |libjpeg_turbo |libksba |liblas |libmatroska |
+| libmemcached |libmicrohttpd |libmodbus |libnss |libpcap |libraw |librsvg |
+| librsync |libsamplerate |libseccomp |libsndfile |libsolv |libsoup |libsrtp |
+| libssh |libssh2 |libtasn1 |libtiff |libtomcrypt |libupnp |libvirt |
+| libvncserver |libvorbis |libxslt |lighttpd |linux_kernel |lldpd |logrotate |
+| lua |luajit |lxc |lynx |lz4 |mailx |mariadb |
+| mdadm |memcached |minetest |mini_httpd |minicom |minidlna |miniupnpc |
+| miniupnpd |modsecurity |monit |mosquitto |motion |mpg123 |mpv |
+| msmtp |mtr |mupdf |mutt |mysql |nano |nasm |
+| nbd |ncurses |neon |nessus |netatalk |netkit_ftp |netpbm |
+| nettle |nghttp2 |nginx |ngircd |nmap |node |ntfs_3g |
+| ntp |ntpsec |open_iscsi |open_vm_tools |openafs |opencv |openjpeg |
+| openldap |opensc |openssh |openssl |openswan |openvpn |p7zip |
+| pango |patch |pcre |pcre2 |pcsc_lite |perl |picocom |
+| pigz |pixman |png |polarssl_fedora |poppler |postgresql |ppp |
+| privoxy |procps_ng |proftpd |pspp |pure_ftpd |putty |python |
+| qemu |qpdf |qt |quagga |radare2 |radvd |raptor |
+| rauc |rdesktop |readline |rpm |rsync |rsyslog |rtl_433 |
+| rtmpdump |runc |rust |samba |sane_backends |sdl |seahorse |
+| shadowsocks_libev |sngrep |snort |sofia_sip |speex |spice |sqlite |
+| squashfs |squid |sslh |stellarium |strongswan |stunnel |subversion |
+| sudo |suricata |sylpheed |syslogng |sysstat |systemd |tcpdump |
+| tcpreplay |terminology |thrift |thttpd |thunderbird |timescaledb |tinyproxy |
+| tor |tpm2_tss |transmission |trousers |twonky_server |u_boot |udisks |
+| unbound |unixodbc |upx |util_linux |varnish |vim |vorbis_tools |
+| vsftpd |webkitgtk |wget |wireshark |wolfssl |wpa_supplicant |xerces |
+| xml2 |xscreensaver |yasm |zabbix |zeek |zlib |znc |
+| zsh | | | | | | |
 <!--CHECKERS TABLE END-->
 
 All the checkers can be found in the checkers directory, as can the

cve_bin_tool/checkers/hostapd.py

@@ -18,7 +18,7 @@ class HostapdChecker(Checker):
     CONTAINS_PATTERNS: list[str] = []
     FILENAME_PATTERNS = [r"hostapd"]
     VERSION_PATTERNS = [
-        r"hostapd[_a-z]* v([0-9]+\.[0-9]+)",
+        r"\nhostapd[_a-z]* v([0-9]+\.[0-9]+)",
         r"([0-9]+\.[0-9]+)[a-z-]*\r?\nhostapd",
     ]
     VENDOR_PRODUCT = [("w1.fi", "hostapd")]

cve_bin_tool/checkers/samba.py

@@ -34,6 +34,6 @@ class SambaChecker(Checker):
     ]
     VERSION_PATTERNS = [
         r"SAMBA_([0-9]+\.[0-9]+\.[0-9]+)",
-        r"samba/([0-9]+\.[0-9]+\.[0-9]+)",
+        r"samba[/-]([0-9]+\.[0-9]+\.[0-9]+)",
     ]
     VENDOR_PRODUCT = [("samba", "samba")]

cve_bin_tool/log.py

@@ -7,14 +7,27 @@
 from rich.logging import RichHandler
 
 
-# A log filter to filter out logs based on filter level
-# Any log above and equal the specified level will not be logged
 class LevelFilter(logging.Filter):
+    """
+    Initialize the LevelFilter instance.
+    """
+
     def __init__(self, level):
         super().__init__()
         self.level = level
 
     def filter(self, record):
+        """
+        Filter out logs based on filter level
+
+        Args:
+            record (LogRecord): The log record to be filtered.
+
+        Returns:
+            bool: True if the log record's level is below the specified level,
+                  indicating that it should be processed and logged; False otherwise,
+                  indicating that it should be filtered out.
+        """
         return record.levelno < self.level
 
 

doc/MANUAL.md

@@ -179,54 +179,55 @@ which is useful if you're trying the latest code from
 
 <!--CHECKERS TABLE BEGIN-->
 |   |  |  | Available checkers |  |  |  |
-|--------------- |-------------- |------------------ |----------- |----------------- |------------- |------------ |
+|----------------- |------------- |------------------ |--------------- |---------------- |-------------- |------------ |
 | accountsservice |acpid |apache_http_server |apcupsd |apparmor |asn1c |assimp |
 | asterisk |atftp |avahi |axel |bash |bind |binutils |
 | bird |bison |bluez |boinc |botan |bro |bubblewrap |
 | busybox |bwm_ng |bzip2 |c_ares |capnproto |ceph |chess |
 | chrony |civetweb |clamav |collectd |commons_compress |connman |coreutils |
 | cpio |cronie |cryptsetup |cups |curl |cvs |darkhttpd |
-| dav1d |davfs2 |dbus |dhclient |dhcpcd |dhcpd |dmidecode |
-| dnsmasq |domoticz |dovecot |doxygen |dpkg |dropbear |e2fsprogs |
-| ed |elfutils |emacs |enscript |exim |exiv2 |f2fs_tools |
-| faad2 |fastd |ffmpeg |file |firefox |flac |fluidsynth |
-| freeradius |freerdp |fribidi |frr |gcc |gdal |gdb |
-| gdk_pixbuf |gimp |git |glib |glibc |gmp |gnomeshell |
-| gnupg |gnutls |gpgme |gpsd |graphicsmagick |grep |grub2 |
-| gstreamer |gupnp |gvfs |gzip |haproxy |harfbuzz |haserl |
-| hdf5 |hostapd |hunspell |hwloc |i2pd |icecast |icu |
-| iperf3 |ipmitool |ipsec_tools |iptables |irssi |iucode_tool |jack2 |
-| jacksondatabind |janus |jhead |json_c |kbd |keepalived |kerberos |
-| kexectools |kodi |kubernetes |ldns |lftp |libarchive |libass |
-| libbpg |libcoap |libconfuse |libcurl |libdb |libebml |libexpat |
-| libgcrypt |libgd |libgit2 |libical |libidn2 |libinput |libjpeg |
-| libjpeg_turbo |libksba |liblas |libmatroska |libmemcached |libmicrohttpd |libmodbus |
-| libnss |libpcap |libraw |librsvg |librsync |libsamplerate |libseccomp |
-| libsndfile |libsolv |libsoup |libsrtp |libssh |libssh2 |libtasn1 |
-| libtiff |libtomcrypt |libupnp |libvirt |libvncserver |libvorbis |libxslt |
-| lighttpd |linux_kernel |lldpd |logrotate |lua |luajit |lxc |
-| lynx |lz4 |mailx |mariadb |mdadm |memcached |minetest |
-| mini_httpd |minicom |minidlna |miniupnpc |miniupnpd |modsecurity |monit |
-| mosquitto |motion |mpg123 |mpv |msmtp |mtr |mupdf |
-| mutt |mysql |nano |nasm |nbd |ncurses |neon |
-| nessus |netatalk |netkit_ftp |netpbm |nettle |nghttp2 |nginx |
-| ngircd |nmap |node |ntfs_3g |ntp |ntpsec |open_iscsi |
-| open_vm_tools |openafs |opencv |openjpeg |openldap |opensc |openssh |
-| openssl |openswan |openvpn |p7zip |pango |patch |pcre |
-| pcre2 |pcsc_lite |perl |picocom |pigz |pixman |png |
-| polarssl_fedora |poppler |postgresql |ppp |privoxy |procps_ng |proftpd |
-| pspp |pure_ftpd |putty |python |qemu |qpdf |qt |
-| quagga |radare2 |radvd |raptor |rauc |rdesktop |readline |
-| rpm |rsync |rsyslog |rtl_433 |rtmpdump |runc |rust |
-| samba |sane_backends |sdl |seahorse |shadowsocks_libev |sngrep |snort |
-| sofia_sip |speex |spice |sqlite |squashfs |squid |sslh |
-| stellarium |strongswan |stunnel |subversion |sudo |suricata |sylpheed |
-| syslogng |sysstat |systemd |tcpdump |tcpreplay |terminology |thrift |
-| thttpd |thunderbird |timescaledb |tinyproxy |tor |tpm2_tss |transmission |
-| trousers |u_boot |udisks |unbound |unixodbc |upx |util_linux |
-| varnish |vim |vorbis_tools |vsftpd |webkitgtk |wget |wireshark |
-| wolfssl |wpa_supplicant |xerces |xml2 |xscreensaver |yasm |zabbix |
-| zeek |zlib |znc |zsh | | | |
+| dav1d |davfs2 |dbus |debianutils |dhclient |dhcpcd |dhcpd |
+| dmidecode |dnsmasq |domoticz |dosfstools |dovecot |doxygen |dpkg |
+| dropbear |e2fsprogs |ed |elfutils |emacs |enscript |exim |
+| exiv2 |f2fs_tools |faad2 |fastd |ffmpeg |file |firefox |
+| flac |fluidsynth |freeradius |freerdp |fribidi |frr |gawk |
+| gcc |gdal |gdb |gdk_pixbuf |gimp |git |glib |
+| glibc |gmp |gnomeshell |gnupg |gnutls |gpgme |gpsd |
+| graphicsmagick |grep |grub2 |gstreamer |gupnp |gvfs |gzip |
+| haproxy |harfbuzz |haserl |hdf5 |hostapd |hunspell |hwloc |
+| i2pd |icecast |icu |iperf3 |ipmitool |ipsec_tools |iptables |
+| irssi |iucode_tool |jack2 |jacksondatabind |janus |jhead |json_c |
+| kbd |keepalived |kerberos |kexectools |kodi |kubernetes |ldns |
+| lftp |libarchive |libass |libbpg |libcoap |libconfuse |libcurl |
+| libdb |libebml |libexpat |libgcrypt |libgd |libgit2 |libical |
+| libidn2 |libinput |libjpeg |libjpeg_turbo |libksba |liblas |libmatroska |
+| libmemcached |libmicrohttpd |libmodbus |libnss |libpcap |libraw |librsvg |
+| librsync |libsamplerate |libseccomp |libsndfile |libsolv |libsoup |libsrtp |
+| libssh |libssh2 |libtasn1 |libtiff |libtomcrypt |libupnp |libvirt |
+| libvncserver |libvorbis |libxslt |lighttpd |linux_kernel |lldpd |logrotate |
+| lua |luajit |lxc |lynx |lz4 |mailx |mariadb |
+| mdadm |memcached |minetest |mini_httpd |minicom |minidlna |miniupnpc |
+| miniupnpd |modsecurity |monit |mosquitto |motion |mpg123 |mpv |
+| msmtp |mtr |mupdf |mutt |mysql |nano |nasm |
+| nbd |ncurses |neon |nessus |netatalk |netkit_ftp |netpbm |
+| nettle |nghttp2 |nginx |ngircd |nmap |node |ntfs_3g |
+| ntp |ntpsec |open_iscsi |open_vm_tools |openafs |opencv |openjpeg |
+| openldap |opensc |openssh |openssl |openswan |openvpn |p7zip |
+| pango |patch |pcre |pcre2 |pcsc_lite |perl |picocom |
+| pigz |pixman |png |polarssl_fedora |poppler |postgresql |ppp |
+| privoxy |procps_ng |proftpd |pspp |pure_ftpd |putty |python |
+| qemu |qpdf |qt |quagga |radare2 |radvd |raptor |
+| rauc |rdesktop |readline |rpm |rsync |rsyslog |rtl_433 |
+| rtmpdump |runc |rust |samba |sane_backends |sdl |seahorse |
+| shadowsocks_libev |sngrep |snort |sofia_sip |speex |spice |sqlite |
+| squashfs |squid |sslh |stellarium |strongswan |stunnel |subversion |
+| sudo |suricata |sylpheed |syslogng |sysstat |systemd |tcpdump |
+| tcpreplay |terminology |thrift |thttpd |thunderbird |timescaledb |tinyproxy |
+| tor |tpm2_tss |transmission |trousers |twonky_server |u_boot |udisks |
+| unbound |unixodbc |upx |util_linux |varnish |vim |vorbis_tools |
+| vsftpd |webkitgtk |wget |wireshark |wolfssl |wpa_supplicant |xerces |
+| xml2 |xscreensaver |yasm |zabbix |zeek |zlib |znc |
+| zsh | | | | | | |
 <!--CHECKERS TABLE END-->
 
 For a quick overview of usage and how it works, you can also see [the readme file](README.md).

fuzz/fuzz_python_requirement_parser.py

@@ -0,0 +1,55 @@
+# Copyright (C) 2023 Intel Corporation
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+import sys
+import tempfile
+from pathlib import Path
+
+import atheris
+import atheris_libprotobuf_mutator
+from google.protobuf.json_format import MessageToDict
+
+import fuzz.generated.python_requirements_pb2 as python_requirements_pb2
+from cve_bin_tool.cvedb import CVEDB
+from cve_bin_tool.log import LOGGER
+
+with atheris.instrument_imports():
+    from cve_bin_tool.parsers.python import PythonRequirementsParser
+
+cve_db = CVEDB()
+logger = LOGGER.getChild("Fuzz")
+
+
+def TestParseData(data):
+    try:
+        json_data = MessageToDict(
+            data, preserving_proto_field_name=True, including_default_value_fields=True
+        )
+
+        with open(file_path, "w") as f:
+            for dict in json_data.get("packages", []):
+                extras = ""
+                if len(dict["extras"]) > 0:
+                    extras = f"[{','.join(dict['extras'])}]"
+
+                constraint = ""
+                if "version" in dict.keys():
+                    constraint = f" == {dict['version']}"
+                elif "url" in dict.keys():
+                    constraint = f"@{dict['url']}"
+
+                f.write(f"{dict['name']}{extras}{constraint}\n")
+
+        PRP = PythonRequirementsParser(cve_db, logger)
+        PRP.run_checker(file_path)
+
+    except SystemExit:
+        return
+
+
+file_path = str(Path(tempfile.mkdtemp(prefix="cve-bin-tool-")) / "requirements.txt")
+
+atheris_libprotobuf_mutator.Setup(
+    sys.argv, TestParseData, proto=python_requirements_pb2.PackageList
+)
+atheris.Fuzz()

fuzz/proto_files/python_requirements.proto

@@ -0,0 +1,17 @@
+// Copyright (C) 2023 Intel Corporation
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+syntax = "proto3";
+
+message PackageList{
+    message Package{
+        string name = 1;
+	repeated string extras = 2;
+        oneof constraint{
+            float version = 3;
+            string url = 4;
+        }
+    }
+
+    repeated Package packages = 1;
+}