intel / cve-bin-tool

The CVE Binary Tool helps you determine if your system includes known vulnerabilities. You can scan binaries for over 200 common, vulnerable components (openssl, libpng, libxml2, expat and others), or if you know the components used, you can get a list of known vulnerabilities associated with an SBOM or a list of components and versions.
https://cve-bin-tool.readthedocs.io/en/latest/
GNU General Public License v3.0

New Checker: Tomcat #1039

Open terriko opened 3 years ago

terriko commented 3 years ago

New checker request: Apache Tomcat

Website: https://tomcat.apache.org/

CVEs: https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-887/Apache-Tomcat.html

Instructions: How to add a new checker to the CVE Binary Tool

Koukyosyumei commented 3 years ago

Hi, I would like to work on this issue!

terriko commented 3 years ago

@Koukyosyumei have fun! Ask here if you get stuck, or if you can't find a good signature.

peb-peb commented 3 years ago

@terriko I think there is no good VERSION_PATTERNS for tomcat

There were no good patterns when running strings tomcat-7.0.82-1.mga5.noarch.rpm | grep -i tomcat


Also, it doesn't return anything when running find . -exec file {} \; | grep -E 'executable,|shared object,' | tee >(sed -e 's/:.*//g' > executables.txt) and gets stuck when running strings $(cat executables.txt) | sort | uniq | grep -i tomcat (is this normal?)


Sorry for the inactivity for the past two weeks as I was busy with my college exams. I am looking forward to contributing more in the upcoming weeks :)

terriko commented 3 years ago

Wouldn't that first string be a basis for a reasonable signature?

tomcat-0:7.0.82-1.mga5 looks like it's got the expected version of 7.0.82 in it.

You should also try grepping for 7.0.82 instead of tomcat just to see if there's anything else that might be usable.
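An added example (not code from cve-bin-tool or from anyone in this thread) of what a draft Tomcat signature built on that RPM string could look like, run over constructed strings output; the regexes and the catalina class path are assumptions for illustration, and the second version pattern relies on the "Apache Tomcat/X.Y.Z" banner Tomcat ships in its ServerInfo.properties:

```python
import re

# Draft signature for a Tomcat checker, in the shape cve-bin-tool checkers
# use (regex lists whose first capture group is the version). These
# patterns are an assumption for this example, not the project's checker.
CONTAINS_PATTERNS = [
    re.compile(r"org/apache/catalina"),   # class path found inside Tomcat jars
    re.compile(r"tomcat"),
]
VERSION_PATTERNS = [
    # RPM NEVR string quoted in the thread: tomcat-0:7.0.82-1.mga5
    re.compile(r"tomcat-[0-9]+:([0-9]+\.[0-9]+\.[0-9]+)"),
    # Banner form Tomcat embeds in ServerInfo.properties, e.g. Apache Tomcat/9.0.65
    re.compile(r"Apache Tomcat/([0-9]+\.[0-9]+\.[0-9]+)"),
]

def contains_tomcat(strings_output: str) -> bool:
    """Mirror the checker's first gate: any CONTAINS_PATTERNS hit."""
    return any(p.search(strings_output) for p in CONTAINS_PATTERNS)

def tomcat_versions(strings_output: str) -> list[str]:
    """Versions extracted from `strings` output, sorted and deduplicated.

    Returns [] when the file does not look like Tomcat at all, so a stray
    word such as "tomcat" in an unrelated binary never produces a finding.
    """
    if not contains_tomcat(strings_output):
        return []
    found = set()
    for pat in VERSION_PATTERNS:
        found.update(m.group(1) for m in pat.finditer(strings_output))
    return sorted(found)

def lines_mentioning(strings_output: str, version: str) -> list[str]:
    """The grep-for-the-version idea: list every string that carries the
    version number, to spot other candidates for a signature."""
    return [ln for ln in strings_output.splitlines() if version in ln]

# Constructed sample resembling `strings` output from the RPM in the thread.
SAMPLE = """\
tomcat-0:7.0.82-1.mga5
tomcat
/usr/share/tomcat/lib/catalina.jar
org/apache/catalina/startup/Bootstrap
Apache Tomcat/7.0.82
"""

if __name__ == "__main__":
    print(tomcat_versions(SAMPLE))              # ['7.0.82']
    print(lines_mentioning(SAMPLE, "7.0.82"))
```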

peb-peb commented 3 years ago

> Wouldn't that first string be a basis for a reasonable signature?
>
> tomcat-0:7.0.82-1.mga5 looks like it's got the expected version of 7.0.82 in it.
>
> You should also try grepping for 7.0.82 instead of tomcat just to see if there's anything else that might be usable.

Ok, I'll be working on it!

alt-glitch commented 3 years ago

@terriko @peb-peb: On downloading and going through Tomcat's Binary Package (like this one for example), I found out that the package doesn't seem to have any executable at all. If that is the case, then I guess we can close this issue as the tool only scans binary files if I'm not wrong.

PS: Is it really possible for Tomcat packages to not have any binaries in them or could it be that I'm downloading the wrong package?

terriko commented 3 years ago

Taking the "good first issue" label off this because clearly tomcat is more challenging than expected.

ranjanmangla1 commented 3 months ago

@terriko can I take on this issue?

terriko commented 3 months ago

@ranjanmangla1 Feel free, but be warned that this one might not be solvable so if you get stuck feel free to abandon it and work on something easier. We don't have a lot of things flagged as good first issue right now but you might be able to fix some of the bugs found by fuzzing. More info on that is in #4045