search

intel / cve-bin-tool

The CVE Binary Tool helps you determine if your system includes known vulnerabilities. You can scan binaries for over 200 common, vulnerable components (openssl, libpng, libxml2, expat and others), or if you know the components used, you can get a list of known vulnerabilities associated with an SBOM or a list of components and versions.
https://cve-bin-tool.readthedocs.io/en/latest/
GNU General Public License v3.0
1.22k stars 463 forks source link

WARNING cve_bin_tool.VersionScanner - Failure extracting #1899

Closed mikaelrepo closed 1 year ago

mikaelrepo commented 2 years ago

Hi, I have installed cve-bin-tool on Windows 10 with 7zip but I keep getting "Failure extracting" for every binary it scans... If I extract the binaries manually, it works just fine. I searched the manual, the issues and tried google it but couldn't find anything so as a last resort I'm posting here before I give up on this tool.

C:\Windows\system32>cve-bin-tool --nvd-api-key MY_API_KEY "c:\Program Files" [15:17:52] INFO xmlschema - Resource 'XMLSchema.xsd' is already loaded schemas.py:1235 INFO cve_bin_tool - CVE Binary Tool v3.1.1 cli.py:365 INFO cve_bin_tool - This product uses the NVD API but is not endorsed or certified by the cli.py:366 NVD. WARNING cve_bin_tool - cli.py:393

                                          Warning: this utility was developed for Linux.
                                          You may need to install additional utilities
                                          to use it on other operating systems.
                                          **********************************************

       INFO     cve_bin_tool.CVEDB - Using cached CVE data (<24h old). Use -u now to update            cvedb.py:351
                immediately.
       INFO     cve_bin_tool.CVEDB - There are 182719 CVE entries in the database                      cvedb.py:381
       INFO     cve_bin_tool - CVE database last updated on 21 August 2022 at 14:22:59                   cli.py:492

[15:17:53] INFO cve_bin_tool - Number of checkers: 114 cli.py:567 INFO cve_bin_tool.VersionScanner - Checkers: accountsservice, avahi, bash, bind, version_scanner.py:105 binutils, bolt, bubblewrap, busybox, bzip2, cronie, cryptsetup, cups, curl, dbus, dnsmasq, dovecot, dpkg, enscript, expat, ffmpeg, freeradius, ftp, gcc, gimp, glibc, gnomeshell, gnupg, gnutls, gpgme, gstreamer, gupnp, haproxy, hdf5, hostapd, hunspell, icecast, icu, irssi, kbd, kerberos, kexectools, libarchive, libbpg, libdb, libebml, libgcrypt, libical, libjpeg_turbo, liblas, libnss, librsvg, libseccomp, libsndfile, libsolv, libsoup, libsrtp, libssh2, libtiff, libvirt, libvncserver, libxslt, lighttpd, logrotate, lua, mariadb, mdadm, memcached, mtr, mysql, nano, ncurses, nessus, netpbm, nginx, node, ntp, open_vm_tools, openafs, openjpeg, openldap, openssh, openssl, openswan, openvpn, p7zip, pcsc_lite, pigz, png, polarssl_fedora, poppler, postgresql, pspp, python, qt, radare2, rsyslog, samba, sane_backends, sqlite, strongswan, subversion, sudo, syslogng, systemd, tcpdump, trousers, varnish, webkitgtk, wireshark, wpa_supplicant, xerces, xml2, zlib, zsh [15:18:10] WARNING cve_bin_tool.VersionScanner - Failure extracting c:\Program Files\7-Zip\7z.exe extractor.py:278 [15:18:15] WARNING cve_bin_tool.VersionScanner - Failure extracting c:\Program Files\7-Zip\7zFM.exe extractor.py:278 [15:18:17] WARNING cve_bin_tool.VersionScanner - Failure extracting c:\Program Files\7-Zip\7zG.exe extractor.py:278 WARNING cve_bin_tool.VersionScanner - Failure extracting c:\Program Files\7-Zip\Uninstall.exe extractor.py:278

anthonyharrison commented 2 years ago

@mhemma A warning will be reported if there is any output on the stdout or stderr streams following the execution of the extractor application; in your example this appears to be following the execution of the 7-Zip application. It looks as if you trying to scan the 7-Zip application directory - is this correct?.

Some extractors will issue warnings which are reported during the extraction process e.g. relating to soft links or file permissions.

Have you tried running 7-Zip with the x option for one of the reported files to see if anything is reported?

terriko commented 2 years ago

What version of cve-bin-tool are you using?

Looking at those filenames, they're all .exe files. What I believe is happening is that cve-bin-tool is using 7zip to check if they might be self-extracting zips, and printing the warnings because they're not. I thought we had changed this behaviour so in the case of .exe files these messages would be debug messages instead because since we started supporting windows it's pretty normal for people to scan .exes that aren't secretly self-extracting zips (the behaviour made more sense when we were a linux-only utility and being used to scan download websites). If you're still seeing these as warnings in 3.1 or 3.1.1 then it's a bug we should fix.

As it happens, you can just ignore these warnings unless you know one of these files is a self-extracting zip. It shouldn't affect the operation of the tool in any way. But I'd still consider it a user experience bug worth fixing.

terriko commented 1 year ago

I think this was resolved with #1285 and should be fixed in the 3.2 release when it comes out or in github now, so I'm going to close this issue.