intel / cve-bin-tool

The CVE Binary Tool helps you determine if your system includes known vulnerabilities. You can scan binaries for over 200 common, vulnerable components (openssl, libpng, libxml2, expat and others), or if you know the components used, you can get a list of known vulnerabilities associated with an SBOM or a list of components and versions.
https://cve-bin-tool.readthedocs.io/en/latest/
GNU General Public License v3.0

discussion: behaviour for binary checkers with no CVEs associated #3646

Open terriko opened 8 months ago

terriko commented 8 months ago

I just closed #3633 from @ffontaine which would have removed a debianutils checker because it doesn't have any CVEs. On one hand, we're primarily a CVE scanner so it's kind of a waste of cycles to check for a product that doesn't have any CVEs associated with it. But I decided to keep it for two reasons:

  1. It could have CVEs later and we'd want it then.
  2. A number of users have told me that they're using cve-bin-tool to help with software composition analysis, so in that case they'd want to know that debianutils was there even if there are no CVEs associated.

Those of you who've been around this project a while know I have some mixed feelings about using cve-bin-tool for software composition analysis (that is, trying to guess what's in a binary blob), mostly because I don't think we're great at it. But the best tools I know of for this cost $$$ so I've gradually come to accept that maybe we're a useful tool for folk who don't have access to paid tooling. In the past year or so, we've started adding features to make it easier for us to do things like generate SBOM data.

But I'm wondering if we could limit the wasted cycles involved in keeping a checker that doesn't have security issues, so I'm opening this up for discussion: Does anyone have any brilliant ideas about the best way to do this?

To kick off brainstorming, here are some ideas that I don't love but might work:

terriko commented 8 months ago

From discussion on #3633

It is currently the case that most checkers with no CVEs detected also don't have valid CPE / vendor_product strings. We'll have to make sure any solution for #3628 can handle these appropriately.

That said, if we have some sort of consistent way to represent these such as "leave the vendor_product blank or set it to a specific tuple" then that would make it easier to skip these checkers during normal operation and have them run only when a special flag was set or something.
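As an added illustration of the idea in the comment above (this is example code, not cve-bin-tool's own code or a proposed patch), the sketch below treats an empty vendor_product list as the marker for "no CVE history / no valid CPE": in a normal run such checkers are skipped because there is nothing to look up, and a flag (here the hypothetical `include_no_cve` argument) makes them run so that composition-analysis users still see the component. The `Checker` class, its `signature` field, the `libfoo` component and the contents of `CVE_DB` are all constructed for the example; only the debianutils-has-no-CVEs situation comes from the discussion.

```python
"""Added example, not cve-bin-tool project code.

Assumptions (hypothetical, not from the project):
- a checker carries a vendor_product list of (vendor, product) tuples, and a
  checker with no CVE history / no valid CPE leaves that list empty;
- detection is a plain byte-pattern match, and the CVE database is a
  constructed in-memory dict.
"""
from dataclasses import dataclass, field

# Constructed stand-in for the CVE database: (vendor, product) -> CVE ids.
# Identifiers are placeholders, not real CVEs.
CVE_DB = {
    ("example_vendor", "libfoo"): ["CVE-0000-0002", "CVE-0000-0001"],
}


@dataclass
class Checker:
    name: str
    signature: bytes  # byte pattern that identifies the component in a blob
    # Empty list = no CVE history and no valid CPE / vendor_product string.
    vendor_product: list = field(default_factory=list)

    def detect(self, blob: bytes) -> bool:
        return self.signature in blob


# Constructed checker set: one component with CVEs, one without (debianutils,
# which the discussion says currently has no CVEs associated).
CHECKERS = [
    Checker("libfoo", b"libfoo version", [("example_vendor", "libfoo")]),
    Checker("debianutils", b"debianutils", []),
]


def select_checkers(checkers, include_no_cve=False):
    """Normal run: skip checkers whose vendor_product is empty, since there is
    nothing to look up. With the flag set (SCA / SBOM use), run them all."""
    if include_no_cve:
        return list(checkers)
    return [c for c in checkers if c.vendor_product]


def scan(blob, checkers, cve_db, include_no_cve=False):
    """Return which components were found and which CVEs apply to them.

    'components' is the SCA view (everything a selected checker detected);
    'cves' only ever has entries for checkers with a vendor_product to query.
    """
    result = {"components": [], "cves": {}, "skipped_checkers": []}
    selected = select_checkers(checkers, include_no_cve)
    result["skipped_checkers"] = [c.name for c in checkers if c not in selected]
    for chk in selected:
        if not chk.detect(blob):
            continue
        result["components"].append(chk.name)
        for vp in chk.vendor_product:
            found = cve_db.get(vp, [])
            if found:
                result["cves"].setdefault(chk.name, []).extend(found)
    for name in result["cves"]:
        result["cves"][name] = sorted(set(result["cves"][name]))
    return result


# Constructed sample input standing in for a scanned binary.
SAMPLE_BLOB = b"\x7fELF\x00\x00 libfoo version 1.0 \x00\x00 debianutils 4.11 \x00"


if __name__ == "__main__":
    print("default run:   ", scan(SAMPLE_BLOB, CHECKERS, CVE_DB))
    print("with SCA flag: ", scan(SAMPLE_BLOB, CHECKERS, CVE_DB, include_no_cve=True))
```

The point of splitting the output into `components` and `cves` is that the SBOM/SCA consumer and the vulnerability consumer want different things: the first wants debianutils listed even though it has no CVEs, the second only pays for lookups on checkers that can actually match a CPE. Whatever convention the project settles on for marking "no vendor_product" (blank list, sentinel tuple) only has to be checked in one place, `select_checkers`, which is also where a special flag would hook in.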