intel / cve-bin-tool

The CVE Binary Tool helps you determine if your system includes known vulnerabilities. You can scan binaries for over 200 common, vulnerable components (openssl, libpng, libxml2, expat and others), or if you know the components used, you can get a list of known vulnerabilities associated with an SBOM or a list of components and versions.
https://cve-bin-tool.readthedocs.io/en/latest/
GNU General Public License v3.0

fix: KeyError: 'REDHAT' #4072

Open smirgel opened 2 months ago

smirgel commented 2 months ago

Description

When running a scan on an installed piece of software I get "KeyError: 'REDHAT'":

╭─────────────────────────────── Traceback (most recent call last) ────────────────────────────────╮
│ /usr/local/bin/cve-bin-tool:8 in <module>                                                        │
│                                                                                                  │
│   5 from cve_bin_tool.cli import main                                                            │
│   6 if __name__ == '__main__':                                                                   │
│   7 │   sys.argv[0] = re.sub(r'(-script\.pyw|\.exe)?$', '', sys.argv[0])                         │
│ ❱ 8 │   sys.exit(main())                                                                         │
│   9                                                                                              │
│                                                                                                  │
│ /usr/local/lib/python3.12/dist-packages/cve_bin_tool/cli.py:1103 in main                         │
│                                                                                                  │
│   1100 │   │   )                                                                                 │
│   1101 │   │                                                                                     │
│   1102 │   │   if not args["quiet"]:                                                             │
│ ❱ 1103 │   │   │   output.output_file_wrapper(output_formats)                                    │
│   1104 │   │   │   if args["backport_fix"] or args["available_fix"]:                             │
│   1105 │   │   │   │   distro_info = args["backport_fix"] or args["available_fix"]               │
│   1106 │   │   │   │   is_backport = True if args["backport_fix"] else False                     │
│                                                                                                  │
│ /usr/local/lib/python3.12/dist-packages/cve_bin_tool/output_engine/__init__.py:977 in            │
│ output_file_wrapper                                                                              │
│                                                                                                  │
│    974 │   def output_file_wrapper(self, output_types=["console"]):                              │
│    975 │   │   """Call output_file method for all output types."""                               │
│    976 │   │   for output_type in output_types:                                                  │
│ ❱  977 │   │   │   self.output_file(output_type)                                                 │
│    978 │                                                                                         │
│    979 │   def output_file(self, output_type="console"):                                         │
│    980 │   │   """Generate a file for list of CVE"""                                             │
│                                                                                                  │
│ /usr/local/lib/python3.12/dist-packages/cve_bin_tool/output_engine/__init__.py:1037 in           │
│ output_file                                                                                      │
│                                                                                                  │
│   1034 │   │   │   │   self.output_cves(f, output_type)                                          │
│   1035 │   │   else:                                                                             │
│   1036 │   │   │   with open(self.filename, "w", encoding="utf8") as f:                          │
│ ❱ 1037 │   │   │   │   self.output_cves(f, output_type)                                          │
│   1038 │                                                                                         │
│   1039 │   def check_file_path(self, filepath: str, output_type: str, prefix: str = "output"):   │
│   1040 │   │   """Generate a new filename if file already exists."""                             │
│                                                                                                  │
│ /usr/local/lib/python3.12/dist-packages/cve_bin_tool/output_engine/__init__.py:793 in            │
│ output_cves                                                                                      │
│                                                                                                  │
│    790 │   │   │   self.logger.info(f"Output stored at {self.append}")                           │
│    791 │   │                                                                                     │
│    792 │   │   if self.vex_filename != "":                                                       │
│ ❱  793 │   │   │   self.generate_vex(self.all_cve_data, self.vex_filename)                       │
│    794 │   │   if self.sbom_filename != "":                                                      │
│    795 │   │   │   self.generate_sbom(                                                           │
│    796 │   │   │   │   self.all_product_data,                                                    │
│                                                                                                  │
│ /usr/local/lib/python3.12/dist-packages/cve_bin_tool/output_engine/__init__.py:851 in            │
│ generate_vex                                                                                     │
│                                                                                                  │
│    848 │   │   │   │   vulnerability["id"] = id                                                  │
│    849 │   │   │   │   vulnerability["source"] = {                                               │
│    850 │   │   │   │   │   "name": cve.data_source,                                              │
│ ❱  851 │   │   │   │   │   "url": source_url[cve.data_source] + id,                              │
│    852 │   │   │   │   }                                                                         │
│    853 │   │   │   │   # Assume CVSS vulnerability scores are in accordance with NVD guidance    │
│    854 │   │   │   │   if cve.cvss_version == 3:                                                 │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
KeyError: 'REDHAT'

To reproduce

Steps to reproduce the behaviour:

  1. scan using these flags "cve-bin-tool . --severity high -f console,html -o report --vex triage_out.vex"

It is probably related to one of the components but it is hard to tell which one:

[10:51:21] INFO     cve_bin_tool - Overall CVE summary:                                                                                                                                                          cli.py:1059
           INFO     cve_bin_tool - There are 103 products with known CVEs detected                                                                                                                               cli.py:1060
           INFO     cve_bin_tool - Known CVEs in ('apache.camel', '2.25.4'), ('apache.commons_compress', '1.14'), ('apache.commons_compress', '1.19'), ('apache.log4j', '1.2.12'), ('apache.log4j', '1.2.17'),   cli.py:1071
                    ('gnu.gcc', '2.95.4'), ('gnu.gcc', '3.4.2'), ('gnu.gcc', '3.4.3'), ('gnu.gcc', '3.4.6'), ('gnu.gcc', '4.1.2'), ('gnu.gcc', '4.2.1'), ('gnu.gcc', '4.2.4'), ('gnu.gcc', '4.4.4'), ('gnu.gcc',
                    '4.4.7'), ('gnu.gcc', '4.8.1'), ('gnu.gcc', '4.8.3'), ('gnu.gcc', '4.8.5'), ('gnu.gcc', '5.5.0'), ('gnu.gcc', '9.2'), ('google.guava', '22.0-android'), ('google.guava', '25.1-jre'),
                    ('google.guava', '26.0-android'), ('google.guava', '30.1-jre'), ('h2database.h2', '1.4.200'), ('haxx.libcurl', '7.86.0'), ('hdfgroup.hdf5', '1.12.1'), ('ijg.libjpeg', '6b'),
                    ('ijg.libjpeg', '8d'), ('jenkins.junit', '3.8.1'), ('jenkins.junit', '3.8.2'), ('jenkins.junit', '4.10'), ('jenkins.junit', '4.11'), ('jenkins.junit', '4.12'), ('jenkins.junit', '4.13'),
                    ('jenkins.junit', '4.13.2'), ('jenkins.junit', '4.4'), ('jenkins.junit', '4.7'), ('jenkins.junit', '4.8.1'), ('jenkins.junit', '4.8.2'), ('jenkins.junit', '4.9'), ('joyent.json', '1.1.4'),
                    ('jq_project.jq', '0.2'), ('json-c.json-c', '0.13.99'), ('json_project.json', '1.1.4'), ('libexpat_project.libexpat', '2.0.1'), ('libexpat_project.libexpat', '2.4.1'),
                    ('libexpat_project.libexpat', '2.4.4'), ('libexpat_project.libexpat', '2.4.8'), ('libssh2.libssh2', '1.10.0'), ('libtiff.libtiff', '4.3.0'), ('libtiff.libtiff', '4.6.0'),
                    ('mit.kerberos_5', '1.19.3'), ('openssl.openssl', '1.1.1k'), ('openssl.openssl', '1.1.1v'), ('pcre.pcre', '8.32'), ('pypa.pip', '23.0.1'), ('pypa.pip', '24.0'), ('pypa.pip', '9.0.1'),
                    ('python.python', '3.9.19'), ('sqlite.sqlite', '3.39.4'), ('tukaani.xz', '1.6'), ('tukaani.xz', '1.8'), ('unknown.Pillow', '10.1.0'), ('unknown.camel', '2.25.4'), ('unknown.core',
                    '2024.2.31859-4619'), ('unknown.guava', '22.0-android'), ('unknown.guava', '25.1-jre'), ('unknown.guava', '26.0-android'), ('unknown.guava', '30.1-jre'), ('unknown.h2', '1.4.200'),
                    ('unknown.json', '1.1.4'), ('unknown.junit', '3.8.1'), ('unknown.junit', '3.8.2'), ('unknown.junit', '4.10'), ('unknown.junit', '4.11'), ('unknown.junit', '4.12'), ('unknown.junit',
                    '4.13'), ('unknown.junit', '4.13.2'), ('unknown.junit', '4.4'), ('unknown.junit', '4.7'), ('unknown.junit', '4.8.1'), ('unknown.junit', '4.8.2'), ('unknown.junit', '4.9'),
                    ('unknown.jython-standalone', '2.7.1'), ('unknown.log4j', '1.2.12'), ('unknown.log4j', '1.2.17'), ('unknown.log4j', '2.22.0'), ('unknown.logback-classic', '1.2.3'), ('unknown.pip',
                    '23.0.1'), ('unknown.pip', '24.0'), ('unknown.pip', '9.0.1'), ('unknown.project', '1.0.7'), ('unknown.spring-beans', '4.0.0.RELEASE'), ('unknown.spring-core', '4.0.0.RELEASE'),
                    ('unknown.spring-web', '4.0.0.RELEASE'), ('unknown.woodstox-core', '6.4.0'), ('unknown.xalan', '2.7.1'), ('unknown.xstream', '1.4.20'), ('xwiki.commons', '5'), ('zlib.zlib', '1.2.11'),
                    ('zlib.zlib', '1.2.12'), ('zlib.zlib', '1.2.13'), ('zlib.zlib', '1.2.3'):

Version/platform info

Version of CVE-bin-tool (e.g. output of cve-bin-tool --version): 3.3, installed from pypi.
Operating system: Ubuntu 22.04
Python version: Python 3.12.2

Anything else?

terriko commented 2 months ago

This looks like a bug. It's trying to look up vulnerability data from redhat and not finding it (likely because the database didn't download). I think we're likely missing a check in output_engine/__init__.py at line 851 as it lists above. Probably an easy fix as long as that's the only place the mistake was made!

You can probably temporarily work around it by telling cve-bin-tool to skip the REDHAT data source, though I hope we can get a fix in fairly quickly.

smirgel commented 2 months ago

Thanks! I was able to get a successful scan by adding "--disable-data-source REDHAT".