The CVE Binary Tool helps you determine if your system includes known vulnerabilities. You can scan binaries for over 200 common, vulnerable components (openssl, libpng, libxml2, expat and others), or if you know the components used, you can get a list of known vulnerabilities associated with an SBOM or a list of components and versions.
I've been scanning the same file (a .yaffs2 file) on 2 different machines and getting 2 very different outputs; one giving more than 1.5k CVEs and the other 0. I've tracked down the bug to a different version of the package "file":
Using "file" version < 5.45 the output of "file <filename>" is: data
Using "file" version = 5.45 the output of the same command is: YAFFS filesystem root entry (little endian), type root or directory, object entry (name: "fonts")
This different output makes it so that "if not is_exec and not is_linux_kernel:" is true and the function returns None, skipping the file.
To reproduce
Steps to reproduce the behaviour:
scan a file
Upgrade to "file" version = 5.45
try scanning the same file
compare the results
Expected behaviour: same results
Actual behaviour: different results
Version/platform info
Version of CVE-bin-tool( e.g. output of cve-bin-tool --version):
Installed from pypi or github?
Operating system: Linux endevour 6.9.3-arch1-1 #1 SMP PREEMPT_DYNAMIC Fri, 31 May 2024 15:14:45 +0000 x86_64 GNU/Linux
Python version (e.g. python3 --version): 3.11
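The failure mode described in the report, as an added, self-contained example (not cve-bin-tool's own code): a scan gate keyed on the one-line description from file(1) silently skips a file as soon as a newer magic database describes it differently. The two descriptions are the ones quoted above; the marker lists, the helper names (`is_exec`, `is_linux_kernel`, `gate_old`, `gate_new`, `describe_with_file`) and the decision rules are assumptions for illustration, not a reconstruction of the project's real checker logic.

```python
"""Added example (not cve-bin-tool's code): why a scan gate built on file(1)
output breaks when libmagic's description of the same file changes, and one
way to make the gate tolerant.  Marker lists and decision rules are assumed."""
import subprocess
from typing import Optional

# Constructed inputs: the two descriptions the issue reports for the same
# .yaffs2 image under file < 5.45 and file == 5.45.
OLD_DESCRIPTION = "data"
NEW_DESCRIPTION = (
    'YAFFS filesystem root entry (little endian), type root or directory, '
    'object entry (name: "fonts")'
)

# Assumed keyword sets; a real scanner's lists are longer.
EXEC_MARKERS = ("ELF", "executable", "shared object", "PE32", "Mach-O")
KERNEL_MARKERS = ("Linux kernel", "vmlinux", "uImage", "zImage")
# Flash/filesystem images that still contain scannable binaries inside them.
IMAGE_MARKERS = ("YAFFS", "Squashfs", "JFFS2", "UBI image", "cramfs",
                 "ext2 filesystem", "ext4 filesystem", "ISO 9660")


def is_exec(description: str) -> bool:
    """Assumed executable test: a known binary container, or opaque 'data'
    that a string-matching scanner still has to look inside."""
    return description == "data" or any(m in description for m in EXEC_MARKERS)


def is_linux_kernel(description: str) -> bool:
    """Assumed kernel-image test based on common libmagic wording."""
    return any(m in description for m in KERNEL_MARKERS)


def gate_old(description: str) -> Optional[str]:
    """Gate in the shape the issue quotes: returns None (skip the file)
    unless the description looks like an executable or a kernel image."""
    if not is_exec(description) and not is_linux_kernel(description):
        return None
    return "scan"


def gate_new(description: str) -> Optional[str]:
    """Tolerant gate: filesystem images are scanned too, so a more
    descriptive magic database cannot demote a file from 'scan' to 'skip'."""
    if is_exec(description) or is_linux_kernel(description):
        return "scan"
    if any(m in description for m in IMAGE_MARKERS):
        return "scan"
    return None


def describe_with_file(path: str) -> str:
    """Run the real file(1) in brief mode and return its one-line description
    (the --brief flag exists in every libmagic release)."""
    out = subprocess.run(["file", "--brief", path], check=True,
                         capture_output=True, text=True)
    return out.stdout.strip()


def file_version() -> str:
    """Return file(1)'s version banner so a scan report can record which
    magic database produced the descriptions it was gated on."""
    out = subprocess.run(["file", "--version"], capture_output=True, text=True)
    return (out.stdout or out.stderr).splitlines()[0]


if __name__ == "__main__":
    # Side by side: the old gate flips from "scan" to skip purely because
    # file(1) learned to name YAFFS; the tolerant gate scans both.
    for desc in (OLD_DESCRIPTION, NEW_DESCRIPTION):
        print(f"{desc[:40]!r:45} old={gate_old(desc)!s:5} new={gate_new(desc)}")
```

Recording `file_version()` alongside scan results is the cheap way to make a 1.5k-versus-0 discrepancy between two machines explainable from the report alone, without anyone having to bisect the environment by hand.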
That is fascinating and definitely a bug. Sounds fixable but someone will need to do some research to figure out how to use the new expected output, I guess?