intel / cve-bin-tool

The CVE Binary Tool helps you determine if your system includes known vulnerabilities. You can scan binaries for over 200 common, vulnerable components (openssl, libpng, libxml2, expat and others), or if you know the components used, you can get a list of known vulnerabilities associated with an SBOM or a list of components and versions.
https://cve-bin-tool.readthedocs.io/en/latest/
GNU General Public License v3.0

fix: handle disabled_sources in get_vendor_product_pairs #4208

Closed ffontaine closed 1 week ago

ffontaine commented 1 week ago

The get_vendor_product_pairs function doesn't handle disabled sources passed by the user. As a result, the user can't disable a data source (e.g., OSV) when parsing a Python PKG-INFO file.

Fix this by passing enabled_sources from cli to version_scanner and then to cvedb. To achieve this functionality, source_nvd must also be added to enabled_sources when appropriate.

nosec must be added to disable this bandit warning:

>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Low
   CWE: CWE-89 (https://cwe.mitre.org/data/definitions/89.html)
   Location: cve_bin_tool/cvedb.py:681:12
   More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b608_hardcoded_sql_expressions.html

Indeed, sources is retrieved from self.sources[i].source_name, which can't be updated by an attacker.
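The situation described in this PR (a query whose list of data sources varies in length, so the SQL text has to be assembled at runtime, which trips bandit's B608 check) is a common one. The following is an added illustration, not code from cve-bin-tool: it uses a constructed in-memory SQLite table and hypothetical names (`cve_range`, `data_source`, `get_vendor_product_pairs`, `enabled_sources`) to show the pattern that keeps such a query safe regardless of where the source names come from: only `?` placeholders are interpolated into the SQL string, and every source name is bound as a parameter.

```python
import sqlite3

# Constructed sample rows (vendor, product, data_source); not real cve-bin-tool data.
SAMPLE_ROWS = [
    ("python", "requests", "NVD"),
    ("python", "requests", "OSV"),
    ("openssl", "openssl", "NVD"),
    ("libpng", "libpng", "GAD"),
]

# Hypothetical list of all data sources the scanner knows about.
ALL_SOURCES = ["NVD", "OSV", "GAD"]


def build_db() -> sqlite3.Connection:
    """Create an in-memory table shaped like a simplified vendor/product index."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cve_range (vendor TEXT, product TEXT, data_source TEXT)")
    conn.executemany("INSERT INTO cve_range VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def enabled_sources(all_sources, disabled_sources):
    """Mirror the CLI step: everything the user did not disable stays enabled."""
    disabled = set(disabled_sources)
    return [s for s in all_sources if s not in disabled]


def get_vendor_product_pairs(conn, product, sources):
    """Return distinct (vendor, product) pairs for `product`, limited to `sources`.

    The number of sources varies, so the query text gets one '?' per source.
    The interpolated text is only ever '?' characters; the actual source names
    (and the product) are passed as bound parameters, so a value such as
    "NVD' OR '1'='1" is compared literally and cannot alter the query.
    """
    if not sources:
        return []
    placeholders = ",".join("?" * len(sources))
    query = (
        "SELECT DISTINCT vendor, product FROM cve_range "
        f"WHERE product = ? AND data_source IN ({placeholders}) "
        "ORDER BY vendor, product"
    )
    params = [product, *sources]
    return conn.execute(query, params).fetchall()


if __name__ == "__main__":
    db = build_db()
    # User disabled OSV on the command line; NVD and GAD remain enabled.
    active = enabled_sources(ALL_SOURCES, ["OSV"])
    print(get_vendor_product_pairs(db, "requests", active))
```

A linter such as bandit cannot tell that the interpolated fragment is made only of `?` characters, so it will still flag the f-string; that is the case where a reviewed `# nosec` annotation, with a comment stating why the construction is safe, is the appropriate response rather than rewriting the query.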