The CVE Binary Tool helps you determine if your system includes known vulnerabilities. You can scan binaries for over 200 common, vulnerable components (openssl, libpng, libxml2, expat and others), or if you know the components used, you can get a list of known vulnerabilities associated with an SBOM or a list of components and versions.
The get_vendor_product_pairs function doesn't handle disabled sources passed by the user. As a result, the user can't disable a datasource (e.g., OSV) when parsing a Python PKG-INFO file.
Fix this by passing enabled_sources from cli to version_scanner and then to cvedb. To achieve this functionality, source_nvd must also be added to enabled_sources when appropriate.
nosec must be added to disable this bandit warning:
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
Severity: Medium Confidence: Low
CWE: CWE-89 (https://cwe.mitre.org/data/definitions/89.html)
Location: cve_bin_tool/cvedb.py:681:12
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b608_hardcoded_sql_expressions.html
Indeed, sources is retrieved from self.sources[i].source_name, which can't be updated by an attacker.
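For contrast with the nosec-suppressed query above, here is an added example (not cve-bin-tool's own code) of a lookup restricted to the user's enabled sources that binds each source name as a parameter instead of interpolating it; the table layout, column names and sample rows are constructed for the example.

```python
import sqlite3

# Constructed sample rows (not from the cve-bin-tool database): each row is
# (vendor, product, data_source). The table layout is an assumption.
SAMPLE_ROWS = [
    ("openssl", "openssl", "NVD"),
    ("openssl", "openssl", "OSV"),
    ("pypi", "requests", "OSV"),
    ("psf", "requests", "NVD"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory table shaped like a vendor/product cache."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cve_range (vendor TEXT, product TEXT, data_source TEXT)"
    )
    conn.executemany("INSERT INTO cve_range VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def get_vendor_product_pairs(conn, product: str, enabled_sources: list[str]):
    """Return sorted, de-duplicated (vendor, product) pairs for `product`,
    restricted to the data sources the user left enabled.

    The IN (...) clause gains only one `?` per enabled source; the source
    names themselves travel as bound parameters, so they can never change
    the SQL text even if they were user-controlled.
    """
    if not enabled_sources:
        # Nothing enabled: skip the lookup rather than emit an invalid "IN ()".
        return []
    placeholders = ", ".join("?" for _ in enabled_sources)
    query = (
        "SELECT DISTINCT vendor, product FROM cve_range "
        f"WHERE product = ? AND data_source IN ({placeholders})"
    )
    rows = conn.execute(query, [product, *enabled_sources]).fetchall()
    return sorted(rows)


if __name__ == "__main__":
    db = build_db()
    print(get_vendor_product_pairs(db, "requests", ["NVD", "OSV"]))
    print(get_vendor_product_pairs(db, "requests", ["NVD"]))  # OSV disabled
```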