intel / cve-bin-tool

The CVE Binary Tool helps you determine if your system includes known vulnerabilities. You can scan binaries for over 200 common, vulnerable components (openssl, libpng, libxml2, expat and others), or if you know the components used, you can get a list of known vulnerabilities associated with an SBOM or a list of components and versions.
https://cve-bin-tool.readthedocs.io/en/latest/
GNU General Public License v3.0

feat: new checker [checker name] : How to add custom checker ? #4298

Open Vaibhavpvinchurkar opened 1 month ago

Vaibhavpvinchurkar commented 1 month ago

I am a beginner in Python as well as in cve-bin-tool. Our requirement is to add new custom checkers into this tool, such as 7-zip, .net, .net core etc...

We have created 7-zip.py in the checkers folder with all 4 attributes and added a reference into _init.py. While running this tool, the checker is detecting newly added checkers but is unable to find the vulnerabilities for that software. Sometimes we are getting an error "failing to extract .dll file".

Can anyone help me with this? Am I missing something?

terriko commented 1 month ago

A few questions to help debug:

  1. Have you tried testing your regular expression signatures against the strings you think will work directly? We've got frameworks for doing that in the tests but you can also just open up a Python console, import re and then re.match(signature_pattern, string_that_should_work) -- regular expressions can be pretty finicky, so be careful to cut/paste directly what you're trying to use.
  2. If those work, have you written tests that work as well? That'll do the equivalent tests on your actual checker code.
  3. If the failure to extract error doesn't happen every time, you might want to look at whether you have enough space on your filesystem or if there's anything else that might be preventing extraction (cve-bin-tool's vuln data is more than 3g once it's all downloaded. If you're running on a 4g VM or another constrained environment, that can be a problem.)
  4. Are you sure that cve-bin-tool can extract from the files you're trying to scan?
    • The list of archives we extract is here: https://github.com/intel/cve-bin-tool?tab=readme-ov-file#supported-archive-formats but we've had reports of a weird .msi error that no one's been able to track down so you might need to do some debugging even if something's on that list.
    • Debugging tip: try running an extraction manually and see if you get a different result on the extracted directory vs the package.
    • Our Windows file support is weaker than our Linux file support for a variety of reasons, so this might be the most likely problem. But it's also a great opportunity for improvement if you know how Windows files work, and we'd really love to do better!
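
The signature test from step 1, as an added example that is not part of the original comment and is not cve-bin-tool code: it pulls ASCII and UTF-16LE strings (Windows binaries often store text in the latter) out of a byte blob and tries a version pattern against each with both re.match and re.search. The 7-Zip pattern, the sample bytes and the helper names are assumptions made for this example.

```python
import re

# Hypothetical version signature for a 7-Zip checker (an assumption for this
# example; it is not taken from cve-bin-tool).
VERSION_PATTERNS = [r"7-Zip ([0-9]+\.[0-9]+)"]

# Constructed sample bytes standing in for a Windows binary: one ASCII string
# and one UTF-16LE string, separated by non-printable bytes.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x01\x02"
    + b"Copyright 7-Zip 23.01 sample build"
    + b"\x00\x01\x02"
    + "7-Zip 19.00 (x64)".encode("utf-16-le")
    + b"\x00\x00\xff"
)


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Return printable ASCII runs, then printable UTF-16LE runs, from data."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    utf16_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return [r.decode("ascii") for r in ascii_runs] + [
        r.decode("utf-16-le") for r in utf16_runs
    ]


def check_patterns(patterns, strings):
    """Try every pattern on every string with re.match and re.search.

    re.match only succeeds at the start of a string, re.search anywhere in it,
    so a signature can pass one and fail the other on the same input.
    """
    report = {}
    for pattern in patterns:
        rx = re.compile(pattern)
        report[pattern] = {
            "match": [m.group(1) for s in strings if (m := rx.match(s))],
            "search": [m.group(1) for s in strings if (m := rx.search(s))],
        }
    return report


if __name__ == "__main__":
    found = printable_strings(SAMPLE)
    for pattern, hits in check_patterns(VERSION_PATTERNS, found).items():
        print(pattern, hits)
```

To run it on a real file, replace SAMPLE with the bytes read from that file and VERSION_PATTERNS with the patterns from your checker.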

deepthi-kk commented 1 month ago

@terriko Can you please assign this to me? I will take a look

terriko commented 1 month ago

@deepthi-kk I don't think there's anything here we can do without more information from @Vaibhavpvinchurkar so there's no point in assigning it to anyone. The "good first issue" tag was incorrect so I've removed it. If you're interested in something else that might be a good first issue, https://github.com/intel/cve-bin-tool/issues/4265 is still unclaimed!