The CVE Binary Tool helps you determine if your system includes known vulnerabilities. You can scan binaries for over 200 common, vulnerable components (openssl, libpng, libxml2, expat and others), or if you know the components used, you can get a list of known vulnerabilities associated with an SBOM or a list of components and versions.
I was trying to do a scan on the requirements for apache-airflow, which is currently a pretty long list of pinned dependencies:
[13:33:59] ERROR cve_bin_tool.VersionScanner - python.py:72
error: subprocess-exited-with-error

× Getting requirements to build wheel did not run successfully.
│ exit code: 1
╰─> [25 lines of output]
    /bin/sh: line 1: krb5-config: command not found
    Traceback (most recent call last):
      File "/home/terri/venv-airflow/lib/python3.12/site-packages/pip/_vendor/pyproject_hooks/_in_process/_in_process.py", line 353, in <module>
        main()
      File "/home/terri/venv-airflow/lib/python3.12/site-packages/pip/_vendor/pyproject_hooks/_in_process/_in_process.py", line 335, in main
        json_out['return_val'] = hook(**hook_input['kwargs'])
                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/home/terri/venv-airflow/lib/python3.12/site-packages/pip/_vendor/pyproject_hooks/_in_process/_in_process.py", line 118, in get_requires_for_build_wheel
        return hook(config_settings)
               ^^^^^^^^^^^^^^^^^^^^^
      File "/tmp/pip-build-env-jn2xk8xz/overlay/lib/python3.12/site-packages/setuptools/build_meta.py", line 327, in get_requires_for_build_wheel
        return self._get_build_requires(config_settings, requirements=[])
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/tmp/pip-build-env-jn2xk8xz/overlay/lib/python3.12/site-packages/setuptools/build_meta.py", line 297, in _get_build_requires
        self.run_setup()
      File "/tmp/pip-build-env-jn2xk8xz/overlay/lib/python3.12/site-packages/setuptools/build_meta.py", line 313, in run_setup
        exec(code, locals())
      File "<string>", line 109, in <module>
      File "<string>", line 22, in get_output
      File "/usr/lib64/python3.12/subprocess.py", line 466, in check_output
        return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/lib64/python3.12/subprocess.py", line 571, in run
        raise CalledProcessError(retcode, process.args,
    subprocess.CalledProcessError: Command 'krb5-config --libs gssapi' returned non-zero exit status 127.
    [end of output]

note: This error originates from a subprocess, and is likely not a problem with pip.
error: subprocess-exited-with-error

× Getting requirements to build wheel did not run successfully.
│ exit code: 1
╰─> See above for output.

note: This error originates from a subprocess, and is likely not a problem with pip.
Note that this isn't exactly the way airflow wants the install to work, I just wanted to get some scan results to answer a question someone had about the security of apache-airflow. cve-bin-tool does give me some output, but it's missing a lot of components that I would expect to see.
Pinging @anthonyharrison for his expertise on python dependency weirdness and @inosmeet for his recent delving into the language parser code in case they've got any ideas on what we could do better here.
I'm attaching the file I was using for the scan.
airflow-requirements.txt
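The traceback above shows the inventory step failing because pip had to execute a package's setup.py (which shells out to krb5-config) just to learn its requirements. For a file that is already fully pinned, that build step is unnecessary: the component list can be read straight from the `==` pins and handed to the scanner as a component/version list. The script below is an added example, not cve-bin-tool's own parser or part of this issue. It parses a requirements file without resolving or building anything, reports lines that are not exact pins (ranges, VCS URLs, includes) so they are not silently lost, and emits a vendor,product,version CSV; the CSV column names follow cve-bin-tool's input-file format as I understand it and should be treated as an assumption, and the sample requirements are constructed, not the attached airflow-requirements.txt.

```python
"""Build a component inventory from a pinned requirements.txt without running pip.

Added example (not cve-bin-tool code). Reads '==' pins directly, so a package
whose setup.py needs a system tool such as krb5-config cannot break inventory.
Assumption: the CSV header vendor,product,version matches cve-bin-tool's -i format.
"""
import csv
import io
import re
from typing import Dict, Iterator, List, Tuple

# name, optional [extras], optional version specifier. Markers (';') and
# per-line options (--hash=...) are stripped before this regex is applied.
_REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"
    r"(?:\[[^\]]*\])?"                  # extras, e.g. apache-airflow[celery]
    r"\s*(?P<spec>[<>=!~]=?[^;#\\]*)?"  # version specifier(s), if any
)

# Constructed sample in the style of a pinned airflow file (not the real one).
SAMPLE_REQUIREMENTS = """\
# constructed sample, modelled on a pinned requirements file
apache-airflow[celery]==2.9.3
apache-airflow-providers-apache-kafka==1.4.0 ; python_version >= "3.8"
cryptography==42.0.8 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
requests>=2.31.0,<3   # a range, not an exact pin
-r constraints.txt
Flask_Login==0.6.3
"""


def _normalize(name: str) -> str:
    """PEP 503 name normalisation: lowercase, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def _logical_lines(text: str) -> Iterator[str]:
    """Yield logical lines: join backslash continuations, drop comments/blanks."""
    buf = ""
    for raw in text.splitlines():
        line = "" if raw.lstrip().startswith("#") else raw.split(" #", 1)[0]
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1]
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def parse_pins(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return ({normalised_name: version}, [lines that are not exact '==' pins])."""
    pinned: Dict[str, str] = {}
    unpinned: List[str] = []
    for line in _logical_lines(text):
        if line.startswith("-"):       # -r, -c, -e, --index-url: not components
            continue
        line = line.split(" --", 1)[0].strip()   # drop --hash=... style options
        spec_part = line.split(";", 1)[0].strip()  # ignore environment markers
        m = _REQ_RE.match(spec_part)
        if not m:
            unpinned.append(line)
            continue
        spec = (m.group("spec") or "").strip()
        # Only a single '==X.Y.Z' clause is an inventory entry; anything else
        # (ranges, compatible-release, bare names) is reported, not guessed.
        exact = re.fullmatch(r"==\s*([0-9][A-Za-z0-9.+!*-]*)", spec)
        if exact:
            pinned[_normalize(m.group("name"))] = exact.group(1)
        else:
            unpinned.append(line)
    return pinned, unpinned


def to_cve_bin_tool_csv(pinned: Dict[str, str], vendor: str = "unknown") -> str:
    """Render pins as vendor,product,version CSV (assumed cve-bin-tool -i format)."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["vendor", "product", "version"])
    for name in sorted(pinned):
        writer.writerow([vendor, name, pinned[name]])
    return out.getvalue()


if __name__ == "__main__":
    pins, skipped = parse_pins(SAMPLE_REQUIREMENTS)
    print(to_cve_bin_tool_csv(pins))
    for entry in skipped:
        print("not an exact pin, review by hand:", entry)
```

The vendor column is left as "unknown" because a requirements file carries no vendor information; that is exactly the field a scanner has to infer (or that an SBOM should supply), so reviewing the skipped lines and the vendor mapping is where the manual work goes.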