intel / cve-bin-tool

The CVE Binary Tool helps you determine if your system includes known vulnerabilities. You can scan binaries for over 200 common, vulnerable components (openssl, libpng, libxml2, expat and others), or if you know the components used, you can get a list of known vulnerabilities associated with an SBOM or a list of components and versions.
https://cve-bin-tool.readthedocs.io/en/latest/
GNU General Public License v3.0

bug: HTML report generator fails due to unknown severity #4392

Open stjen opened 2 months ago

stjen commented 2 months ago

Description

HTML report generator fails due to unknown severity "HIGH-EXPLOIT"

To reproduce

Steps to reproduce the behaviour:

  1. Scan using this command: cve-bin-tool -S critical -S high --detailed -l info --affected-versions --exploits mac_build/theapp.app -f json,html -o mac_build/vulnerability

Expected behaviour: HTML report is generated correctly

Actual behaviour: HTML report generation fails due to unexpected severity

Version/platform info

Version of CVE-bin-tool (e.g. output of cve-bin-tool --version): 3.3
Installed from pypi or github? pypi
Operating system: macOS
Python version (e.g. python3 --version): Python 3.10
Running in any particular CI environment we should know about? Gitlab

Anything else?

Relevant vulnerability.json snippet

{
    "vendor": "webmproject",
    "product": "libvpx",
    "version": "1.11.0",
    "cve_number": "CVE-2023-5217",
    "severity": "HIGH-EXPLOIT",
    "score": "8.8",
    "source": "NVD",
    "cvss_version": "3",
    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
    "paths": "[redacted]/MacOS/ffmpeg",
    "remarks": "NewFound",
    "comments": "",
    "description": "Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)",
    "affected_versions": "< 1.13.1"
},

cve-bin-tool callstack

    INFO     cve_bin_tool.OutputEngine - HTML report     __init__.py:1029
                    stored at                                                   
                    /Users/gitlabrunner/builds/Ln3Astbb/0/git/l                 
                    uxion/mac_build/vulnerability.html                          
╭───────────────────── Traceback (most recent call last) ──────────────────────╮
│ /Users/gitlabrunner/.ci-python-venv/bin/cve-bin-tool:8 in <module>           │
│                                                                              │
│   5 from cve_bin_tool.cli import main                                        │
│   6 if __name__ == '__main__':                                               │
│   7 │   sys.argv[0] = re.sub(r'(-script\.pyw|\.exe)?$', '', sys.argv[0])     │
│ ❱ 8 │   sys.exit(main())                                                     │
│   9                                                                          │
│                                                                              │
│ /Users/gitlabrunner/.ci-python-venv/lib/python3.10/site-packages/cve_bin_too │
│ l/cli.py:1103 in main                                                        │
│                                                                              │
│   1100 │   │   )                                                             │
│   1101 │   │                                                                 │
│   1102 │   │   if not args["quiet"]:                                         │
│ ❱ 1103 │   │   │   output.output_file_wrapper(output_formats)                │
│   1104 │   │   │   if args["backport_fix"] or args["available_fix"]:         │
│   1105 │   │   │   │   distro_info = args["backport_fix"] or args["available │
│   1106 │   │   │   │   is_backport = True if args["backport_fix"] else False │
│                                                                              │
│ /Users/gitlabrunner/.ci-python-venv/lib/python3.10/site-packages/cve_bin_too │
│ l/output_engine/__init__.py:977 in output_file_wrapper                       │
│                                                                              │
│    974 │   def output_file_wrapper(self, output_types=["console"]):          │
│    975 │   │   """Call output_file method for all output types."""           │
│    976 │   │   for output_type in output_types:                              │
│ ❱  977 │   │   │   self.output_file(output_type)                             │
│    978 │                                                                     │
│    979 │   def output_file(self, output_type="console"):                     │
│    980 │   │   """Generate a file for list of CVE"""                         │
│                                                                              │
│ /Users/gitlabrunner/.ci-python-venv/lib/python3.10/site-packages/cve_bin_too │
│ l/output_engine/__init__.py:1037 in output_file                              │
│                                                                              │
│   1034 │   │   │   │   self.output_cves(f, output_type)                      │
│   1035 │   │   else:                                                         │
│   1036 │   │   │   with open(self.filename, "w", encoding="utf8") as f:      │
│ ❱ 1037 │   │   │   │   self.output_cves(f, output_type)                      │
│   1038 │                                                                     │
│   1039 │   def check_file_path(self, filepath: str, output_type: str, prefix │
│   1040 │   │   """Generate a new filename if file already exists."""         │
│                                                                              │
│ /Users/gitlabrunner/.ci-python-venv/lib/python3.10/site-packages/cve_bin_too │
│ l/output_engine/__init__.py:752 in output_cves                               │
│                                                                              │
│    749 │   │   │   │   self.metrics,                                         │
│    750 │   │   │   )                                                         │
│    751 │   │   elif output_type == "html":                                   │
│ ❱  752 │   │   │   output_html(                                              │
│    753 │   │   │   │   self.all_cve_data,                                    │
│    754 │   │   │   │   self.all_cve_version_info,                            │
│    755 │   │   │   │   self.scanned_dir,                                     │
│                                                                              │
│ /Users/gitlabrunner/.ci-python-venv/lib/python3.10/site-packages/cve_bin_too │
│ l/output_engine/html.py:279 in output_html                                   │
│                                                                              │
│   276 │   │   │   cve_remarks["NOT AFFECTED"] += len(cve_by_remark[Remarks.N │
│   277 │   │   │                                                              │
│   278 │   │   │   for cve in cve_data["cves"]:                               │
│ ❱ 279 │   │   │   │   cve_severity[cve.severity] += 1                        │
│   280 │   │   │                                                              │
│   281 │   │   │   # hid is unique for each product                           │
│   282 │   │   │   if product_info.vendor != "UNKNOWN":                       │
╰──────────────────────────────────────────────────────────────────────────────╯
KeyError: 'HIGH-EXPLOIT'

terriko commented 2 months ago

I'm not sure if this is related to our other severity bug (fix is in code review) or if it's due to the fact that there's an expectation of the value being "high, medium, low" (as in, "high-exploit" isn't a valid severity), but we should definitely handle this more gracefully. Thanks for letting us know!

stjen commented 2 months ago

Hi again, thanks for getting back to me.

Just some more info FYI, the issue disappeared when I removed the --exploits flag, so it seems to be related to that.
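The KeyError in the traceback comes from tallying severities into a fixed-key dict, so a value like "HIGH-EXPLOIT" (seen only with --exploits) aborts the whole HTML report. The following is an added example, not code from the cve-bin-tool project or from anyone in this thread: it contrasts that pattern with a tolerant tally that strips an assumed "-EXPLOIT" marker, keeps the exploit count, and sends anything unrecognised to an UNKNOWN bucket. The bucket names, the suffix handling and the CVE-0000-* sample ids are assumptions or constructed values.

```python
from dataclasses import dataclass

# Fixed buckets the report tallies into (assumed; the project's own keys
# may differ). "UNKNOWN" is the catch-all for anything unrecognised.
SEVERITY_BUCKETS = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")
EXPLOIT_SUFFIX = "-EXPLOIT"  # assumed marker appended when --exploits is used

@dataclass
class CVE:
    cve_number: str
    severity: str

def naive_fails_on(cves):
    # The failing html.py pattern: a fixed-key dict, so an unexpected
    # severity raises KeyError. Returns the offending string, or None.
    tally = {bucket: 0 for bucket in SEVERITY_BUCKETS}
    try:
        for cve in cves:
            tally[cve.severity] += 1
    except KeyError as exc:
        return exc.args[0]
    return None

def normalize_severity(raw):
    # 'HIGH-EXPLOIT' -> ('HIGH', True); empty, odd-cased or unknown
    # values land in the UNKNOWN bucket instead of raising.
    value = (raw or "").strip().upper()
    has_exploit = value.endswith(EXPLOIT_SUFFIX)
    if has_exploit:
        value = value[: -len(EXPLOIT_SUFFIX)]
    if value not in SEVERITY_BUCKETS:
        value = "UNKNOWN"
    return value, has_exploit

def count_severities(cves):
    # Hardened tally: never raises, and keeps the exploit count so the
    # information --exploits added is reported rather than dropped.
    tally = {bucket: 0 for bucket in SEVERITY_BUCKETS}
    exploitable = 0
    for cve in cves:
        bucket, has_exploit = normalize_severity(cve.severity)
        tally[bucket] += 1
        exploitable += int(has_exploit)
    return tally, exploitable

# Constructed sample: first severity copied from the reporter's JSON; the
# CVE-0000-* ids are placeholders, not real identifiers.
SAMPLE = [CVE("CVE-2023-5217", "HIGH-EXPLOIT"), CVE("CVE-0000-0001", "CRITICAL"),
          CVE("CVE-0000-0002", "medium"), CVE("CVE-0000-0003", "")]
```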