intel / cve-bin-tool

The CVE Binary Tool helps you determine if your system includes known vulnerabilities. You can scan binaries for over 200 common, vulnerable components (openssl, libpng, libxml2, expat and others), or if you know the components used, you can get a list of known vulnerabilities associated with an SBOM or a list of components and versions.
https://cve-bin-tool.readthedocs.io/en/latest/
GNU General Public License v3.0

The application crashes when scanning a file #4453

Open uh3tay opened 1 month ago

uh3tay commented 1 month ago

cvebintool.zip

Description

Hello! When scanning the application, the analysis reaches the file "rootpom.xml" and fails with the error "AttributeError: 'NoneType' object has no attribute 'text'". The application was started with the line "cve-bin-tool ./my-app-path |to err.log". Attachments: "error" - output to the console, rootpom.xml - the file causing the crash, java.py - my temporary solution (lines 84-95). To understand what's going on, I modified java.py to output the filename and the types of root.find(schema + "artifactId") AND root.find(schema + "version").

To reproduce

Steps to reproduce the behaviour:

  1. Activate VENV: oldscool-cvebintool/bin/activate
  2. Scan using "cve-bin-tool ./my-app-path"

Expected behaviour:

Actual behaviour:

Version/platform info

Version of CVE-bin-tool: 3.3, installed from pypi.
Operating system: Ubuntu 24.04.1 (Linux 6.8.0-44-generic #44-Ubuntu SMP PREEMPT_DYNAMIC)
Python version: python 3.12.3
Running in any particular CI environment we should know about? run in a VENV

terriko commented 1 month ago

Sounds like a bug in the java parser. I'm not completely surprised; we could really use some help making better test cases for java because it feels like there's a lot of behaviours we haven't captured very well yet.

Did you want to submit your fix as a pull request so it could be integrated?

anthonyharrison commented 1 month ago

@uh3tay The Java parser is very simple and assumes that the pom file is valid. Can you provide the pom file which results in the crash?