intel / cve-bin-tool

The CVE Binary Tool helps you determine if your system includes known vulnerabilities. You can scan binaries for over 200 common, vulnerable components (openssl, libpng, libxml2, expat and others), or if you know the components used, you can get a list of known vulnerabilities associated with an SBOM or a list of components and versions.
https://cve-bin-tool.readthedocs.io/en/latest/
GNU General Public License v3.0

discussion: Planning for 3.5 / 4.0 releases #4594

Open terriko opened 1 day ago

terriko commented 1 day ago

Thanks everyone who made it out to our last monthly meeting of 2024!

User survey

Per our discussion: we already have an issue about surveying users, so I'll add notes from our discussion into there:

GSoC planning

GSoC 2025 hasn't been announced yet (it's late which sometimes means program changes or they're waiting to announce alongside something else, but the folk at mentor summit didn't seem concerned about things getting cancelled entirely). So we're going to wait on more specific planning until after the program is announced, but a lot of the

Upcoming features/improvements

  1. Improving the accuracy of our SBOM scans, especially around false positives. We've started some of that with the PURL work and mismatch database but need to handle a few more cases and we want to make better use of PURL data in OSV and elsewhere. @anthonyharrison expects this will be particularly helpful for SBOM users in Europe.
  2. Database architecture changes: cve-bin-tool was designed around NVD data, but funding and political changes mean that might not be the best choice long term. We may need to redesign what data we store to make sure we're using PURLs instead of CPEs and have the option of using a different database as our "primary" source.
  3. Overall architecture changes: we also have had a lot of discussion about properly separating the component identification parts of cve-bin-tool (the binary scanner, the language scanners, and the SBOM interpretation) and the vulnerability data parts so that you could use it for SBOM generation or similar without scanning. (FIXME: link previous discussion about disabling NVD, previous discussion about architecture) This doesn't have to happen at the same time as the database changes but we should design the two changes to work together. Once those changes are made we would be talking 4.0 rather than 3.5.
  4. Accessibility: @terriko is doing some work on accessibility in December, starting with review of our docs but potentially also working on reports and command line interface. Some fixes may be immediate and some may be potential GSoC projects or enhancements in the next release.
  5. Training materials: We'd like to have some training for cve-bin-tool, starting with a focus on improving our docs and potentially building small courses / presentation materials. We had a discussion about potentially getting involved in the Season of Docs or similar events and whether there might be options to fund a contributor to work on this. There's also been some interest in things like videos, but probably the docs need to come first.
  6. Test grouping: @terriko is currently seeing an issue where our long tests time out early at around 45 minutes, likely because of the cloud servers they're running on. Unfortunately, the full long tests can now take 1.5hrs. We'll need to divide our test jobs up differently and potentially have some of them run significantly less frequently. This may have to happen well before the release if it keeps blocking merging of pull requests (which it has been doing for a few weeks).
  7. Test Coverage: we had a big push to improve our test coverage as part of GSoC a few years ago, but have slowly regressed a little (in part because some of our tests had to be moved out due to being too slow) and also I'm having some problems with our codecov setup. Now would probably be a good time to see if we need to fix codecov configs, try other coverage tools, and improve our coverage again.

terriko commented 1 day ago

Please feel free to add anything I forgot from the meeting or any new ideas you have! This thread is more wishlist/brainstorm style, so you don't need to worry too much about feasibility at this stage.