- Name - Harsh(@peb-peb)
- Organisation - Python Software Foundation
- Sub-Organisation - CVE Binary Tool
- Project - Checker Creation Helper-Script
- Proposal - View / Download
cve-bin-tool looks at strings found in binary files to see if they match known vulnerable versions of components such as openssl, libsndfile, etc., to let you know if a given directory or binary file includes vulnerabilities known as CVEs (Common Vulnerabilities and Exposures).
cve-bin-tool relies on contributors to build checkers for each package. This in turn requires them to know various file manipulation methods, which are easier to use on Linux than on Windows.
To address this issue, a checker creation helper script was created. It takes .rpm, .deb, .tar.gz or other files that represent packaged versions of the software to be detected, together with the product name and version number that we expect to find in each, as its inputs and returns the data required to build a checker.
The output structure for helper-script is:
$ python3 -m cve_bin_tool.helper_script ../test_vulnerable_packages/busybox-1.33.1-1.fc35.x86_64.rpm --product busybox --version 1.33.1
──────────────────────────────────────────── BusyboxChecker ────────────────────────────────────────────
# Copyright (C) 2021 Intel Corporation
# SPDX-License-Identifier: GPL-3.0-or-later
"""
CVE checker for busybox:
<provide reference links here>
"""
from cve_bin_tool.checkers import Checker
class BusyboxChecker(Checker):
    CONTAIN_PATTERNS = [
        r"BusyBox is a multi-call binary that combines many common Unix",
        r"BusyBox is copyrighted by many authors between 1998-2015.",
        r"BusyBox v1.33.1 (2021-05-06 17:29:07 UTC)",
        r"link to busybox for each function they wish to use and BusyBox",
    ]
    FILENAME_PATTERNS = [
        r"busybox", <--- this is a really common filename pattern
    ]
    VERSION_PATTERNS = [
        r"BusyBox v1.33.1 (2021-05-06 17:29:07 UTC)",
        r"syslogd started: BusyBox v1.33.1",
    ]
    VENDOR_PRODUCT = [('busybox', 'busybox'), ('rob_landley', 'busybox')]
────────────────────────────────────────────────────────────────────────────────────────────────────────
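The core of what the helper script does, as an added example that is not cve-bin-tool's own code: sort extracted strings into product-identifying lines and version-carrying lines, turn the latter into regexes with a version capture group, and render the checker skeleton. The strings, the product/version inputs and the vendor-product list (looked up from the CVE database by the real script) are constructed here.

```python
import re

# Constructed sample of the strings one would pull out of a busybox binary;
# this is not real helper-script output and the code is not cve-bin-tool's own.
SAMPLE_STRINGS = [
    "BusyBox is a multi-call binary that combines many common Unix",
    "BusyBox v1.33.1 (2021-05-06 17:29:07 UTC)",
    "syslogd started: BusyBox v1.33.1",
    "Usage: busybox [function [arguments]...]",
    "1.33.1",  # version with no product name: too weak to be a pattern
    "GNU C Library (GNU libc) stable release version 2.34",  # other product
]

VERSION_GROUP = r"(\d+\.\d+(?:\.\d+)?)"  # assumes dotted-numeric versions only


def find_version_lines(strings, product, version):
    """Lines naming the product (any case) together with the exact version."""
    return [s for s in strings if product in s.lower() and version in s]


def find_contain_lines(strings, product, version):
    """Lines naming the product but not the version: they identify the
    product without tying the checker to one release."""
    return [s for s in strings if product in s.lower() and version not in s]


def to_version_pattern(line, version):
    """Escape the line as a regex and swap the literal version for a capture
    group, so the pattern also extracts versions the sample did not contain."""
    return re.escape(line).replace(re.escape(version), VERSION_GROUP, 1)


def extract_version(pattern, text):
    """Apply one VERSION_PATTERNS entry to a string; None if it does not match."""
    m = re.search(pattern, text)
    return m.group(1) if m else None


def render_checker(product, version, strings, vendor_product):
    """Emit the checker skeleton; vendor_product is a hypothetical input here."""
    name = product.capitalize() + "Checker"
    contain = [re.escape(s) for s in find_contain_lines(strings, product, version)]
    versions = [to_version_pattern(s, version)
                for s in find_version_lines(strings, product, version)]
    lines = [f"class {name}(Checker):"]
    for attr, pats in (("CONTAIN_PATTERNS", contain),
                       ("FILENAME_PATTERNS", [re.escape(product)]),
                       ("VERSION_PATTERNS", versions)):
        lines.append(f"    {attr} = [")
        lines.extend(f'        r"{p}",' for p in pats)
        lines.append("    ]")
    lines.append(f"    VENDOR_PRODUCT = {vendor_product!r}")
    return "\n".join(lines)
```

Lines that carry only the version (like the bare "1.33.1") are deliberately dropped, since a checker built on them would fire on any file containing that number.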
cve-bin-tool yields the vulnerable package name, version and vendor-product name in its reports. To extend this functionality, it was proposed to also provide the user with the ranges of affected versions for each vulnerable package found while scanning.
This was done by taking a vulnerable package found in the scan and the corresponding affected-versions data from the database, then formatting the ranges for which the package is vulnerable. This feature can be invoked with the --affected-versions argument.
The output structure for --affected-versions is:
$ python3 -m cve_bin_tool.cli -f console --affected-versions ../test_vulnerable_packages/
┏━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━┓
┃ Vendor ┃ Product ┃ Version ┃ CVE Number ┃ Severity ┃ Score (CVSS Version) ┃ Affected Versions ┃
┡━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━┩
│ gnu │ gcc │ 8.4.1 │ UNKNOWN │ UNKNOWN │ 0 (v0) │ - │
│ isc │ bind │ 9.11.26 │ CVE-2019-6470 │ HIGH │ 7.5 (v3) │ >= 9.11.2 │
│ isc │ bind │ 9.11.26 │ CVE-2020-8625 │ HIGH │ 8.1 (v3) │ [9.5.0 - 9.11.27] │
│ dovecot │ dovecot │ 2.3.8 │ CVE-2020-24386 │ MEDIUM │ 6.8 (v3) │ [2.2.26 - 2.3.13) │
│ dovecot │ dovecot │ 2.3.8 │ CVE-2020-25275 │ HIGH │ 7.5 (v3) │ < 2.3.13 │
└─────────┴─────────┴─────────┴────────────────┴──────────┴──────────────────────┴───────────────────┘
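The range notation in the Affected Versions column, as an added example that is not cve-bin-tool's own code: each database entry carries optional inclusive/exclusive start and end versions (field names and sample rows are constructed here, modelled on the table above), and the same bounds decide whether the scanned version is actually inside the range.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class AffectedRange:
    """Optional inclusive/exclusive bounds of one affected-version entry
    (constructed field names, not the tool's own schema)."""
    start_incl: Optional[str] = None
    start_excl: Optional[str] = None
    end_incl: Optional[str] = None
    end_excl: Optional[str] = None


def format_range(r):
    """Render the bounds in the interval notation of the console report."""
    start = r.start_incl or r.start_excl
    end = r.end_incl or r.end_excl
    if start and end:
        left = "[" if r.start_incl else "("
        right = "]" if r.end_incl else ")"
        return f"{left}{start} - {end}{right}"
    if start:
        return f"{'>=' if r.start_incl else '>'} {start}"
    if end:
        return f"{'<=' if r.end_incl else '<'} {end}"
    return "-"


def _key(version):
    # Simplification for this example: dotted numeric versions only.
    return tuple(int(p) for p in version.split("."))


def in_range(version, r):
    """True when the scanned version lies within the affected bounds."""
    v = _key(version)
    if r.start_incl and v < _key(r.start_incl):
        return False
    if r.start_excl and v <= _key(r.start_excl):
        return False
    if r.end_incl and v > _key(r.end_incl):
        return False
    return not (r.end_excl and v >= _key(r.end_excl))


# Constructed rows mirroring the report above: (product, CVE, range).
SAMPLE_ROWS = [
    ("bind", "CVE-2019-6470", AffectedRange(start_incl="9.11.2")),
    ("bind", "CVE-2020-8625", AffectedRange(start_incl="9.5.0", end_incl="9.11.27")),
    ("dovecot", "CVE-2020-24386", AffectedRange(start_incl="2.2.26", end_excl="2.3.13")),
    ("dovecot", "CVE-2020-25275", AffectedRange(end_excl="2.3.13")),
]


def affected_cves(product, version, rows=SAMPLE_ROWS):
    """(CVE, formatted range) for every row whose range contains the version."""
    return [(cve, format_range(r)) for p, cve, r in rows
            if p == product and in_range(version, r)]
```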
- Python and its diverse libraries: During GSoC, I learned a lot about various Python third-party libraries and was fascinated by the vast & diverse Python community. Even though it is difficult to measure the progress, thanks to my mentors (especially Terri, John & Anthony) I became more comfortable and confident in writing clean Python code. I also became better at connecting different components across a project to eliminate the overall repetition and complexity of code.
- CVEs: Before contributing to cve-bin-tool, I had no idea what a CVE is. CVE, short for Common Vulnerabilities and Exposures, is a list of publicly disclosed computer security flaws. During GSoC, I learned a lot about the CVE system and NVD. I also became familiar with the NVD API, thanks to Sahil.
- CI & Workflow: During this journey, I also learned about various software development practices like Continuous Integration (CI), workflows, writing & running tests, writing docs, etc.
- Communication: The one thing that I learned in this program that will help me throughout my career is public speaking. Before this, I was a shy person and hesitated to speak in front of an audience. But, because of my incredible mentors and our weekly meetings, now I'm pretty comfortable & confident speaking in front of an audience.
- Time management: During the entire period of the program I never felt stressed. My mentors were super chill. I had enough time to study for my college curriculum, read books and spend the summer with my friends.
- Checker Creation Helper-Script
  Automated the file extraction and string acquisition process for a given binary by gathering together existing functionality that was scattered across the tool. Implemented the regex for version-string finding, and returned the results as a pretty output on the console.
  PRs:
  - intel/cve-bin-tool#1173 - vendor-product pair finding from database
  - intel/cve-bin-tool#1182 - extraction and regex finding process
  - intel/cve-bin-tool#1246 - refactor helper-script for repeating functions
  - intel/cve-bin-tool#1333 (to be merged) - improved output for the script based on feedback
  Docs:
  - intel/cve-bin-tool#1173
- Added Affected Versions range feature (Console)
  Extracted the affected-versions data from the database, added an affected-versions column and displayed the ranges alongside the corresponding CVE number.
  PRs:
  - intel/cve-bin-tool#1284 - affected-versions range (console only)
  - intel/cve-bin-tool#1284
- Fix existing checkers with Helper-Script
  Revisited existing checkers and fixed the version strings. Standardised tests for checkers. Each checker now includes tests for RedHat-based Linux distributions, Debian-based Linux distributions and BSD distros.
  PRs:
- Added new checkers for open-source libraries
  PRs:
  - intel/cve-bin-tool#1237 (libbpg)
  - intel/cve-bin-tool#1240 (zsh)
  - intel/cve-bin-tool#1241 (dbus)
  - intel/cve-bin-tool#1243 (libical)
  - intel/cve-bin-tool#1244 (liblas)
  - intel/cve-bin-tool#1296 (libvncserver)
  - intel/cve-bin-tool#1297 (hdf5)
A detailed weekly description of tasks and work done can be found at:
- Weekly Blogs: https://blogs.python-gsoc.org/en/harshs-blog/
The tool has improved and changed a lot since I first started contributing in January 2021. I plan to keep working on the project and contribute as much as I can. Some of the features I'd like to work on in the future are:
- Add affected-versions range for all output formats in cve-bin-tool (intel/cve-bin-tool#1342)
- Improve helper_script based on user/contributor feedback
- Add checkers for the tool
I would like to thank Google, Python Software Foundation and Intel for providing me with this wonderful opportunity and my mentors Terri Oda, John Andersen, Anthony Harrison, Harmandeep Singh and Saurabh Khandelwal who guided me and taught me all sorts of things during this summer.
I would also like to thank my fellow GSoCers Sahil and Suhail and the cve-bin-tool community for helping me during the program.
Feedback: