Merge branch 'main' into add-indent-checker

ffontaine · Feb 6, 2025 · 6308389 · 6308389
2 parents d3bcb72 + 0baeb7b
commit 6308389
Show file tree

Hide file tree

Showing 16 changed files with 116 additions and 6 deletions.
diff --git a/.github/actions/spelling/allow.txt b/.github/actions/spelling/allow.txt
@@ -758,11 +758,11 @@ Vulnerability
 Vulnerabity
 vulnerablities
 vulnerablity
+WCAG
 webkitgtk
 webserver
 website
 websites
-WCAG
 wget
 whl
 wiki
@@ -788,6 +788,7 @@ xml
 xscreensaver
 xvf
 xwayland
+xz
 yakkety
 yaml
 yashugarg

diff --git a/README.md b/README.md
@@ -16,7 +16,7 @@ CVE Binary Tool uses the NVD API but is not endorsed or certified by the NVD.
 
 The tool has two main modes of operation:
 
-1. A binary scanner which helps you determine which packages may have been included as part of a piece of software. There are <!-- NUMBER OF CHECKERS START-->370<!--NUMBER OF CHECKERS END--> checkers.  Our initial focus was on common, vulnerable open source components such as openssl, libpng, libxml2 and expat.
+1. A binary scanner which helps you determine which packages may have been included as part of a piece of software. There are <!-- NUMBER OF CHECKERS START-->371<!--NUMBER OF CHECKERS END--> checkers.  Our initial focus was on common, vulnerable open source components such as openssl, libpng, libxml2 and expat.
 
 2. Tools for scanning known component lists in various formats, including .csv, several linux distribution package lists, language specific package scanners and several Software Bill of Materials (SBOM) formats.  
 
@@ -278,8 +278,8 @@ The following checkers are available for finding components in binary files:
 | tpm2_tss |traceroute |transmission |trousers |ttyd |twonky_server |u_boot |
 | udisks |unbound |unixodbc |upx |util_linux |varnish |vim |
 | vlc |vorbis_tools |vsftpd |webkitgtk |wget |wireshark |wolfssl |
-| wpa_supplicant |xerces |xml2 |xscreensaver |xwayland |yasm |zabbix |
-| zchunk |zeek |zlib |znc |zsh |zstandard | |
+| wpa_supplicant |xerces |xml2 |xscreensaver |xwayland |xz |yasm |
+| zabbix |zchunk |zeek |zlib |znc |zsh |zstandard |
 <!--CHECKERS TABLE END-->
 
 All the checkers can be found in the checkers directory, as can the

diff --git a/cve_bin_tool/checkers/__init__.py b/cve_bin_tool/checkers/__init__.py
@@ -28,6 +28,7 @@
     "apache_http_server",
     "apcupsd",
     "apparmor",
+    "apr",
     "asn1c",
     "assimp",
     "asterisk",
@@ -377,6 +378,7 @@
     "vorbis_tools",
     "vsftpd",
     "vim",
+    "wavpack",
     "webkitgtk",
     "wget",
     "wireshark",

diff --git a/cve_bin_tool/checkers/apr.py b/cve_bin_tool/checkers/apr.py
@@ -0,0 +1,23 @@
+# Copyright (C) 2025 Orange
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+
+"""
+CVE checker for apr
+
+https://www.cvedetails.com/product/17804/Apache-Portable-Runtime.html?vendor_id=45
+
+"""
+from __future__ import annotations
+
+from cve_bin_tool.checkers import Checker
+
+
+class AprChecker(Checker):
+    CONTAINS_PATTERNS: list[str] = []
+    FILENAME_PATTERNS: list[str] = []
+    VERSION_PATTERNS = [
+        r"apr_initialize\r?\n([0-9]+\.[0-9]+\.[0-9]+)",
+        r"([0-9]+\.[0-9]+\.[0-9]+)\r?\n/tmp/apr",
+    ]
+    VENDOR_PRODUCT = [("apache", "portable_runtime")]
diff --git a/cve_bin_tool/checkers/wavpack.py b/cve_bin_tool/checkers/wavpack.py
@@ -0,0 +1,21 @@
+# Copyright (C) 2025 Orange
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+
+"""
+CVE checker for wavpack
+
+https://www.cvedetails.com/product/36196/Wavpack-Project-Wavpack.html?vendor_id=16200
+https://www.cvedetails.com/product/43617/Wavpack-Wavpack.html?vendor_id=17637
+
+"""
+from __future__ import annotations
+
+from cve_bin_tool.checkers import Checker
+
+
+class WavpackChecker(Checker):
+    CONTAINS_PATTERNS: list[str] = []
+    FILENAME_PATTERNS: list[str] = []
+    VERSION_PATTERNS = [r"\r?\n([0-9]+\.[0-9]+\.[0-9]+)\r?\n(?:libwavpack|[wW]av)"]
+    VENDOR_PRODUCT = [("wavpack", "wavpack"), ("wavpack_project", "wavpack")]
diff --git a/doc/MANUAL.md b/doc/MANUAL.md
@@ -294,8 +294,8 @@ which is useful if you're trying the latest code from
 | tpm2_tss |traceroute |transmission |trousers |ttyd |twonky_server |u_boot |
 | udisks |unbound |unixodbc |upx |util_linux |varnish |vim |
 | vlc |vorbis_tools |vsftpd |webkitgtk |wget |wireshark |wolfssl |
-| wpa_supplicant |xerces |xml2 |xscreensaver |xwayland |yasm |zabbix |
-| zchunk |zeek |zlib |znc |zsh |zstandard | |
+| wpa_supplicant |xerces |xml2 |xscreensaver |xwayland |xz |yasm |
+| zabbix |zchunk |zeek |zlib |znc |zsh |zstandard |
 <!--CHECKERS TABLE END-->
 
 For a quick overview of usage and how it works, you can also see [the readme file](README.md).

diff --git a/setup.cfg b/setup.cfg
@@ -8,3 +8,4 @@ extend-ignore = E203, E501
 
 [tool:pytest]
 asyncio_mode = strict
+asyncio_default_fixture_loop_scope = function
diff --git a/test/condensed-downloads/apr-1.7.0-r0.apk.tar.gz b/test/condensed-downloads/apr-1.7.0-r0.apk.tar.gz
diff --git a/test/condensed-downloads/apr-1.7.5-2.fc42.aarch64.rpm.tar.gz b/test/condensed-downloads/apr-1.7.5-2.fc42.aarch64.rpm.tar.gz
diff --git a/test/condensed-downloads/libapr1_1.6.5-1+b1_amd64.deb.tar.gz b/test/condensed-downloads/libapr1_1.6.5-1+b1_amd64.deb.tar.gz
diff --git a/test/condensed-downloads/libapr_1.7.0-2_x86_64.ipk.tar.gz b/test/condensed-downloads/libapr_1.7.0-2_x86_64.ipk.tar.gz
diff --git a/test/condensed-downloads/wavpack-5.1.0-r8.apk.tar.gz b/test/condensed-downloads/wavpack-5.1.0-r8.apk.tar.gz
diff --git a/test/condensed-downloads/wavpack-5.7.0-11.fc42.aarch64.rpm.tar.gz b/test/condensed-downloads/wavpack-5.7.0-11.fc42.aarch64.rpm.tar.gz
diff --git a/test/condensed-downloads/wavpack_5.4.0-1_arm64.deb.tar.gz b/test/condensed-downloads/wavpack_5.4.0-1_arm64.deb.tar.gz
diff --git a/test/test_data/apr.py b/test/test_data/apr.py
@@ -0,0 +1,36 @@
+# Copyright (C) 2025 Orange
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+mapping_test_data = [
+    {
+        "product": "portable_runtime",
+        "version": "1.6.5",
+        "version_strings": ["apr_initialize\n1.6.5"],
+    }
+]
+package_test_data = [
+    {
+        "url": "http://rpmfind.net/linux/fedora/linux/development/rawhide/Everything/aarch64/os/Packages/a/",
+        "package_name": "apr-1.7.5-2.fc42.aarch64.rpm",
+        "product": "portable_runtime",
+        "version": "1.7.5",
+    },
+    {
+        "url": "http://ftp.debian.org/debian/pool/main/a/apr/",
+        "package_name": "libapr1_1.6.5-1+b1_amd64.deb",
+        "product": "portable_runtime",
+        "version": "1.6.5",
+    },
+    {
+        "url": "https://downloads.openwrt.org/releases/packages-19.07/x86_64/packages/",
+        "package_name": "libapr_1.7.0-2_x86_64.ipk",
+        "product": "portable_runtime",
+        "version": "1.7.0",
+    },
+    {
+        "url": "https://dl-cdn.alpinelinux.org/alpine/v3.11/main/x86_64/",
+        "package_name": "apr-1.7.0-r0.apk",
+        "product": "portable_runtime",
+        "version": "1.7.0",
+    },
+]
diff --git a/test/test_data/wavpack.py b/test/test_data/wavpack.py
@@ -0,0 +1,26 @@
+# Copyright (C) 2025 Orange
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+mapping_test_data = [
+    {"product": "wavpack", "version": "5.1.0", "version_strings": ["5.1.0\nlibwavpack"]}
+]
+package_test_data = [
+    {
+        "url": "http://rpmfind.net/linux/fedora/linux/development/rawhide/Everything/aarch64/os/Packages/w/",
+        "package_name": "wavpack-5.7.0-11.fc42.aarch64.rpm",
+        "product": "wavpack",
+        "version": "5.7.0",
+    },
+    {
+        "url": "http://ftp.debian.org/debian/pool/main/w/wavpack/",
+        "package_name": "wavpack_5.4.0-1_arm64.deb",
+        "product": "wavpack",
+        "version": "5.4.0",
+    },
+    {
+        "url": "https://dl-cdn.alpinelinux.org/alpine/v3.11/main/x86_64/",
+        "package_name": "wavpack-5.1.0-r8.apk",
+        "product": "wavpack",
+        "version": "5.1.0",
+    },
+]
Original file line number	Diff line number	Diff line change
Expand Up		@@ -8,3 +8,4 @@ extend-ignore = E203, E501

		[tool:pytest]
		asyncio_mode = strict
		asyncio_default_fixture_loop_scope = function