Merge branch 'main' into add-toybox-checker

.github/actions/spelling/allow.txt

@@ -221,6 +221,7 @@ ftp
 ftpd
 fuzzer
 g
+GAAD
 GAD
 gawk
 gcc
@@ -294,6 +295,7 @@ ikeydoherty
 img
 imgur
 imsahil
+inclusivity
 INI
 inosmeet
 iperf
@@ -756,6 +758,7 @@ Vulnerability
 Vulnerabity
 vulnerablities
 vulnerablity
+WCAG
 webkitgtk
 webserver
 website
@@ -785,6 +788,7 @@ xml
 xscreensaver
 xvf
 xwayland
+xz
 yakkety
 yaml
 yashugarg

.github/workflows/testing.yml

@@ -209,21 +209,17 @@ jobs:
           python-version: '3.10'
           cache: 'pip'
 
-#      - name: "Skip tests if this is an automated sbom job"
-#        env:
-#          COMMIT_VAR: ${{ startsWith(github.head_ref, 'chore-sbom-py') && github.event.pull_request.user.login == 'github-actions[bot]' }}
-#        run: |
-#          if ${COMMIT_VAR} == true; then
-#            echo "sbom=true" >> $GITHUB_ENV
-#            echo "sbom set to true"
-#          else
-#            echo "sbom=false" >> $GITHUB_ENV
-#            echo "sbom set to false"
-#          fi
-#
-      - name: "FIXME: Skip tests so we can break out of failure loop"
+      - name: "Skip tests if this is an automated sbom job"
+        env:
+          COMMIT_VAR: ${{ startsWith(github.head_ref, 'chore-sbom-py') && github.event.pull_request.user.login == 'github-actions[bot]' }}
         run: |
+          if ${COMMIT_VAR} == true; then
             echo "sbom=true" >> $GITHUB_ENV
+            echo "sbom set to true"
+          else
+            echo "sbom=false" >> $GITHUB_ENV
+            echo "sbom set to false"
+          fi
 
       - name: Get date
         id: get-date

README.md

@@ -16,7 +16,7 @@ CVE Binary Tool uses the NVD API but is not endorsed or certified by the NVD.
 
 The tool has two main modes of operation:
 
-1. A binary scanner which helps you determine which packages may have been included as part of a piece of software. There are <!-- NUMBER OF CHECKERS START-->370<!--NUMBER OF CHECKERS END--> checkers.  Our initial focus was on common, vulnerable open source components such as openssl, libpng, libxml2 and expat.
+1. A binary scanner which helps you determine which packages may have been included as part of a piece of software. There are <!-- NUMBER OF CHECKERS START-->371<!--NUMBER OF CHECKERS END--> checkers.  Our initial focus was on common, vulnerable open source components such as openssl, libpng, libxml2 and expat.
 
 2. Tools for scanning known component lists in various formats, including .csv, several linux distribution package lists, language specific package scanners and several Software Bill of Materials (SBOM) formats.  
 
@@ -278,8 +278,8 @@ The following checkers are available for finding components in binary files:
 | tpm2_tss |traceroute |transmission |trousers |ttyd |twonky_server |u_boot |
 | udisks |unbound |unixodbc |upx |util_linux |varnish |vim |
 | vlc |vorbis_tools |vsftpd |webkitgtk |wget |wireshark |wolfssl |
-| wpa_supplicant |xerces |xml2 |xscreensaver |xwayland |yasm |zabbix |
-| zchunk |zeek |zlib |znc |zsh |zstandard | |
+| wpa_supplicant |xerces |xml2 |xscreensaver |xwayland |xz |yasm |
+| zabbix |zchunk |zeek |zlib |znc |zsh |zstandard |
 <!--CHECKERS TABLE END-->
 
 All the checkers can be found in the checkers directory, as can the

cve_bin_tool/available_fix/redhat_cve_tracker.py

@@ -95,7 +95,7 @@ def parse_package_data(self, package_data: str) -> str:
 
         """
         parsed_package_data = ""
-        package_name = split(r"-\d", package_data, 1)[0]
+        package_name = split(r"-\d", package_data, maxsplit=1)[0]
         if ":" in package_name:
             package_name, package_version = split(":", package_name)
             package_version = search(r"\d+", package_version)

cve_bin_tool/checkers/__init__.py

@@ -28,6 +28,7 @@
     "apache_http_server",
     "apcupsd",
     "apparmor",
+    "apr",
     "asn1c",
     "assimp",
     "asterisk",
@@ -377,6 +378,7 @@
     "vorbis_tools",
     "vsftpd",
     "vim",
+    "wavpack",
     "webkitgtk",
     "wget",
     "wireshark",
@@ -386,6 +388,7 @@
     "xml2",
     "xscreensaver",
     "xwayland",
+    "xz",
     "yasm",
     "zabbix",
     "zchunk",

cve_bin_tool/checkers/apr.py

@@ -0,0 +1,23 @@
+# Copyright (C) 2025 Orange
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+
+"""
+CVE checker for apr
+
+https://www.cvedetails.com/product/17804/Apache-Portable-Runtime.html?vendor_id=45
+
+"""
+from __future__ import annotations
+
+from cve_bin_tool.checkers import Checker
+
+
+class AprChecker(Checker):
+    CONTAINS_PATTERNS: list[str] = []
+    FILENAME_PATTERNS: list[str] = []
+    VERSION_PATTERNS = [
+        r"apr_initialize\r?\n([0-9]+\.[0-9]+\.[0-9]+)",
+        r"([0-9]+\.[0-9]+\.[0-9]+)\r?\n/tmp/apr",
+    ]
+    VENDOR_PRODUCT = [("apache", "portable_runtime")]

cve_bin_tool/checkers/openjpeg.py

@@ -26,6 +26,6 @@ class OpenjpegChecker(Checker):
     ]
     VERSION_PATTERNS = [
         r"openjpeg-([0-9]+\.[0-9]+\.[0-9]+)",
-        r"openjpeg2-([0-9]+\.[0-9]+\.[0-9]+)",
+        r"([0-9]+\.[0-9]+\.[0-9]+)[A-Za-z/ \.\r\n]*(?:opj_setup_decoder|openjp2)",
     ]
     VENDOR_PRODUCT = [("uclouvain", "openjpeg")]

cve_bin_tool/checkers/wavpack.py

@@ -0,0 +1,21 @@
+# Copyright (C) 2025 Orange
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+
+"""
+CVE checker for wavpack
+
+https://www.cvedetails.com/product/36196/Wavpack-Project-Wavpack.html?vendor_id=16200
+https://www.cvedetails.com/product/43617/Wavpack-Wavpack.html?vendor_id=17637
+
+"""
+from __future__ import annotations
+
+from cve_bin_tool.checkers import Checker
+
+
+class WavpackChecker(Checker):
+    CONTAINS_PATTERNS: list[str] = []
+    FILENAME_PATTERNS: list[str] = []
+    VERSION_PATTERNS = [r"\r?\n([0-9]+\.[0-9]+\.[0-9]+)\r?\n(?:libwavpack|[wW]av)"]
+    VENDOR_PRODUCT = [("wavpack", "wavpack"), ("wavpack_project", "wavpack")]

cve_bin_tool/checkers/xz.py

@@ -0,0 +1,23 @@
+# Copyright (C) 2025 Orange
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+
+"""
+CVE checker for xz
+
+https://www.cvedetails.com/product/38995/Tukaani-XZ.html?vendor_id=16730
+
+"""
+from __future__ import annotations
+
+from cve_bin_tool.checkers import Checker
+
+
+class XzChecker(Checker):
+    CONTAINS_PATTERNS: list[str] = []
+    FILENAME_PATTERNS: list[str] = []
+    VERSION_PATTERNS = [
+        r"xz \(XZ Utils\) ([0-9]+\.[0-9]+\.[0-9]+)",
+        r"([0-9]+\.[0-9]+\.[0-9]+)[A-Za-z0-9,'_=:*&!? \-\.\[\]\"\(\)\r\n]*7zXZ[a-zA-z0-9\r\n]*   @@@",
+    ]
+    VENDOR_PRODUCT = [("tukaani", "xz")]

cve_bin_tool/version_scanner.py

@@ -17,14 +17,7 @@
 from cve_bin_tool.log import LOGGER
 from cve_bin_tool.parsers.parse import available_parsers, parse, valid_files
 from cve_bin_tool.strings import parse_strings
-from cve_bin_tool.util import (
-    DirWalk,
-    ProductInfo,
-    ScanInfo,
-    find_product_location,
-    inpath,
-    validate_location,
-)
+from cve_bin_tool.util import DirWalk, ProductInfo, ScanInfo, inpath
 
 if sys.version_info >= (3, 10):
     from importlib import metadata as importlib_metadata
@@ -288,15 +281,8 @@ def run_checkers(self, filename: str, lines: str) -> Iterator[ScanInfo]:
                             f'{file_path} {result["is_or_contains"]} {dummy_checker_name} {version}'
                         )
                         for vendor, product in checker.VENDOR_PRODUCT:
-                            location = find_product_location(product)
-                            if location is None:
-                                location = "NotFound"
-                            if validate_location(location) is False:
-                                raise ValueError(
-                                    f"Invalid location {location} for {product}"
-                                )
                             yield ScanInfo(
-                                ProductInfo(vendor, product, version, location),
+                                ProductInfo(vendor, product, version, file_path),
                                 file_path,
                             )
 

doc/MANUAL.md

@@ -294,8 +294,8 @@ which is useful if you're trying the latest code from
 | tpm2_tss |traceroute |transmission |trousers |ttyd |twonky_server |u_boot |
 | udisks |unbound |unixodbc |upx |util_linux |varnish |vim |
 | vlc |vorbis_tools |vsftpd |webkitgtk |wget |wireshark |wolfssl |
-| wpa_supplicant |xerces |xml2 |xscreensaver |xwayland |yasm |zabbix |
-| zchunk |zeek |zlib |znc |zsh |zstandard | |
+| wpa_supplicant |xerces |xml2 |xscreensaver |xwayland |xz |yasm |
+| zabbix |zchunk |zeek |zlib |znc |zsh |zstandard |
 <!--CHECKERS TABLE END-->
 
 For a quick overview of usage and how it works, you can also see [the readme file](README.md).