Merge branch 'main' into npm_dependencies

terriko · Jan 3, 2024 · 4c2f7ea · 4c2f7ea
2 parents 6a0e930 + 427bb87
commit 4c2f7ea
Show file tree

Hide file tree

Showing 21 changed files with 2,746 additions and 155 deletions.
diff --git a/cve_bin_tool/cli.py b/cve_bin_tool/cli.py
@@ -278,14 +278,12 @@ def main(argv=None):
     output_group.add_argument(
         "--epss-percentile",
         action="store",
-        help="minimum epss percentile of CVE range between 0 to 100 to report (default: 0)",
-        default=0,
+        help="minimum epss percentile of CVE range between 0 to 100 to report. Automatically enables `--metrics`",
     )
     output_group.add_argument(
         "--epss-probability",
         action="store",
-        help="minimum epss probability of CVE range between 0 to 100 to report (default: 0)",
-        default=0,
+        help="minimum epss probability of CVE range between 0 to 100 to report. Automatically enables `--metrics`",
     )
     output_group.add_argument(
         "--no-0-cve-report",
@@ -550,6 +548,10 @@ def main(argv=None):
     if args["nvd"] == "json":
         args["nvd"] = "json-mirror"
     nvd_type = args["nvd"]
+    if nvd_type == "api":
+        LOGGER.warning("API 1.0 is deprecated, switching to API 2.0")
+        nvd_type = "api2"
+
     # If NVD API key is not set, check for environment variable (e.g. GitHub Secrets)
     if not args["nvd_api_key"] and os.getenv("nvd_api_key"):
         args["nvd_api_key"] = os.getenv("nvd_api_key")
@@ -560,9 +562,10 @@ def main(argv=None):
 
     if args["nvd_api_key"]:
         if nvd_type != "api2":
-            LOGGER.debug(f"{nvd_type} - changing to api. API Key {args['nvd_api_key']}")
-            nvd_type = "api"
-
+            LOGGER.debug(
+                f"{nvd_type} - changing to api2. API Key {args['nvd_api_key']}"
+            )
+            nvd_type = "api2"
     # If you're not using an NVD key, let you know how to get one
     if nvd_type == "json-nvd" and not args["nvd_api_key"] and not args["offline"]:
         LOGGER.info("Not using an NVD API key. Your access may be rate limited by NVD.")
@@ -592,15 +595,35 @@ def main(argv=None):
     if int(args["cvss"]) > 0:
         score = int(args["cvss"])
 
+    metrics = args["metrics"]
+    if args["epss_percentile"] or args["epss_probability"]:
+        metrics = True
+
     epss_percentile = 0
-    if float(args["epss_percentile"]) > 0 or float(args["epss_percentile"]) < 100:
+    if (
+        args["epss_percentile"]
+        and float(args["epss_percentile"]) >= 0
+        and float(args["epss_percentile"]) <= 100
+    ):
         epss_percentile = float(args["epss_percentile"]) / 100
         LOGGER.debug(f"epss percentile stored {epss_percentile}")
+    elif args["epss_percentile"]:
+        LOGGER.debug(
+            f'epss percentile {args["epss_percentile"]} is invalid so set it to 0'
+        )
 
     epss_probability = 0
-    if float(args["epss_probability"]) > 0 or float(args["epss_probability"]) < 100:
+    if (
+        args["epss_probability"]
+        and float(args["epss_probability"]) >= 0
+        and float(args["epss_probability"]) <= 100
+    ):
         epss_probability = float(args["epss_probability"]) / 100
         LOGGER.debug(f"epss probability stored {epss_probability}")
+    elif args["epss_probability"]:
+        LOGGER.debug(
+            f'epss probability {args["epss_probability"]} is invalid so set it to 0'
+        )
 
     config_generate = set(args["generate_config"].split(","))
     config_generate = [config_type.strip() for config_type in config_generate]
@@ -902,7 +925,7 @@ def main(argv=None):
 
     with CVEScanner(
         score=score,
-        check_metrics=args["metrics"],
+        check_metrics=metrics,
         epss_percentile=epss_percentile,
         epss_probability=epss_probability,
         check_exploits=args["exploits"],
@@ -1027,7 +1050,7 @@ def main(argv=None):
             merge_report=merged_reports,
             affected_versions=args["affected_versions"],
             exploits=args["exploits"],
-            metrics=args["metrics"],
+            metrics=metrics,
             detailed=args["detailed"],
             vex_filename=args["vex"],
             sbom_filename=args["sbom_output"],

diff --git a/doc/MANUAL.md b/doc/MANUAL.md
@@ -545,7 +545,7 @@ This option controls the frequency of updates for the CVE data from the National
 
 ### -n {json-nvd,json-mirror,api,api2}, --nvd {json-nvd,json-mirror,api,api2}
 
-This option selects how CVE data is downloaded from the National Vulnerability Database. The default `api` option uses the NVD CVE Retrieval API version 1.0. The `api2` option uses the later NVD CVE Retrieval API version 2.0. The results from this API are updated as quickly as the NVD website.
+This option selects how CVE data is downloaded from the National Vulnerability Database. The `api` option previously used the NVD CVE Retrieval API version 1.0, which is now deprecated. Using `--nvd api` will automatically switch to the `--nvd api2` option. The `api2` option uses the later NVD CVE Retrieval API version 2.0. The results from this API are updated as quickly as the NVD database.
 A major benefit of using this NVD API is incremental updates which basically means you won't have to download the complete feed again in case you want the latest CVE entries from NVD. See the detailed guide on [incremental updates](how_to_guides/use_incremental_updates.md) for more details.
 
 You may also choose to update the data using `json-nvd` option which uses the JSON feeds available on [this page](https://nvd.nist.gov/vuln/data-feeds). These per-year feeds are updated once per day. This mode was the default for CVE Binary Tool prior to the 3.0 release.
@@ -1080,6 +1080,10 @@ This option specifies the minimum EPSS percentile of CVE range between 0 to 100
 
 This option specifies the minimum EPSS probability of CVE range between o to 100 to report. The default value is 0 which result in all CVEs being reported.
 
+### Automatic Metrics Activation
+
+If either `--epss-percentile` or `--epss-probability` is set, the system will automatically enable the `--metrics` option so that the epss data will be loaded and displayed.
+
 ### -S {low,medium,high,critical}, --severity {low,medium,high,critical}
 
 This option specifies the minimum CVE severity to report. The default value is low which results in all CVEs being reported.
@@ -1343,6 +1347,11 @@ The `cpanfile` must specify the version data for the vulnerability scanner to wo
 
 Here's an example of what a [`cpanfile`](https://github.com/intel/cve-bin-tool/blob/main/test/language_data/cpanfile) might look like.
 
+### PHP
+
+The scanner examines the `composer.lock` file within a PHP application to identify components. The package names and versions are used to search the database for vulnerabilities. Packages that have a `dev` version are ignored.
+
+Here's an example of what a [`composer.lock`](https://github.com/intel/cve-bin-tool/blob/main/test/language_data/composer.lock) file might look like.
 
 ## Feedback & Contributions
 

diff --git a/fuzz/fuzz_renv_lock.py b/fuzz/fuzz_renv_lock.py
@@ -0,0 +1,96 @@
+# Copyright (C) 2023 Intel Corporation
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+import sys
+import tempfile
+from pathlib import Path
+
+import atheris
+import atheris_libprotobuf_mutator
+from google.protobuf.json_format import MessageToDict
+
+import fuzz.generated.renv_lock_pb2 as renv_lock_pb2
+from cve_bin_tool.cvedb import CVEDB
+from cve_bin_tool.log import LOGGER
+
+with atheris.instrument_imports():
+    from cve_bin_tool.parsers.r import RParser
+
+
+cve_db = CVEDB()
+logger = LOGGER.getChild("Fuzz")
+
+
+def RenvLockBuilder(data):
+    # Parse the JSON data
+    json_data = MessageToDict(
+        data, preserving_proto_field_name=True, including_default_value_fields=True
+    )
+
+    with open(file_path, "w") as f:
+        # Write R version information
+        r_version = json_data.get("r", {}).get("version", "")
+        f.write("{\n")
+        f.write('"R": {\n')
+        if r_version:
+            f.write(f'"Version": {r_version},\n')
+        repositories = json_data.get("r", {}).get("repositories", {})
+        f.write('"Repositories": [\n')
+        for repository in repositories:
+            name = repository.get("name", "")
+            url = repository.get("url", "")
+            f.write("{\n")
+            f.write(f'"Name:{name},"')
+            f.write(f'"URL":{url}')
+            f.write("}\n")
+        f.write("]\n")
+        f.write("},\n")
+        # Write Bioconductor version information
+        bioconductor_version = json_data.get("bioconductor", []).get("version", "")
+        f.write('"Bioconductor":{\n')
+        if bioconductor_version:
+            f.write(f"Version: {bioconductor_version}\n")
+        f.write("},\n")
+        f.write('"Packages":{\n')
+        packages = json_data.get("packages", [])
+        # Write packages
+        for package in packages:
+            name = package.get("package", "")
+            f.write(f'"{name}": ')
+            f.write("{\n")
+            f.write(f'"Package:" {name},\n')
+            version = package.get("version", "")
+            f.write(f'"Version:" {version},\n')
+            source = package.get("source", "")
+            f.write(f'"Source:" {source},\n')
+            repository = package.get("repository", "")
+            f.write(f'"Repository:" {repository},\n')
+            Hash = package.get("hash", "")
+            f.write(f'"Hash:" {Hash}",\n')
+
+            # Write requirements, if any
+            requirements = package.get("requirements", [])
+            if requirements:
+                f.write("Requirements: [\n")
+                for requirement in requirements:
+                    f.write(f'"{requirement}",\n')
+                f.write("]\n")
+            f.write("}\n")
+        f.write("}\n")
+
+
+def TestParseData(data):
+    try:
+        RenvLockBuilder(data)
+
+        r_parser = RParser(cve_db, logger)
+        r_parser.run_checker(file_path)
+
+    except SystemExit:
+        return
+
+
+file_path = str(Path(tempfile.mkdtemp(prefix="cve-bin-tool-")) / "renv.lock")
+
+atheris_libprotobuf_mutator.Setup(sys.argv, TestParseData, proto=renv_lock_pb2.RenvLock)
+atheris.Fuzz()
diff --git a/fuzz/generated/renv_lock_pb2.py b/fuzz/generated/renv_lock_pb2.py
diff --git a/fuzz/proto_files/renv_lock.proto b/fuzz/proto_files/renv_lock.proto
@@ -0,0 +1,40 @@
+// Copyright (C) 2023 Intel Corporation
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+syntax = "proto3";
+
+// Main structure representing the renv.lock file
+message RenvLock {
+  RVersion r = 1;
+  BioconductorVersion bioconductor = 2;
+  repeated Package packages = 3;
+
+
+// R version details
+message RVersion {
+  string version = 1;
+  repeated Repository repositories = 2;
+}
+
+// Bioconductor version details
+message BioconductorVersion {
+  string version = 1;
+}
+
+// Repository information
+message Repository {
+  string name = 1;
+  string url = 2;
+}
+
+// Package details
+message Package {
+  string package = 1;
+  string version = 2;
+  string source = 3;
+  string repository = 4;
+  string hash = 5;
+  repeated string requirements = 6;
+}
+}
+