Merge pull request #1452 from m-1-k-3/cve_bin_tool_integration

CVE bin tool integration, VEX support -> F20 replacement

.github/workflows/trivy.yml

@@ -67,7 +67,7 @@ jobs:
             "-l " "-m " "-n 60m" "-o " "-p " "-q " "-r false" "-s " "-t " "-u "
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: 'trivy-results.sarif'
 

config/report_templates/F20_vul_aggregator-post.sh → config/report_templates/F17_cve_bin_tool-post.sh

@@ -13,11 +13,3 @@ write_link "https://security.snyk.io/vuln"
 print_output "$(indent "${ORANGE}X${NC} - Vulnerability is known as exploited")"
 write_link "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
 print_output "$(indent "${ORANGE}V${NC} - Vulnerability verified - Kernel or BusyBox (S26, S118)")"
-
-print_ln
-print_ln
-print_output "[*] Source notes:"
-print_output "$(indent "${ORANGE}STAT${NC} - Details found by static modules (S06, S09, S24, S25)")"
-print_output "$(indent "${ORANGE}PACK${NC} - Details found by package management environment (S08)")"
-print_output "$(indent "${ORANGE}UEMU${NC} - Details found by dynamic user-mode emulation modules (S115, S116)")"
-print_output "$(indent "${ORANGE}SEMU${NC} - Details found by dynamic system emulation modules (L*)")"

config/report_templates/F20_vul_aggregator-pre.sh → config/report_templates/F17_cve_bin_tool-pre.sh

@@ -1,4 +1,4 @@
 #!/bin/bash
 
-print_output "This module aggregates all found version numbers together from S06, S08, S09, S24, S25 and S115 and searches with cve-search for known vulnerabilities."
-print_output "Additionally, the identified CVE details are matched with public exploit databases."
+print_output "This module aggregates all found version numbers together from S06, S08, S09, S24, S25 and S115 and searches with cve-bin-tool for known vulnerabilities."
+print_output "Additionally, the identified CVE details are matched with EPSS, public exploit databases and a VEX json is generated."

docker-compose.yml

@@ -1,9 +1,9 @@
 services:
   # nosemgrep
   emba:
-    image: embeddedanalyzer/emba:1.5.1b
+    image: embeddedanalyzer/emba:1.5.1d
     container_name: emba
-    read_only: true
+    read_only: false
     # all pre-checker mount modules need privileged mode
     # nosemgrep
     privileged: true
@@ -51,7 +51,7 @@ services:
         soft: 0
 
   emba_quest:
-    image: embeddedanalyzer/emba:1.5.1b
+    image: embeddedanalyzer/emba:1.5.1d
     container_name: emba_quest
     read_only: true
     tmpfs:

helpers/helpers_emba_defaults.sh

@@ -116,6 +116,7 @@ set_defaults() {
   if [[ -f "${CONFIG_DIR}"/msf_cve-db.txt ]]; then
     export MSF_DB_PATH="${CONFIG_DIR}"/msf_cve-db.txt
   fi
+  export MSF_INSTALL_PATH="/usr/share/metasploit-framework"
   if [[ -f "${CONFIG_DIR}"/trickest_cve-db.txt ]]; then
     export TRICKEST_DB_PATH="${CONFIG_DIR}"/trickest_cve-db.txt
   fi
@@ -149,7 +150,6 @@ set_defaults() {
   export TOTAL_MEMORY=0
   TOTAL_MEMORY="$(grep MemTotal /proc/meminfo | awk '{print $2}' || true)"
   export Q_MOD_PID=""
-  export F20_DEEP=1      # F20 module - set to cve-discovery caller for further processing
   export UEFI_VERIFIED=0
   export MAIN_CONTAINER=""
   export QUEST_CONTAINER=""
@@ -160,6 +160,10 @@ set_defaults() {
   export SBOM_MAX_FILE_LOG=200
   export SBOM_MINIMAL=0
   export SBOM_UNTRACKED_FILES=1
+  export VEX_METRICS=1
+  # usually we test firmware that is already out in the field
+  # if this changes this option can be adjusted in the scanning profile
+  export SBOM_LIFECYCLE_PHASE="operations"
 
   # we can enable/disable the s08 submodules with the following array configuration
   # -> just comment the submodule that should not be used
@@ -221,6 +225,8 @@ set_log_paths() {
   export S26_LOG="${LOG_DIR}/s26_kernel_vuln_verifier.txt"
   export S26_LOG_DIR="${S26_LOG/\.txt/\/}"
   export S30_LOG="${LOG_DIR}/s30_version_vulnerability_check.txt"
+  export S36_LOG="${LOG_DIR}/s36_lighttpd.txt"
+  export S36_LOG_DIR="${S36_LOG/\.txt/\/}"
   export S36_CSV_LOG="${CSV_DIR}/s36_lighttpd.csv"
   export S40_LOG="${LOG_DIR}/s40_weak_perm_check.txt"
   export S45_LOG="${LOG_DIR}/s45_pass_file_check.txt"
@@ -236,6 +242,8 @@ set_log_paths() {
   export S110_LOG="${LOG_DIR}/s110_yara_check.txt"
   export S116_CSV_LOG="${CSV_DIR}/s116_qemu_version_detection.csv"
   export S118_CSV_LOG="${CSV_DIR}/s118_busybox_verifier.csv"
+  export S118_LOG="${LOG_DIR}/s118_busybox_verifier.txt"
+  export S118_LOG_DIR="${S118_LOG/\.txt/\/}"
   export Q02_LOG="${LOG_DIR}/q02_openai_question.txt"
   export L10_LOG="${LOG_DIR}/l10_system_emulator.txt"
   export L10_SYS_EMU_RESULTS="${LOG_DIR}/emulator_online_results.log"
@@ -245,11 +253,8 @@ set_log_paths() {
   export L25_LOG="${LOG_DIR}/l25_web_checks.txt"
   export L25_CSV_LOG="${CSV_DIR}/l25_web_checks.csv"
   export L35_CSV_LOG="${CSV_DIR}/l35_metasploit_check.csv"
-  export F20_LOG="${LOG_DIR}/f20_vul_aggregator.txt"
-  export F20_CSV_LOG="${CSV_DIR}/f20_vul_aggregator.csv"
-  export F20_LOG_DIR="${F20_LOG/\.txt/\/}"
-  export F20_EXPLOITS_LOG="${F20_LOG_DIR}/exploits-overview.txt"
   export F15_LOG="${LOG_DIR}/f15_cyclonedx_sbom.txt"
   export F15_CSV_LOG="${CSV_DIR}/f15_cyclonedx_sbom.csv"
+  export F17_LOG_DIR="${LOG_DIR}/f17_cve_bin_tool"
   export F50_CSV_LOG="${CSV_DIR}/f50_base_aggregator.csv"
 }

helpers/helpers_emba_dependency_check.sh

@@ -217,6 +217,12 @@ check_docker_version() {
   fi
 }
 
+preparing_cve_bin_tool() {
+  print_output "    Preparing cve-bin-tool ..." "no_log"
+  mkdir "${HOME}"/.cache/cve-bin-tool
+  cp -pri /external/cve-bin-tool/cache_cve-bin-tool/* "${HOME}"/.cache/cve-bin-tool/
+}
+
 dependency_check()
 {
   module_title "Dependency check" "no_log"
@@ -688,6 +694,11 @@ dependency_check()
       # CVE searchsploit
       check_dep_tool "CVE Searchsploit" "cve_searchsploit"
 
+      check_dep_file "cve-bin-tool" "${EXT_DIR}""/cve-bin-tool/cve_bin_tool/cli.py"
+      preparing_cve_bin_tool &
+      local lTMP_PID="$!"
+      store_kill_pids "${lTMP_PID}"
+
       check_dep_file "Routersploit EDB database" "${CONFIG_DIR}""/routersploit_exploit-db.txt"
       check_dep_file "Routersploit CVE database" "${CONFIG_DIR}""/routersploit_cve-db.txt"
       check_dep_file "Metasploit CVE database" "${CONFIG_DIR}""/msf_cve-db.txt"

helpers/helpers_emba_print.sh

@@ -334,7 +334,7 @@ write_json_module_log_entry() {
 # This function collects all temp json files from LOG_PATH_MODULE and puts all temp json files together to a complete json log file
 write_json_module_log() {
   local lJSON_TMP_FILES_ARR=()
-  mapfile -t lJSON_TMP_FILES_ARR < <(find "${LOG_PATH_MODULE}" -maxdepth 1 -type f -name "JSON_tmp_*.json" | sort -u)
+  mapfile -t lJSON_TMP_FILES_ARR < <(find "${LOG_PATH_MODULE}" -maxdepth 1 -type f -name "JSON_tmp_*.json" | sort -u || true)
   if [[ "${#lJSON_TMP_FILES_ARR[@]}" -eq 0 ]]; then
     return
   fi
@@ -349,11 +349,11 @@ write_json_module_log() {
       if (json_pp < "${lCOMP_FILE}" &> /dev/null); then
         cat "${lCOMP_FILE}" >> "${lJSON_LOG}"
       else
-        print_output "[!] WARNING: JSON entry ${lCOMP_FILE} failed to validate with json_pp"
+        print_error "[-] WARNING: JSON entry ${lCOMP_FILE} failed to validate with json_pp"
         continue
       fi
     else
-      print_output "[!] WARNING: JSON entry ${lCOMP_FILE} failed to decode"
+      print_error "[-] WARNING: JSON entry ${lCOMP_FILE} failed to decode"
       continue
     fi
     if [[ $((lCOMP_FILE_ID+1)) -lt "${#lJSON_TMP_FILES_ARR[@]}" ]]; then
@@ -364,7 +364,7 @@ write_json_module_log() {
 
   # as our json is not beautifull we remove all \n and further formatting should be done via jq
   tr -d '\n' < "${lJSON_LOG}" > "${lJSON_LOG/\.tmp/\.json}"
-  find "${LOG_PATH_MODULE}" -maxdepth 1 -type f -name "JSON_tmp_*.json" -delete
+  find "${LOG_PATH_MODULE}" -maxdepth 1 -type f -name "JSON_tmp_*.json" -delete || true
   rm "${lJSON_LOG}" || true
 }
 
@@ -983,7 +983,7 @@ secure_sleep() {
     sleep 10
     lCUR_SLEEP_TIME=$((lCUR_SLEEP_TIME + 10))
     if check_emba_ended; then
-      return
+      exit
     fi
   done
 }

helpers/helpers_emba_sbom_helpers.sh

@@ -191,6 +191,7 @@ build_sbom_json_component_arr() {
   local lAPP_TYPE="${2:-}"
   local lAPP_NAME="${3:-}"
   local lAPP_VERS="${4:-}"
+  # lAPP_MAINT is used as supplier
   local lAPP_MAINT="${5:-}"
   local lAPP_LIC="${6:-}"
   local lCPE_IDENTIFIER="${7:-}"
@@ -202,8 +203,11 @@ build_sbom_json_component_arr() {
 
   local lAPP_LIC_ARR=()
 
+  # detected component is always required
+  local lAPP_SCOPE="required"
+
   if [[ -n "${lAPP_MAINT}" ]] && { [[ "${lAPP_MAINT}" == "NA" ]] || [[ "${lAPP_MAINT}" == "-" ]]; }; then
-    lAPP_MAINT=""
+    lAPP_MAINT="Unknown"
   fi
   [[ -n "${lAPP_MAINT}" ]] && lAPP_MAINT=$(translate_vendor "${lAPP_MAINT}")
 
@@ -235,8 +239,10 @@ build_sbom_json_component_arr() {
   lCOMPONENT_ARR+=( "type=${lAPP_TYPE}" )
   lCOMPONENT_ARR+=( "name=${lAPP_NAME:-NA}" )
   lCOMPONENT_ARR+=( "-s" "version=${lAPP_VERS}" )
-  lCOMPONENT_ARR+=( "author=${lAPP_MAINT}" )
-  # lCOMPONENT_ARR+=( "supplier=${lAPP_MAINT}" )
+  if [[ -n "${lAPP_MAINT}" ]]; then
+    lCOMPONENT_ARR+=( "supplier=$(jo name="${lAPP_MAINT}")" )
+    # lCOMPONENT_ARR+=( "author=${lAPP_MAINT}" )
+  fi
   lCOMPONENT_ARR+=( "group=${lPACKAGING_SYSTEM}" )
   lCOMPONENT_ARR+=( "bom-ref=${SBOM_COMP_BOM_REF}" )
   if [[ "${#lAPP_LIC_ARR[@]}" -gt 0 ]]; then
@@ -246,6 +252,7 @@ build_sbom_json_component_arr() {
     lCOMPONENT_ARR+=( "licenses=$(jo -a :"${TMP_DIR}"/sbom_lic_"${lAPP_NAME}"_"${lTMP_IDENTIFIER}".json)" )
     rm "${TMP_DIR}"/sbom_lic_"${lAPP_NAME}"_"${lTMP_IDENTIFIER}".json || true
   fi
+  lCOMPONENT_ARR+=( "scope=${lAPP_SCOPE}" )
   lCOMPONENT_ARR+=( "cpe=${lCPE_IDENTIFIER}" )
   lCOMPONENT_ARR+=( "purl=${lPURL_IDENTIFIER}" )
   lCOMPONENT_ARR+=( "properties=$(jo -a "${PROPERTIES_JSON_ARR[@]}")" )

installer.sh

@@ -396,6 +396,8 @@ if [[ "${CVE_SEARCH}" -ne 1 ]] || [[ "${DOCKER_SETUP}" -ne 1 ]] || [[ "${IN_DOCK
 
   IL15_emulated_checks_init
 
+  IF17_cve_bin_tool
+
   IF50_aggregator_common
 fi
 

installer/IF17_cve_bin_tool.sh

@@ -0,0 +1,52 @@
+#!/bin/bash
+
+# EMBA - EMBEDDED LINUX ANALYZER
+#
+# Copyright 2025-2025 Siemens Energy AG
+#
+# EMBA comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+# EMBA is licensed under GPLv3
+#
+# Author(s): Michael Messner
+
+# Description:  Installs cve-bin-tool including database for offline work
+
+IF17_cve_bin_tool() {
+  module_title "${FUNCNAME[0]}"
+
+  if [[ "${LIST_DEP}" -eq 1 ]] || [[ "${IN_DOCKER}" -eq 1 ]] || [[ "${DOCKER_SETUP}" -eq 0 ]] || [[ "${FULL}" -eq 1 ]]; then
+
+    INSTALL_APP_LIST=()
+
+    if [[ "${LIST_DEP}" -eq 1 ]] || [[ "${IN_DOCKER}" -eq 1 ]] || [[ "${DOCKER_SETUP}" -eq 0 ]] ; then
+      print_tool_info "gsutil"
+      # print_pip_info "cve_bin_tool"
+      print_git_info "cve-bin-tool" "https://github.com/EMBA-support-repos/cve-bin-tool.git" "cve-bin-tool"
+    fi
+
+    if [[ "${LIST_DEP}" -eq 1 ]] || [[ "${DOCKER_SETUP}" -eq 1 ]] ; then
+      ANSWER=("n")
+    else
+      echo -e "\\n""${MAGENTA}""${BOLD}"" cve-bin-tool will be downloaded (if not already on the system)!""${NC}"
+    fi
+
+    case ${ANSWER:0:1} in
+      y|Y )
+        apt-get install "${INSTALL_APP_LIST[@]}" -y --no-install-recommends
+
+        # radare2
+        echo -e "${ORANGE}""${BOLD}""Install cve-bin-tool""${NC}"
+        git clone https://github.com/EMBA-support-repos/cve-bin-tool.git external/cve-bin-tool
+        cd external/cve-bin-tool || ( echo "Could not install EMBA component cve-bin-tool" && exit 1 )
+        pip install -U -r requirements.txt
+        python3 -m pip install -e .
+        cd "${HOME_PATH}" || ( echo "Could not install EMBA component cve-bin-tool" && exit 1 )
+        python3 external/cve-bin-tool/cve_bin_tool/cli.py --update now || true
+        cp -pr "${HOME}"/.cache/cve-bin-tool ./external/cve-bin-tool/cache_cve-bin-tool
+      ;;
+    esac
+  fi
+}

modules/F15_cyclonedx_sbom.sh

@@ -67,9 +67,10 @@ F15_cyclonedx_sbom() {
     fi
 
     # EMBA details for the SBOM
-    local lSBOM_TOOL="EMBA Binary analysis environment"
+    local lSBOM_TOOL="EMBA binary analysis environment"
     local lSBOM_TOOL_VERS=""
     lSBOM_TOOL_VERS="$(cat "${CONFIG_DIR}"/VERSION.txt)"
+    local lEMBA_URLS_ARR=("https://github.com/e-m-b-a/emba")
 
     local lTOOL_COMP_ARR=()
     lTOOL_COMP_ARR+=( type="application" )
@@ -79,7 +80,7 @@ F15_cyclonedx_sbom() {
       lSBOM_TOOL_VERS+="-$(cat "${INVOCATION_PATH}"/.git/refs/heads/master)"
     fi
     lTOOL_COMP_ARR+=( version="${lSBOM_TOOL_VERS}" )
-    lTOOL_COMP_ARR+=( description="EMBA firmware analyzer - https://github.com/e-m-b-a/emba" )
+    lTOOL_COMP_ARR+=( description="EMBA firmware analyzer - ${lEMBA_URLS_ARR[*]}" )
 
     # the following removes the duplicate untracked files that are handled from an other SBOM entry
     if [[ -s "${SBOM_LOG_PATH}"/duplicates_to_delete.txt ]]; then
@@ -95,7 +96,6 @@ F15_cyclonedx_sbom() {
     lFW_COMPONENT_DATA_ARR+=( name="${lFW_PATH}" )
     lFW_COMPONENT_DATA_ARR+=( type="${lFW_TYPE}" )
     lFW_COMPONENT_DATA_ARR+=( bom-ref="$(uuidgen)" )
-    [[ -n "${FW_VENDOR}" ]] && lFW_COMPONENT_DATA_ARR+=( "supplier=$(jo -n name="${FW_VENDOR}")" )
 
     # generate hashes for the firmware itself:
     if [[ -f "${FIRMWARE_PATH_BAK}" ]]; then
@@ -108,7 +108,7 @@ F15_cyclonedx_sbom() {
     mapfile -t lCOMP_FILES_ARR < <(find "${SBOM_LOG_PATH}" -maxdepth 1 -type f -name "*.json" -not -name "unhandled_file_*" | sort -u)
     if [[ "${SBOM_UNTRACKED_FILES}" -gt 0 ]]; then
       mapfile -t lCOMP_FILES_ARR_UNHANDLED < <(find "${SBOM_LOG_PATH}" -maxdepth 1 -type f -name "unhandled_file_*.json" | sort -u)
-     lCOMP_FILES_ARR+=("${lCOMP_FILES_ARR_UNHANDLED[@]}")
+      lCOMP_FILES_ARR+=("${lCOMP_FILES_ARR_UNHANDLED[@]}")
     fi
 
     # as we can have so many components that everything goes b00m we need to build the
@@ -175,7 +175,11 @@ F15_cyclonedx_sbom() {
         tools="$(jo \
           components="$(jo -a "$(jo -n "${lTOOL_COMP_ARR[@]}")")")" \
         component="$(jo -n \
-          "${lFW_COMPONENT_DATA_ARR[@]}")")" \
+          "${lFW_COMPONENT_DATA_ARR[@]}")" \
+        supplier="$(jo -n \
+          name="${FW_VENDOR:-EMBA binary analyzer}" url="$(jo -a "${lEMBA_URLS_ARR[@]}")")" \
+        lifecycles="$(jo -a \
+          "$(jo phase="${SBOM_LIFECYCLE_PHASE}")")")" \
       components=:"${lSBOM_LOG_FILE}_components.json" \
       dependencies=:"${lSBOM_LOG_FILE}_dependencies.json" \
       vulnerabilities="[]" \