diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt index af68221feb..af0ac355a2 100644 --- a/.github/actions/spelling/expect.txt +++ b/.github/actions/spelling/expect.txt @@ -9,3 +9,13 @@ rdf sbom spdx swid +aiohttp +cdx +cwes +getbootstrap +GMS +NOTKNOWN +pyyaml +skontar +Svunknown +urllib diff --git a/README.md b/README.md index d1fd492263..71c67c2592 100644 --- a/README.md +++ b/README.md @@ -79,10 +79,6 @@ To scan a comma-delimited (CSV) or JSON file which lists dependencies and versio cve-bin-tool --input-file ``` -Note that the `--input-file` option can also be used to add extra triage data like remarks, comments etc. while scanning a directory so that output will reflect this triage data and you can save time of re-triaging (Usage: `cve-bin-tool -i=test.csv /path/to/scan`). -A VEX file (which may be created using the `--vex` command line option) can also be used as a triage file. A VEX file -is detected if the file suffix is '.vex'. - ### Scanning an SBOM file for known vulnerabilities To scan a software bill of materials file (SBOM): 
@@ -94,6 +90,11 @@ cve-bin-tool --sbom --sbom-file Valid SBOM types are [SPDX](https://spdx.dev/specifications/), [CycloneDX](https://cyclonedx.org/specification/overview/), and [SWID](https://csrc.nist.gov/projects/software-identification-swid/guidelines). +### Providing triage input + +The `--triage-input-file` option can be used to add extra triage data like remarks, comments etc. while scanning a directory so that output will reflect this triage data and you can save time of re-triaging (Usage: `cve-bin-tool --triage-input-file test.vex /path/to/scan`). +The supported format is the [CycloneDX](https://cyclonedx.org/capabilities/vex/) VEX format which can be generated using the `--vex` option. + ### Using the tool offline Specifying the `--offline` option when running a scan ensures that cve-bin-tool doesn't attempt to download the latest database files or to check for a newer version of the tool. @@ -114,7 +115,7 @@ Note: Please don't use spaces between comma (',') and the output formats. The reported vulnerabilities can additionally be reported in the Vulnerability Exchange (VEX) format by specifying `--vex` command line option. -The generated VEX file can then be used as an `--input-file` to support +The generated VEX file can then be used as a `--triage-input-file` to support a triage process. If you wish to use PDF support, you will need to install the `reportlab` 
@@ -400,11 +401,11 @@ with security issues that have been compiled into their binaries. The tool does not guarantee that any vulnerabilities reported are actually present or exploitable, neither is it able to find all present vulnerabilities with a guarantee. -Users can add triage information to reports to mark issues as false positives, false negatives, indicate that the risk has been mitigated by configuration/usage changes, and so on. +Users can add triage information to reports to mark issues as false positives, indicate that the risk has been mitigated by configuration/usage changes, and so on. Triage details can be re-used on other projects so, for example, triage on a Linux base image could be applied to multiple containers using that image. -For more information and usage of triage information with the tool kindly have a look [here](https://cve-bin-tool.readthedocs.io/en/latest/MANUAL.html#i-input-file-input-file-input-file). +For more information and usage of triage information with the tool kindly have a look [here](https://cve-bin-tool.readthedocs.io/en/latest/MANUAL.html#triage-input-file-input-file). If you are using the binary scanner capabilities, be aware that we only have a limited number of binary checkers (see table above) so we can only detect those libraries. Contributions of new checkers are always welcome! You can also use an alternate way to detect components (for example, a bill of materials tool such as [tern](https://github.com/tern-tools/tern)) and then use the resulting list as input to cve-bin-tool to get a more comprehensive vulnerability list. diff --git a/doc/MANUAL.md b/doc/MANUAL.md index 751d7a0bd0..de8d9f4289 100644 --- a/doc/MANUAL.md +++ b/doc/MANUAL.md 
@@ -359,7 +359,7 @@ Specify path to directory you want to scan. ### -i INPUT_FILE, --input-file INPUT_FILE -This option extends functionality of *csv2cve* for other formats like JSON and allow cve-bin-tool to accept some form of triage data and incorporate that into the output so that people could spend less time re-triaging. +This option extends functionality of *csv2cve* for other formats like JSON. You can provide either CSV or JSON file as input_file with vendor, product and version fields. You can also add optional fields like remarks, comments, cve_number, severity. Here's the detailed description and usecase of each fields: 
@@ -377,8 +377,14 @@ You can provide either CSV or JSON file as input_file with vendor, product and v 4. **severity** - This field allows you to adjust severity score of specific product or CVE. This can be useful in the case where CVE affects a portion of the library that you aren't using currently but you don't want to ignore it completely. In that case, you can reduce severity for this CVE. 5. **cve_number** - This field give you fine grained control over output of specific CVE. You can change remarks, comments and severity for specific CVE instead of whole product. -You can also provide a Vulnerability Exchange (VEX) file which contains the reported vulnerabilities for components within a product. The supported format -is the [CycloneDX](https://cyclonedx.org/capabilities/vex/) VEX format which can be generated using the `--vex` option. A VEX file is identified with a file extension of .vex. +Note that `--input-file`, unlike `cve-bin-tool directory` scan, will work on *any* product known in the National Vulnerability Database, not only those that have checkers written. + +> Note: For backward compatibility, we still support `csv2cve` command for producing CVEs from csv but we recommend using new `--input-file` command instead. + +### --triage-input-file INPUT_FILE + +This option allows you to provide triage data and incorporate that into the output so that people could spend less time re-triaging. The supported format +is the [CycloneDX](https://cyclonedx.org/capabilities/vex/) VEX format which can be generated using the `--vex` option. For the triage process, the **state** value in the analysis section of each CVE should have one of the following values: ``` 
@@ -390,78 +396,125 @@ For the triage process, the **state** value in the analysis section of each CVE The **detail** value in the analysis section can be used to provide comments related to the state -You can use `-i` or `--input-file` option to produce list of CVEs found in given vendor, product and version fields (Usage: `cve-bin-tool -i=test.csv`) or supplement extra triage data like remarks, comments etc. while scanning directory so that output will reflect this triage data and you can save time of re-triaging (Usage: `cve-bin-tool -i=test.csv /path/to/scan`). - -Note that `--input-file`, unlike `cve-bin-tool directory` scan, will work on *any* product known in the National Vulnerability Database, not only those that have checkers written. +For example, if `input_file.csv` contains the following data: -> Note: For backward compatibility, we still support `csv2cve` command for producing CVEs from csv but we recommend using new `--input-file` command instead. +``` +| vendor | product | version | +| --------------- | --------- | --------- | +| plot | plotly | h5.10.0 | +| pocoo | jinja2 | 3.1.2 | +| aiohttp_project | aiohttp | 3.8.1 | +| pyyaml | pyyaml | 6.0 | +| python | requests | 2.28.1 | +| python | urllib3 | 1.26.12 | +| skontar | cvss | 2.5 | +| getbootstrap | bootstrap | 5.2.0 | +| plotly | plotly.js | 2.13.2 | +``` -For Example if input_file contains following data: +Where `aiohttp_project` and `plotly` are affected by `CVE-2022-33124` and `GMS-2016-69`, respectively, +you could provide the following triage file: -| vendor | product | version | remarks | comments | cve_number | severity | -| ------------- | ------------- | -------- | --------- | ------------------------------------- | -------------- | -------- | -| libjpeg-turbo | libjpeg-turbo | 2.0.1 | 3 | High priority need to resolve fast | CVE-2018-19664 | CRITICAL | -| libjpeg-turbo | libjpeg-turbo | 2.0.1 | 2 | Need to mitigate cves of this product | | HIGH | -| haxx | curl | 7.59.0 | 1 | | | | -| 
haxx | libcurl | 7.59.0 | | | | | -| mit | kerberos_5 | 5-1.15.1 | 3 | | | | -| mit | kerberos | 1.15.1 | | | | | -| sun | sunos | 5.4 | 4 | | | | -| ssh | ssh2 | 2.0 | Mitigated | | | | +``` +{ + "bomFormat": "CycloneDX", + "specVersion": "1.4", + "version": 1, + "vulnerabilities": [ + { + "id": "GMS-2016-69", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/GMS-2016-69" + }, + "ratings": [ + { + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=GMS-2016-69&vector=unknown&version=2.0" + }, + "score": "unknown", + "severity": "unknown", + "method": "CVSSvunknown", + "vector": "unknown" + } + ], + "cwes": [], + "description": "If an attacker can trick an unsuspecting user into viewing a specially crafted plot on a site that uses plotly.js, then the attacker could potentially retrieve authentication tokens and perform actions on behalf of the user.", + "recommendation": "", + "advisories": [], + "created": "NOT_KNOWN", + "published": "NOT_KNOWN", + "updated": "NOT_KNOWN", + "analysis": { + "state": "not_affected", + "response": [ "code_not_reachable" ], + "justification": "", + "detail": "" + }, + "affects": [ + { + "ref": "urn:cdx:NOTKNOWN/1#plotly.js-2.13.2" + } + ] + } + ] +} +``` -You can test it using our [test input file](https://github.com/intel/cve-bin-tool/blob/main/test/json/test_triage.json) with following command: +Then when you invoke `cve-bin-tool` like this: ```console -cve-bin-tool -i="test/json/test_triage.json" +cve-bin-tool -i="input_file.csv" --triage-input-file triage.vex ``` The output will look like following: - ╔══════════════════════════════════════════════════════════════════════════════╗ - ║ CVE BINARY TOOL ║ - ╚══════════════════════════════════════════════════════════════════════════════╝ - - • cve-bin-tool Report Generated: 2020-07-31 17:49:56 - ╭───────────────╮ - │ NewFound CVEs │ - ╰───────────────╯ - ┏━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━┓ 
- ┃ Vendor ┃ Product ┃ Version ┃ CVE Number ┃ Severity ┃ - ┡━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━┩ - │ haxx │ curl │ 7.59.0 │ CVE-2019-5443 │ HIGH │ - │ haxx │ curl │ 7.59.0 │ CVE-2019-5481 │ CRITICAL │ - └────────┴─────────┴─────────┴───────────────────┴───────────┘ - ╭─────────────────╮ - │ Unexplored CVEs │ - ╰─────────────────╯ - ┏━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━┓ - ┃ Vendor ┃ Product ┃ Version ┃ CVE Number ┃ Severity ┃ - ┡━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━┩ - │ haxx │ libcurl │ 7.59.0 │ CVE-2018-14618 │ CRITICAL │ - │ haxx │ libcurl │ 7.59.0 │ CVE-2018-16890 │ HIGH │ - │ mit │ kerberos │ 1.15.1 │ CVE-2000-0547 │ MEDIUM │ - │ libjpeg-turbo │ libjpeg-turbo │ 2.0.1 │ CVE-2018-20330 │ HIGH │ - └────────────────┴────────────────┴─────────┴─────────────────┴───────────┘ - ╭────────────────╮ - │ Confirmed CVEs │ - ╰────────────────╯ - ┏━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━┓ - ┃ Vendor ┃ Product ┃ Version ┃ CVE Number ┃ Severity ┃ - ┡━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━┩ - │ mit │ kerberos_5 │ 5-1.15.1 │ CVE-2018-5729 │ MEDIUM │ - │ mit │ kerberos_5 │ 5-1.15.1 │ CVE-2018-5730 │ LOW │ - │ libjpeg-turbo │ libjpeg-turbo │ 2.0.1 │ CVE-2018-19664 │ CRITICAL │ - └────────────────┴────────────────┴───────────┴─────────────────┴───────────┘ - ╭────────────────╮ - │ Mitigated CVEs │ - ╰────────────────╯ - ┏━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━┓ - ┃ Vendor ┃ Product ┃ Version ┃ CVE Number ┃ Severity ┃ - ┡━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━━┩ - │ ssh │ ssh2 │ 2.0 │ CVE-1999-1029 │ HIGH │ - │ ssh │ ssh2 │ 2.0 │ CVE-1999-1231 │ MEDIUM │ - │ sun │ sunos │ 5.4 │ CVE-1999-0008 │ HIGH │ - └────────┴─────────┴─────────┴────────────────┴──────────┘ +``` 
+╔══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════╗ +║ CVE BINARY TOOL version: 3.1.1 ║ +╚══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════╝ + + • Report Generated: 2022-11-09 13:52:20 + • Time of last update of CVE Data: 2022-11-09 13:39:31 +╭─────────────╮ +│ CVE SUMMARY │ +╰─────────────╯ +┏━━━━━━━━━━┳━━━━━━━┓ +┃ Severity ┃ Count ┃ +┡━━━━━━━━━━╇━━━━━━━┩ +│ CRITICAL │ 0 │ +│ HIGH │ 0 │ +│ MEDIUM │ 1 │ +│ LOW │ 0 │ +└──────────┴───────┘ +╭───────────────────╮ +│ Unexplored CVEs │ +╰───────────────────╯ +┏━━━━━━━━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━┓ +┃ Vendor ┃ Product ┃ Version ┃ CVE Number ┃ Source ┃ Severity ┃ Score (CVSS Version) ┃ +┡━━━━━━━━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━┩ +│ aiohttp_project │ aiohttp │ 3.8.1 │ CVE-2022-33124 │ NVD │ MEDIUM │ 5.5 (v3) │ +└─────────────────┴─────────┴─────────┴────────────────┴────────┴──────────┴──────────────────────┘ +┏━━━━━━━━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━┳━━━━━━┳━━━━━━━━━━┓ +┃ Vendor ┃ Product ┃ Version ┃ Root ┃ Filename ┃ +┡━━━━━━━━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━╇━━━━━━╇━━━━━━━━━━┩ +│ aiohttp_project │ aiohttp │ 3.8.1 │ │ │ +└─────────────────┴─────────┴─────────┴──────┴──────────┘ +╭──────────────────╮ +│ Mitigated CVEs │ +╰──────────────────╯ +┏━━━━━━━━┳━━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━┓ +┃ Vendor ┃ Product ┃ Version ┃ CVE Number ┃ Source ┃ Severity ┃ Score (CVSS Version) ┃ +┡━━━━━━━━╇━━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━┩ +│ plotly │ plotly.js │ 2.13.2 │ GMS-2016-69 │ GAD │ unknown │ unknown │ +└────────┴───────────┴─────────┴─────────────┴────────┴──────────┴──────────────────────┘ +┏━━━━━━━━┳━━━━━━━━━━━┳━━━━━━━━━┳━━━━━━┳━━━━━━━━━━┓ +┃ Vendor ┃ Product ┃ Version ┃ Root ┃ Filename ┃ 
+┡━━━━━━━━╇━━━━━━━━━━━╇━━━━━━━━━╇━━━━━━╇━━━━━━━━━━┩ +│ plotly │ plotly.js │ 2.13.2 │ │ │ +└────────┴───────────┴─────────┴──────┴──────────┘ +``` ### -L PACKAGE_LIST, --package-list PACKAGE_LIST @@ -516,8 +569,8 @@ input: # Directory to scan directory: test/assets # To supplement triage data of previous scan or run standalone as csv2cve - # Currently we only support csv and json file. - input_file: test/csv/triage.csv + # Currently we only support vex file. + triage_input_file: triage.vex checker: # list of checkers you want to skip
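Review bot: The `.github/actions/spelling/expect.txt` hunk allow-lists `Svunknown`, `NOTKNOWN` and `GMS` only because the new MANUAL.md example VEX contains placeholder tokens (`"method": "CVSSvunknown"`, `"ref": "urn:cdx:NOTKNOWN/1#plotly.js-2.13.2"`); `Svunknown` in particular appears to be a fragment the checker produced from `CVSSvunknown` and is not a word anyone will write again. Trim those placeholder fields from the example instead of teaching the spell checker about them, and keep only the dictionary entries that real words in the docs need (`aiohttp`, `cdx`, `cwes`, `getbootstrap`, `pyyaml`, `skontar`, `urllib`).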
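Review bot: The README hunk at `@@ -79,10 +79,6 @@` removes the statement that a VEX file is recognised by its `.vex` suffix, and nothing in the rest of the patch restates the rule. Say in the new `Providing triage input` section whether `--triage-input-file` still requires the `.vex` extension or accepts any filename; users migrating from `--input-file` are otherwise left guessing why a triage file is rejected.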
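Review bot: In the README hunk adding `### Providing triage input`, the sentence describes the data as "remarks, comments etc." and the use case as "while scanning a directory", but both were carried over from the CSV/JSON wording: a CycloneDX VEX file contributes the `analysis.state` and `analysis.detail` of each vulnerability, and the MANUAL example in this same patch applies it to an `-i` CSV scan rather than a directory. Name the two VEX fields explicitly and say the option works with directory, `--input-file` and `--sbom` scans alike, if that is the intended behaviour.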
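Review bot: Style point in the README hunk at `@@ -114,7 +115,7 @@`: "can then be used as a `--triage-input-file`" treats the flag as a noun; "can then be passed via `--triage-input-file`" reads more naturally and matches the phrasing used for `--vex` in the preceding sentence.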
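Review bot: In the README hunk at `@@ -400,11 +401,11 @@`, the new anchor `#triage-input-file-input-file` is generated from the MANUAL heading text `--triage-input-file INPUT_FILE`, so it is correct only while that heading keeps its exact metavar; renaming the metavar later would break the link without any build error. Consider an explicit anchor in MANUAL.md that the README can reference. Dropping "false negatives" from the triage sentence is consistent with the CycloneDX VEX `state` values listed in MANUAL.md, none of which expresses a false negative.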
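Review bot: In the MANUAL.md hunk at `@@ -359,7 +359,7 @@`, the rewritten sentence removes the triage claim from `--input-file`, yet the unchanged paragraph right after it still advertises `remarks, comments, cve_number, severity` as optional fields and goes on to describe each of them; the section now contradicts itself about whether CSV/JSON input carries triage data. If those columns are still honoured, keep one sentence saying so and point to `--triage-input-file` as the preferred path; if they are not, remove the field descriptions in the same change.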
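Review bot: In the MANUAL.md hunk adding `### --triage-input-file INPUT_FILE`, the metavar `INPUT_FILE` duplicates the one in the `-i INPUT_FILE, --input-file INPUT_FILE` heading, which makes the two sections hard to tell apart in the table of contents and in generated anchors; `TRIAGE_INPUT_FILE` would match the `triage_input_file` config key introduced later in this patch. The two notes moved into this hunk (the "any product known in the National Vulnerability Database" note and the `csv2cve` backward-compatibility note) now sit directly above the new heading; confirm they are meant to stay with the `-i` section, since a reader scanning by heading may attach them to `--triage-input-file`.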
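Review bot: In the MANUAL.md hunk at `@@ -390,78 +396,125 @@`, the example VEX puts `"response": [ "code_not_reachable" ]` with an empty `"justification"`; in the CycloneDX 1.4 schema the file declares, `code_not_reachable` is a `justification` value, while `response` takes values such as `will_not_fix`, `update` or `workaround_available`. Swap the two fields so the documented triage file validates. Further points in the same hunk: the block introduced as "if `input_file.csv` contains the following data" shows a Markdown pipe table inside a fence rather than CSV, so a reader copying it gets a file the tool cannot parse; show real rows (`vendor,product,version` followed by `plot,plotly,5.10.0` and so on). The version `h5.10.0` for `plot`/`plotly` looks like a stray character. The `source.url` points at NVD for `GMS-2016-69` although the output table lists its source as `GAD`, and the `ratings`, `created`/`published`/`updated` and `affects.ref` entries are all `unknown`/`NOT_KNOWN` placeholders; cutting the example down to the fields triage consumes (`id`, `affects`, `analysis.state`, `analysis.detail`) would make it shorter and remove the need for the spelling allow-list additions. Finally, the command line reads `--triage-input-file triage.vex` but the prose never says to save the JSON as `triage.vex`; add that one sentence before the command.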
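Review bot: In the `doc/MANUAL.md` config hunk at `@@ -516,8 +569,8 @@`, the unchanged comment `# To supplement triage data of previous scan or run standalone as csv2cve` still describes the old `input_file` key; `triage_input_file` cannot run standalone as csv2cve, so drop that clause (the csv2cve role belongs to `input_file`, which this example no longer shows). The new comment `# Currently we only support vex file.` should read `# Currently only a CycloneDX VEX file is supported.`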