Merge branch 'main' into improved-sbom-filename-extension-handling

Author: Saksham-Sirohi

.github/workflows/codeql-analysis.yml

@@ -51,7 +51,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
+      uses: github/codeql-action/init@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -76,4 +76,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
+      uses: github/codeql-action/analyze@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11

.github/workflows/formatting.yml

@@ -36,7 +36,7 @@ jobs:
         run: |
           python cve_bin_tool/format_checkers.py
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@dd2324fc52d5d43c699a5636bcf19fceaa70c284 # v7.0.7
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
         with:
           commit-message: "chore: update checkers table"
           title: "chore: update checkers table"

.github/workflows/sbom.yml

@@ -62,7 +62,7 @@ jobs:
           cp cve-bin-tool-py${{ matrix.python }}.json sbom/cve-bin-tool-py${{ matrix.python }}.json
       - name: Create Pull Request
         if: ${{ steps.diff-sbom.outputs.changed }}
-        uses: peter-evans/create-pull-request@dd2324fc52d5d43c699a5636bcf19fceaa70c284 # v7.0.7
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
         with:
           commit-message: "chore: update SBOM for Python ${{ matrix.python }}"
           title: "chore: update SBOM for Python ${{ matrix.python }}"

.github/workflows/scorecard.yml

@@ -27,7 +27,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
         with:
           results_file: results.sarif
           results_format: sarif

.github/workflows/update-js-dependencies.yml

@@ -54,7 +54,7 @@ jobs:
         run: python -m pytest -v -n auto test/test_html.py
 
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@dd2324fc52d5d43c699a5636bcf19fceaa70c284 # v7.0.7
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
         with:
           commit-message: "chore: update js dependencies"
           title: "chore: update js dependencies"

.github/workflows/update-pre-commit.yml

@@ -48,7 +48,7 @@ jobs:
           python .github/workflows/update-dev-requirements.py
 
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@dd2324fc52d5d43c699a5636bcf19fceaa70c284 # v7.0.7
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
         with:
           commit-message: "chore: update pre-commit config"
           title: "chore: update pre-commit config"

.github/workflows/update-spdx-header.yml

@@ -33,7 +33,7 @@ jobs:
           sed -i "s/[0-9]\{4\}/$(date +%Y)/" spdx_header.txt
 
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@dd2324fc52d5d43c699a5636bcf19fceaa70c284 # v7.0.7
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
         with:
           commit-message: 'chore: update spdx header'
           title: 'chore: update spdx header'

README.md

@@ -75,7 +75,7 @@ If you want to try the latest code from
 
 Pip will install the python requirements for you, but for some types of extraction we use system libraries. If you have difficulties extracting files, you may want to look at our [additional Requirements lists for Linux and Windows](#additional-requirements).
 
-On first usage (and by default, once per day) The tool will download vulnerability data from [a set of known vulnerability data sources](https://github.com/intel/cve-bin-tool/blob/main/doc/MANUAL.md#data-sources).  Due to reliability issues with NVD, as of release 3.3 we will be using our own NVD mirror at [https://cveb.in/](https://cveb.in/) by default rather than contacting NVD directly.  If you wish to get data directly from the NVD servers you must [provide your own NVD_API_KEY](https://github.com/intel/cve-bin-tool/blob/main/doc/MANUAL.md#--nvd-api-key-nvd_api_key) to use their API.
+On first usage (and by default, once per day), the tool will download vulnerability data from [a set of known vulnerability data sources](https://github.com/intel/cve-bin-tool/blob/main/doc/MANUAL.md#data-sources).  Due to reliability issues with NVD, as of release 3.3, we will be using our own NVD mirror at [https://cveb.in/](https://cveb.in/) by default rather than contacting NVD directly.  If you wish to get data directly from the NVD servers, you must [provide your own NVD_API_KEY](https://github.com/intel/cve-bin-tool/blob/main/doc/MANUAL.md#--nvd-api-key-nvd_api_key) to use their API.
 
 If you are using a release prior to 3.3 that does not use our mirror, please use an NVD_API_KEY as described above.
 
@@ -123,7 +123,7 @@ The [SBOM generation how-to guide](https://github.com/intel/cve-bin-tool/blob/ma
 
 ### Generating a VEX
 
-As well as scanning VEX, CVE Binary Tool can be used to generate an VEX from a scan as follows:
+As well as scanning VEX, CVE Binary Tool can be used to generate a VEX from a scan as follows:
 
 ```bash
 cve-bin-tool  --vex-type <vex_type> --vex-output <vex_filename> <other scan options as required>
@@ -137,7 +137,7 @@ The [VEX generation how-to guide](https://github.com/intel/cve-bin-tool/blob/mai
 ### Triaging vulnerabilities
 
 The `--vex-file` option can be used to add extra triage data like remarks, comments etc. while scanning a directory so that output will reflect this triage data and you can save time of re-triaging (Usage: `cve-bin-tool --vex-file test.json /path/to/scan`).
-The supported format is the [CycloneDX](https://cyclonedx.org/capabilities/vex/),[CSAF](https://oasis-open.github.io/csaf-documentation/) and [OpenVEX](https://edu.chainguard.dev/open-source/sbom/what-is-openvex/) VEX format which can be generated using the `--vex-output` option.
+The supported formats are the [CycloneDX](https://cyclonedx.org/capabilities/vex/), [CSAF](https://oasis-open.github.io/csaf-documentation/) and [OpenVEX](https://edu.chainguard.dev/open-source/sbom/what-is-openvex/) VEX formats which can be generated using the `--vex-output` option.
 
 Typical usage:
 
@@ -385,7 +385,7 @@ The tool does not guarantee that any vulnerabilities reported are actually prese
 
 Users can add triage information to reports to mark issues as false positives, indicate that the risk has been mitigated by configuration/usage changes, and so on.
 
-Triage details can be re-used on other projects so, for example, triage on a Linux base image could be applied to multiple containers using that image.
+Triage details can be reused on other projects so, for example, triage on a Linux base image could be applied to multiple containers using that image.
 
 For more information and usage of triage information with the tool kindly have a look [here](https://cve-bin-tool.readthedocs.io/en/latest/triaging_process.html).
 
@@ -508,6 +508,7 @@ Output:
                         specify type of software bill of materials (sbom) to generate (default: spdx)
   <a href="https://github.com/intel/cve-bin-tool/blob/main/doc/MANUAL.md#--sbom-format">--sbom-format {tag,json,yaml}</a>
                         specify format of software bill of materials (sbom) to generate (default: tag)
+  --strip-scan-dir      strip scan directory from sbom evidence location paths and CVE paths (useful with a firmware dump)
 
 Vex Output:
   Arguments related to Vex output document.

cve_bin_tool/checkers/README.md

@@ -35,7 +35,7 @@ from cve_bin_tool.checkers import Checker
 class CurlChecker(Checker):
 ```
 
-Every checker may contain following 5 class attributes specific to product(ex: curl)
+Every checker may contain following 5 class attributes specific to product (ex: curl)
 you are making checker for:
 
 1. CONTAINS_PATTERNS - list of commonly found strings in the binary of the product
@@ -45,7 +45,7 @@ you are making checker for:
 NVD.
 5. IGNORE_PATTERNS (optional) - list of patterns that could cause false positives (e.g. error messages that mention specific product/versions)
 
-`CONTAINS_PATTERN`, `FILENAME_PATTERNS` and `VERSION_PATTERNS` supports regex to cover
+`CONTAINS_PATTERN`, `FILENAME_PATTERNS`, `VERSION_PATTERNS` and `IGNORE_PATTERNS` supports regex to cover
 wide range of use cases.
 
 Once the checker is added, its name should also be added to `__init__.py` (so

cve_bin_tool/cli.py

@@ -348,9 +348,9 @@ def main(argv=None):
         help="specify format of software bill of materials (sbom) to generate (default: tag)",
     )
     output_group.add_argument(
-        "--sbom-strip-root",
+        "--strip-scan-dir",
         action="store_true",
-        help="strip SBOM root from evidence location paths (useful when building SBOM from firmware dump)",
+        help="strip scan directory from sbom evidence location paths and CVE paths (useful with a firmware dump)",
         default=False,
     )
     vex_output_group = parser.add_argument_group(
@@ -1250,7 +1250,7 @@ def main(argv=None):
             sbom_type=args["sbom_type"],
             sbom_format=args["sbom_format"],
             sbom_root=sbom_root,
-            sbom_strip_root=args["sbom_strip_root"],
+            strip_scan_dir=args["strip_scan_dir"],
             offline=args["offline"],
         )
 

cve_bin_tool/output_engine/__init__.py

@@ -32,6 +32,7 @@
     intermediate_output,
 )
 from cve_bin_tool.sbom_manager.generate import SBOMGenerate
+from cve_bin_tool.util import strip_path
 from cve_bin_tool.version import VERSION
 from cve_bin_tool.vex_manager.generate import VEXGenerate
 
@@ -44,6 +45,7 @@ def save_intermediate(
     products_with_cve: int,
     products_without_cve: int,
     total_files: int,
+    strip_scan_dir: bool = False,
 ):
     """Save the intermediate report"""
 
@@ -54,6 +56,7 @@ def save_intermediate(
         products_with_cve,
         products_without_cve,
         total_files,
+        strip_scan_dir,
     )
     with open(filename, "w") as f:
         json.dump(inter_output, f, indent="    ")
@@ -62,14 +65,18 @@ def save_intermediate(
 def output_csv(
     all_cve_data: dict[ProductInfo, CVEData],
     all_cve_version_info: dict[str, VersionInfo] | None,
+    scanned_dir: str,
     outfile,
     detailed: bool = False,
     affected_versions: int = 0,
     metrics: bool = False,
+    strip_scan_dir: bool = False,
 ):
     """Output a CSV of CVEs"""
     formatted_output = format_output(
         all_cve_data,
+        scanned_dir,
+        strip_scan_dir,
         all_cve_version_info,
         detailed,
         affected_versions,
@@ -123,11 +130,13 @@ def output_pdf(
         is_report,
         products_with_cve,
         all_cve_version_info,
+        scanned_dir: str,
         outfile,
         merge_report,
         affected_versions: int = 0,
         exploits: bool = False,
         metrics: bool = False,
+        strip_scan_dir: bool = False,
         all_product_data=None,
     ):
         """Output a PDF of CVEs"""
@@ -321,7 +330,15 @@ def output_pdf(
                             "comments": cve.comments,
                         }
                     )
-                    path_elements = ", ".join(cve_data["paths"])
+                    if strip_scan_dir:
+                        path_elements = ", ".join(
+                            [
+                                strip_path(path, scanned_dir)
+                                for path in cve_data["paths"]
+                            ]
+                        )
+                    else:
+                        path_elements = ", ".join(cve_data["paths"])
                     for path_element in path_elements.split(","):
                         path_entry = {
                             "vendor": product_info.vendor,
@@ -589,11 +606,13 @@ def output_pdf(
         is_report,
         products_with_cve,
         all_cve_version_info,
+        scanned_dir: str,
         outfile,
         merge_report,
         affected_versions: int = 0,
         exploits: bool = False,
         all_product_data=None,
+        strip_scan_dir: bool = False,
     ):
         """Output a PDF of CVEs
         Required module: Reportlab not found"""
@@ -629,6 +648,7 @@ class OutputEngine:
         sbom_type (str)
         sbom_format (str)
         sbom_root (str)
+        strip_scan_dir (bool)
         offline (bool)
 
     Methods:
@@ -667,7 +687,7 @@ def __init__(
         sbom_type: str = "spdx",
         sbom_format: str = "tag",
         sbom_root: str = "CVE_SBOM",
-        sbom_strip_root: bool = False,
+        strip_scan_dir: bool = False,
         vex_filename: str = "",
         vex_type: str = "",
         vex_product_info: dict[str, str] = {},
@@ -699,7 +719,7 @@ def __init__(
         self.sbom_type = sbom_type
         self.sbom_format = sbom_format
         self.sbom_root = sbom_root
-        self.sbom_strip_root = sbom_strip_root
+        self.strip_scan_dir = strip_scan_dir
         self.offline = offline
         self.organized_arguements = organized_arguements
         self.sbom_packages = {}
@@ -716,43 +736,51 @@ def output_cves(self, outfile, output_type="console"):
             output_json(
                 self.all_cve_data,
                 self.all_cve_version_info,
+                self.scanned_dir,
                 outfile,
                 self.detailed,
                 self.affected_versions,
                 self.metrics,
+                self.strip_scan_dir,
             )
         elif output_type == "json2":
             output_json2(
                 self.all_cve_data,
                 self.all_cve_version_info,
+                self.scanned_dir,
                 self.time_of_last_update,
                 outfile,
                 self.affected_versions,
                 self.organized_arguements,
                 self.detailed,
                 self.exploits,
                 self.metrics,
+                self.strip_scan_dir,
             )
         elif output_type == "csv":
             output_csv(
                 self.all_cve_data,
                 self.all_cve_version_info,
+                self.scanned_dir,
                 outfile,
                 self.detailed,
                 self.affected_versions,
                 self.metrics,
+                self.strip_scan_dir,
             )
         elif output_type == "pdf":
             output_pdf(
                 self.all_cve_data,
                 self.is_report,
                 self.products_with_cve,
                 self.all_cve_version_info,
+                self.scanned_dir,
                 outfile,
                 self.merge_report,
                 self.affected_versions,
                 self.exploits,
                 self.metrics,
+                self.strip_scan_dir,
             )
         elif output_type == "html":
             output_html(
@@ -768,15 +796,18 @@ def output_cves(self, outfile, output_type="console"):
                 self.logger,
                 outfile,
                 self.affected_versions,
+                self.strip_scan_dir,
             )
         else:  # console, or anything else that is unrecognised
             output_console(
                 self.all_cve_data,
                 self.all_cve_version_info,
+                self.scanned_dir,
                 self.time_of_last_update,
                 self.affected_versions,
                 self.exploits,
                 self.metrics,
+                self.strip_scan_dir,
                 self.all_product_data,
                 self.offline,
                 None,
@@ -789,6 +820,7 @@ def output_cves(self, outfile, output_type="console"):
                 self.append,
                 self.tag,
                 self.scanned_dir,
+                self.strip_scan_dir,
                 self.products_with_cve,
                 self.products_without_cve,
                 self.total_files,
@@ -819,7 +851,7 @@ def output_cves(self, outfile, output_type="console"):
                 self.sbom_type,
                 self.sbom_format,
                 self.sbom_root,
-                self.sbom_strip_root,
+                self.strip_scan_dir,
                 self.logger,
             )
             sbomgen.generate_sbom()

cve_bin_tool/output_engine/console.py

@@ -18,7 +18,7 @@
 from ..input_engine import Remarks
 from ..linkify import linkify_cve
 from ..theme import cve_theme
-from ..util import ProductInfo, VersionInfo
+from ..util import ProductInfo, VersionInfo, strip_path
 from ..version import VERSION
 from .util import (
     format_path,
@@ -47,10 +47,12 @@ def output_console(*args: Any):
 def _output_console_nowrap(
     all_cve_data: dict[ProductInfo, CVEData],
     all_cve_version_info: dict[str, VersionInfo],
+    scanned_dir: str,
     time_of_last_update: datetime,
     affected_versions: int,
     exploits: bool = False,
     metrics: bool = False,
+    strip_scan_dir: bool = False,
     all_product_data=None,
     offline: bool = False,
     width: int = None,
@@ -286,13 +288,17 @@ def validate_cell_length(cell_name, cell_type):
         color = "green"
         for cve_data in cve_by_paths[remarks]:
             path_root = format_path(cve_data["paths"])
+            if strip_scan_dir:
+                path_root_0 = strip_path(path_root[0], scanned_dir)
+            else:
+                path_root_0 = path_root[0]
             cells = [
                 Text.styled(validate_cell_length(cve_data["vendor"], "Vendor "), color),
                 Text.styled(
                     validate_cell_length(cve_data["product"], "Product "), color
                 ),
                 Text.styled(cve_data["version"], color),
-                Text.styled(validate_cell_length(path_root[0], "Root "), color),
+                Text.styled(validate_cell_length(path_root_0, "Root "), color),
                 Text.styled(validate_cell_length(path_root[1], "Path "), color),
             ]
             table.add_row(*cells)