Merge branch 'main' into fix--test_source_osv

Author: Saksham-Sirohi

.github/actions/spelling/allow.txt

@@ -480,6 +480,7 @@ msmtp
 msys
 mtr
 mupdf
+musl
 mutt
 myapp
 myappvendor
@@ -817,6 +818,7 @@ wsl
 www
 wzao
 Xchange
+XDG
 XDRAGON
 xerces
 Xiph

.github/workflows/codeql-analysis.yml

@@ -51,7 +51,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+      uses: github/codeql-action/init@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -76,4 +76,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+      uses: github/codeql-action/analyze@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19

.github/workflows/fuzzing.yml

@@ -95,7 +95,7 @@ jobs:
           PYTHONPATH: ${{ github.workspace }}
         run: |
           cd fuzz
-          export PYTHONPATH="$PYTHONPATH:/generated"
+          export PYTHONPATH="$PYTHONPATH:./generated"
           fuzzing_scripts=($(ls *.py))
           echo "Found Fuzzing scripts: ${fuzzing_scripts[@]}"
           current_week=($(date -u +%U))

.github/workflows/testing.yml

@@ -847,7 +847,7 @@ jobs:
           path: ~/conda_pkgs_dir
           key: ${{ runner.os }}-conda-${{ env.CACHE_NUMBER }}-${{
             hashFiles('requirements.txt') }}
-      - uses: conda-incubator/setup-miniconda@505e6394dae86d6a5c7fbb6e3fb8938e3e863830 # v3.1.1
+      - uses: conda-incubator/setup-miniconda@835234971496cad1653abb28a638a281cf32541f # v3.2.0
         with:
           auto-update-conda: true
           activate-environment: pdftotext

README.md

@@ -16,7 +16,7 @@ CVE Binary Tool uses the NVD API but is not endorsed or certified by the NVD.
 
 The tool has two main modes of operation:
 
-1. A binary scanner which helps you determine which packages may have been included as part of a piece of software. There are <!-- NUMBER OF CHECKERS START-->408<!--NUMBER OF CHECKERS END--> checkers.  Our initial focus was on common, vulnerable open source components such as openssl, libpng, libxml2 and expat.
+1. A binary scanner which helps you determine which packages may have been included as part of a piece of software. There are <!-- NUMBER OF CHECKERS START-->409<!--NUMBER OF CHECKERS END--> checkers.  Our initial focus was on common, vulnerable open source components such as openssl, libpng, libxml2 and expat.
 
 2. Tools for scanning known component lists in various formats, including .csv, several linux distribution package lists, language specific package scanners and several Software Bill of Materials (SBOM) formats.  
 
@@ -226,7 +226,7 @@ The following checkers are available for finding components in binary files:
 
 <!--CHECKERS TABLE BEGIN-->
 |   |  |  | Available checkers |  |  |  |
-|--------------- |------------- |------------------ |---------------- |--------------- |----------------- |------------- |
+|--------------- |-------------- |------------------ |---------------- |-------------- |--------------- |----------------- |
 | accountsservice |acpid |apache_http_server |apcupsd |apparmor |apr |asn1c |
 | assimp |asterisk |atftp |augeas |avahi |axel |bash |
 | bind |binutils |bird |bison |bluez |boa |boinc |
@@ -262,30 +262,30 @@ The following checkers are available for finding components in binary files:
 | lzo2 |mailx |mariadb |mbedtls |mdadm |memcached |micropython |
 | minetest |mini_httpd |minicom |minidlna |miniupnpc |miniupnpd |moby |
 | modsecurity |monit |mosquitto |motion |mp4v2 |mpg123 |mpv |
-| msmtp |mtr |mupdf |mutt |mysql |nano |nasm |
-| nbd |ncurses |neon |nessus |netatalk |netdata |netkit_ftp |
-| netpbm |nettle |nghttp2 |nginx |ngircd |nmap |node |
-| ntfs_3g |ntp |ntpsec |oath_toolkit |ofono |open_iscsi |open_vm_tools |
-| openafs |openblas |opencv |openjpeg |openldap |opensc |openssh |
-| openssl |openswan |openvpn |openvswitch |orc |p7zip |pango |
-| patch |pcre |pcre2 |pcsc_lite |perl |php |picocom |
-| pigz |pixman |pjsip |png |polarssl_fedora |poppler |postgresql |
-| ppp |privoxy |procps_ng |proftpd |protobuf_c |pspp |pure_ftpd |
-| putty |python |qemu |qpdf |qt |quagga |radare2 |
-| radvd |raptor |rauc |rdesktop |readline |redis |rpm |
-| rsync |rsyslog |rtl_433 |rtmpdump |ruby |runc |rust |
-| samba |sane_backends |sasl |sdl |seahorse |shadowsocks_libev |snapd |
-| sngrep |snort |socat |sofia_sip |speex |spice |sqlite |
-| squashfs |squid |sslh |stellarium |strongswan |stunnel |subversion |
-| sudo |suricata |sylpheed |syslogng |sysstat |systemd |tar |
-| tbb |tcpdump |tcpreplay |terminology |tesseract |thrift |thttpd |
-| thunderbird |timescaledb |tinyproxy |tor |toybox |tpm2_tss |traceroute |
-| transmission |trousers |ttyd |twonky_server |u_boot |udisks |unbound |
-| unixodbc |upx |util_linux |uwsgi |varnish |vim |vlc |
-| vorbis_tools |vsftpd |wavpack |webkitgtk |wget |wireshark |wolfssl |
-| wpa_supplicant |xerces |xml2 |xpdf |xscreensaver |xwayland |xz |
-| yasm |zabbix |zbar |zchunk |zeek |zlib |znc |
-| zsh |zstandard | | | | | |
+| msmtp |mtr |mupdf |musl |mutt |mysql |nano |
+| nasm |nbd |ncurses |neon |nessus |netatalk |netdata |
+| netkit_ftp |netpbm |nettle |nghttp2 |nginx |ngircd |nmap |
+| node |ntfs_3g |ntp |ntpsec |oath_toolkit |ofono |open_iscsi |
+| open_vm_tools |openafs |openblas |opencv |openjpeg |openldap |opensc |
+| openssh |openssl |openswan |openvpn |openvswitch |orc |p7zip |
+| pango |patch |pcre |pcre2 |pcsc_lite |perl |php |
+| picocom |pigz |pixman |pjsip |png |polarssl_fedora |poppler |
+| postgresql |ppp |privoxy |procps_ng |proftpd |protobuf_c |pspp |
+| pure_ftpd |putty |python |qemu |qpdf |qt |quagga |
+| radare2 |radvd |raptor |rauc |rdesktop |readline |redis |
+| rpm |rsync |rsyslog |rtl_433 |rtmpdump |ruby |runc |
+| rust |samba |sane_backends |sasl |sdl |seahorse |shadowsocks_libev |
+| snapd |sngrep |snort |socat |sofia_sip |speex |spice |
+| sqlite |squashfs |squid |sslh |stellarium |strongswan |stunnel |
+| subversion |sudo |suricata |sylpheed |syslogng |sysstat |systemd |
+| tar |tbb |tcpdump |tcpreplay |terminology |tesseract |thrift |
+| thttpd |thunderbird |timescaledb |tinyproxy |tor |toybox |tpm2_tss |
+| traceroute |transmission |trousers |ttyd |twonky_server |u_boot |udisks |
+| unbound |unixodbc |upx |util_linux |uwsgi |varnish |vim |
+| vlc |vorbis_tools |vsftpd |wavpack |webkitgtk |wget |wireshark |
+| wolfssl |wpa_supplicant |xerces |xml2 |xpdf |xscreensaver |xwayland |
+| xz |yasm |zabbix |zbar |zchunk |zeek |zlib |
+| znc |zsh |zstandard | | | | |
 <!--CHECKERS TABLE END-->
 
 All the checkers can be found in the checkers directory, as can the

cve_bin_tool/available_fix/debian_cve_tracker.py

@@ -4,18 +4,16 @@
 from __future__ import annotations
 
 from json import dump, load
-from pathlib import Path
 from time import time
 
 from cve_bin_tool.cve_scanner import CVEData
+from cve_bin_tool.database_defaults import DISK_LOCATION_DEFAULT
 from cve_bin_tool.log import LOGGER
 from cve_bin_tool.output_engine.util import ProductInfo, format_output
 from cve_bin_tool.util import make_http_requests
 
 JSON_URL = "https://security-tracker.debian.org/tracker/data/json"
-DEB_CVE_JSON_PATH = (
-    Path("~").expanduser() / ".cache" / "cve-bin-tool" / "debian_cve_data.json"
-)
+DEB_CVE_JSON_PATH = DISK_LOCATION_DEFAULT / "debian_cve_data.json"
 
 UBUNTU_DEBIAN_MAP = {
     "hirsute": "bullseye",

cve_bin_tool/checkers/__init__.py

@@ -271,6 +271,7 @@
     "msmtp",
     "mtr",
     "mupdf",
+    "musl",
     "mutt",
     "mysql",
     "nano",

cve_bin_tool/checkers/musl.py

@@ -0,0 +1,23 @@
+# Copyright (C) 2025 Orange
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+
+"""
+CVE checker for musl
+
+https://www.cvedetails.com/product/39652/Musl-libc-Musl.html?vendor_id=16859
+
+"""
+from __future__ import annotations
+
+from cve_bin_tool.checkers import Checker
+
+
+class MuslChecker(Checker):
+    CONTAINS_PATTERNS: list[str] = []
+    FILENAME_PATTERNS: list[str] = []
+    VERSION_PATTERNS = [
+        r"([0-9]+\.[0-9]+\.[0-9]+)[ -~\t\r\n]*MUSL_LOCPATH",
+        r"musl libc[ -~\t\r\n]*\r?\n([0-9]+\.[0-9]+\.[0-9]+)",
+    ]
+    VENDOR_PRODUCT = [("musl-libc", "musl")]

cve_bin_tool/cli.py

@@ -42,7 +42,7 @@
 from cve_bin_tool.config import ConfigParser
 from cve_bin_tool.config_generator import config_generator
 from cve_bin_tool.cve_scanner import CVEScanner
-from cve_bin_tool.cvedb import CVEDB, OLD_CACHE_DIR
+from cve_bin_tool.cvedb import CVEDB
 from cve_bin_tool.data_sources import (
     DataSourceSupport,
     curl_source,
@@ -53,6 +53,7 @@
     purl2cpe_source,
     redhat_source,
 )
+from cve_bin_tool.database_defaults import OLD_CACHE_DIR
 from cve_bin_tool.error_handler import (
     ERROR_CODES,
     CVEDataMissing,
@@ -353,6 +354,9 @@ def main(argv=None):
         help="strip scan directory from sbom evidence location paths and CVE paths (useful with a firmware dump)",
         default=False,
     )
+    output_group.add_argument(
+        "--no-scan", action="store_true", help="No-Scan Mode", default=False
+    )
     vex_output_group = parser.add_argument_group(
         "Vex Output", "Arguments related to Vex output document."
     )
@@ -1121,6 +1125,7 @@ def main(argv=None):
                 error_mode=error_mode,
                 validate=not args["disable_validation_check"],
                 sources=enabled_sources,
+                no_scan=args["no_scan"],
             )
             version_scanner.remove_skiplist(skips)
             LOGGER.info(f"Number of checkers: {version_scanner.number_of_checkers()}")
@@ -1137,19 +1142,24 @@ def main(argv=None):
             for scan_info in version_scanner.recursive_scan(args["directory"]):
                 if scan_info:
                     product_info, path = scan_info
-                    LOGGER.debug(f"{product_info}: {path}")
+                    LOGGER.debug(f"Product Info: {product_info}, Path: {path}")
                     # add product_info to parsed_data to check for with vex file
                     if product_info in parsed_data:
                         # update the paths in triage_data with the new path
                         triage_data = parsed_data[product_info]
+                        LOGGER.debug("Product info in parsed data")
+                        LOGGER.debug(f"Triage Data: {triage_data}")
                         triage_data["paths"].add(path)
                     else:
                         # create a new entry if product_info not in parsed_data
+                        LOGGER.debug("Product info not in parsed data")
                         triage_data = {"default": {}, "paths": {path}}
+                        LOGGER.debug(f"Triage Data: {triage_data}")
                         parsed_data[product_info] = triage_data
 
                     cve_scanner.get_cves(product_info, triage_data)
             total_files = version_scanner.total_scanned_files
+            LOGGER.info(f"Total files: {total_files}")
 
         if args["merge"]:
             cve_scanner = merge_cve_scanner

cve_bin_tool/cve_scanner.py

@@ -11,7 +11,7 @@
 
 from rich.console import Console
 
-from cve_bin_tool.cvedb import DBNAME, DISK_LOCATION_DEFAULT
+from cve_bin_tool.database_defaults import DBNAME, DISK_LOCATION_DEFAULT
 from cve_bin_tool.error_handler import ErrorMode
 from cve_bin_tool.input_engine import TriageData
 from cve_bin_tool.log import LOGGER