feat: added libseccomp checker

intel · Feb 18, 2022 · 5121ca9 · 5121ca9
1 parent ab07fb9
commit 5121ca9
Show file tree

Hide file tree

Showing 8 changed files with 69 additions and 20 deletions.
diff --git a/.github/actions/spelling/allow.txt b/.github/actions/spelling/allow.txt
@@ -181,6 +181,7 @@ libnss
 libpng
 libraryname
 librsvg
+libseccomp
 libsndfile
 libsoup
 libsqlite

diff --git a/README.md b/README.md
@@ -194,23 +194,23 @@ The following checkers are available for finding components in binary files:
 
 <!--CHECKERS TABLE BEGIN-->
 |   |  |  | Available checkers |  |  |  |
-|--------------- |--------------- |--------- |------------- |------------- |---------- |---------- |
+|--------------- |------------ |--------------- |---------- |------------- |---------- |---------- |
 | accountsservice |avahi |bash |bind |binutils |bolt |bubblewrap |
 | busybox |bzip2 |cronie |cryptsetup |cups |curl |dbus |
 | dnsmasq |dovecot |dpkg |enscript |expat |ffmpeg |freeradius |
 | ftp |gcc |gimp |glibc |gnomeshell |gnupg |gnutls |
 | gpgme |gstreamer |gupnp |haproxy |hdf5 |hostapd |hunspell |
 | icecast |icu |irssi |kbd |kerberos |kexectools |libarchive |
 | libbpg |libdb |libgcrypt |libical |libjpeg_turbo |liblas |libnss |
-| librsvg |libsndfile |libsoup |libsrtp |libssh2 |libtiff |libvirt |
-| libvncserver |libxslt |lighttpd |logrotate |lua |mariadb |mdadm |
-| memcached |mtr |mysql |nano |ncurses |nessus |netpbm |
-| nginx |node |ntp |open_vm_tools |openafs |openjpeg |openldap |
-| openssh |openssl |openswan |openvpn |p7zip |pcsc_lite |pigz |
-| png |polarssl_fedora |poppler |postgresql |pspp |python |qt |
-| radare2 |rsyslog |samba |sane_backends |sqlite |strongswan |subversion |
-| sudo |syslogng |systemd |tcpdump |trousers |varnish |webkitgtk |
-| wireshark |wpa_supplicant |xerces |xml2 |zlib |zsh | |
+| librsvg |libseccomp |libsndfile |libsoup |libsrtp |libssh2 |libtiff |
+| libvirt |libvncserver |libxslt |lighttpd |logrotate |lua |mariadb |
+| mdadm |memcached |mtr |mysql |nano |ncurses |nessus |
+| netpbm |nginx |node |ntp |open_vm_tools |openafs |openjpeg |
+| openldap |openssh |openssl |openswan |openvpn |p7zip |pcsc_lite |
+| pigz |png |polarssl_fedora |poppler |postgresql |pspp |python |
+| qt |radare2 |rsyslog |samba |sane_backends |sqlite |strongswan |
+| subversion |sudo |syslogng |systemd |tcpdump |trousers |varnish |
+| webkitgtk |wireshark |wpa_supplicant |xerces |xml2 |zlib |zsh |
 <!--CHECKERS TABLE END-->
 
 All the checkers can be found in the checkers directory, as can the

diff --git a/cve_bin_tool/checkers/__init__.py b/cve_bin_tool/checkers/__init__.py
@@ -61,6 +61,7 @@
     "liblas",
     "libnss",
     "librsvg",
+    "libseccomp",
     "libsndfile",
     "libsoup",
     "libsrtp",

diff --git a/cve_bin_tool/checkers/libseccomp.py b/cve_bin_tool/checkers/libseccomp.py
@@ -0,0 +1,18 @@
+# Copyright (C) 2022 Intel Corporation
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+"""
+CVE checker for libseccomp
+
+https://www.cvedetails.com/vulnerability-list/vendor_id-19760/product_id-53398/Libseccomp-Project-Libseccomp.html
+"""
+from cve_bin_tool.checkers import Checker
+
+
+class LibseccompChecker(Checker):
+    CONTAINS_PATTERNS = []
+    FILENAME_PATTERNS = [r"libseccomp"]
+    VERSION_PATTERNS = [
+        r"libseccomp.so.([0-9]+\.[0-9]+\.[0-9]+)"
+    ]  # patterns like this aren't ideal
+    VENDOR_PRODUCT = [("libseccomp_project", "libseccomp")]
diff --git a/doc/MANUAL.md b/doc/MANUAL.md
@@ -118,23 +118,23 @@ which is useful if you're trying the latest code from
 
 <!--CHECKERS TABLE BEGIN-->
 |   |  |  | Available checkers |  |  |  |
-|--------------- |--------------- |--------- |------------- |------------- |---------- |---------- |
+|--------------- |------------ |--------------- |---------- |------------- |---------- |---------- |
 | accountsservice |avahi |bash |bind |binutils |bolt |bubblewrap |
 | busybox |bzip2 |cronie |cryptsetup |cups |curl |dbus |
 | dnsmasq |dovecot |dpkg |enscript |expat |ffmpeg |freeradius |
 | ftp |gcc |gimp |glibc |gnomeshell |gnupg |gnutls |
 | gpgme |gstreamer |gupnp |haproxy |hdf5 |hostapd |hunspell |
 | icecast |icu |irssi |kbd |kerberos |kexectools |libarchive |
 | libbpg |libdb |libgcrypt |libical |libjpeg_turbo |liblas |libnss |
-| librsvg |libsndfile |libsoup |libsrtp |libssh2 |libtiff |libvirt |
-| libvncserver |libxslt |lighttpd |logrotate |lua |mariadb |mdadm |
-| memcached |mtr |mysql |nano |ncurses |nessus |netpbm |
-| nginx |node |ntp |open_vm_tools |openafs |openjpeg |openldap |
-| openssh |openssl |openswan |openvpn |p7zip |pcsc_lite |pigz |
-| png |polarssl_fedora |poppler |postgresql |pspp |python |qt |
-| radare2 |rsyslog |samba |sane_backends |sqlite |strongswan |subversion |
-| sudo |syslogng |systemd |tcpdump |trousers |varnish |webkitgtk |
-| wireshark |wpa_supplicant |xerces |xml2 |zlib |zsh | |
+| librsvg |libseccomp |libsndfile |libsoup |libsrtp |libssh2 |libtiff |
+| libvirt |libvncserver |libxslt |lighttpd |logrotate |lua |mariadb |
+| mdadm |memcached |mtr |mysql |nano |ncurses |nessus |
+| netpbm |nginx |node |ntp |open_vm_tools |openafs |openjpeg |
+| openldap |openssh |openssl |openswan |openvpn |p7zip |pcsc_lite |
+| pigz |png |polarssl_fedora |poppler |postgresql |pspp |python |
+| qt |radare2 |rsyslog |samba |sane_backends |sqlite |strongswan |
+| subversion |sudo |syslogng |systemd |tcpdump |trousers |varnish |
+| webkitgtk |wireshark |wpa_supplicant |xerces |xml2 |zlib |zsh |
 <!--CHECKERS TABLE END-->
 
 For a quick overview of usage and how it works, you can also see [the readme file](README.md).

diff --git a/test/condensed-downloads/libseccomp-2.3.1-4.el7.x86_64.rpm.tar.gz b/test/condensed-downloads/libseccomp-2.3.1-4.el7.x86_64.rpm.tar.gz
diff --git a/test/condensed-downloads/libseccomp-2.5.0-4.fc34.x86_64.rpm.tar.gz b/test/condensed-downloads/libseccomp-2.5.0-4.fc34.x86_64.rpm.tar.gz
diff --git a/test/test_data/libseccomp.py b/test/test_data/libseccomp.py
@@ -0,0 +1,29 @@
+# Copyright (C) 2022 Intel Corporation
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+mapping_test_data = [
+    {
+        "product": "libseccomp",
+        "version": "2.3.1",
+        "version_strings": ["libseccomp.so.2.3.1"],
+    },
+    {
+        "product": "libseccomp",
+        "version": "2.5.0",
+        "version_strings": ["libseccomp.so.2.5.0"],
+    },
+]
+package_test_data = [
+    {
+        "url": "http://mirror.centos.org/centos/7/os/x86_64/Packages/",
+        "package_name": "libseccomp-2.3.1-4.el7.x86_64.rpm",
+        "product": "libseccomp",
+        "version": "2.3.1",
+    },
+    {
+        "url": "https://download-ib01.fedoraproject.org/pub/fedora/linux/releases/34/Everything/x86_64/os/Packages/l/",
+        "package_name": "libseccomp-2.5.0-4.fc34.x86_64.rpm",
+        "product": "libseccomp",
+        "version": "2.5.0",
+    },
+]