fix: Remove reportlab from default install (#1626)
* fixes #1459

* fix: Remove reportlab from default install

* docs: Provide info on how to install cve-bin-tool[PDF]
terriko committed Mar 31, 2022
1 parent 09ad0cc commit af159c8
Showing 8 changed files with 280 additions and 193 deletions.
2 changes: 2 additions & 0 deletions .github/actions/spelling/allow.txt
Expand Up @@ -260,6 +260,7 @@ pacman
palletsprojects
pcsc
pdf
PDFs
pdftotext
pdxjohnny
peb
Expand Down Expand Up @@ -296,6 +297,7 @@ realpython
rebasing
refactoring
regex
reportlab
Romi
rossburton
rpmfile
32 changes: 32 additions & 0 deletions README.md
Expand Up @@ -98,6 +98,38 @@ Vulnerability Exchange (VEX) format by specifying `--vex` command line option.
The generated VEX file can then be used as an `--input-file` to support
a triage process.

If you wish to use PDF support, you will need to install the `reportlab`
library separately.

If you intend to use PDF support when you install cve-bin-tool you can specify it and report lab will be installed as part of the cve-bin-tool install:
```console
pip install cve-bin-tool[PDF]
```

If you've already installed cve-bin-tool you can add reportlab after the fact
using pip:

```console
pip install --upgrade reportlab
```

Note that reportlab was taken out of the default cve-bin-tool install because
it has a known CVE associated with it
([CVE-2020-28463](https://nvd.nist.gov/vuln/detail/CVE-2020-28463)). The
cve-bin-tool code uses the recommended mitigations to limit which resources
added to PDFs, as well as additional input validation. This is a bit of a
strange CVE because it describes core functionality of PDFs: external items,
such as images, can be embedded in them, and thus anyone viewing a PDF could
load an external image (similar to how viewing a web page can trigger external
loads). There's no inherent "fix" for that, only mitigations where users of
the library must ensure only expected items are added to PDFs at the time of
generation.

Since users may not want to have software installed with an open, unfixable CVE
associated with it, we've opted to make PDF support only available to users who
have installed the library themselves. Once the library is installed, the PDF
report option will function.

## Full option list

Usage:
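Review bot: the added paragraph at "you can specify it and report lab will be installed" misspells the package as "report lab" (the next paragraph and the pip command both use `reportlab`), and "limit which resources added to PDFs" is missing its verb ("which resources can be added"). Two caveats a reader of this section will need: `pip install cve-bin-tool[PDF]` fails under zsh with "no matches found" because the square brackets are treated as a glob, so the example should quote the extra as `pip install 'cve-bin-tool[PDF]'`; and the CVE-2020-28463 explanation is internally inconsistent, because it describes the risk as "anyone viewing a PDF could load an external image" while the mitigation it then gives applies "at the time of generation". The NVD entry for that CVE describes server-side request forgery in reportlab, where an `<img src="...">` in Paragraph markup is fetched by the library while it renders the document, i.e. on the host running cve-bin-tool, not in the reader's PDF viewer. Rewording the viewer-side sentence to say the fetch happens during report generation would make the mitigation sentence and the decision to drop the dependency make sense together.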