Checker fails - AttributeError: 'NoneType' object has no attribute 'group'

[anthonyharrison]

Checker fails during directory scan

╭─────────────────────────────── Traceback (most recent call last) ────────────────────────────────╮
│ /usr/lib/python3.9/runpy.py:197 in _run_module_as_main │
│ │
│ 194 │ main_globals = sys.modules["main"].dict │
│ 195 │ if alter_argv: │
│ 196 │ │ sys.argv[0] = mod_spec.origin │
│ ❱ 197 │ return _run_code(code, main_globals, None, │
│ 198 │ │ │ │ │ "main", mod_spec) │
│ 199 │
│ 200 def run_module(mod_name, init_globals=None, │
│ │
│ /usr/lib/python3.9/runpy.py:87 in _run_code │
│ │
│ 84 │ │ │ │ │ loader = loader, │
│ 85 │ │ │ │ │ package = pkg_name, │
│ 86 │ │ │ │ │ spec = mod_spec) │
│ ❱ 87 │ exec(code, run_globals) │
│ 88 │ return run_globals │
│ 89 │
│ 90 def _run_module_code(code, init_globals=None, │
│ │
│ /root/Documents/git_repo/cve_latest/lib/python3.9/site-packages/cve_bin_tool/cli.py:468 in │
│ │
│ │
│ 465 │ if os.getenv("NO_EXIT_CVE_NUM"): │
│ 466 │ │ main() │
│ 467 │ else: │
│ ❱ 468 │ │ sys.exit(main()) │
│ 469 │
│ │
│ /root/Documents/git_repo/cve_latest/lib/python3.9/site-packages/cve_bin_tool/cli.py:407 in main │
│ │
│ 404 │ │ │ ) │
│ 405 │ │ │ version_scanner.remove_skiplist(skips) │
│ 406 │ │ │ version_scanner.print_checkers() │
│ ❱ 407 │ │ │ for scan_info in version_scanner.recursive_scan(args["directory"]): │
│ 408 │ │ │ │ if scan_info: │
│ 409 │ │ │ │ │ product_info, path = scan_info │
│ 410 │ │ │ │ │ LOGGER.debug(f"{product_info}: {path}") │
│ │
│ /root/Documents/git_repo/cve_latest/lib/python3.9/site-packages/cve_bin_tool/version_scanner.py: │
│ 258 in recursive_scan │
│ │
│ 255 │ │ │ if os.path.isdir(scan_path): │
│ 256 │ │ │ │ for filepath in self.walker([scan_path]): │
│ 257 │ │ │ │ │ self.file_stack.append(filepath) │
│ ❱ 258 │ │ │ │ │ yield from self.scan_and_or_extract_file(ectx, filepath) │
│ 259 │ │ │ │ │ self.file_stack.pop() │
│ 260 │ │ │ elif os.path.isfile(scan_path): │
│ 261 │ │ │ │ self.file_stack.append(scan_path) │
│ │
│ /root/Documents/git_repo/cve_latest/lib/python3.9/site-packages/cve_bin_tool/version_scanner.py: │
│ 250 in scan_and_or_extract_file │
│ │
│ 247 │ │ │ for filename in self.walker([ectx.extract(filepath)]): │
│ 248 │ │ │ │ clean_path = self.clean_file_path(filename) │
│ 249 │ │ │ │ self.file_stack.append(f" contains {clean_path}") │
│ ❱ 250 │ │ │ │ yield from self.scan_and_or_extract_file(ectx, filename) │
│ 251 │ │ │ │ self.file_stack.pop() │
│ 252 │ │
│ 253 │ def recursive_scan(self, scan_path): │
│ │
│ /root/Documents/git_repo/cve_latest/lib/python3.9/site-packages/cve_bin_tool/version_scanner.py: │
│ 239 in scan_and_or_extract_file │
│ │
│ 236 │ def scan_and_or_extract_file(self, ectx, filepath): │
│ 237 │ │ """Runs extraction if possible and desired otherwise scans.""" │
│ 238 │ │ # Scan the file │
│ ❱ 239 │ │ yield from self.scan_file(filepath) │
│ 240 │ │ # Attempt to extract the file and scan the contents │
│ 241 │ │ if ectx.can_extract(filepath): │
│ 242 │ │ │ if not self.should_extract: │
│ │
│ /root/Documents/git_repo/cve_latest/lib/python3.9/site-packages/cve_bin_tool/version_scanner.py: │
│ 162 in scan_file │
│ │
│ 159 │ │ # If python package then strip the lines to avoid detecting other product strin │
│ 160 │ │ if "PKG-INFO: " in output or "METADATA: " in output: │
│ 161 │ │ │ py_lines = "\n".join(lines.splitlines()[:3]) │
│ ❱ 162 │ │ │ yield from self.run_python_package_checkers(filename, py_lines) │
│ 163 │ │ │
│ 164 │ │ yield from self.run_checkers(filename, lines) │
│ 165 │
│ │
│ /root/Documents/git_repo/cve_latest/lib/python3.9/site-packages/cve_bin_tool/version_scanner.py: │
│ 172 in run_python_package_checkers │
│ │
│ 169 │ │ There are no actual checkers. │
│ 170 │ │ The ProductInfo is computed without the help of any checkers from PKG-INFO or ME │
│ 171 │ │ """ │
│ ❱ 172 │ │ product = search(compile(r"^Name: (.+)$", MULTILINE), lines).group(1) │
│ 173 │ │ version = search(compile(r"^Version: (.+)$", MULTILINE), lines).group(1) │
│ 174 │ │ │
│ 175 │ │ with VendorFetch() as vendor_fetch: │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
AttributeError: 'NoneType' object has no attribute 'group'

File being processed was METADATA file within dateutil-zoneinfo.tar.gz within dateutil Python site-packages.

METADATA contents

{
    "metadata_version": 2.0,
    "releases_url": [
        "https://dateutil.github.io/tzdata/tzdata/",
        "ftp://ftp.iana.org/tz/releases/"
    ],
    "tzdata_file": "tzdata2017b.tar.gz",
    "tzdata_file_sha512": "3e090dba1f52e4c63b4930b28f4bf38b56aabd6728f23094cb5801d10f4e464f17231f17b75b88
66714bf98199c166ea840de0787b75b2274aa419a4e14bbc4d",
    "tzversion": "2017b",
    "zonegroups": [
        "africa",
        "antarctica",
        "asia",
        "australasia",
        "europe",
        "northamerica",
        "southamerica",
        "pacificnew",
        "etcetera",
        "systemv",
        "factory",
        "backzone",
        "backward"
    ]
}

[maxhbr]

I still seem to have this or an similar issue:

╭───────────────────── Traceback (most recent call last) ──────────────────────╮
│                                                                              │
│ /usr/local/bin/cve-bin-tool:8 in <module>                                    │
│                                                                              │
│   5 from cve_bin_tool.cli import main                                        │
│   6 if __name__ == '__main__':                                               │
│   7 │   sys.argv[0] = re.sub(r'(-script\.pyw|\.exe)?$', '', sys.argv[0])     │
│ ❱ 8 │   sys.exit(main())                                                     │
│   9                                                                          │
│ /opt/cve-bin-tool.venv/lib/python3.8/site-packages/cve_bin_tool/cli.py:491   │
│ in main                                                                      │
│                                                                              │
│   488 │   │   │   │   │   triage_data = parsed_data.get(product_info, {"defa │
│   489 │   │   │   │   │   # Ignore paths from triage_data if we are scanning │
│   490 │   │   │   │   │   triage_data["paths"] = {path}                      │
│ ❱ 491 │   │   │   │   │   cve_scanner.get_cves(product_info, triage_data)    │
│   492 │   │   │   total_files = version_scanner.total_scanned_files          │
│   493 │   │                                                                  │
│   494 │   │   if args["merge"]:                                              │
│                                                                              │
│ /opt/cve-bin-tool.venv/lib/python3.8/site-packages/cve_bin_tool/cve_scanner. │
│ py:90 in get_cves                                                            │
│                                                                              │
│    87 │   │   │   else:                                                      │
│    88 │   │   │   │   # Handle a.b.c<string> e.g. 1.20.9rel1                 │
│    89 │   │   │   │   pv = re.search(r"\d[.\d]*", product_info.version)      │
│ ❱  90 │   │   parsed_version = parse_version(pv.group(0))                    │
│    91 │   │                                                                  │
│    92 │   │   self.cursor.execute(query, [vendor, product_info.product, str( │
│    93                                                                        │
╰──────────────────────────────────────────────────────────────────────────────╯
AttributeError: 'NoneType' object has no attribute 'group'

[BreadGenie]

@maxhbr can you give us some idea on what you scanned?

[maxhbr]

I scanned the result of:

$ wget https://fw.gl-inet.com/firmware/mt1300/release/openwrt-mt1300-3.203-0809.bin
$ binwalk -e openwrt-mt1300-3.203-0809.bin

It is just a random openwrt router firmeware, unpacked via binwalk.

[anthonyharrison]

What options did you specify to the cve-bin-tool? And are you using the released version from PyPi or the latest development version from GitHub. To help could you run the cve-bin-tool using the debug log setting and post the results?

…

On Sun, 9 Jan 2022, 13:13 Maximilian Huber, ***@***.***> wrote: I scanned the result of: $ wget https://fw.gl-inet.com/firmware/mt1300/release/openwrt-mt1300-3.203-0809.bin $ binwalk -e openwrt-mt1300-3.203-0809.bin It is just a random openwrt router firmeware, unpacked via binwalk. — Reply to this email directly, view it on GitHub <#1300 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACAID2Y6XQWT6NFFYYTDAB3UVGCW7ANCNFSM5BLRH77A> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you authored the thread.Message ID: ***@***.***>

[anthonyharrison]

I have run the scan on the firmware using the latest released version (3.0) and have managed to get the error message. The issue is with the version of an xml2 component (found when using debug logging option). DEBUG cve_bin_tool.VersionScanner - /root/Documents/test9/_openwrt-mt1300-3.203-0809.bin.extrac version_scanner.py:224 ted/squashfs-root/usr/lib/libxml2.so.2.9.9 is xml2 DEBUG cve_bin_tool - ProductInfo(vendor='xmlsoft', product='libxml2', version=''): cli.py:487 /root/Documents/test9/_openwrt-mt1300-3.203-0809.bin.extracted/squashfs-root/usr/lib/libxml2.so.2.9.9 The version value is not valid which is why there is an error. Need to have a look at this... On Sun, 9 Jan 2022 at 13:22, Anthony Harrison ***@***.***> wrote:

…

What options did you specify to the cve-bin-tool? And are you using the released version from PyPi or the latest development version from GitHub. To help could you run the cve-bin-tool using the debug log setting and post the results? On Sun, 9 Jan 2022, 13:13 Maximilian Huber, ***@***.***> wrote: > I scanned the result of: > > $ wget https://fw.gl-inet.com/firmware/mt1300/release/openwrt-mt1300-3.203-0809.bin > $ binwalk -e openwrt-mt1300-3.203-0809.bin > > It is just a random openwrt router firmeware, unpacked via binwalk. > > — > Reply to this email directly, view it on GitHub > <#1300 (comment)>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/ACAID2Y6XQWT6NFFYYTDAB3UVGCW7ANCNFSM5BLRH77A> > . > Triage notifications on the go with GitHub Mobile for iOS > <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> > or Android > <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. > > You are receiving this because you authored the thread.Message ID: > ***@***.***> >

[anthonyharrison]

Issue seems to be with the xml2 checker returning a version of "" and not UNKNOWN. The xml2 checker sets the default value of new_guess to "". This should be "UNKNOWN"

[anthonyharrison]

Raised issue #1517

Thanks @maxhbr