diff --git a/cve_bin_tool/checkers/__init__.py b/cve_bin_tool/checkers/__init__.py
index 5fc11e4368..1ec63b5ac4 100644
--- a/cve_bin_tool/checkers/__init__.py
+++ b/cve_bin_tool/checkers/__init__.py
@@ -4,6 +4,7 @@
 "curl",
 "expat",
 "ffmpeg",
+ "gnutls",
 "icu",
 "kerberos",
 "libgcrypt",
diff --git a/cve_bin_tool/checkers/gnutls.py b/cve_bin_tool/checkers/gnutls.py
new file mode 100644
index 0000000000..30363d3bf2
--- /dev/null
+++ b/cve_bin_tool/checkers/gnutls.py
@@ -0,0 +1,36 @@
+#!/usr/bin/env python3
+"""
+CVE checker for GnuTLS
+References:
+https://www.cvedetails.com/vulnerability-list/vendor_id-72/product_id-4433/GNU-Gnutls.html
+"""
+import os
+from ..util import regex_find
+
+
+
+def get_version(lines, filename):
+ """
+ returns version information for gnutls found in given file.
+ Verfies using the tools gnutls-cli
+ Verifies using the libraries libgnutls.so and libgnutls-dane.so
+
+ VPkg: gnu, gnutls
+ VPkg: gnutls, gnutls
+ """
+ regex = [r"gnutls-cli ([0-9]+\.[0-9]+\.[0-9]+)"]
+
+ for modulename, binary_names in (
+ {
+ "gnutls-serv": ["gnutls-serv"],
+ "gnutls-cli": ["gnutls-cli", "libgnutls.so", "libgnutls-dane.so"],
+ }
+ ).items():
+ for check in binary_names:
+ if check in os.path.split(filename)[-1]:
+ return {
+ "is_or_contains": "is",
+ "modulename": modulename,
+ "version": regex_find(lines, *regex),
+ }
+
+ return {}
diff --git a/test/binaries/test-gnutls-cli-2.3.11.c b/test/binaries/test-gnutls-cli-2.3.11.c
new file mode 100644
index 0000000000..f66ebb19eb
--- /dev/null
+++ b/test/binaries/test-gnutls-cli-2.3.11.c
@@ -0,0 +1,11 @@
+#include
+
+int main() {
+ printf("This program is designed to test the cve-bin-tool checker.");
+ printf("It outputs a few strings normally associated with gnutls-cli 2.3.11");
+ printf("They appear below this line.");
+ printf("------------------");
+ printf("gnutls-cli 2.3.11");
+
+ return 0;
+}
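Review bot: `regex` in get_version holds only the `gnutls-cli` banner pattern, yet the same list is used for files matched under the `gnutls-serv` module name, and the new fixture test-gnutls-serv-2.3.11.c emits `gnutls-serv 2.3.11`, so unless regex_find matches more loosely than its name suggests the serv binary will yield no version; adding `r"gnutls-serv ([0-9]+\.[0-9]+\.[0-9]+)"` to the list would cover it. The docstring also states that libgnutls.so and libgnutls-dane.so are verified, but nothing on the page shows those libraries carrying the `gnutls-cli <version>` banner the regex looks for, so that claim should be confirmed against a real library or softened to "matched by filename". A version string located by substring search is a best-effort heuristic, and the empty `{}` fallback silently reports nothing when the banner is absent; a short comment above `regex` saying so would help the next maintainer reading a false negative. Minor: `Verfies` should read `Verifies`.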
diff --git a/test/binaries/test-gnutls-serv-2.3.11.c b/test/binaries/test-gnutls-serv-2.3.11.c
new file mode 100644
index 0000000000..00ea55bc82
--- /dev/null
+++ b/test/binaries/test-gnutls-serv-2.3.11.c
@@ -0,0 +1,11 @@
+#include
+
+int main() {
+ printf("This program is designed to test the cve-bin-tool checker.");
+ printf("It outputs a few strings normally associated with gnutls-serv 2.3.11");
+ printf("They appear below this line.");
+ printf("------------------");
+ printf("gnutls-serv 2.3.11");
+
+ return 0;
+}
diff --git a/test/test_scanner.py b/test/test_scanner.py
index 490372cd99..03d7bebf4a 100644
--- a/test/test_scanner.py
+++ b/test/test_scanner.py
@@ -91,14 +91,14 @@ def _binary_test(self, binary, package, version, are_in, not_in):
 # Run the scan
 cves = self.scan_file(binary)
 # Make sure the package and version are in the results
- self.assertIn(package, cves)
- self.assertIn(version, cves[package])
+ self.assertIn(package, list(cves.keys()))
+ self.assertIn(version, list(cves[package].keys()))
 # Test for CVEs known in this version
 for ensure_in in are_in:
- self.assertIn(ensure_in, cves[package][version])
+ self.assertIn(ensure_in, list(cves[package][version].keys()))
 # Test for a CVE that is not in this version
 for ensure_out in not_in:
- self.assertNotIn(ensure_out, cves[package][version])
+ self.assertNotIn(ensure_out, list(cves[package][version].keys()))
 
 def _file_test(self, url, filename, package, version):
 """ Helper function to get a file (presumed to be a real copy
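Review bot: `list(cves.keys())` on the four changed assertIn/assertNotIn lines materialises a throwaway list for a membership test that the removed forms already answered directly, since `in` on a dict (or any Mapping) tests keys; `self.assertIn(package, cves)` and the other three original lines are equivalent and cheaper. If `cves` has changed to a type whose `__contains__` no longer means key membership, that is the reason worth recording in a comment above the block, e.g. `# results are nested dicts keyed package -> version -> cve id`; otherwise I would revert to the plain forms. The rest of _binary_test and the enclosing test class lie outside the hunk.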
@@ -245,6 +245,28 @@ def test_ffmpeg_4_1_4(self):
 ],
 )
 
+ def test_gnutls_2_3_11(self):
+ """Scanning test-gnutls-{binary}-2.3.11.out"""
+ for binary in ["cli", "serv"]:
+ with self.subTest(binary=binary):
+ self._binary_test(
+ "test-gnutls-{}-2.3.11.out".format(binary),
+ "gnutls-cli",
+ "2.3.11",
+ [
+ # known cves in 2.3.11
+ "CVE-2008-1948",
+ "CVE-2008-1949",
+ "CVE-2008-1950",
+ ],
+ [
+ # an older cve from before 2.3.11
+ "CVE-2004-2531",
+ # an newer cve from after 2.3.11
+ "CVE-2017-7869",
+ ],
+ )
+
 def test_jpeg_2_0_1(self):
 """Scanning test-libjpeg-turbo-2.0.1"""
 self._binary_test(
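Review bot: test_gnutls_2_3_11 passes `"gnutls-cli"` as the expected package for both subtests, but for `binary == "serv"` the checker added in cve_bin_tool/checkers/gnutls.py maps a file named test-gnutls-serv-… to modulename `gnutls-serv`; unless the result key is derived from the VPkg product rather than the module name (not visible here), the serv subtest asserts the wrong key, and `"gnutls-{}".format(binary),` would follow the binary instead. The comment `# an newer cve from after 2.3.11` should read `# a newer cve from after 2.3.11`. The enclosing test class starts outside the hunk.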