From fbeab025bbe546ec2194d6fc396cdf7798dab3c8 Mon Sep 17 00:00:00 2001 From: FReeshabh Date: Tue, 29 Oct 2019 13:22:30 -0500 Subject: [PATCH 1/6] Added a checker for gnutls new file: gnutls.py --- cve_bin_tool/checkers/gnutls.py | 35 +++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 cve_bin_tool/checkers/gnutls.py diff --git a/cve_bin_tool/checkers/gnutls.py b/cve_bin_tool/checkers/gnutls.py new file mode 100644 index 0000000000..f00926f8a0 --- /dev/null +++ b/cve_bin_tool/checkers/gnutls.py @@ -0,0 +1,35 @@ +#!/usr/bin/env python3 +""" +CVE checker for GnuTLS +References: +https://www.cvedetails.com/vulnerability-list/vendor_id-72/product_id-4433/GNU-Gnutls.html +""" +from ..util import regex_find + +def get_version(lines, filename) +""" +returns version information for gnutls found in given file. +Verfies using the tools gnutls-cli and gnu-serv +Verifies using the libraries libgnutls.so and libgnutls-dane.so +""" +regex = [r"gnutls-cli ([3]+\.[0-9]+\.[0-9]+)"] +regex_2 = [r"gnutls-serv ([3]+\.[0-9]+\.[0-9]+)"] +version_info = dict() +if filename[::-1].startswith(("gnutls-cli")[::-1]): + version_info["is_or_contains"] = "is" +if filename[::-1].startswith(("gnutls-serv")[::-1]): + version_info["is_or_contains"] = "is" + +if "is_or_contains" in version_info: + version_info["modulename"] = "gnutls-cli" + version_info["version"] = regex_find(lines, *regex) +elif "is_or_contains" in version_info: + version_info["modulename"] = "gnutls-serv" + version_info["version"] = regex_find(lines, *regex2) + +elif "libgnutls.so" in filename: + version_info["is_or_contains"] = "is" +elif "libgnutls-dane.so" in filename: + version_info["is_or_contains"] = "is" + +return version_info \ No newline at end of file From 2013a1dc4c39eee87b7a48c0f8f7e18e315c510e Mon Sep 17 00:00:00 2001 
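Review bot: The new `get_version` cannot be imported as written: the `def get_version(lines, filename)` line has no trailing colon, and the docstring and body that follow it start at column 0 rather than inside the function (the removed side of the later rewrite shows the same unindented lines), so loading `cve_bin_tool.checkers.gnutls` raises a SyntaxError before any checker runs. Two further slips sit in the same body: the serv pattern list is defined as `regex_2` but read as `regex2`, and the serv branch is an `elif "is_or_contains" in version_info` that follows an `if` with the identical condition, so it can never be taken. A `python -m py_compile cve_bin_tool/checkers/gnutls.py` run, or the project's test suite, would have caught the first problem; the second two need a separate record of which name matched rather than reusing `is_or_contains` for both, e.g. `matched = "gnutls-cli"` / `matched = "gnutls-serv"` and branching on `matched`.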
From: FReeshabh Date: Tue, 29 Oct 2019 13:24:41 -0500 Subject: [PATCH 2/6] Added gnutls to init file modified: __init__.py --- cve_bin_tool/checkers/__init__.py | 1 + 1 file changed, 1 insertion(+) diff --git a/cve_bin_tool/checkers/__init__.py b/cve_bin_tool/checkers/__init__.py index 673fddb690..d099ada1df 100644 --- a/cve_bin_tool/checkers/__init__.py +++ b/cve_bin_tool/checkers/__init__.py @@ -3,6 +3,7 @@ "bluez", "curl", "expat", + "gnutls" "icu", "kerberos", "libgcrypt", From 01bae3d978993858b7b0aa8e5747ad2031b3aadb Mon Sep 17 00:00:00 2001 From: FReeshabh Date: Tue, 29 Oct 2019 13:25:32 -0500 Subject: [PATCH 3/6] Missing comma modified: __init__.py --- cve_bin_tool/checkers/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cve_bin_tool/checkers/__init__.py b/cve_bin_tool/checkers/__init__.py index d099ada1df..5479bf1677 100644 --- a/cve_bin_tool/checkers/__init__.py +++ b/cve_bin_tool/checkers/__init__.py @@ -3,7 +3,7 @@ "bluez", "curl", "expat", - "gnutls" + "gnutls", "icu", "kerberos", "libgcrypt", From 4e87e8605a1a8e10ef94f517d1b2fc6ed35bc515 Mon Sep 17 00:00:00 2001 From: FReeshabh Date: Tue, 29 Oct 2019 13:29:37 -0500 Subject: [PATCH 4/6] Fixed major problems with the code(editor trouble) modified: gnutls.py --- cve_bin_tool/checkers/gnutls.py | 45 +++++++++++++++------------------ 1 file changed, 20 insertions(+), 25 deletions(-) diff --git a/cve_bin_tool/checkers/gnutls.py b/cve_bin_tool/checkers/gnutls.py index f00926f8a0..9c5d32459a 100644 --- a/cve_bin_tool/checkers/gnutls.py +++ b/cve_bin_tool/checkers/gnutls.py 
@@ -6,30 +6,25 @@ """ from ..util import regex_find -def get_version(lines, filename) -""" -returns version information for gnutls found in given file. -Verfies using the tools gnutls-cli and gnu-serv -Verifies using the libraries libgnutls.so and libgnutls-dane.so -""" -regex = [r"gnutls-cli ([3]+\.[0-9]+\.[0-9]+)"] -regex_2 = [r"gnutls-serv ([3]+\.[0-9]+\.[0-9]+)"] -version_info = dict() -if filename[::-1].startswith(("gnutls-cli")[::-1]): - version_info["is_or_contains"] = "is" -if filename[::-1].startswith(("gnutls-serv")[::-1]): - version_info["is_or_contains"] = "is" - -if "is_or_contains" in version_info: - version_info["modulename"] = "gnutls-cli" - version_info["version"] = regex_find(lines, *regex) -elif "is_or_contains" in version_info: - version_info["modulename"] = "gnutls-serv" - version_info["version"] = regex_find(lines, *regex2) +def get_version(lines, filename): + """ + returns version information for gnutls found in given file. + Verfies using the tools gnutls-cli + Verifies using the libraries libgnutls.so and libgnutls-dane.so + """ + regex = [r"gnutls-cli ([3]+\.[0-9]+\.[0-9]+)"] + version_info = dict() + if filename[::-1].startswith(("gnutls-cli")[::-1]): + version_info["is_or_contains"] = "is" + if filename[::-1].startswith(("gnutls-serv")[::-1]): + version_info["is_or_contains"] = "is" -elif "libgnutls.so" in filename: - version_info["is_or_contains"] = "is" -elif "libgnutls-dane.so" in filename: - version_info["is_or_contains"] = "is" + if "is_or_contains" in version_info: + version_info["modulename"] = "gnutls-cli" + version_info["version"] = regex_find(lines, *regex) + elif "libgnutls.so" in filename: + version_info["is_or_contains"] = "is" + elif "libgnutls-dane.so" in filename: + version_info["is_or_contains"] = "is" -return version_info \ No newline at end of file + return version_info \ No newline at end of file From 1c02c900e309116675d304274cb4886f1144136e Mon Sep 17 00:00:00 2001 
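Review bot: After this rewrite the `libgnutls.so` and `libgnutls-dane.so` branches still return a dict holding only `is_or_contains`, with no `modulename` or `version`: on the new side only the `if "is_or_contains" in version_info` branch fills those two keys, and a library filename never reaches it, so a shared library is reported as a match that carries nothing for the scanner to look up. A `gnutls-serv` filename is likewise reported as `modulename` `gnutls-cli`, and with the serv pattern removed a serv binary only yields a version if it happens to contain a `gnutls-cli X.Y.Z` string. Either drop the two library branches until a pattern exists for them, or set `version_info["modulename"]` and `version_info["version"] = regex_find(lines, *regex)` in every branch that sets `is_or_contains`. The docstring's `Verfies` is a typo for `Verifies`.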
From: FReeshabh Date: Tue, 29 Oct 2019 13:32:23 -0500 Subject: [PATCH 5/6] Added Vpkg and newline at the end modified: gnutls.py --- cve_bin_tool/checkers/gnutls.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/cve_bin_tool/checkers/gnutls.py b/cve_bin_tool/checkers/gnutls.py index 9c5d32459a..a9eefb2d29 100644 --- a/cve_bin_tool/checkers/gnutls.py +++ b/cve_bin_tool/checkers/gnutls.py @@ -11,6 +11,8 @@ def get_version(lines, filename): returns version information for gnutls found in given file. Verfies using the tools gnutls-cli Verifies using the libraries libgnutls.so and libgnutls-dane.so + + VPkg: gnutls, gnutls """ regex = [r"gnutls-cli ([3]+\.[0-9]+\.[0-9]+)"] version_info = dict() @@ -27,4 +29,4 @@ def get_version(lines, filename): elif "libgnutls-dane.so" in filename: version_info["is_or_contains"] = "is" - return version_info \ No newline at end of file + return version_info From ff14b13797b4aaf3911adde3ba40e0e14b1d810b Mon Sep 17 00:00:00 2001 From: John Andersen Date: Wed, 30 Oct 2019 13:27:17 -0700 Subject: [PATCH 6/6] gnutls test and improved no cves error messages in TestScanner Signed-off-by: John Andersen --- cve_bin_tool/checkers/gnutls.py | 34 ++++++++++++++----------- test/binaries/test-gnutls-cli-2.3.11.c | 11 ++++++++ test/binaries/test-gnutls-serv-2.3.11.c | 11 ++++++++ test/test_scanner.py | 30 +++++++++++++++++++--- 4 files changed, 67 insertions(+), 19 deletions(-) create mode 100644 test/binaries/test-gnutls-cli-2.3.11.c create mode 100644 test/binaries/test-gnutls-serv-2.3.11.c diff --git a/cve_bin_tool/checkers/gnutls.py b/cve_bin_tool/checkers/gnutls.py index a9eefb2d29..30363d3bf2 100644 --- a/cve_bin_tool/checkers/gnutls.py +++ b/cve_bin_tool/checkers/gnutls.py 
@@ -4,29 +4,33 @@ References: https://www.cvedetails.com/vulnerability-list/vendor_id-72/product_id-4433/GNU-Gnutls.html """ +import os from ..util import regex_find + def get_version(lines, filename): """ returns version information for gnutls found in given file. - Verfies using the tools gnutls-cli + Verfies using the tools gnutls-cli Verifies using the libraries libgnutls.so and libgnutls-dane.so + VPkg: gnu, gnutls VPkg: gnutls, gnutls """ - regex = [r"gnutls-cli ([3]+\.[0-9]+\.[0-9]+)"] - version_info = dict() - if filename[::-1].startswith(("gnutls-cli")[::-1]): - version_info["is_or_contains"] = "is" - if filename[::-1].startswith(("gnutls-serv")[::-1]): - version_info["is_or_contains"] = "is" + regex = [r"gnutls-cli ([0-9]+\.[0-9]+\.[0-9]+)"] - if "is_or_contains" in version_info: - version_info["modulename"] = "gnutls-cli" - version_info["version"] = regex_find(lines, *regex) - elif "libgnutls.so" in filename: - version_info["is_or_contains"] = "is" - elif "libgnutls-dane.so" in filename: - version_info["is_or_contains"] = "is" + for modulename, binary_names in ( + { + "gnutls-serv": ["gnutls-serv"], + "gnutls-cli": ["gnutls-cli", "libgnutls.so", "libgnutls-dane.so"], + } + ).items(): + for check in binary_names: + if check in os.path.split(filename)[-1]: + return { + "is_or_contains": "is", + "modulename": modulename, + "version": regex_find(lines, *regex), + } - return version_info + return {} diff --git a/test/binaries/test-gnutls-cli-2.3.11.c b/test/binaries/test-gnutls-cli-2.3.11.c new file mode 100644 index 0000000000..f66ebb19eb --- /dev/null +++ b/test/binaries/test-gnutls-cli-2.3.11.c @@ -0,0 +1,11 @@ +#include + +int main() { + printf("This program is designed to test the cve-bin-tool checker."); + printf("It outputs a few strings normally associated with gnutls-cli 2.3.11"); + printf("They appear below this line."); + printf("------------------"); + printf("gnutls-cli 2.3.11"); + + return 0; +} 
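Review bot: The single pattern `gnutls-cli ([0-9]+\.[0-9]+\.[0-9]+)` is applied to every matched name, including `gnutls-serv` and the two `libgnutls` libraries, so a serv binary that only carries the string `gnutls-serv 2.3.11` (which is all the new fixture prints) gives `regex_find` nothing to match and `version` would hold whatever regex_find returns on no match — presumably empty. The name used in the lookup table and the name in the pattern should agree, for instance `regex = [r"gnutls-(?:cli|serv) ([0-9]+\.[0-9]+\.[0-9]+)"]`, or a per-module pattern keyed off `modulename`. The docstring also needs updating: it still says `Verfies using the tools gnutls-cli` (typo, and the table now handles `gnutls-serv` too), and it carries two `VPkg:` lines (`gnu, gnutls` and `gnutls, gnutls`) that deserve a one-line comment saying both vendor spellings are intended. Note as well that `check in os.path.split(filename)[-1]` is a substring test, so any basename that merely contains `gnutls-cli` is reported with `is_or_contains` set to `is`, which seems to be the distinction that key was meant to express.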
diff --git a/test/binaries/test-gnutls-serv-2.3.11.c b/test/binaries/test-gnutls-serv-2.3.11.c new file mode 100644 index 0000000000..00ea55bc82 --- /dev/null +++ b/test/binaries/test-gnutls-serv-2.3.11.c @@ -0,0 +1,11 @@ +#include + +int main() { + printf("This program is designed to test the cve-bin-tool checker."); + printf("It outputs a few strings normally associated with gnutls-serv 2.3.11"); + printf("They appear below this line."); + printf("------------------"); + printf("gnutls-serv 2.3.11"); + + return 0; +} diff --git a/test/test_scanner.py b/test/test_scanner.py index 490372cd99..03d7bebf4a 100644 --- a/test/test_scanner.py +++ b/test/test_scanner.py @@ -91,14 +91,14 @@ def _binary_test(self, binary, package, version, are_in, not_in): # Run the scan cves = self.scan_file(binary) # Make sure the package and version are in the results - self.assertIn(package, cves) - self.assertIn(version, cves[package]) + self.assertIn(package, list(cves.keys())) + self.assertIn(version, list(cves[package].keys())) # Test for CVEs known in this version for ensure_in in are_in: - self.assertIn(ensure_in, cves[package][version]) + self.assertIn(ensure_in, list(cves[package][version].keys())) # Test for a CVE that is not in this version for ensure_out in not_in: - self.assertNotIn(ensure_out, cves[package][version]) + self.assertNotIn(ensure_out, list(cves[package][version].keys())) def _file_test(self, url, filename, package, version): """ Helper function to get a file (presumed to be a real copy 
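Review bot: The new `list(cves.keys())` wrappers in `_binary_test` read as redundant, since `assertIn` works on a dict directly, and a later cleanup is likely to strip them out; the commit message says they are there to improve the failure message, so that intent belongs in the code. A one-line comment above the first changed assertion would do: `# list() so a failed assertIn prints only the keys, not the full nested CVE data`. The same reasoning covers the assertions inside the `for ensure_in` and `for ensure_out` loops. `_binary_test` begins before this hunk.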
@@ -245,6 +245,28 @@ def test_ffmpeg_4_1_4(self): ], ) + def test_gnutls_2_3_11(self): + """Scanning test-gnutls-{binary}-2.3.11.out""" + for binary in ["cli", "serv"]: + with self.subTest(binary=binary): + self._binary_test( + "test-gnutls-{}-2.3.11.out".format(binary), + "gnutls-cli", + "2.3.11", + [ + # known cves in 2.3.11 + "CVE-2008-1948", + "CVE-2008-1949", + "CVE-2008-1950", + ], + [ + # an older cve from before 2.3.11 + "CVE-2004-2531", + # an newer cve from after 2.3.11 + "CVE-2017-7869", + ], + ) + def test_jpeg_2_0_1(self): """Scanning test-libjpeg-turbo-2.0.1""" self._binary_test(
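Review bot: Both subtests pass `"gnutls-cli"` as the expected package, including the `serv` case whose fixture is `test-gnutls-serv-2.3.11.out`; if the scanner keys results by the checker's `modulename` (which the new checker sets to `gnutls-serv` for that filename), the serv subtest fails on the `assertIn(package, ...)` line, and if it does not, the test is not exercising the serv mapping it appears to. Either carry the expected package alongside the binary, e.g. `for binary, package in [("cli", "gnutls-cli"), ("serv", "gnutls-serv")]:`, or add a comment explaining why both fixtures are expected to resolve to `gnutls-cli`. The comment `# an newer cve from after 2.3.11` should read `# a newer cve from after 2.3.11`.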