1 change: 1 addition & 0 deletions cve_bin_tool/checkers/__init__.py
Expand Up @@ -4,6 +4,7 @@
"curl",
"expat",
"ffmpeg",
"gnutls",
"icu",
"kerberos",
"libgcrypt",
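--- a/cve_bin_tool/checkers/gnutls.py
+++ b/cve_bin_tool/checkers/gnutls.py
@@ -0,0 +1,36 @@
+#!/usr/bin/env python3
+"""
+CVE checker for GnuTLS
+References:
+https://www.cvedetails.com/vulnerability-list/vendor_id-72/product_id-4433/GNU-Gnutls.html
+"""
+import os
+from ..util import regex_find
+
+
+def get_version(lines, filename):
+    """
+    returns version information for gnutls found in given file.
+    Verfies using the tools gnutls-cli
+    Verifies using the libraries libgnutls.so and libgnutls-dane.so
+
+    VPkg: gnu, gnutls
+    VPkg: gnutls, gnutls
+    """
+    regex = [r"gnutls-cli ([0-9]+\.[0-9]+\.[0-9]+)"]
+
+    for modulename, binary_names in (
+        {
+            "gnutls-serv": ["gnutls-serv"],
+            "gnutls-cli": ["gnutls-cli", "libgnutls.so", "libgnutls-dane.so"],
+        }
+    ).items():
+        for check in binary_names:
+            if check in os.path.split(filename)[-1]:
+                return {
+                    "is_or_contains": "is",
+                    "modulename": modulename,
+                    "version": regex_find(lines, *regex),
+                }
+
+    return {}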
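Review bot: The `regex` list at the top of get_version only knows the `gnutls-cli` banner, yet the filename table also routes `gnutls-serv` binaries to this checker, so a server binary that embeds `gnutls-serv 2.3.11` (exactly what the fixture added in this PR prints) matches by name but presumably yields no version from `regex_find`, leaving a result with a modulename and no usable version. One pattern covering both tools keeps the capture group in the same place: `regex = [r"gnutls-(?:cli|serv) ([0-9]+\.[0-9]+\.[0-9]+)"]`. Whether libgnutls.so and libgnutls-dane.so actually carry a `gnutls-cli X.Y.Z` string is not shown here, so those library entries may need a pattern of their own. The docstring line `Verfies using the tools gnutls-cli` also has a typo and omits the second tool; `Verifies using the tools gnutls-cli and gnutls-serv` would match what the code checks.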
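--- a/test/binaries/test-gnutls-cli-2.3.11.c
+++ b/test/binaries/test-gnutls-cli-2.3.11.c
@@ -0,0 +1,11 @@
+#include <stdio.h>
+
+int main() {
+    printf("This program is designed to test the cve-bin-tool checker.");
+    printf("It outputs a few strings normally associated with gnutls-cli 2.3.11");
+    printf("They appear below this line.");
+    printf("------------------");
+    printf("gnutls-cli 2.3.11");
+
+    return 0;
+}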
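--- a/test/binaries/test-gnutls-serv-2.3.11.c
+++ b/test/binaries/test-gnutls-serv-2.3.11.c
@@ -0,0 +1,11 @@
+#include <stdio.h>
+
+int main() {
+    printf("This program is designed to test the cve-bin-tool checker.");
+    printf("It outputs a few strings normally associated with gnutls-serv 2.3.11");
+    printf("They appear below this line.");
+    printf("------------------");
+    printf("gnutls-serv 2.3.11");
+
+    return 0;
+}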
30 changes: 26 additions & 4 deletions test/test_scanner.py
Expand Up @@ -91,14 +91,14 @@ def _binary_test(self, binary, package, version, are_in, not_in):
# Run the scan
cves = self.scan_file(binary)
# Make sure the package and version are in the results
self.assertIn(package, cves)
self.assertIn(version, cves[package])
self.assertIn(package, list(cves.keys()))
self.assertIn(version, list(cves[package].keys()))
# Test for CVEs known in this version
for ensure_in in are_in:
self.assertIn(ensure_in, cves[package][version])
self.assertIn(ensure_in, list(cves[package][version].keys()))
# Test for a CVE that is not in this version
for ensure_out in not_in:
self.assertNotIn(ensure_out, cves[package][version])
self.assertNotIn(ensure_out, list(cves[package][version].keys()))


I made these error messages a little easier to read


def _file_test(self, url, filename, package, version):
""" Helper function to get a file (presumed to be a real copy
Expand Down Expand Up @@ -245,6 +245,28 @@ def test_ffmpeg_4_1_4(self):
],
)

def test_gnutls_2_3_11(self):
"""Scanning test-gnutls-{binary}-2.3.11.out"""
for binary in ["cli", "serv"]:
with self.subTest(binary=binary):
self._binary_test(
"test-gnutls-{}-2.3.11.out".format(binary),
"gnutls-cli",
"2.3.11",
[
# known cves in 2.3.11
"CVE-2008-1948",
"CVE-2008-1949",
"CVE-2008-1950",
],
[
# an older cve from before 2.3.11
"CVE-2004-2531",
# an newer cve from after 2.3.11
"CVE-2017-7869",
],
)

def test_jpeg_2_0_1(self):
"""Scanning test-libjpeg-turbo-2.0.1"""
self._binary_test(
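Review bot: test_gnutls_2_3_11 passes `"gnutls-cli"` as the expected package for both the cli and the serv fixture, but the checker added in this PR assigns modulename `gnutls-serv` to any file whose name contains `gnutls-serv`, so unless scan_file re-keys results by something other than modulename (not visible in this hunk) the serv subtest looks up the wrong package. If one product key for both tools is intended, the checker should return a single modulename; otherwise the loop should pass `"gnutls-{}".format(binary)` as the package so each subtest checks the module the checker actually reports. The enclosing test class and the `_binary_test` helper it relies on start outside this hunk.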