
CVE Binary Tool Ideas Page for GSoC 2020

Terri Oda edited this page Jan 31, 2020 · 8 revisions

CVE Binary Tool in GSoC 2020

The CVE Binary tool team is hoping to participate in Google Summer of Code under the Python Software Foundation umbrella. You can read all about what this means at http://python-gsoc.org/

About the CVE Binary Tool

The CVE Binary Tool is a small Python script that scans binaries for a number of common open source components (openssl, libpng, libxml2, expat and a few others) and will let you know if your binary code includes versions of these libraries with known vulnerabilities (CVEs).

This security tool is designed to be a minimal security check that can be made part of your continuous integration as a backup check to make sure older vulnerable code is not part of your release binaries.

Project Ideas

We currently have two project ideas:

  1. GSoC 2020 Project Idea: Add new checkers to the CVE Binary Tool. (Difficulty: easy) You can read about it and discuss it in the linked issue.
    • The CVE Binary Tool has only a small number of checkers, which means it can only detect CVEs in a small set of known pieces of software. The purpose of this project is to add some new ones.
  2. GSoC 2020 Project Idea: Improve CVE Binary Tool Output. (Difficulty: intermediate) You can read about it and discuss it in the linked issue.
    • The CVE Binary Tool currently only has human-readable console output (and some debug log levels), but it would be useful if it had machine-readable output (such as JSON or CSV formats) and improved human-readable output (improving the existing console output or branching out to more extensive reports). This project is all about making the output better.
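To make both project ideas concrete, here is an added illustration of the two pieces they touch: a checker (a pattern that recognises the version string a library leaves in a compiled binary) and machine-readable output of the findings. This is example code written for this page, not cve-bin-tool's own checkers, CLI or data: the product patterns, the "vulnerable below" table and the sample binary bytes are all constructed, and the table is a stand-in for a CVE database rather than real CVE data.

```python
"""Added example (not cve-bin-tool's own code): a minimal version-string
scanner in the style of a checker, plus JSON and CSV output of its findings.
The checker regexes, the vulnerable-version table and the sample bytes are
constructed for this illustration and are not real CVE data."""
import csv
import io
import json
import re

# Hypothetical checkers: product -> regex for the version string the library
# embeds in its binary. Real checkers need patterns verified against real builds.
CHECKERS = {
    "openssl": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)"),
    "libpng": re.compile(rb"libpng version (\d+\.\d+\.\d+)"),
    "expat": re.compile(rb"expat_(\d+\.\d+\.\d+)"),
}

# Constructed stand-in for a CVE database: versions below the threshold are
# treated as affected by a (hypothetical) known vulnerability.
VULNERABLE_BELOW = {
    "openssl": "1.0.2",
    "libpng": "1.6.0",
}


def version_key(version):
    """Turn '1.0.1e' into a tuple that orders correctly: numeric parts compare
    as integers, letter suffixes sort before the next numeric component, and
    mixed int/str comparisons can never raise."""
    parts = re.findall(r"\d+|[a-z]+", version.lower())
    return tuple((1, int(p)) if p.isdigit() else (0, p) for p in parts)


def scan(blob):
    """Run every checker over raw bytes and return findings as a list of dicts.
    Offsets are kept so a reviewer can locate the string in the binary."""
    findings = []
    for product, pattern in CHECKERS.items():
        for match in pattern.finditer(blob):
            version = match.group(1).decode("ascii")
            threshold = VULNERABLE_BELOW.get(product)
            vulnerable = threshold is not None and version_key(version) < version_key(threshold)
            findings.append({
                "product": product,
                "version": version,
                "vulnerable": vulnerable,
                "offset": match.start(),
            })
    return findings


def to_json(findings):
    """Machine-readable output: a JSON array, one object per finding."""
    return json.dumps(findings, indent=2, sort_keys=True)


def to_csv(findings):
    """Machine-readable output: CSV with a fixed header row."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["product", "version", "vulnerable", "offset"])
    writer.writeheader()
    writer.writerows(findings)
    return buf.getvalue()


# Constructed sample "binary": the kind of fragments `strings` would pull out
# of a real executable, surrounded by padding bytes. Not a real ELF file.
SAMPLE_BINARY = (
    b"\x00\x7fELF\x00\x00"
    + b"OpenSSL 1.0.1e 11 Feb 2013\x00"
    + b"\x00" * 16
    + b"libpng version 1.2.50\x00"
    + b"\x00" * 8
    + b"expat_2.2.9\x00"
    + b"\xff" * 4
)

if __name__ == "__main__":
    results = scan(SAMPLE_BINARY)
    print(to_json(results))
    print(to_csv(results))
```

Two things a real checker has to get right that the toy version glosses over: the version regex must be anchored tightly enough not to match unrelated strings (a loose `\d+\.\d+` will fire on dates and IP addresses), and version comparison must be done component-wise rather than as string comparison, otherwise "1.10" sorts before "1.2".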

There is also a GSoC 2020 discussion thread available for discussions that aren't directly related to one of those project ideas.

If you've got a brilliant idea you'd like to propose, please make a new issue with the 'gsoc' tag to discuss it! Students are also welcome to add "stretch goal" ideas to their application if they'd like to start with one of our ideas but have a few extra feature ideas of their own they'd like to work on at the end of the summer if everything stays on schedule. Take a look at the current open issues to see what users want.

Getting Started

  1. Follow the README and make sure you can run the tool. Try running it against random things on your hard drive and see if it finds anything. On a Linux system, your /bin directory usually yields some interesting results.
  2. Run the tests. The CVE Binary tool has a small number of unit tests. Make sure you know how to run them, and if you've never done Python unittests before you might want to read up on python's unittest library. Figure out how to run a single test!
  3. Write a new test. Instructions for writing tests are linked from the project documentation. This can be your first contribution!

Writing your GSoC application

Instructions on How to apply can be found on the Python GSoC website. Please don't forget to use our name (cve-bin-tool) in your application title!

Contacting the CVE Binary Tool team

Most of our communication will take place in the issue tracker under the label 'gsoc'. Not sure where to ask? Try here!

IRC: Contact us on our gitter channel or using the main python-gsoc channel, #python-gsoc on freenode. (How to connect.) Note that all our developers are currently located in the US Pacific time zone.