It's Niraj again, and today I will be sharing my code contribution for the fifth week of GSoC.
The CVE Binary Tool package also includes a helper tool called csv2cve, which lets you search the local database for a list of known vendor, product and version triples. It takes a list of vendor, product and version entries from a CSV file and outputs the CVEs known to affect those products.
csv2cve is a separate module that supports all the command line arguments of cve-bin-tool, with just one difference: instead of taking a directory to scan as input, it takes a CSV file.
If you want to know more about csv2cve, check out our official user manual.
One of the big things that people often have to do with lists of known CVEs is to figure out which of them really apply to their product (and ignore any false positives), as well as just decide which ones they'll fix and which ones they may ignore. I would expect people to, say, export to CSV and then open that in their spreadsheet reader and make notes, but then if they run a new scan they have to redo it all again.
One of my goals for GSoC is to extend the functionality of csv2cve to other formats like JSON, and to allow cve-bin-tool to accept some form of triage data and incorporate it into the output, so that people spend less time re-triaging.
So, my plan is to replace csv2cve with a new input_engine module that introduces a new flag, -i, to specify an input file. It will handle parsing different input formats and triage data. With this new architecture, we can retire csv2cve and have everything run via a flag on cve-bin-tool.
I have created the input_engine module, which supports parsing data from any input format (currently CSV and JSON). Users can now add a remarks field in the CSV or JSON file, which can take any of the following values:
- NewFound (1, n, N)
- Unexplored (2, u, U)
- Confirmed (3, c, C)
- Mitigated (4, m, M)
- Ignored (5, i, I)
I have also provided aliases for these values. All the characters given in parentheses are aliases for that specific value. Output is displayed in the same order as the priority given to the remarks.
One could implement the aliases with a dictionary, but that would not look very idiomatic. So, I have implemented the remarks functionality as an enum with a custom constructor:

```python
from enum import Enum


class OrderedEnum(Enum):
    # Stand-in for the project's OrderedEnum (the ordered-enum recipe from the
    # Python enum docs); only the comparison needed for sorting is shown here.
    def __lt__(self, other):
        if self.__class__ is other.__class__:
            return self.value < other.value
        return NotImplemented


class Remarks(OrderedEnum):
    # First tuple element is the canonical value (also the sort priority);
    # the rest are aliases accepted on input, e.g. Remarks("n") is NewFound.
    NewFound = 1, "1", "NewFound", "n", "N"
    Unexplored = 2, "2", "Unexplored", "u", "U", ""
    Mitigated = 4, "4", "Mitigated", "m", "M"
    Confirmed = 3, "3", "Confirmed", "c", "C"
    Ignored = 5, "5", "Ignored", "i", "I"

    def __new__(cls, value, *aliases):
        obj = object.__new__(cls)
        obj._value_ = value
        # Register every alias so that Remarks(alias) resolves to this member.
        for alias in aliases:
            cls._value2member_map_[alias] = obj
        return obj
```
I have also added an --input-file (-i) option in cli.py to specify the input file. It is parsed by input_engine, and the parsed data is used by output_engine to display CVEs according to their remarks.
Users can now use the --input-file option to produce a list of CVEs (Usage: cve-bin-tool -i=test.csv) or to supplement triage data while scanning a directory, so that output is sorted according to remarks (Usage: cve-bin-tool -i=test.csv /path/to/scan).
As you can see in the output snippet below, CVEs are now categorized according to the remarks specified in the input file.
I have also added test cases for input_engine and removed the test cases for the old csv2cve.
I have exams this week from 6th July to 9th July. So, I won't be able to do much during this week, but I will spend my weekend improving input_engine.
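To show how the remarks aliases and the input parsing fit together, here is an added, self-contained example (written for this post, not the project's input_engine code) that reads the same vendor/product/version/remarks rows from either CSV or JSON text, validates them, normalises the remarks column through the Remarks enum, and sorts the result by remark priority. The function names parse_csv, parse_json and sort_by_remarks, the OrderedEnum stand-in and the sample input are all assumptions made for the example; it also goes slightly beyond the post by accepting the numeric form of a remark from JSON and by rejecting unknown remark values with a line number, which is what a user re-running a scan with a hand-edited triage file would want to see.

```python
import csv
import io
import json
from enum import Enum


class OrderedEnum(Enum):
    # Stand-in for the project's OrderedEnum (enum-docs recipe, assumption).
    def __lt__(self, other):
        if self.__class__ is other.__class__:
            return self.value < other.value
        return NotImplemented


class Remarks(OrderedEnum):
    # Canonical value first (it doubles as the display priority), then aliases.
    NewFound = 1, "1", "NewFound", "n", "N"
    Unexplored = 2, "2", "Unexplored", "u", "U", ""
    Mitigated = 4, "4", "Mitigated", "m", "M"
    Confirmed = 3, "3", "Confirmed", "c", "C"
    Ignored = 5, "5", "Ignored", "i", "I"

    def __new__(cls, value, *aliases):
        obj = object.__new__(cls)
        obj._value_ = value
        for alias in aliases:
            cls._value2member_map_[alias] = obj
        return obj


REQUIRED = ("vendor", "product", "version")


def parse_rows(rows):
    """Validate a sequence of row dicts and normalise the optional remarks field.

    Each returned entry has the three required columns plus a Remarks member.
    A missing or empty remarks value means Unexplored; anything that is not a
    known value or alias is rejected with the offending row number.
    """
    triage = []
    for row_no, row in enumerate(rows, start=1):
        missing = [field for field in REQUIRED if not row.get(field)]
        if missing:
            raise ValueError(f"row {row_no}: missing {', '.join(missing)}")
        raw = row.get("remarks")
        if raw is None:
            raw = ""
        if isinstance(raw, str):
            raw = raw.strip()  # "  c " -> "c"; JSON may also give an int like 4
        try:
            remarks = Remarks(raw)
        except ValueError:
            raise ValueError(f"row {row_no}: unknown remarks value {raw!r}") from None
        entry = {field: row[field] for field in REQUIRED}
        entry["remarks"] = remarks
        triage.append(entry)
    return triage


def parse_csv(text):
    """Parse CSV text with a header row: vendor,product,version[,remarks]."""
    return parse_rows(csv.DictReader(io.StringIO(text)))


def parse_json(text):
    """Parse a JSON list of objects with the same keys as the CSV columns."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("JSON input must be a list of objects")
    return parse_rows(data)


def sort_by_remarks(entries):
    """Order entries by remark priority: NewFound first, Ignored last."""
    return sorted(entries, key=lambda entry: entry["remarks"])


# Constructed sample input (not real scan data).
SAMPLE_CSV = (
    "vendor,product,version,remarks\n"
    "vendor_a,product_a,1.0.0,i\n"
    "vendor_b,product_b,2.3.4,\n"
    "vendor_c,product_c,0.9.1,c\n"
)
SAMPLE_JSON = json.dumps(
    [{"vendor": "vendor_d", "product": "product_d", "version": "5.0", "remarks": 4}]
)

if __name__ == "__main__":
    for entry in sort_by_remarks(parse_csv(SAMPLE_CSV) + parse_json(SAMPLE_JSON)):
        print(f'{entry["remarks"].name:<10} {entry["vendor"]} {entry["product"]} {entry["version"]}')
```

Sorting on the enum member rather than on the raw string is what makes the aliases free: once a row has been normalised to a Remarks member, "c", "3" and "Confirmed" are all the same key, and the display order follows the canonical values regardless of how the user wrote the remark.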