remove openssl.py from PR. see PR intel#5174

update python.py checker, improve VERSION_PAEETERNS format for PE info.
fix balck format issue.
update extract_version_from_pe to output valid format info.

Author: alex-cheng-techman

.github/actions/spelling/allow.txt

@@ -74,6 +74,7 @@ c
 cabextract
 cairo
 capnproto
+captive
 cbt
 CDNs
 CDX
@@ -584,6 +585,7 @@ pocoo
 polarssl
 poppler
 populatedb
+portal
 postgresql
 ppp
 Prajwal

.github/workflows/update-cache.yml

@@ -52,7 +52,7 @@ jobs:
       - name: Update database
         run: |
           [[ -e cache ]] && mkdir -p .cache && mv cache ~/.cache/cve-bin-tool
-          python -m cve_bin_tool.cli test/assets/test-kerberos-5-1.15.1.out -u now
+          python -m cve_bin_tool.cli -d OSV test/assets/test-kerberos-5-1.15.1.out -u now
           python -m cve_bin_tool.mismatch_loader
           cp -r ~/.cache/cve-bin-tool cache
 

README.md

@@ -16,7 +16,7 @@ CVE Binary Tool uses the NVD API but is not endorsed or certified by the NVD.
 
 The tool has two main modes of operation:
 
-1. A binary scanner which helps you determine which packages may have been included as part of a piece of software. There are <!-- NUMBER OF CHECKERS START-->409<!--NUMBER OF CHECKERS END--> checkers.  Our initial focus was on common, vulnerable open source components such as openssl, libpng, libxml2 and expat.
+1. A binary scanner which helps you determine which packages may have been included as part of a piece of software. There are <!-- NUMBER OF CHECKERS START-->410<!--NUMBER OF CHECKERS END--> checkers.  Our initial focus was on common, vulnerable open source components such as openssl, libpng, libxml2 and expat.
 
 2. Tools for scanning known component lists in various formats, including .csv, several linux distribution package lists, language specific package scanners and several Software Bill of Materials (SBOM) formats.  
 
@@ -226,66 +226,66 @@ The following checkers are available for finding components in binary files:
 
 <!--CHECKERS TABLE BEGIN-->
 |   |  |  | Available checkers |  |  |  |
-|--------------- |-------------- |------------------ |---------------- |-------------- |--------------- |----------------- |
+|----------------- |--------------- |------------------ |------------- |---------------- |-------------- |--------------- |
 | accountsservice |acpid |apache_http_server |apcupsd |apparmor |apr |asn1c |
 | assimp |asterisk |atftp |augeas |avahi |axel |bash |
 | bind |binutils |bird |bison |bluez |boa |boinc |
 | botan |bro |bubblewrap |busybox |bwm_ng |bzip2 |c_ares |
-| cairo |capnproto |ceph |cflow |chess |chrony |civetweb |
-| clamav |clang |collectd |commons_compress |connman |coreutils |cpio |
-| cpp_httplib |cronie |cryptsetup |cups |cups_filters |curl |cvs |
-| darkhttpd |dav1d |davfs2 |dbus |debianutils |dhclient |dhcpcd |
-| dhcpd |djvulibre |dlt_daemon |dmidecode |dnsmasq |docker |domoticz |
-| dosfstools |dotnet |dovecot |doxygen |dpkg |dropbear |e2fsprogs |
-| ed |elfutils |emacs |enscript |exfatprogs |exim |exiv2 |
-| f2fs_tools |faad2 |fastd |ffmpeg |file |firefox |firejail |
-| flac |fluidsynth |freeradius |freerdp |fribidi |frr |fuse |
-| gawk |gcc |gdal |gdb |gdk_pixbuf |gettext |ghostscript |
-| gimp |git |glib |glibc |gmp |gnomeshell |gnupg |
-| gnutls |go |gpgme |gpsd |graphicsmagick |grep |grub2 |
-| gsasl |gstreamer |guile |gupnp |gvfs |gzip |haproxy |
-| harfbuzz |haserl |hdf5 |heimdal |hostapd |hunspell |hwloc |
-| i2pd |icecast |icu |imagemagick |indent |inetutils |iperf3 |
-| ipmitool |ipsec_tools |iptables |irssi |iucode_tool |iwd |jack2 |
-| jacksondatabind |janus |jasper |jbig |jhead |jq |json_c |
-| kbd |keepalived |kerberos |kexectools |kodi |kubernetes |ldns |
-| lftp |libarchive |libass |libbpg |libcap |libcoap |libconfuse |
-| libcurl |libdb |libde265 |libebml |libevent |libexpat |libgcrypt |
-| libgd |libgit2 |libheif |libical |libidn2 |libinput |libjpeg |
-| libjpeg_turbo |libksba |liblas |liblouis |libmatroska |libmemcached |libmicrohttpd |
-| libmodbus |libnss |libopenmpt |libpcap |libraw |libreoffice |libreswan |
-| librsvg |librsync |libsamplerate |libseccomp |libsndfile |libsolv |libsoup |
-| libsrtp |libssh |libssh2 |libtasn1 |libtiff |libtomcrypt |libupnp |
-| libuv |libvips |libvirt |libvncserver |libvorbis |libvpx |libxslt |
-| libyaml |libyang |lighttpd |linux_kernel |linuxptp |lldpd |llvm |
-| logrotate |lrzip |lua |luajit |lxc |lynx |lz4 |
-| lzo2 |mailx |mariadb |mbedtls |mdadm |memcached |micropython |
-| minetest |mini_httpd |minicom |minidlna |miniupnpc |miniupnpd |moby |
-| modsecurity |monit |mosquitto |motion |mp4v2 |mpg123 |mpv |
-| msmtp |mtr |mupdf |musl |mutt |mysql |nano |
-| nasm |nbd |ncurses |neon |nessus |netatalk |netdata |
-| netkit_ftp |netpbm |nettle |nghttp2 |nginx |ngircd |nmap |
-| node |ntfs_3g |ntp |ntpsec |oath_toolkit |ofono |open_iscsi |
-| open_vm_tools |openafs |openblas |opencv |openjpeg |openldap |opensc |
-| openssh |openssl |openswan |openvpn |openvswitch |orc |p7zip |
-| pango |patch |pcre |pcre2 |pcsc_lite |perl |php |
-| picocom |pigz |pixman |pjsip |png |polarssl_fedora |poppler |
-| postgresql |ppp |privoxy |procps_ng |proftpd |protobuf_c |pspp |
-| pure_ftpd |putty |python |qemu |qpdf |qt |quagga |
-| radare2 |radvd |raptor |rauc |rdesktop |readline |redis |
-| rpm |rsync |rsyslog |rtl_433 |rtmpdump |ruby |runc |
-| rust |samba |sane_backends |sasl |sdl |seahorse |shadowsocks_libev |
-| snapd |sngrep |snort |socat |sofia_sip |speex |spice |
-| sqlite |squashfs |squid |sslh |stellarium |strongswan |stunnel |
-| subversion |sudo |suricata |sylpheed |syslogng |sysstat |systemd |
-| tar |tbb |tcpdump |tcpreplay |terminology |tesseract |thrift |
-| thttpd |thunderbird |timescaledb |tinyproxy |tor |toybox |tpm2_tss |
-| traceroute |transmission |trousers |ttyd |twonky_server |u_boot |udisks |
-| unbound |unixodbc |upx |util_linux |uwsgi |varnish |vim |
-| vlc |vorbis_tools |vsftpd |wavpack |webkitgtk |wget |wireshark |
-| wolfssl |wpa_supplicant |xerces |xml2 |xpdf |xscreensaver |xwayland |
-| xz |yasm |zabbix |zbar |zchunk |zeek |zlib |
-| znc |zsh |zstandard | | | | |
+| cairo |capnproto |captive_portal |ceph |cflow |chess |chrony |
+| civetweb |clamav |clang |collectd |commons_compress |connman |coreutils |
+| cpio |cpp_httplib |cronie |cryptsetup |cups |cups_filters |curl |
+| cvs |darkhttpd |dav1d |davfs2 |dbus |debianutils |dhclient |
+| dhcpcd |dhcpd |djvulibre |dlt_daemon |dmidecode |dnsmasq |docker |
+| domoticz |dosfstools |dotnet |dovecot |doxygen |dpkg |dropbear |
+| e2fsprogs |ed |elfutils |emacs |enscript |exfatprogs |exim |
+| exiv2 |f2fs_tools |faad2 |fastd |ffmpeg |file |firefox |
+| firejail |flac |fluidsynth |freeradius |freerdp |fribidi |frr |
+| fuse |gawk |gcc |gdal |gdb |gdk_pixbuf |gettext |
+| ghostscript |gimp |git |glib |glibc |gmp |gnomeshell |
+| gnupg |gnutls |go |gpgme |gpsd |graphicsmagick |grep |
+| grub2 |gsasl |gstreamer |guile |gupnp |gvfs |gzip |
+| haproxy |harfbuzz |haserl |hdf5 |heimdal |hostapd |hunspell |
+| hwloc |i2pd |icecast |icu |imagemagick |indent |inetutils |
+| iperf3 |ipmitool |ipsec_tools |iptables |irssi |iucode_tool |iwd |
+| jack2 |jacksondatabind |janus |jasper |jbig |jhead |jq |
+| json_c |kbd |keepalived |kerberos |kexectools |kodi |kubernetes |
+| ldns |lftp |libarchive |libass |libbpg |libcap |libcoap |
+| libconfuse |libcurl |libdb |libde265 |libebml |libevent |libexpat |
+| libgcrypt |libgd |libgit2 |libheif |libical |libidn2 |libinput |
+| libjpeg |libjpeg_turbo |libksba |liblas |liblouis |libmatroska |libmemcached |
+| libmicrohttpd |libmodbus |libnss |libopenmpt |libpcap |libraw |libreoffice |
+| libreswan |librsvg |librsync |libsamplerate |libseccomp |libsndfile |libsolv |
+| libsoup |libsrtp |libssh |libssh2 |libtasn1 |libtiff |libtomcrypt |
+| libupnp |libuv |libvips |libvirt |libvncserver |libvorbis |libvpx |
+| libxslt |libyaml |libyang |lighttpd |linux_kernel |linuxptp |lldpd |
+| llvm |logrotate |lrzip |lua |luajit |lxc |lynx |
+| lz4 |lzo2 |mailx |mariadb |mbedtls |mdadm |memcached |
+| micropython |minetest |mini_httpd |minicom |minidlna |miniupnpc |miniupnpd |
+| moby |modsecurity |monit |mosquitto |motion |mp4v2 |mpg123 |
+| mpv |msmtp |mtr |mupdf |musl |mutt |mysql |
+| nano |nasm |nbd |ncurses |neon |nessus |netatalk |
+| netdata |netkit_ftp |netpbm |nettle |nghttp2 |nginx |ngircd |
+| nmap |node |ntfs_3g |ntp |ntpsec |oath_toolkit |ofono |
+| open_iscsi |open_vm_tools |openafs |openblas |opencv |openjpeg |openldap |
+| opensc |openssh |openssl |openswan |openvpn |openvswitch |orc |
+| p7zip |pango |patch |pcre |pcre2 |pcsc_lite |perl |
+| php |picocom |pigz |pixman |pjsip |png |polarssl_fedora |
+| poppler |postgresql |ppp |privoxy |procps_ng |proftpd |protobuf_c |
+| pspp |pure_ftpd |putty |python |qemu |qpdf |qt |
+| quagga |radare2 |radvd |raptor |rauc |rdesktop |readline |
+| redis |rpm |rsync |rsyslog |rtl_433 |rtmpdump |ruby |
+| runc |rust |samba |sane_backends |sasl |sdl |seahorse |
+| shadowsocks_libev |snapd |sngrep |snort |socat |sofia_sip |speex |
+| spice |sqlite |squashfs |squid |sslh |stellarium |strongswan |
+| stunnel |subversion |sudo |suricata |sylpheed |syslogng |sysstat |
+| systemd |tar |tbb |tcpdump |tcpreplay |terminology |tesseract |
+| thrift |thttpd |thunderbird |timescaledb |tinyproxy |tor |toybox |
+| tpm2_tss |traceroute |transmission |trousers |ttyd |twonky_server |u_boot |
+| udisks |unbound |unixodbc |upx |util_linux |uwsgi |varnish |
+| vim |vlc |vorbis_tools |vsftpd |wavpack |webkitgtk |wget |
+| wireshark |wolfssl |wpa_supplicant |xerces |xml2 |xpdf |xscreensaver |
+| xwayland |xz |yasm |zabbix |zbar |zchunk |zeek |
+| zlib |znc |zsh |zstandard | | | |
 <!--CHECKERS TABLE END-->
 
 All the checkers can be found in the checkers directory, as can the

cve_bin_tool/checkers/__init__.py

@@ -65,6 +65,7 @@
     "commons_compress",
     "connman",
     "coreutils",
+    "corosync",
     "cpio",
     "cpp_httplib",
     "cronie",
@@ -396,6 +397,7 @@
     "toybox",
     "tpm2_tss",
     "traceroute",
+    "traffic_server",
     "transmission",
     "trousers",
     "ttyd",
@@ -433,6 +435,7 @@
     "znc",
     "zsh",
     "zstandard",
+    "zziplib",
 ]
 
 VendorProductPair = collections.namedtuple("VendorProductPair", ["vendor", "product"])

cve_bin_tool/checkers/corosync.py

@@ -0,0 +1,20 @@
+# Copyright (C) 2025 Orange
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+
+"""
+CVE checker for corosync
+
+https://www.cvedetails.com/product/27835/Corosync-Corosync.html?vendor_id=13388
+
+"""
+from __future__ import annotations
+
+from cve_bin_tool.checkers import Checker
+
+
+class CorosyncChecker(Checker):
+    CONTAINS_PATTERNS: list[str] = []
+    FILENAME_PATTERNS: list[str] = []
+    VERSION_PATTERNS = [r"([0-9]+\.[0-9]+\.[0-9]+)[a-zA-Z_/%: \.\r\n]*corosync"]
+    VENDOR_PRODUCT = [("corosync", "corosync")]

cve_bin_tool/checkers/openssl.py

@@ -18,9 +18,6 @@ class OpensslChecker(Checker):
     CONTAINS_PATTERNS = [r"part of OpenSSL", r"openssl.cnf", r"-DOPENSSL_"]
     FILENAME_PATTERNS = [r"libssl.so.", r"libcrypto.so"]
     VERSION_PATTERNS = [
-        # for general format: OpenSSL 1.0.2u¡BOpenSSL 3.0.0¡BOpenSSL 1.1.1k
-        r"OpenSSL\s+([0-9]+\.[0-9]+\.[0-9]+[a-z]*)",
-        
         r"OpenSSL ([0-9]+\.[0-9]+\.[0-9]+[a-z]*) [a-zA-Z0-9 ]+\r?\n(?:%s \(Library: %s\)|[a-zA-Z0-9:,_ \.\-\r\n]*OPENSSLDIR|ssl)",
         r"(?:%s \(Library: %s\)\r?\n|OPENSSLDIR[a-zA-Z0-9:/ \"\-\r\n]*)OpenSSL ([0-9]+\.[0-9]+\.[0-9]+[a-z]*) [a-zA-Z0-9 ]+",
     ]

cve_bin_tool/checkers/traffic_server.py

@@ -0,0 +1,20 @@
+# Copyright (C) 2025 Orange
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+
+"""
+CVE checker for traffic_server
+
+https://www.cvedetails.com/product/19990/Apache-Traffic-Server.html?vendor_id=45
+
+"""
+from __future__ import annotations
+
+from cve_bin_tool.checkers import Checker
+
+
+class TrafficServerChecker(Checker):
+    CONTAINS_PATTERNS: list[str] = []
+    FILENAME_PATTERNS: list[str] = []
+    VERSION_PATTERNS = [r"Traffic Server ([0-9]+\.[0-9]+\.[0-9]+)"]
+    VENDOR_PRODUCT = [("apache", "traffic_server")]

cve_bin_tool/checkers/zziplib.py

@@ -0,0 +1,20 @@
+# Copyright (C) 2025 Orange
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+
+"""
+CVE checker for zziplib
+
+https://www.cvedetails.com/product/36035/Zziplib-Project-Zziplib.html?vendor_id=16135
+
+"""
+from __future__ import annotations
+
+from cve_bin_tool.checkers import Checker
+
+
+class ZziplibChecker(Checker):
+    CONTAINS_PATTERNS: list[str] = []
+    FILENAME_PATTERNS: list[str] = []
+    VERSION_PATTERNS = [r"zziplib ([0-9]+\.[0-9]+\.[0-9]+)"]
+    VENDOR_PRODUCT = [("zziplib_project", "zziplib")]

cve_bin_tool/data_sources/nvd_source.py

@@ -49,11 +49,11 @@ class NVD_Source(Data_Source):
     CACHEDIR = DISK_LOCATION_DEFAULT
     BACKUPCACHEDIR = DISK_LOCATION_BACKUP
     FEED_NVD = "https://nvd.nist.gov/vuln/data-feeds"
-    FEED_MIRROR = "https://mirror.cveb.in/nvd/json/cve/1.1"
+    FEED_MIRROR = "https://v4.mirror.cveb.in/nvd/json/cve/1.1"
     LOGGER = LOGGER.getChild("CVEDB")
     NVDCVE_FILENAME_TEMPLATE = NVD_FILENAME_TEMPLATE
     META_LINK_NVD = "https://nvd.nist.gov"
-    META_LINK_MIRROR = "https://mirror.cveb.in/nvd/json/cve/1.1"
+    META_LINK_MIRROR = "https://v4.mirror.cveb.in/nvd/json/cve/1.1"
     META_REGEX_NVD = re.compile(r"feeds\/json\/.*-[0-9]*\.[0-9]*-[0-9]*\.meta")
     META_REGEX_MIRROR = re.compile(r"nvdcve-[0-9]*\.[0-9]*-[0-9]*\.meta")
     RANGE_UNSET = ""
@@ -583,17 +583,20 @@ async def cache_update(
         if len(gzip_data) == 0:
             self.LOGGER.debug(f"Missing data for {filename}")
             return
-        json_data = gzip.decompress(gzip_data)
-        gotsha = hashlib.sha256(json_data).hexdigest().upper()
-        async with FileIO(filepath, "wb") as filepath_handle:
-            await filepath_handle.write(gzip_data)
-        # Raise error if there was an issue with the sha
-        if gotsha != sha:
-            # Remove the file if there was an issue
-            # exit(100)
-            filepath.unlink()
-            with ErrorHandler(mode=self.error_mode, logger=self.LOGGER):
-                raise SHAMismatch(f"{url} (have: {gotsha}, want: {sha})")
+        try:
+            json_data = gzip.decompress(gzip_data)
+            gotsha = hashlib.sha256(json_data).hexdigest().upper()
+            async with FileIO(filepath, "wb") as filepath_handle:
+                await filepath_handle.write(gzip_data)
+            # Raise error if there was an issue with the sha
+            if gotsha != sha:
+                # Remove the file if there was an issue
+                # exit(100)
+                filepath.unlink()
+                with ErrorHandler(mode=self.error_mode, logger=self.LOGGER):
+                    raise SHAMismatch(f"{url} (have: {gotsha}, want: {sha})")
+        except Exception:
+            self.LOGGER.warning(f"Invalid data in {filename}, skipping")
 
     def load_nvd_year(self, year: int) -> dict[str, str | object]:
         """
@@ -621,3 +624,5 @@ def nvd_years(self) -> list[int]:
             int(filename.split(".")[-3].split("-")[-1])
             for filename in glob.glob(str(Path(self.cachedir) / "nvdcve-1.1-*.json.gz"))
         )
+        # FIXME: temporary workaround so we don't try to load bad year data
+        # return list(range(2020, 2025))

cve_bin_tool/version.py

@@ -8,7 +8,7 @@
 from cve_bin_tool.log import LOGGER
 from cve_bin_tool.util import make_http_requests
 
-VERSION: str = "3.4.1rc0"
+VERSION: str = "3.4.1"
 
 HTTP_HEADERS: dict = {
     "User-Agent": f"cve-bin-tool/{VERSION} (https://github.com/intel/cve-bin-tool/)",