Add PE metadata extraction for Python version in checker

Author: alex-cheng-techman

cve_bin_tool/checkers/openssl.py

@@ -18,6 +18,9 @@ class OpensslChecker(Checker):
     CONTAINS_PATTERNS = [r"part of OpenSSL", r"openssl.cnf", r"-DOPENSSL_"]
     FILENAME_PATTERNS = [r"libssl.so.", r"libcrypto.so"]
     VERSION_PATTERNS = [
+        # for general format: OpenSSL 1.0.2u¡BOpenSSL 3.0.0¡BOpenSSL 1.1.1k
+        r"OpenSSL\s+([0-9]+\.[0-9]+\.[0-9]+[a-z]*)",
+        
         r"OpenSSL ([0-9]+\.[0-9]+\.[0-9]+[a-z]*) [a-zA-Z0-9 ]+\r?\n(?:%s \(Library: %s\)|[a-zA-Z0-9:,_ \.\-\r\n]*OPENSSLDIR|ssl)",
         r"(?:%s \(Library: %s\)\r?\n|OPENSSLDIR[a-zA-Z0-9:/ \"\-\r\n]*)OpenSSL ([0-9]+\.[0-9]+\.[0-9]+[a-z]*) [a-zA-Z0-9 ]+",
     ]

cve_bin_tool/checkers/openssl.py.bak

@@ -0,0 +1,27 @@
+# Copyright (C) 2021 Intel Corporation
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+
+"""
+CVE checker for openssl
+
+References:
+https://www.openssl.org/news/vulnerabilities.html
+http://www.cvedetails.com/vulnerability-list/vendor_id-217/product_id-383/Openssl-Openssl.html
+
+RSS feed: http://www.cvedetails.com/vulnerability-feed.php?vendor_id=217&product_id=383&version_id=&orderby=3&cvssscoremin=0
+"""
+from cve_bin_tool.checkers import Checker
+
+
+class OpensslChecker(Checker):
+    CONTAINS_PATTERNS = [r"part of OpenSSL", r"openssl.cnf", r"-DOPENSSL_"]
+    FILENAME_PATTERNS = [r"libssl.so.", r"libcrypto.so"]
+    VERSION_PATTERNS = [
+        # for general format: OpenSSL 1.0.2u�BOpenSSL 3.0.0�BOpenSSL 1.1.1k
+        r"OpenSSL\s+([0-9]+\.[0-9]+\.[0-9]+[a-z]*)",
+        
+        r"OpenSSL ([0-9]+\.[0-9]+\.[0-9]+[a-z]*) [a-zA-Z0-9 ]+\r?\n(?:%s \(Library: %s\)|[a-zA-Z0-9:,_ \.\-\r\n]*OPENSSLDIR|ssl)",
+        r"(?:%s \(Library: %s\)\r?\n|OPENSSLDIR[a-zA-Z0-9:/ \"\-\r\n]*)OpenSSL ([0-9]+\.[0-9]+\.[0-9]+[a-z]*) [a-zA-Z0-9 ]+",
+    ]
+    VENDOR_PRODUCT = [("openssl", "openssl")]

cve_bin_tool/checkers/python.py

@@ -19,6 +19,9 @@ class PythonChecker(Checker):
     ]
     FILENAME_PATTERNS = [r"python"]
     VERSION_PATTERNS = [
+        # to match the data from PE file
+        r"[Pp]ython ([0-9]+\.[0-9]+\.[0-9]+)",
+        
         r"src\\python[23]\\Python-([23]+\.[0-9]+\.[0-9]+)",
         r"python(?:[23]+\.[0-9]+)-([23]+\.[0-9]+\.[0-9]+)",
         r"pymalloc_debug\r?\n([23]+\.[0-9]+\.[0-9]+)",

cve_bin_tool/checkers/python.py.bak

@@ -0,0 +1,29 @@
+# Copyright (C) 2021 Intel Corporation
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+"""
+CVE checker for Python
+References:
+https://www.cvedetails.com/vulnerability-list/vendor_id-10210/product_id-18230/Python-Python.html
+
+
+"""
+from cve_bin_tool.checkers import Checker
+
+
+class PythonChecker(Checker):
+    CONTAINS_PATTERNS = [
+        r"Fatal Python error: unable to decode the command line argument",
+        r"Internal error in the Python interpreter",
+        r"CPython",
+    ]
+    FILENAME_PATTERNS = [r"python"]
+    VERSION_PATTERNS = [
+        r"src\\python[23]\\Python-([23]+\.[0-9]+\.[0-9]+)",
+        r"python(?:[23]+\.[0-9]+)-([23]+\.[0-9]+\.[0-9]+)",
+        r"pymalloc_debug\r?\n([23]+\.[0-9]+\.[0-9]+)",
+        r"([23]+\.[0-9]+\.[0-9]+)\r?\nPython %s",
+        r"([23]+\.[0-9]+\.[0-9]+)\r?\n%\.80s \(%\.80s\) %\.80s",
+        r"tags/v([23]+\.[0-9]+\.[0-9]+)\r?\n",
+    ]
+    VENDOR_PRODUCT = [("python_software_foundation", "python"), ("python", "python")]

cve_bin_tool/version_scanner.py

@@ -231,6 +231,27 @@ def is_linux_kernel(self, filename: str) -> tuple[bool, str | None]:
 
         return False, output
 
+	# used to get product name, version, vendor info PE metadata
+    def extract_version_from_pe(self, filename: str) -> str:
+        info = ""
+        try:
+            import pefile
+            with pefile.PE(filename) as pe:
+            #pe = pefile.PE(filename)
+                for fileinfo in pe.FileInfo:
+                    for entry in fileinfo:
+                        if entry.Key == b'StringFileInfo':
+                            for st in entry.StringTable:
+                                entries = st.entries
+                                product_name = entries.get(b'ProductName', b'').decode(errors='ignore')
+                                product_version = entries.get(b'ProductVersion', b'').decode(errors='ignore')
+                                company_name = entries.get(b'CompanyName', b'').decode(errors='ignore')
+                                info = (f" {product_name} {product_version} {company_name}")
+                                self.logger.debug(f"peFile.PE Metadata:{info}")
+        except Exception as e:
+            LOGGER.debug(f"[PE Metadata] Failed to parse PE file {filename}: {e}")
+        return info
+
     def scan_file(self, filename: str) -> Iterator[ScanInfo]:
         """Scans a file to see if it contains any of the target libraries,
         and whether any of those contain CVEs"""
@@ -261,6 +282,7 @@ def scan_file(self, filename: str) -> Iterator[ScanInfo]:
 
         # parse binary file's strings
         lines = parse_strings(filename)
+        lines += self.extract_version_from_pe(filename)
 
         if self.no_scan:
             yield from self.run_checkers(filename, lines)

dummy_vex_output

@@ -0,0 +1,256 @@
+{
+  "document": {
+    "category": "csaf_vex",
+    "csaf_version": "2.0",
+    "notes": [
+      {
+        "category": "summary",
+        "title": "Technical Summary",
+        "text": "Auto generated CSAF document"
+      }
+    ],
+    "publisher": {
+      "category": "vendor",
+      "name": "TestVendor",
+      "namespace": "https://www.example.com",
+      "contact_details": "TestVendor"
+    },
+    "title": "",
+    "tracking": {
+      "current_release_date": "2025-06-19T06:59:24Z",
+      "generator": {
+        "date": "2025-06-19T06:59:24Z",
+        "engine": {
+          "name": "csaf-tool",
+          "version": "0.3.2"
+        }
+      },
+      "id": "TESTPRODUCT-1.0-VEX",
+      "initial_release_date": "2025-06-19T06:59:24Z",
+      "revision_history": [
+        {
+          "date": "2025-06-19T06:59:24Z",
+          "number": "1",
+          "summary": "None"
+        }
+      ],
+      "status": "final",
+      "version": "1"
+    }
+  },
+  "product_tree": {
+    "branches": [
+      {
+        "category": "vendor",
+        "name": "TestVendor",
+        "branches": [
+          {
+            "category": "product_name",
+            "name": "TestProduct",
+            "branches": [
+              {
+                "category": "product_version",
+                "name": "1.0",
+                "product": {
+                  "name": "TestVendor TestProduct 1.0",
+                  "product_id": "CSAFPID_0001",
+                  "product_identification_helper": {
+                    "sbom_urls": [
+                      "file:///D:/PythonEnv/dev/cve-bin-tool"
+                    ]
+                  }
+                }
+              }
+            ]
+          }
+        ]
+      }
+    ]
+  },
+  "vulnerabilities": [
+    {
+      "cve": "CVE-1234-1004",
+      "notes": [
+        {
+          "category": "description",
+          "title": "CVE description",
+          "text": "https://nvd.nist.gov/vuln/detail/CVE-1234-1004"
+        }
+      ],
+      "product_status": {
+        "under_investigation": [
+          "CSAFPID_0001"
+        ]
+      },
+      "threats": [
+        {
+          "category": "impact",
+          "details": "",
+          "date": "2025-06-19T06:59:24Z",
+          "product_ids": [
+            "CSAFPID_0001"
+          ]
+        }
+      ]
+    },
+    {
+      "cve": "CVE-1234-1005",
+      "notes": [
+        {
+          "category": "description",
+          "title": "CVE description",
+          "text": "https://nvd.nist.gov/vuln/detail/CVE-1234-1005"
+        }
+      ],
+      "product_status": {
+        "known_not_affected": [
+          "CSAFPID_0001"
+        ]
+      },
+      "flags": [
+        {
+          "date": "2025-06-19T06:59:24Z",
+          "label": "component_not_present",
+          "product_ids": [
+            "CSAFPID_0001"
+          ]
+        }
+      ],
+      "threats": [
+        {
+          "category": "impact",
+          "details": "Detail field populated.",
+          "date": "2025-06-19T06:59:24Z",
+          "product_ids": [
+            "CSAFPID_0001"
+          ]
+        }
+      ]
+    },
+    {
+      "cve": "CVE-1234-1006",
+      "notes": [
+        {
+          "category": "description",
+          "title": "CVE description",
+          "text": "https://nvd.nist.gov/vuln/detail/CVE-1234-1006"
+        }
+      ],
+      "product_status": {
+        "under_investigation": [
+          "CSAFPID_0001"
+        ]
+      },
+      "threats": [
+        {
+          "category": "impact",
+          "details": "Data field populated.",
+          "date": "2025-06-19T06:59:24Z",
+          "product_ids": [
+            "CSAFPID_0001"
+          ]
+        }
+      ]
+    },
+    {
+      "cve": "CVE-1234-1007",
+      "notes": [
+        {
+          "category": "description",
+          "title": "CVE description",
+          "text": "https://nvd.nist.gov/vuln/detail/CVE-1234-1007"
+        }
+      ],
+      "product_status": {
+        "fixed": [
+          "CSAFPID_0001"
+        ]
+      },
+      "threats": [
+        {
+          "category": "impact",
+          "details": "Data field populated.",
+          "date": "2025-06-19T06:59:24Z",
+          "product_ids": [
+            "CSAFPID_0001"
+          ]
+        }
+      ]
+    },
+    {
+      "cve": "CVE-1234-1008",
+      "notes": [
+        {
+          "category": "description",
+          "title": "CVE description",
+          "text": "https://nvd.nist.gov/vuln/detail/CVE-1234-1008"
+        }
+      ],
+      "product_status": {
+        "under_investigation": [
+          "CSAFPID_0001"
+        ]
+      },
+      "threats": [
+        {
+          "category": "impact",
+          "details": "",
+          "date": "2025-06-19T06:59:24Z",
+          "product_ids": [
+            "CSAFPID_0001"
+          ]
+        }
+      ]
+    },
+    {
+      "cve": "CVE-1234-1009",
+      "notes": [
+        {
+          "category": "description",
+          "title": "CVE description",
+          "text": "https://nvd.nist.gov/vuln/detail/CVE-1234-1009"
+        }
+      ],
+      "product_status": {
+        "under_investigation": [
+          "CSAFPID_0001"
+        ]
+      },
+      "threats": [
+        {
+          "category": "impact",
+          "details": "",
+          "date": "2025-06-19T06:59:24Z",
+          "product_ids": [
+            "CSAFPID_0001"
+          ]
+        }
+      ]
+    },
+    {
+      "cve": "CVE-1234-1010",
+      "notes": [
+        {
+          "category": "description",
+          "title": "CVE description",
+          "text": "https://nvd.nist.gov/vuln/detail/CVE-1234-1010"
+        }
+      ],
+      "product_status": {
+        "under_investigation": [
+          "CSAFPID_0001"
+        ]
+      },
+      "threats": [
+        {
+          "category": "impact",
+          "details": "",
+          "date": "2025-06-19T06:59:24Z",
+          "product_ids": [
+            "CSAFPID_0001"
+          ]
+        }
+      ]
+    }
+  ]
+}

output.cve-bin-tool.2025-06-19.14-59-23.csv

@@ -0,0 +1,8 @@
+vendor,product,version,cve_number,severity,score,source,cvss_version,cvss_vector,paths,remarks,comments
+vendor0,product0,1.0,CVE-1234-1004,CRITICAL,4.2,NVD,2,C:H,,NewFound,
+vendor0,product0,1.0,CVE-1234-1005,MEDIUM,4.2,NVD,2,C:H,,NotAffected,Detail field populated.
+vendor0,product0,1.0,CVE-1234-1006,LOW,1.2,NVD,2,CVSS2.0/C:H,,NewFound,Data field populated.
+vendor0,product0,2.8.6,CVE-1234-1007,LOW,2.5,NVD,3,CVSS3.0/C:H/I:L/A:M,,Mitigated,Data field populated.
+vendor0,product0,2.8.6,CVE-1234-1008,UNKNOWN,2.5,NVD,3,CVSS3.0/C:H/I:L/A:M,,NewFound,
+vendor0,product0,2.8.6,CVE-1234-1009,MEDIUM,2.5,NVD,3,CVSS3.0/C:H/I:L/A:M,,NewFound,
+vendor1,product1,3.2.1.0,CVE-1234-1010,HIGH,7.5,OSV,2,C:H/I:L/A:M,,NewFound,