
vulnxscan: Add cve-bin-tool scanner #75

Draft: wants to merge 1 commit into main

Conversation

@henrirosten (Collaborator) commented Jun 28, 2023

Adds cve-bin-tool scanner to vulnxscan.

Why do we use a cve-bin-tool fork instead of the upstream or the version in nixpkgs?
The main reason is that both the upstream and the nixpkgs versions require an older version of python packaging. This project (vulnxscan) also requires packaging, but it needs a newer version. This results in a conflict in python dependencies. The cve-bin-tool fork we are using in this PR attempts to resolve the upstream cve-bin-tool python dependency issues so that a newer version of packaging can be used in cve-bin-tool. As soon as the issue is properly resolved upstream and in nixpkgs, we should change vulnxscan to also start using the cve-bin-tool version from nixpkgs.

@henrirosten henrirosten force-pushed the vulnxscan_add_cve_bin_tool branch from e342ccd to f30739c Compare June 29, 2023 06:17
@henrirosten henrirosten force-pushed the vulnxscan_add_cve_bin_tool branch from f30739c to bc4ffb5 Compare August 9, 2023 08:43
@henrirosten (Collaborator, Author) commented:

We decided to not merge this for now.

The main problem is that cve-bin-tool reports way too many false positives. As an example, in a recent test run on a Ghaf target, cve-bin-tool reported the following vulnerabilities that were not reported by any other scanners:

```shell
# Run vulnxscan, including the changes from this PR:
vulnxscan.py /path/to/ghaf/result
...
# Find vulnerabilities reported by cve-bin-tool, not reported by any other scanner:
csvsql --verbose --query "select * from vulns where cvebin == '1' and sum == '1'" vulns.csv | csvcut -C sortcol | csvlook
```

We end up with the following list of vulns:

| vuln_id        | url                                             | package  | version | grype |   osv | cvebin | vulnix | sum |
| -------------- | ----------------------------------------------- | -------- | ------- | ----- | ----- | ------ | ------ | --- |
| CVE-2023-35945 | https://nvd.nist.gov/vuln/detail/CVE-2023-35945 | nghttp2  | 1.51.0  | False | False |   True |  False |   1 |
| CVE-2023-29469 | https://nvd.nist.gov/vuln/detail/CVE-2023-29469 | libxml2  | 2.10.4  | False | False |   True |  False |   1 |
| CVE-2023-28484 | https://nvd.nist.gov/vuln/detail/CVE-2023-28484 | libxml2  | 2.10.4  | False | False |   True |  False |   1 |
| CVE-2023-2828  | https://nvd.nist.gov/vuln/detail/CVE-2023-2828  | bind     | 9.18.16 | False | False |   True |  False |   1 |
| CVE-2023-1579  | https://nvd.nist.gov/vuln/detail/CVE-2023-1579  | binutils | 2.40    | False | False |   True |  False |   1 |
| CVE-2023-0361  | https://nvd.nist.gov/vuln/detail/CVE-2023-0361  | gnutls   | 3.8.0   | False | False |   True |  False |   1 |
| CVE-2022-43680 | https://nvd.nist.gov/vuln/detail/CVE-2022-43680 | expat    | 2.5.0   | False | False |   True |  False |   1 |
| CVE-2022-38177 | https://nvd.nist.gov/vuln/detail/CVE-2022-38177 | bind     | 9.18.16 | False | False |   True |  False |   1 |
| CVE-2022-25310 | https://nvd.nist.gov/vuln/detail/CVE-2022-25310 | fribidi  | 1.0.12  | False | False |   True |  False |   1 |
| CVE-2022-25309 | https://nvd.nist.gov/vuln/detail/CVE-2022-25309 | fribidi  | 1.0.12  | False | False |   True |  False |   1 |
| CVE-2022-25308 | https://nvd.nist.gov/vuln/detail/CVE-2022-25308 | fribidi  | 1.0.12  | False | False |   True |  False |   1 |
| CVE-2022-3080  | https://nvd.nist.gov/vuln/detail/CVE-2022-3080  | bind     | 9.18.16 | False | False |   True |  False |   1 |
| CVE-2022-2795  | https://nvd.nist.gov/vuln/detail/CVE-2022-2795  | bind     | 9.18.16 | False | False |   True |  False |   1 |
| CVE-2022-1122  | https://nvd.nist.gov/vuln/detail/CVE-2022-1122  | openjpeg | 2.5.0   | False | False |   True |  False |   1 |
| CVE-2021-25220 | https://nvd.nist.gov/vuln/detail/CVE-2021-25220 | bind     | 9.18.16 | False | False |   True |  False |   1 |
| CVE-2021-25219 | https://nvd.nist.gov/vuln/detail/CVE-2021-25219 | bind     | 9.18.16 | False | False |   True |  False |   1 |
| CVE-2021-25214 | https://nvd.nist.gov/vuln/detail/CVE-2021-25214 | bind     | 9.18.16 | False | False |   True |  False |   1 |
| CVE-2021-3575  | https://nvd.nist.gov/vuln/detail/CVE-2021-3575  | openjpeg | 2.5.0   | False | False |   True |  False |   1 |
| CVE-2021-3502  | https://nvd.nist.gov/vuln/detail/CVE-2021-3502  | avahi    | 0.8     | False | False |   True |  False |   1 |

Quick manual triage:

Clearly, there's something wrong with the way cve-bin-tool matches vulnerable components (versions).
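The csvsql query from the comment above, reimplemented as an added example (not code from vulnxscan or this PR) that also counts per-scanner unique findings and checks that the `sum` column matches the scanner flags. The sample rows are constructed: two are copied from the table above, the `CVE-0000-*` ids are placeholders.

```python
import csv
import io
from collections import Counter

# Scanner columns in vulnxscan's vulns.csv, in the order the PR's table shows them.
SCANNERS = ("grype", "osv", "cvebin", "vulnix")

# Constructed sample in the vulns.csv layout. The first two rows come from the table
# in this PR; the CVE-0000-* rows are placeholders, not real CVEs. The last row has a
# deliberately wrong 'sum' to exercise the consistency check.
SAMPLE_CSV = """vuln_id,url,package,version,grype,osv,cvebin,vulnix,sum
CVE-2023-35945,https://nvd.nist.gov/vuln/detail/CVE-2023-35945,nghttp2,1.51.0,False,False,True,False,1
CVE-2022-25310,https://nvd.nist.gov/vuln/detail/CVE-2022-25310,fribidi,1.0.12,False,False,True,False,1
CVE-0000-0001,https://example.invalid/CVE-0000-0001,pkg-a,1.0,True,True,True,False,3
CVE-0000-0002,https://example.invalid/CVE-0000-0002,pkg-b,2.0,True,False,False,False,1
CVE-0000-0003,https://example.invalid/CVE-0000-0003,pkg-c,3.0,False,True,False,True,1
"""


def parse_vulns(text):
    """Parse vulns.csv text; scanner flags become bools, 'sum' becomes an int."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for scanner in SCANNERS:
            row[scanner] = row[scanner].strip().lower() == "true"
        row["sum"] = int(row["sum"])
        rows.append(row)
    return rows


def reporters(row):
    """Set of scanners that flagged this row."""
    return {scanner for scanner in SCANNERS if row[scanner]}


def only_reported_by(rows, scanner):
    """Equivalent of the csvsql query: rows flagged by `scanner` and by nobody else."""
    return [r["vuln_id"] for r in rows if reporters(r) == {scanner}]


def unique_counts(rows):
    """Per scanner, how many of its findings no other scanner corroborates."""
    counts = Counter()
    for r in rows:
        rep = reporters(r)
        if len(rep) == 1:
            counts[next(iter(rep))] += 1
    return dict(counts)


def sum_mismatches(rows):
    """Rows whose 'sum' column disagrees with the number of True scanner flags."""
    return [r["vuln_id"] for r in rows if r["sum"] != len(reporters(r))]
```

A high unique-finding count for one scanner, as `unique_counts` shows for cve-bin-tool here, is the signal the comment above describes: findings nobody else corroborates are the first candidates for manual triage.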

Adds cve-bin-tool scanner to vulnxscan

Signed-off-by: Henri Rosten <[email protected]>
@henrirosten henrirosten force-pushed the vulnxscan_add_cve_bin_tool branch from bc4ffb5 to 7eee82c Compare August 11, 2023 11:35