GSoC 2022: Start Here

Open terriko opened this issue 2 years ago • 1 comment

Google Summer of Code 2022 has been announced! CVE Binary Tool is hoping to participate in 2022 under the Python Software Foundation umbrella.

This year contributors can be anyone over 18 (you do not need to be enrolled in a post-secondary institution) and projects can be either 175hrs of work or 350hrs of work (with pay scaling appropriately). We don't fully know the details of the timing, but the hours and start/end dates will be more flexible than in the past.

About CVE Binary Tool

The CVE Binary Tool is a free, open source tool to help you find known vulnerabilities in software, using data from the National Vulnerability Database (NVD) list of Common Vulnerabilities and Exposures (CVEs).

The tool has two main modes of operation:

  1. A binary scanner which helps you determine which packages may have been included as part of a piece of software. There are around 100 checkers which focus on common, vulnerable open source components such as openssl, libpng, libxml2 and expat.
  2. Tools for scanning known component lists in various formats, including .csv, several linux distribution package lists, and several Software Bill of Materials (SBOM) formats.

It is intended to be used as part of your continuous integration system to enable regular vulnerability scanning and give you early warning of known issues in your supply chain.

Dates:

  • Organizations apply February 2022. We won't know for sure if we're in until after applications close. We'll be listed as part of "Python Software Foundation"
  • Contributors apply April 2022.

Project ideas:

  1. #1525 (intermediate)
  2. #1526 (beginner to intermediate)
  3. #1608 (beginner to intermediate)
  4. #1618 (intermediate to advanced)

Getting started:

It can be really overwhelming figuring out how to start in a new project, so here's some steps we recommend:

  1. Follow the README and make sure you can run the tool. Try running it against random things on your hard drive and see if it finds anything. On a Linux system, your /bin directory usually yields some interesting results.

  2. Run the tests. The CVE Binary Tool has a number of unit tests. Make sure you know how to run them, and if you've never used pytest before, you might want to read up on it (we also have some tests still using Python's unittest, but we're tending towards pytest for new tests). Figure out how to run a single test!

  3. Read the documentation. That should help you figure out what the tool is for and how people use it in more detail.

  4. Read the new contributor guide

Some potential first contributions:

  1. File issues. You might encounter a bug or something confusing in the documentation. Let us know if you do!
  2. Update documentation. We especially appreciate documentation feedback from new users, since your "beginner mind" means you see things differently than experienced users, and will catch places where the documentation could be more detailed or improved.
  3. Write a new test. Instructions for writing tests are here. This can be your first contribution!
  4. Try fixing a bug. We have a few flagged as "good first issue". A number of those are new checkers, which although they might sound challenging are often pretty easy to write. Instructions on how to add a new checker are here.

We expect prospective GSoC students to have made at least one code contribution if they want their application to be considered, so now's a good time to get that going! You can ask for as much help as you need.

Got stuck?

  1. Ask in the GSoC tagged issues! (GSoC 2022 getting started is a good place, or file a new issue with your question.)
  2. We have a chat server on gitter. That allows for "live" chat but no one's actually sitting there 24/7 so you should expect to post your question and get an answer hours later when someone sees it.

terriko avatar Dec 15 '21 00:12 terriko
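The two modes of operation described in the post above (string-matching checkers against a binary, and reading a known component list) reduce to the same pipeline: extract (vendor, product, version) triples, then compare each version against the affected range of a CVE. The following is an added, self-contained illustration of that pipeline; it is not cve-bin-tool's own code, and the checker table, the "ELF-ish" binary, the CSV text and the one-row CVE table are all constructed for the example (the CVE row is the real Heartbleed entry, with its affected range simplified to a single half-open interval; the real tool downloads the full NVD feed and its checkers carry more fields than the two regex lists modelled here).

```python
"""Miniature model of cve-bin-tool's two scanning modes (added example)."""
from __future__ import annotations

import csv
import io
import re
from typing import NamedTuple


class Component(NamedTuple):
    vendor: str
    product: str
    version: str


# Stand-in for a set of checkers (assumption: real checkers declare more than
# these two regex lists).  "contains" decides whether the product is present at
# all; "version" extracts the version string from a banner.
CHECKERS = {
    ("openssl", "openssl"): {
        "contains": [rb"OpenSSL"],
        "version": [rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)"],
    },
    ("libpng", "libpng"): {
        "contains": [rb"libpng"],
        "version": [rb"libpng version (\d+\.\d+\.\d+)"],
    },
}


def printable_strings(blob: bytes, min_len: int = 4) -> list[bytes]:
    """Like strings(1): runs of printable ASCII of at least min_len bytes."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def scan_binary(blob: bytes) -> list[Component]:
    """Mode 1: apply every checker to the printable strings of a binary."""
    strings = printable_strings(blob)
    found: list[Component] = []
    for (vendor, product), pats in CHECKERS.items():
        if not any(re.search(p, s) for p in pats["contains"] for s in strings):
            continue  # product marker absent: skip the version regexes
        for s in strings:
            for p in pats["version"]:
                m = re.search(p, s)
                if m:
                    comp = Component(vendor, product, m.group(1).decode())
                    if comp not in found:
                        found.append(comp)
    return found


def scan_csv(text: str) -> list[Component]:
    """Mode 2: read a component list with vendor,product,version columns
    (assumption: that header shape matches the tool's CSV input)."""
    reader = csv.DictReader(io.StringIO(text))
    return [Component(r["vendor"].strip(), r["product"].strip(), r["version"].strip())
            for r in reader]


def version_key(v: str) -> tuple:
    """Sort key that orders OpenSSL-style letter suffixes: 1.0.1 < 1.0.1f < 1.0.1g."""
    key = []
    for part in v.split("."):
        m = re.fullmatch(r"(\d+)([a-z]*)", part)
        key.append((int(m.group(1)), m.group(2)) if m else (0, part))
    return tuple(key)


# Constructed stand-in for the NVD data.  Heartbleed affected OpenSSL 1.0.1
# through 1.0.1f and was fixed in 1.0.1g, so the interval is [1.0.1, 1.0.1g).
CVE_TABLE = [
    ("CVE-2014-0160", "openssl", "openssl", "1.0.1", "1.0.1g"),
]


def match_cves(components: list[Component]) -> dict[Component, list[str]]:
    """Map each component to the CVEs whose affected range contains its version."""
    hits: dict[Component, list[str]] = {}
    for c in components:
        for cve, vendor, product, start, end in CVE_TABLE:
            if (vendor, product) != (c.vendor, c.product):
                continue
            if version_key(start) <= version_key(c.version) < version_key(end):
                hits.setdefault(c, []).append(cve)
    return hits


# Constructed inputs: an ELF-like blob carrying two version banners, and a
# CSV component list whose OpenSSL is already on the fixed release.
FAKE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"\x00OpenSSL 1.0.1f 6 Jan 2014\x00"
    + b"\x00libpng version 1.6.37\x00"
    + bytes(range(0, 32))
)

COMPONENT_CSV = """vendor,product,version
openssl,openssl,1.0.1g
libpng,libpng,1.6.37
"""


def demo() -> dict[str, dict[Component, list[str]]]:
    return {
        "binary": match_cves(scan_binary(FAKE_BINARY)),
        "csv": match_cves(scan_csv(COMPONENT_CSV)),
    }


if __name__ == "__main__":
    for mode, hits in demo().items():
        print(mode, hits or "no known CVEs")
```

The binary scan flags OpenSSL 1.0.1f against Heartbleed, while the CSV list (OpenSSL 1.0.1g) comes back clean; the libpng build gets no hit because the constructed table has no libpng rows, which is the same silence you get from the real tool when a component is present but nothing in the database covers it. The ordered version key is the part worth getting right in a real checker: plain string comparison would put "1.0.1f" after "1.0.10".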

Added @anthonyharrison's new project idea to the list above:

  • #1608

terriko avatar Mar 23 '22 17:03 terriko

Closing in preparation for GSoC 2023.

terriko avatar Oct 25 '22 21:10 terriko