fix: fix filename and root display
root is set to filename and filename is set to " - " since https://github.com/intel/cve-bin-tool/commit/a8d9eebbf109448e13a734eadeda1d3f04a3b194 which seems completely wrong:
```
╭─────────────────╮
│ NewFound CVEs   │
╰─────────────────╯
┏━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━┳━━━━━━━━━━┓
┃ Vendor       ┃ Product        ┃ Version      ┃ Root            ┃ Filename ┃
┡━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━╇━━━━━━━━━━┩
│ sudo_project │ sudo           │ 1.9.5p2      │ sudo_logsrvd    │ -        │
│ sudo_project │ sudo           │ 1.9.5p2      │ sudo_sendlog    │ -        │
```
So fix this issue to get this display:
```
╭─────────────────╮
│ NewFound CVEs   │
╰─────────────────╯
┏━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━┓
┃ Vendor       ┃ Product        ┃ Version      ┃ Root      ┃ Filename        ┃
┡━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━┩
│ sudo_project │ sudo           │ 1.9.5p2      │ /usr/sbin │ sudo_logsrvd    │
│ sudo_project │ sudo           │ 1.9.5p2      │ /usr/sbin │ sudo_sendlog    │
```
Signed-off-by: Fabrice Fontaine [email protected]
@ffontaine Maybe the root/filename columns are misleading but the original aim was to try and identify the files within an archive where the vulnerable component was. The '-' was to indicate the component was not in an archive and indicated that the file was in the directory being scanned.
Current behaviour seems to be:
Outside of archive: filename is in "root", "-" indicates that's the end. In archive: filename in "filename" and "root" shows the path inside the archive
That's clear when you know what's happening but I agree it's kind of strange if you don't know that's what they're set to.
I'm guessing what people would want is something more like "full path and filename." Where full path for a regular file could just be a path, and full path for an archive might be something like "/path/to/archive/archive.zip -> /path/inside/archive" (the -> might not be the right character, but something that helps people pick out the archive filename might help and whitespace would do that.)
Or do either of you have something else in mind for what you'd want to see?
OK, then the names root and filename are indeed completely misleading. I really like your proposition @terriko.
fullpath would be really great.
Let me explain my use case a little. I'm using cve-bin-tool to scan embedded firmware. Most of the time I'm retrieving it from the manufacturer or from a flash dump. For extraction purposes, I'm using binwalk, which is a well-known tool able to extract a lot of filesystems, from squashfs to jffs2, etc. Then, I'm using cve-bin-tool to see if there are vulnerable components in the extracted firmware. If a vulnerable component is found, the full path is really needed as sometimes you could have two or three different versions of libssl.so. This means that the filename will always be the same.
@ffontaine @terriko I agree that the column headings are confusing as they represent different elements dependent on whether the 'root' is an archive or not.
I have now done some experiments with a directory which contains both archives and files and note that we need to modify the behaviour of archive reporting as well, as the reported 'filename' is not necessarily the actual file with the vulnerability. There therefore needs to be a further modification to the format_path function.
If we report the basename of the file, it is probable that due to the length of the full path, the full path will be truncated and therefore will not be shown, so I also propose that we make some modifications to the output to make this more usable.

I attach updated versions of util.py (with an updated format_path function) and console.py with an enhanced console output function
console.py.txt
util.py.txt
@anthonyharrison, your proposal is nice.
My only suggestion would be replace See File 0 by Path 0 (see below) or Root 0 (see below).
Indeed, /usr/sbin is not a file but a directory.
Otherwise, this is perfect, thanks.
@ffontaine
I think these updates to the code in console.py will do what you need.
```python
# Snippet from console.py: note_data must be defined in the enclosing scope
# before the table is built. It collects [path_name, path_type] pairs for
# paths too long to fit in the table column.
note_data = []


def validate_path_length(path_name, path_type):
    # If the path is too long for the column, replace it with a numbered note
    # and list the full path below the table
    if len(path_name) > 45:
        if [path_name, path_type] not in note_data:
            note_data.append([path_name, path_type])
        return path_type + str(note_data.index([path_name, path_type])) + " (see below)"
    return path_name


for cve_data in cve_by_paths[remarks]:
    path_root = format_path(cve_data["paths"])
    cells = [
        Text.styled(cve_data["vendor"], color),
        Text.styled(cve_data["product"], color),
        Text.styled(cve_data["version"], color),
        Text.styled(validate_path_length(path_root[0], "Root "), color),
        Text.styled(validate_path_length(path_root[1], "Path "), color),
    ]
    table.add_row(*cells)

# Show the full paths that were replaced by notes in the table
if len(note_data) > 0:
    console.print("\n")
    for i, note in enumerate(note_data):
        # note is a pair [pathname, pathtype]
        console.print(f"{note[1]} {i} : {note[0]}")
```
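The following is an added example, not code from cve-bin-tool or from the comments above. It puts together the two ideas in this thread: @terriko's "archive -> path inside archive" rendering for a single location column, and the numbered "(see below)" notes for paths longer than 45 characters from the snippet above. The function names, the `-` marker for "not inside an archive" (as the current output prints it), and the sample rows (a firmware image with two different libssl versions, the case @ffontaine described) are constructed for the example.

```python
# Added example: one "location" column plus numbered notes for long paths.
# Not cve-bin-tool's code; names and sample data are constructed.

MAX_PATH_DISPLAY = 45  # same threshold as the proposal in the thread
ARCHIVE_SEPARATOR = " -> "  # separator suggested in the thread (assumption)


def render_location(root, filename):
    """Combine the on-disk path and the in-archive path into one string.

    root: the file on disk, or the archive on disk when the component was
          found inside an archive.
    filename: the path inside the archive, or "-" when the component was a
          plain file (the marker the current output uses).
    """
    if filename in (None, "", "-"):
        return root
    return f"{root}{ARCHIVE_SEPARATOR}{filename}"


def footnote_long_paths(rows, max_len=MAX_PATH_DISPLAY):
    """Return (display_rows, notes).

    display_rows: (vendor, product, version, location) with long locations
                  replaced by "Path N (see below)".
    notes: the full locations, indexed by N, deduplicated so the same file
           reported for several CVEs gets one note.
    """
    notes = []
    display_rows = []
    for vendor, product, version, root, filename in rows:
        location = render_location(root, filename)
        if len(location) > max_len:
            if location not in notes:
                notes.append(location)
            shown = f"Path {notes.index(location)} (see below)"
        else:
            shown = location
        display_rows.append((vendor, product, version, shown))
    return display_rows, notes


def format_notes(notes):
    """Lines to print under the table, one per long path."""
    return [f"Path {i} : {location}" for i, location in enumerate(notes)]


# Constructed sample: a plain file plus a firmware image holding two
# different libssl versions (same basename, different directories).
SAMPLE_ROWS = [
    ("sudo_project", "sudo", "1.9.5p2", "/usr/sbin/sudo_logsrvd", "-"),
    ("openssl", "openssl", "1.1.1k", "/firmware/rootfs.squashfs",
     "/usr/lib/libssl.so.1.1"),
    ("openssl", "openssl", "1.0.2u", "/firmware/rootfs.squashfs",
     "/opt/vendor/lib/libssl.so.1.0.0"),
    # second CVE reported for the same file: must reuse note 0
    ("openssl", "openssl", "1.1.1k", "/firmware/rootfs.squashfs",
     "/usr/lib/libssl.so.1.1"),
]


if __name__ == "__main__":
    rows, notes = footnote_long_paths(SAMPLE_ROWS)
    for row in rows:
        print(" | ".join(row))
    print()
    for line in format_notes(notes):
        print(line)
```

Keying the notes on the rendered location rather than on the pair `[path_name, path_type]` means the note list stays short even when one archived file carries several CVEs, and the reader can still tell the two libssl copies apart because the in-archive directory survives in the note.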

Thanks, should I close this PR and let you open a new one with your proposal?
Finally, I decided to update this PR with your proposal. It should be noted that I didn't update the PDF display, which is "broken" for any "long" filename or path (e.g. bash_4.4.18-2ubuntu1_amd64.deb is too long).
Updating this branch so it can take advantage of the CI fixes done last week. I'm expecting we might need a couple of test updates with the display changes and this is hopefully the easy way for me to see what those need to be.
I screwed up this PR, I'll open a new one.
I opened PR #1910; if you pass the physical argument to pdftotext, it will keep the original layout and not put the new columns at the end of the list.