cve-bin-tool
fix: gcc checker does not detect multiple versions in a file
Description
As briefly discussed in #4058 (this comment and further on), it seems like the `gcc` checker only reports the first version it found in a file (`strings` output order-wise). This is not an SBOM library issue as in #4058; it is indeed a lower-level checker part that reports only one version entry.
While preparing this report, I looked at the code and I'm no longer sure this is strictly a bug, as the `get_version()` code for the `Checker` base class does not seem to take this case into account at all. There is some preparation for multiple hits in `VersionScanner.run_checkers()` (lines 262-266 in `version_scanner.py` as of right now), but by quick inspection there's no checker that returns multiple results (certainly not the `gcc` one). So please feel free to reclassify this as a feature request.
I noticed this when running `cve-bin-tool` on a pintool, an analysis program that runs within the Intel Pin binary instrumentation and analysis framework. There's probably a way to create a smaller binary for tests (e.g., linking together several object files produced by different compiler versions), but it was simpler and faster for me to just use the Pin example.
To reproduce
Steps to reproduce the behaviour:
- Download and unpack Intel Pin 3.30: Intel Pin release downloads
- Unpack the downloaded file and `cd` to the `source/tools/MyPinTool` directory within the unpacked one
- Run `make`
- The compilation will produce a `MyPinTool.so` file in the `obj-intel64` subdirectory. A ready-made version is also attached (MyPinTool.tar.gz).
- Note that `strings` shows two GCC versions (the older one is from files linked into `MyPinTool` from Pin's precompiled files, and the newer one is from my host system, Fedora 40):

```
$ strings obj-intel64/MyPinTool.so |grep GNU
GCC: (GNU) 11.2.0
GCC: (GNU) 14.1.1 20240607 (Red Hat 14.1.1-5)
__GNU_EH_FRAME_HDR
```

- Scan the file using `cve-bin-tool`, e.g., like the below, and observe that only one version is reported:
```
$ cve-bin-tool -l debug -d CURL,EPSS,GAD,OSV,PURL2CPE,REDHAT,RSD --offline --disable-validation-check --disable-version-check source/tools/MyPinTool/obj-intel64/MyPinTool.so
<...>
DEBUG cve_bin_tool.VersionScanner - Scanning file: /tmp/pin-3.30-98830-g1d7b601b3-gcc-linux/source/tools/MyPinTool/obj-intel64/MyPinTool.so version_scanner.py:215
INFO cve_bin_tool - filename = /tmp/pin-3.30-98830-g1d7b601b3-gcc-linux/source/tools/MyPinTool/obj-intel64/MyPinTool.so version_scanner.py:256
DEBUG cve_bin_tool.VersionScanner - /tmp/pin-3.30-98830-g1d7b601b3-gcc-linux/source/tools/MyPinTool/obj-intel64/MyPinTool.so contains gcc 11.2.0 version_scanner.py:283
DEBUG cve_bin_tool - ProductInfo(vendor='gnu', product='gcc', version='11.2.0', location='/usr/bin/gcc'): /tmp/pin-3.30-98830-g1d7b601b3-gcc-linux/source/tools/MyPinTool/obj-intel64/MyPinTool.so cli.py:1042
DEBUG cve_bin_tool.CVEScanner - Known CVEs in ProductInfo(vendor='gnu', product='gcc', version='11.2.0', location='/usr/bin/gcc') cve_scanner.py:281
INFO cve_bin_tool.CVEScanner - 1 CVE(s) in gnu.gcc version 11.2.0 cve_scanner.py:285
[19:01:24] DEBUG cve_bin_tool.VersionScanner - Done scanning file: /tmp/pin-3.30-98830-g1d7b601b3-gcc-linux/source/tools/MyPinTool/obj-intel64/MyPinTool.so version_scanner.py:299
INFO cve_bin_tool - Overall CVE summary: cli.py:1069
INFO cve_bin_tool - There are 1 products with known CVEs detected cli.py:1070
INFO cve_bin_tool - Known CVEs in ('gnu.gcc', '11.2.0'): cli.py:1081
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ CVE BINARY TOOL version: 3.3.1dev0 ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
• Report Generated: 2024-06-12 19:01:24
• Time of last update of CVE Data: 2024-06-12 18:34:39
╭─────────────╮
│ CVE SUMMARY │
╰─────────────╯
┏━━━━━━━━━━┳━━━━━━━┓
┃ Severity ┃ Count ┃
┡━━━━━━━━━━╇━━━━━━━┩
│ CRITICAL │ 0 │
│ HIGH │ 0 │
│ MEDIUM │ 1 │
│ LOW │ 0 │
│ UNKNOWN │ 0 │
└──────────┴───────┘
╭─────────────╮
│ CPE SUMMARY │
╰─────────────╯
┏━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━┓
┃ Vendor ┃ Product ┃ Version ┃ Latest Upstream Stable Version ┃ CRITICAL CVEs Count ┃ HIGH CVEs Count ┃ MEDIUM CVEs Count ┃ LOW CVEs Count ┃ UNKNOWN CVEs Count ┃ TOTAL CVEs Count ┃
┡━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━┩
│ gnu │ gcc │ 11.2.0 │ UNKNOWN (offline mode) │ 0 │ 0 │ 1 │ 0 │ 0 │ 1 │
└────────┴─────────┴─────────┴────────────────────────────────┴─────────────────────┴─────────────────┴───────────────────┴────────────────┴────────────────────┴──────────────────┘
╭─────────────────╮
│ NewFound CVEs │
╰─────────────────╯
┏━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━┓
┃ Vendor ┃ Product ┃ Version ┃ CVE Number ┃ Source ┃ Severity ┃ Score (CVSS Version) ┃
┡━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━┩
│ gnu │ gcc │ 11.2.0 │ CVE-2023-4039 │ NVD │ MEDIUM │ 4.8 (v3) │
└────────┴─────────┴─────────┴───────────────┴────────┴──────────┴──────────────────────┘
┏━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┓
┃ Vendor ┃ Product ┃ Version ┃ Root ┃ Filename ┃
┡━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━┩
│ gnu │ gcc │ 11.2.0 │ Root 0 (see below) │ MyPinTool.so │
└────────┴─────────┴─────────┴────────────────────┴──────────────┘
Root 0 : /tmp/pin-3.30-98830-g1d7b601b3-gcc-linux/source/tools/MyPinTool/obj-intel64
╭───────────────────────────────────────────────╮
│ Products with No Identified Vulnerabilities │
╰───────────────────────────────────────────────╯
┏━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━┓
┃ Vendor ┃ Product ┃ Version ┃
┡━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━┩
└────────┴─────────┴─────────┘
```
Expected behaviour: both versions, 11.2.0 and 14.1.1, are detected and reported
Actual behaviour: only the first one is
Version/platform info
- Version of CVE-bin-tool (e.g. output of `cve-bin-tool --version`): current `main` as of commit e9f1ea8c8fdff0cb8e0f25142b39db55adc6556b
- Installed from: Github
- Operating system: Fedora 40
- Python version: 3.12.3
- Running in any particular CI environment we should know about? (e.g. Github Actions): no
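To make the expected behaviour in the report above concrete, here is an added example that is not cve-bin-tool's own code: a small `strings`-style extractor plus two scanners over its output, one that stops at the first `GCC: (GNU) x.y.z` marker (the behaviour the report describes) and one that returns every distinct version in order of first appearance (the behaviour the reporter expects). The sample bytes are constructed to mimic a file linked from objects built by two toolchains, and the marker regex is modelled on the `strings | grep GNU` output quoted in the report, not on cve-bin-tool's actual checker patterns; both are assumptions of this example.

```python
import re
import sys
from typing import List

# Constructed sample: a fake file body carrying the two GCC markers quoted in
# the report, separated by non-printable bytes. This is NOT the real
# MyPinTool.so, just enough structure for the scanners below to work on.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00\x00"
    b"GCC: (GNU) 11.2.0\x00\x00\x01"
    b"_init\x00"
    b"GCC: (GNU) 14.1.1 20240607 (Red Hat 14.1.1-5)\x00\x00"
    b"GCC: (GNU) 11.2.0\x00"  # a second object built with the older toolchain
    b"__GNU_EH_FRAME_HDR\x00"
)

# Assumption: the marker shape follows the `strings | grep GNU` output in the
# report; cve-bin-tool's own gcc checker pattern may differ from this.
GCC_MARKER_RE = re.compile(r"GCC: \(GNU\) (\d+\.\d+\.\d+)")


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return runs of printable ASCII of at least min_len bytes, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def first_gcc_version(lines: List[str]) -> List[str]:
    """The behaviour the report describes: only the first marker seen is returned."""
    for line in lines:
        m = GCC_MARKER_RE.search(line)
        if m:
            return [m.group(1)]
    return []


def all_gcc_versions(lines: List[str]) -> List[str]:
    """Return every distinct GCC version marker, in order of first appearance.

    A file linked from objects built by several toolchains carries one marker
    per object, so repeated versions are common and are collapsed here while
    genuinely different versions are all kept.
    """
    found: List[str] = []
    for line in lines:
        for m in GCC_MARKER_RE.finditer(line):
            version = m.group(1)
            if version not in found:
                found.append(version)
    return found


def scan_file(path: str) -> List[str]:
    """Read a file from disk and report all GCC versions it was built with."""
    with open(path, "rb") as fh:
        return all_gcc_versions(extract_strings(fh.read()))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python gcc_versions.py path/to/binary
        for version in scan_file(sys.argv[1]):
            print(version)
    else:
        lines = extract_strings(SAMPLE_BINARY)
        print("first only:", first_gcc_version(lines))
        print("all       :", all_gcc_versions(lines))
```

Run without arguments to see both scanners over the constructed sample, or pass a path to scan a real binary. A checker that returns the full list is what would let the scanner attribute CVEs to every toolchain version present in a file; the dedup keeps a file built from many objects with the same compiler from being reported repeatedly.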