bug: Offline operation, sqlite checker attempts internet access and results in error

[bufferattack]

Description

completely offline installation errors on sqlite.py file line 34 even when using the --offline argument. Even when trying to skip the checker.

NOTE 1, this is a completely offline installation. cve-bin-tool is temperamental by insisting on having internet access across the installation process even after attempting to use offline downloaded packages. NOTE 2: After installation, nonexistent cache/directories prohibit offline database import (another bug) unless tool is run initially first to build the cache/directories, then import is possible. If you've installed cve-bin-tool online, then you will not be able to duplicate this issue. NOTE 3: Attempting to skip the "sqlite" checker and the error in this submission is still happening. It is probable that the checker is not actually being skipped; this may be another possible bug?

To reproduce

cve-bin-tool --offline -s sqlite /usr/bin/7z

Expected behaviour: no access to internet should be attempted by tool. Actual behaviour: access query is attempted AND error is not handled.

Version/platform info

Version of CVE-bin-tool( e.g. output of cve-bin-tool --version): 3.3 Installed from pypi or github? pip3 Operating system: Linux/Windows (other platforms are unsupported but feel free to report issues anyhow)

• On Linux (or Windows Subsystem for Linux) you can run uname -a kali 2024.2
• On Windows you can run systeminfo | findstr /B /C:"OS Name" /C:"OS Version" Python version (e.g. python3 --version): 3.11.9 Running in any particular CI environment we should know about? (e.g. Github Actions)

Anything else?

┌──(user㉿kali-purple)-[~/…/lib/python3.11/site-packages/cve_bin_tool] └─$ /home/user/.local/bin/cve-bin-tool --offline -s sqlite /usr/bin/7z [14:40:22] INFO cve_bin_tool - CVE Binary Tool v3.3 cli.py:571 INFO cve_bin_tool - This product uses the NVD API but is not endorsed or certified by the NVD. cli.py:572 WARNING cve_bin_tool - Not verifying CVE DB cache cli.py:810 INFO cve_bin_tool.CVEDB - There are 278373 CVE entries in the database cvedb.py:362 INFO cve_bin_tool.CVEDB - There are 260087 CVE entries from NVD in the database cvedb.py:364 INFO cve_bin_tool.CVEDB - There are 18284 CVE entries from REDHAT in the database cvedb.py:364 INFO cve_bin_tool.CVEDB - There are 2 CVE entries from GAD in the database cvedb.py:364 INFO cve_bin_tool.CVEDB - There are 278373 CVE entries in the database cvedb.py:362 INFO cve_bin_tool.CVEDB - There are 260087 CVE entries from NVD in the database cvedb.py:364 INFO cve_bin_tool.CVEDB - There are 18284 CVE entries from REDHAT in the database cvedb.py:364 INFO cve_bin_tool.CVEDB - There are 2 CVE entries from GAD in the database cvedb.py:364 INFO cve_bin_tool - CVE database contains CVEs from National Vulnerability Database (NVD), Open Source Vulnerability cli.py:832 Database (OSV), Gitlab Advisory Database (GAD) and RedHat
INFO cve_bin_tool - CVE database last updated on 16 August 2024 at 14:09:50 cli.py:835 ERROR cve_bin_tool - An error occurred while fetching https://www.sqlite.org/changes.html: util.py:281 HTTPSConnectionPool(host='www.sqlite.org', port=443): Max retries exceeded with url: /changes.html (Caused by
NameResolutionError("<urllib3.connection.HTTPSConnection object at 0x7ff81fc36bd0>: Failed to resolve
'www.sqlite.org' ([Errno -3] Temporary failure in name resolution)"))
╭─────────────────────────────── Traceback (most recent call last) ────────────────────────────────╮ │ /home/user/.local/bin/cve-bin-tool:8 in │ │ │ │ 5 from cve_bin_tool.cli import main │ │ 6 if name == 'main': │ │ 7 │ sys.argv[0] = re.sub(r'(-script.pyw|.exe)?$', '', sys.argv[0]) │ │ ❱ 8 │ sys.exit(main()) │ │ 9 │ │ │ │ /home/user/.local/lib/python3.11/site-packages/cve_bin_tool/cli.py:1012 in main │ │ │ │ 1009 │ │ │ │ │ cve_scanner.get_cves(product_info, triage_data) │ │ 1010 │ │ if args["directory"]: │ │ 1011 │ │ │ sbom_root = args["directory"] │ │ ❱ 1012 │ │ │ version_scanner = VersionScanner( │ │ 1013 │ │ │ │ should_extract=args["extract"], │ │ 1014 │ │ │ │ exclude_folders=args["exclude"], │ │ 1015 │ │ │ │ error_mode=error_mode, │ │ │ │ /home/user/.local/lib/python3.11/site-packages/cve_bin_tool/version_scanner.py:58 in init │ │ │ │ 55 │ │ │ update_egg() │ │ 56 │ │ │ │ 57 │ │ # Load checkers if not given │ │ ❱ 58 │ │ self.checkers = checkers or self.load_checkers() │ │ 59 │ │ self.score = score │ │ 60 │ │ self.total_scanned_files = 0 │ │ 61 │ │ self.exclude_folders = exclude_folders + [".git"] │ │ │ │ /home/user/.local/lib/python3.11/site-packages/cve_bin_tool/version_scanner.py:80 in │ │ load_checkers │ │ │ │ 77 │ @classmethod │ │ 78 │ def load_checkers(cls) -> dict[str, type[Checker]]: │ │ 79 │ │ """Loads CVE checkers""" │ │ ❱ 80 │ │ checkers = dict( │ │ 81 │ │ │ map( │ │ 82 │ │ │ │ lambda checker: (checker.name, checker.load()), │ │ 83 │ │ │ │ importlib_metadata.entry_points().select(group=cls.CHECKER_ENTRYPOINT), │ │ │ │ /home/user/.local/lib/python3.11/site-packages/cve_bin_tool/version_scanner.py:82 in │ │ │ │ 79 │ │ """Loads CVE checkers""" │ │ 80 │ │ checkers = dict( │ │ 81 │ │ │ map( │ │ ❱ 82 │ │ │ │ lambda checker: (checker.name, checker.load()), │ │ 83 │ │ │ │ importlib_metadata.entry_points().select(group=cls.CHECKER_ENTRYPOINT), │ │ 84 │ │ │ ) │ │ 85 │ │ ) │ │ │ │ /usr/lib/python3.11/importlib/metadata/init.py:202 in load │ │ │ │ 199 │ │ return the named object. │ │ 200 │ │ """ │ │ 201 │ │ match = self.pattern.match(self.value) │ │ ❱ 202 │ │ module = import_module(match.group('module')) │ │ 203 │ │ attrs = filter(None, (match.group('attr') or '').split('.')) │ │ 204 │ │ return functools.reduce(getattr, attrs, module) │ │ 205 │ │ │ │ /usr/lib/python3.11/importlib/init.py:126 in import_module │ │ │ │ 123 │ │ │ if character != '.': │ │ 124 │ │ │ │ break │ │ 125 │ │ │ level += 1 │ │ ❱ 126 │ return _bootstrap._gcd_import(name[level:], package, level) │ │ 127 │ │ 128 │ │ 129 _RELOADING = {} │ │ in _gcd_import:1204 │ │ in _find_and_load:1176 │ │ in _find_and_load_unlocked:1147 │ │ in _load_unlocked:690 │ │ in exec_module:940 │ │ in _call_with_frames_removed:241 │ │ │ │ /home/user/.local/lib/python3.11/site-packages/cve_bin_tool/checkers/sqlite.py:50 in │ │ │ │ 47 │ return version_map │ │ 48 │ │ 49 │ │ ❱ 50 class SqliteChecker(Checker): │ │ 51 │ CONTAINS_PATTERNS = [ │ │ 52 │ │ r"unable to open a temporary database file for storing temporary tables", │ │ 53 │ │ r"json_object() requires an even number of arguments", │ │ │ │ /home/user/.local/lib/python3.11/site-packages/cve_bin_tool/checkers/sqlite.py:66 in │ │ SqliteChecker │ │ │ │ 63 │ │ │ 64 │ mapdb = VersionSignatureDb("sqlite", get_version_map, 30) │ │ 65 │ with mapdb: │ │ ❱ 66 │ │ VERSION_MAP = mapdb.get_mapping_data() │ │ 67 │ │ │ 68 │ def guess_contains(self, lines): │ │ 69 │ │ """Tries to determine if a file includes sqlite""" │ │ │ │ /home/user/.local/lib/python3.11/site-packages/cve_bin_tool/version_signature.py:100 in │ │ get_mapping_data │ │ │ │ 97 │ │ │ │ (time.time(),), │ │ 98 │ │ │ ) │ │ 99 │ │ │ │ │ ❱ 100 │ │ │ for mapping in self.mapping_function(): │ │ 101 │ │ │ │ self.cursor.execute( │ │ 102 │ │ │ │ │ f"INSERT INTO {self.table_name} (version, sourceId) VALUES (?, ?)", │ │ 103 │ │ │ │ │ (mapping[0], mapping[1]), │ │ │ │ /home/user/.local/lib/python3.11/site-packages/cve_bin_tool/checkers/sqlite.py:34 in │ │ get_version_map │ │ │ │ 31 │ │ │ 32 │ # timeout = 300s = 5minutes. This is a guess. │ │ 33 │ response = make_http_requests("text", url=changeurl, timeout=300) │ │ ❱ 34 │ lines = response.splitlines() │ │ 35 │ │ │ 36 │ last_version = "UNKNOWN" │ │ 37 │ for line in lines: │ ╰──────────────────────────────────────────────────────────────────────────────────────────────────╯