bug: HTML report generator fails due to unknown severity
Description
HTML report generator fails due to unknown severity "HIGH-EXPLOIT"
To reproduce
Steps to reproduce the behaviour:
- Scan using this command: cve-bin-tool -S critical -S high --detailed -l info --affected-versions --exploits mac_build/theapp.app -f json,html -o mac_build/vulnerability
Expected behaviour: HTML report is generated correctly
Actual behaviour: HTML report generation fails due to unexpected severity
Version/platform info
Version of CVE-bin-tool (e.g. output of cve-bin-tool --version): 3.3
Installed from pypi or github? pypi
Operating system: macOS
Python version (e.g. python3 --version): Python 3.10
Running in any particular CI environment we should know about? Gitlab
Anything else?
Relevant vulnerability.json snippet
{
    "vendor": "webmproject",
    "product": "libvpx",
    "version": "1.11.0",
    "cve_number": "CVE-2023-5217",
    "severity": "HIGH-EXPLOIT",
    "score": "8.8",
    "source": "NVD",
    "cvss_version": "3",
    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
    "paths": "[redacted]/MacOS/ffmpeg",
    "remarks": "NewFound",
    "comments": "",
    "description": "Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)",
    "affected_versions": "< 1.13.1"
},
cve-bin-tool callstack
INFO cve_bin_tool.OutputEngine - HTML report stored at /Users/gitlabrunner/builds/Ln3Astbb/0/git/luxion/mac_build/vulnerability.html    __init__.py:1029
╭───────────────────── Traceback (most recent call last) ──────────────────────╮
│ /Users/gitlabrunner/.ci-python-venv/bin/cve-bin-tool:8 in <module> │
│ │
│ 5 from cve_bin_tool.cli import main │
│ 6 if __name__ == '__main__': │
│ 7 │ sys.argv[0] = re.sub(r'(-script\.pyw|\.exe)?$', '', sys.argv[0]) │
│ ❱ 8 │ sys.exit(main()) │
│ 9 │
│ │
│ /Users/gitlabrunner/.ci-python-venv/lib/python3.10/site-packages/cve_bin_too │
│ l/cli.py:1103 in main │
│ │
│ 1100 │ │ ) │
│ 1101 │ │ │
│ 1102 │ │ if not args["quiet"]: │
│ ❱ 1103 │ │ │ output.output_file_wrapper(output_formats) │
│ 1104 │ │ │ if args["backport_fix"] or args["available_fix"]: │
│ 1105 │ │ │ │ distro_info = args["backport_fix"] or args["available │
│ 1106 │ │ │ │ is_backport = True if args["backport_fix"] else False │
│ │
│ /Users/gitlabrunner/.ci-python-venv/lib/python3.10/site-packages/cve_bin_too │
│ l/output_engine/__init__.py:977 in output_file_wrapper │
│ │
│ 974 │ def output_file_wrapper(self, output_types=["console"]): │
│ 975 │ │ """Call output_file method for all output types.""" │
│ 976 │ │ for output_type in output_types: │
│ ❱ 977 │ │ │ self.output_file(output_type) │
│ 978 │ │
│ 979 │ def output_file(self, output_type="console"): │
│ 980 │ │ """Generate a file for list of CVE""" │
│ │
│ /Users/gitlabrunner/.ci-python-venv/lib/python3.10/site-packages/cve_bin_too │
│ l/output_engine/__init__.py:1037 in output_file │
│ │
│ 1034 │ │ │ │ self.output_cves(f, output_type) │
│ 1035 │ │ else: │
│ 1036 │ │ │ with open(self.filename, "w", encoding="utf8") as f: │
│ ❱ 1037 │ │ │ │ self.output_cves(f, output_type) │
│ 1038 │ │
│ 1039 │ def check_file_path(self, filepath: str, output_type: str, prefix │
│ 1040 │ │ """Generate a new filename if file already exists.""" │
│ │
│ /Users/gitlabrunner/.ci-python-venv/lib/python3.10/site-packages/cve_bin_too │
│ l/output_engine/__init__.py:752 in output_cves │
│ │
│ 749 │ │ │ │ self.metrics, │
│ 750 │ │ │ ) │
│ 751 │ │ elif output_type == "html": │
│ ❱ 752 │ │ │ output_html( │
│ 753 │ │ │ │ self.all_cve_data, │
│ 754 │ │ │ │ self.all_cve_version_info, │
│ 755 │ │ │ │ self.scanned_dir, │
│ │
│ /Users/gitlabrunner/.ci-python-venv/lib/python3.10/site-packages/cve_bin_too │
│ l/output_engine/html.py:279 in output_html │
│ │
│ 276 │ │ │ cve_remarks["NOT AFFECTED"] += len(cve_by_remark[Remarks.N │
│ 277 │ │ │ │
│ 278 │ │ │ for cve in cve_data["cves"]: │
│ ❱ 279 │ │ │ │ cve_severity[cve.severity] += 1 │
│ 280 │ │ │ │
│ 281 │ │ │ # hid is unique for each product │
│ 282 │ │ │ if product_info.vendor != "UNKNOWN": │
╰──────────────────────────────────────────────────────────────────────────────╯
KeyError: 'HIGH-EXPLOIT'
I'm not sure if this is related to our other severity bug (fix is in code review) or if it's due to the fact that there's an expectation of the value being "high, medium, low" (as in, "high-exploit" isn't a valid severity), but we should definitely handle this more gracefully. Thanks for letting us know!
Hi again, thanks for getting back to me.
Just some more info FYI, the issue disappeared when I removed the --exploits flag, so it seems to be related to that.
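The failure at html.py:279 is a counter dict pre-seeded with the expected severity labels, so any label outside that set raises KeyError. The example below, added here and not cve-bin-tool's own code, reproduces that pattern beside a tolerant version that splits the "-EXPLOIT" suffix off (assuming, as the snippet and the follow-up suggest, that --exploits appends it to the severity) and maps anything else to UNKNOWN. BASE_SEVERITIES, normalize_severity, count_severities and the CVE class are assumed names, not the project's.

```python
from collections import Counter
from dataclasses import dataclass

# Assumed to mirror the fixed keys behind the KeyError in the traceback.
BASE_SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")
EXPLOIT_SUFFIX = "-EXPLOIT"  # suffix seen with --exploits ("HIGH-EXPLOIT")

@dataclass
class CVE:
    cve_number: str
    severity: str

def count_severities_strict(cves):
    """Failing pattern: pre-seeded dict, unknown label raises KeyError."""
    counts = {s: 0 for s in BASE_SEVERITIES}
    for cve in cves:
        counts[cve.severity] += 1   # KeyError: 'HIGH-EXPLOIT'
    return counts

def normalize_severity(raw):
    """Split 'HIGH-EXPLOIT' into ('HIGH', True); anything not in
    BASE_SEVERITIES becomes 'UNKNOWN' instead of crashing the report."""
    value = (raw or "").strip().upper()
    has_exploit = value.endswith(EXPLOIT_SUFFIX)
    if has_exploit:
        value = value[: -len(EXPLOIT_SUFFIX)]
    if value not in BASE_SEVERITIES:
        value = "UNKNOWN"
    return value, has_exploit

def count_severities(cves):
    """Tolerant version: count by base severity and, separately, how many
    of each base severity carry a known exploit. Never raises on new labels."""
    counts = Counter({s: 0 for s in BASE_SEVERITIES})
    exploitable = Counter()
    for cve in cves:
        base, has_exploit = normalize_severity(cve.severity)
        counts[base] += 1
        if has_exploit:
            exploitable[base] += 1
    return dict(counts), dict(exploitable)

# Constructed sample; the first entry mirrors the vulnerability.json snippet.
SAMPLE = [
    CVE("CVE-2023-5217", "HIGH-EXPLOIT"),
    CVE("CVE-0000-0001", "HIGH"),
    CVE("CVE-0000-0002", "critical"),
    CVE("CVE-0000-0003", "weird"),
]
```

Running count_severities(SAMPLE) yields {"CRITICAL": 1, "HIGH": 2, "MEDIUM": 0, "LOW": 0, "UNKNOWN": 1} plus {"HIGH": 1} for the exploitable subset, while count_severities_strict(SAMPLE) raises the same KeyError as the report.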