Articles on BreadGenie's Blog

GSoC - Week 11

msuhailbh07@gmail.com (BreadGenie) — Thu, 19 Aug 2021 02:33:16 +0000

GSoC period is over. I'm a bit sad but happy that it happened. I was able to learn a lot and was able to hangout with some of the coolest people I've ever met. Thank you to my mentors (Terri, John, Anthony, Harmandeep and Saurabh) and fellow contributors (Sahil, Harsh and Dmitry Volodin) for helping me out through the whole period.

My eyes may be taking a rest after my LASIK surgery while you are reading this. Probably the longest rest without any screens for my whole life. Excited and a bit nervous of how I will have to handle time without any electronic equipments for a week. Hoping everyone will stay healthy and hydrated.

Until next time
- Bread

GSoC - Week 10

msuhailbh07@gmail.com (BreadGenie) — Thu, 19 Aug 2021 02:26:17 +0000

Hello everyone!

What did you do this week?

Wrote docs for backported fix utility and added explicit distro specification for the same.

What is coming up next?

Improving backported fix utility and extend support to redhat distros.

Did you get stuck anywhere?

No.

GSoC Week - 9

msuhailbh07@gmail.com (BreadGenie) — Wed, 11 Aug 2021 11:14:52 +0000

Semester Exams :/ See ya next week! 👋🏻

GSoC - Week 8

msuhailbh07@gmail.com (BreadGenie) — Wed, 04 Aug 2021 12:31:48 +0000

Hello everyone!

What did you do this week?

I worked on reducing the verbosity of the tool, fixing a bug where the scanner throws error due to the scanned file being not what the tool expects (METADATA file present in python packages) and made checkers for pigz and sane-backends.

What is coming up next?

Improving backported package prompt utility and adding checkers.

Did you get stuck anywhere?

No.

GSoC - Week 7

msuhailbh07@gmail.com (BreadGenie) — Tue, 27 Jul 2021 08:02:15 +0000

Hello everyone!

What did you do this week?

I worked on adding a backported package prompt utility which outputs whether the packages scanned are backported or not and made checkers for open-vm-tools, nano, pscs-lite and poppler.

What is coming up next?

Improving backported package prompt utility and adding checkers.

Did you get stuck anywhere?

No.

GSoC - Week 6

msuhailbh07@gmail.com (BreadGenie) — Wed, 21 Jul 2021 15:41:42 +0000

Hello everyone!

What did you do this week?

I worked on the binary scanner of the CVE Binary Tool and managed to improve the performance by ~60% (Benchmarks) and made checkers for Lua, mdadm, mtr and TrouSerS.

What is coming up next?

Adding backported package prompt utility and adding checkers.

Did you get stuck anywhere?

No.

GSoC - Week 5

msuhailbh07@gmail.com (BreadGenie) — Wed, 14 Jul 2021 05:38:21 +0000

Hello everyone!

What did you do this week?

I have extended the package list parser support for distros using pacman package manager and made checkers for gupnp, kbd, hunspell and kexec-tools.

What is coming up next?

Improving the package list parser utility and adding checkers.

Did you get stuck anywhere?

No.

GSoC - Week 4

msuhailbh07@gmail.com (BreadGenie) — Wed, 07 Jul 2021 06:37:32 +0000

Hello everyone!

What did you do this week?

I have added the package list parser support for distros with dpkg or rpm package manager. Currently the package list parser support is extended to CentOS, Debian, Fedora, OpenSUSE, PopOS!, RedHat Enterprise Linux and Ubuntu. I have made checkers for enscript, cryptsetup, gpgme and cronie.

What is coming up next?

Possibly adding package list parser support for distros using pacman package manager like Manjaro Linux and Arch Linux and add checkers.

Did you get stuck anywhere?

No.

GSoC - Week 3

msuhailbh07@gmail.com (BreadGenie) — Mon, 28 Jun 2021 15:30:34 +0000

Hello everyone!

What did you do this week?

I have almost completed the package list parser for CentOS package lists, since I downloaded the wrong .iso file for Fedora I chose to jump to CentOS (^-^"), and made checkers for ftp, bolt, gnome-shell and accountsservice. The package list parser could potentially work on any systems that use the rpm package manager since I'm using it to fetch the installed packages.

What is coming up next?

Adding package list parser support for Fedora and other distros and add checkers.

Did you get stuck anywhere?

No.

GSoC - Week 2

msuhailbh07@gmail.com (BreadGenie) — Tue, 22 Jun 2021 10:13:40 +0000

Hello everyone!

What did you do this week?

I have almost completed the package list parser for Ubuntu package lists and made checkers for ftp and logrotate and wrote docs for python and ubuntu package list parser. The package list parser will also work on Debian systems since I'm using dpkg-query to fetch the installed packages.

What is coming up next?

Adding package list parser support for Fedora and add checkers.

Did you get stuck anywhere?

No.

GSoC - Week 1

msuhailbh07@gmail.com (BreadGenie) — Tue, 15 Jun 2021 10:49:57 +0000

Hello everyone!

What did you do this week?

I have almost completed the package list parser for python packages and made a checker for dpkg. I have also tried to improve checker support for python packages and hopefully won't hit false positives.

Some insights on why package list parsers are made when we already have checkers

Package list parsers are much faster than the usual scanning with checkers.
Package list parsers takes an input, requiremens.txt, where the package names are listed and then use the pip freeze command to collect the installed python packages to find product name and version values and is then compared with the requirements.txt to filter out the needed packages. Then the vendor values are fetched from a CSV file containing vendor, product values. Finally the vendor, product, version values are used to query the CVE database.
But the the checkers have to scan the files in a package one by one to find the necessary version strings and product name which consumes a lot of time.
Benchmarks
- Using Checkers
- Using Package list parser
That's ~7.3x faster than using checkers. :D (Scanning all my user installed python packages)
Package list parsers can detect more products than checkers
Since package list parser doesn't depend on checkers it can detect more vendor-product pairs than scanning using checkers (but can hit some false positives too, eg: commonmark and zstandard).
Here 4 unique products are scanned while using checkers and 9 unique products (just the products with vendor-product pairs in the CVE database)while using package list parser.

What is coming up next?

Refactoring the parser code for better runtime, writing the docs for parser and adding checkers.

Did you get stuck anywhere?

No.

GSoC - Week 0

msuhailbh07@gmail.com (BreadGenie) — Wed, 09 Jun 2021 14:13:22 +0000

Hello Everyone!
I'm Muhammed Suhail, a pre-final year student at GEC Palakkad.

I'll be working on CVE Binary Tool this summer on adding a tool for the CVE Binary tool that reads a package list (like requirements.txt) and scan for CVEs for the packages in the list which will immensely improve the time for scanning packages compared to binary scans.

What did you do this week?

I worked on implementing the parser specifically for the PyPI packages list, which takes a requirements.txt (for now) file as an input using a -L or --package-list flag and extracts the necessary values for the CVE Binary Tool to check for CVEs under the hood.

What will you be doing for the rest of the week?

I will be further improving the parser for PyPI packages and will be adding the checkers for some of those packages to the CVE Binary Tool.

Did you get stuck anywhere?

Yup, I had a bit of difficulty in understanding pytest parametrization.
Also one of the tests I wrote is unstable for now. So I will be rewriting that after I brainstorm how to make it stable this week.

Looking forward to a fruitful summer with mentors and fellow contributors :D

Articles on BreadGenie's Blog

GSoC - Week 11

GSoC - Week 10

What did you do this week?

What is coming up next?

Did you get stuck anywhere?

GSoC Week - 9

GSoC - Week 8

What did you do this week?

What is coming up next?

Did you get stuck anywhere?

GSoC - Week 7

What did you do this week?

What is coming up next?

Did you get stuck anywhere?

GSoC - Week 6

What did you do this week?

What is coming up next?

Did you get stuck anywhere?

GSoC - Week 5

What did you do this week?

What is coming up next?

Did you get stuck anywhere?

GSoC - Week 4

What did you do this week?

What is coming up next?

Did you get stuck anywhere?

GSoC - Week 3

What did you do this week?

What is coming up next?

Did you get stuck anywhere?

GSoC - Week 2

What did you do this week?

What is coming up next?

Did you get stuck anywhere?

GSoC - Week 1

What did you do this week?

Some insights on why package list parsers are made when we already have checkers

Package list parsers are much faster than the usual scanning with checkers.

Benchmarks

Package list parsers can detect more products than checkers

What is coming up next?

Did you get stuck anywhere?

GSoC - Week 0

What did you do this week?

What will you be doing for the rest of the week?

Did you get stuck anywhere?