imsahil007's Blog

Week 2: Merging Intermediate Reports using cli

imsahil007
Published: 06/17/2021

What did you do this week?
I worked on saving intermediate reports along with some metadata and later merging them. This will improve the triage and tracking of reports from different end-users. The structure of these new intermediate reports looks like this:
{
    "metadata": {
        "timestamp": "2021-06-17.00-00-30",
        "tag": "backend",
        "scanned_dir": "/home/path/",
        "products_with_cve": 139,
        "products_without_cve": 2,
        "total_files": 49
    },
    "report": [
        {
            "vendor": "gnu",
            "product": "gcc",
            "version": "9.0.1",
            "cve_number": "CVE-2019-15847",
            "severity": "HIGH",
            "score": "7.5",
            "cvss_version": "3",
            "paths": "/home/path/glib.tar.gz,/home/path/gcc.tar.gz",
            "remarks": "NewFound",
            "comments": ""
        }
    ]
}
I have added 3 parameters to the cve-bin-tool CLI for this:
  • -a INTERMEDIATE_PATH, --append INTERMEDIATE_PATH : This will create intermediate reports on current scans and save them in `INTERMEDIATE_PATH`
  • -t TAG, --tag TAG : This will add a unique tag in intermediate reports so that users can differentiate between multiple intermediate reports.
  • -m INTERMEDIATE_REPORTS, --merge INTERMEDIATE_REPORTS : This will take a list of comma-separated paths and merge them. Users can use this along with `-f --format` and `-o --output-file` to get output in other formats.
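The merge that `-m --merge` performs over reports in the structure above, as an added example that is not cve-bin-tool's own code: the two sample reports are constructed (CVE-0000-0000 is a placeholder identifier), and the merge rule used here (union the paths of identical findings, keep the newest scan's remarks and comments, recount affected products) is an assumption about sensible behaviour, not the tool's documented one.

```python
import json
# Two constructed intermediate reports in the structure shown above; neither is
# real scan output, and CVE-0000-0000 is a placeholder identifier.
REPORT_A = {
    "metadata": {"timestamp": "2021-06-17.00-00-30", "tag": "backend", "scanned_dir": "/home/path/",
                 "products_with_cve": 1, "products_without_cve": 0, "total_files": 2},
    "report": [{"vendor": "gnu", "product": "gcc", "version": "9.0.1", "cve_number": "CVE-2019-15847",
                "severity": "HIGH", "score": "7.5", "cvss_version": "3",
                "paths": "/home/path/gcc.tar.gz", "remarks": "NewFound", "comments": ""}],
}
REPORT_B = {
    "metadata": {"timestamp": "2021-06-17.01-10-00", "tag": "frontend", "scanned_dir": "/srv/web/",
                 "products_with_cve": 2, "products_without_cve": 1, "total_files": 3},
    "report": [{"vendor": "gnu", "product": "gcc", "version": "9.0.1", "cve_number": "CVE-2019-15847",
                "severity": "HIGH", "score": "7.5", "cvss_version": "3",
                "paths": "/srv/web/glib.tar.gz", "remarks": "Confirmed", "comments": "ticket #123"},
               {"vendor": "expat", "product": "expat", "version": "2.2.0", "cve_number": "CVE-0000-0000",
                "severity": "MEDIUM", "score": "5.0", "cvss_version": "3",
                "paths": "/srv/web/expat.tar.gz", "remarks": "NewFound", "comments": ""}],
}

def merge_intermediate(reports, tag="merged"):
    """Rows sharing (vendor, product, version, cve_number) collapse into one row:
    paths are unioned and remarks/comments come from the most recent scan, so a
    later triage decision wins. "YYYY-MM-DD.HH-MM-SS" timestamps sort as strings."""
    rows = {}
    for rep in sorted(reports, key=lambda r: r["metadata"]["timestamp"]):
        for row in rep["report"]:
            key = (row["vendor"], row["product"], row["version"], row["cve_number"])
            paths = set(row["paths"].split(","))
            if key in rows:
                paths |= set(rows[key]["paths"].split(","))
            paths.discard("")  # an empty "paths" field must not become an empty path
            rows[key] = {**row, "paths": ",".join(sorted(paths))}
    merged = sorted(rows.values(), key=lambda r: (r["vendor"], r["product"], r["version"], r["cve_number"]))
    metas = [r["metadata"] for r in reports]
    return {
        "metadata": {
            "timestamp": max(m["timestamp"] for m in metas),
            "tag": tag,
            "scanned_dir": ",".join(sorted({m["scanned_dir"] for m in metas})),
            "products_with_cve": len({(r["vendor"], r["product"], r["version"]) for r in merged}),
            "products_without_cve": sum(m["products_without_cve"] for m in metas),
            "total_files": sum(m["total_files"] for m in metas),
        },
        "report": merged,
    }

if __name__ == "__main__":
    print(json.dumps(merge_intermediate([REPORT_A, REPORT_B]), indent=4))
```

`products_with_cve` is recounted from the merged rows rather than summed, so a product found in two scans is counted once.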

What is coming up next?
I am going to work on the documentation and testing of the above-added features in the upcoming weeks.
Possible addition of some filters while using the `-m --merge` argument.
A webpage-based utility to merge these intermediate reports rather than using `-m --merge`.

Did you get stuck anywhere?
No

Week 1: Intermediate JSON Reports

imsahil007
Published: 06/07/2021

Hey there! I am Sahil, a second-year MCA student at the University of Hyderabad, India. I will be working with CVE Binary Tool under the umbrella of Python Software Foundation.

About the project
The CVE Binary Tool scans for a number of common, vulnerable open source components such as openssl, libpng, libxml2, and expat to let you know if a given directory or binary file includes common libraries with known vulnerabilities, known as CVEs.

What did I do in the Community Bonding Period?
I have been contributing to CVE Binary Tool for quite some time now. We are planning to use the new NVD API for fetching updated CVE entries. More about this here. So, I researched it and went through the whole documentation. This will help me in the later weeks if we plan to migrate to this API.

What am I doing this week?
I am going to work on a medium to save intermediate reports in JSON format. This will improve the triage and tracking of reports from different end-users. I am planning to add a --append argument which will keep separate copies of these intermediate JSON(s). I have to decide the structure of these intermediate reports and verify if there is an alternative (better) way of saving them.

Have I got stuck anywhere?
Not yet.

Looking forward to this summer! xD