Hello everyone!
I am Niraj Kamdar, a third year undergraduate at DA-IICT, India. I will be working on the CVE Binary Tool under the umbrella of the Python Software Foundation.
What is the CVE Binary Tool?
The CVE Binary Tool scans for a number of common open source components (openssl, libpng, libxml2, expat, etc.) that have had vulnerabilities, and tells you whether a given directory or binary file includes a version of one of those libraries with known vulnerabilities.
How does it work?
We have a checker for each supported open source library. A checker looks at the strings found in a binary file, checks whether they contain strings unique to that library, and tries to work out which version of the library is present. The scanner module recursively walks the given directory, extracts the strings from every binary file it finds, and passes them to each checker; the checkers that match report the vendor, product and version back to the scanner. The scanner then looks those up in a local copy of the NVD database and reports every vulnerability associated with that product and version. Several output formats are supported: JSON, CSV and a nicely formatted console report.
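To make the pipeline concrete, here is an added example (my own illustrative code, not the tool's source): a pure-Python string extractor, a checker base class driven by class attributes, two checkers for openssl and libpng, and a lookup against a tiny constructed stand-in for the local NVD copy. The attribute names (CONTAINS_PATTERNS, VERSION_PATTERNS, VENDOR_PRODUCT), the sample bytes and the one-entry database are assumptions made for this example; the only CVE in it, CVE-2014-0160 (Heartbleed), is real and affects OpenSSL 1.0.1 through 1.0.1f.

```python
"""Added illustration of the scan pipeline; not cve-bin-tool's own code."""
from __future__ import annotations

import re
from typing import Iterable


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Pure-Python stand-in for `strings`: every run of >= min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


class Checker:
    """A checker is only class attributes; the base class does the matching (assumed names)."""

    CONTAINS_PATTERNS: list[str] = []            # regexes that only this library's binaries contain
    VERSION_PATTERNS: list[str] = []             # regexes whose group 1 captures the version
    VENDOR_PRODUCT: list[tuple[str, str]] = []   # (vendor, product) pairs as keyed in the CVE database

    def get_version(self, lines: Iterable[str]) -> dict | None:
        lines = list(lines)
        # No unique string -> this library is not in the binary.
        if not any(re.search(p, s) for p in self.CONTAINS_PATTERNS for s in lines):
            return None
        # Library found but version string stripped or mangled -> report UNKNOWN, not nothing.
        version = next(
            (m.group(1) for p in self.VERSION_PATTERNS for s in lines if (m := re.search(p, s))),
            "UNKNOWN",
        )
        return {"version": version, "vendor_product": self.VENDOR_PRODUCT}


class OpenSSLChecker(Checker):
    CONTAINS_PATTERNS = [r"OpenSSL \d+\.\d+\.\d+[a-z]?"]
    VERSION_PATTERNS = [r"OpenSSL (\d+\.\d+\.\d+[a-z]?)"]
    VENDOR_PRODUCT = [("openssl", "openssl")]


class LibpngChecker(Checker):
    CONTAINS_PATTERNS = [r"libpng version \d+\.\d+\.\d+"]
    VERSION_PATTERNS = [r"libpng version (\d+\.\d+\.\d+)"]
    VENDOR_PRODUCT = [("libpng", "libpng")]


CHECKERS = [OpenSSLChecker(), LibpngChecker()]

# Constructed stand-in for the local NVD copy. Its single entry is real: CVE-2014-0160
# (Heartbleed) affects OpenSSL 1.0.1 through 1.0.1f. libpng 1.6.37 is deliberately absent.
LOCAL_CVE_DB = {("openssl", "openssl", "1.0.1f"): ["CVE-2014-0160"]}


def scan_binary(data: bytes, checkers=CHECKERS) -> list[tuple[str, str, str]]:
    """What the scanner does per file: strings -> every checker -> (vendor, product, version)."""
    lines = extract_strings(data)
    findings = []
    for checker in checkers:
        result = checker.get_version(lines)
        if result:
            findings += [(v, p, result["version"]) for v, p in result["vendor_product"]]
    return findings


def find_cves(findings, db=LOCAL_CVE_DB) -> dict[tuple[str, str, str], list[str]]:
    """Look each finding up in the local database; an empty list means no known CVE for it."""
    return {f: db.get(f, []) for f in findings}


# Constructed sample "binary": ELF magic, some non-printable bytes, and two version strings.
FAKE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"\x48\x89\xe5\x00" * 4
    + b"OpenSSL 1.0.1f 6 Jan 2014\x00"
    + b"\x01\x02"
    + b"libpng version 1.6.37 - April 14, 2019\x00"
    + b"ab\x00"  # two characters: too short to count as a string
)

if __name__ == "__main__":
    for finding, cves in find_cves(scan_binary(FAKE_BINARY)).items():
        print(finding, cves or "no CVEs in local DB")
```

Running it prints the openssl finding with CVE-2014-0160 and the libpng finding with no hit. Note the distinction the base class makes: a missing unique string means "not present", while a present library with an unparseable version is reported as UNKNOWN so it is not silently dropped.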
What did I do in Community Bonding Period?
I have fixed several bugs (like stale egg info, extractor bugs on Windows, etc.), written a faster native Python solution to replace the C strings extension module, and refactored the whole checkers module to use an object-oriented approach to reduce code repetition. Previously, we had to write several functions when creating a checker; now all we need to do is write 5 class attributes. If you want to learn more about how to write a checker, check out our contributing checker guidelines.
I also had video conference meetings with my mentors every week on Wednesday, where we discussed the project's design and implementation aspects. Since my project involves adding concurrency to the CVE Binary Tool, I was studying the asyncio and concurrent.futures modules during this time. My mentor also helped me and recommended a few articles.
What am I doing this week?
I will be working on removing the compiler dependency of test_scanner, which is part of my GSoC project. I started 3-4 days early and have already finished the first task of this week, which was splitting the cli.py module into cli.py and scanner.py.
Have I got stuck anywhere?
While I was working on the issue of removing the compiler dependency of test_scanner, I came to know that I also have to add some binary strings that a compiler normally adds, because we are using the file utility to check whether the file we are scanning is a binary, and it isn't currently flagging the file generated by me as a binary file due to the lack of signatures that can normally be found in a binary file. I have mentioned this problem to my mentors and I guess they will reply soon. Meanwhile, I will look into this myself.
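The signatures `file` looks for first are magic bytes at the start of the file (\x7fELF for ELF, MZ for PE), which a fixture made only of text strings lacks. As an added example (not the project's code), the following builds a compiler-free test binary by prepending a minimal, well-formed 64-byte ELF64 header to the strings the checkers need, alongside a small magic-based check of the kind libmagic performs first. The header layout and constants come from the ELF64 specification; the `file_says` helper asks the real `file` utility when it is installed, so the result can be confirmed locally rather than taken on trust.

```python
"""Added illustration of why `file` rejects a text-only fixture and how to fix it; not the project's code."""
from __future__ import annotations

import shutil
import struct
import subprocess
import tempfile

# Leading magic bytes libmagic keys on; a text-only fixture starts with none of them.
MAGIC = {
    b"\x7fELF": "ELF",
    b"MZ": "PE (DOS/Windows executable)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
}


def is_binary(data: bytes) -> bool:
    """Coarse version of the check `file` performs first: is there a known executable magic?"""
    return any(data.startswith(magic) for magic in MAGIC)


def elf64_header() -> bytes:
    """Minimal well-formed 64-byte ELF64 header (x86-64, little-endian, ET_EXEC), per the ELF64 spec."""
    # e_ident: magic, ELFCLASS64, ELFDATA2LSB, EV_CURRENT, ELFOSABI_SYSV, then padding.
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    return struct.pack(
        "<16sHHIQQQIHHHHHH",
        e_ident,
        2,        # e_type    = ET_EXEC
        0x3E,     # e_machine = EM_X86_64
        1,        # e_version = EV_CURRENT
        0, 0, 0,  # e_entry, e_phoff, e_shoff: no code, no program or section headers
        0,        # e_flags
        64,       # e_ehsize
        0, 0, 0, 0, 0,  # e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    )


def fake_binary(strings: list[str]) -> bytes:
    """A compiler-free test fixture: real-looking header, then the NUL-terminated strings checkers need."""
    return elf64_header() + b"".join(s.encode() + b"\x00" for s in strings)


def file_says(data: bytes) -> str | None:
    """Ask the real `file` utility about the bytes, or return None when it is not installed."""
    exe = shutil.which("file")
    if exe is None:
        return None
    with tempfile.NamedTemporaryFile() as tmp:  # on Windows use delete=False and reopen instead
        tmp.write(data)
        tmp.flush()
        return subprocess.run([exe, "-b", tmp.name], capture_output=True, text=True).stdout.strip()


if __name__ == "__main__":
    text_only = b"OpenSSL 1.0.1f 6 Jan 2014\x00"      # constructed: what a strings-only fixture looks like
    with_header = fake_binary(["OpenSSL 1.0.1f 6 Jan 2014"])
    print("text only  :", is_binary(text_only), file_says(text_only))
    print("with header:", is_binary(with_header), file_says(with_header))
```

The text-only bytes fail the magic check (and `file` reports them as plain data or text), while the same strings behind the 64-byte header pass it and `file` classifies the result as ELF; the version strings sit at a fixed offset after the header, so the checkers still find them unchanged.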