I'm Harmandeep Singh, a third-year undergrad in B.Tech CSE at Guru Nanak Dev University, Amritsar, India, and I'll be working with CVE Binary Tool this summer under the umbrella of the Python Software Foundation. My task will be to improve the output of cve-bin-tool and to fix other smaller issues.
What is the CVE Binary Tool?
The CVE Binary Tool scans for a number of common, vulnerable open source components like openssl, libpng, libxml2, expat, etc., to let you know if a given directory or binary file includes common libraries with known vulnerabilities.
How does it work?
We have checkers for popular open source libraries. Each checker contains methods that look at the strings found in a binary file to see if they match certain strings unique to that open source library, and then tries to guess its version. A scanner module recursively scans every binary file in the given directory, extracts the strings from each file and forwards them to every checker. The checkers determine the vendor, product and version and pass them back to the scanner, which then looks into a local copy of the NVD database, finds all the vulnerabilities associated with the given product and displays them. We support many output formats, like JSON, CSV and a nice console format.
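To make the strings-to-checkers-to-NVD flow above concrete, here is a small added example (my own illustration, not code from cve-bin-tool). It assumes constructed sample bytes standing in for a binary, constructed version patterns for three checkers, and a constructed dictionary standing in for the local NVD copy with placeholder CVE ids.

```python
import re

# Constructed stand-in for a scanned binary: printable strings between junk bytes.
# Real checkers run over strings pulled out of actual ELF/PE files.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"OpenSSL 1.0.1e 11 Feb 2013\x00"
    + b"\x89\x10\x07libpng version 1.2.50\x00expat_2.2.9\x00"
    + b"\x00unrelated text\x00"
)

# Constructed stand-in for the local NVD copy: (vendor, product, version) -> CVE ids.
# The ids are placeholders, not real CVE numbers; expat is deliberately absent.
LOCAL_NVD = {
    ("openssl", "openssl", "1.0.1e"): ["CVE-0000-0001", "CVE-0000-0002"],
    ("libpng", "libpng", "1.2.50"): ["CVE-0000-0003"],
}

# One constructed pattern per checker: a string unique to the library plus its version.
CHECKERS = {
    ("openssl", "openssl"): re.compile(r"OpenSSL (\d+\.\d+\.\d+[a-z]?)"),
    ("libpng", "libpng"): re.compile(r"libpng version (\d+\.\d+\.\d+)"),
    ("expat", "expat"): re.compile(r"expat_(\d+\.\d+\.\d+)"),
}


def extract_strings(data, min_len=4):
    """Return runs of printable ASCII, like the `strings` utility does."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def run_checkers(strings):
    """Apply every checker to every string; return (vendor, product, version) hits."""
    found = set()
    for text in strings:
        for (vendor, product), pattern in CHECKERS.items():
            match = pattern.search(text)
            if match:
                found.add((vendor, product, match.group(1)))
    return found


def scan(data):
    """Scanner step: strings -> checkers -> NVD lookup. A detected product with
    no entry in the local database maps to an empty list, not to an error."""
    report = {}
    for triple in sorted(run_checkers(extract_strings(data))):
        report[triple] = LOCAL_NVD.get(triple, [])
    return report


if __name__ == "__main__":
    for (vendor, product, version), cves in scan(SAMPLE_BINARY).items():
        print(f"{vendor}/{product} {version}: {', '.join(cves) or 'no known CVEs'}")
```

The expat entry shows the case the real tool also has to report sensibly: a library is identified with a version, but the local database has nothing for it.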
What did I do in Community Bonding Period?
I know this year is tough for many of us. There were several things that we all wanted to achieve but couldn't due to this pandemic. In this year where everything is changing at a very fast pace and it's hard to predict when this will be over, I wanted to start early so that if anything goes wrong I will have time to figure something out. So, I started working on the HTML report generation process. My first task was to create a template that would describe the structure of the final output. After getting the template design approved by the mentors, I started working on making this base template modular by dividing it into smaller components so that the HTML is easy to maintain. After that my task was to update the database and add the details I needed for the HTML report.
In between all this, I had weekly meetings with the mentors and they guided and approved what I was doing.
What am I doing this week?
I have a few PRs related to the HTML report that need to be merged. This week I'll work on some smaller issues that need to be solved to make the tool consistent. Currently, we are using 'package' for 'product' as well as for 'module', and that creates confusion. After the PRs are merged I'll start working on linking HTML as an output type for cve-bin-tool.
Have I got stuck anywhere?
A few places were challenging, like when I was working on updating the database. As I was not familiar with cvedb.py, it took me some time to make the desired changes. Other smaller problems were easy to fix.