Merge branch 'main' into split-curl-libcurl

.github/workflows/codeql-analysis.yml

@@ -42,7 +42,7 @@ jobs:
 
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+      uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
       with:
         egress-policy: audit
 
@@ -51,7 +51,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@0ba4244466797eb048eb91a6cd43d5c03ca8bd05 # v2.21.2
+      uses: github/codeql-action/init@5b6282e01c62d02e720b81eb8a51204f527c3624 # v2.21.3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -76,4 +76,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@0ba4244466797eb048eb91a6cd43d5c03ca8bd05 # v2.21.2
+      uses: github/codeql-action/analyze@5b6282e01c62d02e720b81eb8a51204f527c3624 # v2.21.3

.github/workflows/coverity.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+      uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
       with:
         egress-policy: audit
 

.github/workflows/cve_scan.yml

@@ -15,7 +15,7 @@ jobs:
     timeout-minutes: 10
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
         with:
           egress-policy: audit
 

.github/workflows/dependency-review.yml

@@ -17,11 +17,11 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
         with:
           egress-policy: audit
 
       - name: 'Checkout Repository'
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@1360a344ccb0ab6e9475edef90ad2f46bf8003b1 # v3.0.6
+        uses: actions/dependency-review-action@7d90b4f05fea31dde1c4a1fb3fa787e197ea93ab # v3.0.7

.github/workflows/export_data.yml

@@ -26,7 +26,7 @@ jobs:
 
     steps: 
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
         with:
           egress-policy: audit
 

.github/workflows/formatting.yml

@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
         with:
           egress-policy: audit
 

.github/workflows/linting.yml

@@ -20,7 +20,7 @@ jobs:
         tool: ['isort', 'black', 'pyupgrade', 'flake8', 'bandit', 'gitlint', 'mypy']
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
         with:
           egress-policy: audit
 

.github/workflows/sbom.yml

@@ -21,7 +21,7 @@ jobs:
         python: ['3.8', '3.9', '3.10', '3.11']
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
         with:
           egress-policy: audit
 

.github/workflows/scorecard.yml

@@ -22,7 +22,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
         with:
           egress-policy: audit
 

.github/workflows/spelling.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+      uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
       with:
         egress-policy: audit
 

.github/workflows/testing.yml

@@ -26,7 +26,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
         with:
           egress-policy: audit
 
@@ -56,7 +56,7 @@ jobs:
     timeout-minutes: 60
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
         with:
           egress-policy: audit
 
@@ -126,7 +126,7 @@ jobs:
       LONG_TESTS: 1
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
         with:
           egress-policy: audit
 
@@ -223,7 +223,7 @@ jobs:
       EXTERNAL_SYSTEM: 1
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
         with:
           egress-policy: audit
 
@@ -317,7 +317,7 @@ jobs:
       PYTHONIOENCODING: 'utf8'
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
         with:
           egress-policy: audit
 
@@ -387,7 +387,7 @@ jobs:
       PYTHONIOENCODING: 'utf8'
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
         with:
           egress-policy: audit
 

.github/workflows/update-cache.yml

@@ -22,7 +22,7 @@ jobs:
     timeout-minutes: 60
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
         with:
           egress-policy: audit
 

.github/workflows/update-js-dependencies.yml

@@ -22,7 +22,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
         with:
           egress-policy: audit
 

.github/workflows/update-pre-commit.yml

@@ -22,7 +22,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
         with:
           egress-policy: audit
 

.github/workflows/update-spdx-header.yml

@@ -23,7 +23,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
         with:
           egress-policy: audit
 

cve_bin_tool/checkers/__init__.py

@@ -34,6 +34,7 @@
     "bro",
     "bubblewrap",
     "busybox",
+    "bwm_ng",
     "bzip2",
     "c_ares",
     "capnproto",
@@ -52,6 +53,7 @@
     "curl",
     "cvs",
     "darkhttpd",
+    "dav1d",
     "davfs2",
     "dbus",
     "dhclient",
@@ -133,6 +135,7 @@
     "libarchive",
     "libass",
     "libbpg",
+    "libcoap",
     "libconfuse",
     "libcurl",
     "libdb",

cve_bin_tool/checkers/bwm_ng.py

@@ -0,0 +1,20 @@
+# Copyright (C) 2023 Orange
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+
+"""
+CVE checker for bwm-ng:
+
+https://www.cvedetails.com/product/113242/Bwm-ng-Project-Bwm-ng.html?vendor_id=26951
+
+"""
+from __future__ import annotations
+
+from cve_bin_tool.checkers import Checker
+
+
+class BwmNgChecker(Checker):
+    CONTAINS_PATTERNS: list[str] = []
+    FILENAME_PATTERNS: list[str] = []
+    VERSION_PATTERNS = [r"bwm-ng v([0-9]+\.[0-9]+\.[0-9]+)"]
+    VENDOR_PRODUCT = [("bwm-ng_project", "bwm-ng")]

cve_bin_tool/checkers/dav1d.py

@@ -0,0 +1,20 @@
+# Copyright (C) 2023 Orange
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+
+"""
+CVE checker for dav1d:
+
+https://www.cvedetails.com/product/139658/Videolan-Dav1d.html?vendor_id=5842
+
+"""
+from __future__ import annotations
+
+from cve_bin_tool.checkers import Checker
+
+
+class Dav1DChecker(Checker):
+    CONTAINS_PATTERNS: list[str] = []
+    FILENAME_PATTERNS: list[str] = []
+    VERSION_PATTERNS = [r"([0-9]+\.[0-9]+\.[0-9]+)[A-Za-z0-9 '.()%,:\r\n\/\-]*dav1d"]
+    VENDOR_PRODUCT = [("videolan", "dav1d")]

cve_bin_tool/checkers/libcoap.py

@@ -0,0 +1,20 @@
+# Copyright (C) 2023 Orange
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+
+"""
+CVE checker for libcoap:
+
+https://www.cvedetails.com/product/143502/Libcoap-Libcoap.html?vendor_id=31037
+
+"""
+from __future__ import annotations
+
+from cve_bin_tool.checkers import Checker
+
+
+class LibcoapChecker(Checker):
+    CONTAINS_PATTERNS: list[str] = []
+    FILENAME_PATTERNS: list[str] = []
+    VERSION_PATTERNS = [r"libcoap ([0-9]+\.[0-9]+\.[0-9]+)"]
+    VENDOR_PRODUCT = [("libcoap", "libcoap")]

cve_bin_tool/output_engine/__init__.py

@@ -89,7 +89,8 @@ def output_csv(
     # Trim any leading -, =, +, @, tab or CR to avoid excel macros
     for cve_entry in formatted_output:
         for key, value in cve_entry.items():
-            cve_entry[key] = value.strip("-=+@\t\r")
+            if key != "metric":
+                cve_entry[key] = value.strip("-=+@\t\r")
     fieldnames = [
         "vendor",
         "product",
@@ -100,6 +101,8 @@ def output_csv(
         "source",
         "cvss_version",
         "cvss_vector",
+        "epss_probability",
+        "epss_percentile",
         "paths",
         "remarks",
         "comments",

cve_bin_tool/output_engine/console.py

@@ -104,6 +104,12 @@ def _output_console_nowrap(
     # group cve_data by its remarks and separately by paths
     for product_info, cve_data in all_cve_data.items():
         for cve in cve_data["cves"]:
+            propability = "-"
+            percentile = "-"
+            for metric, field in cve.metric.items():
+                if metric == "EPSS":
+                    propability = str(round(field[0] * 100, 4))
+                    percentile = str(field[1])
             cve_by_remarks[cve.remarks].append(
                 {
                     "vendor": product_info.vendor,
@@ -114,6 +120,8 @@ def _output_console_nowrap(
                     "severity": cve.severity,
                     "score": cve.score,
                     "cvss_version": cve.cvss_version,
+                    "epss_propability": propability,
+                    "epss_percentile": percentile,
                 }
             )
             path_elements = ", ".join(filter(None, cve_data["paths"]))
@@ -149,6 +157,8 @@ def _output_console_nowrap(
         table.add_column("Source")
         table.add_column("Severity")
         table.add_column("Score (CVSS Version)")
+        table.add_column("EPSS propability")
+        table.add_column("EPSS percentile")
         if affected_versions != 0:
             table.add_column("Affected Versions")
 
@@ -168,6 +178,8 @@ def _output_console_nowrap(
                 Text.styled(cve_data["source"], color),
                 Text.styled(cve_data["severity"], color),
                 Text.styled(cvss_text, color),
+                Text.styled(cve_data["epss_propability"], color),
+                Text.styled(cve_data["epss_percentile"], color),
             ]
             if affected_versions != 0:
                 cells.append(Text.styled(cve_data["affected_versions"], color))

cve_bin_tool/output_engine/util.py

@@ -128,6 +128,8 @@ def format_output(
                             "severity": "LOW",
                             "score": "1.2",
                             "cvss_version": "2",
+                            "epss_probability": "1.23",
+                            "epss_percentile": "0.342",
                             "paths": "",
                             "remarks": "NewFound",
                             "comments": "",
@@ -140,6 +142,13 @@ def format_output(
         for cve in cve_data["cves"]:
             if isinstance(cve, str):
                 continue
+            # If EPSS values are not available for a given CVE, assign them a value of "-"
+            propability = "-"
+            percentile = "-"
+            for metric, field in cve.metric.items():
+                if metric == "EPSS":
+                    propability = round(field[0] * 100, 4)
+                    percentile = field[1]
             details = {
                 "vendor": product_info.vendor,
                 "product": product_info.product,
@@ -150,6 +159,9 @@ def format_output(
                 "source": cve.data_source,
                 "cvss_version": str(cve.cvss_version),
                 "cvss_vector": cve.cvss_vector,
+                # converting epss score (probability) 0-1 to 0-100
+                "epss_probability": str(propability),
+                "epss_percentile": str(percentile),
                 "paths": ", ".join(cve_data["paths"]),
                 "remarks": cve.remarks.name,
                 "comments": cve.comments,