fix: split curl and libcurl checkers

Fix intel#3173

Signed-off-by: Fabrice Fontaine <fabrice.fontaine@orange.com>

cve_bin_tool/checkers/__init__.py

@@ -135,6 +135,7 @@
     "libass",
     "libbpg",
     "libconfuse",
+    "libcurl",
     "libdb",
     "libebml",
     "libgcrypt",

cve_bin_tool/checkers/curl.py

@@ -27,5 +27,5 @@ class CurlChecker(Checker):
         # r"ignoring --proxy-capath, not supported by libcurl",
     ]
     FILENAME_PATTERNS = [r"curl"]
-    VERSION_PATTERNS = [r"curl[ -/]([678]+\.[0-9]+\.[0-9]+)"]
-    VENDOR_PRODUCT = [("haxx", "curl"), ("haxx", "libcurl")]
+    VERSION_PATTERNS = [r"\r?\ncurl[ -/]([678]+\.[0-9]+\.[0-9]+)"]
+    VENDOR_PRODUCT = [("haxx", "curl")]

cve_bin_tool/checkers/libcurl.py

@@ -0,0 +1,20 @@
+# Copyright (C) 2023 Orange
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+
+"""
+CVE checker for libcurl:
+
+https://www.cvedetails.com/product/25085/Haxx-Libcurl.html?vendor_id=12682
+
+"""
+from __future__ import annotations
+
+from cve_bin_tool.checkers import Checker
+
+
+class LibcurlChecker(Checker):
+    CONTAINS_PATTERNS: list[str] = []
+    FILENAME_PATTERNS: list[str] = []
+    VERSION_PATTERNS = [r"libcurl[ -/]([678]+\.[0-9]+\.[0-9]+)"]
+    VENDOR_PRODUCT = [("haxx", "libcurl")]

test/config/cve_bin_tool_config.toml

@@ -13,7 +13,7 @@ input_file = "test/csv/triage.csv"
 skips = ["python", "bzip2"]
 
 # list of checkers you want to run
-runs = ["curl", "binutils"]
+runs = ["libcurl", "binutils"]
 
 [output]
 

test/config/cve_bin_tool_config.yaml

@@ -12,7 +12,7 @@ checker:
     - bzip2
   # list of checkers you want to run
   runs:
-    - curl
+    - libcurl
     - binutils
 
 output:

test/test_cli.py

@@ -324,18 +324,18 @@ def test_config_file(self, caplog, filename):
         # scan with config file and overwrite output format
         assert main(["cve-bin-tool", "-C", filename, "-l", "info"]) != 0
 
-        # assert only checkers for binutils and curl get to run
+        # assert only checkers for binutils and libcurl get to run
         assert (
             "cve_bin_tool.VersionScanner",
             logging.INFO,
-            "Checkers: binutils, curl",
+            "Checkers: binutils, libcurl",
         ) in caplog.record_tuples
 
-        # assert only CVEs of curl and libcurl get reflected. Because others are skipped
+        # assert only CVEs of libcurl get reflected. Because others are skipped
         assert (
             "cve_bin_tool",
             logging.INFO,
-            "There are 2 products with known CVEs detected",
+            "There are 1 products with known CVEs detected",
         ) in caplog.record_tuples
 
         for record in caplog.record_tuples:

test/test_config.py

@@ -21,7 +21,7 @@ class TestConfig:
         "log_level": "debug",
         "output_file": "",
         "quiet": False,
-        "runs": ["curl", "binutils"],
+        "runs": ["libcurl", "binutils"],
         "severity": "low",
         "skips": ["python", "bzip2"],
         "update": "daily",

test/test_data/curl.py

@@ -12,7 +12,6 @@
         "package_name": "curl-7.32.0-3.fc20.x86_64.rpm",
         "product": "curl",
         "version": "7.32.0",
-        "other_products": ["libcurl"],
     },
     {
         "url": "https://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/aarch64/9.1/All/",
@@ -26,20 +25,11 @@
         "package_name": "curl_7.52.1-5+deb9u10_amd64.deb",
         "product": "curl",
         "version": "7.52.1",
-        "other_products": ["libcurl"],
     },
     {
-        "url": "http://mirror.centos.org/centos/7/os/x86_64/Packages/",
-        "package_name": "libcurl-7.29.0-59.el7.x86_64.rpm",
-        "product": "libcurl",
-        "version": "7.29.0",
-        "other_products": ["curl"],
-    },
-    {
-        "url": "https://archives.fedoraproject.org/pub/archive/fedora/linux/releases/30/Everything/x86_64/os/Packages/l/",
-        "package_name": "libcurl-7.64.0-6.fc30.x86_64.rpm",
-        "product": "libcurl",
-        "version": "7.64.0",
-        "other_products": ["curl"],
+        "url": "https://downloads.openwrt.org/releases/packages-19.07/x86_64/base/",
+        "package_name": "curl_7.66.0-3_x86_64.ipk",
+        "product": "curl",
+        "version": "7.66.0",
     },
 ]

test/test_data/libcurl.py

@@ -0,0 +1,34 @@
+# Copyright (C) 2023 Orange
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+mapping_test_data = [
+    {"product": "libcurl", "version": "7.34.0", "version_strings": ["libcurl 7.34.0"]},
+    {"product": "libcurl", "version": "7.34.0", "version_strings": ["libcurl-7.34.0"]},
+    {"product": "libcurl", "version": "7.34.0", "version_strings": ["libcurl/7.34.0"]},
+]
+package_test_data = [
+    {
+        "url": "http://ftp.br.debian.org/debian/pool/main/c/curl/",
+        "package_name": "libcurl3-gnutls_7.64.0-4+deb10u2_amd64.deb",
+        "product": "libcurl",
+        "version": "7.64.0",
+    },
+    {
+        "url": "http://mirror.centos.org/centos/7/os/x86_64/Packages/",
+        "package_name": "libcurl-7.29.0-59.el7.x86_64.rpm",
+        "product": "libcurl",
+        "version": "7.29.0",
+    },
+    {
+        "url": "https://archives.fedoraproject.org/pub/archive/fedora/linux/releases/30/Everything/x86_64/os/Packages/l/",
+        "package_name": "libcurl-7.64.0-6.fc30.x86_64.rpm",
+        "product": "libcurl",
+        "version": "7.64.0",
+    },
+    {
+        "url": "https://downloads.openwrt.org/releases/packages-19.07/x86_64/base/",
+        "package_name": "libcurl4_7.66.0-3_x86_64.ipk",
+        "product": "libcurl",
+        "version": "7.66.0",
+    },
+]