Release highlights
This release comes with the finished products from our two Google Summer of Code 2024 contributors:
- GSoC 2024 contributor @mastersans has improved our triage workflow and VEX support.
- GSoC 2024 contributor @inosmeet has added PURL identifier support and improved tooling for reducing false positives.
Thank you especially to @anthonyharrison, @BenL-github and @terriko for being Google Summer of Code mentors for us this year. For more details about these projects, see the "Improved VEX support" and "PURL and mismatch database" sections below.
This release also includes
- numerous new and improved binary checkers thanks to @ffontaine
- improvements both to our fuzzing infrastructure and fixes for issues found (shout out to @joydeep049 who laid a lot of groundwork here)
- many other bug fixes and features listed below.
Thanks also to the many new bug reporters who gave us feedback this release. Your feedback has been instrumental in making cve-bin-tool better, and we're so glad you've been willing to work with us as we try to find fixes for your issues. We love finding out how people use cve-bin-tool and ways we can make it more useful to you!
Breaking changes
The --triage-input-file flag has been replaced by --vex-file. (See the "Improved VEX support" section below for details.)
Improved VEX support
GSoC 2024 contributor @mastersans revamped the VEX workflow to integrate Lib4vex, which now handles both parsing and generating VEX files. As part of this work the sbom_manager was aligned with the vex_manager structure, improving overall functionality.
The focus was on integrating advanced VEX triage features, which involved a thorough refactoring of the existing workflow. This includes support for the CSAF, OpenVEX and CycloneDX VEX formats. Components in the file being scanned are now linked to VEX statements through identifiers such as bom-ref and Package URL (purl), so that Product_Info (product, version and vendor) can be identified precisely: bom-ref is used in CycloneDX VEX, while purl is used in CSAF and OpenVEX.
The triage process has also been streamlined: the old --triage-input-file flag is replaced by the new --vex-file flag, which automatically detects the VEX format and whether the file is standalone or paired with a companion file. Additionally, the --filter-triage flag filters out vulnerabilities marked as NotAffected and FalsePositive in the VEX document, so that only vulnerabilities still needing attention are reported.
The new triaging documentation can be found here: https://cve-bin-tool.readthedocs.io/en/latest/triaging_process.html
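As an added illustration of the linkage described above (this is example code written for these notes, not cve-bin-tool's or Lib4vex's own implementation), the block below builds a small OpenVEX document whose statements point at products by purl, links those statements to a constructed set of scan findings by exact (purl, CVE) match, and applies the same kind of filtering --filter-triage performs. The CVE ids, package purls, author and @id are placeholders; the "untriaged" status is this example's own marker for a finding with no VEX statement, not an OpenVEX status. A practitioner check is included: VEX product purls that match nothing in the scan are reported rather than silently ignored, and a statement for version 1.2.3 does not apply to 1.2.4.

```python
import json
from typing import Dict, List, Tuple

# Constructed OpenVEX document. The author, @id, product purls and CVE ids
# are placeholders, not real vulnerabilities or real packages.
OPENVEX_DOC = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/demo-1",
    "author": "Example Security Team",
    "timestamp": "2024-09-01T00:00:00Z",
    "version": 1,
    "statements": [
        {
            "vulnerability": {"name": "CVE-0000-0001"},
            "products": [{"@id": "pkg:pypi/demo-lib@1.2.3"}],
            "status": "not_affected",
            "justification": "vulnerable_code_not_in_execute_path",
        },
        {
            "vulnerability": {"name": "CVE-0000-0002"},
            "products": [{"@id": "pkg:pypi/demo-lib@1.2.3"}],
            "status": "affected",
        },
        {
            "vulnerability": {"name": "CVE-0000-0003"},
            "products": [{"@id": "pkg:npm/other-lib@0.1.0"}],
            "status": "not_affected",
            "justification": "component_not_present",
        },
    ],
})

# Constructed scan findings as (purl, cve_id) pairs. A real scan also carries
# vendor/product/version, but purl is the identifier the VEX statement links on.
SAMPLE_FINDINGS: List[Tuple[str, str]] = [
    ("pkg:pypi/demo-lib@1.2.3", "CVE-0000-0001"),
    ("pkg:pypi/demo-lib@1.2.3", "CVE-0000-0002"),
    ("pkg:pypi/demo-lib@1.2.4", "CVE-0000-0001"),  # other version: statement must not apply
]

# This example's placeholder for a finding with no VEX statement (not an OpenVEX status).
UNTRIAGED = "untriaged"


def parse_openvex(text: str) -> List[Tuple[str, str, str]]:
    """Flatten an OpenVEX document into (product purl, cve_id, status) triples."""
    doc = json.loads(text)
    triples = []
    for stmt in doc.get("statements", []):
        cve_id = stmt["vulnerability"]["name"]
        for product in stmt.get("products", []):
            triples.append((product["@id"], cve_id, stmt["status"]))
    return triples


def apply_vex(findings, triples, filter_triage=True):
    """Attach a VEX status to each finding by exact (purl, cve_id) match.

    With filter_triage=True, findings whose statement says not_affected are
    dropped, in the spirit of --filter-triage. The second return value lists
    VEX product purls that matched nothing in the scan, so a stale or
    mis-targeted VEX file is visible instead of silently having no effect.
    """
    status_by_key: Dict[Tuple[str, str], str] = {
        (purl, cve_id): status for purl, cve_id, status in triples
    }
    kept = []
    for purl, cve_id in findings:
        status = status_by_key.get((purl, cve_id), UNTRIAGED)
        if filter_triage and status == "not_affected":
            continue
        kept.append((purl, cve_id, status))
    scanned = {purl for purl, _ in findings}
    unlinked = sorted({purl for purl, _, _ in triples} - scanned)
    return kept, unlinked


if __name__ == "__main__":
    rows, missing = apply_vex(SAMPLE_FINDINGS, parse_openvex(OPENVEX_DOC))
    for row in rows:
        print("report:", *row)
    for purl in missing:
        print("warning: VEX product not found in scan:", purl)
```

Matching on the full purl including version is deliberate: a not_affected statement written for one release should not quietly suppress the same CVE against a later release that was never reviewed. How cve-bin-tool maps its own NotAffected and FalsePositive remarks onto each format's status vocabulary is Lib4vex's job; this example only shows the shape of the linkage.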
PURL and Mismatch database
GSoC 2024 contributor @inosmeet has added support for PURL identifiers and the purl2cpe database to our code, as well as a new "mismatch" database to help us fine tune product name matching.
Previously, our code assumed that the product name in a language dependency list would match the product name in our vulnerability data sources, and this sometimes produced false positives when product names were re-used across languages/vendors. Using PURLs to more precisely identify components from language scans and the purl2cpe database to look up human-verified matches in the vulnerability database should increase cve-bin-tool's accuracy.
The mismatch database provides another way to fine-tune results by letting us drop name collisions that cause false positives. For example, several languages may each have a package named "xml". If those packages have entries in the vulnerability databases, purl2cpe finds the right one; if they have none, we fall back to a name search, which sometimes returned an incorrect set of vulnerabilities. The mismatch database lets us explicitly record such mistaken matches and exclude them from results.
The new mismatch documentation can be found here: https://cve-bin-tool.readthedocs.io/en/latest/mismatch_data.html
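To make the lookup order concrete, here is an added example (written for these notes, not cve-bin-tool's own code or data) of resolving a language-parser dependency to (vendor, product) pairs: a purl2cpe-style table of verified matches is consulted first, keyed by the version-less purl; if it has no entry, the fallback is a search on the package name alone; and a mismatch list of vendors known not to be that package is applied to the fallback results. The PURL2CPE, CPE_INDEX and MISMATCH tables are constructed, in-memory stand-ins whose layout is this example's assumption, not the format of the project's real database tables or its mismatch_relations YAML files, and "xml-demo" is a made-up package name.

```python
from typing import Dict, List, Optional, Tuple

# Constructed stand-ins for cve-bin-tool's purl2cpe and mismatch data.
# Layout and contents are this example's assumptions, not the real tables.
PURL2CPE: Dict[str, List[Tuple[str, str]]] = {
    # version-less purl -> human-verified (vendor, product) pairs
    "pkg:pypi/xml-demo": [("pydemo", "xml-demo")],
}
CPE_INDEX: List[Tuple[str, str]] = [
    # (vendor, product) pairs present in the vulnerability database
    ("pydemo", "xml-demo"),
    ("rubydemo", "xml-demo"),
    ("other", "unrelated"),
]
MISMATCH: Dict[str, List[str]] = {
    # version-less purl -> vendors that are known NOT to be this package
    "pkg:npm/xml-demo": ["pydemo", "rubydemo"],
}


def parse_purl(purl: str) -> Tuple[str, str, str, Optional[str]]:
    """Split a purl into (type, namespace, name, version).

    Qualifiers (?...) and subpath (#...) are dropped. The purl spec percent-
    encodes '@' inside namespace and name, so the first '@' separates the
    version (e.g. pkg:npm/%40scope/pkg@1.0.0).
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[4:].split("#", 1)[0].split("?", 1)[0]
    body, _, version = body.partition("@")
    parts = body.strip("/").split("/")
    if len(parts) < 2:
        raise ValueError(f"purl needs a type and a name: {purl}")
    ptype, name = parts[0].lower(), parts[-1]
    namespace = "/".join(parts[1:-1])
    return ptype, namespace, name, version or None


def versionless(purl: str) -> str:
    """Key used for table lookups: the purl with version, qualifiers and subpath removed."""
    ptype, namespace, name, _ = parse_purl(purl)
    return f"pkg:{ptype}/{namespace}/{name}" if namespace else f"pkg:{ptype}/{name}"


def resolve(purl: str) -> Tuple[List[Tuple[str, str]], str]:
    """Return ((vendor, product) pairs, how they were found).

    Order: verified purl2cpe entry -> name search minus mismatch vendors -> none.
    """
    key = versionless(purl)
    if key in PURL2CPE:
        return list(PURL2CPE[key]), "purl2cpe"
    _, _, name, _ = parse_purl(purl)
    candidates = [(v, p) for v, p in CPE_INDEX if p == name]
    bad_vendors = set(MISMATCH.get(key, []))
    kept = [(v, p) for v, p in candidates if v not in bad_vendors]
    return kept, ("name_search" if kept else "none")


if __name__ == "__main__":
    for sample in ("pkg:pypi/xml-demo@2.0", "pkg:npm/xml-demo@1.0", "pkg:gem/xml-demo"):
        pairs, how = resolve(sample)
        print(f"{sample:28} {how:12} {pairs}")
```

The third sample is the interesting one: a gem named xml-demo has no purl2cpe entry and no mismatch entry, so the name search returns both the Python and Ruby vendors' products, and any CVEs against the wrong one would be reported. That is precisely the situation a mismatch entry is meant to close off, which is why the release adds an issue template and CLI utility for contributing such entries.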
What's Changed
Open for list of pull requests merged (quite long)
- chore: update SBOM for Python 3.8 by @github-actions in #4028
- chore: update SBOM for Python 3.12 by @github-actions in #4027
- chore: update SBOM for Python 3.9 by @github-actions in #4026
- chore: update SBOM for Python 3.11 by @github-actions in #4025
- chore: update SBOM for Python 3.10 by @github-actions in #4024
- feat: add fix to allow detection of python3.11 on DLL file by @jananir640 in #4023
- chore(deps): bump codecov/codecov-action from 4.1.0 to 4.3.0 by @dependabot in #4017
- chore(deps): bump github/codeql-action from 3.24.9 to 3.24.10 by @dependabot in #4010
- chore(deps): bump actions/dependency-review-action from 4.1.3 to 4.2.5 by @dependabot in #3999
- chore(deps): bump actions/setup-python from 5.0.0 to 5.1.0 by @dependabot in #3985
- chore(deps): bump github/codeql-action from 3.24.10 to 3.25.0 by @dependabot in #4034
- feat: added PURL generation to PhpParser by @joydeep049 in #4016
- feat: added PURL generation for r parser by @inosmeet in #4035
- chore(deps-dev): bump black from 24.3.0 to 24.4.0 by @dependabot in #4030
- chore(deps): bump peter-evans/create-pull-request from 6.0.2 to 6.0.3 by @dependabot in #4029
- feat: added PURL generation to DartParser by @mastersans in #4004
- chore(deps): bump sphinx from 7.2.6 to 7.3.5 in /doc by @dependabot in #4039
- chore: set dev version number by @terriko in #4036
- feat(checker): add ttyd checker by @ffontaine in #4031
- chore: update checkers table by @github-actions in #4043
- chore(deps): bump sphinx from 7.3.5 to 7.3.6 in /doc by @dependabot in #4050
- chore(deps): bump peter-evans/create-pull-request from 6.0.3 to 6.0.4 by @dependabot in #4048
- chore(deps): bump github/codeql-action from 3.25.0 to 3.25.1 by @dependabot in #4047
- feat: Adding locations in CycloneDX reports by @Mayankrai449 in #3989
- fix: update openssl checker by @ffontaine in #4051
- fix: fix symlink handling by @ffontaine in #4054
- chore(deps): bump sphinx from 7.3.6 to 7.3.7 in /doc by @dependabot in #4056
- chore: update SBOM for Python 3.8 by @github-actions in #4068
- chore: update SBOM for Python 3.9 by @github-actions in #4067
- chore: update SBOM for Python 3.10 by @github-actions in #4066
- chore: update SBOM for Python 3.12 by @github-actions in #4065
- chore: update SBOM for Python 3.11 by @github-actions in #4064
- chore(deps): bump github/codeql-action from 3.25.1 to 3.25.2 by @dependabot in #4071
- chore(deps): bump myst-parser from 2.0.0 to 3.0.0 in /doc by @dependabot in #4074
- chore: removed Old cyclonedx and spdx parser from sbom manager by @ranjanmangla1 in #4076
- fix: update binutils pattern by @ffontaine in #4077
- chore: use unique tempdir prefixes in fuzzing temp dirs (fixes: #3960) by @ranjanmangla1 in #4022
- fix: TypeError in RenvLockBuilder by @joydeep049 in #4061
- fix: improve cryptsetup checker by @ffontaine in #4086
- fix: parse CPE names correctly #4041 by @fthdrmzzz in #4063
- fix: improved cpe parsing in sbom code by @ranjanmangla1 in #4082
- ci: reduce dependabot scan frequency by @terriko in #4080
- chore(deps): bump myst-parser from 3.0.0 to 3.0.1 by @dependabot in #4098
- chore(deps): bump peter-evans/create-pull-request from 6.0.4 to 6.0.5 by @dependabot in #4091
- chore(deps): bump github/codeql-action from 3.25.2 to 3.25.3 by @dependabot in #4090
- chore(deps): bump conda-incubator/setup-miniconda from 3.0.3 to 3.0.4 by @dependabot in #4089
- fix: add additional ppp CPE ID by @ffontaine in #4092
- chore: update SBOM for Python 3.8 by @github-actions in #4097
- chore: update SBOM for Python 3.10 by @github-actions in #4096
- chore: update SBOM for Python 3.9 by @github-actions in #4095
- chore: update SBOM for Python 3.12 by @github-actions in #4094
- chore: update SBOM for Python 3.11 by @github-actions in #4093
- chore: update pre-commit config by @github-actions in #4099
- chore(deps): bump actions/dependency-review-action from 4.2.5 to 4.3.2 by @dependabot in #4109
- chore(deps): bump codecov/codecov-action from 4.3.0 to 4.3.1 by @dependabot in #4108
- chore(deps): bump step-security/harden-runner from 2.7.0 to 2.7.1 by @dependabot in #4107
- chore: update SBOM for Python 3.8 by @github-actions in #4106
- chore: update SBOM for Python 3.10 by @github-actions in #4105
- chore: update SBOM for Python 3.12 by @github-actions in #4104
- chore: update SBOM for Python 3.9 by @github-actions in #4103
- chore: update SBOM for Python 3.11 by @github-actions in #4102
- feat: upload slsa to github on testing ci build job by @pdxjohnny in #4113
- ci: update Testing workflow with harden-runner recommendations by @michaelwknott in #4114
- chore(deps-dev): bump pre-commit from 3.7.0 to 3.7.1 by @dependabot in #4121
- chore(deps): bump ossf/scorecard-action from 2.3.1 to 2.3.3 by @dependabot in #4124
- chore: update SBOM for Python 3.8 by @github-actions in #4120
- chore: update SBOM for Python 3.9 by @github-actions in #4119
- chore: update SBOM for Python 3.10 by @github-actions in #4118
- chore: update SBOM for Python 3.12 by @github-actions in #4117
- chore: update SBOM for Python 3.11 by @github-actions in #4116
- chore(deps): bump github/codeql-action from 3.25.3 to 3.25.4 by @dependabot in #4123
- chore(deps): bump actions/attest-build-provenance from 1.0.0 to 1.1.1 by @dependabot in #4122
- ci: build wheel only on origin, make sbom test more robust by @terriko in #4126
- chore(deps): bump codecov/codecov-action from 4.3.1 to 4.4.0 by @dependabot in #4134
- chore(deps): bump github/codeql-action from 3.25.4 to 3.25.5 by @dependabot in #4133
- chore: update SBOM for Python 3.8 by @github-actions in #4132
- chore: update SBOM for Python 3.9 by @github-actions in #4131
- chore: update SBOM for Python 3.10 by @github-actions in #4130
- chore: update SBOM for Python 3.12 by @github-actions in #4129
- chore: update SBOM for Python 3.11 by @github-actions in #4128
- chore(deps): requests>=2.32.0 due to session bug by @terriko in #4136
- chore(deps): bump codecov/codecov-action from 4.4.0 to 4.4.1 by @dependabot in #4147
- chore(deps): bump step-security/harden-runner from 2.7.1 to 2.8.0 by @dependabot in #4146
- chore(deps): bump github/codeql-action from 3.25.5 to 3.25.6 by @dependabot in #4145
- test: added test for generate_sbom function by @inosmeet in #4060
- chore: update SBOM for Python 3.8 by @github-actions in #4144
- chore: update SBOM for Python 3.9 by @github-actions in #4143
- chore: update SBOM for Python 3.10 by @github-actions in #4142
- chore: update SBOM for Python 3.12 by @github-actions in #4141
- chore: update SBOM for Python 3.11 by @github-actions in #4140
- ci: openSSF scorecard fixes, fix build-wheel by @terriko in #4149
- chore: update SBOM for Python 3.8 by @github-actions in #4155
- chore: update SBOM for Python 3.9 by @github-actions in #4154
- chore: update SBOM for Python 3.10 by @github-actions in #4153
- chore: update SBOM for Python 3.11 by @github-actions in #4152
- chore: update SBOM for Python 3.12 by @github-actions in #4151
- chore(deps): bump github/codeql-action from 3.25.6 to 3.25.7 by @dependabot in #4156
- feat: removed version info from purls in language parsers by @inosmeet in #4159
- docs: minor docstring fix by @mastersans in #4157
- Add missing source entry for REDHAT by @r-vdp in #4161
- ci: add jobs line in build-wheel.yml by @terriko in #4162
- ci: put write permission in job by @terriko in #4163
- fix: update dnsmasq checker by @ffontaine in #4165
- fix: let epss work behind proxy by @terriko in #4166
- chore: update SBOM for Python 3.8 by @github-actions in #4172
- chore: update SBOM for Python 3.10 by @github-actions in #4171
- chore: update SBOM for Python 3.9 by @github-actions in #4170
- chore: update SBOM for Python 3.11 by @github-actions in #4169
- chore: update SBOM for Python 3.12 by @github-actions in #4168
- chore(deps): bump github/codeql-action from 3.25.7 to 3.25.8 by @dependabot in #4176
- chore(deps): bump actions/attest-build-provenance from 1.1.1 to 1.2.0 by @dependabot in #4173
- chore(deps): bump actions/dependency-review-action from 4.3.2 to 4.3.3 by @dependabot in #4175
- chore(deps): bump step-security/harden-runner from 2.7.1 to 2.8.1 by @dependabot in #4174
- fix: disable nvd_api_key, test disabled sources by @terriko in #4167
- feat: Separated data source integration from previous PR by @inosmeet in #4179
- feat: added a function to utilize purl integration by @inosmeet in #4164
- feat: purl in productinfo by @mastersans in #4185
- feat: cyclonedx vex generation by @mastersans in #4150
- fix: remove alias mechanism from osv by @ffontaine in #4187
- chore: update SBOM for Python 3.8 by @github-actions in #4193
- chore: update SBOM for Python 3.9 by @github-actions in #4192
- chore: update SBOM for Python 3.10 by @github-actions in #4191
- chore: update SBOM for Python 3.12 by @github-actions in #4190
- chore: update SBOM for Python 3.11 by @github-actions in #4189
- Added 'YAFFS' as valid binary format by @gvozzolo in #4202
- refactor: changed language parsers and query by @inosmeet in #4188
- fix: use real filenames in language parsers by @terriko in #4204
- chore(deps): bump actions/attest-build-provenance from 1.2.0 to 1.3.1 by @dependabot in #4196
- chore(deps): bump codecov/codecov-action from 4.4.1 to 4.5.0 by @dependabot in #4197
- chore(deps): bump github/codeql-action from 3.25.8 to 3.25.10 by @dependabot in #4198
- feat: Documentation and plugin system for parsers by @pdxjohnny in #4200
- feat: vex parser class in addition to purl support to generation by @mastersans in #4177
- fix: handle disabled_sources in get_vendor_product_pairs by @ffontaine in #4208
- feat: added deduplication database table by @inosmeet in #4206
- chore(deps): bump actions/attest-build-provenance from 1.3.1 to 1.3.2 by @dependabot in #4215
- chore(deps): bump peter-evans/create-pull-request from 6.0.5 to 6.1.0 by @dependabot in #4214
- chore: update SBOM for Python 3.8 by @github-actions in #4213
- chore: update SBOM for Python 3.12 by @github-actions in #4212
- chore: update SBOM for Python 3.10 by @github-actions in #4211
- chore: update SBOM for Python 3.11 by @github-actions in #4210
- feat: no entrypoint registration required in tree by @pdxjohnny in #4207
- chore: update SBOM for Python 3.9 by @github-actions in #4209
- feat: added purl2cpe into our database by @inosmeet in #4218
- feat: improved purl for productinfo by @inosmeet in #4222
- fix: make EPSS behave like other data sources by @terriko in #4125
- fix: [Snyk] min vers for indirect dependencies with vulns by @terriko in #4224
- docs: adding a new data source by @terriko in #4217
- refactor: renamed deduplication database to mismatch by @inosmeet in #4225
- chore(deps): bump github/codeql-action from 3.25.10 to 3.25.11 by @dependabot in #4234
- chore: update SBOM for Python 3.12 by @github-actions in #4233
- feat: added script to populate deduplication database by @inosmeet in #4223
- chore: update SBOM for Python 3.8 by @github-actions in #4232
- chore: update SBOM for Python 3.9 by @github-actions in #4231
- chore: update SBOM for Python 3.11 by @github-actions in #4230
- chore: update SBOM for Python 3.10 by @github-actions in #4229
- refactor: sbom_manager by @mastersans in #4237
- docs: documentation regarding vex commands by @mastersans in #4227
- docs: mismatch_loader by @inosmeet in #4245
- feat: disabled failing tests by @inosmeet in #4247
- feat(checker): add libopenmpt checker by @ffontaine in #4249
- feat: added flags for mismatch_loader by @inosmeet in #4246
- test: openvex parse and generation test by @mastersans in #4244
- feat: command line arguments for vex by @mastersans in #4226
- chore(deps): bump actions/dependency-review-action from 4.3.3 to 4.3.4 by @dependabot in #4252
- chore(deps): bump actions/attest-build-provenance from 1.3.2 to 1.3.3 by @dependabot in #4253
- chore(deps): bump github/codeql-action from 3.25.11 to 3.25.12 by @dependabot in #4251
- chore(deps): bump actions/setup-python from 5.1.0 to 5.1.1 by @dependabot in #4250
- chore: remove plotly from triage.json by @mastersans in #4267
- feat: added yaml checks for mismatch_relations file by @inosmeet in #4264
- chore: update SBOM for Python 3.8 by @terriko in #4263
- chore: update SBOM for Python 3.9 by @terriko in #4262
- chore: update SBOM for Python 3.11 by @terriko in #4261
- chore: update SBOM for Python 3.10 by @terriko in #4260
- test: mismatch_loader by @inosmeet in #4248
- chore(deps): bump sphinx from 7.3.7 to 7.4.0 by @dependabot in #4254
- feat: added ci script that updates mismatch database by @inosmeet in #4236
- feat: added mismatch information for python's zstandard by @inosmeet in #4239
- fix: improve handling of triage data by @r-vdp in #4160
- chore: update SBOM for Python 3.8 by @github-actions in #4273
- chore: update SBOM for Python 3.9 by @github-actions in #4272
- chore: update SBOM for Python 3.10 by @github-actions in #4271
- chore: update SBOM for Python 3.11 by @github-actions in #4270
- chore: update pre-commit config by @github-actions in #4228
- refactor: decode_cpe23 by @inosmeet in #4268
- chore(deps): bump sphinx from 7.4.0 to 7.4.7 by @dependabot in #4274
- refactor: table init + add bonus purl2cpe init by @terriko in #4241
- feat: enabled mismatch feature for remaining parsers by @inosmeet in #4269
- fix: failing vex test by @mastersans in #4287
- chore: update SBOM for Python 3.12 by @terriko in #4259
- refactor: moved repetitive code from parsers to a generic function by @inosmeet in #4292
- chore(deps): bump step-security/harden-runner from 2.8.1 to 2.9.0 by @dependabot in #4277
- chore(deps): bump actions/setup-python from 5.1.0 to 5.1.1 by @dependabot in #4278
- test: purl2cpe database by @inosmeet in #4280
- build(deps): Move setuptools to requirements.txt (from dev reqs) by @cpswan in #4291
- feat: new issue template for mismatch information by @inosmeet in #4283
- chore(deps-dev): bump pre-commit from 3.7.1 to 3.8.0 by @dependabot in #4286
- chore(deps): bump github/codeql-action from 3.25.12 to 3.25.15 by @dependabot in #4285
- chore(deps): bump ossf/scorecard-action from 2.3.3 to 2.4.0 by @dependabot in #4284
- ci: use intel-provided github runners by @terriko in #4293
- chore: update pre-commit config by @github-actions in #4297
- docs: documentation regarding vex and triage by @mastersans in #4299
- chore: update SBOM for Python 3.8 by @github-actions in #4304
- chore: update SBOM for Python 3.9 by @github-actions in #4305
- chore: update SBOM for Python 3.11 by @github-actions in #4303
- chore: update SBOM for Python 3.12 by @github-actions in #4302
- chore: update SBOM for Python 3.10 by @github-actions in #4301
- ci: Removed the terms mentioned in Issue #4314 by @muddi900 in #4316
- fix: TypeError in fuzz_python_requirement_parser in fuzzing reports #… by @hassaanshafqatt in #4312
- feat: convert mismatch utility into a standalone entity by @inosmeet in #4300
- feat: add support for yarn (fixes #4266) by @vpavankalyan in #4290
- feat: improved triage process by @mastersans in #4279
- test: Reduce tests run in short tests jobs by @terriko in #4319
- feat: new json format for output by @mastersans in #3980
- fix: improve schema validation for bandit by @terriko in #4320
- chore(deps): bump min versions per snyk by @terriko in #4318
- feat: checker-experiment by @joydeep049 in #3873
- fix: list of available language parsers (fixes #4334) by @anthonyharrison in #4336
- test: PURL generation for language parsers by @inosmeet in #4332
- fix: 0 cve pdf report was not generating by @terriko in #4329
- chore: update SBOM for Python 3.8 by @github-actions in #4341
- chore: update SBOM for Python 3.9 by @github-actions in #4340
- chore: update SBOM for Python 3.12 by @github-actions in #4339
- chore: update SBOM for Python 3.10 by @github-actions in #4338
- chore: update SBOM for Python 3.11 by @github-actions in #4337
- fix: vulnerabilities being missed in SBOMs (fixes #4178) by @anthonyharrison in #4335
- test: mismatch cli utility by @inosmeet in #4346
- chore(deps): bump step-security/harden-runner from 2.9.0 to 2.9.1 by @dependabot in #4344
- chore(deps): bump github/codeql-action from 3.25.15 to 3.26.0 by @dependabot in #4342
- ci: disable csv cve scan temporarily by @terriko in #4347
- docs: mismatch cli utility by @inosmeet in #4348
- fix: triage with directory scanning and documentation for TRIAGE.json by @mastersans in #4349
- ci: re-enable windows tests that previously failed by @terriko in #4351
- fix: Help users learn about the mirrors by @terriko in #4352
- test: skip test_language_package in long tests by @muddi900 in #4327
- refactor: renamed data directory to mismatch_data by @inosmeet in #4356
- feat: diagram of triage workflow by @mastersans in #4366
- ci: mismatch yml checker needs new directory name by @terriko in #4358
- chore(deps): bump github/codeql-action from 3.26.0 to 3.26.2 by @dependabot in #4365
- chore: update SBOM for Python 3.9 by @github-actions in #4364
- chore: update SBOM for Python 3.8 by @github-actions in #4363
- chore: update SBOM for Python 3.12 by @github-actions in #4362
- chore: update SBOM for Python 3.10 by @github-actions in #4361
- chore: update SBOM for Python 3.11 by @github-actions in #4360
- fix: set packaging minimum version by @ffontaine in #4367
- fix: improve hostapd checker by @ffontaine in #4368
- fix: halt if pdf selected but unavailable by @terriko in #4354
- chore: bump version to 3.4rc0 for pre-release by @terriko in #4357
- test: regression test for 0 cve pdf report by @terriko in #4371
- feat(checker): add jasper checker by @ffontaine in #4378
- feat(checker): add ghostscript checker by @ffontaine in #4379
- feat(checker): add libyaml checker by @ffontaine in #4377
- test: re-enable some disabled tests by @terriko in #4376
- chore: fix documentation and remove older test by @mastersans in #4374
- chore: update checkers table by @github-actions in #4381
- chore(deps): bump actions/attest-build-provenance from 1.3.3 to 1.4.2 by @dependabot in #4389
- chore(deps): bump github/codeql-action from 3.26.2 to 3.26.5 by @dependabot in #4390
- chore: update SBOM for Python 3.9 by @github-actions in #4388
- chore: update SBOM for Python 3.8 by @github-actions in #4387
- chore: update SBOM for Python 3.12 by @github-actions in #4386
- chore: update SBOM for Python 3.10 by @github-actions in #4385
- chore: update SBOM for Python 3.11 by @github-actions in #4384
- fix: remove excessively noisy cvedb debug message by @terriko in #4395
- docs: Add json2 output format (fixes #4333) by @anthonyharrison in #4397
- chore: bump version to 3.4rc1 by @terriko in #4382
- fix: Reduce debug noise by @anthonyharrison in #4400
- fix: update jq checker by @ffontaine in #4399
- fix: modernize cvss score loading by @terriko in #4373
- fix: update test data for lib4vex 0.2.0 (fixes #4402) by @anthonyharrison in #4403
- chore: min version of lib4vex to 0.2.0 by @terriko in #4404
- chore: update SBOM for Python 3.8 by @github-actions in #4409
- chore: update SBOM for Python 3.9 by @github-actions in #4410
- chore: update SBOM for Python 3.10 by @github-actions in #4408
- chore: update SBOM for Python 3.11 by @github-actions in #4406
- chore: update SBOM for Python 3.12 by @github-actions in #4407
- chore: update pre-commit config by @github-actions in #4405
- chore(deps): bump actions/upload-artifact from 4.3.1 to 4.4.0 by @dependabot in #4411
- chore(deps): bump github/codeql-action from 3.26.5 to 3.26.6 by @dependabot in #4413
- chore(deps): bump actions/setup-python from 5.1.1 to 5.2.0 by @dependabot in #4412
- feat: auto detect for vex and added linkage check by @mastersans in #4415
- chore: bump version to 3.4 release by @terriko in #4416
- fix: handle : in filenames better by @ffontaine in #4418
- fix: update dovecot checker by @ffontaine in #4419
- fix: Backwards compatibility for vex triage by @terriko in #4421
- chore(deps): bump actions/attest-build-provenance from 1.4.2 to 1.4.3 by @dependabot in #4430
- chore: update SBOM for Python 3.8 by @github-actions in #4428
- chore: update SBOM for Python 3.9 by @github-actions in #4425
- chore: update SBOM for Python 3.10 by @github-actions in #4426
- chore: update SBOM for Python 3.11 by @github-actions in #4427
- chore: update SBOM for Python 3.12 by @github-actions in #4424
- fix: Incorrect validation of purl (fixes #4420) by @anthonyharrison in #4422
- feat(checker): add mp4v2 checker by @ffontaine in #4380
- fix: improve comment propagation from lib4vex by @terriko in #4423
- chore: update checkers table by @github-actions in #4431
- chore: 3.4rc2 version number by @terriko in #4432
- chore: bump version to 3.4 by @terriko in #4435
- Match cve_metrics foreign key to the metrics table definition by @steven-hh-ding in #4436
- fix: fix glibc patterns by @ffontaine in #4437
- fix: handle unset serial number by @terriko in #4440
- fix: prepend justification to comments by @terriko in #4442
- chore: update SBOM for Python 3.8 by @github-actions in #4447
- chore: update SBOM for Python 3.9 by @github-actions in #4448
- chore: update SBOM for Python 3.10 by @github-actions in #4446
- chore: update SBOM for Python 3.12 by @github-actions in #4445
- chore: update SBOM for Python 3.11 by @github-actions in #4444
- docs: update argument list by @AryanBakliwal in #4443
- chore(deps): bump step-security/harden-runner from 2.9.1 to 2.10.1 by @dependabot in #4451
- docs: fix broken GAD link by @terriko in #4454
- fix: match cli arguments description by @AryanBakliwal in #4456
Open for list of feature/doc/bugfix merged (no chore or ci updates; slightly less long)
- feat: add fix to allow detection of python3.11 on DLL file by @jananir640 in #4023
- feat: added PURL generation to PhpParser by @joydeep049 in #4016
- feat: added PURL generation for r parser by @inosmeet in #4035
- feat: added PURL generation to DartParser by @mastersans in #4004
- feat(checker): add ttyd checker by @ffontaine in #4031
- feat: Adding locations in CycloneDX reports by @Mayankrai449 in #3989
- fix: update openssl checker by @ffontaine in #4051
- fix: fix symlink handling by @ffontaine in #4054
- fix: update binutils pattern by @ffontaine in #4077
- fix: TypeError in RenvLockBuilder by @joydeep049 in #4061
- fix: improve cryptsetup checker by @ffontaine in #4086
- fix: parse CPE names correctly #4041 by @fthdrmzzz in #4063
- fix: improved cpe parsing in sbom code by @ranjanmangla1 in #4082
- fix: add additional ppp CPE ID by @ffontaine in #4092
- feat: upload slsa to github on testing ci build job by @pdxjohnny in #4113
- test: added test for generate_sbom function by @inosmeet in #4060
- feat: removed version info from purls in language parsers by @inosmeet in #4159
- docs: minor docstring fix by @mastersans in #4157
- Add missing source entry for REDHAT by @r-vdp in #4161
- fix: update dnsmasq checker by @ffontaine in #4165
- fix: let epss work behind proxy by @terriko in #4166
- fix: disable nvd_api_key, test disabled sources by @terriko in #4167
- feat: Separated data source integration from previous PR by @inosmeet in #4179
- feat: added a function to utilize purl integration by @inosmeet in #4164
- feat: purl in productinfo by @mastersans in #4185
- feat: cyclonedx vex generation by @mastersans in #4150
- fix: remove alias mechanism from osv by @ffontaine in #4187
- Added 'YAFFS' as valid binary format by @gvozzolo in #4202
- refactor: changed language parsers and query by @inosmeet in #4188
- fix: use real filenames in language parsers by @terriko in #4204
- feat: Documentation and plugin system for parsers by @pdxjohnny in #4200
- feat: vex parser class in addition to purl support to generation by @mastersans in #4177
- fix: handle disabled_sources in get_vendor_product_pairs by @ffontaine in #4208
- feat: added deduplication database table by @inosmeet in #4206
- feat: no entrypoint registration required in tree by @pdxjohnny in #4207
- feat: added purl2cpe into our database by @inosmeet in #4218
- feat: improved purl for productinfo by @inosmeet in #4222
- fix: make EPSS behave like other data sources by @terriko in #4125
- fix: [Snyk] min vers for indirect dependencies with vulns by @terriko in #4224
- docs: adding a new data source by @terriko in #4217
- refactor: renamed deduplication database to mismatch by @inosmeet in #4225
- feat: added script to populate deduplication database by @inosmeet in #4223
- refactor: sbom_manager by @mastersans in #4237
- docs: documentation regarding vex commands by @mastersans in #4227
- docs: mismatch_loader by @inosmeet in #4245
- feat: disabled failing tests by @inosmeet in #4247
- feat(checker): add libopenmpt checker by @ffontaine in #4249
- feat: added flags for mismatch_loader by @inosmeet in #4246
- test: openvex parse and generation test by @mastersans in #4244
- feat: command line arguments for vex by @mastersans in #4226
- feat: added yaml checks for mismatch_relations file by @inosmeet in #4264
- test: mismatch_loader by @inosmeet in #4248
- feat: added ci script that updates mismatch database by @inosmeet in #4236
- feat: added mismatch information for python's zstandard by @inosmeet in #4239
- fix: improve handling of triage data by @r-vdp in #4160
- refactor: decode_cpe23 by @inosmeet in #4268
- refactor: table init + add bonus purl2cpe init by @terriko in #4241
- feat: enabled mismatch feature for remaining parsers by @inosmeet in #4269
- fix: failing vex test by @mastersans in #4287
- refactor: moved repetitive code from parsers to a generic function by @inosmeet in #4292
- test: purl2cpe database by @inosmeet in #4280
- build(deps): Move setuptools to requirements.txt (from dev reqs) by @cpswan in #4291
- feat: new issue template for mismatch information by @inosmeet in #4283
- docs: documentation regarding vex and triage by @mastersans in #4299
- fix: TypeError in fuzz_python_requirement_parser in fuzzing reports #… by @hassaanshafqatt in #4312
- feat: convert mismatch utility into a standalone entity by @inosmeet in #4300
- feat: add support for yarn (fixes #4266) by @vpavankalyan in #4290
- feat: improved triage process by @mastersans in #4279
- test: Reduce tests run in short tests jobs by @terriko in #4319
- feat: new json format for output by @mastersans in #3980
- fix: improve schema validation for bandit by @terriko in #4320
- feat: checker-experiment by @joydeep049 in #3873
- fix: list of available language parsers (fixes #4334) by @anthonyharrison in #4336
- test: PURL generation for language parsers by @inosmeet in #4332
- fix: 0 cve pdf report was not generating by @terriko in #4329
- fix: vulnerabilities being missed in SBOMs (fixes #4178) by @anthonyharrison in #4335
- test: mismatch cli utility by @inosmeet in #4346
- docs: mismatch cli utility by @inosmeet in #4348
- fix: triage with directory scanning and documentation for TRIAGE.json by @mastersans in #4349
- fix: Help users learn about the mirrors by @terriko in #4352
- test: skip test_language_package in long tests by @muddi900 in #4327
- refactor: renamed data directory to mismatch_data by @inosmeet in #4356
- feat: diagram of triage workflow by @mastersans in #4366
- fix: set packaging minimum version by @ffontaine in #4367
- fix: improve hostapd checker by @ffontaine in #4368
- fix: halt if pdf selected but unavailable by @terriko in #4354
- test: regression test for 0 cve pdf report by @terriko in #4371
- feat(checker): add jasper checker by @ffontaine in #4378
- feat(checker): add ghostscript checker by @ffontaine in #4379
- feat(checker): add libyaml checker by @ffontaine in #4377
- test: re-enable some disabled tests by @terriko in #4376
- fix: remove excessively noisy cvedb debug message by @terriko in #4395
- docs: Add json2 output format (fixes #4333) by @anthonyharrison in #4397
- fix: Reduce debug noise by @anthonyharrison in #4400
- fix: update jq checker by @ffontaine in #4399
- fix: modernize cvss score loading by @terriko in #4373
- fix: update test data for lib4vex 0.2.0 (fixes #4402) by @anthonyharrison in #4403
- feat: auto detect for vex and added linkage check by @mastersans in #4415
- fix: handle : in filenames better by @ffontaine in #4418
- fix: update dovecot checker by @ffontaine in #4419
- fix: Backwards compatibility for vex triage by @terriko in #4421
- fix: Incorrect validation of purl (fixes #4420) by @anthonyharrison in #4422
- feat(checker): add mp4v2 checker by @ffontaine in #4380
- fix: improve comment propagation from lib4vex by @terriko in #4423
- Match cve_metrics foreign key to the metrics table definition by @steven-hh-ding in #4436
- fix: fix glibc patterns by @ffontaine in #4437
- fix: handle unset serial number by @terriko in #4440
- fix: prepend justification to comments by @terriko in #4442
- docs: update argument list by @AryanBakliwal in #4443
- docs: fix broken GAD link by @terriko in #4454
New Contributors
- @ranjanmangla1 made their first contribution in #4076
- @fthdrmzzz made their first contribution in #4063
- @r-vdp made their first contribution in #4161
- @cpswan made their first contribution in #4291
- @muddi900 made their first contribution in #4316
- @hassaanshafqatt made their first contribution in #4312
- @vpavankalyan made their first contribution in #4290
- @steven-hh-ding made their first contribution in #4436
Full Changelog: v3.3...v3.4