feat(package-list-parser): dpkg and rpm package list parser support (#1209)

* feat: Add package list support for distros that use rpm package manager

* feat: Add package list parser support for Debian and PopOS

* docs: rpm and dpkg package list parser changes

Author: BreadGenie

README.md

@@ -83,11 +83,11 @@ You can also use `-m` or `--merge` along with `-f --format` and `-o --output-fil
 
 > Note: For backward compatibility, we still support `csv2cve` command for producing CVEs from csv but we recommend using new `--input-file` command instead.
 
-`-L` or `--package-list` option runs a CVE scan on installed packages listed in a package list. It takes a python package list (requirements.txt) or a package list of packages of an Ubuntu or CentOS system as an input for the scan. This option is much faster and detects more CVEs than the default method of scanning binaries.
+`-L` or `--package-list` option runs a CVE scan on installed packages listed in a package list. It takes a python package list (requirements.txt) or a package list of packages of systems that has rpm or dpkg package manager as an input for the scan. This option is much faster and detects more CVEs than the default method of scanning binaries.
 
 You can get a package list of all installed packages in 
-  - an Ubuntu system by running `dpkg-query -W -f '${binary:Package}\n' > pkg-list` 
-  - a CentOS system by running `rpm -qa --queryformat '%{NAME}\n' > pkg-list` 
+  - a system using dpkg package mananger by running `dpkg-query -W -f '${binary:Package}\n' > pkg-list` 
+  - a system using rpm package mananger by running `rpm -qa --queryformat '%{NAME}\n' > pkg-list` 
 
 in the terminal and provide it as an input by running `cve-bin-tool -L pkg-list` for a full package scan.
 

cve_bin_tool/package_list_parser/__init__.py

@@ -23,7 +23,10 @@
 
 ROOT_PATH = join(dirname(__file__), "..")
 PYPI_CSV = join(ROOT_PATH, "package_list_parser", "pypi_list.csv")
-SUPPORTED_DISTROS = ["ubuntu", "centos"]
+
+DEB_DISTROS = ["debian", "pop", "ubuntu"]
+RPM_DISTROS = ["centos", "fedora", "opensuse", "rhel"]
+SUPPORTED_DISTROS = RPM_DISTROS + DEB_DISTROS
 
 
 class PackageListParser:
@@ -53,7 +56,7 @@ def parse_list(self):
 
             LOGGER.info(f"Scanning {distro.id().capitalize()} package list.")
 
-            if "ubuntu" in distro.id():
+            if distro.id() in DEB_DISTROS:
                 installed_packages = run(
                     [
                         "dpkg-query",
@@ -62,7 +65,7 @@ def parse_list(self):
                     ],
                     stdout=PIPE,
                 )
-            elif "centos" in distro.id():
+            elif distro.id() in RPM_DISTROS:
                 installed_packages = run(
                     [
                         "rpm",
@@ -158,8 +161,8 @@ def check_file(self):
                 raise EmptyTxtError(input_file)
 
         if not input_file.endswith("requirements.txt"):
-            if "ubuntu" in distro.id():
-                # Simulate installation on Ubuntu using apt-get to check if the file is valid
+            if distro.id() in DEB_DISTROS:
+                # Simulate installation on Debian based system using apt-get to check if the file is valid
                 output = run(
                     [f"xargs", "-a", input_file, "apt-get", "install", "-s"],
                     stderr=PIPE,
@@ -171,7 +174,7 @@ def check_file(self):
                         raise InvalidListError(
                             f"Invalid Package list\n{output.stderr.decode('utf-8')}"
                         )
-            elif "centos" in distro.id():
+            elif distro.id() in RPM_DISTROS:
                 output = run(
                     [f"xargs", "-a", input_file, "rpm", "-qi"],
                     stderr=PIPE,

doc/MANUAL.md

@@ -335,7 +335,7 @@ The output will look like following:
 
 ### -L PACKAGE_LIST, --package-list PACKAGE_LIST
 
-This option runs a CVE scan on installed packages listed in a package list. It takes a python package list (requirements.txt) or a package list of packages of an Ubuntu system as an input for the scan. This option is much faster and detects more CVEs than the default method of scanning binaries.
+This option runs a CVE scan on installed packages listed in a package list. It takes a python package list (requirements.txt) or a package list of packages of systems that has rpm or dpkg package manager as an input for the scan. This option is much faster and detects more CVEs than the default method of scanning binaries.
 
 An example of the package list for Linux systems:
 
@@ -349,8 +349,8 @@ python3
 
 > Note: The packages in the package list should be installed in the system before the scan. Run 
   - `pip install -r requirements.txt` to install python packages
-  - `sudo apt-get install $(cat package-list)` for packages in an Ubuntu system
-  - `sudo yum install $(cat package-list)`for packages in a CentOS system
+  - `sudo apt-get install $(cat package-list)` for packages in a Debian based system
+  - `sudo yum install $(cat package-list)`for packages in a CentOS/Fedora system
 
 > Note: Don't use invalid package names in the package list, as it will throw errors.
 
@@ -359,9 +359,9 @@ You can test it using our [test package list](https://github.com/intel/cve-bin-t
 ```console
 cve-bin-tool -L test/txt/test_ubuntu_list.txt
 ```
-You can get a package list of all installed packages in 
-  - an Ubuntu system by running `dpkg-query -W -f '${binary:Package}\n' > pkg-list` 
-  - a CentOS system by running `rpm -qa --queryformat '%{NAME}\n' > pkg-list` 
+You can get a package list of all installed packages in   
+  - a system using dpkg package mananger by running `dpkg-query -W -f '${binary:Package}\n' > pkg-list` 
+  - a system using rpm package mananger by running `rpm -qa --queryformat '%{NAME}\n' > pkg-list` 
 
 in the terminal and provide it as an input by running `cve-bin-tool -L pkg-list` for a full package scan.