Merge pull request #241 from FReeshabh/nextPR

Added a checker for gnutls

Author: terriko

cve_bin_tool/checkers/__init__.py

@@ -4,6 +4,7 @@
     "curl",
     "expat",
     "ffmpeg",
+    "gnutls",
     "icu",
     "kerberos",
     "libgcrypt",

cve_bin_tool/checkers/gnutls.py

@@ -0,0 +1,36 @@
+#!/usr/bin/env python3
+"""
+CVE checker for GnuTLS
+References:
+https://www.cvedetails.com/vulnerability-list/vendor_id-72/product_id-4433/GNU-Gnutls.html
+"""
+import os
+from ..util import regex_find
+
+
+def get_version(lines, filename):
+    """
+    returns version information for gnutls found in given file.
+    Verfies using the tools gnutls-cli
+    Verifies using the libraries libgnutls.so and libgnutls-dane.so
+
+    VPkg: gnu, gnutls
+    VPkg: gnutls, gnutls
+    """
+    regex = [r"gnutls-cli ([0-9]+\.[0-9]+\.[0-9]+)"]
+
+    for modulename, binary_names in (
+        {
+            "gnutls-serv": ["gnutls-serv"],
+            "gnutls-cli": ["gnutls-cli", "libgnutls.so", "libgnutls-dane.so"],
+        }
+    ).items():
+        for check in binary_names:
+            if check in os.path.split(filename)[-1]:
+                return {
+                    "is_or_contains": "is",
+                    "modulename": modulename,
+                    "version": regex_find(lines, *regex),
+                }
+
+    return {}

test/binaries/test-gnutls-cli-2.3.11.c

@@ -0,0 +1,11 @@
+#include <stdio.h>
+
+int main() {
+	printf("This program is designed to test the cve-bin-tool checker.");
+	printf("It outputs a few strings normally associated with gnutls-cli 2.3.11");
+	printf("They appear below this line.");
+	printf("------------------");
+	printf("gnutls-cli 2.3.11");
+
+	return 0;
+}

test/binaries/test-gnutls-serv-2.3.11.c

@@ -0,0 +1,11 @@
+#include <stdio.h>
+
+int main() {
+	printf("This program is designed to test the cve-bin-tool checker.");
+	printf("It outputs a few strings normally associated with gnutls-serv 2.3.11");
+	printf("They appear below this line.");
+	printf("------------------");
+	printf("gnutls-serv 2.3.11");
+
+	return 0;
+}

test/test_scanner.py

@@ -91,14 +91,14 @@ def _binary_test(self, binary, package, version, are_in, not_in):
         # Run the scan
         cves = self.scan_file(binary)
         # Make sure the package and version are in the results
-        self.assertIn(package, cves)
-        self.assertIn(version, cves[package])
+        self.assertIn(package, list(cves.keys()))
+        self.assertIn(version, list(cves[package].keys()))
         # Test for CVEs known in this version
         for ensure_in in are_in:
-            self.assertIn(ensure_in, cves[package][version])
+            self.assertIn(ensure_in, list(cves[package][version].keys()))
         # Test for a CVE that is not in this version
         for ensure_out in not_in:
-            self.assertNotIn(ensure_out, cves[package][version])
+            self.assertNotIn(ensure_out, list(cves[package][version].keys()))
 
     def _file_test(self, url, filename, package, version):
         """ Helper function to get a file (presumed to be a real copy
@@ -245,6 +245,28 @@ def test_ffmpeg_4_1_4(self):
             ],
         )
 
+    def test_gnutls_2_3_11(self):
+        """Scanning test-gnutls-{binary}-2.3.11.out"""
+        for binary in ["cli", "serv"]:
+            with self.subTest(binary=binary):
+                self._binary_test(
+                    "test-gnutls-{}-2.3.11.out".format(binary),
+                    "gnutls-cli",
+                    "2.3.11",
+                    [
+                        # known cves in 2.3.11
+                        "CVE-2008-1948",
+                        "CVE-2008-1949",
+                        "CVE-2008-1950",
+                    ],
+                    [
+                        # an older cve from before 2.3.11
+                        "CVE-2004-2531",
+                        # an newer cve from after 2.3.11
+                        "CVE-2017-7869",
+                    ],
+                )
+
     def test_jpeg_2_0_1(self):
         """Scanning test-libjpeg-turbo-2.0.1"""
         self._binary_test(