Updating documentation for 0.3.0 release (#204)

Author: terriko

MANUAL.md

@@ -9,32 +9,51 @@ system includes common libraries with known vulnerabilities, known as CVEs
 Usage:
 `cve-bin-tool <flags> <path to directory>`
 
-    Possible output levels:
-    -v (verbose): print scan results as they're found
-       (regular): print only final summary
-    -q (quiet):   suppress all output but exit with error
-                  number indicating number of files with CVE
+Possible output levels:
+```
+  -v, --verbose         details on found issues as script runs
+  -q, --quiet           suppress output
+  -l {debug,info,warning,error,critical}, --log {debug,info,warning,error,critical}
+                        log level
+```
+Other options:
+```
+  -h, --help            show help message and exit
+  -x, --extract         autoextract compressed files
+  -s SKIPS, --skips SKIPS
+                        comma-separated list of checkers to disable
+  -m, --multithread     enable multithread
+  -u {now,daily,never}, --update {now,daily,never}
+                        update schedule for NVD database. Default is daily.
+```
 
-    Other options:
-    -x (extract): Autoextract compressed files
+Available checkers: `curl, expat, icu, kerberos, libcurl, libgcrypt, libjpeg,
+libnss, libtiff, node, openssl, png, sqlite, systemd, xerces, xml2, zlib
+`
 
 For a quick overview of usage and how it works, you can also see [the readme file](README.md).
 
 
 Table of Contents
 -----------------
-- [CVE checker for binary code User Manual](#cve-checker-for-binary-code-user-manual)
-  - [Table of Contents](#table-of-contents)
-  - [How it works](#how-it-works)
-  - [Installing](#installing)
-  - [Fixing Known Issues / What should I do if it finds something?](#fixing-known-issues--what-should-i-do-if-it-finds-something)
-  - [Limitations](#limitations)
-  - [Output Samples](#output-samples)
-    - [Default Mode](#default-mode)
-    - [Verbose Mode](#verbose-mode)
-    - [Quiet Mode](#quiet-mode)
-  - [Feedback & Contributions](#feedback--contributions)
-  - [Security Issues](#security-issues)
+- [CVE checker for binary code User Manual](#CVE-checker-for-binary-code-User-Manual)
+  - [Table of Contents](#Table-of-Contents)
+  - [How it works](#How-it-works)
+  - [Installing](#Installing)
+  - [Fixing Known Issues / What should I do if it finds something?](#Fixing-Known-Issues--What-should-I-do-if-it-finds-something)
+  - [Limitations](#Limitations)
+  - [Options:](#Options)
+    - [-x, --extract](#x---extract)
+    - [-s SKIPS, --skips SKIPS](#s-SKIPS---skips-SKIPS)
+    - [-m, --multithread enable multithread](#m---multithread-enable-multithread)
+    - [-u {now,daily,never}, --update {now,daily,never}](#u-nowdailynever---update-nowdailynever)
+  - [Output modes](#Output-modes)
+      - [Default Mode](#Default-Mode)
+    - [Verbose Mode](#Verbose-Mode)
+    - [Quiet Mode](#Quiet-Mode)
+    - [Logging modes](#Logging-modes)
+  - [Feedback & Contributions](#Feedback--Contributions)
+  - [Security Issues](#Security-Issues)
 
 How it works
 ------------
@@ -86,6 +105,12 @@ on GNU/Linux systems but you may need to install.
 - ar
 - cabextract
 
+On Windows, it requires
+- Extract 
+- ar
+- 7zip
+  
+
 Fixing Known Issues / What should I do if it finds something?
 -------------------------------------------------------------
 
@@ -102,24 +127,37 @@ even though it may now be safely mitigated and the result a false positive.
 Limitations
 -----------
 
-When running this script, Python 3 is preferred over Python 2.7. This tool
-was developed for Linux and expects a number of common Linux utilities.  It
-can be run on Windows using cygwin or other option to ensure these utilities
-are installed.
+When running this script, Python 3 is preferred over Python 2.7, as python 2.7 support will be ending soon. Linux and Windows are supported, as is usage within cygwin on windows.
 
 This tool does not scan for all possible known public vulnerabilities, it only
 scans for specific commonly vulnerable open source components.   A complete
 list of currently supported library checkers can be found in [the checkers 
 directory](https://github.com/intel/cve-bin-tool/tree/master/checkers).
 
 As the name implies, this tool is intended for use with binaries.  If you have
-access to a known list of package names and versions, you may wish to use
-another tool such as the [CVE check tool
-here](https://github.com/ikeydoherty/cve-check-tool) which covers a larger
-database of known public issues.
+access to a known list of package names and versions, we do have a helper tool called [CSV2CVE](https://github.com/intel/cve-bin-tool/blob/master/CSV2CVE.md) that can be used to look up known vulnerabilities given a comma-delimited file.  See the [documentation for CSV2CVE for more details](https://github.com/intel/cve-bin-tool/blob/master/CSV2CVE.md).
+
+Options:
+--------
+
+### -x, --extract
+
+This option allows the CVE Binary Tool to extract compressed files into a temporary directory so the contents can be scanned.  If the quiet flag is not used, the list of extracted files will be printed.
+
+### -s SKIPS, --skips SKIPS
+
+This option allows one to skip (disable) a comma-separated list of checkers.  This can be useful for improving the performance of the tool when you have some prior knowledge about what checkers may apply to the binary you are scanning.  
+
+###   -m, --multithread     enable multithread
+
+This options allows one to enable multithread mode, so that the scanner can run in parallel on many files at once. This can be used to improve performance, particularly if you are scanning a large directory or a compressed file with many files in it.
+
+### -u {now,daily,never}, --update {now,daily,never}
 
-Output Samples
---------------
+This option controls the frequency of updates for the CVE data from the National Vulnerability Database.  By default, the tool checks the staleness of the data with every run, and if the data is more than one day old, it gets an update from NVD.  You may also choose to update the data `now` (in which case all cached data is deleted and a full new download is done) or `never` in which case the staleness check is not done and no update is requested.  The `now` and `never` modes can be combined to produce alternative update schedules if daily is not the desired one.
+
+Output modes
+------------
 
 The tool has several different output modes, from most information to least as follows:
 
@@ -129,122 +167,102 @@ The tool has several different output modes, from most information to least as f
 
 Although the examples in this section show results for a single library to make them shorter and easier to read, the tool was designed to be run on entire directories and will scan all files in a directory if one is supplied.
 
-### Default Mode
+#### Default Mode
 
 The default mode for the cve-bin-tool prints only a final summary of results,
 without CVE descriptions or information while the scan is progressing. It
 outputs a CSV with the results to stdout. In the form of `package name, version,
-CVE number, CVE severity`. Below is an example of it being run on curl:
+CVE number, CVE severity`. Below is an example of it being run on our expat test file:
 
 ```
-terri@sandia:~/Code/cve-bin-tool$ cve-bin-tool /usr/bin/curl
-Connecting to NVD database and extracting the CVE list ... Please hold on.. This
-will take few minutes...
-Last Update: 2019-01-18
+(venv3.6) terri@sandia:~/Code/cve-bin-tool$ python -m cve_bin_tool.cli test/binaries/test-expat-2.0.1.out 
+Updating CVE data. This will take a few minutes.
+Last Update: 2019-08-09
 Local database has been updated in the past 24h.
-New data not downloaded.  Remove old files to force the update.
+New data not downloaded.  Use "-u now" to force an update
 
-Overall CVE summary:
+Overall CVE summary: 
 There are 1 files with known CVEs detected
-Known CVEs in curl 7.58.0:
-curl,7.58.0,CVE-2018-0500,CRITICAL
-curl,7.58.0,CVE-2018-1000120,CRITICAL
-curl,7.58.0,CVE-2018-1000121,HIGH
-curl,7.58.0,CVE-2018-1000122,CRITICAL
-curl,7.58.0,CVE-2018-1000300,CRITICAL
-curl,7.58.0,CVE-2018-1000301,CRITICAL
-curl,7.58.0,CVE-2018-16839,CRITICAL
-curl,7.58.0,CVE-2018-16842,CRITICAL
+Known CVEs in expat 2.0.1:
+expat,2.0.1,CVE-2012-6702,MEDIUM
+expat,2.0.1,CVE-2016-0718,CRITICAL
+expat,2.0.1,CVE-2016-5300,HIGH
+expat,2.0.1,CVE-2018-20843,HIGH
+expat,2.0.1,CVE-2012-0876,MEDIUM
+expat,2.0.1,CVE-2012-1147,MEDIUM
+expat,2.0.1,CVE-2012-1148,MEDIUM
+expat,2.0.1,CVE-2013-0340,MEDIUM
 ```
 
 This mode is meant to give the user enough information that they can
-investigate further, but it omits the severity information so that the tool can
-run more quickly without the additional database lookups.
+investigate further.
 
 ### Verbose Mode
 The verbose mode is another human-friendly mode.  Unlike default mode, it
 prints results per file as they're found, as well as printing the final
-summary, so you can see its progress as it traverses directories.  It also
-provides detailed descriptions of the CVEs found including severity so that
-users can make educated decisions about the risks of a given out-of-date
-library.
-
-> `1/18/2019` Verbose mode currently omits CVE descriptions
-
-Sample output on openssl1.0.2.g:
+summary, so you can see its progress as it traverses directories.  
 
+Sample output on a directory containing vulnerable curl and sqlite rpms:
 ```
-terri@sandia:~/Code/cve-bin-tool$ cve-bin-tool -v /usr/bin/openssl 
-/usr/bin/openssl contains openssl 1.0.2g
-Known CVEs in version 1.0.2g
-CVE-2017-3731 CVE-2017-3732 CVE-2016-7055 CVE-2016-7052 CVE-2016-6304 CVE-2016-2183 CVE-2016-6303 CVE-2016-6302 CVE-2016-2182 CVE-2016-2180 CVE-2016-2177 CVE-2016-2178 CVE-2016-2179 CVE-2016-2181 CVE-2016-6306 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109 CVE-2016-2176  
-CVE-2016-2105 (7.5-H)
-        Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.
-CVE-2016-2106 (7.5-H)
-        Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data.
-CVE-2016-2107 (5.9-M)
-        The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session, NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.
-CVE-2016-2109 (7.5-H)
-        The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding.
-CVE-2016-2176 (8.2-H)
-        The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.
-CVE-2016-2177 (5.9-M)
-        OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact by leveraging unexpected malloc behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c.
-CVE-2016-2178 (5.5-M)
-        The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack.
-CVE-2016-2179 (7.5-H)
-        The DTLS implementation in OpenSSL before 1.1.0 does not properly restrict the lifetime of queue entries associated with unused out-of-order messages, which allows remote attackers to cause a denial of service (memory consumption) by maintaining many crafted DTLS sessions simultaneously, related to d1_lib.c, statem_dtls.c, statem_lib.c, and statem_srvr.c.
-CVE-2016-2180 (7.5-H)
-        The TS_OBJ_print_bio function in crypto/ts/ts_lib.c in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation in OpenSSL through 1.0.2h allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted time-stamp file that is mishandled by the "openssl ts" command.
-CVE-2016-2181 (7.5-H)
-        The Anti-Replay feature in the DTLS implementation in OpenSSL before 1.1.0 mishandles early use of a new epoch number in conjunction with a large sequence number, which allows remote attackers to cause a denial of service (false-positive packet drops) via spoofed DTLS records, related to rec_layer_d1.c and ssl3_record.c.
-CVE-2016-2182 (9.8-C)
-        The BN_bn2dec function in crypto/bn/bn_print.c in OpenSSL before 1.1.0 does not properly validate division results, which allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.
-CVE-2016-2183 (5.3-M)
-        The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.
-CVE-2016-6302 (7.5-H)
-        The tls_decrypt_ticket function in ssl/t1_lib.c in OpenSSL before 1.1.0 does not consider the HMAC size during validation of the ticket length, which allows remote attackers to cause a denial of service via a ticket that is too short.
-CVE-2016-6303 (9.8-C)
-        Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.
-CVE-2016-6304 (7.5-H)
-        Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions.
-CVE-2016-6306 (5.9-M)
-        The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c.
-CVE-2016-7052 (7.5-H)
-        crypto/x509/x509_vfy.c in OpenSSL 1.0.2i allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by triggering a CRL operation.
-CVE-2016-7055 (Error)
-
-CVE-2017-3731 (Error)
-
-CVE-2017-3732 (Error)
-
+(venv3.6) terri@sandia:~/Code/cve-bin-tool$ python -m cve_bin_tool.cli -v -x ~/output_test_verbose/
+Updating CVE data. This will take a few minutes.
+Last Update: 2019-08-09
+Local database has been updated in the past 24h.
+New data not downloaded.  Use "-u now" to force an update
+Checkers: curl, expat, icu, kerberos, libcurl, libgcrypt, libjpeg, libnss, libtiff, node, openssl, png, sqlite, systemd, xerces, xml2, zlib
+./usr/bin/sqlite3
+./usr/lib/libsqlite3.so.0
+./usr/lib/libsqlite3.so.0.8.6
+./usr/share/doc/sqlite-3.1.2
+./usr/share/doc/sqlite-3.1.2/README
+./usr/share/man/man1/sqlite3.1.gz
+780 blocks
+/tmp/cve-bin-tool-2qyr5nh7/sqlite-3.1.2-2.99_2.el4.at.i386.rpm.extracted/usr/lib/libsqlite3.so.0.8.6 is sqlite 3.1.2
+Known CVEs in version 3.1.2
+CVE-2018-20346, CVE-2018-20506
+/tmp/cve-bin-tool-2qyr5nh7/sqlite-3.1.2-2.99_2.el4.at.i386.rpm.extracted/usr/bin/sqlite3 is sqlite 3.UNKNOWN
+./usr/bin/curl
+./usr/share/doc/curl
+./usr/share/doc/curl/BUGS
+./usr/share/doc/curl/CHANGES
+./usr/share/doc/curl/COPYING
+./usr/share/doc/curl/FAQ
+./usr/share/doc/curl/FEATURES
+./usr/share/doc/curl/MANUAL
+./usr/share/doc/curl/README
+./usr/share/doc/curl/RESOURCES
+./usr/share/doc/curl/TODO
+./usr/share/doc/curl/TheArtOfHttpScripting
+./usr/share/man/man1/curl.1.gz
+1092 blocks
+/tmp/cve-bin-tool-2qyr5nh7/curl-7.32.0-3.fc20.x86_64.rpm.extracted/usr/bin/curl is curl 7.32.0
+Known CVEs in version 7.32.0
+CVE-2018-1000007, CVE-2014-8150, CVE-2017-7407, CVE-2016-9586, CVE-2016-8615, CVE-2016-8617, CVE-2016-8618, CVE-2016-8624, CVE-2016-5419, CVE-2016-5420, CVE-2015-3153, CVE-2014-3613, CVE-2014-0139, CVE-2016-8619, CVE-2017-1000254, CVE-2016-8616, CVE-2015-3148, CVE-2015-3143, CVE-2014-0015, CVE-2016-8623, CVE-2016-0755, CVE-2014-0138, CVE-2016-7167, CVE-2016-4802, CVE-2016-8625, CVE-2016-8621, CVE-2018-1000120, CVE-2018-16842, CVE-2017-1000100, CVE-2018-14618, CVE-2014-3707, CVE-2013-4545, CVE-2019-5436, CVE-2016-7141, CVE-2018-1000301, CVE-2018-1000122, CVE-2017-1000257, CVE-2016-0754, CVE-2018-1000121, CVE-2017-8817, CVE-2016-3739, CVE-2013-6422, CVE-2016-8622, CVE-2014-2522, CVE-2014-1263, CVE-2016-9952, CVE-2016-9953, CVE-2015-3145, CVE-2014-8151, CVE-2014-3620, CVE-2016-5421
 
 Overall CVE summary: 
-There are 1 files with known CVEs detected
-Known cves in  ['openssl1.0.2g'] :
-['CVE-2016-2105', 'CVE-2016-2106', 'CVE-2016-2107', 'CVE-2016-2109', 'CVE-2016-2176', 'CVE-2016-2177', 'CVE-2016-2178', 'CVE-2016-2179', 'CVE-2016-2180', 'CVE-2016-2181', 'CVE-2016-2182', 'CVE-2016-2183', 'CVE-2016-6302', 'CVE-2016-6303', 'CVE-2016-6304', 'CVE-2016-6306', 'CVE-2016-7052', 'CVE-2016-7055', 'CVE-2017-3731', 'CVE-2017-3732']
+There are 2 files with known CVEs detected
+Known CVEs in sqlite 3.1.2, sqlite 3.UNKNOWN, curl 7.32.0:
+sqlite,3.1.2,CVE-2018-20346,HIGH
+sqlite,3.1.2,CVE-2018-20506,HIGH
+... (Curl results omitted to save space)
 ```
 
-Note that the ones listed as "Error" are new items where the database has not yet been updated with vulnerability information.  This information could easily be found by searching for the CVE numbers using a regular search engine or through a CVE website such as http://cvedetails.com
-
-Also, please note that the severities shown are the ones from the public CVE
-databases.  The actual severity for a given product may be different based on
-what parts of the library are used and what other mitigating factors may be in
-effect.
-
-
 ### Quiet Mode
 
 As the name implies, quiet mode has no console output, and one must check the
-return code to see if any issues were found.
+return code to see if any issues were found.  The return value will be the number of files that have been found to have CVEs
 
 Below is what it returns on bash when one file is found to have CVEs:
 ```
-terri@sandia:~/Code/cve-bin-tool$ cve-bin-tool -q /usr/bin/openssl 
+terri@sandia:~/Code/cve-bin-tool$ cve-bin-tool -q ~/output_test_quiet/openssl 
 terri@sandia:~/Code/cve-bin-tool$ echo $?
 1
 ```
 
+### Logging modes
+
+The logging modes provide additional fine-grained control for debug information.
+
 Feedback & Contributions
 ------------------------