feat: checker version "do not match" patterns (#2777)

metabiswadeep · terriko · web-flow · commit 6cfdc43f1e71 · 2023-05-10T11:16:32.000-07:00
* Fixes #2700 Add IGNORE_PATTERNS to check against false version patterns. This allows you to explicitly avoid false positives against things like specific error messages that mention version numbers. --------- Co-authored-by: Terri Oda <terri.oda@intel.com>
diff --git a/cve_bin_tool/checkers/README.md b/cve_bin_tool/checkers/README.md
@@ -35,14 +35,15 @@ from cve_bin_tool.checkers import Checker
 class CurlChecker(Checker):
 ```
 
-Every checker must contain following 4 class attributes specific to product(ex: curl)
+Every checker may contain following 5 class attributes specific to product(ex: curl)
 you are making checker for:
 
 1. CONTAINS_PATTERNS - list of commonly found strings in the binary of the product
 2. FILENAME_PATTERNS - list of different filename for the product
 3. VERSION_PATTERNS - list of version patterns found in binary of the product.
 4. VENDOR_PRODUCT - list of vendor product pairs for the product as they appear in
 NVD.
+5. IGNORE_PATTERNS (optional) - list of patterns that could cause false positives (e.g. error messages that mention specific product/versions)
 
 `CONTAINS_PATTERN`, `FILENAME_PATTERNS` and `VERSION_PATTERNS` supports regex to cover
 wide range of use cases.
diff --git a/cve_bin_tool/checkers/__init__.py b/cve_bin_tool/checkers/__init__.py
@@ -328,6 +328,10 @@ def __new__(cls, name, bases, props):
                     raise InvalidCheckerError(
                         f"Checker {name} has a VENDOR_PRODUCT string that is not lowercase"
                     )
+        if cls.IGNORE_PATTERNS is None:
+            cls.IGNORE_PATTERNS = []
+        else:
+            cls.IGNORE_PATTERNS = list(map(re.compile, cls.IGNORE_PATTERNS))
         # Compile regex
         cls.CONTAINS_PATTERNS = list(map(re.compile, cls.CONTAINS_PATTERNS))
         cls.VERSION_PATTERNS = list(map(re.compile, cls.VERSION_PATTERNS))
@@ -342,6 +346,7 @@ class Checker(metaclass=CheckerMetaClass):
     VERSION_PATTERNS: list[str] = []
     FILENAME_PATTERNS: list[str] = []
     VENDOR_PRODUCT: list[tuple[str, str]] = []
+    IGNORE_PATTERNS: list[str] = []
 
     def guess_contains(self, lines):
         if any(pattern.search(lines) for pattern in self.CONTAINS_PATTERNS):
@@ -358,6 +363,8 @@ def get_version(self, lines, filename):
             version_info["is_or_contains"] = "contains"
 
         if "is_or_contains" in version_info:
-            version_info["version"] = regex_find(lines, self.VERSION_PATTERNS)
+            version_info["version"] = regex_find(
+                lines, self.VERSION_PATTERNS, self.IGNORE_PATTERNS
+            )
 
         return version_info
diff --git a/cve_bin_tool/util.py b/cve_bin_tool/util.py
@@ -93,14 +93,19 @@ def __missing__(self, key: str) -> list[CVE] | set[str]:
         return self[key]
 
 
-def regex_find(lines: str, version_patterns: list[Pattern[str]]) -> str:
+def regex_find(
+    lines: str, version_patterns: list[Pattern[str]], ignore: list[Pattern[str]]
+) -> str:
     """Search a set of lines to find a match for the given regex"""
     new_guess = ""
 
     for pattern in version_patterns:
         match = pattern.search(lines)
         if match:
             new_guess = match.group(1).strip()
+            for i in ignore:
+                if str(i) in str(new_guess) or str(new_guess) in str(i):
+                    new_guess = ""
             break
     if new_guess != "":
         new_guess = new_guess.replace("_", ".")
diff --git a/test/test_checkers.py b/test/test_checkers.py
@@ -1,6 +1,8 @@
 # Copyright (C) 2021 Intel Corporation
 # SPDX-License-Identifier: GPL-3.0-or-later
 
+from __future__ import annotations
+
 import re
 import sys
 
@@ -25,11 +27,13 @@ class MyChecker(Checker):
             VERSION_PATTERNS = [r"for"]
             FILENAME_PATTERNS = [r"myproduct"]
             VENDOR_PRODUCT = [("myvendor", "myproduct")]
+            IGNORE_PATTERNS = [r"ignore"]
 
         assert type(MyChecker.CONTAINS_PATTERNS[0]) == Pattern
         assert type(MyChecker.VERSION_PATTERNS[0]) == Pattern
         assert type(MyChecker.FILENAME_PATTERNS[0]) == Pattern
         assert type(MyChecker.VENDOR_PRODUCT[0]) == VendorProductPair
+        assert type(MyChecker.IGNORE_PATTERNS[0]) == Pattern
 
     def test_no_vpkg(self):
         with pytest.raises(AssertionError) as e:
@@ -39,6 +43,7 @@ class MyChecker(Checker):
                 VERSION_PATTERNS = [r"for"]
                 FILENAME_PATTERNS = [r"myproduct"]
                 PRODUCT_NAME = "mychecker"
+                IGNORE_PATTERNS = [r"ignore"]
 
         assert e.value.args[0] == "MyChecker needs at least one vendor product pair"
 
@@ -139,3 +144,20 @@ def test_filename_is(self, checker_name, file_name, expected_results):
 
                 for result, expected_result in zip(results, expected_results):
                     assert result["is_or_contains"] == "is"
+
+    class MyFakeChecker(Checker):
+        CONTAINS_PATTERNS: list[str] = []
+        FILENAME_PATTERNS: list[str] = [r"checker"]
+        VERSION_PATTERNS = [r"mychecker-([0-9].[0-9]+)"]
+        VENDOR_PRODUCT = [("my", "checker")]
+        IGNORE_PATTERNS = [r"mychecker-5.6"]
+
+    string = "Some other lines. \n Ignore this version pattern mychecker-5.6. \n Consider this version pattern mychecker-5.8. \n Some more lines."
+    lines = string.split("\n")
+    checker = MyFakeChecker()
+
+    result1 = checker.get_version(lines[1], "")
+    assert result1["version"] == "UNKNOWN"
+
+    result2 = checker.get_version(lines[2], "")
+    assert result2["version"] == "5.8"
