Commit af159c8

fix: Remove reportlab from default install (#1626)
* fixes #1459 * fix: Remove reportlab from default install * docs: Provide info on how to install cve-bin-tool[PDF]
1 parent 09ad0cc commit af159c8

File tree

8 files changed

+280
-193
lines changed

.github/actions/spelling/allow.txt

Lines changed: 2 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -260,6 +260,7 @@ pacman
260260
palletsprojects
261261
pcsc
262262
pdf
263+
PDFs
263264
pdftotext
264265
pdxjohnny
265266
peb
@@ -296,6 +297,7 @@ realpython
296297
rebasing
297298
refactoring
298299
regex
300+
reportlab
299301
Romi
300302
rossburton
301303
rpmfile
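Review bot: the `reportlab` entry added at `300+` only covers the one-word spelling; the README text in this same commit also writes the library as two words ("it and report lab will be installed"), and the spelling check will pass "report" and "lab" as ordinary dictionary words, so this allow-list entry will not catch that typo. Fix that README sentence to read `reportlab` rather than relying on the allow list.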

README.md

Lines changed: 32 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -98,6 +98,38 @@ Vulnerability Exchange (VEX) format by specifying `--vex` command line option.
9898
The generated VEX file can then be used as an `--input-file` to support
9999
a triage process.
100100

101+
If you wish to use PDF support, you will need to install the `reportlab`
102+
library separately.
103+
104+
If you intend to use PDF support when you install cve-bin-tool you can specify it and report lab will be installed as part of the cve-bin-tool install:
105+
```console
106+
pip install cve-bin-tool[PDF]
107+
```
108+
109+
If you've already installed cve-bin-tool you can add reportlab after the fact
110+
using pip:
111+
112+
```console
113+
pip install --upgrade reportlab
114+
```
115+
116+
Note that reportlab was taken out of the default cve-bin-tool install because
117+
it has a known CVE associated with it
118+
([CVE-2020-28463](https://nvd.nist.gov/vuln/detail/CVE-2020-28463)). The
119+
cve-bin-tool code uses the recommended mitigations to limit which resources
120+
added to PDFs, as well as additional input validation. This is a bit of a
121+
strange CVE because it describes core functionality of PDFs: external items,
122+
such as images, can be embedded in them, and thus anyone viewing a PDF could
123+
load an external image (similar to how viewing a web page can trigger external
124+
loads). There's no inherent "fix" for that, only mitigations where users of
125+
the library must ensure only expected items are added to PDFs at the time of
126+
generation.
127+
128+
Since users may not want to have software installed with an open, unfixable CVE
129+
associated with it, we've opted to make PDF support only available to users who
130+
have installed the library themselves. Once the library is installed, the PDF
131+
report option will function.
132+
101133
## Full option list
102134

103135
Usage:
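Review bot: the mitigation claim in the new paragraph ("The cve-bin-tool code uses the recommended mitigations to limit which resources added to PDFs, as well as additional input validation") is missing its verb and names no mechanism, so a reader auditing exposure to CVE-2020-28463 cannot tell what is actually enforced; suggest "to limit which resources can be added to PDFs" plus a pointer to where in the report code the resource restriction and the input validation are applied. Two smaller documentation points in the same hunk: `pip install cve-bin-tool[PDF]` is expanded as a glob pattern by zsh and fails there, so quote it as `pip install 'cve-bin-tool[PDF]'`; and "report lab will be installed" should read `reportlab`.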
