Add basic json output #418

Merged
merged 6 commits into from
Mar 3, 2020

mariuszskon
Contributor

Currently, CVE Binary Tool only outputs results in CSV format. It might be good to allow a wider range of uses by implementing alternative output formats such as JSON.

This pull request implements very naive JSON output:

$ python -m cve_bin_tool.cli -f json test/binaries/test-expat-2.0.1.out 
cve_bin_tool.CVEDB - INFO - Using cached CVE data (<24h old). Use -u now to update immediately.
cve_bin_tool.Scanner - INFO - Checkers: bluez, curl, expat, ffmpeg, gnutls, icu, kerberos, libcurl, libdb, libgcrypt, libjpeg, libnss, libtiff, node, openssh, openssl, png, python, sqlite, systemd, xerces, xml2, zlib
cve_bin_tool - INFO - None
cve_bin_tool.Scanner - INFO - test/binaries/test-expat-2.0.1.out contains expat 2.0.1
cve_bin_tool.Scanner - INFO - Known CVEs in version 2.0.1
cve_bin_tool.Scanner - INFO - CVE-2012-0876, CVE-2012-1147, CVE-2012-1148, CVE-2012-6702, CVE-2013-0340, CVE-2015-1283, CVE-2016-0718, CVE-2016-4472, CVE-2016-5300, CVE-2018-20843, CVE-2017-9233, CVE-2019-15903
cve_bin_tool - INFO - 
cve_bin_tool - INFO - Overall CVE summary: 
cve_bin_tool - INFO - There are 1 files with known CVEs detected
cve_bin_tool - INFO - Known CVEs in ('expat', '2.0.1'):
{"expat": {"2.0.1": {"CVE-2012-0876": "MEDIUM", "CVE-2012-1147": "MEDIUM", "CVE-2012-1148": "MEDIUM", "CVE-2012-6702": "MEDIUM", "CVE-2013-0340": "MEDIUM", "CVE-2015-1283": "MEDIUM", "CVE-2016-0718": "CRITICAL", "CVE-2016-4472": "HIGH", "CVE-2016-5300": "HIGH", "CVE-2018-20843": "HIGH", "CVE-2017-9233": "HIGH", "CVE-2019-15903": "HIGH"}}}

Immediately obvious to me is that the JSON is not structured intuitively. I would suggest further changes like not having the key be the CVE and value be the severity, but rather have each version contain a list of objects structured like this:

{"cve": "CVE-2012-0876", "severity": "MEDIUM"}

This might be better implemented by modifying the code relating to scanner.all_cves rather than working around the problem in the JSON formatter. This would mean adding other similar formats, like XML, would be very nice and easy.

Another question is whether this should be considered an "output mode" in the command line arguments. Based on the manual, it seems that "output mode" only deals with the verbosity of the output, but then again, this is the first non-CSV format 😃

Anyway, thanks in advance for reviewing this.

@terriko
Contributor

terriko commented Feb 28, 2020

I'm pretty sure I'm going to merge #410 soon, so maybe we could make this fit with the framework that's started there?

Contributor

@terriko terriko left a comment

Merging #410 has made this patch no longer mergeable. I think the idea is sound, but you'll need to put the json output code into the new OutputEngine.py before this can be merged.

@mariuszskon
Contributor Author

I have updated my branch to ensure it is compatible with the latest improvements in #410

I also took the opportunity to format the JSON in my preferred style, let me know what you think:

{"zlib": {"1.2.8": [{"cve": "CVE-2016-9840", "severity": "HIGH"}, {"cve": "CVE-2016-9841", "severity": "CRITICAL"}, {"cve": "CVE-2016-9842", "severity": "HIGH"}, {"cve": "CVE-2016-9843", "severity": "CRITICAL"}]}}

@mariuszskon mariuszskon requested a review from terriko February 29, 2020 05:51
@johnandersen777

@mariuszskon Could you please include a test for this? For example, run the checker in each output mode, and ensure the output can be loaded successfully by either json.load(s) or csv reader?
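
The two JSON layouts discussed in this thread, together with the kind of load check requested above, as an added example that is not part of the pull request or of cve-bin-tool's code. `restructure`, `load_report` and `filter_by_severity` are hypothetical names, and the sample is a constructed subset of the expat output quoted earlier.

```python
import json

# Constructed sample in the first layout shown in this thread:
# product -> version -> {CVE id: severity}
FLAT_SAMPLE = (
    '{"expat": {"2.0.1": {"CVE-2012-0876": "MEDIUM", '
    '"CVE-2016-0718": "CRITICAL"}}}'
)


def restructure(flat):
    """Convert {product: {version: {cve: severity}}} into
    {product: {version: [{"cve": ..., "severity": ...}, ...]}}."""
    return {
        product: {
            version: [{"cve": cve, "severity": sev} for cve, sev in cves.items()]
            for version, cves in versions.items()
        }
        for product, versions in flat.items()
    }


def load_report(text):
    """Parse list-style output and reject any unexpected shape."""
    report = json.loads(text)  # malformed JSON raises a ValueError subclass
    if not isinstance(report, dict):
        raise ValueError("top level must be an object keyed by product")
    for product, versions in report.items():
        if not isinstance(versions, dict):
            raise ValueError(f"{product}: expected an object keyed by version")
        for version, entries in versions.items():
            if not isinstance(entries, list):
                raise ValueError(f"{product} {version}: expected a list")
            for entry in entries:
                if not isinstance(entry, dict) or set(entry) != {"cve", "severity"}:
                    raise ValueError(f"{product} {version}: bad entry {entry!r}")
    return report


def filter_by_severity(report, levels=("HIGH", "CRITICAL")):
    """Flatten a validated report to (product, version, cve) tuples."""
    return [
        (product, version, entry["cve"])
        for product, versions in report.items()
        for version, entries in versions.items()
        for entry in entries
        if entry["severity"] in levels
    ]
```

Feeding the older key/value layout to `load_report` raises `ValueError`, which is how a consumer or a test would notice a change of output format.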

@mariuszskon
Contributor Author

@pdxjohnny That's a great idea.
In the spirit of keeping this PR on topic, I will add JSON tests here when I can, and then open a separate PR for CSVs.

@mariuszskon
Contributor Author

Hi @pdxjohnny, I have added the tests.

def formatted_modules(self):
""" Returns self.modules converted into form
formatted_output[modulesname][version] = {
"cve": cve_number,
Contributor

I can't decide if this should be cve_number (rather than cve) for consistency, since we use cve_number just about anywhere we refer to a single number (as opposed to a list of cves). I think rather than hold up a review for this I'm going to just merge, but we might have to revisit when we see what the dffml team decides they actually want out of the json output and whether the difference matters to them. @pdxjohnny if you have an opinion now, maybe we could open an issue to discuss what "ideal" json output will look like?

class TestOutputEngine(unittest.TestCase):
""" Test the OutputEngine class functions """

MOCK_MODULES = {
Contributor

Hurrah for mock tests!

@terriko terriko merged commit 10c585f into intel:master Mar 3, 2020
@mariuszskon
Contributor Author

Thanks for your guidance @terriko and @pdxjohnny! Glad I could help out.

This was referenced Mar 5, 2020