
Fix multiple instances issue #5012

Open
wants to merge 6 commits into
base: main
118 changes: 60 additions & 58 deletions README.md
Expand Up @@ -17,6 +17,7 @@ CVE Binary Tool uses the NVD API but is not endorsed or certified by the NVD.
The tool has two main modes of operation:

1. A binary scanner which helps you determine which packages may have been included as part of a piece of software. There are <!-- NUMBER OF CHECKERS START-->408<!--NUMBER OF CHECKERS END--> checkers. Our initial focus was on common, vulnerable open source components such as openssl, libpng, libxml2 and expat.
1. A binary scanner which helps you determine which packages may have been included as part of a piece of software. There are <!-- NUMBER OF CHECKERS START-->407<!--NUMBER OF CHECKERS END--> checkers. Our initial focus was on common, vulnerable open source components such as openssl, libpng, libxml2 and expat.

2. Tools for scanning known component lists in various formats, including .csv, several linux distribution package lists, language specific package scanners and several Software Bill of Materials (SBOM) formats.
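
Review bot: The checker count in item 1 drops from 408 to 407, which has nothing to do with the `--update-only` flag this PR adds. The number sits between the `NUMBER OF CHECKERS START` and `NUMBER OF CHECKERS END` markers, so it looks generated; unless a checker is being removed on purpose, rebase on main and regenerate the value rather than committing the lower one.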

Expand Down Expand Up @@ -227,65 +228,66 @@ The following checkers are available for finding components in binary files:
<!--CHECKERS TABLE BEGIN-->
| | | | Available checkers | | | |
|--------------- |------------- |------------------ |---------------- |--------------- |----------------- |------------- |
|--------------- |------------- |------------------ |--------------- |----------------- |------------- |--------------- |
| accountsservice |acpid |apache_http_server |apcupsd |apparmor |apr |asn1c |
| assimp |asterisk |atftp |augeas |avahi |axel |bash |
| bind |binutils |bird |bison |bluez |boa |boinc |
| botan |bro |bubblewrap |busybox |bwm_ng |bzip2 |c_ares |
| cairo |capnproto |ceph |cflow |chess |chrony |civetweb |
| clamav |clang |collectd |commons_compress |connman |coreutils |cpio |
| cpp_httplib |cronie |cryptsetup |cups |cups_filters |curl |cvs |
| darkhttpd |dav1d |davfs2 |dbus |debianutils |dhclient |dhcpcd |
| dhcpd |djvulibre |dlt_daemon |dmidecode |dnsmasq |docker |domoticz |
| dosfstools |dotnet |dovecot |doxygen |dpkg |dropbear |e2fsprogs |
| ed |elfutils |emacs |enscript |exfatprogs |exim |exiv2 |
| f2fs_tools |faad2 |fastd |ffmpeg |file |firefox |firejail |
| flac |fluidsynth |freeradius |freerdp |fribidi |frr |fuse |
| gawk |gcc |gdal |gdb |gdk_pixbuf |gettext |ghostscript |
| gimp |git |glib |glibc |gmp |gnomeshell |gnupg |
| gnutls |go |gpgme |gpsd |graphicsmagick |grep |grub2 |
| gsasl |gstreamer |guile |gupnp |gvfs |gzip |haproxy |
| harfbuzz |haserl |hdf5 |heimdal |hostapd |hunspell |hwloc |
| i2pd |icecast |icu |imagemagick |indent |inetutils |iperf3 |
| ipmitool |ipsec_tools |iptables |irssi |iucode_tool |iwd |jack2 |
| jacksondatabind |janus |jasper |jbig |jhead |jq |json_c |
| kbd |keepalived |kerberos |kexectools |kodi |kubernetes |ldns |
| lftp |libarchive |libass |libbpg |libcap |libcoap |libconfuse |
| libcurl |libdb |libde265 |libebml |libevent |libexpat |libgcrypt |
| libgd |libgit2 |libheif |libical |libidn2 |libinput |libjpeg |
| libjpeg_turbo |libksba |liblas |liblouis |libmatroska |libmemcached |libmicrohttpd |
| libmodbus |libnss |libopenmpt |libpcap |libraw |libreoffice |libreswan |
| librsvg |librsync |libsamplerate |libseccomp |libsndfile |libsolv |libsoup |
| libsrtp |libssh |libssh2 |libtasn1 |libtiff |libtomcrypt |libupnp |
| libuv |libvips |libvirt |libvncserver |libvorbis |libvpx |libxslt |
| libyaml |libyang |lighttpd |linux_kernel |linuxptp |lldpd |llvm |
| logrotate |lrzip |lua |luajit |lxc |lynx |lz4 |
| lzo2 |mailx |mariadb |mbedtls |mdadm |memcached |micropython |
| minetest |mini_httpd |minicom |minidlna |miniupnpc |miniupnpd |moby |
| modsecurity |monit |mosquitto |motion |mp4v2 |mpg123 |mpv |
| msmtp |mtr |mupdf |mutt |mysql |nano |nasm |
| nbd |ncurses |neon |nessus |netatalk |netdata |netkit_ftp |
| netpbm |nettle |nghttp2 |nginx |ngircd |nmap |node |
| ntfs_3g |ntp |ntpsec |oath_toolkit |ofono |open_iscsi |open_vm_tools |
| openafs |openblas |opencv |openjpeg |openldap |opensc |openssh |
| openssl |openswan |openvpn |openvswitch |orc |p7zip |pango |
| patch |pcre |pcre2 |pcsc_lite |perl |php |picocom |
| pigz |pixman |pjsip |png |polarssl_fedora |poppler |postgresql |
| ppp |privoxy |procps_ng |proftpd |protobuf_c |pspp |pure_ftpd |
| putty |python |qemu |qpdf |qt |quagga |radare2 |
| radvd |raptor |rauc |rdesktop |readline |redis |rpm |
| rsync |rsyslog |rtl_433 |rtmpdump |ruby |runc |rust |
| samba |sane_backends |sasl |sdl |seahorse |shadowsocks_libev |snapd |
| sngrep |snort |socat |sofia_sip |speex |spice |sqlite |
| squashfs |squid |sslh |stellarium |strongswan |stunnel |subversion |
| sudo |suricata |sylpheed |syslogng |sysstat |systemd |tar |
| tbb |tcpdump |tcpreplay |terminology |tesseract |thrift |thttpd |
| thunderbird |timescaledb |tinyproxy |tor |toybox |tpm2_tss |traceroute |
| transmission |trousers |ttyd |twonky_server |u_boot |udisks |unbound |
| unixodbc |upx |util_linux |uwsgi |varnish |vim |vlc |
| vorbis_tools |vsftpd |wavpack |webkitgtk |wget |wireshark |wolfssl |
| wpa_supplicant |xerces |xml2 |xpdf |xscreensaver |xwayland |xz |
| yasm |zabbix |zbar |zchunk |zeek |zlib |znc |
| zsh |zstandard | | | | | |
| assimp |asterisk |atftp |avahi |axel |bash |bind |
| binutils |bird |bison |bluez |boa |boinc |botan |
| bro |bubblewrap |busybox |bwm_ng |bzip2 |c_ares |cairo |
| capnproto |ceph |cflow |chess |chrony |civetweb |clamav |
| clang |collectd |commons_compress |connman |coreutils |cpio |cpp_httplib |
| cronie |cryptsetup |cups |cups_filters |curl |cvs |darkhttpd |
| dav1d |davfs2 |dbus |debianutils |dhclient |dhcpcd |dhcpd |
| djvulibre |dlt_daemon |dmidecode |dnsmasq |docker |domoticz |dosfstools |
| dotnet |dovecot |doxygen |dpkg |dropbear |e2fsprogs |ed |
| elfutils |emacs |enscript |exfatprogs |exim |exiv2 |f2fs_tools |
| faad2 |fastd |ffmpeg |file |firefox |firejail |flac |
| fluidsynth |freeradius |freerdp |fribidi |frr |fuse |gawk |
| gcc |gdal |gdb |gdk_pixbuf |gettext |ghostscript |gimp |
| git |glib |glibc |gmp |gnomeshell |gnupg |gnutls |
| go |gpgme |gpsd |graphicsmagick |grep |grub2 |gsasl |
| gstreamer |guile |gupnp |gvfs |gzip |haproxy |harfbuzz |
| haserl |hdf5 |heimdal |hostapd |hunspell |hwloc |i2pd |
| icecast |icu |imagemagick |indent |inetutils |iperf3 |ipmitool |
| ipsec_tools |iptables |irssi |iucode_tool |iwd |jack2 |jacksondatabind |
| janus |jasper |jbig |jhead |jq |json_c |kbd |
| keepalived |kerberos |kexectools |kodi |kubernetes |ldns |lftp |
| libarchive |libass |libbpg |libcap |libcoap |libconfuse |libcurl |
| libdb |libde265 |libebml |libevent |libexpat |libgcrypt |libgd |
| libgit2 |libheif |libical |libidn2 |libinput |libjpeg |libjpeg_turbo |
| libksba |liblas |liblouis |libmatroska |libmemcached |libmicrohttpd |libmodbus |
| libnss |libopenmpt |libpcap |libraw |libreoffice |libreswan |librsvg |
| librsync |libsamplerate |libseccomp |libsndfile |libsolv |libsoup |libsrtp |
| libssh |libssh2 |libtasn1 |libtiff |libtomcrypt |libupnp |libuv |
| libvips |libvirt |libvncserver |libvorbis |libvpx |libxslt |libyaml |
| libyang |lighttpd |linux_kernel |linuxptp |lldpd |llvm |logrotate |
| lrzip |lua |luajit |lxc |lynx |lz4 |lzo2 |
| mailx |mariadb |mbedtls |mdadm |memcached |micropython |minetest |
| mini_httpd |minicom |minidlna |miniupnpc |miniupnpd |moby |modsecurity |
| monit |mosquitto |motion |mp4v2 |mpg123 |mpv |msmtp |
| mtr |mupdf |mutt |mysql |nano |nasm |nbd |
| ncurses |neon |nessus |netatalk |netdata |netkit_ftp |netpbm |
| nettle |nghttp2 |nginx |ngircd |nmap |node |ntfs_3g |
| ntp |ntpsec |oath_toolkit |ofono |open_iscsi |open_vm_tools |openafs |
| openblas |opencv |openjpeg |openldap |opensc |openssh |openssl |
| openswan |openvpn |openvswitch |orc |p7zip |pango |patch |
| pcre |pcre2 |pcsc_lite |perl |php |picocom |pigz |
| pixman |pjsip |png |polarssl_fedora |poppler |postgresql |ppp |
| privoxy |procps_ng |proftpd |protobuf_c |pspp |pure_ftpd |putty |
| python |qemu |qpdf |qt |quagga |radare2 |radvd |
| raptor |rauc |rdesktop |readline |redis |rpm |rsync |
| rsyslog |rtl_433 |rtmpdump |ruby |runc |rust |samba |
| sane_backends |sasl |sdl |seahorse |shadowsocks_libev |snapd |sngrep |
| snort |socat |sofia_sip |speex |spice |sqlite |squashfs |
| squid |sslh |stellarium |strongswan |stunnel |subversion |sudo |
| suricata |sylpheed |syslogng |sysstat |systemd |tar |tbb |
| tcpdump |tcpreplay |terminology |tesseract |thrift |thttpd |thunderbird |
| timescaledb |tinyproxy |tor |toybox |tpm2_tss |traceroute |transmission |
| trousers |ttyd |twonky_server |u_boot |udisks |unbound |unixodbc |
| upx |util_linux |uwsgi |varnish |vim |vlc |vorbis_tools |
| vsftpd |wavpack |webkitgtk |wget |wireshark |wolfssl |wpa_supplicant |
| xerces |xml2 |xpdf |xscreensaver |xwayland |xz |yasm |
| zabbix |zbar |zchunk |zeek |zlib |znc |zsh |
| zstandard | | | | | | |
<!--CHECKERS TABLE END-->

All the checkers can be found in the checkers directory, as can the
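
Review bot: `augeas` is present in the old second row (`atftp | augeas | avahi`) but missing from the new one (`atftp | avahi`), and every later row shifts by one cell, so this hunk silently removes a checker from the README list. None of the other files shown in this diff removes that checker, which suggests the table was regenerated on a stale branch; rebase and regenerate it, or drop the README table changes from this PR. The separator row was also rewritten with different column widths, which adds churn without changing the rendered table.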
29 changes: 28 additions & 1 deletion cve_bin_tool/cli.py
Expand Up @@ -486,6 +486,12 @@ def main(argv=None):
)

database_group = parser.add_argument_group("Database Management")
database_group.add_argument(
"--update-only",
action="store_true",
help="update the database without scanning any files or directories",
default=False,
)
database_group.add_argument(
"--import-json",
action="store",
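
Review bot: `default=False` on the new `--update-only` argument is redundant, because `action="store_true"` already defaults to False; drop it. The diff shown here touches only README.md, cli.py and two documentation files, so the new flag comes without a test; add one that runs `--update-only` with no scan target and checks the exit code.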
Expand Down Expand Up @@ -909,6 +915,11 @@ def main(argv=None):
)
return ERROR_CODES[CVEDBOutdatedSchema]

# If running in update-only mode, exit now
if args.get("update_only", False):
LOGGER.info("Database update completed. Exiting without scanning.")
return 0

# CVE Database validation
if not cvedb_orig.check_cve_entries():
with ErrorHandler(mode=error_mode, logger=LOGGER):
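
Review bot: The early `return 0` sits before the `cvedb_orig.check_cve_entries()` validation that follows it, so `--update-only` reports success even in cases where that check would have failed. Move the exit below the check, or run the check before returning, so that a scheduled updater can rely on a non-zero exit code to tell that the database is not fit for later scans.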
Expand Down Expand Up @@ -965,6 +976,22 @@ def main(argv=None):
"Use -F --filter only when you want to filter out intermediate reports on the basis of tag"
)

# Handle --update-only flag
if args.get("update_only", False):
LOGGER.info("Running in update-only mode")
# Force the update regardless of update setting
db_update = "now"
# Skip input validation
if (
not args["directory"]
and not args["input_file"]
and not args["package_list"]
and not args["merge"]
and not args["sbom_file"]
and not args["vex_file"]
):
args["directory"] = "" # Set a dummy value to pass validation

# Input validation
if (
not args["directory"]
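
Review bot: `args["directory"] = ""` cannot do what its comment says: an empty string is falsy, so the `not args["directory"]` test in the input validation directly below still evaluates to true. In addition, both hunks are in `main()` and this block is at line 976, after the `return 0` added at line 915, so with `--update-only` set it appears never to run and `db_update = "now"` is never applied. Set `db_update` where the update setting is resolved, before the database update runs, and skip input validation with an explicit `update_only` condition instead of a dummy directory value.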
Expand Down Expand Up @@ -1099,7 +1126,7 @@ def main(argv=None):
LOGGER.info(f"Number of checkers: {version_scanner.number_of_checkers()}")
version_scanner.print_checkers()
LOGGER.debug(
"If the checkers arent loading properly: https://cve-bin-tool.readthedocs.io/en/latest/CONTRIBUTING.html#help-my-checkers-aren-t-loading"
"If the checkers aren't loading properly: https://cve-bin-tool.readthedocs.io/en/latest/CONTRIBUTING.html#help-my-checkers-aren-t-loading"
)
LOGGER.info(
f"Number of language checkers: {version_scanner.number_of_language_checkers()}"
75 changes: 75 additions & 0 deletions doc/MANUAL.md
Expand Up @@ -74,6 +74,9 @@
- [Database Management](#database-management)
- [--export EXPORT](#--export-export)
- [--import IMPORT](#--import-import)
- [--update-only update the database without scanning any files or directories](#--update-only-update-the-database-without-scanning-any-files-or-directories)
- [--import-json IMPORT_JSON](#--import-json-import_json)
import database from json files chopped by years
- [Deprecated Arguments](#deprecated-arguments)
- [-x, --extract](#-x---extract)
- [--report](#--report)
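
Review bot: The line `import database from json files chopped by years` is added to the table of contents as bare text rather than a list entry, so it will show up as stray text under the `--import-json` link; remove it. The `--update-only` entry also uses the full help sentence as its title and anchor, unlike the neighbouring `--export EXPORT` and `--import IMPORT` entries; shorten it to `--update-only` together with the section heading it points to.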
Expand Down Expand Up @@ -216,6 +219,11 @@ which is useful if you're trying the latest code from
-r RUNS, --runs RUNS comma-separated list of checkers to enable

Database Management:
--export EXPORT
make a copy of the database
--import IMPORT
import a copy of the database
--update-only update the database without scanning any files or directories
--import-json IMPORT_JSON
import database from json files chopped by years
--ignore-sig do not verify PGP signature while importing json data
Expand Down Expand Up @@ -244,6 +252,7 @@ which is useful if you're trying the latest code from
<!--CHECKERS TABLE BEGIN-->
| | | | Available checkers | | | |
|--------------- |------------- |------------------ |---------------- |--------------- |----------------- |------------- |
|--------------- |------------- |------------------ |--------------- |----------------- |------------- |--------------- |
| accountsservice |acpid |apache_http_server |apcupsd |apparmor |apr |asn1c |
| assimp |asterisk |atftp |augeas |avahi |axel |bash |
| bind |binutils |bird |bison |bluez |boa |boinc |
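
Review bot: The file header reports 75 additions and 0 deletions for doc/MANUAL.md, so the new separator row is added below the existing one instead of replacing it. A Markdown table takes a single delimiter row, and the second one will render as a row of dashes; keep only one of the two.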
Expand Down Expand Up @@ -303,6 +312,64 @@ which is useful if you're trying the latest code from
| wpa_supplicant |xerces |xml2 |xpdf |xscreensaver |xwayland |xz |
| yasm |zabbix |zbar |zchunk |zeek |zlib |znc |
| zsh |zstandard | | | | | |
| assimp |asterisk |atftp |avahi |axel |bash |bind |
| binutils |bird |bison |bluez |boa |boinc |botan |
| bro |bubblewrap |busybox |bwm_ng |bzip2 |c_ares |cairo |
| capnproto |ceph |cflow |chess |chrony |civetweb |clamav |
| clang |collectd |commons_compress |connman |coreutils |cpio |cpp_httplib |
| cronie |cryptsetup |cups |cups_filters |curl |cvs |darkhttpd |
| dav1d |davfs2 |dbus |debianutils |dhclient |dhcpcd |dhcpd |
| djvulibre |dlt_daemon |dmidecode |dnsmasq |docker |domoticz |dosfstools |
| dotnet |dovecot |doxygen |dpkg |dropbear |e2fsprogs |ed |
| elfutils |emacs |enscript |exfatprogs |exim |exiv2 |f2fs_tools |
| faad2 |fastd |ffmpeg |file |firefox |firejail |flac |
| fluidsynth |freeradius |freerdp |fribidi |frr |fuse |gawk |
| gcc |gdal |gdb |gdk_pixbuf |gettext |ghostscript |gimp |
| git |glib |glibc |gmp |gnomeshell |gnupg |gnutls |
| go |gpgme |gpsd |graphicsmagick |grep |grub2 |gsasl |
| gstreamer |guile |gupnp |gvfs |gzip |haproxy |harfbuzz |
| haserl |hdf5 |heimdal |hostapd |hunspell |hwloc |i2pd |
| icecast |icu |imagemagick |indent |inetutils |iperf3 |ipmitool |
| ipsec_tools |iptables |irssi |iucode_tool |iwd |jack2 |jacksondatabind |
| janus |jasper |jbig |jhead |jq |json_c |kbd |
| keepalived |kerberos |kexectools |kodi |kubernetes |ldns |lftp |
| libarchive |libass |libbpg |libcap |libcoap |libconfuse |libcurl |
| libdb |libde265 |libebml |libevent |libexpat |libgcrypt |libgd |
| libgit2 |libheif |libical |libidn2 |libinput |libjpeg |libjpeg_turbo |
| libksba |liblas |liblouis |libmatroska |libmemcached |libmicrohttpd |libmodbus |
| libnss |libopenmpt |libpcap |libraw |libreoffice |libreswan |librsvg |
| librsync |libsamplerate |libseccomp |libsndfile |libsolv |libsoup |libsrtp |
| libssh |libssh2 |libtasn1 |libtiff |libtomcrypt |libupnp |libuv |
| libvips |libvirt |libvncserver |libvorbis |libvpx |libxslt |libyaml |
| libyang |lighttpd |linux_kernel |linuxptp |lldpd |llvm |logrotate |
| lrzip |lua |luajit |lxc |lynx |lz4 |lzo2 |
| mailx |mariadb |mbedtls |mdadm |memcached |micropython |minetest |
| mini_httpd |minicom |minidlna |miniupnpc |miniupnpd |moby |modsecurity |
| monit |mosquitto |motion |mp4v2 |mpg123 |mpv |msmtp |
| mtr |mupdf |mutt |mysql |nano |nasm |nbd |
| ncurses |neon |nessus |netatalk |netdata |netkit_ftp |netpbm |
| nettle |nghttp2 |nginx |ngircd |nmap |node |ntfs_3g |
| ntp |ntpsec |oath_toolkit |ofono |open_iscsi |open_vm_tools |openafs |
| openblas |opencv |openjpeg |openldap |opensc |openssh |openssl |
| openswan |openvpn |openvswitch |orc |p7zip |pango |patch |
| pcre |pcre2 |pcsc_lite |perl |php |picocom |pigz |
| pixman |pjsip |png |polarssl_fedora |poppler |postgresql |ppp |
| privoxy |procps_ng |proftpd |protobuf_c |pspp |pure_ftpd |putty |
| python |qemu |qpdf |qt |quagga |radare2 |radvd |
| raptor |rauc |rdesktop |readline |redis |rpm |rsync |
| rsyslog |rtl_433 |rtmpdump |ruby |runc |rust |samba |
| sane_backends |sasl |sdl |seahorse |shadowsocks_libev |snapd |sngrep |
| snort |socat |sofia_sip |speex |spice |sqlite |squashfs |
| squid |sslh |stellarium |strongswan |stunnel |subversion |sudo |
| suricata |sylpheed |syslogng |sysstat |systemd |tar |tbb |
| tcpdump |tcpreplay |terminology |tesseract |thrift |thttpd |thunderbird |
| timescaledb |tinyproxy |tor |toybox |tpm2_tss |traceroute |transmission |
| trousers |ttyd |twonky_server |u_boot |udisks |unbound |unixodbc |
| upx |util_linux |uwsgi |varnish |vim |vlc |vorbis_tools |
| vsftpd |wavpack |webkitgtk |wget |wireshark |wolfssl |wpa_supplicant |
| xerces |xml2 |xpdf |xscreensaver |xwayland |xz |yasm |
| zabbix |zbar |zchunk |zeek |zlib |znc |zsh |
| zstandard | | | | | | |
<!--CHECKERS TABLE END-->

For a quick overview of usage and how it works, you can also see [the readme file](README.md).
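
Review bot: This hunk grows from 6 to 64 lines with nothing removed: the rows from `assimp` to `zstandard` are appended after the existing final row (`zsh | zstandard`), so MANUAL.md ends up listing nearly every checker twice. The table sits between the `CHECKERS TABLE BEGIN` and `CHECKERS TABLE END` markers; regenerate it in place instead of appending, and keep it consistent with whatever the README table ends up containing.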
Expand Down Expand Up @@ -1487,6 +1554,14 @@ This option allows you to make a copy of the database. This is typically require

This option allows you to import a copy of the database (typically created using the `--export` option). If the specified file does not exist, this operation has no effect.

### --update-only update the database without scanning any files or directories

This option allows you to update the database without scanning any files or directories. This is useful when you want to update the database without running any scans.

### --import-json IMPORT_JSON

This option allows you to import a copy of the database from JSON files chopped by years. This is useful when you want to import a pre-existing database from JSON files.

## Deprecated Arguments

### -x, --extract
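
Review bot: The heading `### --update-only update the database without scanning any files or directories` repeats the help text, while the other option headings here name only the option (`### --import-json IMPORT_JSON`, `### -x, --extract`); use `### --update-only`. The body restates the heading twice and leaves out what a reader cannot infer: whether the flag forces a full refresh like `-u now`, and what exit code to expect when the update fails. The added `--import-json` section documents an option that already exists and would be better in its own change.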
6 changes: 6 additions & 0 deletions doc/how_to_guides/multiple_scans_at_once.md
Expand Up @@ -13,6 +13,12 @@ To update (without scanning) you can use the following command:
cve-bin-tool -u now
```

Alternatively, you can use the dedicated update-only flag:

```
cve-bin-tool --update-only
```

We recommend once per day, but this can be more frequently or less frequently depending on your needs. Ideally, you want to be sure this completes before you kick off any other scans, so that you aren't checking against a partial database.

## Step 2: Scan
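
Review bot: The guide offers `cve-bin-tool --update-only` as an alternative to `cve-bin-tool -u now` without saying whether the two perform the same update. Since the paragraph that follows tells readers to make sure the update completes before starting other scans, state whether `--update-only` forces a refresh or only updates a stale database, and tell readers to check its exit code before kicking off scans.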