diff --git a/README.md b/README.md index f3669bd..50923e7 100644 --- a/README.md +++ b/README.md @@ -46,6 +46,14 @@ NOTE: To mention multiple directories, use comma as a separator and don't includ **Optional** Provide input filename for triage data. The supported format is CycloneDX VEX, OpenVEX and CSAF. Find more information [here](https://github.com/intel/cve-bin-tool#providing-triage-input). +### `disable_data_source` + +**Optional** Comma-separated list of data sources to disable (CURL, EPSS, GAD, NVD, OSV, PURL2CPE, REDHAT, RSD) + +### `skips` + +**Optional** This option allows one to skip (disable) a comma-separated list of checkers and language parsers. + ### `filter_triage` **Optional** Provide a filter_triage flag in addition to triage_input_file that filters out vulnerabilities marked as 'not affected' and 'false positive' in the triage input file from the security tab. diff --git a/action.yml b/action.yml index daab633..115544c 100644 --- a/action.yml +++ b/action.yml @@ -31,6 +31,12 @@ inputs: vex_file: required: false description: 'Provide input filename for triage data.' + disable_data_source: + required: false + description: 'While scanning, CVE Binary Tool will disable these data sources.' + skips: + required: false + description: 'While scanning, CVE Binary Tool will skip these checks.' filter_triage: required: false default: true @@ -63,6 +69,8 @@ runs: --sbom-format '${{ inputs.sbom_format }}' --alerts-based-on-file '${{inputs.alerts_based_on_file}}' --vex-file '${{ inputs.vex_file }}' + --disable-data-source '${{ inputs.disable_data_source }}' + --skips '${{ inputs.skips }}' --filter-triage '${{inputs.filter_triage}}' shell: bash - uses: actions/upload-artifact@v4 @@ -70,6 +78,7 @@ runs: name: cve_reports path: | scan-result.html + scan-result.json scan-result.pdf SBOM.json SBOM.spdx diff --git a/src/cve_bin_tool.py b/src/cve_bin_tool.py index ea6b6b1..b0ef60b 100644 --- a/src/cve_bin_tool.py +++ b/src/cve_bin_tool.py 
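Review bot: The new `--disable-data-source '${{ inputs.disable_data_source }}'` and `--skips '${{ inputs.skips }}'` arguments splice action inputs straight into the `run:` script text; the expression is substituted before bash runs, so a value containing a single quote closes the quoted argument and whatever follows is executed as shell. Inputs come from the calling workflow rather than directly from a pull request, but workflows routinely forward untrusted context (issue titles, PR bodies) into action inputs, and the pre-existing `--vex-file '${{ inputs.vex_file }}'` line has the same shape. Expose the values as environment variables on the step, e.g. `SKIPS: ${{ inputs.skips }}` under an `env:` block, and reference them in the script as `--skips "$SKIPS"` so the expansion happens inside the shell's own quoting. The step header that would carry the `env:` block is outside this hunk.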
@@ -12,20 +12,34 @@ class CVE_BIN_TOOL: - def update_db(self, nvd_api_key): - command = ["cve-bin-tool"] + def update_db( + self, + dir, + nvd_api_key, + disable_data_source=None, + skips=None, + ): + command = [ + "cve-bin-tool", + dir + ] if nvd_api_key: command.append("--nvd-api-key") command.append(nvd_api_key) else: command.append("--nvd") command.append("json-mirror") + if disable_data_source: + command.append("--disable-data-source") + command.append(disable_data_source) + if skips: + command.append("--skips") + command.append(skips) subprocess.run(command) def scan( self, dir, - filter_triage=False, scan_mode="repo-only", formats=[], output=None, @@ -35,6 +49,9 @@ def scan( sbom_output="SBOM.json", vex_file=None, triage_input_file=None, + disable_data_source=None, + skips=None, + filter_triage=False, ): json_data = [] captured_output = "" @@ -72,8 +89,15 @@ def scan( # Backwards compatibility with old arg name command.append("--vex-file") command.append(triage_input_file) + if disable_data_source: + command.append("--disable-data-source") + command.append(disable_data_source) + if skips: + command.append("--skips") + command.append(skips) if filter_triage: command.append("--filter-triage") + print(f"Running command: {' '.join(command)}") captured_output += subprocess.run( command, capture_output=True, text=True ).stdout @@ -81,7 +105,8 @@ def scan( with open(f"{output}.json") as fd: try: json_output = json.load(fd) - except Exception: + except Exception as e: + print(f"Error reading JSON output: {e}") json_output = [] for obj in json_output: obj["type"] = "Library" diff --git a/src/generate_sarif.py b/src/generate_sarif.py index 47bc80a..f4b629a 100644 --- a/src/generate_sarif.py +++ b/src/generate_sarif.py 
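Review bot: `subprocess.run(command)` at the end of the rewritten `update_db` still discards the exit status, so whatever this first cve-bin-tool invocation fails to do (the old command had no target; it now receives `dir`) goes unnoticed and `scan` runs afterwards regardless. If cve-bin-tool uses non-zero exits only for errors, `check=True` is enough; if it also signals findings that way, capture the result and compare `returncode` against the tool's documented values before continuing. The new parameter `dir` shadows the builtin; since the signature is new, `directory` would be clearer and matches `args.directory` in scanner.py. A docstring such as `"""Refresh the CVE database and run cve-bin-tool once against `dir` with the given source/checker filters."""` would also help, hedged to whatever the tool actually does on this call, because the method name no longer describes everything it does.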
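Review bot: Moving `filter_triage=False` from the third positional slot of `scan` to the end changes what a positional call means: `scan(path, True)` used to enable triage filtering and now sets `scan_mode=True` without any error. The only visible caller (scanner.py) passes keywords, so this is probably harmless in-tree, but a bare `*` after `dir` — `def scan(self, dir, *, scan_mode="repo-only", ...)` — would make every option keyword-only and rule out the silent misbinding for external callers. At minimum a docstring noting that the parameter order changed is warranted; the rest of `scan`'s signature and body lie outside this hunk.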
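Review bot: `print(f"Running command: {' '.join(command)}")` writes the full argv to the job log, and `' '.join` drops quoting, so an argument containing spaces (for example a `--vex-file` path) cannot be reproduced from the log; `shlex.join(command)` gives an unambiguous, copy-pasteable line. Before logging, make sure nothing sensitive can be in `command` — this hunk shows only the triage and filter arguments, but `update_db` in the same file puts `--nvd-api-key` on its argv, so if `scan` ever does the same the key would be echoed into CI logs; redact such values or log only the non-secret arguments. The `subprocess.run(command, capture_output=True, text=True).stdout` on the following lines also discards `returncode` and the captured `stderr`, so a crashed cve-bin-tool looks like an empty report; keep the result object, append its `stderr` to `captured_output`, and inspect the return code. `scan` continues outside the hunk.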
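Review bot: `except Exception as e:` around `json.load(fd)` still turns any parse failure into `json_output = []`, so a truncated or malformed `{output}.json` makes the scan report zero findings — a fail-open for a vulnerability scanner — and the only trace is a `print` that no automated consumer of the report will see. Narrow the handler to `except json.JSONDecodeError as e:` and surface the failure (re-raise, or return a value the caller can act on) instead of substituting an empty list; if an empty result is deliberately acceptable for some inputs, say why in a comment on the `except` branch. Note that `open(f"{output}.json")` sits outside the `try`, so a missing file already raises, which makes the silent path for a present-but-corrupt file inconsistent with the missing-file path. The enclosing `scan` continues outside this hunk.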
@@ -75,10 +75,13 @@ def write_file(self, output_file): fd.write(json.dumps(self.sarif_file)) def check_cves_in_json(self): + print(f"Checking for CVEs in {self.json_file_path}") if not self.json_file_path.is_file(): + print(f"File {self.json_file_path} does not exist.") return False with open(self.json_file_path) as fp: json_data = json.load(fp) + print(f"Found {len(json_data)} CVEs in {self.json_file_path}") return bool(len(json_data)) def extract_vulnerablities_from_json(self): diff --git a/src/scanner.py b/src/scanner.py index f2a4554..40534c1 100644 --- a/src/scanner.py +++ b/src/scanner.py @@ -71,6 +71,16 @@ def main(): help="Provide input filename for triage data.", required=False, ) + parser.add_argument( + "--disable-data-source", + help="Disable data sources for the scan.", + required=False, + ) + parser.add_argument( + "--skips", + help="Skip checkers for the scan.", + required=False, + ) parser.add_argument( "--filter-triage", help="Filter vulnerabilities based on triage data.", @@ -95,7 +105,12 @@ def main(): exit(1) cve_bin_tool = CVE_BIN_TOOL() - cve_bin_tool.update_db(args.nvd_api_key) + cve_bin_tool.update_db( + args.directory, + args.nvd_api_key, + args.disable_data_source, + args.skips, + ) # backwards compatibility for folk still using triage-input-file instead of vex-file if args.triage_input_file and not args.vex_file: @@ -125,6 +140,8 @@ def main(): sbom_format=args.sbom_format, sbom_output=f"{args.sbom_output}.{output_extension}", vex_file=args.vex_file, + disable_data_source=args.disable_data_source, + skips=args.skips, filter_triage=args.filter_triage, ) diff --git a/test/test_cve_bin_tool.py b/test/test_cve_bin_tool.py index b1ea048..2393cdb 100644 --- a/test/test_cve_bin_tool.py +++ b/test/test_cve_bin_tool.py 
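Review bot: `check_cves_in_json` returns `False` both when `self.json_file_path` does not exist and when the file holds an empty list, so a scan that failed to write its output is indistinguishable from a clean scan; the new `print` lines make that visible in a log but do not let the caller tell the cases apart. Consider raising `FileNotFoundError` (or returning `None`) for the missing-file case and keeping `False` for "file present, no entries", with a docstring such as `"""Return True when the results file exists and contains at least one entry."""`. The `Found {len(json_data)} CVEs` message also assumes the file is a JSON array, and the `json.load(fp)` just above it is unguarded, so an object or malformed file raises here without context — a one-line comment stating the expected shape would help. Callers are outside this hunk, so whether they can handle a raised exception is not visible here.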
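Review bot: The help strings `"Disable data sources for the scan."` and `"Skip checkers for the scan."` do not tell the user that the value is a comma-separated list or which names are accepted, and argparse performs no validation, so a typo is only diagnosed (if at all) by cve-bin-tool at run time. Mirror the README wording: `help="Comma-separated list of data sources to disable (CURL, EPSS, GAD, NVD, OSV, PURL2CPE, REDHAT, RSD)."` and `help="Comma-separated list of checkers and language parsers to skip."`. Both values are also forwarded to `update_db` later in this file, so the help could note that disabling a source affects the database refresh as well as the scan, if that is the intended behaviour.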
@@ -89,7 +89,7 @@ def test_update_db(self, mocker: MockerFixture): mocker.patch("subprocess.run") spy_subprocess = mocker.spy(subprocess, "run") cve_bin_tool_scanner = cve_bin_tool.CVE_BIN_TOOL() - cve_bin_tool_scanner.update_db("NVD_API_KEY") + cve_bin_tool_scanner.update_db(".", "NVD_API_KEY") spy_subprocess.assert_called_once_with( [ "cve-bin-tool",