Merge branch 'main' into timeout_fix

.github/workflows/build-wheel.yml

@@ -1,10 +1,13 @@
 name: Build pip wheel
 
+permissions: read-all
+
 on:
   push:
     branches: [ "main" ]
   workflow_dispatch:
 
+jobs:
   build:
     name: Build wheel
     runs-on: ubuntu-latest
@@ -17,10 +20,10 @@ on:
       matrix:
         python-version:
         - "3.12"
-    if: github.repository == 'intel/cve-bin-tool' && github.ref == 'refs/heads/main' # run on origin repo only
+    if: github.repository == 'intel/cve-bin-tool' # run on origin repo only
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
       with:
         egress-policy: audit
 
@@ -41,11 +44,11 @@ on:
         echo "tar=$(cd dist/ && echo *.tar.gz)" >> $GITHUB_OUTPUT
         echo "whl=$(cd dist/ && echo *.tar.gz)" >> $GITHUB_OUTPUT
     - name: Attest Build Provenance for tar
-      uses: actions/attest-build-provenance@951c0c5f8e375ad4efad33405ab77f7ded2358e4 # v1.1.1
+      uses: actions/attest-build-provenance@534b352d658f90498fd148d231fdbf88f3886a3a # v1.3.1
       with:
         subject-path: "dist/${{ steps.filename.outputs.tar }}"
     - name: Attest Build Provenance for whl
-      uses: actions/attest-build-provenance@951c0c5f8e375ad4efad33405ab77f7ded2358e4 # v1.1.1
+      uses: actions/attest-build-provenance@534b352d658f90498fd148d231fdbf88f3886a3a # v1.3.1
       with:
         subject-path: "dist/${{ steps.filename.outputs.whl }}"
     # TODO Upload to pypi on release creation

.github/workflows/codeql-analysis.yml

@@ -42,7 +42,7 @@ jobs:
 
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
       with:
         egress-policy: audit
 
@@ -51,7 +51,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@b7cec7526559c32f1616476ff32d17ba4c59b2d6 # v3.25.5
+      uses: github/codeql-action/init@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -76,4 +76,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@b7cec7526559c32f1616476ff32d17ba4c59b2d6 # v3.25.5
+      uses: github/codeql-action/analyze@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10

.github/workflows/coverity.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
       with:
         egress-policy: audit
 

.github/workflows/cve_bin_tool_action.yml

@@ -6,10 +6,11 @@ on:
 
 permissions:
   contents: read
-  security-events: write
 
 jobs:
   scan:
+    permissions:
+      security-events: write
     runs-on: ubuntu-latest
     steps:
       - uses: intel/cve-bin-tool-action@main

.github/workflows/cve_scan.yml

@@ -15,7 +15,7 @@ jobs:
     timeout-minutes: 10
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
           egress-policy: audit
 

.github/workflows/dependency-review.yml

@@ -17,11 +17,11 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
           egress-policy: audit
 
       - name: 'Checkout Repository'
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@0c155c5e8556a497adf53f2c18edabf945ed8e70 # v4.3.2
+        uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # v4.3.3

.github/workflows/formatting.yml

@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
           egress-policy: audit
 

.github/workflows/linting.yml

@@ -18,7 +18,7 @@ jobs:
         tool: ['isort', 'black', 'pyupgrade', 'flake8', 'bandit', 'gitlint', 'mypy', 'interrogate']
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
           egress-policy: audit
 

.github/workflows/sbom.yml

@@ -22,7 +22,7 @@ jobs:
         python: ['3.8', '3.9', '3.10', '3.11', '3.12']
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
           egress-policy: audit
 

.github/workflows/scorecard.yml

@@ -22,7 +22,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
           egress-policy: audit
 

.github/workflows/spelling.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
       with:
         egress-policy: audit
 

.github/workflows/testing.yml

@@ -1,5 +1,7 @@
 name: Testing
 
+permissions: read-all
+
 on:
   push:
   pull_request:
@@ -37,7 +39,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
           disable-sudo: true
           egress-policy: block
@@ -74,7 +76,7 @@ jobs:
     timeout-minutes: 60
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
           egress-policy: block
           allowed-endpoints: >
@@ -201,7 +203,7 @@ jobs:
       LONG_TESTS: 1
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
           egress-policy: block
           allowed-endpoints: >
@@ -337,7 +339,7 @@ jobs:
           test/test_cvedb.py
       - name: Upload code coverage to codecov
         if: env.sbom != 'true'
-        uses: codecov/codecov-action@6d798873df2b1b8e5846dba6fb86631229fbcb17 # v4.4.0
+        uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0
         with:
           files: ./coverage.xml
           flags: longtests
@@ -363,7 +365,7 @@ jobs:
       EXTERNAL_SYSTEM: 1
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
           egress-policy: block
           allowed-endpoints: >
@@ -496,7 +498,7 @@ jobs:
       PYTHONIOENCODING: 'utf8'
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
           egress-policy: audit
 
@@ -581,7 +583,7 @@ jobs:
       - name: Test PDF generation on Windows
         run: pytest test/test_output_engine.py -k test_output_pdf --cov --cov-append --cov-report=xml
       - name: Upload code coverage to codecov
-        uses: codecov/codecov-action@6d798873df2b1b8e5846dba6fb86631229fbcb17 # v4.4.0
+        uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0
         with:
           files: ./coverage.xml
           flags: win-longtests

.github/workflows/update-cache.yml

@@ -22,7 +22,7 @@ jobs:
     timeout-minutes: 60
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
           egress-policy: audit
 

.github/workflows/update-js-dependencies.yml

@@ -22,7 +22,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
           egress-policy: audit
 

.github/workflows/update-pre-commit.yml

@@ -22,7 +22,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
           egress-policy: audit
 

.github/workflows/update-spdx-header.yml

@@ -23,7 +23,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
           egress-policy: audit
 

README.md

@@ -425,7 +425,8 @@ CVE Data Download:
   <a href="https://github.com/intel/cve-bin-tool/blob/main/doc/MANUAL.md#-u-nowdailyneverlatest---update-nowdailyneverlatest">-u {now,daily,never,latest}, --update {now,daily,never,latest}</a>
                         update schedule for data sources and exploits database (default: daily)
   <a href="https://github.com/intel/cve-bin-tool/blob/main/doc/MANUAL.md#--nvd-api-key-nvd_api_key">--nvd-api-key NVD_API_KEY</a>
-                        specify NVD API key (used to improve NVD rate limit)
+                        Specify NVD API key (used to improve NVD rate limit).
+                        Set to `no` to ignore any keys in the environment.
   <a href="https://github.com/intel/cve-bin-tool/blob/main/doc/MANUAL.md#-d-nvdosvgadcurl-nvdosvgadcurl----disable-data-source-nvdosvgadcurl-nvdosvgadcurl-">-d DISABLE_DATA_SOURCE, --disable-data-source DISABLE_DATA_SOURCE</a>
                         comma-separated list of data sources (CURL, EPSS, GAD, NVD, OSV, REDHAT, RSD) to disable (default: NONE) 
 

cve_bin_tool/checkers/dnsmasq.py

@@ -22,7 +22,7 @@ class DnsmasqChecker(Checker):
     VERSION_PATTERNS = [
         r"dnsmasq-[a-z_]*([0-9]+\.[0-9]+)",
         r"([0-9]+\.[0-9]+)\r?\nDnsmasq version %s",
-        r"Dnsmasq version %s  %s\r?\n([0-9]+\.[0-9]+)",
+        r"Dnsmasq version (?:|%s  %s\r?\n)([0-9]+\.[0-9]+)",
         r"([0-9]+\.[0-9]+)\r?\nstarted, version %s DNS disabled",
     ]
     VENDOR_PRODUCT = [

cve_bin_tool/cli.py

@@ -49,6 +49,7 @@
     gad_source,
     nvd_source,
     osv_source,
+    purl2cpe_source,
     redhat_source,
 )
 from cve_bin_tool.error_handler import (
@@ -151,7 +152,12 @@ def main(argv=None):
         "--nvd-api-key",
         action="store",
         default="",
-        help="specify NVD API key (used to improve NVD rate limit)",
+        help=textwrap.dedent(
+            """\
+            Specify NVD API key (used to improve NVD rate limit).
+            Set to `no` to ignore any keys in the environment.
+            """
+        ),
     )
     data_source_disable_help = f'comma-separated list of data sources ({", ".join(DataSourceSupport.available_data_sources())}) to disable (default: NONE)'
     data_sources_group.add_argument(
@@ -722,6 +728,10 @@ def main(argv=None):
         source_epss = epss_source.Epss_Source()
         enabled_sources.append(source_epss)
 
+    if "PURL2CPE" not in disabled_sources:
+        source_purl2cpe = purl2cpe_source.PURL2CPE_Source()
+        enabled_sources.append(source_purl2cpe)
+
     if "NVD" not in disabled_sources:
         source_nvd = nvd_source.NVD_Source(
             nvd_type=nvd_type,

cve_bin_tool/cvedb.py

@@ -7,6 +7,7 @@
 from __future__ import annotations
 
 import asyncio
+import contextlib
 import datetime
 import json
 import logging
@@ -28,6 +29,7 @@
     gad_source,
     nvd_source,
     osv_source,
+    purl2cpe_source,
 )
 from cve_bin_tool.error_handler import ERROR_CODES, CVEDBError, ErrorMode, SigningError
 from cve_bin_tool.fetch_json_db import Fetch_JSON_DB
@@ -58,6 +60,7 @@ class CVEDB:
         epss_source.Epss_Source,
         osv_source.OSV_Source,
         gad_source.GAD_Source,
+        purl2cpe_source.PURL2CPE_Source,
         nvd_source.NVD_Source,  # last to avoid data overwrites
     ]
 
@@ -1186,3 +1189,11 @@ def fetch_from_mirror(self, mirror, pubkey, ignore_signature, log_signature_erro
         else:
             self.clear_cached_data()
             return -1
+
+    @contextlib.contextmanager
+    def with_cursor(self):
+        cursor = self.db_open_and_get_cursor()
+        try:
+            yield cursor
+        finally:
+            self.db_close()

cve_bin_tool/data_sources/epss_source.py

@@ -67,7 +67,9 @@ async def download_epss_data(self):
             # Check if the file is older than 24 hours
             if time_difference > timedelta(hours=24):
                 try:
-                    async with aiohttp.ClientSession(headers=HTTP_HEADERS) as session:
+                    async with aiohttp.ClientSession(
+                        headers=HTTP_HEADERS, trust_env=True
+                    ) as session:
                         async with session.get(self.DATA_SOURCE_LINK) as response:
                             response.raise_for_status()
                             self.LOGGER.info("Getting EPSS data...")
@@ -87,7 +89,9 @@ async def download_epss_data(self):
 
         else:
             try:
-                async with aiohttp.ClientSession(headers=HTTP_HEADERS) as session:
+                async with aiohttp.ClientSession(
+                    headers=HTTP_HEADERS, trust_env=True
+                ) as session:
                     async with session.get(self.DATA_SOURCE_LINK) as response:
                         response.raise_for_status()
                         self.LOGGER.info("Getting EPSS data...")

cve_bin_tool/data_sources/nvd_source.py

@@ -88,6 +88,13 @@ def __init__(
         # store the nvd api key for use later
         self.nvd_api_key = nvd_api_key
 
+        # if nvd_api_key was set to "No" then unset it
+        # This makes it easier to disable usage from the command line
+        # and over-riding existing environment variables.
+        if self.nvd_api_key.lower() == "no":
+            self.nvd_api_key = ""
+            LOGGER.info("NVD API Key was set to 'no' and will not be used")
+
     async def get_cve_data(self):
         """Retrieves the CVE data from the data source."""
         await self.fetch_cves()