GsoC 2025 project idea: No-scan mode

[terriko]

• Related GSoC 2025: Start here #4712

cve-bin-tool: No-scan mode

Project description

CVE Binary Tool was designed as a vulnerability scanner, but it can also be used to generate component lists and SBOMs. Some of our users have expressed an interest in having a mode where CVE-bin-tool generates SBOMs without requiring one to download and use vulnerability data. The current database takes around 2.5G of space and 20 minutes to download and process on a fast system with a lot of RAM, so it's rather understandable that people would want to skip that.

This will require some major refactoring of our database and the order in which things are done, including potentially:

1. Appropriate documentation and tests. We recommend writing these first, as documentation will help you get feedback from actual users and tests can help you do test-driven development.
2. Major refactoring to separate our component identification parts from our vulnerability identification parts. Right now they're pretty intermixed.
3. The ability to generate reports / SBOMs without making database calls at all
4. Report changes so we don't claim to have found 0 CVEs when in fact no one even looked it up

You may want to take a look at how our --offline mode works as well, not because it's a perfect example (it will also need to be refactored) but because it'll help you see the places where we're going to have problems.

This project is going to be HARD. We'll expect some proposed new architecture diagrams as part of your proposal and ideally you'll have at least a few bigger pull requests under your belt before you start this project, and you're going to need to find a way to break this project up into much smaller pieces that can be merged without breaking the tool as it stands, which is not easy. Expect that you will need to merge at least some code every week.

Related reading

• feat: no-scan mode #4110

Skills

• python
• sqlite
• network communication
• software security: knowledge of how software vulnerabilities are triaged, mitigated and solved would be very helpful here. (you can learn some of this as you go but it's worth doing some background reading to help inform your design choices)

Difficulty level

• hard
• You're really going to have to understand how cve-bin-tool works and be prepared to challenge our older architecture decisions in order to make this work.

Project Length

• 350 hours (e.g. full-time for 10 weeks or part-time for longer)
• It would be possible to do part of this project in a 175 hour project, but we may prefer candidates who have the time to do more assuming similar levels of ability

Mentor

• The primary mentor for this project will likely be @terriko but @anthonyharrison will also have a lot of feedback and recommendations about architecture changes. Please ask all questions on this issue rather than sending email so you can benefit from the expertise of other contributors and mentors. (Terri's email gets swamped regularly by other work concerns and it's likely she will miss emails send during the GSoC period, but she will answer questions asked in public on this issue or in our gitter chat.)

GSoC Participants Only

This issue is a potential project idea for GSoC 2025, and is reserved for completion by a selected GSoC contributor. Please do not work on it outside of that program. If you'd like to apply to do it through GSoC, please start by reading #4712.

[joydeep049]

Hello @terriko, @anthonyharrison
Having spent so much time contributing to cve-bin-tool, this project is very interesting and it makes a lot of sense if we are able to achieve a perfect no-scan mode.
I'm gonna look into this a bit more in detail and come back with some questions and design suggestions

Thank you!

[joydeep049]

Hello

Gist of what we're supposed to do: (according to what I've understood)

1. The main functionality of CVE-Binary-tool is vulnerability analysis, either directly from local or from SBOM. The tool can also generate SBOMs and further analyse them (CVE-Scanning)

2. Oddly, the feature of generating SBOMs from binaries is a very useful feature and not found in many other OSS products. (Quoting @anthonyharrison from here)

3. What we want is a no-scan mode where we can generate SBOMs from binaries without actually downloading CVE data, which is about 2.5G in size and takes quite a bit of time on a computer with average specs.

We want to merge the download CVE and create CVE list parts (the red and green boxes)

5. How we are going to achieve a no-scan mode?
   -> Bypassing Database Downloads: Skip the database download step entirely.
   -> Eliminating Database Calls: Avoid all database interactions, similar to how network calls are skipped in --offline mode.
   -> Embedding CPE Information: Leverage CPE data embedded in binary checkers for vulnerability analysis by incorporating the same CPE information into the SBOM. (Referencing Terri’s comment here).
   -> Accurate Reporting: Ensure reports do not inaccurately indicate "0 CVEs found" when data sources are actually disabled.
   -> Addressing User Feedback: This initiative stems from user feedback and the observation that cve-bin-tool still attempts internet access in --offline mode. Users also seek faster SBOM generation.

This project marks the initial step towards enabling the use of tool features offline, eliminating the need for constant internet access or extensive data downloads.

If I’ve missed anything, please feel free to correct me, @terriko and @anthonyharrison .

[terriko]

I think you've got most of it in there.

In the diagram above, we want to move the first red box that says "Download CVE Data" so it becomes both optional and happens in step 2 alongside the green "Create CVE list" box which will also become optional. Triage will stay but may skip any data relevant to CVEs and only have triage related to components.

A pedantic note: We probably don't actually want to eliminate all database calls, because we now have a local mismatch database and we may want "no scan mode" to still use the purl2cpe database for component identification even in --no-scan mode. So that gives you a few cases:

• --offline mode would eliminate all external calls, period, so you'd only use locally provided mismatch data that came with the tool
• --no-scan mode would use the data sources needed for component identification (purl2cpe and mismatch) but not any used for vulnerability data

[terriko]

Oh, the sqlite data source is also used for component identification (it includes the mapping of hashes to version numbers) so would likely also stay even in --no-scan mode.

[joydeep049]

Hi @terriko @anthonyharrison

I have dropped a few questions on gitter DM that are proposal-specific.
Or should I inquire about those issues here?