Reporting vulnerabilities within a complex software environment
Using the CVE-Bin-Tool
- Track: Software composition and dependency management devroom
- Room: D.dependency
- Day: Sunday
- Start: 12:40
- End: 13:00
Detecting known software vulnerabilities is hard to do perfectly. The CVE Binary Tool is designed to analyse and trace dependencies by performing a binary analysis that attempts to detect the versions of the libraries present in compiled applications, and then to determine which vulnerabilities may affect those versions. Since the tool was first released, the number of libraries it can detect has steadily increased and now exceeds 100, primarily through the effort of students working under the Google Summer of Code (GSoC) programme. Supported libraries have typically been prioritised by the number and frequency of vulnerabilities reported against them in the CVE database. The latest version of the tool, released at the end of 2021, adds vulnerability scanning of Linux distros and Python applications and the ability to consume a Software Bill of Materials (both the SPDX and CycloneDX formats are supported). Further enhancements are planned for 2022.
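As an added illustration of the detection approach the abstract describes (this is example code, not cve-bin-tool's own implementation): a scanner that looks for library version strings inside a constructed binary blob, reads components from a constructed CycloneDX-style SBOM, and matches the discovered (product, version) pairs against a constructed table of affected version ranges. The checker regexes, the sample binary, the SBOM, the vulnerability identifiers (CONSTRUCTED-…) and the ranges are all placeholders chosen for the example.

```python
"""Simplified version-string based dependency detection (added example).

Mirrors the idea in the abstract: many libraries leave a version banner in
the compiled binary, so a regex per library can recover (product, version);
an SBOM supplies the same pairs directly. Both are then checked against a
table of affected version ranges. Everything below is constructed sample data.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed "checkers": one regex per library banner we expect to find.
# The pattern shapes are placeholders, not cve-bin-tool's real checkers.
CHECKERS = {
    "openssl": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)"),
    "zlib": re.compile(rb"inflate (\d+\.\d+\.\d+) Copyright"),
}

# Constructed vulnerability table: product -> [(id, first affected, fixed in)].
# "first affected" is inclusive, "fixed in" is exclusive. Ids are placeholders.
VULN_TABLE = {
    "openssl": [("CONSTRUCTED-0001", "1.1.1", "1.1.1k")],
    "zlib": [("CONSTRUCTED-0002", "1.2.0", "1.2.12")],
}

# Constructed stand-in for a compiled binary with two embedded banners.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
    + b"OpenSSL 1.1.1j  16 Feb 2021\x00"
    + b"\x90" * 8
    + b"inflate 1.2.11 Copyright 1995-2017 Mark Adler\x00"
)

# Constructed minimal CycloneDX-style SBOM (JSON) listing three components.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1k"},
        {"type": "library", "name": "zlib", "version": "1.2.13"},
        {"type": "library", "name": "curl", "version": "7.80.0"},
    ],
})


def version_key(version: str) -> Tuple[int, int, int, str]:
    """Turn 'MAJOR.MINOR[.PATCH][letter]' into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?([a-z]*)", version)
    if not m:
        raise ValueError(f"unsupported version format: {version!r}")
    return (int(m[1]), int(m[2]), int(m[3] or 0), m[4])


def scan_binary(blob: bytes) -> Dict[str, str]:
    """Return {product: version} for every checker whose banner appears."""
    found: Dict[str, str] = {}
    for product, pattern in CHECKERS.items():
        match = pattern.search(blob)
        if match:
            found[product] = match.group(1).decode("ascii")
    return found


def scan_sbom(sbom_json: str) -> Dict[str, str]:
    """Return {product: version} from a CycloneDX-style JSON document."""
    doc = json.loads(sbom_json)
    return {
        comp["name"].lower(): comp["version"]
        for comp in doc.get("components", [])
        if "name" in comp and "version" in comp
    }


def find_vulnerabilities(found: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Match detected versions against VULN_TABLE; returns (product, version, id)."""
    hits: List[Tuple[str, str, str]] = []
    for product, version in found.items():
        key = version_key(version)
        for vuln_id, first_affected, fixed_in in VULN_TABLE.get(product, []):
            if version_key(first_affected) <= key < version_key(fixed_in):
                hits.append((product, version, vuln_id))
    return hits


if __name__ == "__main__":
    for label, found in (("binary", scan_binary(SAMPLE_BINARY)),
                         ("sbom", scan_sbom(SAMPLE_SBOM))):
        print(f"{label}: detected {found}")
        for product, version, vuln_id in find_vulnerabilities(found):
            print(f"  {product} {version} affected by {vuln_id}")
```

Running it flags both libraries found in the sample binary and none from the SBOM, whose components are at or past the constructed fix versions. The comparison deliberately treats a trailing letter (OpenSSL 1.1.1j vs 1.1.1k) as part of the version, which a naive numeric compare would drop.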
This presentation will describe how the tool works, demonstrate its use across a number of use cases, and show how you can contribute to further develop the tool's capabilities.
Speakers
Anthony Harrison