This release is dedicated to the person who sent me cookies after I was griping about differences in Python 3.7 error handling on Twitter. They were delicious, thank you! Thanks also to the many new contributors who have joined us as part of Google Summer of Code 2022. You can see many new folk had their first commits in this release!
New Features
* CVE Binary Tool 3.1 adds support for [NVD API keys](https://nvd.nist.gov/general/news/API-Key-Announcement). An NVD API key allows registered users to make a greater number of requests to the API. At this time, the [NVD API documentation](https://nvd.nist.gov/developers) says, "The public rate limit (without an API key) is 10 requests in a rolling 60 second window; the rate limit with an API key is 100 requests in a rolling 60 second window."
* cve-bin-tool updates once per day by default to limit connections to NVD, but users in shared environments or running more frequent updates have occasionally seen 403 errors due to exceeded rate limits. Using an API key should alleviate those issues going forward.
* New support for scanning Java and JavaScript packages has been added. (Yes, this will now detect log4j packages.) The language-specific packages we support now are Java, JavaScript and Python.
* A new offline flag (`--offline`) has been added to disable all network requests for use in isolated environments. [A guide for using --offline mode can be found here.](https://cve-bin-tool.readthedocs.io/en/latest/how_to_guides/offline.html)
* New support for [VEX (Vulnerability Exploitability eXchange)](https://www.ntia.gov/files/ntia/publications/vex_one-page_summary.pdf) files. A VEX file can be generated following a scan and then used as a supported triage file.
* Extractor support has been extended to include WAR, EAR, pkg and zst files.
* New checkers: Libsrtp, libseccomp, libebml, libsolv
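The NVD rate limits quoted above (10 requests per rolling 60 second window without a key, 100 with one) are easy to trip in a shared environment. The following is an added illustration, not code from cve-bin-tool, of a client-side rolling-window throttle that stays under whichever limit applies; the class and method names are my own, and times are passed in explicitly so the logic is deterministic.

```python
import time
from collections import deque

# Limits quoted on this page from the NVD API documentation: 10 requests per
# rolling 60 second window without a key, 100 with a key.
WINDOW_SECONDS = 60.0
LIMIT_WITHOUT_KEY = 10
LIMIT_WITH_KEY = 100


class RollingWindowThrottle:
    """Client-side throttle that keeps a caller under a rolling-window limit.

    Timestamps of recent requests are kept in a deque. A request may go out
    only if fewer than `limit` requests fall inside the last `window` seconds;
    otherwise the caller waits until the oldest one ages out. Times are passed
    in explicitly (hypothetical design) so the behaviour is testable.
    """

    def __init__(self, api_key=None, window=WINDOW_SECONDS):
        self.limit = LIMIT_WITH_KEY if api_key else LIMIT_WITHOUT_KEY
        self.window = window
        self.sent = deque()

    def _prune(self, now):
        # Forget requests older than the window; they no longer count.
        while self.sent and now - self.sent[0] >= self.window:
            self.sent.popleft()

    def wait_time(self, now):
        """Seconds to wait at time `now` before a request fits (0.0 if none)."""
        self._prune(now)
        if len(self.sent) < self.limit:
            return 0.0
        # The oldest request still in the window must age out first.
        return self.window - (now - self.sent[0])

    def record(self, now):
        """Record that a request was sent at time `now`."""
        self.sent.append(now)

    def acquire(self, clock=time.monotonic, sleep=time.sleep):
        """Wait (if needed) for a free slot, record the request, return the delay."""
        delay = self.wait_time(clock())
        if delay > 0:
            sleep(delay)
        self.record(clock())
        return delay
```

Wrap each NVD request in `throttle.acquire()` and a burst of updates from one host will be spread out instead of answered with 403s.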
Changed Features
* Some users had expressed concern that they would prefer not to install the Reportlab dependency on their systems due to security concerns if the library is misused, so we no longer install it by default.
* Users intending to use PDF export can use `pip install cve-bin-tool[PDF]` to add reportlab to their install, or `pip install reportlab` if they decide they want it later.
* Similarly, users can `pip uninstall reportlab` at any time and cve-bin-tool will continue to function, although without the ability to export PDF files. Users can generate their own PDF reports using print-to-pdf on an HTML report if needed.
* Python 3.6 support and testing have been dropped as Python 3.6 has reached end of life. (This may affect some users on CentOS.)
New Contributors
* XDRAGON2002 made their first contribution in https://github.com/intel/cve-bin-tool/pull/1495
* DangerChamp made their first contribution in https://github.com/intel/cve-bin-tool/pull/1516
* Aadityajoshi151 made their first contribution in https://github.com/intel/cve-bin-tool/pull/1532
* vkrm1612 made their first contribution in https://github.com/intel/cve-bin-tool/pull/1536
* shoneriki made their first contribution in https://github.com/intel/cve-bin-tool/pull/1576
* yashugarg made their first contribution in https://github.com/intel/cve-bin-tool/pull/1533
* rhythmrx9 made their first contribution in https://github.com/intel/cve-bin-tool/pull/1572
* BenL-github made their first contribution in https://github.com/intel/cve-bin-tool/pull/1606
* xiongnemo made their first contribution in https://github.com/intel/cve-bin-tool/pull/1610
* Alienmaster made their first contribution in https://github.com/intel/cve-bin-tool/pull/1619
* MohitOhlyan made their first contribution in https://github.com/intel/cve-bin-tool/pull/1612
Full Change List
* refactor(package-list-parser): remove csv path by BreadGenie in https://github.com/intel/cve-bin-tool/pull/1466
* feat: Add tests for cve_scanner (1450) by anthonyharrison in https://github.com/intel/cve-bin-tool/pull/1456
* ci: fix `check-spelling` workflow by Molkree in https://github.com/intel/cve-bin-tool/pull/1471
* bug: Unzip failure requires user interaction (1473) by anthonyharrison in https://github.com/intel/cve-bin-tool/pull/1479
* feat: Add support for WAR and EAR archive files (1474) by anthonyharrison in https://github.com/intel/cve-bin-tool/pull/1478
* refactor: find SBOM product vendor (1477) by anthonyharrison in https://github.com/intel/cve-bin-tool/pull/1481
* chore: update pre-commit config by github-actions in https://github.com/intel/cve-bin-tool/pull/1455
* bug: don't follow symlinks in archives (1475) by anthonyharrison in https://github.com/intel/cve-bin-tool/pull/1486
* bug: Update pdf configuration parameters (1459) by anthonyharrison in https://github.com/intel/cve-bin-tool/pull/1484
* Updated spelling.yml by XDRAGON2002 in https://github.com/intel/cve-bin-tool/pull/1495
* feat: use cve-bin-tool without Reportlab (Fixes 1464) by anthonyharrison in https://github.com/intel/cve-bin-tool/pull/1485
* feat: Add offline command line option (1452) by anthonyharrison in https://github.com/intel/cve-bin-tool/pull/1480
* doc: improve new contributor documentation by terriko in https://github.com/intel/cve-bin-tool/pull/1467
* ci: add filetype to allowed word list by terriko in https://github.com/intel/cve-bin-tool/pull/1497
* feat: Remove support for python 3.6 (1488) by XDRAGON2002 in https://github.com/intel/cve-bin-tool/pull/1498
* feat: added Libsrtp checker (1489) by XDRAGON2002 in https://github.com/intel/cve-bin-tool/pull/1500
* chore: added LGTM badges to readme (1380) by XDRAGON2002 in https://github.com/intel/cve-bin-tool/pull/1501
* feat: Add support for scanning Java packages (1463) by anthonyharrison in https://github.com/intel/cve-bin-tool/pull/1476
* chore: update pre-commit config by github-actions in https://github.com/intel/cve-bin-tool/pull/1499
* test: Move NVD queries to LONG_TESTS due to rate limits (fixes 1509) by terriko in https://github.com/intel/cve-bin-tool/pull/1511
* chore: modify detected languages in github by terriko in https://github.com/intel/cve-bin-tool/pull/1508
* Gave output types its own subheading by DangerChamp in https://github.com/intel/cve-bin-tool/pull/1516
* test: Move backported fix tests to LONG_TESTS (1502) by XDRAGON2002 in https://github.com/intel/cve-bin-tool/pull/1512
* Moved --offline up to "Most popular usage options" by DangerChamp in https://github.com/intel/cve-bin-tool/pull/1514
* fix(cve_scanner): fix `canonical_convert` by Molkree in https://github.com/intel/cve-bin-tool/pull/1519
* Replace "Github" with "GitHub" by Aadityajoshi151 in https://github.com/intel/cve-bin-tool/pull/1532
* Correction by vkrm1612 in https://github.com/intel/cve-bin-tool/pull/1536
* feat: add NVD API key by terriko in https://github.com/intel/cve-bin-tool/pull/1529
* ci: remove NVD_API_KEY from CI because it isn't working by terriko in https://github.com/intel/cve-bin-tool/pull/1549
* fix: Only import pdftotext if installed (Fixes 1419) by anthonyharrison in https://github.com/intel/cve-bin-tool/pull/1545
* doc: Publish FOSDEM 2022 slides (Fixes 1546) by anthonyharrison in https://github.com/intel/cve-bin-tool/pull/1547
* fix: set default version for xml2 checker to UNKNOWN (Fixes 1517) by anthonyharrison in https://github.com/intel/cve-bin-tool/pull/1524
* Updated so it shows the correct versions of Python by DangerChamp in https://github.com/intel/cve-bin-tool/pull/1515
* doc: keep pdftotext windows install instructions (partial revert 1515) by terriko in https://github.com/intel/cve-bin-tool/pull/1550
* doc: add info on syncing to origin/main and rebasing by terriko in https://github.com/intel/cve-bin-tool/pull/1540
* test(available-fix): mock cve data by BreadGenie in https://github.com/intel/cve-bin-tool/pull/1513
* CI: Add bandit to pre-commit (fixes 1110) by terriko in https://github.com/intel/cve-bin-tool/pull/1523
* doc: fix incorrect hyperlink (Fixes 1553) by anthonyharrison in https://github.com/intel/cve-bin-tool/pull/1554
* ci: split CI into separate files by Molkree in https://github.com/intel/cve-bin-tool/pull/1552
* feat: improve locality of defaults (1352) by XDRAGON2002 in https://github.com/intel/cve-bin-tool/pull/1560
* doc: Add details on language specific checking (Fixes 1551) by anthonyharrison in https://github.com/intel/cve-bin-tool/pull/1561
* refactor: replace pkg_resources with importlib (1521) by XDRAGON2002 in https://github.com/intel/cve-bin-tool/pull/1542
* changed windows_tests timeout-minutes to 30 by shoneriki in https://github.com/intel/cve-bin-tool/pull/1576
* refactor: migrate from urllib to requests by BreadGenie in https://github.com/intel/cve-bin-tool/pull/1569
* feat: Add support for Javascript package scanning (Fixes 1453) by anthonyharrison in https://github.com/intel/cve-bin-tool/pull/1548
* New checker: gnome librsvg by yashugarg in https://github.com/intel/cve-bin-tool/pull/1533
* refactor: add type hints in util.py by rhythmrx9 in https://github.com/intel/cve-bin-tool/pull/1572
* ci(pre-commit): add gitlint by BreadGenie in https://github.com/intel/cve-bin-tool/pull/1573
* feat: added libseccomp checker by yashugarg in https://github.com/intel/cve-bin-tool/pull/1556
* ci: run bandit on test code by rhythmrx9 in https://github.com/intel/cve-bin-tool/pull/1579
* feat(checker): libebml checker by rhythmrx9 in https://github.com/intel/cve-bin-tool/pull/1559
* feat(checker): libsolv checker by rhythmrx9 in https://github.com/intel/cve-bin-tool/pull/1562
* ci: switch format_checker to run in ci by rhythmrx9 in https://github.com/intel/cve-bin-tool/pull/1593
* fix: asyncio warnings (1558) by XDRAGON2002 in https://github.com/intel/cve-bin-tool/pull/1592
* fix: windows helper script test (1264) by XDRAGON2002 in https://github.com/intel/cve-bin-tool/pull/1594
* refactor: add type hints in version_scanner.py by rhythmrx9 in https://github.com/intel/cve-bin-tool/pull/1581
* chore: update pre-commit config by github-actions in https://github.com/intel/cve-bin-tool/pull/1566
* refactor: add type hints in strings.py and file.py by rhythmrx9 in https://github.com/intel/cve-bin-tool/pull/1565
* feat: find common strings in CONTAINS_PATTERNS from helper_scripts.py by rhythmrx9 in https://github.com/intel/cve-bin-tool/pull/1586
* feat: retry if NVD API Key is invalid by terriko in https://github.com/intel/cve-bin-tool/pull/1574
* ci: run gitlint on PR title by rhythmrx9 in https://github.com/intel/cve-bin-tool/pull/1597
* fix: entry point error (1323) by XDRAGON2002 in https://github.com/intel/cve-bin-tool/pull/1601
* fix: python 3.10 DeprecationWarnings by rhythmrx9 in https://github.com/intel/cve-bin-tool/pull/1605
* test: disable test_01_nist_scrape in test_cvedb.py by rhythmrx9 in https://github.com/intel/cve-bin-tool/pull/1609
* fix: add dynamic version to egg_updater.py by BenL-github in https://github.com/intel/cve-bin-tool/pull/1606
* fix: mark cli.py as non-executable (fixes 1590) by xiongnemo in https://github.com/intel/cve-bin-tool/pull/1610
* feat: Modified format_checkers to add checker name to dictionary allow by yashugarg in https://github.com/intel/cve-bin-tool/pull/1571
* doc: typo and formatting fixes by Alienmaster in https://github.com/intel/cve-bin-tool/pull/1619
* ci: upgrade black (fixes 1621) by terriko in https://github.com/intel/cve-bin-tool/pull/1622
* fix: Sphinx update 1613 by Alienmaster in https://github.com/intel/cve-bin-tool/pull/1620
* doc: improved findability for issue (1611) by MohitOhlyan in https://github.com/intel/cve-bin-tool/pull/1612
* fix: add explicit setuptools package config by terriko in https://github.com/intel/cve-bin-tool/pull/1625
* doc: improve limitations section (1496) by XDRAGON2002 in https://github.com/intel/cve-bin-tool/pull/1604
* feat: add support for VEX (Fixes 1570) by anthonyharrison in https://github.com/intel/cve-bin-tool/pull/1583
* feat: extractor support for .pkg and .zst packages by yashugarg in https://github.com/intel/cve-bin-tool/pull/1580
* feat: Add XML schema validation (Fixes 1507) by anthonyharrison in https://github.com/intel/cve-bin-tool/pull/1544
* fix: Remove reportlab from default install by terriko in https://github.com/intel/cve-bin-tool/pull/1626
* fix: add None checks to run_java_checker by terriko in https://github.com/intel/cve-bin-tool/pull/1630
* docs: add link to offline guide, rearrange order by terriko in https://github.com/intel/cve-bin-tool/pull/1633
* test: add test for null byte in filename by terriko in https://github.com/intel/cve-bin-tool/pull/1635
* fix: fix egg_updater for installed packages by terriko in https://github.com/intel/cve-bin-tool/pull/1638
* fix: Default to UNKNOWN in java version checker by terriko in https://github.com/intel/cve-bin-tool/pull/1637
* feat: Bump version to 3.1 for release by terriko in https://github.com/intel/cve-bin-tool/pull/1640
* fix: add excel macro filter for csv output by terriko in https://github.com/intel/cve-bin-tool/pull/1634
**Full Changelog**: https://github.com/intel/cve-bin-tool/compare/v3.0...v3.1