Merge branch 'main' into triage-process

mastersans · Aug 8, 2024 · 49f9d9e · 49f9d9e
2 parents 0171b4b + 7abee04
commit 49f9d9e
Show file tree

Hide file tree

Showing 52 changed files with 3,103 additions and 2,214 deletions.
diff --git a/.github/actions/spelling/allow.txt b/.github/actions/spelling/allow.txt
@@ -40,6 +40,7 @@ bcca
 bdbd
 bdist
 bestpractices
+bfb
 bhargavh
 bigbird
 bind
@@ -67,8 +68,10 @@ bzip
 c
 cabextract
 capnproto
+cbt
 CDNs
 ceph
+cfa
 cfea
 cff
 chaitanyamogal
@@ -136,6 +139,8 @@ dgst
 dhclient
 dhcpcd
 dhcpd
+dio
+Dio
 distro
 distros
 dmidecode
@@ -175,6 +180,7 @@ exiv
 expat
 exploitability
 Exploitablity
+extenstion
 f
 faad
 facebook
@@ -192,6 +198,7 @@ filterdiv
 firefox
 flac
 fluidsynth
+flutterchina
 freeradius
 freerdp
 FReeshabh
@@ -217,6 +224,7 @@ Gemfiles
 geopy
 getenv
 gettext
+GHSA
 gimp
 Giridhar
 git
@@ -386,6 +394,7 @@ lz
 mailx
 malloc
 malware
+Management
 Manjaro
 mariadb
 mariuszskon
@@ -427,14 +436,16 @@ msys
 mtr
 mupdf
 mutt
+myapp
+myappvendor
 myfork
 mypy
 mysource
 mysql
 Mystylesheet
 MYUSERNAME
-namespaces
 namespace
+namespaces
 nano
 nasm
 nbd
@@ -463,6 +474,7 @@ noreferrer
 nosec
 nowdailynever
 nplurals
+npm
 ntfs
 ntia
 ntp
@@ -570,6 +582,7 @@ renv
 reportlab
 requirementstxt
 rhythmrx
+Rishabh
 Romi
 rossburton
 rpm
@@ -652,6 +665,7 @@ tesseract
 testfiles
 tgz
 thrift
+throughout
 thttpd
 thunderbird
 timeline
@@ -696,9 +710,11 @@ utf
 util
 utkarsh
 utm
+uuid
 varnish
 venv
 VEXs
+vextype
 vfy
 vim
 virtualenv
@@ -709,6 +725,7 @@ Vorbis
 vorbis
 VPkg
 vsftpd
+Vulnerability
 Vulnerabity
 vulnerablities
 vulnerablity

diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt
@@ -1,12 +1,5 @@
 Interoperability
-csvjsonconsolehtml
 cyclonedx
-nvdjson
-mirrorapiapi
-jsonapi
-jsonapiapi
-lowmediumhighcritical
-nowdailyneverlatest
 rdf
 sbom
 spdx

diff --git a/.github/workflows/build-wheel.yml b/.github/workflows/build-wheel.yml
@@ -10,7 +10,7 @@ on:
 jobs:
   build:
     name: Build wheel
-    runs-on: ubuntu-latest
+    runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
     permissions:
       id-token: write
       attestations: write

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -26,7 +26,7 @@ permissions:
 jobs:
   analyze:
     name: Analyze
-    runs-on: ubuntu-22.04
+    runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
     permissions:
       actions: read
       contents: read
@@ -51,7 +51,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3.25.12
+      uses: github/codeql-action/init@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -76,4 +76,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3.25.12
+      uses: github/codeql-action/analyze@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
@@ -11,7 +11,7 @@ permissions:
 
 jobs:
   coverity:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
     steps:
     - name: Harden Runner
       uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0

diff --git a/.github/workflows/cve_bin_tool_action.yml b/.github/workflows/cve_bin_tool_action.yml
@@ -11,7 +11,7 @@ jobs:
   scan:
     permissions:
       security-events: write
-    runs-on: ubuntu-latest
+    runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
     steps:
       - uses: intel/cve-bin-tool-action@main
         with:

diff --git a/.github/workflows/cve_scan.yml b/.github/workflows/cve_scan.yml
@@ -11,8 +11,8 @@ permissions:
 jobs:
   cve_scan:
     name: CVE scan on dependencies
-    runs-on: ubuntu-22.04
-    timeout-minutes: 10
+    runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
+    timeout-minutes: 30
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -14,7 +14,7 @@ permissions:
 
 jobs:
   dependency-review:
-    runs-on: ubuntu-22.04
+    runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0

diff --git a/.github/workflows/formatting.yml b/.github/workflows/formatting.yml
@@ -16,7 +16,7 @@ jobs:
       contents: write  # for peter-evans/create-pull-request to create branch
       pull-requests: write  # for peter-evans/create-pull-request to create a PR
     name: Update checkers table
-    runs-on: ubuntu-22.04
+    runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0

diff --git a/.github/workflows/fuzzing.yml b/.github/workflows/fuzzing.yml
@@ -12,7 +12,7 @@ permissions:
 jobs:
   fuzzing:
     name: Fuzzing
-    runs-on: ubuntu-22.04
+    runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
     if: github.event.repository.fork == false   
     steps:
       - name: Check out code  

diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
@@ -11,7 +11,7 @@ permissions:
 jobs:
   linting:
     name: Linting
-    runs-on: ubuntu-22.04
+    runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
     strategy:
       fail-fast: false
       matrix:

diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
@@ -16,7 +16,7 @@ jobs:
       pull-requests: write  # for peter-evans/create-pull-request to create a PR
     name: Generate SBOM
     if: github.repository == 'intel/cve-bin-tool'  # for SBOM generation on forks
-    runs-on: ubuntu-22.04
+    runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
     strategy:
       matrix:
         python: ['3.8', '3.9', '3.10', '3.11', '3.12']

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -15,7 +15,7 @@ permissions: read-all
 jobs:
   analysis:
     name: Scorecard analysis
-    runs-on: ubuntu-22.04
+    runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
     permissions:
       security-events: write
       id-token: write
@@ -32,7 +32,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
         with:
           results_file: results.sarif
           results_format: sarif

diff --git a/.github/workflows/spelling.yml b/.github/workflows/spelling.yml
@@ -11,7 +11,7 @@ jobs:
       contents: read
       pull-requests: read
       actions: read
-    runs-on: ubuntu-22.04
+    runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
     steps:
     - name: Harden Runner
       uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0

diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
@@ -36,7 +36,7 @@ jobs:
           github.head_ref
         )
       )
-    runs-on: ubuntu-22.04
+    runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
@@ -69,11 +69,11 @@ jobs:
     name: Linux tests
     permissions:
       contents: read
-    runs-on: ubuntu-22.04
+    runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
     strategy:
       matrix:
         python: ['3.8', '3.9', '3.11', '3.12']
-    timeout-minutes: 60
+    timeout-minutes: 90
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
@@ -197,8 +197,8 @@ jobs:
           github.head_ref
         )
       )
-    runs-on: ubuntu-22.04
-    timeout-minutes: 90
+    runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
+    timeout-minutes: 120
     env:
       LONG_TESTS: 1
     steps:
@@ -359,7 +359,7 @@ jobs:
           github.head_ref
         )
       )
-    runs-on: ubuntu-22.04
+    runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
     timeout-minutes: 45
     env:
       EXTERNAL_SYSTEM: 1

diff --git a/.github/workflows/update-cache.yml b/.github/workflows/update-cache.yml
@@ -23,7 +23,7 @@ jobs:
   linux:
     if: github.repository == 'intel/cve-bin-tool'
     name: Update linux cached database
-    runs-on: ubuntu-20.04
+    runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
     timeout-minutes: 60
     steps:
       - name: Harden Runner

diff --git a/.github/workflows/update-js-dependencies.yml b/.github/workflows/update-js-dependencies.yml
@@ -18,7 +18,7 @@ jobs:
     permissions:
       contents: write  # for peter-evans/create-pull-request to create branch
       pull-requests: write  # for peter-evans/create-pull-request to create a PR
-    runs-on: ubuntu-20.04
+    runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
 
     steps:
       - name: Harden Runner

diff --git a/.github/workflows/update-pre-commit.yml b/.github/workflows/update-pre-commit.yml
@@ -18,7 +18,7 @@ jobs:
     permissions:
       contents: write  # for peter-evans/create-pull-request to create branch
       pull-requests: write  # for peter-evans/create-pull-request to create a PR
-    runs-on: ubuntu-20.04
+    runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
 
     steps:
       - name: Harden Runner

diff --git a/.github/workflows/update-spdx-header.yml b/.github/workflows/update-spdx-header.yml
@@ -19,7 +19,7 @@ jobs:
       contents: write  # for peter-evans/create-pull-request to create branch
       pull-requests: write  # for peter-evans/create-pull-request to create a PR
     name: Update spdx header
-    runs-on: ubuntu-20.04
+    runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
 
     steps:
       - name: Harden Runner

diff --git a/.github/workflows/validate-yml.yml b/.github/workflows/validate-yml.yml
@@ -8,7 +8,7 @@ on:
 
 jobs:
   validate-yml:
-    runs-on: ubuntu-latest
+    runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
 
     steps:
       - name: Harden Runner

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -20,7 +20,7 @@ repos:
       exclude: ^fuzz/generated/
 
 -   repo: https://github.com/asottile/pyupgrade
-    rev: v3.16.0
+    rev: v3.17.0
     hooks:
     - id: pyupgrade
       exclude: ^fuzz/generated/
@@ -45,7 +45,7 @@ repos:
     - id: gitlint
 
 -   repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v1.10.1
+    rev: v1.11.1
     hooks:
     - id: mypy
       additional_dependencies:

diff --git a/dev-requirements.txt b/dev-requirements.txt
@@ -2,13 +2,13 @@ black==24.4.2
 isort; python_version < "3.8"
 isort==5.13.2; python_version >= "3.8"
 pre-commit; python_version <= "3.8"
-pre-commit==3.7.1; python_version > "3.8"
+pre-commit==3.8.0; python_version > "3.8"
 flake8; python_version < "3.8"
 flake8==7.1.0; python_version >= "3.8"
 bandit==1.7.9
 gitlint==v0.19.1
 interrogate
-mypy==v1.10.1
+mypy==v1.11.1
 pytest>=7.2.0
 pytest-xdist
 pytest-cov

diff --git a/doc/MANUAL.md b/doc/MANUAL.md
@@ -858,7 +858,7 @@ The type of SBOM is assumed to be SPDX unless specified using the `--sbom` optio
 This option is used as a part of a filtering/triaging process using Vulnerablity Exploitability eXchange (VEX) file. The tool supports VEX files in given formats including
 [CSAF](https://oasis-open.github.io/csaf-documentation/), [CycloneDX](https://cyclonedx.org/capabilities/vex/) and [OpenVEX](https://edu.chainguard.dev/open-source/sbom/what-is-openvex/)
 
-| SBOM Type | Format   | Filename extension |
+| VEX Type  | Format   | Filename extension |
 | --------- | -------- | ------------------ |
 | CycloneDX | JSON     | .json              |
 | CSAF      | JSON     | .json              |

diff --git a/doc/images/filter-triage.png b/doc/images/filter-triage.png
diff --git a/doc/images/standalone-triage.png b/doc/images/standalone-triage.png