fix: gcc checker does not detect multiple versions in a file #4184

Open
alext-w opened this issue Jun 12, 2024 · 2 comments
Labels
bug Something isn't working

alext-w commented Jun 12, 2024

Description

As briefly discussed in #4058 (this comment and further on), it seems like the gcc checker only reports the first version it found in a file (in strings output order). This is not an SBOM library issue as in #4058; it is indeed a lower-level checker part that reports only one version entry.

While preparing this report, I looked at the code and I'm no longer sure this is strictly a bug, as the get_version() code for the Checker base class does not seem to take this case into account at all. There is some preparation for multiple hits in VersionScanner.run_checkers() (lines 262-266 in version_scanner.py as of right now), but by quick inspection there's no checker that returns multiple results (certainly not the gcc one). So please feel free to reclassify this as a feature request.

I noticed this when running cve-bin-tool on a pintool, an analysis program that runs within the Intel Pin binary instrumentation and analysis framework. There's probably a way to create a smaller binary for tests (e.g., linking together several object files produced by different compiler versions), but it was simpler and faster for me to just use the Pin example.

To reproduce

Steps to reproduce the behaviour:

  1. Download and unpack Intel Pin 3.30: Intel Pin release downloads
  2. Unpack the downloaded file and cd to the source/tools/MyPinTool directory within the unpacked one
  3. Run make
  4. The compilation will produce a MyPinTool.so file in the obj-intel64 subdirectory. A ready-made version is also attached (MyPinTool.tar.gz).
  5. Note that strings shows two GCC versions (the older one is from files linked into MyPinTool from Pin's precompiled files, and the newer one is from my host system, Fedora 40):
    $ strings obj-intel64/MyPinTool.so |grep GNU
    GCC: (GNU) 11.2.0
    GCC: (GNU) 14.1.1 20240607 (Red Hat 14.1.1-5)
    __GNU_EH_FRAME_HDR
  6. Scan the file using cve-bin-tool e.g., like the below, and observe that only one version is reported:
$ cve-bin-tool -l debug -d CURL,EPSS,GAD,OSV,PURL2CPE,REDHAT,RSD --offline --disable-validation-check --disable-version-check source/tools/MyPinTool/obj-intel64/MyPinTool.so
<...>
DEBUG    cve_bin_tool.VersionScanner - Scanning file: /tmp/pin-3.30-98830-g1d7b601b3-gcc-linux/source/tools/MyPinTool/obj-intel64/MyPinTool.so                                                               version_scanner.py:215
           INFO     cve_bin_tool - filename = /tmp/pin-3.30-98830-g1d7b601b3-gcc-linux/source/tools/MyPinTool/obj-intel64/MyPinTool.so                                                                                  version_scanner.py:256
           DEBUG    cve_bin_tool.VersionScanner - /tmp/pin-3.30-98830-g1d7b601b3-gcc-linux/source/tools/MyPinTool/obj-intel64/MyPinTool.so contains gcc 11.2.0                                                          version_scanner.py:283
           DEBUG    cve_bin_tool - ProductInfo(vendor='gnu', product='gcc', version='11.2.0', location='/usr/bin/gcc'): /tmp/pin-3.30-98830-g1d7b601b3-gcc-linux/source/tools/MyPinTool/obj-intel64/MyPinTool.so                   cli.py:1042
           DEBUG    cve_bin_tool.CVEScanner - Known CVEs in ProductInfo(vendor='gnu', product='gcc', version='11.2.0', location='/usr/bin/gcc')                                                                             cve_scanner.py:281
           INFO     cve_bin_tool.CVEScanner - 1 CVE(s) in gnu.gcc version 11.2.0                                                                                                                                            cve_scanner.py:285
[19:01:24] DEBUG    cve_bin_tool.VersionScanner - Done scanning file: /tmp/pin-3.30-98830-g1d7b601b3-gcc-linux/source/tools/MyPinTool/obj-intel64/MyPinTool.so                                                          version_scanner.py:299
           INFO     cve_bin_tool - Overall CVE summary:                                                                                                                                                                            cli.py:1069
           INFO     cve_bin_tool - There are 1 products with known CVEs detected                                                                                                                                                   cli.py:1070
           INFO     cve_bin_tool - Known CVEs in ('gnu.gcc', '11.2.0'):                                                                                                                                                            cli.py:1081
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃                                                                                                     CVE BINARY TOOL version: 3.3.1dev0                                                                                                     ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛

 • Report Generated: 2024-06-12  19:01:24                                                                                                                                                                                                     
 • Time of last update of CVE Data: 2024-06-12  18:34:39                                                                                                                                                                                      
╭─────────────╮
│ CVE SUMMARY │
╰─────────────╯
┏━━━━━━━━━━┳━━━━━━━┓
┃ Severity ┃ Count ┃
┡━━━━━━━━━━╇━━━━━━━┩
│ CRITICAL │ 0     │
│ HIGH     │ 0     │
│ MEDIUM   │ 1     │
│ LOW      │ 0     │
│ UNKNOWN  │ 0     │
└──────────┴───────┘
╭─────────────╮
│ CPE SUMMARY │
╰─────────────╯
┏━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━┓
┃ Vendor ┃ Product ┃ Version ┃ Latest Upstream Stable Version ┃ CRITICAL CVEs Count ┃ HIGH CVEs Count ┃ MEDIUM CVEs Count ┃ LOW CVEs Count ┃ UNKNOWN CVEs Count ┃ TOTAL CVEs Count ┃
┡━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━┩
│ gnu    │ gcc     │ 11.2.0  │ UNKNOWN (offline mode)         │ 0                   │ 0               │ 1                 │ 0              │ 0                  │ 1                │
└────────┴─────────┴─────────┴────────────────────────────────┴─────────────────────┴─────────────────┴───────────────────┴────────────────┴────────────────────┴──────────────────┘
╭─────────────────╮
│  NewFound CVEs  │
╰─────────────────╯
┏━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━┓
┃ Vendor ┃ Product ┃ Version ┃ CVE Number    ┃ Source ┃ Severity ┃ Score (CVSS Version) ┃
┡━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━┩
│ gnu    │ gcc     │ 11.2.0  │ CVE-2023-4039 │ NVD    │ MEDIUM   │ 4.8 (v3)             │
└────────┴─────────┴─────────┴───────────────┴────────┴──────────┴──────────────────────┘
┏━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┓
┃ Vendor ┃ Product ┃ Version ┃ Root               ┃ Filename     ┃
┡━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━┩
│ gnu    │ gcc     │ 11.2.0  │ Root 0 (see below) │ MyPinTool.so │
└────────┴─────────┴─────────┴────────────────────┴──────────────┘


Root 0 : /tmp/pin-3.30-98830-g1d7b601b3-gcc-linux/source/tools/MyPinTool/obj-intel64
╭───────────────────────────────────────────────╮
│  Products with No Identified Vulnerabilities  │
╰───────────────────────────────────────────────╯
┏━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━┓
┃ Vendor ┃ Product ┃ Version ┃
┡━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━┩
└────────┴─────────┴─────────┘

Expected behaviour: both versions, 11.2.0 and 14.1.1, are detected and reported
Actual behaviour: only the first one is

Version/platform info

  • Version of CVE-bin-tool (e.g. output of cve-bin-tool --version): current main as of commit e9f1ea8
  • Installed from: Github
  • Operating system: Fedora 40
  • Python version: 3.12.3
  • Running in any particular CI environment we should know about? (e.g. Github Actions): no
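The multi-version detection this report asks for, as an added example (not cve-bin-tool's own checker code; the regex is an assumption modelled on the two strings lines quoted above): it collects every distinct GCC version from strings(1) output, while a first-hit variant reproduces the single-result behaviour described.

```python
import re
import subprocess
from typing import List

# Assumption: modelled on the "GCC: (GNU) <version> ..." lines quoted in the
# report above, not on cve-bin-tool's own gcc checker pattern. The first
# dotted number after the parenthesised vendor is taken as the version.
GCC_VERSION_RE = re.compile(r"GCC: \([^)]*\) (\d+\.\d+(?:\.\d+)?)")


def first_gcc_version(lines: List[str]) -> str:
    """Single-hit behaviour as reported: stop at the first matching line."""
    for line in lines:
        m = GCC_VERSION_RE.search(line)
        if m:
            return m.group(1)
    return ""


def gcc_versions_in_strings(lines: List[str]) -> List[str]:
    """Expected behaviour: every distinct GCC version, in order of first appearance."""
    seen: List[str] = []
    for line in lines:
        m = GCC_VERSION_RE.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def gcc_versions_in_binary(path: str, min_len: int = 4) -> List[str]:
    """Run strings(1) on a file (needs binutils) and collect all GCC versions."""
    out = subprocess.run(
        ["strings", "-n", str(min_len), path],
        capture_output=True, text=True, check=True,
    ).stdout
    return gcc_versions_in_strings(out.splitlines())


# Constructed sample, mirroring the strings output shown in the report;
# the repeated 11.2.0 line stands in for the duplicates real binaries carry.
SAMPLE_STRINGS = [
    "GCC: (GNU) 11.2.0",
    "GCC: (GNU) 14.1.1 20240607 (Red Hat 14.1.1-5)",
    "__GNU_EH_FRAME_HDR",
    "GCC: (GNU) 11.2.0",
]

if __name__ == "__main__":
    print(first_gcc_version(SAMPLE_STRINGS))       # 11.2.0
    print(gcc_versions_in_strings(SAMPLE_STRINGS))  # ['11.2.0', '14.1.1']
```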
alext-w commented Jul 12, 2024

Any chance this will get looked at any time soon? If not I'll probably need to dive in myself :)

terriko commented Jul 16, 2024

I'm on the road and only popping in to keep code reviews and merges moving, so I likely won't work on it in the next 2 weeks and I'm guessing our GSoC folk are busy with their projects. Feel free to dive in!
