I'm on the road and only popping in to keep code reviews and merges moving, so I likely won't work on it in the next 2 weeks and I'm guessing our GSoC folk are busy with their projects. Feel free to dive in!
Description

As briefly discussed in #4058 (this comment and further on), it seems like the gcc checker only reports the first version it found in a file (strings output order-wise). This is not a SBOM library issue as in #4058, it is indeed a lower-level checker part that reports only one version entry.

While preparing this report, I looked at the code and I'm no longer sure this is strictly a bug, as the get_version() code for the Checker base class does not seem to take this case into account at all. There is some preparation for multiple hits in VersionScanner.run_checkers() (lines 262-266 in version_scanner.py as of right now), but by quick inspection there's no checker that returns multiple results (certainly not the gcc one). So please feel free to reclassify this as a feature request.

I have noticed that when running cve-bin-tool on a pintool - an analysis program that runs within the Intel Pin binary instrumentation and analysis framework. There's probably a way to create a smaller binary for tests (e.g., linking together several object files produced by different compiler versions), but it was simpler and faster for me to just use the Pin example.

To reproduce

Steps to reproduce the behaviour:

1. Unpack the downloaded file and cd to source/tools/MyPinTool directory within the unpacked one
2. Run make
3. The compilation will produce a MyPinTool.so file in obj-intel64 subdirectory. A ready-made version is also attached (MyPinTool.tar.gz).
4. Note that strings shows two GCC versions (the older one is from files linked into MyPinTool from Pin's precompiled files, and the newer one is from my host system, Fedora 40):
5. Run cve-bin-tool e.g., like the below, and observe that only one version is reported:

Expected behaviour: both versions, 11.2.0 and 14.1.1, are detected and reported

Actual behaviour: only the first one is

Version/platform info

Output of cve-bin-tool --version: current main as of commit e9f1ea8
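The first-hit versus all-hits difference the report describes, shown as an added example that is not cve-bin-tool's own checker code; the regex and the strings output below are constructed for this illustration and only mimic the MyPinTool case:

```python
import re

# Constructed stand-in for `strings MyPinTool.so` output: two compiler
# versions, the older one appearing first, as in the report (lines are
# made up, not copied from the attached binary).
SAMPLE_STRINGS_OUTPUT = """\
.note.gnu.build-id
GCC: (GNU) 11.2.0
_ZN3LEVEL_PINCLIENT4PIN_InitEv
GCC: (GNU) 14.1.1 20240607 (Red Hat 14.1.1-5)
GCC: (GNU) 11.2.0
.comment
"""

# Assumed pattern for the .comment marker GCC leaves in objects it compiles;
# this is not the project's own VERSION_PATTERNS entry.
GCC_VERSION_PATTERN = re.compile(r"GCC: \(GNU\) (\d+\.\d+\.\d+)")


def first_version(strings_output: str):
    """Behaviour the issue complains about: return on the first match."""
    for line in strings_output.splitlines():
        m = GCC_VERSION_PATTERN.search(line)
        if m:
            return m.group(1)
    return None


def all_versions(strings_output: str):
    """Requested behaviour: every distinct version, in order of first appearance.

    Reporting only the newest (host) compiler hides the older toolchain whose
    statically linked pieces are still in the binary, so the older version is
    the one a vulnerability scan must not drop.
    """
    found = []
    for line in strings_output.splitlines():
        for m in GCC_VERSION_PATTERN.finditer(line):
            version = m.group(1)
            if version not in found:
                found.append(version)
    return found


if __name__ == "__main__":
    print("first only:", first_version(SAMPLE_STRINGS_OUTPUT))
    print("all hits:  ", all_versions(SAMPLE_STRINGS_OUTPUT))
```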