improve usability for folk trying to scan component lists who forgot --input file #1649

Closed
terriko opened this issue Apr 28, 2022 · 2 comments · Fixed by #1668
Labels: discussion (Discussion thread or meeting minutes that may not have any trivially fixable code issues associated), enhancement (New feature or request)
Milestone: 3.2

Comments

@terriko
Contributor

terriko commented Apr 28, 2022

Right now, if you try to do cve-bin-tool componentlist.csv, then cve-bin-tool attempts to do a binary scan on the file you specified. Since .csv isn't a binary file or a recognized package type, it then skips the file (effectively doing nothing) and tells you no CVEs were found.

Probably what you wanted was for it to scan the list of components inside that .csv file, though. This used to be pretty obvious when we used a separate utility (csv2cve), but now that we handle a lot of different BOM files that wouldn't make sense.

Some possible resolutions, which could be combined:

  1. Print a warning message (preferably at the end of output) if the file specified looks like one of our valid input file types.
  2. Print a warning message (preferably at the end of output) if the file specified looks like any sort of text file that we aren't going to get a good binary scan for.
  3. If it's a valid input file, scan it as an input file even if --input-file wasn't specified (beware how this is done so we don't also start scanning random files in archives or directories. This needs to trigger only when a single file is specified.)
  4. Provide a separate utility similar to csv2cve but with a more inclusive name (cve-list-scan-tool ?) to help people avoid this mistake. csv2cve is basically syntactic sugar (it calls the same code but looks "prettier") and I don't mind providing that if it will help people minimize mistakes or make it easier for people to understand that the "bin" part of cve-bin-tool is now optional.

Thoughts? I'd like to see a warning message at minimum, but I sort of feel like 3 & 4 are probably bigger upgrades to the user experience.

@terriko terriko added enhancement New feature or request discussion Discussion thread or meeting minutes that may not have any trivially fixable code issues associated labels Apr 28, 2022
@terriko terriko added this to the 3.2 milestone Apr 28, 2022
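One way the checks in resolutions 1 to 3 could be wired together, as an added example rather than cve-bin-tool's own code: a classifier that looks at a single positional target and reports whether it is a binary, a file that looks like one of the supported component-list inputs, or some other text file, plus the end-of-run hint built from that result. The assumed formats are the CSV component list with vendor, product and version header columns and a JSON SBOM with a top-level "components" list (CycloneDX style); the function names and the exact hint wording are made up for this example, and the sample inputs are constructed inline.

```python
"""Heuristic detection of a scan target that was probably meant as --input-file.

Added example, not cve-bin-tool's own code. Assumptions: the CSV component
list has a header row with vendor, product and version columns, and a JSON
SBOM carries a top-level "components" list (CycloneDX-style). Function
names (classify_bytes, classify_path, hint_for, advise) are hypothetical.
"""
import csv
import io
import json
import os
from pathlib import Path
from typing import List, Optional

BINARY = "binary"
COMPONENT_LIST = "component-list"
TEXT = "text"

# Header columns the CSV detector requires (assumed format of the CSV input).
CSV_REQUIRED = {"vendor", "product", "version"}
# Sample window: large enough to see a header row and to catch NUL bytes.
SAMPLE_BYTES = 8192


def classify_bytes(name: str, data: bytes) -> str:
    """Return BINARY, COMPONENT_LIST or TEXT for a file's name and contents."""
    sample = data[:SAMPLE_BYTES]
    # A NUL byte in the first few KiB is a reliable sign of a non-text file
    # (ELF, PE, archives): a binary scan is what the user wanted, say nothing.
    if b"\x00" in sample:
        return BINARY
    try:
        text = sample.decode("utf-8")
    except UnicodeDecodeError:
        return BINARY
    suffix = Path(name).suffix.lower()
    if suffix == ".csv":
        header = next(csv.reader(io.StringIO(text)), [])
        columns = {col.strip().lower() for col in header}
        if CSV_REQUIRED <= columns:
            return COMPONENT_LIST
    elif suffix == ".json":
        try:
            doc = json.loads(data.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            return TEXT
        if isinstance(doc, dict) and isinstance(doc.get("components"), list):
            return COMPONENT_LIST
    # Text we cannot place: the binary scan will skip it, so still worth a hint.
    return TEXT


def classify_path(path: str) -> str:
    with open(path, "rb") as fh:
        return classify_bytes(os.path.basename(path), fh.read())


def hint_for(target: str, kind: str) -> Optional[str]:
    """The end-of-output warning from resolutions 1 and 2; None for real binaries."""
    if kind == COMPONENT_LIST:
        return (f"{target} looks like a component list; did you mean "
                f"cve-bin-tool --input-file {target}?")
    if kind == TEXT:
        return (f"{target} is a text file, so the binary scan had nothing to check; "
                f"if it lists components, pass it with --input-file.")
    return None


def advise(targets: List[str], input_file_given: bool) -> Optional[str]:
    """Only fire for exactly one positional target that is a regular file and no
    -i/--input-file, so directory walks and archive contents never trigger it
    (the caveat from resolution 3)."""
    if input_file_given or len(targets) != 1:
        return None
    target = targets[0]
    if not os.path.isfile(target):
        return None
    return hint_for(target, classify_path(target))


if __name__ == "__main__":
    # Constructed samples standing in for files a user might pass by mistake.
    samples = {
        "componentlist.csv": b"vendor,product,version\ncurl,curl,7.80.0\n",
        "bom.json": b'{"bomFormat": "CycloneDX", "components": []}',
        "notes.csv": b"name,count\nfoo,1\n",
        "a.out": b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16,
    }
    for filename, contents in samples.items():
        kind = classify_bytes(filename, contents)
        print(f"{filename}: {kind} -> {hint_for(filename, kind)}")
```

The NUL-byte test is deliberately conservative: anything that might be a real binary gets no hint, so the warning never fires on a target the binary scanner could actually handle, while a header-less or unrecognised text file still gets the weaker "nothing to check" message from resolution 2.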
@cheekety

cheekety commented May 2, 2022

A warning message based on the file type would be good. I would like to work on this.

@XDRAGON2002
Contributor

I also believe 3 would be a better option; maybe have both 1 & 3, letting the user know that the scan has been performed based on the file without the -i parameter, similar to how search engines have "maybe you meant _ instead of _".
