CVE Binary Tool Docker Image

Sahil
5 min read · Aug 20, 2021

The CVE Binary Tool scans for several common, vulnerable open source components such as OpenSSL, libpng, libxml2, and expat to let you know if a given directory or binary file includes common libraries with known vulnerabilities, known as CVEs (Common Vulnerabilities and Exposures). It is also available as a Python package from PyPI.

GitHub link: https://github.com/intel/cve-bin-tool/

Docker Container & Image

A Docker container is a running instance of an image. You can use Command Line Interface (CLI) commands to run, start, stop, move, or delete a container. You can also provide configuration for the network and environment variables. A Docker container is an isolated and secure application platform, but it can share and access resources running in a different host or container.

An image is a read-only template with instructions for creating a Docker container. A Docker image is described in a text file called a Dockerfile, which has a simple, well-defined syntax. An image has no state and never changes. Docker Engine provides the core Docker technology that enables images and containers.

How to create a Docker image for CVE Binary Tool?

Docker images can be very helpful. They provide a convenient way to package up applications and preconfigured environments, which you can use privately or share publicly with other Docker users.

We are going to create a Dockerfile of cve_bin_tool for demonstration purposes. You can use the same recipe to create your custom Docker image.

Create a Dockerfile

To create your Docker image, we first have to create a Dockerfile in the root of the repository, containing the necessary information to create the environment.

Start by setting the Python base image for our container, which for this example will be python:3.8-slim-buster.
You can choose whatever suits you best. Some Python base images can be found here.

FROM python:3.8-slim-buster

Add some Python environment variables to get rid of .pyc generation and to turn off buffering. (Optional)

# Keeps Python from generating .pyc files in the container
ENV PYTHONDONTWRITEBYTECODE=1

# Turns off buffering for easier container logging
ENV PYTHONUNBUFFERED=1

Now, set the working directory for our project inside our Docker container. Let's name it 'cve_bin_tool'.

WORKDIR /cve_bin_tool

Install CVE Binary Tool inside your Docker image:

RUN python -m pip install cve-bin-tool

Alternatively, you can also choose to install the development version from GitHub. (You will have to install git inside your Docker image.)

RUN apt update && apt install -y git
# or install using GitHub
RUN python -m pip install git+https://github.com/intel/cve-bin-tool

Finally, let's run CVE Binary Tool to fetch CVE data from NVD.

RUN python -m cve_bin_tool.cli -u now -e / /

We have specified -e / / because we only want to fetch the CVE entries from NVD: the whole filesystem is excluded, so nothing is actually scanned during the build. You can change this as per your requirement.

Set up your Docker container to fetch the NVD data every time you start a container from your Docker image by using:

CMD ["python","-m","cve_bin_tool.cli","cve_bin_tool"]

For doing everything manually, use:

CMD ["/bin/bash"]

Your Dockerfile will look something like this:

Development version (installation using GitHub):

To build the image simply run:

docker build ${cve-bin-tool} -t "cve-bin-tool:latest"

Here ${cve-bin-tool} is the directory path to your Dockerfile, "cve-bin-tool" is the name of your Docker image, and "latest" is the tag.

How to use the Docker image

If you want to mount a directory into your Docker container while starting it, simply use:

docker run -it -v ${directory_to_scan}:${directory_in_docker} cve-bin-tool

Here ${directory_to_scan} is the path to the directory on your host machine which you want to scan, and ${directory_in_docker} is the path inside the container where you mount the above directory. The last argument is the name of the image we built above. For us, it will be —

docker run -it -v /home/scan_this_code:/cve_bin_tool cve-bin-tool

The --interactive (-i) flag keeps STDIN open, while --tty (-t) allocates a pseudo-TTY. In layman's terms, the Docker container will be opened as an interactive instance. Without these flags, the container will execute in the background and you won't be able to run any other commands inside it.

You can also create a docker-compose file with all this configuration.

Create a Docker Compose File

Docker Compose is a tool for running multi-container applications on Docker defined using the Compose file format. A Compose file is used to define how the one or more containers that make up your application are configured.

We are going to create a docker-compose file with all the configurations that we need while initializing the docker image. This way we won’t have to mount the scan directory every time.

  • The version tag is used to define the Compose file format. You can read more from here.
  • services — We have to define the services we want to use for our application. For my application, I only have one service called cve_bin_tool.
  • The stdin_open and tty tags are used to keep my container running. This works the same as the -it flag pair we discussed earlier.
  • environment contains any environment variables. We are updating the time zone of our Docker image.
  • image specifies the Docker image and the tag for which you are building the docker-compose file.
  • volumes — Volumes are the preferred mechanism for persisting data generated by and used by Docker containers (from the host machine to the container). Read more about volumes and mounts here.
  • Finally, command contains your default configuration for cve-bin-tool. Here, we have enabled incremental updates and provided the default scanning directory. You can also persist the .cache directory and the database by specifying their paths in volumes.

You can read the detailed documentation about docker-compose here.
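The post's screenshots of the finished Dockerfile and docker-compose file are missing here, so the following added example (my own script, not code from the post or the cve-bin-tool project) writes both files, assembled from the fragments above, into one directory. The host path /home/scan_this_code, the TZ value, the named cache volume, the cache path under /root and the "-u daily" update mode are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example (not from the post): writes the Dockerfile and
# docker-compose.yml assembled from the fragments above into one directory.
set -eu

write_cve_bin_tool_files() {
  target_dir="$1"
  mkdir -p "$target_dir"

  # Dockerfile: the steps from the post, using the PyPI release.
  cat > "$target_dir/Dockerfile" <<'EOF'
FROM python:3.8-slim-buster
ENV PYTHONDONTWRITEBYTECODE=1
ENV PYTHONUNBUFFERED=1
WORKDIR /cve_bin_tool
RUN python -m pip install cve-bin-tool
# Fetch the NVD data at build time; "-e / /" excludes everything, so no scan runs.
RUN python -m cve_bin_tool.cli -u now -e / /
CMD ["python", "-m", "cve_bin_tool.cli", "/cve_bin_tool"]
EOF

  # Compose file: host path, TZ value, named cache volume, cache path and
  # "-u daily" are assumptions chosen for this example.
  cat > "$target_dir/docker-compose.yml" <<'EOF'
version: "3.8"
services:
  cve_bin_tool:
    image: cve-bin-tool:latest
    build: .
    stdin_open: true
    tty: true
    environment:
      - TZ=UTC
    volumes:
      - /home/scan_this_code:/cve_bin_tool
      - cve_cache:/root/.cache/cve-bin-tool
    command: ["python", "-m", "cve_bin_tool.cli", "-u", "daily", "/cve_bin_tool"]
volumes:
  cve_cache:
EOF
}

# Default output directory when run as a script.
write_cve_bin_tool_files "${1:-cve-bin-tool-docker}"
```

Running `docker-compose up` in the generated directory builds the image and scans the mounted host directory with the persisted NVD cache; `docker-compose run cve_bin_tool /bin/sh` gives you a shell instead.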

Once you have a Compose file, you can create and start your application with a single command:

docker-compose up

# For an interactive instance, use:
docker-compose run cve_bin_tool /bin/sh

Terminate your Docker instance by simply using:

docker-compose down

You can apply the same approach to build Docker images for other Python projects.

Check out my instances of Docker images:

docker run -it imsahil007/cve-bin-tool:latest
#or
docker run -it imsahil007/cve-bin-tool:dev

Links:
