feat(checker): add lvm2 checker for Alma Linux support#5674
Noshadi-sec wants to merge 2 commits into ossf:main from
Conversation
Adds CVE checker for lvm2 (Linux Logical Volume Manager 2), a base OS package in Alma Linux 8/9 not previously covered. Known CVEs: CVE-2020-8991, CVE-2010-2526.
Closes ossf#2761
Pull request overview
Adds a new binary checker for the lvm2 package to improve Alma Linux 8/9 base package coverage, plus a minimal unit test entry to validate filename-based detection.
Changes:
- Introduced a new Lvm2Checker with CONTAINS_PATTERNS, FILENAME_PATTERNS, VERSION_PATTERNS, and VENDOR_PRODUCT.
- Added a test/test_checkers.py parametrized entry for lvm2 filename detection.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| cve_bin_tool/checkers/lvm2.py | New checker implementation for detecting lvm2 and extracting versions. |
| test/test_checkers.py | Adds a filename-detection test case for the new checker. |
| r"lvm", | ||
| r"lvdisplay", | ||
| r"vgdisplay", | ||
| r"pvdisplay", | ||
| r"lvchange", | ||
| r"vgchange", | ||
| r"lvmconfig", |
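Review bot: the first entry `r"lvm"` is a prefix of the last entry `r"lvmconfig"` and of any other basename that begins with "lvm", so without an end anchor every file that `lvmconfig` matches is also attributed to the bare `lvm` pattern, and so is any unrelated file whose name merely starts with "lvm". Anchoring each entry at the end (`lvm$`) and at the start of the basename keeps the list from over-matching, whichever matching call the base class uses.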
Checker.get_versions() uses re.match() against the full path passed in by VersionScanner (e.g. "/usr/sbin/lvm"), so patterns like r"lvm" / r"lvdisplay" won’t match at runtime unless the path happens to start with those strings. Consider updating these filename regexes to allow optional leading directories (e.g., match the basename with (?:^|.*/)), and ideally anchor to the end so you don’t accidentally match unrelated files that merely start with the same prefix.
| r"lvm", | |
| r"lvdisplay", | |
| r"vgdisplay", | |
| r"pvdisplay", | |
| r"lvchange", | |
| r"vgchange", | |
| r"lvmconfig", | |
| r"(?:^|.*/)lvm$", | |
| r"(?:^|.*/)lvdisplay$", | |
| r"(?:^|.*/)vgdisplay$", | |
| r"(?:^|.*/)pvdisplay$", | |
| r"(?:^|.*/)lvchange$", | |
| r"(?:^|.*/)vgchange$", | |
| r"(?:^|.*/)lvmconfig$", |
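To make the review point above concrete, here is a small added example (not code from the PR or from cve-bin-tool) that runs both versions of FILENAME_PATTERNS against a few constructed file names. It assumes, as the comment states, that the checker applies `re.match()` to the full path string; that assumption is encoded in `filename_matches`, and the sample paths are made up for the demonstration.

```python
import re

# FILENAME_PATTERNS exactly as written in the PR's first revision.
UNANCHORED_PATTERNS = [
    r"lvm",
    r"lvdisplay",
    r"vgdisplay",
    r"pvdisplay",
    r"lvchange",
    r"vgchange",
    r"lvmconfig",
]

# FILENAME_PATTERNS as proposed in the review suggestion: optional leading
# directories, and each name anchored at the end of the string.
ANCHORED_PATTERNS = [
    r"(?:^|.*/)lvm$",
    r"(?:^|.*/)lvdisplay$",
    r"(?:^|.*/)vgdisplay$",
    r"(?:^|.*/)pvdisplay$",
    r"(?:^|.*/)lvchange$",
    r"(?:^|.*/)vgchange$",
    r"(?:^|.*/)lvmconfig$",
]


def filename_matches(patterns, path):
    """True if any pattern matches `path` the way the review comment describes
    the checker doing it: re.match() against the full path string.
    (Assumption for this example, not taken from cve-bin-tool's own code.)"""
    return any(re.match(pattern, path) for pattern in patterns)


def matching_patterns(patterns, path):
    """Every pattern that fires for `path`; more than one means over-matching."""
    return [pattern for pattern in patterns if re.match(pattern, path)]


# Constructed inputs: the bare basename used in the PR's test, the path form the
# scanner presents, and names that merely start with "lvm".
SAMPLE_PATHS = [
    "lvm",                 # bare basename, as in the test entry
    "usr/sbin/lvm",        # path as an extracted package would present it
    "/usr/sbin/lvmconfig", # absolute path to another lvm2 tool
    "lvmconfig",           # bare basename that starts with "lvm"
    "lvmpolld",            # constructed: unrelated-looking name starting with "lvm"
]


def compare(paths=SAMPLE_PATHS):
    """Map each path to (unanchored result, anchored result)."""
    return {
        path: (
            filename_matches(UNANCHORED_PATTERNS, path),
            filename_matches(ANCHORED_PATTERNS, path),
        )
        for path in paths
    }


if __name__ == "__main__":
    for path, (loose, strict) in compare().items():
        print(
            f"{path:22} unanchored={loose!s:5} anchored={strict!s:5} "
            f"unanchored hits={matching_patterns(UNANCHORED_PATTERNS, path)}"
        )
```

Run as a script it shows the two failure modes side by side: the unanchored list misses `usr/sbin/lvm` entirely (the `lvm` pattern only matches at offset 0) while firing on anything that begins with "lvm", and for a bare `lvmconfig` both `lvm` and `lvmconfig` fire; the anchored list matches the same binaries with or without a directory prefix and fires exactly once.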
| ("libnss", "libnss.so.1.0", ["nss"]), | ||
| ("libtiff", "libtiff.so.1.0", ["tiff"]), | ||
| ("lighttpd", "lighttpd", ["lighttpd"]), | ||
| ("lvm2", "lvm", ["lvm2"]), |
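Review bot: the single input `"lvm"` is accepted by both an unanchored prefix pattern and a properly anchored one, so this entry cannot tell the two apart and would keep passing even with the over-matching patterns in place. A second case carrying a directory component, the form the scanner actually presents, and, if the harness allows negative cases, a basename that only starts with "lvm", would give the test some discriminating power.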
This filename-based test currently uses just "lvm", but extracted package contents are typically scanned with paths (e.g. usr/sbin/lvm). Once the checker’s FILENAME_PATTERNS are updated to handle paths, it would be good to add/adjust this test case to include a representative path segment so the test matches real scanner inputs.
| ("lvm2", "lvm", ["lvm2"]), | |
| ("lvm2", "usr/sbin/lvm", ["lvm2"]), |
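Review bot: the suggestion replaces the bare `"lvm"` case instead of adding to it. Since the proposed `(?:^|.*/)` prefix is meant to accept a bare basename as well as a path, keep both entries so that each form stays covered by the parametrized test.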
Thanks for this PR,
Summary
Adds a new CVE checker for lvm2 (Linux Logical Volume Manager 2), a base OS package in Alma Linux 8/9 not currently covered by cve-bin-tool.
Motivation
Identified while investigating Alma Linux base package coverage as requested in #2761. lvm2 has several known CVEs:
Changes
- cve_bin_tool/checkers/lvm2.py with CONTAINS, FILENAME, VERSION patterns
- test/test_checkers.py

Closes #2761