GsoC 2025 project idea: No-scan mode #4806

Open
terriko opened this issue Feb 12, 2025 · 1 comment
Open

GsoC 2025 project idea: No-scan mode #4806

terriko opened this issue Feb 12, 2025 · 1 comment
Labels
gsoc Tasks related to our participation in Google Summer of Code

Comments

@terriko
Copy link
Contributor

terriko commented Feb 12, 2025

cve-bin-tool: No-scan mode

Project description

CVE Binary Tool was designed as a vulnerability scanner, but it can also be used to generate component lists and SBOMs. Some of our users have expressed an interest in having a mode where CVE-bin-tool generates SBOMs without requiring one to download and use vulnerability data. The current database takes around 2.5G of space and 20 minutes to download and process on a fast system with a lot of RAM, so it's rather understandable that people would want to skip that.

This will require some major refactoring of our database and the order in which things are done, including potentially:

  1. Appropriate documentation and tests. We recommend writing these first, as documentation will help you get feedback from actual users and tests can help you do test-driven development.
  2. Major refactoring to separate our component identification parts from our vulnerability identification parts. Right now they're pretty intermixed.
  3. The ability to generate reports / SBOMs without making database calls at all
  4. Report changes so we don't claim to have found 0 CVEs when in fact no one even looked it up

You may want to take a look at how our --offline mode works as well, not because it's a perfect example (it will also need to be refactored) but because it'll help you see the places where we're going to have problems.

This project is going to be HARD. We'll expect some proposed new architecture diagrams as part of your proposal and ideally you'll have at least a few bigger pull requests under your belt before you start this project, and you're going to need to find a way to break this project up into much smaller pieces that can be merged without breaking the tool as it stands, which is not easy. Expect that you will need to merge at least some code every week.

Related reading

Skills

  • python
  • sqlite
  • network communication
  • software security: knowledge of how software vulnerabilities are triaged, mitigated and solved would be very helpful here. (you can learn some of this as you go but it's worth doing some background reading to help inform your design choices)

Difficulty level

  • hard
  • You're really going to have to understand how cve-bin-tool works and be prepared to challenge our older architecture decisions in order to make this work.

Project Length

  • 350 hours (e.g. full-time for 10 weeks or part-time for longer)
  • It would be possible to do part of this project in a 175 hour project, but we may prefer candidates who have the time to do more assuming similar levels of ability

Mentor

  • The primary mentor for this project will likely be @terriko but @anthonyharrison will also have a lot of feedback and recommendations about architecture changes. Please ask all questions on this issue rather than sending email so you can benefit from the expertise of other contributors and mentors. (Terri's email gets swamped regularly by other work concerns and it's likely she will miss emails sent during the GSoC period, but she will answer questions asked in public on this issue or in our gitter chat.)

GSoC Participants Only

This issue is a potential project idea for GSoC 2025, and is reserved for completion by a selected GSoC contributor. Please do not work on it outside of that program. If you'd like to apply to do it through GSoC, please start by reading #4712.
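One way the separation called for in items 2 to 4 could be shaped, as an added sketch that is not cve-bin-tool's code (all names, the toy checker and the CycloneDX `scan_status` property are assumptions): component identification runs with no database at all, the vulnerability lookup is an optional stage, and the report says "not checked" instead of "0 CVEs" when nothing was looked up.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional

class ScanStatus(Enum):
    NOT_SCANNED = "not_scanned"  # no-scan mode: vulnerability data never consulted
    SCANNED = "scanned"
@dataclass
class Component:
    name: str
    version: str
@dataclass
class Report:
    components: list[Component]
    status: ScanStatus
    cves: dict[str, list[str]] = field(default_factory=dict)  # empty unless SCANNED

# Hypothetical lookup interface (component -> CVE ids); only scan mode ever calls it.
VulnLookup = Callable[[Component], list[str]]

def identify_components(strings: list[str]) -> list[Component]:
    # Identification needs no database. Constructed toy checker: "<name>/<version>".
    found = []
    for s in strings:
        name, sep, version = s.partition("/")
        if sep and version[:1].isdigit():
            found.append(Component(name, version))
    return found

def build_report(components: list[Component], lookup: Optional[VulnLookup] = None) -> Report:
    # No lookup given: status is explicitly NOT_SCANNED rather than "0 CVEs".
    if lookup is None:
        return Report(components, ScanStatus.NOT_SCANNED)
    return Report(components, ScanStatus.SCANNED,
                  {f"{c.name}@{c.version}": lookup(c) for c in components})

def summary_line(report: Report) -> str:
    n = len(report.components)
    if report.status is ScanStatus.NOT_SCANNED:
        return f"{n} components identified; vulnerabilities not checked (no-scan mode)"
    return f"{n} components identified; {sum(map(len, report.cves.values()))} CVEs found"

def to_sbom(report: Report) -> dict:
    # Minimal CycloneDX-style document; the scan status travels with the SBOM.
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"properties": [{"name": "scan_status", "value": report.status.value}]},
        "components": [{"type": "library", "name": c.name, "version": c.version}
                       for c in report.components],
    }
```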

joydeep049 (Contributor) commented:

Hello @terriko, @anthonyharrison
Having spent so much time contributing to cve-bin-tool, this project is very interesting and it makes a lot of sense if we are able to achieve a perfect no-scan mode.
I'm gonna look into this a bit more in detail and come back with some questions and design suggestions.

Thank you!
