Manually bind vulnerabilities to software components

In this tutorial, we will use CVEScan's manual_binds connector to attach vulnerabilities that would otherwise go unidentified to given software components.

Create binds configurations

We will start by creating a manual_binds.yml file in your working directory and defining a first vulnerability in it, together with the software components it impacts.

manual_binds.yml

```yaml
CVE-2024-8176:
  "expat":
    description: "This is a manual bind for expat"
    version_criteria:
      - ">=": "1.95.0"
```

You can see that binds are indexed by vulnerability, then by software component. Each component can then define one or more impacted configurations under version_criteria, as the extended example below shows.

manual_binds.yml

```yaml
CVE-2024-8176:
  "expat":
    description: "This is a manual bind for expat"
    version_criteria:
      - ">=": "1.95.0"
  "libexpat":
    description: "This is a manual bind for libexpat"
    version_criteria:
      - ">=": "1.95.0"
        "<": "2.2.2"
      - "2.3.0"
```
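To make the shape of the binds file concrete, the following added example (not CVEScan's own code) evaluates binds like the ones above against a component name and version, the way a matching step would. The bind data is a Python literal mirroring the manual_binds.yml shown in this tutorial; the matching semantics are assumptions drawn from that example: every operator in a mapping entry must hold (a version range), a bare string is an exact version, and the entries of the list are alternatives. The set of supported operators and the purely numeric version parsing are likewise assumptions.

```python
"""Evaluate manual binds against a component@version (added example).

Not CVEScan code. MANUAL_BINDS mirrors the tutorial's manual_binds.yml
as a Python literal; the matching semantics below are assumptions.
"""
import operator

# Constructed: same content as the tutorial's manual_binds.yml.
MANUAL_BINDS = {
    "CVE-2024-8176": {
        "expat": {
            "description": "This is a manual bind for expat",
            "version_criteria": [{">=": "1.95.0"}],
        },
        "libexpat": {
            "description": "This is a manual bind for libexpat",
            "version_criteria": [
                {">=": "1.95.0", "<": "2.2.2"},  # range: both bounds must hold
                "2.3.0",                          # exact version
            ],
        },
    },
}

# Comparison operators a version_criteria entry may use (assumed set).
OPERATORS = {
    ">=": operator.ge, ">": operator.gt,
    "<=": operator.le, "<": operator.lt,
    "==": operator.eq, "!=": operator.ne,
}


def parse_version(text):
    """Turn '1.95.0' into (1, 95, 0) so tuples compare numerically.

    Non-numeric parts (e.g. '2.2.2rc1') are not handled here; a real
    matcher needs a proper version scheme for the ecosystem in question.
    """
    return tuple(int(part) for part in text.strip().split("."))


def criterion_matches(criterion, version):
    """True if `version` satisfies one version_criteria entry."""
    v = parse_version(version)
    if isinstance(criterion, str):                     # exact version
        return v == parse_version(criterion)
    # Range: every operator in the mapping must hold (logical AND).
    return all(OPERATORS[op](v, parse_version(bound))
               for op, bound in criterion.items())


def matching_binds(binds, component, version):
    """Return the vulnerability ids manually bound to component@version."""
    hits = []
    for vuln_id, components in binds.items():
        spec = components.get(component)
        if spec is None:
            continue
        # Entries of the list are alternatives (logical OR).
        if any(criterion_matches(c, version)
               for c in spec.get("version_criteria", [])):
            hits.append(vuln_id)
    return hits


if __name__ == "__main__":
    for component, version in [("libexpat", "2.1.0"), ("libexpat", "2.2.5"),
                               ("libexpat", "2.3.0"), ("expat", "1.90.0")]:
        print(component, version, "->",
              matching_binds(MANUAL_BINDS, component, version))
```

Running it reports libexpat 2.1.0 and 2.3.0 as bound to CVE-2024-8176, while libexpat 2.2.5 and expat 1.90.0 fall outside every criterion. When writing binds, keep the upper bound of a range exclusive (as `"<": "2.2.2"` is here) so that the first fixed version is not reported as affected.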

Tooltip

You can specify a custom file path for manual binds by editing your CVEScan configuration file:

config.yml

```yaml
connectors:
  manual_binds:
    filepath: /my/custom/path
```

Configure CVEScan detection step

Manual binds are not taken into account by default. To enable them, add the manual_binds key to the match connectors list in CVEScan's configuration file.

config.yml

```yaml
connectors:
  match:
    - nvd
    - osv
    - manual_binds
```