Cve-bin-tool

New features from our GSoC 2022 participants:

* **yashugarg** added a large number of tests and work on fuzzing our interfaces
* **rhythmrx9** added new data sources (we now support advisories from Gitlab, OSV and Redhat as well as NVD)
* **XDRAGON2002** for the new parsers that allow us to scan things like Ruby Gemfiles, Rust cargo files, and more.

Other interesting features in this release:

* **ffontaine** has added a large number of new checkers, pushing us well over 200 binary checkers.
* **anthonyharrison** has added initial support for NVD API 2.0. Note that at the time this was added the 2.0 version didn't work with their API keys, so the code behaves accordingly.

Thanks also to BreadGenie for code review and mentoring support as well as a number of contributions listed below. A special shout out to b31ngd3v and metabiswadeep whose first contributions are in this release but they've been the first of many, as well as the many other folk who got their first commits in via Hacktoberfest or GSoC or goodfirstissue.dev or however you found us. Thanks to everyone for being part of this release!

Preview release for 3.2.

We're currently seeing an issue in our testing system where Windows systems are taking a long time to upgrade the database to store additional data source information. Windows users are particularly encouraged to try this pre-release to see if you have any issues!

When updating your database, make sure your [NVD_API_KEY is set](https://nvd.nist.gov/developers/request-an-api-key) and you may have better results using -u now to get a fresh database.

Minor update to force a downgrade of packaging to allow use of LegacyVersion (fixes [2428](https://github.com/intel/cve-bin-tool/issues/2428))

This is intended to be a temporary fix while we finish up the 3.2 release, but I believe we will be able to backport the removal for LegacyVersion without much trouble, so there may be one more release for the 3.1 tree if it looks like 3.2 is going to take more than a week.

**Full Changelog**: [v3.1.1...v3.1.2](https://github.com/intel/cve-bin-tool/compare/v3.1.1...v3.1.2)

Minor typo necessitated a version bump + new release.

This release is dedicated to the person who sent me cookies after I was griping about differences in Python 3.7 error handling on Twitter. They were delicious, thank you! Thanks also to the many new contributors who have joined us as part of Google Summer of Code 2022. You can see many new folk had their first commits in this release!

New Features

* CVE Binary Tool 3.1 adds support for [NVD API keys.](https://nvd.nist.gov/general/news/API-Key-Announcement) An NVD API key allows registered users to make a greater number of requests to the API. At this time, the [NVD API documentation says](https://nvd.nist.gov/developers), "The public rate limit (without an API key) is 10 requests in a rolling 60 second window; the rate limit with an API key is 100 requests in a rolling 60 second window."
* cve-bin-tool updates once per day by default to limit connections to NVD, but users in shared environments or running more frequent updates have occasionally seen 403 errors due to exceeded rate limits. Using an API key should alleviate those issues going forwards.
* New support for scanning Java and JavaScript packages has been added. (Yes, this will now detect log4j packages.) The language-specific packages we support now are Java, JavaScript and Python.
* A new offline flag (--offline) has been added to disable all network requests for use in isolated environments. [A guide for using --offline mode can be found here.](https://cve-bin-tool.readthedocs.io/en/latest/how_to_guides/offline.html)
* New support [VEX (Vulnerabity Exploitablity Exchange)](https://www.ntia.gov/files/ntia/publications/vex_one-page_summary.pdf) files. Files could be generated following a scan and then used as a supported triage file.
* Extractor support has been extended to include WAR, EAR, pkg and zst files.
* New checkers: Libsrtp, libseccomp, libebml, libsolv

Changed Features

* Some users had expressed concern that they would prefer not to install the Reportlab dependency on their systems due to security concerns if the library is mis-used, so we no longer install it by default.
* Users intending to use PDF export can use pip install cve-bin-tool[PDF] to add reportlab to their install. or pip install reportlab if they decide they want it later.
* Similarly, users can pip uninstall reportlab at any time and cve-bin-tool will continue to function although without the ability to export PDF files. Users can generate their own using pdf reports using print-to-pdf on an HTML report if needed.
* Python 3.6 support and testing has been dropped as Python 3.6 has reached end of life. (This may affect some users on CentOS.)

Full Changelog: v3.1rc2...v3.1rc3