Cve-bin-tool

Latest version: v3.4


Page 2 of 4

3.1rc2

Not secure
Potentially the final release candidate for CVE Binary Tool 3.1. (Note the change in naming scheme to match the pip upload)

3.1.pre1

Second pre-release. This one has all features expected for release and will undergo some additional validation before final release.

3.1.pre0

Pre-release for what will eventually be 3.1. There are a few PRs still in progress, and you can see what remains to be updated in the [3.1 milestone](https://github.com/intel/cve-bin-tool/milestone/7). The release notes below are auto-generated by GitHub.

3.0

Not secure
The CVE Binary Tool 3.0 release includes improved tools for checking known lists of packages including Linux distributions, improved methods of communication with NVD to get vulnerability data, additional checkers, and significant refactoring to streamline the output.

New feature highlights:
* **SBOM Scanning**: CVE Binary Tool can now take Software Bill of Materials (SBOM) files to help users improve their supply chain security data for all known dependencies. The initial feature can handle some versions of SPDX, CycloneDX and SWID formats. More information on SBOM scanning can be found here: https://github.com/intel/cve-bin-tool/blob/main/doc/how_to_guides/sbom.md
* **Known vulnerability information**: Users scanning some Linux distro packages can now get additional information about fixes available for those platforms.
* **Vulnerability Data**: The default method for getting NVD vulnerability lists has been changed. Previously we downloaded full yearly JSON files if anything in the year had changed; the new API allows us to get only the latest changes. Users may see a speedup during the update phase as a result.
* **(Breaking change) Return codes:** The return codes used by CVE Binary Tool have changed.
  * A 0 will be returned if no CVEs are found, a 1 will be returned if any CVEs were found (no matter how many), and codes 2+ indicate operational errors. A full list of error codes is available here: https://github.com/intel/cve-bin-tool/blob/main/cve_bin_tool/error_handler.py
  * Previously we returned the number of CVEs found, but this could exceed the expected range for return codes and cause unexpected behaviour.
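
The return-code change above matters most in CI, where a gate must tell "CVEs found" apart from "the scan did not run". The following is an added example, not code from the CVE Binary Tool project; the helper names `classify_rc`, `scan_gate` and `legacy_status` are hypothetical, and the scanner is replaced by constructed `sh -c "exit N"` stubs so it runs offline.

```sh
#!/bin/sh
# Added example: gate a CI job on the 3.0+ return-code contract
# (0 = no CVEs, 1 = CVEs found, 2+ = operational error).

# classify_rc RC: map a scanner exit status to an outcome name.
classify_rc() {
    case "$1" in
        0) echo clean ;;
        1) echo cves-found ;;
        *) echo tool-error ;;   # 2+: scan did not complete, result unknown
    esac
}

# scan_gate CMD [ARGS...]: run the scanner command and print its outcome.
# Real use (assumed path): scan_gate cve-bin-tool ./build
scan_gate() {
    rc=0
    "$@" >/dev/null 2>&1 || rc=$?
    classify_rc "$rc"
}

# legacy_status COUNT: the status a parent process observes when a child
# exits with COUNT, as pre-3.0 releases did with the number of CVEs.
# Only the low 8 bits survive, so 256 findings look like a clean scan.
legacy_status() {
    rc=0
    sh -c "exit $1" || rc=$?
    echo "$rc"
}

# Constructed stand-ins for the scanner, so the demo runs offline.
for stub in 0 1 3; do
    printf 'exit %s -> %s\n' "$stub" "$(scan_gate sh -c "exit $stub")"
done
printf 'legacy count 256 -> status %s\n' "$(legacy_status 256)"
```

A pipeline should treat `tool-error` as a failed job rather than a pass, since no vulnerability result was produced.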

Thanks especially to our 2021 GSoC students, BreadGenie, imsahil007 and peb-peb whose final GSoC contributions are part of this release.

A full list of changes is available on GitHub: https://github.com/intel/cve-bin-tool/releases/tag/v3.0

Commit messages use the [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) format.

2.2.1

Not secure
Release date: 04 Aug 2021

The 2.2.1 release relaxes the behaviour when file extraction fails, which was causing problems for some users scanning files with .exe and .apk file extensions using the previous release. In 2.2, all extraction failures caused the tool to halt and throw an exception; in 2.2.1, the tool will log a warning and continue.

2.2

Not secure
Release date: 08 Jul 2021

The 2.2 release contains a number of bugfixes and improvements thanks to the many students who contributed as part of our Google Summer of Code selection process. Congratulations to BreadGenie, imsahil007 and peb-peb who will be continuing to work with us for the next few months!

New feature highlights:
- CVE Binary Tool can now be used to get lists of vulnerabilities affecting a Python requirements.txt file, as well as lists of packages installed on .deb or .rpm based systems (Thanks to BreadGenie)
- Scan reports can now be merged (Thanks to imsahil007)
- Reports can now be generated in PDF format (Thanks to anthonyharrison)
- A new helper script is available to help new contributors find appropriate patterns for new checkers (Thanks to peb-peb)
- Reports can now be generated even if no CVEs are found (Thanks to BreadGenie)
- We've added rate limiting for our NVD requests (Thanks to nisamson, param211, bhargavh)

There are also a number of new checkers and bug fixes.

Thanks also to jerinjtitus, Molkree, alt-glitch, CabTheProgrammer, Romi-776, chaitanyamogal, Rahul2044, utkarsh147-del, SinghHrmn, SaurabhK122, pdxjohnny and terriko for their contributions to this release.


© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.