Update documentation for 1.0 release (#640)

* add release notes
* regenerate output for CSV2CVE.md
* remove some obsolete output from MANUAL.md
* update version info to be 1.0
* mark us as Production/stable in setup.py and fix the license data

Author: terriko

CSV2CVE.md

@@ -41,33 +41,16 @@ wontwork,no,7.7
 Example output:
 ---------------
 ```console
-(venv3.6) terri@sandia:~/Code/cve-bin-tool$ python -m cve_bin_tool.csv2cve test.csv 
+(venv3.7) [terri@cedar cve-bin-tool]$ python -m cve_bin_tool.csv2cve test/csv/test.csv 
 cve_bin_tool.CVEDB - INFO - Using cached CVE data (<24h old). Use -u now to update immediately.
-
-+=================================================================+
-|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 +=================================================================+
-||     ____  __        __  _____      ______    __    __    _    ||
-||    /$$$$| \$\      /$/ |$$$$$|    |$$$$$$\  |$$|  |$$\  |$|   ||
-||   |$$      \$\    /$/  |$____     |$____$/  |$$|  |$$$\ |$|   ||
-||   |$$       \$\  /$/   |$$$$$| == |$$$$$$\  |$$|  |$|\$\|$|   ||
-||   |$$        \$\/$/    |$____  `` |$_____$  |$$|  |$| \$$$|   ||
-||    \$$$$|     \$$/     |$$$$$|    |$$$$$$/  |$4|  |$|  \$$|   ||
-||     `````      ``       ``````     ``````    ```   ``   ```   ||
-||     ____________    ________      ________     __             ||
-||    |$$$$$$$$$$$$|  /$$$$$$$$\    /$$$$$$$$\   |$$|            ||
-||         |$$|      |$$|    |$$|  |$$|    |$$|  |$$|            ||
-||         |$$|      |$$|    |$$|  |$$|    |$$|  |$$|            ||
-||         |$$|      |$$|    |$$|  |$$|    |$$|  |$$|            ||
-||         |$$|      |$$|    |$$|  |$$|    |$$|  |$$|_______     ||
-||         |$$|       \$$$$$$$$/    \$$$$$$$$/   |$$$$$$$$$$|    ||
-||         ````        ````````      ````````    ````````````    ||
+|   ___ _    __ ____    ___  ___  _   _    _____  ___  ___  _     |                         
+|  / __| \  / /| ___]  |   )[   ]| \ | |  [_   _]| _ || _ || |    |                                   
+| | |__ \ \/ / | _]_ = | <   | | | |\| | =  | |  ||_||||_||| |__  |                               
+|  \___| \__/  |___ ]  |___)[___]|_| \_|    |_|  |___||___||____| |
+|                                                                 |
 +=================================================================+
-|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
-+=================================================================+
-
-+=================================================================+
-|   CVE Binary Tool Report Generated: 2020-04-24  04:04:27        |
+|   CVE Binary Tool Report Generated: 2020-04-30  11:04:24        |
 +=================================================================+
 
 +=================================================================+
@@ -117,4 +100,4 @@ cve_bin_tool.CVEDB - INFO - Using cached CVE data (<24h old). Use -u now to upda
 +--------------------+-----------+--------------------+-----------+
 | no                 | 7.7       | UNKNOWN            | UNKNOWN   |
 +--------------------+-----------+--------------------+-----------+
-```
+

MANUAL.md

@@ -171,6 +171,8 @@ This option controls the frequency of updates for the CVE data from the National
 Output modes
 ------------
 
+Although the examples in this section show results for a single library to make them shorter and easier to read, the tool was designed to be run on entire directories and will scan all files in a directory if one is supplied.
+
 ### -o OUTPUT_FILE, --output-file OUTPUT_FILE
 
 This option allows you to specify the filename for the report, rather than having CVE Binary Tool generate it by itself.
@@ -227,44 +229,10 @@ libgcrypt,1.6.0,CVE-2018-6829,HIGH
 
 ### Output verbosity
 
-The tool has several different output modes, from most information to least as follows:
-
-1. Regular mode (no flag) prints only the final summary of findings
-2. Quiet mode (-q) suppresses all output but exits with an error number indicating the number of files with known CVEs.  This is intended for continuous integration and headless tests, while the other modes are all more human-friendly.
-3. Log mode (-l log_level) prints logs of the specified log_level and above. The default log level is info. The logs can be suppressed by using quiet mode.
-
-Although the examples in this section show results for a single library to make them shorter and easier to read, the tool was designed to be run on entire directories and will scan all files in a directory if one is supplied.
-
-#### Default Mode
-
-The default mode for the cve-bin-tool prints only a final summary of results,
-without CVE descriptions or information while the scan is progressing. It
-outputs a CSV with the results to stdout. In the form of `package name, version,
-CVE number, CVE severity`. Below is an example of it being run on our expat test file:
-
-```console
-(venv3.6) terri@sandia:~/Code/cve-bin-tool$ python -m cve_bin_tool.cli test/binaries/test-expat-2.0.1.out 
-Updating CVE data. This will take a few minutes.
-Last Update: 2019-08-09
-Local database has been updated in the past 24h.
-New data not downloaded.  Use "-u now" to force an update
-
-Overall CVE summary: 
-There are 1 files with known CVEs detected
-Known CVEs in expat 2.0.1:
-expat,2.0.1,CVE-2012-6702,MEDIUM
-expat,2.0.1,CVE-2016-0718,CRITICAL
-expat,2.0.1,CVE-2016-5300,HIGH
-expat,2.0.1,CVE-2018-20843,HIGH
-expat,2.0.1,CVE-2012-0876,MEDIUM
-expat,2.0.1,CVE-2012-1147,MEDIUM
-expat,2.0.1,CVE-2012-1148,MEDIUM
-expat,2.0.1,CVE-2013-0340,MEDIUM
-```
-
-This mode is meant to give the user enough information that they can
-investigate further.
+As well as the modes above, there are two other output options to decrease or increase the number of messages printed:
 
+1. Quiet mode (-q) suppresses all output but exits with an error number indicating the number of files with known CVEs.  This is intended for continuous integration and headless tests, while the other modes are all more human-friendly.
+2. Log mode (-l log_level) prints logs of the specified log_level and above. The default log level is info. The logs can be suppressed by using quiet mode.
 
 ### Quiet Mode
 
@@ -279,7 +247,8 @@ terri@sandia:~/Code/cve-bin-tool$ echo $?
 1
 ```
 
-Note that errors are returned as negative numbers.
+Note that errors are returned as negative numbers.  Any positive number
+indicates that CVEs may be present in the code.  A good result here is 0.
 
 ### Logging modes
 

README.md

@@ -139,12 +139,12 @@ Windows has `ar` and `Expand` installed in default, but `7z` in particular might
 CSV2CVE
 -------
 
-The CVE Binary Tool package also includes a tool called `csv2cve` which is a helper tool that allows you to search the local database for a list of known packages.  This can be useful if the list of packages is known.
+The CVE Binary Tool package also includes a tool called `csv2cve` which is a helper tool that allows you to search the local database for a list of known products.  This can be useful if the list of products is known.
 
 Usage:
 `csv2cve <csv_file>`
 
-The CSV file must contain the following columns: `vendor,package,version` where the vendor and package names are exact matches to the strings in the National Vulnerability Database.  You can read more about how to find the correct string in [the checker documentation](https://github.com/intel/cve-bin-tool/blob/master/cve_bin_tool/checkers/README.md), and the [csv2cve manual](https://github.com/intel/cve-bin-tool/blob/master/CSV2CVE.md) has more information on using this tool.
+The CSV file must contain the following columns: `vendor,product,version` where the vendor and product names are exact matches to the strings in the National Vulnerability Database.  You can read more about how to find the correct string in [the checker documentation](https://github.com/intel/cve-bin-tool/blob/master/cve_bin_tool/checkers/README.md), and the [csv2cve manual](https://github.com/intel/cve-bin-tool/blob/master/CSV2CVE.md) has more information on using this tool.
 
 Note that `csv2cve`, unlike `cve-bin-tool`, will work on *any* product known in the National Vulnerability Database, not only those that have checkers written.
 

RELEASE.md

@@ -0,0 +1,119 @@
+# CVE Binary Tool Release Notes
+
+## CVE Binary Tool 1.0
+
+Release Date: 20 Apr 2020
+
+This release includes major improvements to the way NVD data is used and
+stored.  **If you have tried the development tree from Github, you may wish
+to run `cve-bin-tool -u now` after you upgrade to remove old data.**
+
+There are now three output formats:
+
+* Console (like before only prettier)
+* CSV (comma-delimted text, suitable for import into spreadsheets)
+* JSON (suitable for machine parsing)
+
+And 17 new checkers (as well as improved tests for some of the old):
+* binutils
+* bluez
+* bzip2
+* ffmpeg
+* gnutls
+* gstreamer
+* hostapd
+* libcurl
+* libdb
+* ncurses
+* ngnix
+* openssh
+* python
+* rsyslog
+* strongswan
+* syslogng
+* varnish
+
+Thanks to our many new and returning contributors for this 1.0 release.  We have 21 new contributors since I last thanked people in 0.3.0:
+
+* @abhaykatheria
+* @ableabhinav
+* @AkechiShiro
+* @ananthan-123
+* @bigbird555
+* @brainwane
+* @FReeshabh
+* @hur
+* @k-udupa2000
+* @mariuszskon
+* @Niraj-Kamdar
+* @nitishsaini706
+* @oh6hay
+* @param211
+* @Purvanshsingh
+* @SaurabhK122
+* @sbs2001
+* @shreyamalviya
+* @SinghHrmn
+* @svnv
+* @utkarsh261
+
+And I'd like to make a quick list of our previous contributors, some of whom have continued to be active for this release:
+
+* @bksahu
+* @CaptainDaVinci
+* @GiridharPrasath
+* @pdxjohnny
+* @PrajwalM2212
+* @rossburton
+* @sanketsaurav
+* @sannanansari
+* @terriko
+* @wzao1515
+
+
+Thanks also to the many people who reported bugs and helped us make things
+better!  
+
+I want to particularly thank all those involved with Google Summer
+of Code -- not only have you made our code better, but you've also helped us
+improve our onboarding process and just brought a huge amount of energy to
+this project in 2020.  
+
+
+
+## CVE Binary Tool 0.3.1
+Release Date: 27 Nov 2019
+
+This release contains fixes so the CVE Binary Tool handles the new CVSS 3.1 data correctly.  
+
+You may also notice some new checkers thanks to our Hacktoberfest participants!  We're still working on more robust tests before they're fully supported, but we figured it was more fun to give you the preview than specifically withold them.  Have fun, and please file bugs if anything doesn't work for you so we know how to best to target our testing.
+
+## CVE Binary Tool 0.3.0
+Release date: 13 Aug 2019
+
+The 0.3.0 release adds Windows support to the cve-bin-tool, with many thanks to @wzao1515 who has been doing amazing work as our Google Summer of Code Student!  
+
+New checkers in this release:
+* icu
+* kerberos
+* libgcrypt
+* libjpeg
+* sqlite
+* systemd
+
+New flags:
+* -s / --skip 
+  * allows you to disable a list of checkers
+* -m / --multithread 
+  * lets the scanner run in multithreaded mode for improved performance
+* -u / --update 
+  * allows you to choose if the CVE information is updated.  Default is daily.
+
+This release also contains a number of bugfixes and improved signatures.  
+
+Many thanks to our new contributors in this release:
+@wzao1515 @PrajwalM2212 @rossburton @GiridharPrasath @sannanansari @sanketsaurav @bksahu @CaptainDaVinci 
+As well as the many people who reported bugs and helped us make things better!
+
+## CVE Binary Tool 0.2.0
+Initial release, 18 Jan 2019.

cve_bin_tool/version.py

@@ -1 +1 @@
-VERSION = "0.3.2"
+VERSION = "1.0"

setup.py

@@ -27,9 +27,9 @@
     license="GPLv3",
     keywords=["security", "tools", "CVE"],
     classifiers=[
-        "Development Status :: 4 - Beta",
+        "Development Status :: 5 - Production/Stable",
         "Intended Audience :: Developers",
-        "License :: OSI Approved :: MIT License",
+        "License :: OSI Approved :: GNU General Public License (GPL)",
         "Natural Language :: English",
         "Operating System :: OS Independent",
         "Programming Language :: Python :: 3.6",