Fix result and report id fetching in monthly-report script

[timopollmeier]

What

The result fetching in the monthly-report script is adjusted in the following ways:

• The selected hosts now also include ones that were last updated after the requested month. Otherwise they would be missing even if they were also updated in the requested month.
• The number of results for a host is no longer limited by the "Rows per page" setting.
• Instead of counting all results, only the distinct vulnerabilities (VTs) are counted. The new counting method also considers only the latest occurrence of a vulnerability in case the severity level has changed in the meantime.

Also, The monthly-report script now looks for reports in identifiers modified in the given month.

A new ++reports option has been added to choose whether to skip getting the reports (only returning the vulnerability counts), get the last report in the selected month or get a list of all reports in the selected month.
For this the argument parsing and help/usage text are changed to use argparse.

Why

Overall, this should make the script behave more as expected. The new result counts by distinct VT should be more informative than the previous number that could be influenced by how many times a host was scanned.
The report id change addresses the problem that the shown report ids could previously be outside the selected date range.

References

GEA-1215

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

[github-actions]

Conventional Commits Report

😢 No conventional commits found.

👉 Learn more about the conventional commits usage at Greenbone.

[github-actions]

🔍 Vulnerabilities of harbor-os.greenbone.net/community/gvm-tools:1246-merge-amd64

📦 Image Reference harbor-os.greenbone.net/community/gvm-tools:1246-merge-amd64

digest	sha256:bf0f024204cf9c7f3a99cf4ae09dc083a5aa1d649c9794954046ca72bf5a358b
vulnerabilities
size	72 MB
packages	163

📦 Base Image debian:stable-20250811-slim

also known as	stable-slim
digest	sha256:a1c1968fb091b256477e675a99ab3fa6f4c2d047ae7f506f92255cf5f0c2cf5e
vulnerabilities

python3.13 3.13.5-2 (deb) pkg:deb/debian/[email protected]?os_distro=trixie&os_name=debian&os_version=13 Affected range >=3.13.5-2 Fixed version Not Fixed EPSS Score 0.09% EPSS Percentile 26th percentile Description There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1 python3.13 3.13.6-1 python3.12 python3.11 [bookworm] - python3.11 (Minor issue) python3.9 [bullseye] - python3.9 (Minor issue) python2.7 [bullseye] - python2.7 (EOL in bullseye LTS) tarfile.StreamError: seeking backwards is not allowed due to unskipped block with bad checksum python/cpython#130577 gh-130577: tarfile now validates archives to ensure member offsets are non-negative python/cpython#137027 https://mail.python.org/archives/list/[email protected]/thread/ZULLF3IZ726XP5EY7XJ7YIN3K5MDYR2D/ Fixed by: python/cpython@7040aa5 (main) Fixed by: python/cpython@cdae923 (3.13-branch) Affected range >=3.13.5-2 Fixed version Not Fixed EPSS Score 0.09% EPSS Percentile 26th percentile Description The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service. python3.13 3.13.6-1 python3.12 python3.11 [bookworm] - python3.11 (Minor issue) python3.9 [bullseye] - python3.9 (Minor issue; can be fixed in next update) python2.7 [bullseye] - python2.7 (EOL in bullseye LTS) pypy3 [trixie] - pypy3 (Minor issue) [bookworm] - pypy3 (Minor issue) [bullseye] - pypy3 (Minor issue; DoS) jython (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109376) [trixie] - jython (Minor issue) [bookworm] - jython (Minor issue) [bullseye] - jython (EOL in bullseye LTS) https://mail.python.org/archives/list/[email protected]/thread/K5PIYLR6EP3WR7ZOKKYQUWEDNQVUXOYM/ Worst case quadratic complexity in HTMLParser python/cpython#135462 gh-135462: Fix quadratic complexity in processing special input in HTMLParser python/cpython#135464 python/cpython@6eb6c5d (main) python/cpython@d851f8e (v3.14.0b3) python/cpython@4455cba (3.13-branch)

tar 1.35+dfsg-3.1 (deb) pkg:deb/debian/[email protected]%2Bdfsg-3.1?os_distro=trixie&os_name=debian&os_version=13 Affected range >=1.35+dfsg-3.1 Fixed version Not Fixed EPSS Score 0.04% EPSS Percentile 11th percentile Description GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). Disputed tar issue, works as documented per upstream: https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html https://github.com/i900008/vulndb/blob/main/Gnu_tar_vuln.md Affected range >=1.35+dfsg-3.1 Fixed version Not Fixed EPSS Score 3.25% EPSS Percentile 87th percentile Description Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges. This is intended behaviour, after all tar is an archiving tool and you need to give -p as a command line flag tar (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=328228; unimportant)

glibc 2.41-12 (deb) pkg:deb/debian/[email protected]?os_distro=trixie&os_name=debian&os_version=13 Affected range >=2.41-12 Fixed version Not Fixed EPSS Score 0.16% EPSS Percentile 38th percentile Description In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\1\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern glibc (unimportant) eglibc (unimportant) https://sourceware.org/bugzilla/show_bug.cgi?id=24269 Affected range >=2.41-12 Fixed version Not Fixed EPSS Score 0.23% EPSS Percentile 46th percentile Description GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability. glibc (unimportant) Not treated as a security issue by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22853 Affected range >=2.41-12 Fixed version Not Fixed EPSS Score 0.38% EPSS Percentile 58th percentile Description GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat. glibc (unimportant) Not treated as a security issue by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22852 Affected range >=2.41-12 Fixed version Not Fixed EPSS Score 0.70% EPSS Percentile 71st percentile Description GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat. glibc (unimportant) Not treated as a security issue by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22851 Affected range >=2.41-12 Fixed version Not Fixed EPSS Score 0.14% EPSS Percentile 35th percentile Description GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat. glibc (unimportant) Not treated as a security issue by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22850 Affected range >=2.41-12 Fixed version Not Fixed EPSS Score 2.05% EPSS Percentile 83rd percentile Description In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227|)(\1\1|t1|\\2537)+' in grep. glibc (unimportant) eglibc (unimportant) https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141 https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html No treated as vulnerability: https://sourceware.org/glibc/wiki/Security%20Exceptions Affected range >=2.41-12 Fixed version Not Fixed EPSS Score 0.37% EPSS Percentile 58th percentile Description The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632. glibc (unimportant) eglibc (unimportant) That's standard POSIX behaviour implemented by (e)glibc. Applications using glob need to impose limits for themselves

systemd 257.7-1 (deb) pkg:deb/debian/[email protected]?os_distro=trixie&os_name=debian&os_version=13 Affected range >=257.7-1 Fixed version Not Fixed EPSS Score 0.09% EPSS Percentile 27th percentile Description An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability." systemd (unimportant) Disputed by upstream https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf Affected range >=257.7-1 Fixed version Not Fixed EPSS Score 0.10% EPSS Percentile 28th percentile Description An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability." systemd (unimportant) Disputed by upstream https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf Affected range >=257.7-1 Fixed version Not Fixed EPSS Score 0.13% EPSS Percentile 33rd percentile Description An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability." systemd (unimportant) Disputed by upstream https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf Affected range >=257.7-1 Fixed version Not Fixed EPSS Score 0.07% EPSS Percentile 21st percentile Description systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files. systemd (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725357) [wheezy] - systemd (/etc/tmpfiles.d not supported in Wheezy) https://bugzilla.redhat.com/show_bug.cgi?id=859060 only relevant to systems running systemd along with selinux

coreutils 9.7-3 (deb) pkg:deb/debian/[email protected]?os_distro=trixie&os_name=debian&os_version=13 Affected range >=9.7-3 Fixed version Not Fixed EPSS Score 0.02% EPSS Percentile 3rd percentile Description A flaw was found in GNU Coreutils. The sort utility's begfield() function is vulnerable to a heap buffer under-read. The program may access memory outside the allocated buffer if a user runs a crafted command using the traditional key format. A malicious input could lead to a crash or leak sensitive data. coreutils (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106733; unimportant) https://bugzilla.redhat.com/show_bug.cgi?id=2368764 https://lists.gnu.org/archive/html/bug-coreutils/2025-05/msg00036.html https://lists.gnu.org/archive/html/bug-coreutils/2025-05/msg00040.html https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/?id=8c9602e3a145e9596dc1a63c6ed67865814b6633 https://www.openwall.com/lists/oss-security/2025/05/27/2 https://debbugs.gnu.org/cgi/bugreport.cgi?bug=78507 Crash in CLI tool, no security impact Affected range >=9.7-3 Fixed version Not Fixed EPSS Score 0.06% EPSS Percentile 17th percentile Description In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition. coreutils (unimportant) http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html https://www.openwall.com/lists/oss-security/2018/01/04/3 Documentation patches proposed: https://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html https://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html Neutralised by kernel hardening

sqlite3 3.46.1-7 (deb) pkg:deb/debian/[email protected]?os_distro=trixie&os_name=debian&os_version=13 Affected range >=3.46.1-7 Fixed version Not Fixed EPSS Score 0.21% EPSS Percentile 44th percentile Description A Memory Leak vulnerability exists in SQLite Project SQLite3 3.35.1 and 3.37.0 via maliciously crafted SQL Queries (made via editing the Database File), it is possible to query a record, and leak subsequent bytes of memory that extend beyond the record, which could let a malicious user obtain sensitive information. NOTE: The developer disputes this as a vulnerability stating that If you give SQLite a corrupted database file and submit a query against the database, it might read parts of the database that you did not intend or expect. sqlite3 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005974) sqlite (unimportant) https://github.com/guyinatuxedo/sqlite3_record_leaking https://bugzilla.redhat.com/show_bug.cgi?id=2054793 https://sqlite.org/forum/forumpost/056d557c2f8c452ed5bb9c215414c802b215ce437be82be047726e521342161e Negligible security impact

python-pip 25.1.1+dfsg-1 (deb) pkg:deb/debian/[email protected]%2Bdfsg-1?os_distro=trixie&os_name=debian&os_version=13 Affected range >=25.1.1+dfsg-1 Fixed version Not Fixed EPSS Score 2.54% EPSS Percentile 85th percentile Description An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely python-pip (unimportant) https://cowlicks.website/posts/arbitrary-code-execution-from-pips-extra-index-url.html pip is inherently affected by malicious packages, use packages from Debian instead :-)

util-linux 2.41-5 (deb) pkg:deb/debian/[email protected]?os_distro=trixie&os_name=debian&os_version=13 Affected range >=2.41-5 Fixed version Not Fixed EPSS Score 0.03% EPSS Percentile 5th percentile Description A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4. util-linux (unimportant) https://bugzilla.redhat.com/show_bug.cgi?id=2053151 https://lore.kernel.org/util-linux/[email protected]/T/#u util-linux/util-linux@faa5a3a util-linux in Debian does build with readline support but chfn and chsh are provided by src:shadow and util-linux is configured with --disable-chfn-chsh

apt 3.0.3 (deb) pkg:deb/debian/[email protected]?os_distro=trixie&os_name=debian&os_version=13 Affected range >=3.0.3 Fixed version Not Fixed EPSS Score 1.51% EPSS Percentile 80th percentile Description It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack. apt (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480) Not exploitable in Debian, since no keyring URI is defined

openssl 3.5.1-1 (deb) pkg:deb/debian/[email protected]?os_distro=trixie&os_name=debian&os_version=13 Affected range >=3.2.1-3 Fixed version Not Fixed EPSS Score 0.11% EPSS Percentile 30th percentile Description OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack." http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf openssl/openssl#24540 Fault injection based attacks are not within OpenSSLs threat model according to the security policy: https://www.openssl.org/policies/general/security-policy.html

shadow 1:4.17.4-2 (deb) pkg:deb/debian/shadow@1:4.17.4-2?os_distro=trixie&os_name=debian&os_version=13 Affected range >=1:4.17.4-2 Fixed version Not Fixed EPSS Score 0.33% EPSS Percentile 55th percentile Description initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers. shadow (unimportant) See #290803, on Debian LOG_UNKFAIL_ENAB in login.defs is set to no so unknown usernames are not recorded on login failures

perl 5.40.1-6 (deb) pkg:deb/debian/[email protected]?os_distro=trixie&os_name=debian&os_version=13 Affected range >=5.40.1-6 Fixed version Not Fixed EPSS Score 0.16% EPSS Percentile 37th percentile Description _is_safe in the File::Temp module for Perl does not properly handle symlinks. perl (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776268) http://thread.gmane.org/gmane.comp.security.oss.general/6174/focus=6177 File:Temp::_is_safe() allows unsafe traversal of symlinks [rt.cpan.org #69106] Perl-Toolchain-Gang/File-Temp#14

pcre2 10.45-1 (deb) pkg:deb/debian/[email protected]?os_distro=trixie&os_name=debian&os_version=13 Affected range >=10.45-1 Fixed version Not Fixed Description The PCRE2 library is a set of C functions that implement regular expression pattern matching. In version 10.45, a heap-buffer-overflow read vulnerability exists in the PCRE2 regular expression matching engine, specifically within the handling of the (*scs:...) (Scan SubString) verb when combined with (*ACCEPT) in src/pcre2_match.c. This vulnerability may potentially lead to information disclosure if the out-of-bounds data read during the memcmp affects the final match result in a way observable by the attacker. This issue has been resolved in version 10.46. pcre2 [bookworm] - pcre2 (Vulnerable code not present) [bullseye] - pcre2 (Vulnerable code not present) Introduced with: PCRE2Project/pcre2@237899f (pcre2-10.45-RC1) Fixed by: PCRE2Project/pcre2@a141712 (pcre2-10.46)