vulnxscan: Add cve-bin-tool scanner

[henrirosten]

Adds cve-bin-tool scanner to vulnxscan.

Why do we use cve-bin-tool fork instead of the upstream or the version in nixpkgs?
The main reason is, both the upstream and the nixpkgs versions require an older version of python packaging. This project (vulnxscan) also requires packaging, but it needs a newer version. This results a conflict in python dependencies. The cve-bin-tool fork we are using in this PR attempts to resolve the upstream cve-bin-tool python dependencies issues so that newer version of packaging can be used in cve-bin-tool. As soon as the issue is properly resoved upstream and in nixpkgs, we should change vulnxscan to also start using the cve-bin-tool version from nixpkgs.

[henrirosten]

We decided to not merge this for now.

The main problem is that cve-bin-tool reports way too many false positives. As an example, in a recent test run on a Ghaf target, cve-bin-tool reported the following vulnerabilities that were not reported by any other scanners:

# Run vulnxscan, including the changes from this PR:
vulnxscan.py /path/to/ghaf/result
...
# Find vulnerabilities reported by cve-bin-tool, not reported by any other scanner:
csvsql --verbose --query "select * from vulns where cvebin == '1' and sum == '1'" vulns.csv | csvcut -C sortcol | csvlook

We end-up with the following list of vulns:

| vuln_id        | url                                             | package  | version | grype |   osv | cvebin | vulnix | sum |
| -------------- | ----------------------------------------------- | -------- | ------- | ----- | ----- | ------ | ------ | --- |
| CVE-2023-35945 | https://nvd.nist.gov/vuln/detail/CVE-2023-35945 | nghttp2  | 1.51.0  | False | False |   True |  False |   1 |
| CVE-2023-29469 | https://nvd.nist.gov/vuln/detail/CVE-2023-29469 | libxml2  | 2.10.4  | False | False |   True |  False |   1 |
| CVE-2023-28484 | https://nvd.nist.gov/vuln/detail/CVE-2023-28484 | libxml2  | 2.10.4  | False | False |   True |  False |   1 |
| CVE-2023-2828  | https://nvd.nist.gov/vuln/detail/CVE-2023-2828  | bind     | 9.18.16 | False | False |   True |  False |   1 |
| CVE-2023-1579  | https://nvd.nist.gov/vuln/detail/CVE-2023-1579  | binutils | 2.40    | False | False |   True |  False |   1 |
| CVE-2023-0361  | https://nvd.nist.gov/vuln/detail/CVE-2023-0361  | gnutls   | 3.8.0   | False | False |   True |  False |   1 |
| CVE-2022-43680 | https://nvd.nist.gov/vuln/detail/CVE-2022-43680 | expat    | 2.5.0   | False | False |   True |  False |   1 |
| CVE-2022-38177 | https://nvd.nist.gov/vuln/detail/CVE-2022-38177 | bind     | 9.18.16 | False | False |   True |  False |   1 |
| CVE-2022-25310 | https://nvd.nist.gov/vuln/detail/CVE-2022-25310 | fribidi  | 1.0.12  | False | False |   True |  False |   1 |
| CVE-2022-25309 | https://nvd.nist.gov/vuln/detail/CVE-2022-25309 | fribidi  | 1.0.12  | False | False |   True |  False |   1 |
| CVE-2022-25308 | https://nvd.nist.gov/vuln/detail/CVE-2022-25308 | fribidi  | 1.0.12  | False | False |   True |  False |   1 |
| CVE-2022-3080  | https://nvd.nist.gov/vuln/detail/CVE-2022-3080  | bind     | 9.18.16 | False | False |   True |  False |   1 |
| CVE-2022-2795  | https://nvd.nist.gov/vuln/detail/CVE-2022-2795  | bind     | 9.18.16 | False | False |   True |  False |   1 |
| CVE-2022-1122  | https://nvd.nist.gov/vuln/detail/CVE-2022-1122  | openjpeg | 2.5.0   | False | False |   True |  False |   1 |
| CVE-2021-25220 | https://nvd.nist.gov/vuln/detail/CVE-2021-25220 | bind     | 9.18.16 | False | False |   True |  False |   1 |
| CVE-2021-25219 | https://nvd.nist.gov/vuln/detail/CVE-2021-25219 | bind     | 9.18.16 | False | False |   True |  False |   1 |
| CVE-2021-25214 | https://nvd.nist.gov/vuln/detail/CVE-2021-25214 | bind     | 9.18.16 | False | False |   True |  False |   1 |
| CVE-2021-3575  | https://nvd.nist.gov/vuln/detail/CVE-2021-3575  | openjpeg | 2.5.0   | False | False |   True |  False |   1 |
| CVE-2021-3502  | https://nvd.nist.gov/vuln/detail/CVE-2021-3502  | avahi    | 0.8     | False | False |   True |  False |   1 |

Quick manual triage:

• CVE-2023-35945: not valid: impacts envoy
• CVE-2023-29469: not valid: libxml2 2.10.4 is not impacted
• CVE-2023-28484: not valid: libxml2 2.10.4 is not impacted
• CVE-2023-2828: not valid: bind 9.18.16 is not impacted
• CVE-2023-1579: not valid: binutils 2.40 is not impacted
• CVE-2023-0361: not valid: gnutls 3.8.0 is not impacted
• CVE-2022-43680: not valid: expat 2.5.0 is not impacted
• CVE-2022-38177: not valid: bind 9.18.16 is not impacted
• CVE-2022-25310: not valid: fribidi 1.0.12 is not impacted
• CVE-2022-25309: not valid: fribidi 1.0.12 is not impacted
• CVE-2022-25308: not valid: fribidi 1.0.12 is not impacted
• CVE-2022-3080: not valid: bind 9.18.16 is not impacted
• CVE-2022-2795: not valid: bind 9.18.16 is not impacted
• CVE-2022-1122: not valid: openjpeg 2.5.0 is not impacted
• CVE-2021-25220: not valid: bind 9.18.16 is not impacted
• CVE-2021-25219: not valid: bind 9.18.16 is not impacted
• CVE-2021-25214: not valid: bind 9.18.16 is not impacted
• CVE-2021-3575: not valid: openjpeg 2.5.0 is not impacted
• CVE-2021-3502: not valid: avahi 0.8 is not impacted

Clearly, there's something wrong with the way cve-bin-tool matches vulnerable components (versions).