From 5772d60dcf09de18a6fd8b44e01e45a44854217c Mon Sep 17 00:00:00 2001
From: Joydeep Tripathy <113792434+crazytrain328@users.noreply.github.com>
Date: Mon, 23 Oct 2023 23:09:35 +0530
Subject: [PATCH 1/5] Update osv_source.py

Debugged the code based on a basic problem that I faced while installing cve-bin-tool
---
 cve_bin_tool/data_sources/osv_source.py | 26 ++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)

diff --git a/cve_bin_tool/data_sources/osv_source.py b/cve_bin_tool/data_sources/osv_source.py
index 175a1edf3f..e58638fd5f 100644
--- a/cve_bin_tool/data_sources/osv_source.py
+++ b/cve_bin_tool/data_sources/osv_source.py
@@ -292,15 +292,18 @@ def format_data(self, all_cve_entries):
 
             severity_data.append(cve)
 
-            for package in cve_item["affected"]:
-                product = package["package"]["name"]
+            for package_data in cve_item.get("affected", []):
+                package = package_data.get("package", {})
+                if not package:
+                    continue
+
+                product = package.get("name")
                 vendor = (
-                    "unknown"  # OSV Schema does not provide vendor names for packages
-                )
-                if (
-                    "github.com/" in product
-                ):  # if package name is of format github.com/xxxx/yyyy xxxx can be vendor name and yyyy is package name
-                    vendor = product.split("/")[-2]  # trying to guess vendor name
+                    "unknown"
+                )  # OSV Schema does not provide vendor names for packages
+
+                if "github.com/" in product:
+                    vendor = product.split("/")[-2]
                     product = product.split("/")[-1]
 
                 affected = {
@@ -315,12 +318,12 @@ def format_data(self, all_cve_entries):
                 }
 
                 events = None
-                for ranges in package.get("ranges", []):
+                for ranges in package_data.get("ranges", []):
                     if ranges["type"] == "SEMVER":
                         events = ranges["events"]
 
-                if events is None and "versions" in package:
-                    versions = package["versions"]
+                if events is None and "versions" in package_data:
+                    versions = package_data["versions"]
                     if versions == []:
                         continue
 
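Review bot: `product = package.get("name")` can yield None when an affected entry's `package` has no `name`, and the next test `if "github.com/" in product:` then raises TypeError, so one incomplete record in the fetched OSV feed aborts the whole `format_data` pass — the new guard covers a missing `package` dict but not a missing name. Add `if not product: continue` directly after the `.get("name")` line; patch 2/5 replaces the test with `product.startswith("github.com/")`, which fails the same way on None. The rewrite also drops the comment that explained why `split("/")[-2]` is taken as the vendor; a short version such as `# github.com/<owner>/<repo>: treat <owner> as vendor, <repo> as product` would keep the heuristic understandable. `format_data` begins before and continues past this hunk.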
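Review bot: `if ranges["type"] == "SEMVER":` and `events = ranges["events"]` still index the range dict directly, so a range entry missing either key raises KeyError, while the surrounding lines of this same change moved to `.get()` to tolerate incomplete records. For consistency use `if ranges.get("type") == "SEMVER":` and `events = ranges.get("events")`; a SEMVER range without events then leaves `events` as None and falls through to the existing `versions` fallback below. The loop also lets a later SEMVER range overwrite `events` set by an earlier one; if that is intended, a one-line comment saying so would help. `format_data` continues past this hunk.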
@@ -353,6 +356,7 @@ def format_data(self, all_cve_entries):
 
 
         return severity_data, affected_data
+
 
     async def get_cve_data(self):
         await self.update_ecosystems()

From 876ecc7c0c194b8f6286adca21fa67941ba92470 Mon Sep 17 00:00:00 2001
From: Terri Oda
Date: Tue, 24 Oct 2023 08:30:24 -0700
Subject: [PATCH 2/5] fix: flake8 and codeql tweaks

---
 cve_bin_tool/data_sources/osv_source.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/cve_bin_tool/data_sources/osv_source.py b/cve_bin_tool/data_sources/osv_source.py
index e58638fd5f..0823dcbe21 100644
--- a/cve_bin_tool/data_sources/osv_source.py
+++ b/cve_bin_tool/data_sources/osv_source.py
@@ -302,7 +302,7 @@ def format_data(self, all_cve_entries):
                     "unknown"
                 )  # OSV Schema does not provide vendor names for packages
 
-                if "github.com/" in product:
+                if product.startswith("github.com/"):
                     vendor = product.split("/")[-2]
                     product = product.split("/")[-1]
 
@@ -356,7 +356,6 @@ def format_data(self, all_cve_entries):
 
 
         return severity_data, affected_data
-
 
     async def get_cve_data(self):
         await self.update_ecosystems()

From ff96d43113771aa731b80922c58d866a14d6212d Mon Sep 17 00:00:00 2001
From: Terri Oda
Date: Tue, 24 Oct 2023 09:05:48 -0700
Subject: [PATCH 3/5] fix: blacken cve_bin_tool/data_sources/osv_source.py

---
 cve_bin_tool/data_sources/osv_source.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cve_bin_tool/data_sources/osv_source.py b/cve_bin_tool/data_sources/osv_source.py
index 0823dcbe21..7b9dc6e3ad 100644
--- a/cve_bin_tool/data_sources/osv_source.py
+++ b/cve_bin_tool/data_sources/osv_source.py
@@ -299,8 +299,8 @@ def format_data(self, all_cve_entries):
 
                 product = package.get("name")
                 vendor = (
-                    "unknown"
-                )  # OSV Schema does not provide vendor names for packages
+                    "unknown"  # OSV Schema does not provide vendor names for packages
+                )
 
                 if product.startswith("github.com/"):
                     vendor = product.split("/")[-2]

From 004c7534e8b575cc9e87f9aaff7bd3fb0caf554c Mon Sep 17 00:00:00 2001
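Review bot: `if product.startswith("github.com/"):` narrows which names enter the vendor heuristic, but the two context lines below still take `split("/")[-2]` and `[-1]`, so a nested path such as `github.com/owner/repo/subpkg` yields vendor `repo` and product `subpkg`, and a two-segment `github.com/owner` yields vendor `github.com`. If the intent is owner/repository, index from the front and require three segments: `parts = product.split("/")` followed by `if len(parts) >= 3: vendor, product = parts[1], parts[2]`. Whether such names actually occur in the OSV feed is not visible from this hunk. `format_data` begins before and continues past this hunk.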
From: Terri Oda
Date: Thu, 2 Nov 2023 09:10:38 -0700
Subject: [PATCH 4/5] fix: flake8 fixes

---
 cve_bin_tool/data_sources/osv_source.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cve_bin_tool/data_sources/osv_source.py b/cve_bin_tool/data_sources/osv_source.py
index 7b9dc6e3ad..35a9e61d3e 100644
--- a/cve_bin_tool/data_sources/osv_source.py
+++ b/cve_bin_tool/data_sources/osv_source.py
@@ -299,8 +299,8 @@ def format_data(self, all_cve_entries):
 
                 product = package.get("name")
                 vendor = (
-                    "unknown"  # OSV Schema does not provide vendor names for packages
-                )
+                    "unknown"  # OSV Schema does not provide vendor names for packages
+                )
 
                 if product.startswith("github.com/"):
                     vendor = product.split("/")[-2]

From 68e0aaef6e157d1423ea007f3cadd4cf726c8bb5 Mon Sep 17 00:00:00 2001
From: Terri Oda
Date: Thu, 2 Nov 2023 09:36:11 -0700
Subject: [PATCH 5/5] chore: blacken cve_bin_tool/data_sources/osv_source.py

---
 cve_bin_tool/data_sources/osv_source.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cve_bin_tool/data_sources/osv_source.py b/cve_bin_tool/data_sources/osv_source.py
index 35a9e61d3e..c8bbfea37e 100644
--- a/cve_bin_tool/data_sources/osv_source.py
+++ b/cve_bin_tool/data_sources/osv_source.py
@@ -300,7 +300,7 @@ def format_data(self, all_cve_entries):
                 product = package.get("name")
                 vendor = (
                     "unknown"  # OSV Schema does not provide vendor names for packages
-                )
+                )
 
                 if product.startswith("github.com/"):
                     vendor = product.split("/")[-2]