Merge branch 'main' into version_compare

terriko · Nov 1, 2023 · 86cbb70 · 86cbb70
2 parents a1f5ce1 + c0c9889
commit 86cbb70
Show file tree

Hide file tree

Showing 18 changed files with 217 additions and 54 deletions.
diff --git a/.github/workflows/cve_scan.yml b/.github/workflows/cve_scan.yml
@@ -22,7 +22,7 @@ jobs:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
         with:
-          python-version: '3.x'
+          python-version: '3.11'
           cache: 'pip'
           cache-dependency-path: '**/requirements.txt'
       - name: Get date

diff --git a/.github/workflows/formatting.yml b/.github/workflows/formatting.yml
@@ -26,7 +26,7 @@ jobs:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
         with:
-          python-version: '3.x'
+          python-version: '3.11'
           cache: 'pip'
       - name: Install cve-bin-tool
         run: |

diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
@@ -27,7 +27,7 @@ jobs:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
         with:
-          python-version: '3.x'
+          python-version: '3.11'
           cache: 'pip'
       - name: Install pre-commit
         run: |

diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
@@ -42,7 +42,7 @@ jobs:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
         with:
-          python-version: '3.x'
+          python-version: '3.11'
           cache: 'pip'
           cache-dependency-path: 'doc/requirements.txt'
       - name: Install doc dependencies
@@ -62,6 +62,7 @@ jobs:
     strategy:
       matrix:
         python: ['3.8', '3.9', '3.11']
+        # python 3.12 throws aiohttp package install errors
     timeout-minutes: 60
     steps:
       - name: Harden Runner

diff --git a/.github/workflows/update-js-dependencies.yml b/.github/workflows/update-js-dependencies.yml
@@ -30,7 +30,7 @@ jobs:
 
       - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
         with:
-          python-version: '3.x'
+          python-version: '3.11'
 
       - name: Update JS dependencies
         run: python .github/workflows/update_js_dependencies.py

diff --git a/.github/workflows/update-pre-commit.yml b/.github/workflows/update-pre-commit.yml
@@ -30,7 +30,7 @@ jobs:
 
       - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
         with:
-          python-version: '3.x'
+          python-version: '3.11'
 
       - name: Install pre-commit
         run: |

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -70,3 +70,11 @@ repos:
             test/test_version.py|
             test/utils.py|
         )$
+
+-   repo: https://github.com/econchick/interrogate
+    rev: 1.5.0
+    hooks:
+      - id: interrogate
+        verbose: True
+        exclude: ^(locales|presentation)
+        args: ["-vv", "-i", "-I", "-M", "-C", "-n", "-p", "-f", "60.0"]
diff --git a/cve_bin_tool/sbom_manager/__init__.py b/cve_bin_tool/sbom_manager/__init__.py
@@ -123,8 +123,9 @@ def parse_sbom(self):
                     if ref[1] == "purl":
                         # Process purl identifier
                         purl_info = PackageURL.from_string(ref[2]).to_dict()
-                        modules.append([purl_info["name"], purl_info["version"]])
-                        purl_found = True
+                        if purl_info["name"] and purl_info["version"]:
+                            modules.append([purl_info["name"], purl_info["version"]])
+                            purl_found = True
             if not purl_found:
                 if package.get("version") is not None:
                     modules.append([package["name"], package["version"]])

diff --git a/dev-requirements.txt b/dev-requirements.txt
@@ -7,6 +7,7 @@ flake8; python_version < "3.8"
 flake8==6.1.0; python_version >= "3.8"
 bandit==1.7.5
 gitlint==v0.19.1
+interrogate
 mypy==v1.5.1
 pytest>=7.2.0
 pytest-xdist

diff --git a/fuzz/fuzz_cargo_lock.py b/fuzz/fuzz_cargo_lock.py
@@ -0,0 +1,74 @@
+# Copyright (C) 2023 Intel Corporation
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+import sys
+import tempfile
+from pathlib import Path
+
+import atheris
+import atheris_libprotobuf_mutator
+from google.protobuf.json_format import MessageToDict
+
+import fuzz.generated.cargo_lock_pb2 as cargo_lock_pb2
+from cve_bin_tool.cvedb import CVEDB
+from cve_bin_tool.log import LOGGER
+
+with atheris.instrument_imports():
+    from cve_bin_tool.parsers.rust import RustParser
+
+cve_db = CVEDB()
+logger = LOGGER.getChild("Fuzz")
+
+
+def CargoLockBuilder(data):
+    json_data = MessageToDict(
+        data, preserving_proto_field_name=True, including_default_value_fields=True
+    )
+
+    with open(file_path, "w") as f:
+        for package_data in json_data.get("packages", []):
+            package_name = package_data.get("name", "")
+            package_version = package_data.get("version", "")
+            f.write("[[package]]\n")
+            f.write(f'name = "{package_name}"\n')
+            f.write(f'version = "{package_version}"\n')
+            package_source = package_data.get("source", "")
+            if package_source != "":
+                f.write(f'source = "{package_source}"\n')
+            package_checksum = package_data.get("checksum", "")
+            if package_checksum != "":
+                f.write(f'checksum = "{package_checksum}"\n')
+
+            dependencies = package_data.get("dependency", [])
+            f.write("dependencies = [\n")
+            for dependency in dependencies:
+                name = dependency.get("name", "")
+                version = dependency.get("version", "")
+                url = dependency.get("url", "")
+                f.write(f' "{name}')
+                if version != "":
+                    f.write(f" {version}")
+                if url != "":
+                    f.write(f" {url}")
+                f.write('",\n')
+            f.write("]\n")
+            f.write("\n")
+
+
+def TestParseData(data):
+    try:
+        CargoLockBuilder(data)
+
+        rust_parser = RustParser(cve_db, logger)
+        rust_parser.run_checker(file_path)
+
+    except SystemExit:
+        return
+
+
+file_path = str(Path(tempfile.mkdtemp(prefix="cve-bin-tool-")) / "Cargo.lock")
+
+atheris_libprotobuf_mutator.Setup(
+    sys.argv, TestParseData, proto=cargo_lock_pb2.CargoLock
+)
+atheris.Fuzz()
diff --git a/fuzz/generated/cargo_lock_pb2.py b/fuzz/generated/cargo_lock_pb2.py
diff --git a/fuzz/proto_files/cargo_lock.proto b/fuzz/proto_files/cargo_lock.proto
@@ -0,0 +1,20 @@
+// Copyright (C) 2023 Intel Corporation
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+syntax = "proto3";
+
+message CargoLock {
+    message Package {
+        string name = 1;
+        string version = 2;
+        optional string source = 3;
+        optional string checksum = 4;
+        repeated Dependencies dependency = 5;
+    }
+    message Dependencies {
+        string name = 1;
+        optional string version = 2;
+        optional string url = 3;
+    }
+    repeated Package packages = 1;
+}