From a5e446c8653dbea015bb7d52651d2c52f8fb96ea Mon Sep 17 00:00:00 2001
From: Joydeep Tripathy <113792434+crazytrain328@users.noreply.github.com>
Date: Thu, 2 Nov 2023 23:31:51 +0530
Subject: [PATCH] fix: KeyError in format_data function (#3452)

* Update osv_source.py

Debugged the code based on a basic problem that I faced while installing cve-bin-tool

* fix: flake8 and codeql tweaks

* chore: blacken cve_bin_tool/data_sources/osv_source.py

---------

Co-authored-by: Terri Oda
---
 cve_bin_tool/data_sources/osv_source.py | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/cve_bin_tool/data_sources/osv_source.py b/cve_bin_tool/data_sources/osv_source.py
index 175a1edf3f..c8bbfea37e 100644
--- a/cve_bin_tool/data_sources/osv_source.py
+++ b/cve_bin_tool/data_sources/osv_source.py
@@ -292,15 +292,18 @@ def format_data(self, all_cve_entries):
                 severity_data.append(cve)
 
-            for package in cve_item["affected"]:
-                product = package["package"]["name"]
+            for package_data in cve_item.get("affected", []):
+                package = package_data.get("package", {})
+                if not package:
+                    continue
+
+                product = package.get("name")
                 vendor = (
                     "unknown"  # OSV Schema does not provide vendor names for packages
                 )
-                if (
-                    "github.com/" in product
-                ):  # if package name is of format github.com/xxxx/yyyy xxxx can be vendor name and yyyy is package name
-                    vendor = product.split("/")[-2]  # trying to guess vendor name
+
+                if product.startswith("github.com/"):
+                    vendor = product.split("/")[-2]
                     product = product.split("/")[-1]
 
                 affected = {
@@ -315,12 +318,12 @@ def format_data(self, all_cve_entries):
                 }
 
                 events = None
-                for ranges in package.get("ranges", []):
+                for ranges in package_data.get("ranges", []):
                     if ranges["type"] == "SEMVER":
                         events = ranges["events"]
 
-                if events is None and "versions" in package:
-                    versions = package["versions"]
+                if events is None and "versions" in package_data:
+                    versions = package_data["versions"]
                     if versions == []:
                         continue
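Review bot: `product = package.get("name")` can still yield None, and the following `product.startswith("github.com/")` then raises AttributeError, so the new guard covers a missing `package` dict but not a missing `name` key inside it. Because one malformed OSV record aborts the whole format_data run and thereby drops every other entry in the batch, the name should be guarded the same way the package is: `product = package.get("name")` followed by `if not product:` / `continue`. The same direct indexing survives in the second hunk (`ranges["type"]`, `ranges["events"]`), where a `.get` with a default would fit the same reasoning. format_data starts before the first hunk and continues after the second.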