diff --git a/cve_bin_tool/async_utils.py b/cve_bin_tool/async_utils.py index b1ad922b68..0afd6bc74d 100644 --- a/cve_bin_tool/async_utils.py +++ b/cve_bin_tool/async_utils.py @@ -24,7 +24,7 @@ # SOFTWARE." -""" Utility classes for the CVE Binary Tool """ +"""Utility classes for the CVE Binary Tool""" from __future__ import annotations diff --git a/cve_bin_tool/checkers/__init__.py b/cve_bin_tool/checkers/__init__.py index 82ab11e0b3..1744037f3d 100644 --- a/cve_bin_tool/checkers/__init__.py +++ b/cve_bin_tool/checkers/__init__.py @@ -1,7 +1,7 @@ # Copyright (C) 2021 Intel Corporation # SPDX-License-Identifier: GPL-3.0-or-later -""" CVE Checkers """ +"""CVE Checkers""" from __future__ import annotations import collections diff --git a/cve_bin_tool/cli.py b/cve_bin_tool/cli.py index 0361359d9e..c08d8c3dea 100644 --- a/cve_bin_tool/cli.py +++ b/cve_bin_tool/cli.py 
@@ -823,112 +823,113 @@ def main(argv=None): ) enabled_sources = [source_nvd] + enabled_sources - # Database update related settings - # Connect to the database - cvedb_orig = CVEDB( - sources=enabled_sources, - version_check=not version_check, - error_mode=error_mode, - ) - - # if OLD_CACHE_DIR (from cvedb.py) exists, print warning - if Path(OLD_CACHE_DIR).exists(): - LOGGER.warning( - f"Obsolete cache dir {OLD_CACHE_DIR} is no longer needed and can be removed." + if not args["no_scan"]: + # Database update related settings + # Connect to the database + cvedb_orig = CVEDB( + sources=enabled_sources, + version_check=not version_check, + error_mode=error_mode, ) - # Check database exists if operating in offline mode. - if args["offline"] and not cvedb_orig.check_db_exists(): - LOGGER.critical("Database does not exist.") - LOGGER.info( - "Consult the documentation at https://cve-bin-tool.readthedocs.io/en/latest/how_to_guides/offline.html to find out how to setup offline operation." - ) - return ERROR_CODES[CVEDBNotExist] + # if OLD_CACHE_DIR (from cvedb.py) exists, print warning + if Path(OLD_CACHE_DIR).exists(): + LOGGER.warning( + f"Obsolete cache dir {OLD_CACHE_DIR} is no longer needed and can be removed." + ) - if args["use_mirror"] and not args["offline"]: - if ( - cvedb_orig.fetch_from_mirror( - mirror=args["use_mirror"], + # Check database exists if operating in offline mode. + if args["offline"] and not cvedb_orig.check_db_exists(): + LOGGER.critical("Database does not exist.") + LOGGER.info( + "Consult the documentation at https://cve-bin-tool.readthedocs.io/en/latest/how_to_guides/offline.html to find out how to setup offline operation." 
+ ) + return ERROR_CODES[CVEDBNotExist] + + if args["use_mirror"] and not args["offline"]: + if ( + cvedb_orig.fetch_from_mirror( + mirror=args["use_mirror"], + pubkey=args["verify"], + ignore_signature=args["ignore_sig"], + log_signature_error=args["log_signature_error"], + ) + == -1 + ): + return ERROR_CODES[MirrorError] + + # import database from JSON chopped by years + if args["import_json"] and cvedb_orig.check_db_exists(): + return_code = cvedb_orig.json_to_db_wrapper( + path=args["import_json"], pubkey=args["verify"], ignore_signature=args["ignore_sig"], log_signature_error=args["log_signature_error"], ) - == -1 - ): - return ERROR_CODES[MirrorError] - - # import database from JSON chopped by years - if args["import_json"] and cvedb_orig.check_db_exists(): - return_code = cvedb_orig.json_to_db_wrapper( - path=args["import_json"], - pubkey=args["verify"], - ignore_signature=args["ignore_sig"], - log_signature_error=args["log_signature_error"], - ) - # And terminate operation - return return_code - - # Export database as JSON chopped by years - if args["export_json"] and cvedb_orig.check_db_exists(): - return_code = cvedb_orig.db_to_json( - path=args["export_json"], - private_key=args["pgp_sign"], - passphrase=args["passphrase"], - ) - # And terminate operation - return return_code - - # Import database if file exists - if args["import"] and Path(args["import"]).exists(): - LOGGER.info(f'Import database from {args["import"]}') - cvedb_orig.copy_db(filename=args["import"], export=False) - - # Export database if database exists - if args["export"] and cvedb_orig.check_db_exists(): - LOGGER.info(f'Export database to {args["export"]}') - cvedb_orig.copy_db(filename=args["export"], export=True) - # And terminate operation - return 0 - - # Clear data if -u now is set - if db_update == "now": - cvedb_orig.clear_cached_data() + # And terminate operation + return return_code + + # Export database as JSON chopped by years + if args["export_json"] and 
cvedb_orig.check_db_exists(): + return_code = cvedb_orig.db_to_json( + path=args["export_json"], + private_key=args["pgp_sign"], + passphrase=args["passphrase"], + ) + # And terminate operation + return return_code + + # Import database if file exists + if args["import"] and Path(args["import"]).exists(): + LOGGER.info(f'Import database from {args["import"]}') + cvedb_orig.copy_db(filename=args["import"], export=False) + + # Export database if database exists + if args["export"] and cvedb_orig.check_db_exists(): + LOGGER.info(f'Export database to {args["export"]}') + cvedb_orig.copy_db(filename=args["export"], export=True) + # And terminate operation + return 0 - if db_update == "latest": - cvedb_orig.refresh_cache_and_update_db() + # Clear data if -u now is set + if db_update == "now": + cvedb_orig.clear_cached_data() + + if db_update == "latest": + cvedb_orig.refresh_cache_and_update_db() + + # update db if needed + if db_update != "never": + cvedb_orig.get_cvelist_if_stale() + else: + LOGGER.warning("Not verifying CVE DB cache") + if not cvedb_orig.check_cve_entries(): + with ErrorHandler(mode=error_mode, logger=LOGGER): + raise EmptyCache(cvedb_orig.cachedir) + if not cvedb_orig.latest_schema(): + LOGGER.critical("Database does not have the latest schema.") + LOGGER.info("Please update database, by using --update 'now'") + if args["offline"]: + LOGGER.info( + "Consult the documentation at https://cve-bin-tool.readthedocs.io/en/latest/how_to_guides/offline.html to find out how to setup offline operation." 
+ ) + return ERROR_CODES[CVEDBOutdatedSchema] - # update db if needed - if db_update != "never": - cvedb_orig.get_cvelist_if_stale() - else: - LOGGER.warning("Not verifying CVE DB cache") + # CVE Database validation if not cvedb_orig.check_cve_entries(): with ErrorHandler(mode=error_mode, logger=LOGGER): - raise EmptyCache(cvedb_orig.cachedir) - if not cvedb_orig.latest_schema(): - LOGGER.critical("Database does not have the latest schema.") - LOGGER.info("Please update database, by using --update 'now'") - if args["offline"]: - LOGGER.info( - "Consult the documentation at https://cve-bin-tool.readthedocs.io/en/latest/how_to_guides/offline.html to find out how to setup offline operation." - ) - return ERROR_CODES[CVEDBOutdatedSchema] + raise CVEDataMissing("No data in CVE Database") - # CVE Database validation - if not cvedb_orig.check_cve_entries(): - with ErrorHandler(mode=error_mode, logger=LOGGER): - raise CVEDataMissing("No data in CVE Database") - - # Report time of last database update - db_date = time.strftime( - "%d %B %Y at %H:%M:%S", time.localtime(cvedb_orig.get_db_update_date()) - ) - LOGGER.info( - "CVE database contains CVEs from National Vulnerability Database (NVD), Open Source Vulnerability Database (OSV), Gitlab Advisory Database (GAD) and RedHat" - ) - LOGGER.info(f"CVE database last updated on {db_date}") + # Report time of last database update + db_date = time.strftime( + "%d %B %Y at %H:%M:%S", time.localtime(cvedb_orig.get_db_update_date()) + ) + LOGGER.info( + "CVE database contains CVEs from National Vulnerability Database (NVD), Open Source Vulnerability Database (OSV), Gitlab Advisory Database (GAD) and RedHat" + ) + LOGGER.info(f"CVE database last updated on {db_date}") - cvedb_orig.remove_cache_backup() + cvedb_orig.remove_cache_backup() output_formats = set(args["format"].split(",")) output_formats = [output_format.strip() for output_format in output_formats] 
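Review bot: Wrapping the whole database-maintenance block in `if not args["no_scan"]:` means `--import`, `--export`, `--import-json`, `--export-json`, `--use-mirror` and `--update` are silently ignored whenever `--no-scan` is given, including the signed-export (`private_key=args["pgp_sign"]`) and signature-verified-import (`pubkey=args["verify"]`) paths; a user who combines them gets no message at all. Before the new `if`, detect the conflict and say so, e.g. `if args["no_scan"] and any(args[k] for k in ("import", "export", "import_json", "export_json", "use_mirror")): LOGGER.warning("--no-scan set: database import/export/mirror options are ignored")`. Binding `cvedb_orig = None` at the same spot would also avoid leaving the name unbound in no-scan mode for the rest of main, which continues outside this hunk.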
@@ -1084,14 +1085,18 @@ def main(argv=None): # Root package for generated SBOM. Will be updated to reflect input data sbom_root = "CVE-SCAN" + if args["no_scan"]: + cvedb_orig = None + disabled_sources = None + with CVEScanner( score=score, check_metrics=metrics, epss_percentile=epss_percentile, epss_probability=epss_probability, check_exploits=args["exploits"], - exploits_list=cvedb_orig.get_exploits_list(), - disabled_sources=disabled_sources, + exploits_list=cvedb_orig.get_exploits_list() if cvedb_orig else [], + disabled_sources=disabled_sources or [], no_scan=args["no_scan"], ) as cve_scanner: triage_data: TriageData @@ -1159,7 +1164,8 @@ def main(argv=None): LOGGER.debug(f"Triage Data: {triage_data}") parsed_data[product_info] = triage_data - cve_scanner.get_cves(product_info, triage_data) + if not args["no_scan"]: + cve_scanner.get_cves(product_info, triage_data) total_files = version_scanner.total_scanned_files LOGGER.info(f"Total files: {total_files}") diff --git a/cve_bin_tool/file.py b/cve_bin_tool/file.py index 2acdd31d1f..77efd9577f 100644 --- a/cve_bin_tool/file.py +++ b/cve_bin_tool/file.py 
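Review bot: `disabled_sources = None` inside the new `if args["no_scan"]:` block discards a value computed earlier in main (outside this hunk) only for the next line to turn it back into `[]` via `disabled_sources or []`; the CVEScanner can be handed the original list unchanged, so that assignment should go. The `cvedb_orig = None` beside it exists only because the earlier hunk leaves the name unbound in no-scan mode; binding it once before that `if not args["no_scan"]:` block makes `exploits_list=cvedb_orig.get_exploits_list() if cvedb_orig else []` self-explanatory. In the second hunk, the `if not args["no_scan"]:` guard around `cve_scanner.get_cves(product_info, triage_data)` duplicates the `no_scan=args["no_scan"]` already passed to CVEScanner — if the scanner honours that flag inside get_cves the guard is redundant, and if it does not, a one-line comment saying the guard is the real gate would help the next reader.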
@@ -62,24 +62,24 @@ def check_fake_test(_filename: str, signature: bytes) -> bool: def check_mach_o_32(_filename: str, signature: bytes) -> bool: """Check for Mach-O 32-bit signature.""" - return signature[:4] == b"\xFE\xED\xFA\xCE" + return signature[:4] == b"\xfe\xed\xfa\xce" def check_mach_o_64(_filename: str, signature: bytes) -> bool: """Check for Mach-O 64-bit signature.""" - return signature[:4] == b"\xFE\xED\xFA\xCF" + return signature[:4] == b"\xfe\xed\xfa\xcf" def check_mach_o_universal(_filename: str, signature: bytes) -> bool: """Check for Mach-O Universal Binary signature.""" - return signature[:4] == b"\xCA\xFE\xBA\xBE" + return signature[:4] == b"\xca\xfe\xba\xbe" def check_ios_arm(_filename: str, signature: bytes) -> bool: """Check for Mach-O Universal Binary signature.""" - return signature[:4] == b"\xCF\xFA\xED\xFE" + return signature[:4] == b"\xcf\xfa\xed\xfe" def check_wasm(_filename: str, signature: bytes) -> bool: """Check for WebAssembly (WASM) signature.""" - return signature[:4] == b"\x00\x61\x73\x6D" + return signature[:4] == b"\x00\x61\x73\x6d" diff --git a/cve_bin_tool/merge.py b/cve_bin_tool/merge.py index e492b9dea9..1c77051f2e 100644 --- a/cve_bin_tool/merge.py +++ b/cve_bin_tool/merge.py @@ -228,7 +228,7 @@ def get_intermediate_cve_scanner(cve_data_list, score) -> list[CVEScanner]: def parse_data_from_json( - json_data: list[dict[str, str]] + json_data: list[dict[str, str]], ) -> dict[ProductInfo, TriageData]: """Parse CVE JSON dictionary to Dict[ProductInfo, TriageData]""" diff --git a/cve_bin_tool/parsers/ccpp.py b/cve_bin_tool/parsers/ccpp.py index 8d4452e940..2cc151d430 100644 --- a/cve_bin_tool/parsers/ccpp.py +++ b/cve_bin_tool/parsers/ccpp.py @@ -6,6 +6,7 @@ import re from cve_bin_tool.parsers import Parser +from cve_bin_tool.util import ProductInfo, ScanInfo class CCppParser(Parser): 
@@ -51,15 +52,31 @@ def run_checker(self, filename): product = require.split("#")[0].split("/")[0] version = require.split("#")[0].split("/")[1] purl = self.generate_purl(product) - vendor = self.get_vendor(purl, product, version) - if vendor is not None: - yield from vendor + if not self.cve_db: + yield from [ + ScanInfo( + ProductInfo("UNKNOWN", product, version, purl), + " ", + ), + ] + else: + vendor = self.get_vendor(purl, product, version) + if vendor is not None: + yield from vendor if build_requires: for build_require in build_requires: product = build_require.split("#")[0].split("/")[0] version = build_require.split("#")[0].split("/")[1] purl = self.generate_purl(product) - vendor = self.get_vendor(purl, product, version) - if vendor is not None: - yield from vendor + if not self.cve_db: + yield from [ + ScanInfo( + ProductInfo("UNKNOWN", product, version, purl), + " ", + ), + ] + else: + vendor = self.get_vendor(purl, product, version) + if vendor is not None: + yield from vendor self.logger.debug(f"Done scanning file: {self.filename}") diff --git a/cve_bin_tool/parsers/dart.py b/cve_bin_tool/parsers/dart.py index 91f79075a7..29aee9a997 100644 --- a/cve_bin_tool/parsers/dart.py +++ b/cve_bin_tool/parsers/dart.py @@ -6,6 +6,7 @@ import yaml from cve_bin_tool.parsers import Parser +from cve_bin_tool.util import ProductInfo, ScanInfo class DartParser(Parser): @@ -54,7 +55,16 @@ def run_checker(self, filename): product = package_name version = package_detail.get("version").replace('"', "") purl = self.generate_purl(product) - vendor = self.get_vendor(purl, product, version) - if vendor: - yield from vendor + + if not self.cve_db: + yield from [ + ScanInfo( + ProductInfo("UNKNOWN", product, version, purl), + " ", + ), + ] + else: + vendor = self.get_vendor(purl, product, version) + if vendor: + yield from vendor self.logger.debug(f"Done scanning file: {self.filename}") 
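Review bot: The `if not self.cve_db:` fallback in run_checker is pasted twice in this hunk (once for `requires`, once for `build_requires`) and, per the rest of this diff, into dart, go, javascript, perl, php, python, r, ruby, rust and swift as well; the smaller change is to make the base `Parser.get_vendor` (parsers/__init__.py, not in this diff) return `[ScanInfo(ProductInfo("UNKNOWN", product, version, purl), ...)]` itself when `self.cve_db` is `None`, leaving every parser untouched. The fallback also records `" "` as the ScanInfo's second field where java.py's equivalent branch passes `file_path`; `self.filename` is in scope here (it is logged on the last line of the hunk), and keeping it preserves which manifest each component came from in a no-scan report. `yield from [ScanInfo(...)]` over a one-element list is just `yield ScanInfo(...)`.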
diff --git a/cve_bin_tool/parsers/env.py b/cve_bin_tool/parsers/env.py index 5612b23613..5c776ca861 100644 --- a/cve_bin_tool/parsers/env.py +++ b/cve_bin_tool/parsers/env.py @@ -45,6 +45,11 @@ class EnvParser(Parser): requirements.txt) and generate PURLs (Package URLs) for the listed packages. """ + def __init__(self, cve_db, logger): + super().__init__(cve_db, logger) + self.cve_db = cve_db + self.logger = logger + PARSER_MATCH_FILENAMES = [ ".env", ] @@ -127,10 +132,11 @@ def run_checker(self, filename): for _namespace, cve in env_config.namespaces.items() ] - with self.cve_db.with_cursor() as cursor: - self.cve_db.populate_cve_metrics(severity_data, cursor) - self.cve_db.populate_severity(severity_data, cursor, data_source) - self.cve_db.populate_affected(affected_data, cursor, data_source) + if self.cve_db: + with self.cve_db.with_cursor() as cursor: + self.cve_db.populate_cve_metrics(severity_data, cursor) + self.cve_db.populate_severity(severity_data, cursor, data_source) + self.cve_db.populate_affected(affected_data, cursor, data_source) for _namespace, cve in env_config.namespaces.items(): yield ScanInfo( diff --git a/cve_bin_tool/parsers/go.py b/cve_bin_tool/parsers/go.py index e01727f3a0..ab11d29dee 100644 --- a/cve_bin_tool/parsers/go.py +++ b/cve_bin_tool/parsers/go.py @@ -4,6 +4,7 @@ import re from cve_bin_tool.parsers import Parser +from cve_bin_tool.util import ProductInfo, ScanInfo class GoParser(Parser): 
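Review bot: The new `EnvParser.__init__` calls `super().__init__(cve_db, logger)` and then assigns `self.cve_db` and `self.logger` a second time; every other parser in this diff reads `self.cve_db` without such an override, so the base class evidently sets both already and the override is redundant — drop it. The `if self.cve_db:` guard around the `populate_*` calls is the right shape, but note that in no-scan mode the custom CVE entries from the .env file are still yielded as ScanInfo by the loop that follows the hunk without ever being written to the database; a comment such as `# no-scan: report the entries but never persist them` would stop someone "fixing" that later. run_checker's body continues outside the hunk.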
@@ -75,7 +76,15 @@ def run_checker(self, filename): product = line.split(" ")[0].split("/")[-1] version = line.split(" ")[1][1:].split("-")[0].split("+")[0] purl = self.generate_purl(product) - vendors = self.get_vendor(purl, product, version) - if vendors is not None: - yield from vendors + if not self.cve_db: + yield from [ + ScanInfo( + ProductInfo("UNKNOWN", product, version, purl), + " ", + ), + ] + else: + vendors = self.get_vendor(purl, product, version) + if vendors is not None: + yield from vendors self.logger.debug(f"Done scanning file: {self.filename}") diff --git a/cve_bin_tool/parsers/java.py b/cve_bin_tool/parsers/java.py index ac84836931..48a515beb5 100644 --- a/cve_bin_tool/parsers/java.py +++ b/cve_bin_tool/parsers/java.py @@ -99,12 +99,20 @@ def run_checker(self, filename): product = parent.find(schema + "artifactId").text if product is not None and version is not None: purl = self.generate_purl(product) - product_info, result = self.find_vendor_from_purl(purl, version) - if not result: - product_info = self.find_vendor(product, version) - product_info = self.mismatch(purl, product_info) - if product_info is not None: - yield from product_info + if not self.cve_db: + yield from [ + ScanInfo( + ProductInfo("UNKNOWN", product, version, purl), + file_path, + ), + ] + else: + product_info, result = self.find_vendor_from_purl(purl, version) + if not result: + product_info = self.find_vendor(product, version) + product_info = self.mismatch(purl, product_info) + if product_info is not None: + yield from product_info # Some version strings are defined as properties. # Build up dictionary of values in same format ${name} : {value} 
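Review bot: java.py's run_checker gains `ScanInfo(ProductInfo("UNKNOWN", product, version, purl), file_path)` in the new `if not self.cve_db:` branch, but unlike ccpp, dart, go and the other parsers in this diff there is no hunk adding `from cve_bin_tool.util import ProductInfo, ScanInfo` to java.py; if those names are not already imported at the top of the file (not visible here), this branch raises NameError the first time `--no-scan` meets a pom.xml. Please confirm the import and add it alongside the others if missing. The go.py hunk on this line has the same `" "` file-path placeholder raised for ccpp; `self.filename` is available there too.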
@@ -136,14 +144,24 @@ def run_checker(self, filename): if version[0].isdigit(): # Valid version identifier purl = self.generate_purl(product.text) - product_info, result = self.find_vendor_from_purl( - purl, version - ) - if not result: - product_info = self.find_vendor( - product.text, version + if not self.cve_db: + yield from [ + ScanInfo( + ProductInfo( + "UNKNOWN", product.text, version, purl + ), + file_path, + ), + ] + else: + product_info, result = self.find_vendor_from_purl( + purl, version ) - product_info = self.mismatch(purl, product_info) - if product_info is not None: - yield from product_info + if not result: + product_info = self.find_vendor( + product.text, version + ) + product_info = self.mismatch(purl, product_info) + if product_info is not None: + yield from product_info self.logger.debug(f"Done scanning file: (unknown)") diff --git a/cve_bin_tool/parsers/javascript.py b/cve_bin_tool/parsers/javascript.py index d12ca2dca6..13cf2e57ca 100644 --- a/cve_bin_tool/parsers/javascript.py +++ b/cve_bin_tool/parsers/javascript.py @@ -6,6 +6,7 @@ import re from cve_bin_tool.parsers import Parser +from cve_bin_tool.util import ProductInfo, ScanInfo class JavascriptParser(Parser): @@ -58,7 +59,16 @@ def process_package_lock(self, filename): product = data["name"] version = data["version"] purl = self.generate_purl(product) - vendor = self.get_vendor(purl, product, version) + if not self.cve_db: + vendor = None + yield from [ + ScanInfo( + ProductInfo("UNKNOWN", product, version, purl), + " ", + ), + ] + else: + vendor = self.get_vendor(purl, product, version) else: vendor = None if vendor is not None: 
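Review bot: In javascript.py's process_package_lock, `vendor = None` is assigned inside the new `if not self.cve_db:` branch and again in the outer `else:` purely so the trailing `if vendor is not None:` is never reached with the name unbound; initialise `vendor = None` once before the outer `if` and both assignments disappear. Because the UNKNOWN ScanInfo is yielded and control then falls through to that same `if vendor is not None:` check, a short comment, `# no database: the UNKNOWN entry is the only result for the root package`, makes it clear nothing is emitted twice. The function continues past the hunk.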
@@ -108,9 +118,17 @@ def process_package_lock(self, filename): for product, version in product_version_mapping: purl = self.generate_purl(product, "") - vendor = self.get_vendor(purl, product, version) - if vendor is not None: - yield from vendor + if not self.cve_db: + yield from [ + ScanInfo( + ProductInfo("UNKNOWN", product, version, purl), + " ", + ), + ] + else: + vendor = self.get_vendor(purl, product, version) + if vendor is not None: + yield from vendor def process_yarn_lock(self, filename): """Process yarn.lock file and extract product and dependency details @@ -136,11 +154,19 @@ def process_yarn_lock(self, filename): for product, version in product_version_mapping: # Generate the PURL for the package purl = self.generate_purl(product, "", version) - vendor, result = self.find_vendor_from_purl(purl, version) + if not self.cve_db: + yield from [ + ScanInfo( + ProductInfo("UNKNOWN", product, version, purl), + " ", + ), + ] + else: + vendor, result = self.find_vendor_from_purl(purl, version) - if not result: - # If no vendor found using PURL, try to find vendor using product and version - vendor = self.find_vendor(product, version) - if vendor is not None: - # Yield vendor information if found - yield from vendor + if not result: + # If no vendor found using PURL, try to find vendor using product and version + vendor = self.find_vendor(product, version) + if vendor is not None: + # Yield vendor information if found + yield from vendor diff --git a/cve_bin_tool/parsers/perl.py b/cve_bin_tool/parsers/perl.py index b018871619..9e90343f9c 100644 --- a/cve_bin_tool/parsers/perl.py +++ b/cve_bin_tool/parsers/perl.py @@ -4,6 +4,7 @@ import re from cve_bin_tool.parsers import Parser +from cve_bin_tool.util import ProductInfo, ScanInfo class PerlParser(Parser): 
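Review bot: The yarn.lock hunk is the third verbatim copy of the `if not self.cve_db:` fallback in javascript.py alone (process_package_lock carries the other two); a private helper on the parser, e.g. `def _unknown_vendor(self, product, version, purl): return ScanInfo(ProductInfo("UNKNOWN", product, version, purl), " ")`, called as `yield self._unknown_vendor(product, version, purl)` at all three sites, keeps the file readable — or, better, put the fallback in the base class once. In the yarn path the fallback also bypasses the `find_vendor_from_purl` → `find_vendor` retry entirely, which is fine, but the `if not result:` retry block is now nested one level deeper for no functional reason; a guard (`if not self.cve_db: yield ...; continue`) at the top of the loop body keeps the original logic flat.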
@@ -59,7 +60,15 @@ def run_checker(self, filename): product = dependency[0] version = dependency[1] purl = self.generate_purl(product) - vendor = self.get_vendor(purl, product, version) - if vendor is not None: - yield from vendor + if not self.cve_db: + yield from [ + ScanInfo( + ProductInfo("UNKNOWN", product, version, purl), + " ", + ), + ] + else: + vendor = self.get_vendor(purl, product, version) + if vendor is not None: + yield from vendor self.logger.debug(f"Done scanning file: {self.filename}") diff --git a/cve_bin_tool/parsers/php.py b/cve_bin_tool/parsers/php.py index 37a4d4acb6..18007ae801 100644 --- a/cve_bin_tool/parsers/php.py +++ b/cve_bin_tool/parsers/php.py @@ -8,6 +8,7 @@ import re from cve_bin_tool.parsers import Parser +from cve_bin_tool.util import ProductInfo, ScanInfo class PhpParser(Parser): @@ -58,7 +59,15 @@ def run_checker(self, filename): if "dev" in version: continue purl = self.generate_purl(product) - vendor = self.get_vendor(purl, product, version) - if vendor is not None: - yield from vendor + if not self.cve_db: + yield from [ + ScanInfo( + ProductInfo("UNKNOWN", product, version, purl), + " ", + ), + ] + else: + vendor = self.get_vendor(purl, product, version) + if vendor is not None: + yield from vendor self.logger.debug(f"Done scanning file: {self.filename}") diff --git a/cve_bin_tool/parsers/python.py b/cve_bin_tool/parsers/python.py index 827d717224..3c439fa94d 100644 --- a/cve_bin_tool/parsers/python.py +++ b/cve_bin_tool/parsers/python.py @@ -10,6 +10,7 @@ from cve_bin_tool.parsers import Parser from cve_bin_tool.strings import parse_strings +from cve_bin_tool.util import ProductInfo, ScanInfo class PythonRequirementsParser(Parser): 
@@ -100,10 +101,18 @@ def run_checker(self, filename): product = line["metadata"]["name"] version = line["metadata"]["version"] purl = self.generate_purl(product) - vendor = self.get_vendor(purl, product, version) - - if vendor is not None: - yield from vendor + if not self.cve_db: + yield from [ + ScanInfo( + ProductInfo("UNKNOWN", product, version, purl), + " ", + ), + ] + else: + vendor = self.get_vendor(purl, product, version) + + if vendor is not None: + yield from vendor self.logger.debug(f"Done scanning file: {self.filename}") @@ -153,9 +162,17 @@ def run_checker(self, filename): product = search(compile(r"^Name: (.+)$", MULTILINE), lines).group(1) version = search(compile(r"^Version: (.+)$", MULTILINE), lines).group(1) purl = self.generate_purl(product) - vendor = self.get_vendor(purl, product, version) - if vendor is not None: - yield from vendor + if not self.cve_db: + yield from [ + ScanInfo( + ProductInfo("UNKNOWN", product, version, purl), + " ", + ), + ] + else: + vendor = self.get_vendor(purl, product, version) + if vendor is not None: + yield from vendor # There are packages with a METADATA file in them containing different data from what the tool expects except AttributeError: diff --git a/cve_bin_tool/parsers/r.py b/cve_bin_tool/parsers/r.py index 4b08f3393a..40a5c27e5a 100644 --- a/cve_bin_tool/parsers/r.py +++ b/cve_bin_tool/parsers/r.py @@ -5,6 +5,7 @@ import re from cve_bin_tool.parsers import Parser +from cve_bin_tool.util import ProductInfo, ScanInfo class RParser(Parser): 
@@ -61,7 +62,15 @@ def run_checker(self, filename): product = content["Packages"][package]["Package"] version = content["Packages"][package]["Version"] purl = self.generate_purl(product) - vendor = self.get_vendor(purl, product, version) - if vendor is not None: - yield from vendor + if not self.cve_db: + yield from [ + ScanInfo( + ProductInfo("UNKNOWN", product, version, purl), + " ", + ), + ] + else: + vendor = self.get_vendor(purl, product, version) + if vendor is not None: + yield from vendor self.logger.debug(f"Done scanning file: {self.filename}") diff --git a/cve_bin_tool/parsers/ruby.py b/cve_bin_tool/parsers/ruby.py index 0efa8c4046..1937e8e33f 100644 --- a/cve_bin_tool/parsers/ruby.py +++ b/cve_bin_tool/parsers/ruby.py @@ -6,6 +6,7 @@ import re from cve_bin_tool.parsers import Parser +from cve_bin_tool.util import ProductInfo, ScanInfo class RubyParser(Parser): @@ -73,7 +74,15 @@ def run_checker(self, filename): product = line.strip().split()[0] version = line.strip().split("(")[1][:-1] purl = self.generate_purl(product) - vendors = self.get_vendor(purl, product, version) - if vendors is not None: - yield from vendors + if not self.cve_db: + yield from [ + ScanInfo( + ProductInfo("UNKNOWN", product, version, purl), + " ", + ), + ] + else: + vendors = self.get_vendor(purl, product, version) + if vendors is not None: + yield from vendors self.logger.debug(f"Done scanning file: {self.filename}") diff --git a/cve_bin_tool/parsers/rust.py b/cve_bin_tool/parsers/rust.py index 20f8b155b3..34c633aa75 100644 --- a/cve_bin_tool/parsers/rust.py +++ b/cve_bin_tool/parsers/rust.py @@ -4,6 +4,7 @@ import re from cve_bin_tool.parsers import Parser +from cve_bin_tool.util import ProductInfo, ScanInfo class RustParser(Parser): 
@@ -66,9 +67,17 @@ def run_checker(self, filename): continue purl = self.generate_purl(product) - vendors = self.get_vendor(purl, product, version) - if vendors is not None: - yield from vendors + if not self.cve_db: + yield from [ + ScanInfo( + ProductInfo("UNKNOWN", product, version, purl), + " ", + ), + ] + else: + vendors = self.get_vendor(purl, product, version) + if vendors is not None: + yield from vendors product = "" version = "" self.logger.debug(f"Done scanning file: {self.filename}") diff --git a/cve_bin_tool/parsers/swift.py b/cve_bin_tool/parsers/swift.py index bbe6d6b2e9..dbd177fb0b 100644 --- a/cve_bin_tool/parsers/swift.py +++ b/cve_bin_tool/parsers/swift.py @@ -7,6 +7,7 @@ from urllib.parse import urlparse from cve_bin_tool.parsers import Parser +from cve_bin_tool.util import ProductInfo, ScanInfo class SwiftParser(Parser): @@ -74,7 +75,15 @@ def run_checker(self, filename): self.logger.debug(domain) purl = self.generate_purl(product) - vendors = self.get_vendor(purl, product, version) - if vendors is not None: - yield from vendors + if not self.cve_db: + yield from [ + ScanInfo( + ProductInfo("UNKNOWN", product, version, purl), + " ", + ), + ] + else: + vendors = self.get_vendor(purl, product, version) + if vendors is not None: + yield from vendors self.logger.debug(f"Done scanning file: {self.filename}") diff --git a/cve_bin_tool/version_scanner.py b/cve_bin_tool/version_scanner.py index 83f5b574da..7ee0686876 100644 --- a/cve_bin_tool/version_scanner.py +++ b/cve_bin_tool/version_scanner.py @@ -68,7 +68,6 @@ def __init__( self.should_extract = should_extract self.file_stack: list[str] = [] self.error_mode = error_mode - self.cve_db = CVEDB(sources=sources) self.validate = validate self.logger.info( "Checkers loaded: %s" % (", ".join(sorted(self.checkers.keys()))) 
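Review bot: In VersionScanner.__init__, deleting `self.cve_db = CVEDB(sources=sources)` here and re-creating it conditionally after `self.language_checkers_names = self.available_language_checkers()` (next hunk) moves the attribute's first assignment past the "Checkers loaded" log and the language-checker setup; if anything in that stretch of __init__ (outside both hunks) reads `self.cve_db`, it now fails with AttributeError. Assigning at the original position with `self.cve_db = None if self.no_scan else CVEDB(sources=sources)` keeps the order and collapses the four-line if/else to one. Either form requires `self.no_scan` to be set before this point — its assignment is not in the diff, so worth a glance.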
@@ -76,6 +75,11 @@ def __init__( self.language_checkers = valid_files self.language_checkers_names = self.available_language_checkers() + if self.no_scan: + self.cve_db = None + else: + self.cve_db = CVEDB(sources=sources) + @classmethod def load_checkers(cls) -> dict[str, type[Checker]]: """Loads CVE checkers""" @@ -264,9 +268,8 @@ def scan_file(self, filename: str) -> Iterator[ScanInfo]: # parse binary file's strings lines = parse_strings(filename) - if self.no_scan: - yield from self.run_checkers(filename, lines) - return + if not self.no_scan and not self.cve_db: + self.logger.info("No Database Object Found: Fallback to No-Scan Mode") if output: valid_file = False diff --git a/fuzz/generated/cargo_lock_pb2.py b/fuzz/generated/cargo_lock_pb2.py index 0b6b8d8a93..569ea3e09c 100644 --- a/fuzz/generated/cargo_lock_pb2.py +++ b/fuzz/generated/cargo_lock_pb2.py 
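Review bot: In scan_file the replacement for the old `if self.no_scan:` early return only logs `"No Database Object Found: Fallback to No-Scan Mode"` when `not self.no_scan and not self.cve_db`; it never sets `self.no_scan = True`, so the message promises a mode switch that does not happen and the rest of scan_file (outside the hunk) continues with `self.cve_db` still `None`. Given the __init__ hunk above, that condition is only reachable if a caller clears `cve_db` after construction, so either make the switch real (`self.no_scan = True` under the log, at warning level) or drop the log. Removing the early return also means no-scan files now take the full scan_file path; a comment stating this is intended because the parsers handle `cve_db is None` themselves would help the next reader.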
@@ -7,24 +7,25 @@ from google.protobuf import descriptor_pool as _descriptor_pool from google.protobuf import symbol_database as _symbol_database from google.protobuf.internal import builder as _builder + # @@protoc_insertion_point(imports) _sym_db = _symbol_database.Default() - - -DESCRIPTOR = _descriptor_pool.Default().AddSerializedFile(b'\n\x10\x63\x61rgo_lock.proto\"\xa7\x02\n\tCargoLock\x12$\n\x08packages\x18\x01 \x03(\x0b\x32\x12.CargoLock.Package\x1a\x99\x01\n\x07Package\x12\x0c\n\x04name\x18\x01 \x01(\t\x12\x0f\n\x07version\x18\x02 \x01(\t\x12\x13\n\x06source\x18\x03 \x01(\tH\x00\x88\x01\x01\x12\x15\n\x08\x63hecksum\x18\x04 \x01(\tH\x01\x88\x01\x01\x12+\n\ndependency\x18\x05 \x03(\x0b\x32\x17.CargoLock.DependenciesB\t\n\x07_sourceB\x0b\n\t_checksum\x1aX\n\x0c\x44\x65pendencies\x12\x0c\n\x04name\x18\x01 \x01(\t\x12\x14\n\x07version\x18\x02 \x01(\tH\x00\x88\x01\x01\x12\x10\n\x03url\x18\x03 \x01(\tH\x01\x88\x01\x01\x42\n\n\x08_versionB\x06\n\x04_urlb\x06proto3') +DESCRIPTOR = _descriptor_pool.Default().AddSerializedFile( + b'\n\x10\x63\x61rgo_lock.proto"\xa7\x02\n\tCargoLock\x12$\n\x08packages\x18\x01 \x03(\x0b\x32\x12.CargoLock.Package\x1a\x99\x01\n\x07Package\x12\x0c\n\x04name\x18\x01 \x01(\t\x12\x0f\n\x07version\x18\x02 \x01(\t\x12\x13\n\x06source\x18\x03 \x01(\tH\x00\x88\x01\x01\x12\x15\n\x08\x63hecksum\x18\x04 \x01(\tH\x01\x88\x01\x01\x12+\n\ndependency\x18\x05 \x03(\x0b\x32\x17.CargoLock.DependenciesB\t\n\x07_sourceB\x0b\n\t_checksum\x1aX\n\x0c\x44\x65pendencies\x12\x0c\n\x04name\x18\x01 \x01(\t\x12\x14\n\x07version\x18\x02 \x01(\tH\x00\x88\x01\x01\x12\x10\n\x03url\x18\x03 \x01(\tH\x01\x88\x01\x01\x42\n\n\x08_versionB\x06\n\x04_urlb\x06proto3' +) _globals = globals() _builder.BuildMessageAndEnumDescriptors(DESCRIPTOR, _globals) -_builder.BuildTopDescriptorsAndMessages(DESCRIPTOR, 'cargo_lock_pb2', _globals) +_builder.BuildTopDescriptorsAndMessages(DESCRIPTOR, "cargo_lock_pb2", _globals) if _descriptor._USE_C_DESCRIPTORS == False: - DESCRIPTOR._options = 
None - _globals['_CARGOLOCK']._serialized_start=21 - _globals['_CARGOLOCK']._serialized_end=316 - _globals['_CARGOLOCK_PACKAGE']._serialized_start=73 - _globals['_CARGOLOCK_PACKAGE']._serialized_end=226 - _globals['_CARGOLOCK_DEPENDENCIES']._serialized_start=228 - _globals['_CARGOLOCK_DEPENDENCIES']._serialized_end=316 + DESCRIPTOR._options = None + _globals["_CARGOLOCK"]._serialized_start = 21 + _globals["_CARGOLOCK"]._serialized_end = 316 + _globals["_CARGOLOCK_PACKAGE"]._serialized_start = 73 + _globals["_CARGOLOCK_PACKAGE"]._serialized_end = 226 + _globals["_CARGOLOCK_DEPENDENCIES"]._serialized_start = 228 + _globals["_CARGOLOCK_DEPENDENCIES"]._serialized_end = 316 # @@protoc_insertion_point(module_scope) diff --git a/fuzz/generated/gemfile_lock_pb2.py b/fuzz/generated/gemfile_lock_pb2.py index ecd58cd008..bdb9335736 100644 --- a/fuzz/generated/gemfile_lock_pb2.py +++ b/fuzz/generated/gemfile_lock_pb2.py @@ -31,4 +31,4 @@ _globals["_GEMPACKAGE"]._serialized_end = 272 _globals["_GEMFILELOCK"]._serialized_start = 275 _globals["_GEMFILELOCK"]._serialized_end = 458 -# @@protoc_insertion_point(module_scope) \ No newline at end of file +# @@protoc_insertion_point(module_scope) diff --git a/fuzz/generated/package_resolved_pb2.py b/fuzz/generated/package_resolved_pb2.py index 2edc764706..7153e70525 100644 --- a/fuzz/generated/package_resolved_pb2.py +++ b/fuzz/generated/package_resolved_pb2.py @@ -1,4 +1,5 @@ """Generated protocol buffer code.""" + from google.protobuf import descriptor as _descriptor from google.protobuf import descriptor_pool as _descriptor_pool from google.protobuf import symbol_database as _symbol_database @@ -26,4 +27,4 @@ _globals["_PACKAGERESOLVED"]._serialized_end = 327 _globals["_PACKAGERESOLVED_OBJECT"]._serialized_start = 283 _globals["_PACKAGERESOLVED_OBJECT"]._serialized_end = 327 -# @@protoc_insertion_point(module_scope) \ No newline at end of file +# @@protoc_insertion_point(module_scope) 
diff --git a/fuzz/generated/pom_xml_pb2.py b/fuzz/generated/pom_xml_pb2.py index cb825f3e42..0eb3075f2b 100644 --- a/fuzz/generated/pom_xml_pb2.py +++ b/fuzz/generated/pom_xml_pb2.py 
@@ -9,32 +9,28 @@ from google.protobuf import runtime_version as _runtime_version from google.protobuf import symbol_database as _symbol_database from google.protobuf.internal import builder as _builder + _runtime_version.ValidateProtobufRuntimeVersion( - _runtime_version.Domain.PUBLIC, - 5, - 29, - 3, - '', - 'pom_xml.proto' + _runtime_version.Domain.PUBLIC, 5, 29, 3, "", "pom_xml.proto" ) # @@protoc_insertion_point(imports) _sym_db = _symbol_database.Default() - - -DESCRIPTOR = _descriptor_pool.Default().AddSerializedFile(b'\n\rpom_xml.proto\"\xb4\x02\n\rPomXmlProject\x12\x15\n\rxml_namespace\x18\x01 \x01(\t\x12\x1b\n\x13xml_schema_instance\x18\x02 \x01(\t\x12\x1a\n\x12xml_namespace_uri1\x18\x03 \x01(\t\x12\x1a\n\x12xml_namespace_uri2\x18\x04 \x01(\t\x12\x15\n\rmodel_version\x18\x05 \x01(\x02\x12\x11\n\tpackaging\x18\x06 \x01(\t\x12\x10\n\x08group_Id\x18\x07 \x01(\t\x12\x12\n\nartifactId\x18\x08 \x01(\t\x12\x0c\n\x04name\x18\n \x01(\t\x12\x0b\n\x03url\x18\x0b \x01(\t\x12\x0f\n\x07version\x18\x0c \x01(\x02\x12!\n\x0c\x64\x65pendencies\x18\r \x03(\x0b\x32\x0b.Dependency\x12\x18\n\x07plugins\x18\x0e \x03(\x0b\x32\x07.Plugin\"Q\n\nDependency\x12\x0f\n\x07groupId\x18\x01 \x01(\t\x12\x12\n\nartifactId\x18\x02 \x01(\t\x12\x0f\n\x07version\x18\x03 \x01(\t\x12\r\n\x05scope\x18\x04 \x01(\t\">\n\x06Plugin\x12\x0f\n\x07groupId\x18\x01 \x01(\t\x12\x12\n\nartifactId\x18\x02 \x01(\t\x12\x0f\n\x07version\x18\x03 \x01(\x02\x62\x06proto3') +DESCRIPTOR = _descriptor_pool.Default().AddSerializedFile( + b'\n\rpom_xml.proto"\xb4\x02\n\rPomXmlProject\x12\x15\n\rxml_namespace\x18\x01 \x01(\t\x12\x1b\n\x13xml_schema_instance\x18\x02 \x01(\t\x12\x1a\n\x12xml_namespace_uri1\x18\x03 \x01(\t\x12\x1a\n\x12xml_namespace_uri2\x18\x04 \x01(\t\x12\x15\n\rmodel_version\x18\x05 \x01(\x02\x12\x11\n\tpackaging\x18\x06 \x01(\t\x12\x10\n\x08group_Id\x18\x07 \x01(\t\x12\x12\n\nartifactId\x18\x08 \x01(\t\x12\x0c\n\x04name\x18\n \x01(\t\x12\x0b\n\x03url\x18\x0b \x01(\t\x12\x0f\n\x07version\x18\x0c 
\x01(\x02\x12!\n\x0c\x64\x65pendencies\x18\r \x03(\x0b\x32\x0b.Dependency\x12\x18\n\x07plugins\x18\x0e \x03(\x0b\x32\x07.Plugin"Q\n\nDependency\x12\x0f\n\x07groupId\x18\x01 \x01(\t\x12\x12\n\nartifactId\x18\x02 \x01(\t\x12\x0f\n\x07version\x18\x03 \x01(\t\x12\r\n\x05scope\x18\x04 \x01(\t">\n\x06Plugin\x12\x0f\n\x07groupId\x18\x01 \x01(\t\x12\x12\n\nartifactId\x18\x02 \x01(\t\x12\x0f\n\x07version\x18\x03 \x01(\x02\x62\x06proto3' +) _globals = globals() _builder.BuildMessageAndEnumDescriptors(DESCRIPTOR, _globals) -_builder.BuildTopDescriptorsAndMessages(DESCRIPTOR, 'pom_xml_pb2', _globals) +_builder.BuildTopDescriptorsAndMessages(DESCRIPTOR, "pom_xml_pb2", _globals) if not _descriptor._USE_C_DESCRIPTORS: - DESCRIPTOR._loaded_options = None - _globals['_POMXMLPROJECT']._serialized_start=18 - _globals['_POMXMLPROJECT']._serialized_end=326 - _globals['_DEPENDENCY']._serialized_start=328 - _globals['_DEPENDENCY']._serialized_end=409 - _globals['_PLUGIN']._serialized_start=411 - _globals['_PLUGIN']._serialized_end=473 + DESCRIPTOR._loaded_options = None + _globals["_POMXMLPROJECT"]._serialized_start = 18 + _globals["_POMXMLPROJECT"]._serialized_end = 326 + _globals["_DEPENDENCY"]._serialized_start = 328 + _globals["_DEPENDENCY"]._serialized_end = 409 + _globals["_PLUGIN"]._serialized_start = 411 + _globals["_PLUGIN"]._serialized_end = 473 # @@protoc_insertion_point(module_scope) diff --git a/fuzz/generated/pubspec_lock_pb2.py b/fuzz/generated/pubspec_lock_pb2.py index 966f21723b..bc75d7ab1d 100644 --- a/fuzz/generated/pubspec_lock_pb2.py +++ b/fuzz/generated/pubspec_lock_pb2.py 
@@ -9,34 +9,30 @@ from google.protobuf import runtime_version as _runtime_version from google.protobuf import symbol_database as _symbol_database from google.protobuf.internal import builder as _builder + _runtime_version.ValidateProtobufRuntimeVersion( - _runtime_version.Domain.PUBLIC, - 5, - 29, - 3, - '', - 'pubspec_lock.proto' + _runtime_version.Domain.PUBLIC, 5, 29, 3, "", "pubspec_lock.proto" ) # @@protoc_insertion_point(imports) _sym_db = _symbol_database.Default() - - -DESCRIPTOR = _descriptor_pool.Default().AddSerializedFile(b'\n\x12pubspec_lock.proto\x12\x07pubspec\"b\n\x07Package\x12\x0c\n\x04name\x18\x01 \x01(\t\x12\x0f\n\x07version\x18\x02 \x01(\t\x12\x0b\n\x03url\x18\x03 \x01(\t\x12+\n\ndependency\x18\x04 \x01(\x0e\x32\x17.pubspec.DependencyType\".\n\rSdkConstraint\x12\x0c\n\x04\x64\x61rt\x18\x01 \x01(\t\x12\x0f\n\x07\x66lutter\x18\x02 \x01(\t\"W\n\x0bPubspecLock\x12\"\n\x08packages\x18\x01 \x03(\x0b\x32\x10.pubspec.Package\x12$\n\x04sdks\x18\x02 \x01(\x0b\x32\x16.pubspec.SdkConstraint*>\n\x0e\x44\x65pendencyType\x12\x0b\n\x07UNKNOWN\x10\x00\x12\x0f\n\x0b\x44IRECT_MAIN\x10\x01\x12\x0e\n\nTRANSITIVE\x10\x02\x62\x06proto3') +DESCRIPTOR = _descriptor_pool.Default().AddSerializedFile( + b'\n\x12pubspec_lock.proto\x12\x07pubspec"b\n\x07Package\x12\x0c\n\x04name\x18\x01 \x01(\t\x12\x0f\n\x07version\x18\x02 \x01(\t\x12\x0b\n\x03url\x18\x03 \x01(\t\x12+\n\ndependency\x18\x04 \x01(\x0e\x32\x17.pubspec.DependencyType".\n\rSdkConstraint\x12\x0c\n\x04\x64\x61rt\x18\x01 \x01(\t\x12\x0f\n\x07\x66lutter\x18\x02 \x01(\t"W\n\x0bPubspecLock\x12"\n\x08packages\x18\x01 \x03(\x0b\x32\x10.pubspec.Package\x12$\n\x04sdks\x18\x02 \x01(\x0b\x32\x16.pubspec.SdkConstraint*>\n\x0e\x44\x65pendencyType\x12\x0b\n\x07UNKNOWN\x10\x00\x12\x0f\n\x0b\x44IRECT_MAIN\x10\x01\x12\x0e\n\nTRANSITIVE\x10\x02\x62\x06proto3' +) _globals = globals() _builder.BuildMessageAndEnumDescriptors(DESCRIPTOR, _globals) -_builder.BuildTopDescriptorsAndMessages(DESCRIPTOR, 'pubspec_lock_pb2', _globals) 
+_builder.BuildTopDescriptorsAndMessages(DESCRIPTOR, "pubspec_lock_pb2", _globals) if not _descriptor._USE_C_DESCRIPTORS: - DESCRIPTOR._loaded_options = None - _globals['_DEPENDENCYTYPE']._serialized_start=268 - _globals['_DEPENDENCYTYPE']._serialized_end=330 - _globals['_PACKAGE']._serialized_start=31 - _globals['_PACKAGE']._serialized_end=129 - _globals['_SDKCONSTRAINT']._serialized_start=131 - _globals['_SDKCONSTRAINT']._serialized_end=177 - _globals['_PUBSPECLOCK']._serialized_start=179 - _globals['_PUBSPECLOCK']._serialized_end=266 + DESCRIPTOR._loaded_options = None + _globals["_DEPENDENCYTYPE"]._serialized_start = 268 + _globals["_DEPENDENCYTYPE"]._serialized_end = 330 + _globals["_PACKAGE"]._serialized_start = 31 + _globals["_PACKAGE"]._serialized_end = 129 + _globals["_SDKCONSTRAINT"]._serialized_start = 131 + _globals["_SDKCONSTRAINT"]._serialized_end = 177 + _globals["_PUBSPECLOCK"]._serialized_start = 179 + _globals["_PUBSPECLOCK"]._serialized_end = 266 # @@protoc_insertion_point(module_scope) diff --git a/test/test_executable.py b/test/test_executable.py index 22c07b11f4..8477b60f94 100644 --- a/test/test_executable.py +++ b/test/test_executable.py 
@@ -35,11 +35,11 @@ def _check_test(self, type):
 the given string is in the parsed result"""
 file_signatures = {
 "elf": (b"\x7f\x45\x4c\x46\x02\x01\x01\x03\n", True, ".out"),
- "mach_o_32": (b"\xFE\xED\xFA\xCE\x00\x00\x00\x00", True, ".out"),
- "mach_o_64": (b"\xFE\xED\xFA\xCF\x00\x00\x00\x00", True, ".out"),
- "mach_o_universal": (b"\xCA\xFE\xBA\xBE\x00\x00\x00\x00", True, ".out"),
- "ios_arm": (b"\xCF\xFA\xED\xFE\x00\x00\x00\x00", True, ".out"),
- "wasm": (b"yoyo\x00\x61\x73\x6D\x01\x00\x00\x00", True, ".out"),
+ "mach_o_32": (b"\xfe\xed\xfa\xce\x00\x00\x00\x00", True, ".out"),
+ "mach_o_64": (b"\xfe\xed\xfa\xcf\x00\x00\x00\x00", True, ".out"),
+ "mach_o_universal": (b"\xca\xfe\xba\xbe\x00\x00\x00\x00", True, ".out"),
+ "ios_arm": (b"\xcf\xfa\xed\xfe\x00\x00\x00\x00", True, ".out"),
+ "wasm": (b"yoyo\x00\x61\x73\x6d\x01\x00\x00\x00", True, ".out"),
 "c": (b"#include ", False, ".c"),
 "single_byte": (b"1", False, ".txt"),
 "windows": (b"MZ\x90\x00", True, ".dll"),
diff --git a/test/test_extractor.py b/test/test_extractor.py
index ebe834555c..8b72cf791f 100644
--- a/test/test_extractor.py
+++ b/test/test_extractor.py
@@ -1,7 +1,7 @@
 # Copyright (C) 2022 Intel Corporation
 # SPDX-License-Identifier: GPL-3.0-or-later
-""" CVE Binary Tool tests for the extractor function """
+"""CVE Binary Tool tests for the extractor function"""
 from __future__ import annotations
 import shutil
diff --git a/test/test_file.py b/test/test_file.py
index 1b54611070..931e09467e 100644
--- a/test/test_file.py
+++ b/test/test_file.py
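Review bot: The `wasm` entry on the new side keeps a `yoyo` prefix ahead of the `\x00asm` magic, whereas the otherwise identical fixture table in test/test_file.py (the next file in this commit) starts the bytes at the magic; if executable detection is meant to require the magic at offset 0, this entry expects `True` for content that does not begin with it. The hunk itself only lowercases the hex escapes, so the mismatch is pre-existing, but it is worth either aligning the two tables or recording the intent on that line with a comment such as `# leading bytes are deliberate — TODO confirm detection is meant to tolerate a non-zero magic offset`. `_check_test` begins before this hunk.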
@@ -32,11 +32,11 @@ async def _check_test(self, type):
 the given string is in the parsed result"""
 file_signatures = {
 "elf": (b"\x7f\x45\x4c\x46\x02\x01\x01\x03\n", True, ".out"),
- "mach_o_32": (b"\xFE\xED\xFA\xCE\x00\x00\x00\x00", True, ".out"),
- "mach_o_64": (b"\xFE\xED\xFA\xCF\x00\x00\x00\x00", True, ".out"),
- "mach_o_universal": (b"\xCA\xFE\xBA\xBE\x00\x00\x00\x00", True, ".out"),
- "ios_arm": (b"\xCF\xFA\xED\xFE\x00\x00\x00\x00", True, ".out"),
- "wasm": (b"\x00\x61\x73\x6D\x01\x00\x00\x00", True, ".out"),
+ "mach_o_32": (b"\xfe\xed\xfa\xce\x00\x00\x00\x00", True, ".out"),
+ "mach_o_64": (b"\xfe\xed\xfa\xcf\x00\x00\x00\x00", True, ".out"),
+ "mach_o_universal": (b"\xca\xfe\xba\xbe\x00\x00\x00\x00", True, ".out"),
+ "ios_arm": (b"\xcf\xfa\xed\xfe\x00\x00\x00\x00", True, ".out"),
+ "wasm": (b"\x00\x61\x73\x6d\x01\x00\x00\x00", True, ".out"),
 "c": (b"#include ", False, ".c"),
 "single_byte": (b"1", False, ".txt"),
 "windows": (b"MZ", True, ".txt"),
diff --git a/test/test_javascript.py b/test/test_javascript.py
index f0b353a364..125a3a98f6 100644
--- a/test/test_javascript.py
+++ b/test/test_javascript.py
@@ -4,6 +4,7 @@
 import json
 from cve_bin_tool.parsers.javascript import JavascriptParser
+from cve_bin_tool.util import ProductInfo, ScanInfo
 # Dummy logger to suppress debug output
@@ -18,13 +19,21 @@ def __init__(self):
 super().__init__(cve_db=None, logger=DummyLogger())
 def get_vendor(self, purl, product, version):
- return ["vendor_dummy"]
+ return [ScanInfo(ProductInfo("UNKNOWN", product, version, purl), " ")]
 def find_vendor_from_purl(self, purl, version):
- return (["vendor_yarn"], True)
+ return ([ScanInfo(ProductInfo("UNKNOWN", purl.name, version, purl), " ")], True)
 def find_vendor(self, product, version):
- return ["vendor_yarn_alt"]
+ return [ScanInfo(ProductInfo("UNKNOWN", product, version), " ")]
+
+ def run_checker(self, filename):
+ # Override run_checker to bypass no_scan mode check
+ if filename.endswith("package-lock.json"):
+ return self.process_package_lock(filename)
+ elif filename.endswith("yarn.lock"):
+ return self.process_yarn_lock(filename)
+ return []
 # Test for package-lock.json branch with lockfileVersion>=2
@@ -46,7 +55,11 @@ def test_process_package_lock_lockfile_v2(tmp_path):
 # - package "" -> yields vendor_dummy
 # - its require "dep1" yields vendor_dummy (skip if version=="*")
 # - package "node_modules/dep3" yields vendor_dummy
- expected = ["vendor_dummy", "vendor_dummy", "vendor_dummy"]
+ expected = [
+ ScanInfo(ProductInfo("UNKNOWN", "", "1.0.0", None), " "),
+ ScanInfo(ProductInfo("UNKNOWN", "dep1", "1.2.3", None), " "),
+ ScanInfo(ProductInfo("UNKNOWN", "dep3", "2.3.4", None), " "),
+ ]
 assert results == expected
@@ -63,5 +76,8 @@ def test_process_yarn_lock(tmp_path):
 parser = DummyJavascriptParser()
 results = list(parser.run_checker(str(file_path)))
 # Two matches yield vendor from find_vendor_from_purl for each
- expected = ["vendor_yarn", "vendor_yarn"]
+ expected = [
+ ScanInfo(ProductInfo("UNKNOWN", "somepackage", "1.0.0", None), " "),
+ ScanInfo(ProductInfo("UNKNOWN", "anotherpkg", "2.0.0", None), " "),
+ ]
 assert results == expected
diff --git a/test/test_json.py b/test/test_json.py
index 7ab1225314..8f5f48c1fb 100644
--- a/test/test_json.py
+++ b/test/test_json.py
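Review bot: The added `run_checker` override in the dummy parser means both tests now go through the stub's own file-name dispatch rather than the production `JavascriptParser.run_checker`, so a regression in the real method (including the no_scan handling the comment mentions) would not be caught here; either a test that drives the real `run_checker` with scanning enabled, or a comment on the class stating that only `process_package_lock` and `process_yarn_lock` are under test, would make that explicit. The expected values in the two later hunks pass `None` as the purl while the `get_vendor` and `find_vendor_from_purl` stubs forward whatever purl the parser supplies, so the assertions hold only if the parser passes `None` there or `ProductInfo` equality ignores purl — worth confirming, since a change in either would fail these tests for an unrelated reason. The stub's `find_vendor_from_purl` also dereferences `purl.name`, which presumes the parser always hands it a parsed purl object rather than a string. The enclosing dummy class starts before the first hunk.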
@@ -1,7 +1,7 @@ # Copyright (C) 2021 Intel Corporation # SPDX-License-Identifier: GPL-3.0-or-later -""" Validates the NIST data feed +"""Validates the NIST data feed 1. Against their schema. This uses the schemas mentioned here: https://nvd.nist.gov/vuln/Data-Feeds/JSON-feed-changelog 2. Against the provided metadata, including the sha256sum