
fix: spdx sbom cpe bug #4733

Open
wants to merge 2 commits into main

Conversation

AryanBakliwal
Contributor

fixes: #4700

Changed the order of decoding at parse.py#L382

Output

╭─────────────╮
│ CPE SUMMARY │
╰─────────────╯
┏━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┓
┃        ┃          ┃         ┃ Latest       ┃              ┃              ┃              ┃              ┃              ┃              ┃
┃        ┃          ┃         ┃ Upstream     ┃              ┃              ┃              ┃              ┃              ┃              ┃
┃        ┃          ┃         ┃ Stable       ┃ CRITICAL     ┃ HIGH CVEs    ┃ MEDIUM CVEs  ┃ LOW CVEs     ┃ UNKNOWN CVEs ┃ TOTAL CVEs   ┃
┃ Vendor ┃ Product  ┃ Version ┃ Version      ┃ CVEs Count   ┃ Count        ┃ Count        ┃ Count        ┃ Count        ┃ Count        ┃
┡━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━┩
│ arm    │ mbed_tls │ 3.6.0   │ 3.6.2        │ 1            │ 0            │ 1            │ 0            │ 0            │ 2            │
└────────┴──────────┴─────────┴──────────────┴──────────────┴──────────────┴──────────────┴──────────────┴──────────────┴──────────────┘
╭─────────────────╮
│  NewFound CVEs  │
╰─────────────────╯
┏━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━┓
┃ Vendor ┃ Product  ┃ Version ┃ CVE Number     ┃ Source ┃ Severity ┃ Score (CVSS Version) ┃
┡━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━┩
│ arm    │ mbed_tls │ 3.6.0   │ CVE-2024-45157 │ NVD    │ MEDIUM   │ 5.1 (v3)             │
│ arm    │ mbed_tls │ 3.6.0   │ CVE-2024-45159 │ NVD    │ CRITICAL │ 9.8 (v3)             │
└────────┴──────────┴─────────┴────────────────┴────────┴──────────┴──────────────────────┘
┏━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━┳━━━━━━┳━━━━━━━━━━┓
┃ Vendor ┃ Product  ┃ Version ┃ Root ┃ Filename ┃
┡━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━╇━━━━━━╇━━━━━━━━━━┩
│ arm    │ mbed_tls │ 3.6.0   │      │          │
└────────┴──────────┴─────────┴──────┴──────────┘
╭───────────────────────────────────────────────╮
│  Products with No Identified Vulnerabilities  │
╰───────────────────────────────────────────────╯
┏━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━┓
┃ Vendor ┃ Product ┃ Version ┃
┡━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━┩
└────────┴─────────┴─────────┘

@AryanBakliwal
Contributor Author

@terriko @anthonyharrison PTAL and let me know what you think

terriko
Contributor

terriko left a comment


This would resolve that bug, but I think @anthonyharrison is correct that it may introduce some not-so-great side effects.

Right now, I'd like us to change things so we return ALL references rather than having a preference order at all. (I know, @anthonyharrison is asserting that we could just prefer purl, but obviously that's what we were doing and it wasn't working as people expected either.)

So you'd need to get rid of the elifs and set this up to return a potential list of tuples, and possibly change anywhere that parse_ext_ref is called to handle a list instead of a single tuple.
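To make the two approaches under discussion concrete, here is an added, self-contained example. It is not cve-bin-tool's code: the `(category, reference type, locator)` tuple shape for SPDX external references, the function names, the "UNKNOWN" vendor placeholder and the sample package are all constructed for this illustration. `parse_ext_ref_first` reproduces the preference-order behaviour that the linked issue complains about (a purl listed before a CPE wins and yields an unknown vendor), and `parse_ext_ref_all` returns every decodable reference as a list of tuples so the caller can decide how to combine them.

```python
"""Decode SPDX external references into (vendor, product, version) tuples.

Added example, not cve-bin-tool's implementation. Shows why returning every
reference (a list) is more robust than stopping at the first one that a
preference order happens to match.
"""
from typing import List, Optional, Tuple

Ref = Tuple[str, str, str]  # (vendor, product, version)

# Constructed SPDX-style external references for one package.  The tuple
# shape (category, reference type, locator) is an assumption of this example.
SAMPLE_EXT_REFS = [
    ("PACKAGE-MANAGER", "purl", "pkg:generic/mbedtls@3.6.0"),
    ("SECURITY", "cpe23Type", "cpe:2.3:a:arm:mbed_tls:3.6.0:*:*:*:*:*:*:*"),
]


def decode_cpe23(cpe: str) -> Optional[Ref]:
    """cpe:2.3:part:vendor:product:version:... -> (vendor, product, version)."""
    parts = cpe.split(":")
    if len(parts) < 6 or parts[0] != "cpe" or parts[1] != "2.3":
        return None
    return (parts[3], parts[4], parts[5])


def decode_purl(purl: str) -> Optional[Ref]:
    """pkg:type/namespace/name@version -> (vendor, product, version).

    A purl has no vendor field.  This example uses the namespace when one is
    present and the placeholder "UNKNOWN" otherwise; that convention is
    constructed here and is not necessarily what the tool does.
    """
    if not purl.startswith("pkg:"):
        return None
    body = purl[len("pkg:"):].split("?", 1)[0].split("#", 1)[0]
    path, _, version = body.partition("@")
    segments = path.split("/")
    if len(segments) < 2 or not version:
        return None
    name = segments[-1]
    vendor = segments[1] if len(segments) > 2 else "UNKNOWN"
    return (vendor, name, version)


DECODERS = {"purl": decode_purl, "cpe23Type": decode_cpe23}


def parse_ext_ref_first(ext_refs) -> Optional[Ref]:
    """Preference-order variant: the first decodable reference wins.

    With a purl listed ahead of a CPE this returns an UNKNOWN vendor even
    though the CPE on the same package names it.
    """
    for _category, ref_type, locator in ext_refs:
        decoder = DECODERS.get(ref_type)
        if decoder is None:
            continue
        decoded = decoder(locator)
        if decoded is not None:
            return decoded
    return None


def parse_ext_ref_all(ext_refs) -> List[Ref]:
    """Return every decodable reference, deduplicated, in SBOM order."""
    found: List[Ref] = []
    for _category, ref_type, locator in ext_refs:
        decoder = DECODERS.get(ref_type)
        if decoder is None:
            continue
        decoded = decoder(locator)
        if decoded is not None and decoded not in found:
            found.append(decoded)
    return found


def best_identity(refs: List[Ref]) -> Optional[Ref]:
    """Caller-side policy once a list is available: prefer a reference whose
    vendor is known, otherwise fall back to the first one."""
    for ref in refs:
        if ref[0] != "UNKNOWN":
            return ref
    return refs[0] if refs else None


if __name__ == "__main__":
    print("first:", parse_ext_ref_first(SAMPLE_EXT_REFS))
    print("all:  ", parse_ext_ref_all(SAMPLE_EXT_REFS))
    print("best: ", best_identity(parse_ext_ref_all(SAMPLE_EXT_REFS)))
```

The list-returning variant moves the policy decision out of the parser: a scanner can match CVEs against every identity the SBOM supplies, or apply a rule such as `best_identity` at the call site, instead of silently dropping the CPE because a purl came first.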

Successfully merging this pull request may close these issues.

fix: PURL to CPE conversion results in "UNKOWN" vendor when CPE is given