Merge branch 'main' into dependabot/pip/black-24.4.0

intel · Apr 16, 2024 · 7bea207 · 7bea207
2 parents e624f7f + e37cc39
commit 7bea207
Show file tree

Hide file tree

Showing 3 changed files with 76 additions and 5 deletions.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -51,7 +51,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
+      uses: github/codeql-action/init@df5a14dc28094dc936e103b37d749c6628682b60 # v3.25.0
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -76,4 +76,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
+      uses: github/codeql-action/analyze@df5a14dc28094dc936e103b37d749c6628682b60 # v3.25.0
diff --git a/cve_bin_tool/parsers/php.py b/cve_bin_tool/parsers/php.py
@@ -1,17 +1,45 @@
-# Copyright (C) 2022 Intel Corporation
+# Copyright (C) 2024 Intel Corporation
 # SPDX-License-Identifier: GPL-3.0-or-later
-
+"""Python script containing all functionalities related to parsing of php's composer.lock files."""
 import json
+import re
 
 from cve_bin_tool.parsers import Parser
 
 
 class PhpParser(Parser):
+    """
+    Parser for Php Composer.lock files.
+    This parser is designed to parse Php Composer.lock and
+    generate PURLs (Package URLs) for the listed packages.
+    """
+
     def __init__(self, cve_db, logger):
+        """Initialize the PhpParser."""
         super().__init__(cve_db, logger)
+        self.purl_pkg_type = "composer"
+
+    def generate_purl(self, product, version, vendor, qualifier={}, subpath=None):
+        """Generates PURL after normalizing all components."""
+        vendor = re.sub(r"[^a-zA-Z0-9._-]", "", vendor).lower()
+        product = re.sub(r"[^a-zA-Z0-9._-]", "", product).lower()
+        version = re.sub(r"[^a-zA-Z0-9.+-]", "", version)
+
+        if not vendor or not product or not version:
+            return None
+
+        purl = super().generate_purl(
+            product,
+            version,
+            vendor,
+            qualifier,
+            subpath,
+        )
+
+        return purl
 
     def run_checker(self, filename):
-        """Process package.lock file and extract product and dependency details"""
+        """Process composer.lock file and extract product and dependency details"""
         self.filename = filename
         with open(self.filename) as fh:
             data = json.load(fh)

diff --git a/cve_bin_tool/parsers/r.py b/cve_bin_tool/parsers/r.py
@@ -2,15 +2,58 @@
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 import json
+import re
 
 from cve_bin_tool.parsers import Parser
 
 
 class RParser(Parser):
+    """
+    Parser implementation for R module files (renv.lock).
+
+    This parser is designed to parse Go module files and generate Package URL (PURL) strings
+    based on the modules and their dependencies listed in the file.
+
+    Attributes:
+        cve_db (CVEDB): The CVE database instance used for vulnerability information.
+        logger (Logger): The logger instance for logging messages and debugging information.
+
+    Methods:
+        generate_purl(product, version, vendor):
+            Generates PURL after normalizing all components.
+        run_checker(filename):
+            Parse the R module file and yield valid PURLs for the modules listed in the file.
+
+    """
+
     def __init__(self, cve_db, logger):
         super().__init__(cve_db, logger)
+        self.purl_pkg_type = "cran"
+
+    def generate_purl(self, product, version, vendor, qualifier={}, subpath=None):
+        """Generates PURL after normalizing all components."""
+
+        product = re.sub(r"[^a-zA-Z0-9.-]", "", product)
+        version = re.sub(r"^[^a-zA-Z0-9]|[^a-zA-Z0-9.-]", "", version)
+        vendor = "UNKNOWN"
+
+        if not re.match(r"^[a-zA-Z0-9_-]", product):
+            return
+        if version == "":
+            version = "UNKNOWN"
+
+        purl = super().generate_purl(
+            product,
+            version,
+            vendor,
+            qualifier,
+            subpath,
+        )
+
+        return purl
 
     def run_checker(self, filename):
+        """Parse the file and yield valid PURLs."""
         self.filename = filename
         with open(self.filename) as fh:
             # parse the json structure for extracting product version pairs