From 8d0faa93e965320a0df4bcd3316a3019326b755a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 16 Apr 2024 09:07:58 -0700 Subject: [PATCH 1/3] chore(deps): bump github/codeql-action from 3.24.10 to 3.25.0 (#4034) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.24.10 to 3.25.0. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/4355270be187e1b672a7a1c7c7bae5afdc1ab94a...df5a14dc28094dc936e103b37d749c6628682b60) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql-analysis.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index ac89652f12..ce48f1aeb4 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -51,7 +51,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10 + uses: github/codeql-action/init@df5a14dc28094dc936e103b37d749c6628682b60 # v3.25.0 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -76,4 +76,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10 + uses: github/codeql-action/analyze@df5a14dc28094dc936e103b37d749c6628682b60 # v3.25.0 From fcf0555ac42b3be42bf7f202f2ce519d0603e802 Mon Sep 17 00:00:00 2001 
From: Joydeep Tripathy <113792434+joydeep049@users.noreply.github.com> Date: Tue, 16 Apr 2024 21:58:47 +0530 Subject: [PATCH 2/3] feat: added PURL generation to PhpParser (#4016) Co-authored-by: Joydeep Tripathy <113792434+crazytrain328@users.noreply.github.com> --- cve_bin_tool/parsers/php.py | 34 +++++++++++++++++++++++++++++++--- 1 file changed, 31 insertions(+), 3 deletions(-) diff --git a/cve_bin_tool/parsers/php.py b/cve_bin_tool/parsers/php.py index 487d2d4390..4174d9971e 100644 --- a/cve_bin_tool/parsers/php.py +++ b/cve_bin_tool/parsers/php.py @@ -1,17 +1,45 @@ -# Copyright (C) 2022 Intel Corporation +# Copyright (C) 2024 Intel Corporation # SPDX-License-Identifier: GPL-3.0-or-later - +"""Python script containing all functionalities related to parsing of php's composer.lock files.""" import json +import re from cve_bin_tool.parsers import Parser class PhpParser(Parser): + """ + Parser for Php Composer.lock files. + This parser is designed to parse Php Composer.lock and + generate PURLs (Package URLs) for the listed packages. + """ + def __init__(self, cve_db, logger): + """Initialize the PhpParser.""" super().__init__(cve_db, logger) + self.purl_pkg_type = "composer" + + def generate_purl(self, product, version, vendor, qualifier={}, subpath=None): + """Generates PURL after normalizing all components.""" + vendor = re.sub(r"[^a-zA-Z0-9._-]", "", vendor).lower() + product = re.sub(r"[^a-zA-Z0-9._-]", "", product).lower() + version = re.sub(r"[^a-zA-Z0-9.+-]", "", version) + + if not vendor or not product or not version: + return None + + purl = super().generate_purl( + product, + version, + vendor, + qualifier, + subpath, + ) + + return purl def run_checker(self, filename): - """Process package.lock file and extract product and dependency details""" + """Process composer.lock file and extract product and dependency details""" self.filename = filename with open(self.filename) as fh: data = json.load(fh) 
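Review bot: `def generate_purl(self, product, version, vendor, qualifier={}, subpath=None)` uses a mutable dict as the default for `qualifier` and forwards it to `super().generate_purl`, so every call that omits the argument shares one dict and any mutation by the base class (not visible in this hunk) would leak between packages. Use `qualifier=None` in the signature and `qualifier = {} if qualifier is None else qualifier` before the `super()` call. The `return None` taken when a component normalizes to an empty string silently drops that package from the scan; emitting a debug message through the logger handed to `__init__` with the raw product and vendor would make a name stripped to nothing visible instead of surfacing as a missing CVE match. The new module docstring also calls this a "Python script" although it is an importable parser module; `"""Parser for PHP composer.lock files (cve_bin_tool.parsers.php)."""` describes it accurately.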
From e37cc39f57cbb01310725279f242ecb03f888c71 Mon Sep 17 00:00:00 2001 From: Meet Soni <92802561+inosmeet@users.noreply.github.com> Date: Tue, 16 Apr 2024 23:02:28 +0530 Subject: [PATCH 3/3] feat: added PURL generation for r parser (#4035) Signed-off-by: Meet Soni --- cve_bin_tool/parsers/r.py | 43 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/cve_bin_tool/parsers/r.py b/cve_bin_tool/parsers/r.py index b75abca067..32973a0889 100644 --- a/cve_bin_tool/parsers/r.py +++ b/cve_bin_tool/parsers/r.py 
@@ -2,15 +2,58 @@ # SPDX-License-Identifier: GPL-3.0-or-later import json +import re from cve_bin_tool.parsers import Parser class RParser(Parser): + """ + Parser implementation for R module files (renv.lock). + + This parser is designed to parse Go module files and generate Package URL (PURL) strings + based on the modules and their dependencies listed in the file. + + Attributes: + cve_db (CVEDB): The CVE database instance used for vulnerability information. + logger (Logger): The logger instance for logging messages and debugging information. + + Methods: + generate_purl(product, version, vendor): + Generates PURL after normalizing all components. + run_checker(filename): + Parse the R module file and yield valid PURLs for the modules listed in the file. + + """ + def __init__(self, cve_db, logger): super().__init__(cve_db, logger) + self.purl_pkg_type = "cran" + + def generate_purl(self, product, version, vendor, qualifier={}, subpath=None): + """Generates PURL after normalizing all components.""" + + product = re.sub(r"[^a-zA-Z0-9.-]", "", product) + version = re.sub(r"^[^a-zA-Z0-9]|[^a-zA-Z0-9.-]", "", version) + vendor = "UNKNOWN" + + if not re.match(r"^[a-zA-Z0-9_-]", product): + return + if version == "": + version = "UNKNOWN" + + purl = super().generate_purl( + product, + version, + vendor, + qualifier, + subpath, + ) + + return purl def run_checker(self, filename): + """Parse the file and yield valid PURLs.""" self.filename = filename with open(self.filename) as fh: # parse the json structure for extracting product version pairs
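Review bot: The class docstring says this parser "is designed to parse Go module files" while its own summary line and the code handle R renv.lock files; the sentence should read `This parser is designed to parse R renv.lock files and generate Package URL (PURL) strings`. In `generate_purl` the guard `if not re.match(r"^[a-zA-Z0-9_-]", product): return` lists `_`, but the preceding `re.sub(r"[^a-zA-Z0-9.-]", "", product)` has already removed every underscore, so that alternative can never match and the guard only rejects an empty product or one starting with `.`; drop `_` from the match class (or add it to the sub class) so the intent is explicit, and return `None` explicitly to match the PHP parser. `qualifier={}` is a shared mutable default that is passed through to `super().generate_purl`; prefer `qualifier=None` with `qualifier = {} if qualifier is None else qualifier` before the call. The `vendor` argument is silently overwritten with `"UNKNOWN"`, which deserves a comment such as `# vendor is not used for cran PURLs; the caller's value is discarded` so readers do not expect it to be honoured.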