From b351849e14e805e87531bfc6f913cce41e400460 Mon Sep 17 00:00:00 2001
From: anthonyharrison
Date: Tue, 11 Jul 2023 21:47:36 +0100
Subject: [PATCH 1/3] fix: Update SPDX Version handling (#3137)
---
 cve_bin_tool/sbom_manager/spdx_parser.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/cve_bin_tool/sbom_manager/spdx_parser.py b/cve_bin_tool/sbom_manager/spdx_parser.py
index 6921ea6492..4ef399991a 100644
--- a/cve_bin_tool/sbom_manager/spdx_parser.py
+++ b/cve_bin_tool/sbom_manager/spdx_parser.py
@@ -45,7 +45,8 @@ def parse_spdx_tag(self, sbom_file: str) -> list[list[str]]:
 package = line_elements[1].strip().rstrip("\n")
 version = None
 if line_elements[0] == "PackageVersion":
- version = line_elements[1].strip().rstrip("\n")
+ # Version may contain :
+ version = line[16:].strip().rstrip("\n")
 version = version.split("-")[0]
 version = version.split("+")[0]
 modules.append([package, version])
From 58a10fd95eb963a6f30b0701215238cc05558ae2 Mon Sep 17 00:00:00 2001
From: SukhveerS <78963782+Rexbeast2@users.noreply.github.com>
Date: Wed, 12 Jul 2023 23:49:31 +0530
Subject: [PATCH 2/3] fix: refactor insert queries (#3145)
* fixes: #3144
---
 cve_bin_tool/cvedb.py | 141 +++++++++++++++++++-----------------------
 1 file changed, 64 insertions(+), 77 deletions(-)
diff --git a/cve_bin_tool/cvedb.py b/cve_bin_tool/cvedb.py
index 1d5b75b557..882091ac43 100644
--- a/cve_bin_tool/cvedb.py
+++ b/cve_bin_tool/cvedb.py
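Review bot: The new `line[16:]` slice hard-codes the width of a `PackageVersion: ` prefix, so a tag written with no space or with extra whitespace after the colon yields a shifted or truncated version string, and because that string feeds CVE matching the result is a silently wrong vulnerability report rather than a parse error. Splitting on the first colon keeps the intent of the comment without the magic number: `version = line.split(":", 1)[1].strip().rstrip("\n")`. The comment would also be clearer as `# The version itself may contain ':', so do not reuse the colon-split line_elements`. parse_spdx_tag starts and ends outside the hunk, and how `line_elements` is derived is not visible here, so the exact prefix width is inferred.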
@@ -59,6 +59,60 @@ class CVEDB: gad_source.GAD_Source, ] + INSERT_QUERIES = { + "insert_severity": """ + INSERT or REPLACE INTO cve_severity( + CVE_number, + severity, + description, + score, + cvss_version, + cvss_vector, + data_source, + last_modified + ) + VALUES (?, ?, ?, ?, ?, ?, ?, ?) + """, + "insert_cve_range": """ + INSERT or REPLACE INTO cve_range( + cve_number, + vendor, + product, + version, + versionStartIncluding, + versionStartExcluding, + versionEndIncluding, + versionEndExcluding, + data_source + ) + VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?) + """, + "insert_exploit": """ + INSERT or REPLACE INTO cve_exploited ( + cve_number, + product, + description + ) + VALUES (?,?,?) + """, + "insert_cve_metrics": """ + INSERT or REPLACE INTO cve_metrics ( + cve_number, + metric_id, + metric_score, + metric_field + ) + VALUES (?, ?, ?, ?) + """, + "insert_metrics": """ + INSERT or REPLACE INTO metrics ( + metrics_id, + metrics_name + ) + VALUES (?, ?) + """, + } + def __init__( self, sources=None, 
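Review bot: `INSERT_QUERIES` is a plain dict on the class, so it is shared by every CVEDB instance and writable through any of them, which is at odds with its use as a constant. Wrapping it in `types.MappingProxyType({...})` from the stdlib, or at least annotating it `INSERT_QUERIES: ClassVar[dict[str, str]]`, makes the read-only intent explicit; whether `types` or `typing` is already imported in cvedb.py is not visible in the hunk. A short comment above the dict would also help a reader, e.g. `# Parameterised INSERT statements keyed by name; every value goes through a ? placeholder, never into the SQL text`. The statements themselves are parameterised throughout, which is the right shape for this code.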
@@ -316,66 +370,6 @@ def table_schemas(self): metrics_table, ) - def insert_queries(self): - cve_severity = """ - cve_severity( - CVE_number, - severity, - description, - score, - cvss_version, - cvss_vector, - data_source, - last_modified - ) - VALUES (?, ?, ?, ?, ?, ?, ?, ?) - """ - insert_severity = f"INSERT or REPLACE INTO {cve_severity}" - insert_cve_range = """ - INSERT or REPLACE INTO cve_range( - cve_number, - vendor, - product, - version, - versionStartIncluding, - versionStartExcluding, - versionEndIncluding, - versionEndExcluding, - data_source - ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?) - """ - insert_exploit = """ - INSERT or REPLACE INTO cve_exploited ( - cve_number, - product, - description - ) - VALUES (?,?,?) - """ - insert_cve_metrics = """ - INSERT or REPLACE INTO cve_metrics ( - cve_number, - metric_id, - metric_score, - metric_field - ) - VALUES (?, ?, ?, ?) - """ - insert_metrics = """ - INSERT or REPLACE INTO metrics ( - metrics_id, - metrics_name - ) - VALUES (?, ?) - """ - return ( - insert_severity, - insert_cve_range, - insert_exploit, - insert_cve_metrics, - insert_metrics, - ) - def init_database(self) -> None: """Initialize db tables used for storing cve/version data""" @@ -492,7 +486,7 @@ def populate_db(self) -> None: self.db_close() def populate_severity(self, severity_data, cursor, data_source): - (insert_severity, _, _, _, _) = self.insert_queries() + insert_severity = self.INSERT_QUERIES["insert_severity"] del_cve_range = "DELETE from cve_range where CVE_number=?" for cve in severity_data: @@ -535,7 +529,7 @@ def populate_severity(self, severity_data, cursor, data_source): cursor.executemany(del_cve_range, [(cve["ID"],) for cve in severity_data]) def populate_affected(self, affected_data, cursor, data_source): - (_, insert_cve_range, _, _, _) = self.insert_queries() + insert_cve_range = self.INSERT_QUERIES["insert_cve_range"] try: cursor.executemany( insert_cve_range, 
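Review bot: Deleting `insert_queries()` outright removes a public method of CVEDB, so any caller outside this file (a plugin or test) would now fail with AttributeError at call time rather than at import; whether such callers exist is not visible from the patch. If it cannot be ruled out, a one-line shim that preserves the old tuple order keeps them working: `def insert_queries(self): return tuple(self.INSERT_QUERIES.values())`, which is valid because `INSERT_QUERIES` is declared in the same order the tuple used (severity, cve_range, exploit, cve_metrics, metrics). The populate_severity and populate_affected hunks below are straightforward lookups; populate_affected's body continues past the hunk.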
@@ -560,7 +554,7 @@ def populate_affected(self, affected_data, cursor, data_source): def populate_metrics(self): cursor = self.db_open_and_get_cursor() # Insert a row without specifying cve_metrics_id - (_, _, _, _, insert_metrics) = self.insert_queries() + insert_metrics = self.INSERT_QUERIES["insert_metrics"] data = [ (1, "EPSS"), (2, "CVSS-2"), @@ -762,14 +756,14 @@ def create_exploit_db(self): self.db_close() def populate_exploit_db(self, exploits): - (_, _, insert_exploit, _, _) = self.insert_queries() + insert_exploit = self.INSERT_QUERIES["insert_exploit"] cursor = self.db_open_and_get_cursor() cursor.executemany(insert_exploit, exploits) self.connection.commit() self.db_close() def store_epss_data(self): - (_, _, _, insert_cve_metrics, _) = self.insert_queries() + insert_cve_metrics = self.INSERT_QUERIES["insert_cve_metrics"] cursor = self.db_open_and_get_cursor() cursor.executemany(insert_cve_metrics, self.epss_data) self.connection.commit() @@ -923,13 +917,6 @@ def db_to_json(self, path, private_key, passphrase): shutil.rmtree(temp_gnupg_home) def json_to_db(self, cursor, db_column, json_data): - ( - insert_severity, - insert_cve_range, - insert_exploit, - insert_cve_metrics, - insert_metrics, - ) = self.insert_queries() columns = [] for data in json_data: column = list(data.keys()) 
@@ -945,15 +932,15 @@ def json_to_db(self, cursor, db_column, json_data): values.append(list(value)) if db_column == "cve_exploited": - cursor.executemany(insert_exploit, values) + cursor.executemany(self.INSERT_QUERIES["insert_exploit"], values) elif db_column == "cve_range": - cursor.executemany(insert_cve_range, values) + cursor.executemany(self.INSERT_QUERIES["insert_cve_range"], values) elif db_column == "cve_severity": - cursor.executemany(insert_severity, values) + cursor.executemany(self.INSERT_QUERIES["insert_severity"], values) elif db_column == "cve_metrics": - cursor.executemany(insert_cve_metrics, values) + cursor.executemany(self.INSERT_QUERIES["insert_cve_metrics"], values) elif db_column == "metrics": - cursor.executemany(insert_metrics, values) + cursor.executemany(self.INSERT_QUERIES["insert_metrics"], values) def json_to_db_wrapper(self, path, pubkey, ignore_signature, log_signature_error): try: From 810864561728f20955c5b17e4cedc02fdb7eb8af Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 12 Jul 2023 11:23:37 -0700 Subject: [PATCH 3/3] chore(deps): bump github/codeql-action from 2.20.2 to 2.20.3 (#3135) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.20.2 to 2.20.3. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/004c5de30b6423267685b897a3d595e944f7fed5...46ed16ded91731b2df79a2893d3aea8e9f03b5c4) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Terri Oda --- .github/workflows/codeql-analysis.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
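Review bot: The if/elif chain in json_to_db silently does nothing when `db_column` names a table with no branch, so an unexpected or mistyped table name in the imported JSON drops that table's rows without any signal; that matters here because json_to_db_wrapper appears to import from a file whose signature check can be bypassed via `ignore_signature`. Mapping table name to query key once and failing loudly on an unknown name turns the five branches into one lookup and makes the gap visible; whether any caller relies on the silent skip is not visible from the hunk, so log instead of raise if one does. `values` is built by the loop above the hunk, and json_to_db starts outside it.

```python
        # … unchanged: loop building columns / values from json_data …
        # Table name in the export -> key in INSERT_QUERIES
        table_to_query = {
            "cve_exploited": "insert_exploit",
            "cve_range": "insert_cve_range",
            "cve_severity": "insert_severity",
            "cve_metrics": "insert_cve_metrics",
            "metrics": "insert_metrics",
        }
        query_key = table_to_query.get(db_column)
        if query_key is None:
            raise ValueError(f"no insert query for table {db_column!r}")
        cursor.executemany(self.INSERT_QUERIES[query_key], values)
```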
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index b1c9ca7a49..64be0275ff 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -51,7 +51,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@004c5de30b6423267685b897a3d595e944f7fed5 # v2.20.2 + uses: github/codeql-action/init@46ed16ded91731b2df79a2893d3aea8e9f03b5c4 # v2.20.3 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -62,7 +62,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@004c5de30b6423267685b897a3d595e944f7fed5 # v2.20.2 + uses: github/codeql-action/autobuild@46ed16ded91731b2df79a2893d3aea8e9f03b5c4 # v2.20.3 # ℹī¸ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -76,4 +76,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@004c5de30b6423267685b897a3d595e944f7fed5 # v2.20.2 + uses: github/codeql-action/analyze@46ed16ded91731b2df79a2893d3aea8e9f03b5c4 # v2.20.3