Closed
Description
HTML report generator fails due to unknown severity "HIGH-EXPLOIT"
To reproduce
Steps to reproduce the behaviour:
- Scan using this command:
cve-bin-tool -S critical -S high --detailed -l info --affected-versions --exploits mac_build/theapp.app -f json,html -o mac_build/vulnerability
Expected behaviour:
HTML report is generated correctly
Actual behaviour:
HTML report generation fails due to unexpected severity
Version/platform info
Version of CVE-bin-tool (e.g. output of cve-bin-tool --version): 3.3
Installed from pypi or github? pypi
Operating system: macOS
Python version (e.g. python3 --version): Python 3.10
Running in any particular CI environment we should know about? Gitlab
Anything else?
Relevant vulnerability.json snippet
{
"vendor": "webmproject",
"product": "libvpx",
"version": "1.11.0",
"cve_number": "CVE-2023-5217",
"severity": "HIGH-EXPLOIT",
"score": "8.8",
"source": "NVD",
"cvss_version": "3",
"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"paths": "[redacted]/MacOS/ffmpeg",
"remarks": "NewFound",
"comments": "",
"description": "Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)",
"affected_versions": "< 1.13.1"
},
cve-bin-tool callstack
INFO cve_bin_tool.OutputEngine - HTML report __init__.py:1029
stored at
/Users/gitlabrunner/builds/Ln3Astbb/0/git/l
uxion/mac_build/vulnerability.html
╭───────────────────── Traceback (most recent call last) ──────────────────────╮
│ /Users/gitlabrunner/.ci-python-venv/bin/cve-bin-tool:8 in <module> │
│ │
│ 5 from cve_bin_tool.cli import main │
│ 6 if __name__ == '__main__': │
│ 7 │ sys.argv[0] = re.sub(r'(-script\.pyw|\.exe)?$', '', sys.argv[0]) │
│ ❱ 8 │ sys.exit(main()) │
│ 9 │
│ │
│ /Users/gitlabrunner/.ci-python-venv/lib/python3.10/site-packages/cve_bin_too │
│ l/cli.py:1103 in main │
│ │
│ 1100 │ │ ) │
│ 1101 │ │ │
│ 1102 │ │ if not args["quiet"]: │
│ ❱ 1103 │ │ │ output.output_file_wrapper(output_formats) │
│ 1104 │ │ │ if args["backport_fix"] or args["available_fix"]: │
│ 1105 │ │ │ │ distro_info = args["backport_fix"] or args["available │
│ 1106 │ │ │ │ is_backport = True if args["backport_fix"] else False │
│ │
│ /Users/gitlabrunner/.ci-python-venv/lib/python3.10/site-packages/cve_bin_too │
│ l/output_engine/__init__.py:977 in output_file_wrapper │
│ │
│ 974 │ def output_file_wrapper(self, output_types=["console"]): │
│ 975 │ │ """Call output_file method for all output types.""" │
│ 976 │ │ for output_type in output_types: │
│ ❱ 977 │ │ │ self.output_file(output_type) │
│ 978 │ │
│ 979 │ def output_file(self, output_type="console"): │
│ 980 │ │ """Generate a file for list of CVE""" │
│ │
│ /Users/gitlabrunner/.ci-python-venv/lib/python3.10/site-packages/cve_bin_too │
│ l/output_engine/__init__.py:1037 in output_file │
│ │
│ 1034 │ │ │ │ self.output_cves(f, output_type) │
│ 1035 │ │ else: │
│ 1036 │ │ │ with open(self.filename, "w", encoding="utf8") as f: │
│ ❱ 1037 │ │ │ │ self.output_cves(f, output_type) │
│ 1038 │ │
│ 1039 │ def check_file_path(self, filepath: str, output_type: str, prefix │
│ 1040 │ │ """Generate a new filename if file already exists.""" │
│ │
│ /Users/gitlabrunner/.ci-python-venv/lib/python3.10/site-packages/cve_bin_too │
│ l/output_engine/__init__.py:752 in output_cves │
│ │
│ 749 │ │ │ │ self.metrics, │
│ 750 │ │ │ ) │
│ 751 │ │ elif output_type == "html": │
│ ❱ 752 │ │ │ output_html( │
│ 753 │ │ │ │ self.all_cve_data, │
│ 754 │ │ │ │ self.all_cve_version_info, │
│ 755 │ │ │ │ self.scanned_dir, │
│ │
│ /Users/gitlabrunner/.ci-python-venv/lib/python3.10/site-packages/cve_bin_too │
│ l/output_engine/html.py:279 in output_html │
│ │
│ 276 │ │ │ cve_remarks["NOT AFFECTED"] += len(cve_by_remark[Remarks.N │
│ 277 │ │ │ │
│ 278 │ │ │ for cve in cve_data["cves"]: │
│ ❱ 279 │ │ │ │ cve_severity[cve.severity] += 1 │
│ 280 │ │ │ │
│ 281 │ │ │ # hid is unique for each product │
│ 282 │ │ │ if product_info.vendor != "UNKNOWN": │
╰──────────────────────────────────────────────────────────────────────────────╯
KeyError: 'HIGH-EXPLOIT'
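
The failure in the traceback, reduced to a stand-alone sketch (an added example, not code from cve-bin-tool or from the issue reporter): a severity tally with fixed keys raises `KeyError` on `HIGH-EXPLOIT`, while a tolerant tally splits the suffix off and keeps the exploit flag separately. The bucket names, the reading of `-EXPLOIT` as a suffix on a base severity, and the function names are assumptions; all sample records except CVE-2023-5217 are constructed.

```python
# Assumed bucket names; the page shows only that "HIGH-EXPLOIT" is not one of them.
BASE_SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")
EXPLOIT_SUFFIX = "-EXPLOIT"  # assumed: suffix added to the base severity label

# Constructed sample records, shaped like the vulnerability.json entry above.
SAMPLE_CVES = [
    {"cve_number": "CVE-2023-5217", "severity": "HIGH-EXPLOIT"},  # from the report
    {"cve_number": "CVE-0000-0001", "severity": "CRITICAL"},      # constructed
    {"cve_number": "CVE-0000-0002", "severity": "high"},          # constructed
    {"cve_number": "CVE-0000-0003", "severity": "SEVERE"},        # constructed
    {"cve_number": "CVE-0000-0004", "severity": None},            # constructed
]


def tally_strict(cves):
    """Same pattern as the failing line: fixed keys, indexed directly."""
    counts = {name: 0 for name in BASE_SEVERITIES}
    for cve in cves:
        counts[cve["severity"]] += 1  # KeyError on any label outside the buckets
    return counts


def split_severity(raw):
    """Return (base_severity, exploit_flag) for a raw severity label."""
    label = str(raw or "").strip().upper()
    exploited = label.endswith(EXPLOIT_SUFFIX)
    if exploited:
        label = label[: -len(EXPLOIT_SUFFIX)]
    if label not in BASE_SEVERITIES:
        label = "UNKNOWN"  # unexpected labels are counted, never raised on
    return label, exploited


def tally_tolerant(cves):
    """Count by base severity and list exploit-flagged CVEs separately."""
    counts = {name: 0 for name in BASE_SEVERITIES}
    exploited = []
    for cve in cves:
        base, flag = split_severity(cve["severity"])
        counts[base] += 1
        if flag:
            exploited.append(cve["cve_number"])
    return counts, exploited
```

Keeping the exploit flag in its own list means a report can still highlight known-exploited CVEs without the severity chart needing a key for every suffixed label.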