Merge remote-tracking branch 'upstream/main' into triage-process

mastersans · Jul 31, 2024 · a1fef97 · a1fef97
2 parents a9e360b + ceec0dc
commit a1fef97
Show file tree

Hide file tree

Showing 34 changed files with 377 additions and 273 deletions.
diff --git a/.github/ISSUE_TEMPLATE/mismatch-report.md b/.github/ISSUE_TEMPLATE/mismatch-report.md
@@ -0,0 +1,27 @@
+---
+name: 'Report a false positive or incorrect component (mismatch)'
+about: Template for reporting false positive
+title: 'bug: incorrect detection for [product name]'
+labels: bug
+assignees: ''
+
+---
+
+### Description
+
+Add a short description of the invalid vendor-product relation.
+
+```yml
+  purls:
+    - [purl identifier] (e.g. pkg:pypi/zstandard.  This will be in the format pkg:[package repository]/[product name])
+
+  invalid_vendors:
+    - [list of vendors that shouldn't be detected] (e.g. facebook)
+```
+
+Not sure how to fill this out? Give us the CVE number that's being incorrectly detected and we'll try to figure it out from there.
+
+### Instructions
+
+[How to add a new entry to the mismatch database](https://github.com/intel/cve-bin-tool/blob/main/doc/mismatch_data.md)
+
diff --git a/.github/workflows/build-wheel.yml b/.github/workflows/build-wheel.yml
@@ -23,7 +23,7 @@ jobs:
     if: github.repository == 'intel/cve-bin-tool' # run on origin repo only
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
       with:
         egress-policy: audit
 

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -42,7 +42,7 @@ jobs:
 
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
       with:
         egress-policy: audit
 

diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
       with:
         egress-policy: audit
 

diff --git a/.github/workflows/cve_scan.yml b/.github/workflows/cve_scan.yml
@@ -15,7 +15,7 @@ jobs:
     timeout-minutes: 10
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
         with:
           egress-policy: audit
 

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
         with:
           egress-policy: audit
 

diff --git a/.github/workflows/formatting.yml b/.github/workflows/formatting.yml
@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
         with:
           egress-policy: audit
 

diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
@@ -18,7 +18,7 @@ jobs:
         tool: ['isort', 'black', 'pyupgrade', 'flake8', 'bandit', 'gitlint', 'mypy', 'interrogate']
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
         with:
           egress-policy: audit
 

diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
@@ -22,7 +22,7 @@ jobs:
         python: ['3.8', '3.9', '3.10', '3.11', '3.12']
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
         with:
           egress-policy: audit
 

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -22,7 +22,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
         with:
           egress-policy: audit
 

diff --git a/.github/workflows/spelling.yml b/.github/workflows/spelling.yml
@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
       with:
         egress-policy: audit
 

diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
@@ -39,7 +39,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
         with:
           disable-sudo: true
           egress-policy: block
@@ -76,7 +76,7 @@ jobs:
     timeout-minutes: 60
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
         with:
           egress-policy: block
           allowed-endpoints: >
@@ -203,7 +203,7 @@ jobs:
       LONG_TESTS: 1
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
         with:
           egress-policy: block
           allowed-endpoints: >
@@ -365,7 +365,7 @@ jobs:
       EXTERNAL_SYSTEM: 1
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
         with:
           egress-policy: block
           allowed-endpoints: >
@@ -498,7 +498,7 @@ jobs:
       PYTHONIOENCODING: 'utf8'
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
         with:
           egress-policy: audit
 

diff --git a/.github/workflows/update-cache.yml b/.github/workflows/update-cache.yml
@@ -27,7 +27,7 @@ jobs:
     timeout-minutes: 60
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
         with:
           egress-policy: audit
 

diff --git a/.github/workflows/update-js-dependencies.yml b/.github/workflows/update-js-dependencies.yml
@@ -22,7 +22,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
         with:
           egress-policy: audit
 

diff --git a/.github/workflows/update-pre-commit.yml b/.github/workflows/update-pre-commit.yml
@@ -22,7 +22,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
         with:
           egress-policy: audit
 

diff --git a/.github/workflows/update-spdx-header.yml b/.github/workflows/update-spdx-header.yml
@@ -23,7 +23,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
         with:
           egress-policy: audit
 

diff --git a/.github/workflows/validate-yml.yml b/.github/workflows/validate-yml.yml
@@ -12,14 +12,14 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
         with:
           egress-policy: audit
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           fetch-depth: 0
-      - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
+      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
         with:
           python-version: '3.11'
           cache: 'pip'

diff --git a/cve_bin_tool/parsers/__init__.py b/cve_bin_tool/parsers/__init__.py
@@ -101,6 +101,15 @@ def generate_purl(self, product, vendor="", version="", qualifier={}, subpath=No
         )
         return purl
 
+    def get_vendor(self, purl, product, version):
+        """Returns the finalised vendor after utilising various mechanisms."""
+        vendor, result = self.find_vendor_from_purl(purl, version)
+
+        if not result:
+            vendor = self.find_vendor(product, version)
+
+        return self.mismatch(purl, vendor)
+
     def find_vendor_from_purl(self, purl, ver) -> tuple[list[ScanInfo], bool]:
         """
         Finds the vendor information for a given PackageURL (purl) and version from the database.

diff --git a/cve_bin_tool/parsers/dart.py b/cve_bin_tool/parsers/dart.py
@@ -54,11 +54,7 @@ def run_checker(self, filename):
                 product = package_name
                 version = package_detail.get("version").replace('"', "")
                 purl = self.generate_purl(product)
-                vendor, result = self.find_vendor_from_purl(purl, version)
-                if not result:
-                    vendor = self.find_vendor(product, version)
-
-                vendor = self.mismatch(purl, vendor)
+                vendor = self.get_vendor(purl, product, version)
                 if vendor:
                     yield from vendor
         self.logger.debug(f"Done scanning file: {self.filename}")
diff --git a/cve_bin_tool/parsers/go.py b/cve_bin_tool/parsers/go.py
@@ -75,11 +75,7 @@ def run_checker(self, filename):
                         product = line.split(" ")[0].split("/")[-1]
                         version = line.split(" ")[1][1:].split("-")[0].split("+")[0]
                         purl = self.generate_purl(product)
-                        vendors, result = self.find_vendor_from_purl(purl, version)
-
-                        if not result:
-                            vendors = self.find_vendor(product, version)
-                        vendors = self.mismatch(purl, vendors)
+                        vendors = self.get_vendor(purl, product, version)
                         if vendors is not None:
                             yield from vendors
             self.logger.debug(f"Done scanning file: {self.filename}")
diff --git a/cve_bin_tool/parsers/javascript.py b/cve_bin_tool/parsers/javascript.py
@@ -48,11 +48,7 @@ def run_checker(self, filename):
                 product = data["name"]
                 version = data["version"]
                 purl = self.generate_purl(product)
-                vendor, result = self.find_vendor_from_purl(purl, version)
-
-                if not result:
-                    vendor = self.find_vendor(product, version)
-                vendor = self.mismatch(purl, vendor)
+                vendor = self.get_vendor(purl, product, version)
             else:
                 vendor = None
             if vendor is not None:
@@ -102,11 +98,7 @@ def run_checker(self, filename):
 
             for product, version in product_version_mapping:
                 purl = self.generate_purl(product, "")
-                vendor, result = self.find_vendor_from_purl(purl, version)
-
-                if not result:
-                    vendor = self.find_vendor(product, version)
-                vendor = self.mismatch(purl, vendor)
+                vendor = self.get_vendor(purl, product, version)
                 if vendor is not None:
                     yield from vendor
             self.logger.debug(f"Done scanning file: {self.filename}")
diff --git a/cve_bin_tool/parsers/perl.py b/cve_bin_tool/parsers/perl.py
@@ -59,11 +59,7 @@ def run_checker(self, filename):
                 product = dependency[0]
                 version = dependency[1]
                 purl = self.generate_purl(product)
-                vendor, result = self.find_vendor_from_purl(purl, version)
-
-                if not result:
-                    vendor = self.find_vendor(product, version)
-                vendor = self.mismatch(purl, vendor)
+                vendor = self.get_vendor(purl, product, version)
                 if vendor is not None:
                     yield from vendor
         self.logger.debug(f"Done scanning file: {self.filename}")
diff --git a/cve_bin_tool/parsers/php.py b/cve_bin_tool/parsers/php.py
@@ -58,11 +58,7 @@ def run_checker(self, filename):
                     if "dev" in version:
                         continue
                     purl = self.generate_purl(product)
-                    vendor, result = self.find_vendor_from_purl(purl, version)
-
-                    if not result:
-                        vendor = self.find_vendor(product, version)
-                    vendor = self.mismatch(purl, vendor)
+                    vendor = self.get_vendor(purl, product, version)
                     if vendor is not None:
                         yield from vendor
             self.logger.debug(f"Done scanning file: {self.filename}")
diff --git a/cve_bin_tool/parsers/python.py b/cve_bin_tool/parsers/python.py
@@ -100,12 +100,8 @@ def run_checker(self, filename):
                 product = line["metadata"]["name"]
                 version = line["metadata"]["version"]
                 purl = self.generate_purl(product)
-                vendor, result = self.find_vendor_from_purl(purl, version)
+                vendor = self.get_vendor(purl, product, version)
 
-                if not result:
-                    vendor = self.find_vendor(product, version)
-
-                vendor = self.mismatch(purl, vendor)
                 if vendor is not None:
                     yield from vendor
             self.logger.debug(f"Done scanning file: {self.filename}")
@@ -157,12 +153,7 @@ def run_checker(self, filename):
             product = search(compile(r"^Name: (.+)$", MULTILINE), lines).group(1)
             version = search(compile(r"^Version: (.+)$", MULTILINE), lines).group(1)
             purl = self.generate_purl(product)
-            vendor, result = self.find_vendor_from_purl(purl, version)
-
-            if not result:
-                vendor = self.find_vendor(product, version)
-
-            vendor = self.mismatch(purl, vendor)
+            vendor = self.get_vendor(purl, product, version)
             if vendor is not None:
                 yield from vendor
 

diff --git a/cve_bin_tool/parsers/r.py b/cve_bin_tool/parsers/r.py
@@ -61,12 +61,7 @@ def run_checker(self, filename):
                 product = content["Packages"][package]["Package"]
                 version = content["Packages"][package]["Version"]
                 purl = self.generate_purl(product)
-                vendor, result = self.find_vendor_from_purl(purl, version)
-
-                if not result:
-                    vendor = self.find_vendor(product, version)
-
-                vendor = self.mismatch(purl, vendor)
+                vendor = self.get_vendor(purl, product, version)
                 if vendor is not None:
                     yield from vendor
             self.logger.debug(f"Done scanning file: {self.filename}")
diff --git a/cve_bin_tool/parsers/ruby.py b/cve_bin_tool/parsers/ruby.py
@@ -73,11 +73,7 @@ def run_checker(self, filename):
                     product = line.strip().split()[0]
                     version = line.strip().split("(")[1][:-1]
                     purl = self.generate_purl(product)
-                    vendors, result = self.find_vendor_from_purl(purl, version)
-
-                    if not result:
-                        vendors = self.find_vendor(product, version)
-                    vendors = self.mismatch(purl, vendors)
+                    vendors = self.get_vendor(purl, product, version)
                     if vendors is not None:
                         yield from vendors
             self.logger.debug(f"Done scanning file: {self.filename}")
diff --git a/cve_bin_tool/parsers/rust.py b/cve_bin_tool/parsers/rust.py
@@ -66,12 +66,7 @@ def run_checker(self, filename):
                         continue
 
                     purl = self.generate_purl(product)
-                    vendors, result = self.find_vendor_from_purl(purl, version)
-
-                    if not result:
-                        vendors = self.find_vendor(product, version)
-
-                    vendors = self.mismatch(purl, vendors)
+                    vendors = self.get_vendor(purl, product, version)
                     if vendors is not None:
                         yield from vendors
                     product = ""

diff --git a/cve_bin_tool/parsers/swift.py b/cve_bin_tool/parsers/swift.py
@@ -74,11 +74,7 @@ def run_checker(self, filename):
                 self.logger.debug(domain)
 
                 purl = self.generate_purl(product)
-                vendors, result = self.find_vendor_from_purl(purl, version)
-
-                if not result:
-                    vendors = self.find_vendor(product, version)
-                vendors = self.mismatch(purl, vendors)
+                vendors = self.get_vendor(purl, product, version)
                 if vendors is not None:
                     yield from vendors
             self.logger.debug(f"Done scanning file: {self.filename}")
diff --git a/dev-requirements.txt b/dev-requirements.txt
@@ -22,4 +22,3 @@ types-PyYAML
 types-requests
 types-setuptools
 types-toml
-setuptools>=65.5.1 # not directly required, pinned by Snyk to avoid a vulnerability