oss/syft
2
0
Fork 0
mirror of https://github.com/anchore/syft.git synced 2025-11-17 08:23:15 +01:00
Code Issues Packages Projects Releases Wiki Activity

cpe generation update (#850)

Browse Source 
* do not allow empty CPE to be returned as part of a packages list

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
This commit is contained in:
Christopher Angelo Phillips 2022-02-25 17:06:05 -05:00 committed by GitHub
parent c89131bcf3
commit bb3d713b97
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 42 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
syft/pkg/cataloger/common/cpe/generate.go
View File

@ -12,14 +12,17 @@ import (
"github.com/facebookincubator/nvdtools/wfn" "github.com/facebookincubator/nvdtools/wfn"
) )
func newCPE(product, vendor, version, targetSW string) wfn.Attributes { func newCPE(product, vendor, version, targetSW string) *wfn.Attributes {
cpe := *(wfn.NewAttributesWithAny()) cpe := *(wfn.NewAttributesWithAny())
cpe.Part = "a" cpe.Part = "a"
cpe.Product = product cpe.Product = product
cpe.Vendor = vendor cpe.Vendor = vendor
cpe.Version = version cpe.Version = version
cpe.TargetSW = targetSW cpe.TargetSW = targetSW
return cpe if pkg.ValidateCPEString(pkg.CPEString(cpe)) != nil {
return nil
}
return &cpe
} }
// Generate Create a list of CPEs for a given package, trying to guess the vendor, product tuple. We should be trying to // Generate Create a list of CPEs for a given package, trying to guess the vendor, product tuple. We should be trying to
@ -43,7 +46,9 @@ func Generate(p pkg.Package) []pkg.CPE {
} }
keys.Add(key) keys.Add(key)
// add a new entry... // add a new entry...
cpes = append(cpes, newCPE(product, vendor, p.Version, wfn.Any)) if cpe := newCPE(product, vendor, p.Version, wfn.Any); cpe != nil {
cpes = append(cpes, *cpe)
}
} }
} }

32
syft/pkg/cataloger/common/cpe/generate_test.go
View File

@ -620,6 +620,38 @@ func TestGeneratePackageCPEs(t *testing.T) {
"cpe:2.3:a:jenkins_ci:active_directory:2.25.1:*:*:*:*:*:*:*", "cpe:2.3:a:jenkins_ci:active_directory:2.25.1:*:*:*:*:*:*:*",
}, },
}, },
{
name: "regression: special characters in CPE should result in no generation",
p: pkg.Package{
Name: "bundler",
Version: "2.1.4",
Type: pkg.GemPkg,
FoundBy: "gem-cataloger",
Language: pkg.Ruby,
MetadataType: pkg.GemMetadataType,
Metadata: pkg.GemMetadata{
Name: "bundler",
Version: "2.1.4",
Authors: []string{
"jessica lynn suttles",
"stephanie morillo",
"david rodríguez",
"andré medeiros",
},
},
},
expected: []string{
"cpe:2.3:a:*:bundler:2.1.4:*:*:*:*:*:*:*",
"cpe:2.3:a:bundler:bundler:2.1.4:*:*:*:*:*:*:*",
"cpe:2.3:a:ruby-lang:bundler:2.1.4:*:*:*:*:*:*:*",
"cpe:2.3:a:ruby:bundler:2.1.4:*:*:*:*:*:*:*",
"cpe:2.3:a:ruby_lang:bundler:2.1.4:*:*:*:*:*:*:*",
"cpe:2.3:a:jessica-lynn-suttles:bundler:2.1.4:*:*:*:*:*:*:*",
"cpe:2.3:a:jessica_lynn_suttles:bundler:2.1.4:*:*:*:*:*:*:*",
"cpe:2.3:a:stephanie-morillo:bundler:2.1.4:*:*:*:*:*:*:*",
"cpe:2.3:a:stephanie_morillo:bundler:2.1.4:*:*:*:*:*:*:*",
},
},
} }
for _, test := range tests { for _, test := range tests {

4
syft/pkg/cpe.go
View File

@ -34,7 +34,7 @@ func NewCPE(cpeStr string) (CPE, error) {
} }
// ensure that this CPE can be validated after being fully sanitized // ensure that this CPE can be validated after being fully sanitized
if validateCPEString(CPEString(c)) != nil { if ValidateCPEString(CPEString(c)) != nil {
return CPE{}, err return CPE{}, err
} }
@ -43,7 +43,7 @@ func NewCPE(cpeStr string) (CPE, error) {
return c, nil return c, nil
} }
func validateCPEString(cpeStr string) error { func ValidateCPEString(cpeStr string) error {
// We should filter out all CPEs that do not match the official CPE regex // We should filter out all CPEs that do not match the official CPE regex
// The facebook nvdtools parser can sometimes incorrectly parse invalid CPE strings // The facebook nvdtools parser can sometimes incorrectly parse invalid CPE strings
if !cpeRegex.MatchString(cpeStr) { if !cpeRegex.MatchString(cpeStr) {