feat: Adding locations in CycloneDX reports (#3989)

Author: Mayankrai449

cve_bin_tool/input_engine.py

@@ -261,7 +261,7 @@ def decode_bom_ref(self, ref) -> ProductInfo:
         urn_cdx = re.compile(
             r"urn:cdx:(?P<bomSerialNumber>.*?)\/(?P<bom_version>.*?)#(?P<bom_ref>.*)"
         )
-
+        location = "location/to/product"
         if urn_cbt_ext_ref.match(ref):
             urn_dict = urn_cbt_ext_ref.match(ref).groupdict()
             vendor = urn_dict["vendor"]
@@ -290,7 +290,9 @@ def decode_bom_ref(self, ref) -> ProductInfo:
 
         product_info = None
         if product is not None and self.validate_product(product):
-            product_info = ProductInfo(vendor.strip(), product.strip(), version.strip())
+            product_info = ProductInfo(
+                vendor.strip(), product.strip(), version.strip(), location
+            )
 
         return product_info
 
@@ -314,7 +316,10 @@ def parse_data(self, fields: Set[str], data: Iterable) -> None:
 
         for row in data:
             product_info = ProductInfo(
-                row["vendor"].strip(), row["product"].strip(), row["version"].strip()
+                row["vendor"].strip(),
+                row["product"].strip(),
+                row["version"].strip(),
+                row.get("location", "location/to/product").strip(),
             )
             self.parsed_data[product_info][
                 row.get("cve_number", "").strip() or "default"

cve_bin_tool/merge.py

@@ -208,7 +208,10 @@ def parse_data_from_json(
 
     for row in json_data:
         product_info = ProductInfo(
-            row["vendor"].strip(), row["product"].strip(), row["version"].strip()
+            row["vendor"].strip(),
+            row["product"].strip(),
+            row["version"].strip(),
+            row.get("location", "location/to/product").strip(),
         )
         parsed_data[product_info][row.get("cve_number", "").strip() or "default"] = {
             "remarks": Remarks(str(row.get("remarks", "")).strip()),

cve_bin_tool/output_engine/__init__.py

@@ -106,6 +106,7 @@ def output_csv(
         "vendor",
         "product",
         "version",
+        "location",
         "cve_number",
         "severity",
         "score",
@@ -917,6 +918,7 @@ def generate_sbom(
         sbom_relationships = []
         my_package = SBOMPackage()
         sbom_relationship = SBOMRelationship()
+
         # Create root package
         my_package.initialise()
         root_package = f'CVEBINTOOL-{Path(sbom_root).name.replace(".", "-")}'
@@ -929,13 +931,15 @@ def generate_sbom(
         my_package.set_licensedeclared(license)
         my_package.set_licenseconcluded(license)
         my_package.set_supplier("UNKNOWN", "NOASSERTION")
+
         # Store package data
         sbom_packages[(my_package.get_name(), my_package.get_value("version"))] = (
             my_package.get_package()
         )
         sbom_relationship.initialise()
         sbom_relationship.set_relationship(parent, "DESCRIBES", root_package)
         sbom_relationships.append(sbom_relationship.get_relationship())
+
         # Add dependent products
         for product_data in all_product_data:
             my_package.initialise()
@@ -950,6 +954,8 @@ def generate_sbom(
                 in sbom_packages
                 and product_data.vendor == "unknown"
             ):
+                location = product_data.location
+                my_package.set_evidence(location)  # Set location directly
                 sbom_packages[
                     (my_package.get_name(), my_package.get_value("version"))
                 ] = my_package.get_package()

cve_bin_tool/output_engine/util.py

@@ -160,6 +160,7 @@ def format_output(
                             "vendor": "haxx"
                             "product": "curl",
                             "version": "1.2.1",
+                            "location": "/usr/local/bin/product",
                             "cve_number": "CVE-1234-1234",
                             "severity": "LOW",
                             "score": "1.2",
@@ -191,6 +192,7 @@ def format_output(
                 "vendor": product_info.vendor,
                 "product": product_info.product,
                 "version": product_info.version,
+                "location": product_info.location,
                 "cve_number": cve.cve_number,
                 "severity": cve.severity,
                 "score": str(cve.score),

cve_bin_tool/parsers/__init__.py

@@ -62,18 +62,20 @@ def find_vendor(self, product, version):
         vendor_package_pair = self.cve_db.get_vendor_product_pairs(product)
         vendorlist: list[ScanInfo] = []
         file_path = self.filename
+        location = file_path
         if vendor_package_pair != []:
             # To handle multiple vendors, return all combinations of product/vendor mappings
             for v in vendor_package_pair:
                 vendor = v["vendor"]
+                location = v.get("location", "/usr/local/bin/product")
                 self.logger.debug(f"{file_path} {product} {version} by {vendor}")
                 vendorlist.append(
-                    ScanInfo(ProductInfo(vendor, product, version), file_path)
+                    ScanInfo(ProductInfo(vendor, product, version, location), file_path)
                 )
         else:
             # Add entry
             vendorlist.append(
-                ScanInfo(ProductInfo("UNKNOWN", product, version), file_path)
+                ScanInfo(ProductInfo("UNKNOWN", product, version, location), file_path)
             )
         return vendorlist
 

cve_bin_tool/parsers/java.py

@@ -57,8 +57,11 @@ def find_vendor(self, product, version):
             for pair in vendor_package_pair:
                 vendor = pair["vendor"]
                 file_path = self.filename
+                location = pair.get("location", "/usr/local/bin/product")
                 self.logger.debug(f"{file_path} {product} {version} by {vendor}")
-                info.append(ScanInfo(ProductInfo(vendor, product, version), file_path))
+                info.append(
+                    ScanInfo(ProductInfo(vendor, product, version, location), file_path)
+                )
             return info
         return None
 

cve_bin_tool/parsers/python.py

@@ -152,9 +152,12 @@ def run_checker(self, filename):
             if vendor_package_pair != []:
                 for pair in vendor_package_pair:
                     vendor = pair["vendor"]
+                    location = pair.get("location", "/usr/local/bin/product")
                     file_path = self.filename
                     self.logger.debug(f"{file_path} is {vendor}.{product} {version}")
-                    yield ScanInfo(ProductInfo(vendor, product, version), file_path)
+                    yield ScanInfo(
+                        ProductInfo(vendor, product, version, location), file_path
+                    )
 
         # There are packages with a METADATA file in them containing different data from what the tool expects
         except AttributeError:

cve_bin_tool/sbom_manager/__init__.py

@@ -4,6 +4,7 @@
 from __future__ import annotations
 
 import re
+import sys
 from collections import defaultdict
 from logging import Logger
 from pathlib import Path
@@ -15,7 +16,12 @@
 from cve_bin_tool.cvedb import CVEDB
 from cve_bin_tool.input_engine import TriageData
 from cve_bin_tool.log import LOGGER
-from cve_bin_tool.util import ProductInfo, Remarks
+from cve_bin_tool.util import (
+    ProductInfo,
+    Remarks,
+    find_product_location,
+    validate_location,
+)
 from cve_bin_tool.validator import validate_cyclonedx, validate_spdx
 
 from .swid_parser import SWIDParser
@@ -80,10 +86,17 @@ def common_prefix_split(self, product, version) -> list[ProductInfo]:
                     len(common_prefix_vendor) == 1
                     and common_prefix_vendor[0] != "UNKNOWN"
                 ):
+                    location = find_product_location(common_prefix_product)
+                    if location is None:
+                        location = "NotFound"
+                    if validate_location(location) is False:
+                        raise ValueError(f"Invalid location {location} for {product}")
                     found_common_prefix = True
                     for vendor in common_prefix_vendor:
                         parsed_data.append(
-                            ProductInfo(vendor, common_prefix_product, version)
+                            ProductInfo(
+                                vendor, common_prefix_product, version, location
+                            )
                         )
                 break
         if not found_common_prefix:
@@ -97,8 +110,15 @@ def common_prefix_split(self, product, version) -> list[ProductInfo]:
                 temp = self.get_vendor(sp)
                 if len(temp) > 1 or (len(temp) == 1 and temp[0] != "UNKNOWN"):
                     for vendor in temp:
+                        location = find_product_location(sp)
+                        if location is None:
+                            location = "NotFound"
+                        if validate_location(location) is False:
+                            raise ValueError(
+                                f"Invalid location {location} for {product}"
+                            )
                         # if vendor is not None:
-                        parsed_data.append(ProductInfo(vendor, sp, version))
+                        parsed_data.append(ProductInfo(vendor, sp, version, location))
         return parsed_data
 
     def scan_file(self) -> dict[ProductInfo, TriageData]:
@@ -139,9 +159,21 @@ def scan_file(self) -> dict[ProductInfo, TriageData]:
                 vendor_set = self.get_vendor(product)
                 for vendor in vendor_set:
                     # if vendor is not None:
-                    parsed_data.append(ProductInfo(vendor, product, version))
+                    location = find_product_location(product)
+                    if location is None:
+                        location = "NotFound"
+                    if validate_location(location) is False:
+                        raise ValueError(f"Invalid location {location} for {product}")
+                    parsed_data.append(ProductInfo(vendor, product, version, location))
             else:
-                parsed_data.append(ProductInfo(module_vendor, product, version))
+                location = find_product_location(product)
+                if location is None:
+                    location = "NotFound"
+                if validate_location(location) is False:
+                    raise ValueError(f"Invalid location {location} for {product}")
+                parsed_data.append(
+                    ProductInfo(module_vendor, product, version, location)
+                )
 
         for row in parsed_data:
             self.sbom_data[row]["default"] = {
@@ -357,7 +389,6 @@ def decode_purl(self, purl) -> (str | None, str | None, str | None):
 
 
 if __name__ == "__main__":
-    import sys
 
     file = sys.argv[1]
     sbom = SBOMManager(file)

cve_bin_tool/sbom_manager/cyclonedx_parser.py

@@ -7,6 +7,7 @@
 
 import defusedxml.ElementTree as ET
 
+from cve_bin_tool.util import find_product_location
 from cve_bin_tool.validator import validate_cyclonedx
 
 
@@ -38,7 +39,10 @@ def parse_cyclonedx_json(self, sbom_file: str) -> list[list[str]]:
             if d["type"] in self.components_supported:
                 package = d["name"]
                 version = d["version"]
-                modules.append([package, version])
+                location = find_product_location(package)
+                if location is None:
+                    location = "NotFound"
+                modules.append([package, version, location])
 
         return modules
 
@@ -68,8 +72,10 @@ def parse_cyclonedx_xml(self, sbom_file: str) -> list[list[str]]:
                     if component_version is None:
                         raise KeyError(f"Could not find version in {component}")
                     version = component_version.text
-                    if version is not None:
-                        modules.append([package, version])
+                    location = find_product_location(package)
+                    if location is None:
+                        location = "NotFound"
+                    modules.append([package, version, location])
         return modules
 
 

cve_bin_tool/sbom_manager/spdx_parser.py

@@ -10,6 +10,7 @@
 import yaml
 
 from cve_bin_tool.log import LOGGER
+from cve_bin_tool.util import find_product_location
 from cve_bin_tool.validator import validate_spdx
 
 
@@ -61,7 +62,10 @@ def parse_spdx_json(self, sbom_file: str) -> list[list[str]]:
             package = d["name"]
             try:
                 version = d["versionInfo"]
-                modules.append([package, version])
+                location = find_product_location(package)
+                if location is None:
+                    location = "NotFound"
+                modules.append([package, version, location])
             except KeyError as e:
                 LOGGER.debug(e, exc_info=True)