3 changes: 1 addition & 2 deletions cve_bin_tool/parsers/__init__.py
Expand Up @@ -79,13 +79,12 @@ def find_vendor(self, product, version):
)
return vendorlist

def generate_purl(self, product, version, vendor, qualifier={}, subpath=None):
def generate_purl(self, product, vendor, qualifier={}, subpath=None):
"""Generate purl string based on various components."""
purl = PackageURL(
type=self.purl_pkg_type,
namespace=vendor,
name=product,
version=version,
qualifiers=qualifier,
subpath=subpath,
)
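Review bot: The new signature on the `def generate_purl(self, product, vendor, qualifier={}, subpath=None)` line keeps a mutable dict as the default for `qualifier`, and that same shared object is handed to `PackageURL(qualifiers=qualifier)` on every call that omits it; a `None` default is the safe form, e.g. `def generate_purl(self, product, vendor, qualifier=None, subpath=None):` with `qualifiers=qualifier or {}` in the constructor call. Every subclass signature in this PR (dart.py, go.py, java.py, javascript.py, perl.py, php.py, python.py, r.py, ruby.py, rust.py, swift.py) repeats the same default and would change alongside. The docstring `"""Generate purl string based on various components."""` could also state that the version is intentionally left out of the purl, since that is the behavioural change a caller reading the shortened signature will wonder about. generate_purl's body continues past the hunk.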
9 changes: 4 additions & 5 deletions cve_bin_tool/parsers/dart.py
Expand Up @@ -19,21 +19,20 @@ def __init__(self, cve_db, logger):
super().__init__(cve_db, logger)
self.purl_pkg_type = "pub"

def generate_purl(self, product, version, vendor, qualifier={}, subpath=None):
def generate_purl(self, product, vendor, qualifier={}, subpath=None):
"""
Generates PURL after normalizing all components.
pubspec: https://dart.dev/tools/pub/pubspec#name
purl-spec for pub: https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#pub
"""
# Normalize product, version, and vendor for Dart packages
# Normalize product and vendor for Dart packages
product = re.sub(r"[^a-zA-Z0-9_]", "", product).lower()
version = re.sub(r"[^a-z0-9.+-]", "", version)
vendor = "UNKNOWN" # The vendor is not explicitly defined for pub packages
if not product or not version:
if not product:
return None

purl = super().generate_purl(
product,
version,
vendor,
qualifier,
subpath,
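Review bot: `vendor = "UNKNOWN"` on the unchanged line is passed to the base class as the purl namespace, so the result is `pkg:pub/UNKNOWN/<name>`; the purl-spec page the docstring links to defines no namespace for the pub type, so this purl will not match the one a downstream SBOM consumer computes for the same package. Unless something downstream keys on the literal "UNKNOWN", `vendor = None` (PackageURL accepts a missing namespace, as far as I can tell) produces the spec-conformant `pkg:pub/<name>`. The same pattern appears in javascript.py (where the npm namespace is the scope, absent for unscoped packages), python.py, r.py, ruby.py and rust.py, whose types as I read the purl-spec type list likewise have no namespace. The function body continues past the hunk.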
10 changes: 1 addition & 9 deletions cve_bin_tool/parsers/go.py
Expand Up @@ -29,23 +29,19 @@ def __init__(self, cve_db, logger):
super().__init__(cve_db, logger)
self.purl_pkg_type = "golang"

def generate_purl(self, product, version, vendor, qualifier={}, subpath=None):
def generate_purl(self, product, vendor, qualifier={}, subpath=None):
"""Generates PURL after normalizing all components."""

product = re.sub(r"[^a-zA-Z0-9_-]", "", product)
version = re.sub(r"^[^a-zA-Z0-9]|[^a-zA-Z0-9.-]", "", version)
vendor = re.sub(r"^[^a-zA-Z_]|[^a-zA-Z0-9_-]", "", vendor)

if not re.match(r"^[a-zA-Z0-9_-]", product):
return
if vendor == "":
vendor = "UNKNOWN"
if version == "":
version = "UNKNOWN"

purl = super().generate_purl(
product,
version,
vendor,
qualifier,
subpath,
Expand Down Expand Up @@ -79,9 +75,5 @@ def run_checker(self, filename):
version = line.split(" ")[1][1:].split("-")[0].split("+")[0]
vendors = self.find_vendor(product, version)
if vendors is not None:
for v in vendors:
self.generate_purl(
product, version, v.product_info.vendor
)
yield from vendors
self.logger.debug(f"Done scanning file: {self.filename}")
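Review bot: In the first hunk, the empty-product guard `if not re.match(r"^[a-zA-Z0-9_-]", product): return` exits with a bare `return`, while dart.py, java.py, javascript.py, perl.py, php.py and python.py spell the same early exit as `return None`; if callers test the result, an explicit `return None` here (and in r.py, ruby.py, rust.py, swift.py) keeps that contract visible. In the second hunk, `yield from vendors` now runs with no purl generation at all, so this class's `generate_purl` is no longer called from `run_checker`; if that is intended, a one-line comment on the `yield from vendors` line saying where purls are now produced would save the next reader a search, since I cannot see that from this diff. Both functions extend beyond their hunks.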
9 changes: 3 additions & 6 deletions cve_bin_tool/parsers/java.py
Expand Up @@ -18,20 +18,17 @@ def __init__(self, cve_db, logger, validate=True):
self.validate = validate
self.purl_pkg_type = "maven"

def generate_purl(self, product, version, vendor, qualifier={}, subpath=None):
def generate_purl(self, product, vendor, qualifier={}, subpath=None):
"""Generates PURL after normalizing all components of a Maven package."""
# Normalize product, version, and vendor
# Normalize product and vendor
product = re.sub(r"[^a-zA-Z0-9._-]", "", product).lower()
version = re.sub(r"[^a-zA-Z0-9.+\-]", "", version)

vendor = re.sub(r"[^a-zA-Z0-9._-]", "", vendor).lower() if vendor else "UNKNOWN"

if not product or not version:
if not product:
return None

purl = super().generate_purl(
product,
version,
vendor,
qualifier,
subpath,
6 changes: 2 additions & 4 deletions cve_bin_tool/parsers/javascript.py
Expand Up @@ -15,18 +15,16 @@ def __init__(self, cve_db, logger):
super().__init__(cve_db, logger)
self.purl_pkg_type = "npm"

def generate_purl(self, product, version, vendor, qualifier={}, subpath=None):
def generate_purl(self, product, vendor, qualifier={}, subpath=None):
"""Generates PURL after normalizing all components."""
product = re.sub(r"[^a-zA-Z0-9._-]", "", product).lower()
version = re.sub(r"[^a-zA-Z0-9.+\-]", "", version)
vendor = "UNKNOWN" # Typically, the vendor is not explicitly defined for npm packages

if not product or not version:
if not product:
return None

purl = super().generate_purl(
product,
version,
vendor,
qualifier,
subpath,
8 changes: 3 additions & 5 deletions cve_bin_tool/parsers/perl.py
Expand Up @@ -13,19 +13,17 @@ def __init__(self, cve_db, logger):
super().__init__(cve_db, logger)
self.purl_pkg_type = "cpan"

def generate_purl(self, product, version, vendor, qualifier={}, subpath=None):
def generate_purl(self, product, vendor, qualifier={}, subpath=None):
"""Generates PURL after normalizing all components."""
# Normalize product, version, and vendor for Perl packages
# Normalize product and vendor for Perl packages
product = re.sub(r"[^a-zA-Z0-9._-]", "", product).lower()
version = re.sub(r"[^a-zA-Z0-9.+-]", "", version)
vendor = "UNKNOWN" # Typically, the vendor is not explicitly defined for CPAN packages

if not product or not version:
if not product:
return None

purl = super().generate_purl(
product,
version,
vendor,
qualifier,
subpath,
6 changes: 2 additions & 4 deletions cve_bin_tool/parsers/php.py
Expand Up @@ -19,18 +19,16 @@ def __init__(self, cve_db, logger):
super().__init__(cve_db, logger)
self.purl_pkg_type = "composer"

def generate_purl(self, product, version, vendor, qualifier={}, subpath=None):
def generate_purl(self, product, vendor, qualifier={}, subpath=None):
"""Generates PURL after normalizing all components."""
vendor = re.sub(r"[^a-zA-Z0-9._-]", "", vendor).lower()
product = re.sub(r"[^a-zA-Z0-9._-]", "", product).lower()
version = re.sub(r"[^a-zA-Z0-9.+-]", "", version)

if not vendor or not product or not version:
if not vendor or not product:
return None

purl = super().generate_purl(
product,
version,
vendor,
qualifier,
subpath,
12 changes: 4 additions & 8 deletions cve_bin_tool/parsers/python.py
Expand Up @@ -25,18 +25,16 @@ def __init__(self, cve_db, logger):
self.purl_pkg_type = "pypi"
super().__init__(cve_db, logger)

def generate_purl(self, product, version, vendor, qualifier={}, subpath=None):
def generate_purl(self, product, vendor, qualifier={}, subpath=None):
"""Generates PURL after normalizing all components."""
product = re.sub(r"[^a-zA-Z0-9._-]", "", product).lower()
version = re.sub(r"[^a-zA-Z0-9.+-]", "", version)
vendor = "UNKNOWN"

if not product or not version:
if not product:
return None

purl = super().generate_purl(
product,
version,
vendor,
qualifier,
subpath,
Expand Down Expand Up @@ -117,18 +115,16 @@ def __init__(self, cve_db, logger):
self.purl_pkg_type = "pypi"
super().__init__(cve_db, logger)

def generate_purl(self, product, version, vendor, qualifier={}, subpath=None):
def generate_purl(self, product, vendor, qualifier={}, subpath=None):
"""Generates PURL after normalizing all components."""
product = re.sub(r"[^a-zA-Z0-9._-]", "", product).lower()
version = re.sub(r"[^a-zA-Z0-9.+-]", "", version)
vendor = "UNKNOWN"

if not product or not version:
if not product:
return None

purl = super().generate_purl(
product,
version,
vendor,
qualifier,
subpath,
6 changes: 1 addition & 5 deletions cve_bin_tool/parsers/r.py
Expand Up @@ -30,21 +30,17 @@ def __init__(self, cve_db, logger):
super().__init__(cve_db, logger)
self.purl_pkg_type = "cran"

def generate_purl(self, product, version, vendor, qualifier={}, subpath=None):
def generate_purl(self, product, vendor, qualifier={}, subpath=None):
"""Generates PURL after normalizing all components."""

product = re.sub(r"[^a-zA-Z0-9.-]", "", product)
version = re.sub(r"^[^a-zA-Z0-9]|[^a-zA-Z0-9.-]", "", version)
vendor = "UNKNOWN"

if not re.match(r"^[a-zA-Z0-9_-]", product):
return
if version == "":
version = "UNKNOWN"

purl = super().generate_purl(
product,
version,
vendor,
qualifier,
subpath,
6 changes: 1 addition & 5 deletions cve_bin_tool/parsers/ruby.py
Expand Up @@ -29,23 +29,19 @@ def __init__(self, cve_db, logger):
super().__init__(cve_db, logger)
self.purl_pkg_type = "gem"

def generate_purl(self, product, version, vendor, qualifier={}, subpath=None):
def generate_purl(self, product, vendor, qualifier={}, subpath=None):
"""Generates PURL after normalizing all components."""

product = re.sub(r"^[^a-z]|[^a-z0-9_-]", "", product)
version = re.sub(r"^[^0-9]|[^a-zA-Z0-9.+-]", "", version)
vendor = re.sub(r"^[^a-z]|[^a-z0-9_-]", "", vendor)

if not re.match(r"^[a-z]|[a-z0-9_-]", product):
return
if vendor == "":
vendor = "UNKNOWN"
if version == "":
version = "UNKNOWN"

purl = super().generate_purl(
product,
version,
vendor,
qualifier,
subpath,
6 changes: 1 addition & 5 deletions cve_bin_tool/parsers/rust.py
Expand Up @@ -28,23 +28,19 @@ def __init__(self, cve_db, logger):
super().__init__(cve_db, logger)
self.purl_pkg_type = "cargo"

def generate_purl(self, product, version, vendor, qualifier={}, subpath=None):
def generate_purl(self, product, vendor, qualifier={}, subpath=None):
"""Generates PURL after normalizing all components."""

product = re.sub(r"^[^a-zA-Z_]|[^a-zA-Z0-9_-]", "", product)
vendor = re.sub(r"^[^a-zA-Z_]|[^a-zA-Z0-9_-]", "", vendor)
version = re.sub(r"^[^0-9]|[^a-zA-Z0-9.+-]", "", version)

if not re.match(r"^[a-zA-Z_]|[a-zA-Z0-9_-]", product):
return
if vendor == "":
vendor = "UNKNOWN"
if version == "":
version = "UNKNOWN"

purl = super().generate_purl(
product,
version,
vendor,
qualifier,
subpath,
6 changes: 1 addition & 5 deletions cve_bin_tool/parsers/swift.py
Expand Up @@ -32,22 +32,18 @@ def __init__(self, cve_db, logger):
super().__init__(cve_db, logger)
self.purl_pkg_type = "swift"

def generate_purl(self, product, version, vendor, qualifier={}, subpath=None):
def generate_purl(self, product, vendor, qualifier={}, subpath=None):
"""Generates PURL after normalizing all components."""

product = re.sub(r"[^a-zA-Z0-9_-]", "", product)
version = re.sub(r"[^a-zA-Z0-9.+-]", "", version)

if not re.match(r"[a-zA-Z0-9_-]", product):
return
if not vendor:
vendor = "UNKNOWN"
if not version:
version = "UNKNOWN"

purl = super().generate_purl(
product,
version,
vendor,
qualifier,
subpath,
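Review bot: `vendor` reaches the `if not vendor: vendor = "UNKNOWN"` fallback unnormalised and is then passed as the purl namespace, whereas `product` on the line above is stripped to `[a-zA-Z0-9_-]` and the sibling parsers go.py, ruby.py and rust.py sanitise vendor with the same character class they use for product. For the swift type the namespace is a host name, so a dot must survive; something like `vendor = re.sub(r"[^a-zA-Z0-9._-]", "", vendor) if vendor else "UNKNOWN"` keeps the two components consistent while allowing that, though the exact class is worth confirming against what callers actually pass as vendor. The function body continues past the hunk.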