feat: removed version info from purls in language parsers (#4159)
Signed-off-by: Meet Soni <[email protected]>
inosmeet committed Jun 4, 2024
1 parent e8b7241 commit fb2f0bd
Showing 12 changed files with 24 additions and 63 deletions.
3 changes: 1 addition & 2 deletions cve_bin_tool/parsers/__init__.py
Expand Up @@ -79,13 +79,12 @@ def find_vendor(self, product, version):
)
return vendorlist

def generate_purl(self, product, version, vendor, qualifier={}, subpath=None):
def generate_purl(self, product, vendor, qualifier={}, subpath=None):
"""Generate purl string based on various components."""
purl = PackageURL(
type=self.purl_pkg_type,
namespace=vendor,
name=product,
version=version,
qualifiers=qualifier,
subpath=subpath,
)
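Review bot: The new signature keeps `qualifier={}` as a mutable default, so every call that omits it shares one dict object that is handed straight to PackageURL as `qualifiers`; nothing on the page shows PackageURL copying it, so a mutation by any caller would leak into later purls. Safer is `def generate_purl(self, product, vendor, qualifier=None, subpath=None):` with `qualifiers=qualifier if qualifier is not None else {},`; the same default is repeated in every parser override in this commit (dart, go, java, javascript, perl, php, python, r, ruby, rust, swift). Dropping the positional `version` also means any caller outside this diff that still passes `product, version, vendor` will silently bind the version string to `vendor` and the vendor to `qualifier` instead of failing, which is worth a grep before merge. The docstring could state what the purl now carries, e.g. `"""Generate a purl from product, vendor, qualifier and subpath; no version is encoded."""`. generate_purl continues below the hunk.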
9 changes: 4 additions & 5 deletions cve_bin_tool/parsers/dart.py
Expand Up @@ -19,21 +19,20 @@ def __init__(self, cve_db, logger):
super().__init__(cve_db, logger)
self.purl_pkg_type = "pub"

def generate_purl(self, product, version, vendor, qualifier={}, subpath=None):
def generate_purl(self, product, vendor, qualifier={}, subpath=None):
"""
Generates PURL after normalizing all components.
pubspec: https://dart.dev/tools/pub/pubspec#name
purl-spec for pub: https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#pub
"""
# Normalize product, version, and vendor for Dart packages
# Normalize product and vendor for Dart packages
product = re.sub(r"[^a-zA-Z0-9_]", "", product).lower()
version = re.sub(r"[^a-z0-9.+-]", "", version)
vendor = "UNKNOWN" # The vendor is not explicitly defined for pub packages
if not product or not version:
if not product:
return None

purl = super().generate_purl(
product,
version,
vendor,
qualifier,
subpath,
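Review bot: The docstring `Generates PURL after normalizing all components.` no longer matches the body, which normalizes only `product` and replaces whatever `vendor` the caller passed with the constant "UNKNOWN", so that parameter is effectively ignored. A docstring stating the actual contract would be `"""Generate a pub purl for product; vendor is always "UNKNOWN" and no version is encoded."""`. The same docstring/body mismatch with a constant vendor appears in javascript.py, perl.py and both classes in python.py. The function continues below the hunk.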
10 changes: 1 addition & 9 deletions cve_bin_tool/parsers/go.py
Expand Up @@ -29,23 +29,19 @@ def __init__(self, cve_db, logger):
super().__init__(cve_db, logger)
self.purl_pkg_type = "golang"

def generate_purl(self, product, version, vendor, qualifier={}, subpath=None):
def generate_purl(self, product, vendor, qualifier={}, subpath=None):
"""Generates PURL after normalizing all components."""

product = re.sub(r"[^a-zA-Z0-9_-]", "", product)
version = re.sub(r"^[^a-zA-Z0-9]|[^a-zA-Z0-9.-]", "", version)
vendor = re.sub(r"^[^a-zA-Z_]|[^a-zA-Z0-9_-]", "", vendor)

if not re.match(r"^[a-zA-Z0-9_-]", product):
return
if vendor == "":
vendor = "UNKNOWN"
if version == "":
version = "UNKNOWN"

purl = super().generate_purl(
product,
version,
vendor,
qualifier,
subpath,
Expand Down Expand Up @@ -79,9 +75,5 @@ def run_checker(self, filename):
version = line.split(" ")[1][1:].split("-")[0].split("+")[0]
vendors = self.find_vendor(product, version)
if vendors is not None:
for v in vendors:
self.generate_purl(
product, version, v.product_info.vendor
)
yield from vendors
self.logger.debug(f"Done scanning file: {self.filename}")
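Review bot: In the first hunk the guard `if not re.match(r"^[a-zA-Z0-9_-]", product)` can only fail when `product` is empty, because the preceding `re.sub` has already removed every character outside that class, so `if not product: return None` says the same thing directly and also replaces the bare `return` with the `return None` the other parsers use. The same sub-then-match pattern is in r.py, ruby.py, rust.py and swift.py. The second hunk deletes the only call to `self.generate_purl` visible in this file, and its result was never used, so unless another module calls these overrides they are now dead code; worth confirming before keeping them. Both functions continue outside their hunks.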
9 changes: 3 additions & 6 deletions cve_bin_tool/parsers/java.py
Expand Up @@ -18,20 +18,17 @@ def __init__(self, cve_db, logger, validate=True):
self.validate = validate
self.purl_pkg_type = "maven"

def generate_purl(self, product, version, vendor, qualifier={}, subpath=None):
def generate_purl(self, product, vendor, qualifier={}, subpath=None):
"""Generates PURL after normalizing all components of a Maven package."""
# Normalize product, version, and vendor
# Normalize product and vendor
product = re.sub(r"[^a-zA-Z0-9._-]", "", product).lower()
version = re.sub(r"[^a-zA-Z0-9.+\-]", "", version)

vendor = re.sub(r"[^a-zA-Z0-9._-]", "", vendor).lower() if vendor else "UNKNOWN"

if not product or not version:
if not product:
return None

purl = super().generate_purl(
product,
version,
vendor,
qualifier,
subpath,
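Review bot: The truthiness check on `vendor` runs before the normalizing `re.sub`, so a vendor made up only of stripped characters (a constructed example: a value of just punctuation) passes the `if vendor` test, becomes `""` after the sub and is sent to PackageURL as an empty namespace instead of "UNKNOWN". Normalize first and then default: `vendor = re.sub(r"[^a-zA-Z0-9._-]", "", vendor).lower() if vendor else ""` followed by `vendor = vendor or "UNKNOWN"`. The function continues below the hunk.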
6 changes: 2 additions & 4 deletions cve_bin_tool/parsers/javascript.py
Expand Up @@ -15,18 +15,16 @@ def __init__(self, cve_db, logger):
super().__init__(cve_db, logger)
self.purl_pkg_type = "npm"

def generate_purl(self, product, version, vendor, qualifier={}, subpath=None):
def generate_purl(self, product, vendor, qualifier={}, subpath=None):
"""Generates PURL after normalizing all components."""
product = re.sub(r"[^a-zA-Z0-9._-]", "", product).lower()
version = re.sub(r"[^a-zA-Z0-9.+\-]", "", version)
vendor = "UNKNOWN" # Typically, the vendor is not explicitly defined for npm packages

if not product or not version:
if not product:
return None

purl = super().generate_purl(
product,
version,
vendor,
qualifier,
subpath,
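Review bot: The product normalization `re.sub(r"[^a-zA-Z0-9._-]", "", product)` strips `@` and `/`, so a scoped npm name such as `@scope/name` (constructed example) would collapse to `scopename`, which identifies a different package; whether scoped names reach this method is not visible on the page but is worth confirming. With the version no longer encoded, the name is the only component left to match on, so a misfolded name matters more after this commit. If scoped names do arrive, the scope belongs in the purl namespace rather than being folded into the name. The function continues below the hunk.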
8 changes: 3 additions & 5 deletions cve_bin_tool/parsers/perl.py
Expand Up @@ -13,19 +13,17 @@ def __init__(self, cve_db, logger):
super().__init__(cve_db, logger)
self.purl_pkg_type = "cpan"

def generate_purl(self, product, version, vendor, qualifier={}, subpath=None):
def generate_purl(self, product, vendor, qualifier={}, subpath=None):
"""Generates PURL after normalizing all components."""
# Normalize product, version, and vendor for Perl packages
# Normalize product and vendor for Perl packages
product = re.sub(r"[^a-zA-Z0-9._-]", "", product).lower()
version = re.sub(r"[^a-zA-Z0-9.+-]", "", version)
vendor = "UNKNOWN" # Typically, the vendor is not explicitly defined for CPAN packages

if not product or not version:
if not product:
return None

purl = super().generate_purl(
product,
version,
vendor,
qualifier,
subpath,
6 changes: 2 additions & 4 deletions cve_bin_tool/parsers/php.py
Expand Up @@ -19,18 +19,16 @@ def __init__(self, cve_db, logger):
super().__init__(cve_db, logger)
self.purl_pkg_type = "composer"

def generate_purl(self, product, version, vendor, qualifier={}, subpath=None):
def generate_purl(self, product, vendor, qualifier={}, subpath=None):
"""Generates PURL after normalizing all components."""
vendor = re.sub(r"[^a-zA-Z0-9._-]", "", vendor).lower()
product = re.sub(r"[^a-zA-Z0-9._-]", "", product).lower()
version = re.sub(r"[^a-zA-Z0-9.+-]", "", version)

if not vendor or not product or not version:
if not vendor or not product:
return None

purl = super().generate_purl(
product,
version,
vendor,
qualifier,
subpath,
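Review bot: `re.sub(r"[^a-zA-Z0-9._-]", "", vendor)` raises TypeError if `vendor` is None, while java.py guards the same call with `if vendor else "UNKNOWN"`; the later `if not vendor or not product` check comes too late to prevent that. If callers can pass None for vendor (java.py's guard suggests they might), normalize with `vendor = re.sub(r"[^a-zA-Z0-9._-]", "", vendor).lower() if vendor else ""`. The function continues below the hunk.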
12 changes: 4 additions & 8 deletions cve_bin_tool/parsers/python.py
Expand Up @@ -25,18 +25,16 @@ def __init__(self, cve_db, logger):
self.purl_pkg_type = "pypi"
super().__init__(cve_db, logger)

def generate_purl(self, product, version, vendor, qualifier={}, subpath=None):
def generate_purl(self, product, vendor, qualifier={}, subpath=None):
"""Generates PURL after normalizing all components."""
product = re.sub(r"[^a-zA-Z0-9._-]", "", product).lower()
version = re.sub(r"[^a-zA-Z0-9.+-]", "", version)
vendor = "UNKNOWN"

if not product or not version:
if not product:
return None

purl = super().generate_purl(
product,
version,
vendor,
qualifier,
subpath,
Expand Down Expand Up @@ -117,18 +115,16 @@ def __init__(self, cve_db, logger):
self.purl_pkg_type = "pypi"
super().__init__(cve_db, logger)

def generate_purl(self, product, version, vendor, qualifier={}, subpath=None):
def generate_purl(self, product, vendor, qualifier={}, subpath=None):
"""Generates PURL after normalizing all components."""
product = re.sub(r"[^a-zA-Z0-9._-]", "", product).lower()
version = re.sub(r"[^a-zA-Z0-9.+-]", "", version)
vendor = "UNKNOWN"

if not product or not version:
if not product:
return None

purl = super().generate_purl(
product,
version,
vendor,
qualifier,
subpath,
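Review bot: The two hunks are byte-identical method bodies in two different classes that both set `self.purl_pkg_type = "pypi"`, and this commit has to edit them in lockstep; a shared helper or a common base class for the two pypi parsers would keep the next change from needing the same duplicated edit. Both functions continue below their hunks.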
6 changes: 1 addition & 5 deletions cve_bin_tool/parsers/r.py
Expand Up @@ -30,21 +30,17 @@ def __init__(self, cve_db, logger):
super().__init__(cve_db, logger)
self.purl_pkg_type = "cran"

def generate_purl(self, product, version, vendor, qualifier={}, subpath=None):
def generate_purl(self, product, vendor, qualifier={}, subpath=None):
"""Generates PURL after normalizing all components."""

product = re.sub(r"[^a-zA-Z0-9.-]", "", product)
version = re.sub(r"^[^a-zA-Z0-9]|[^a-zA-Z0-9.-]", "", version)
vendor = "UNKNOWN"

if not re.match(r"^[a-zA-Z0-9_-]", product):
return
if version == "":
version = "UNKNOWN"

purl = super().generate_purl(
product,
version,
vendor,
qualifier,
subpath,
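Review bot: The character classes in the `re.sub` and the `re.match` disagree: the sub keeps `.` and drops `_`, while the match accepts a leading `_` (which can no longer occur) and rejects a leading `.` (which can), so a product whose first surviving character is `.` is silently discarded with a bare `return`. If rejecting a leading dot is intended, a comment should say so; if not, `if not product: return None` expresses the actual check and matches the other parsers. The function continues below the hunk.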
6 changes: 1 addition & 5 deletions cve_bin_tool/parsers/ruby.py
Expand Up @@ -29,23 +29,19 @@ def __init__(self, cve_db, logger):
super().__init__(cve_db, logger)
self.purl_pkg_type = "gem"

def generate_purl(self, product, version, vendor, qualifier={}, subpath=None):
def generate_purl(self, product, vendor, qualifier={}, subpath=None):
"""Generates PURL after normalizing all components."""

product = re.sub(r"^[^a-z]|[^a-z0-9_-]", "", product)
version = re.sub(r"^[^0-9]|[^a-zA-Z0-9.+-]", "", version)
vendor = re.sub(r"^[^a-z]|[^a-z0-9_-]", "", vendor)

if not re.match(r"^[a-z]|[a-z0-9_-]", product):
return
if vendor == "":
vendor = "UNKNOWN"
if version == "":
version = "UNKNOWN"

purl = super().generate_purl(
product,
version,
vendor,
qualifier,
subpath,
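Review bot: The `^[^a-z]` alternative in `re.sub(r"^[^a-z]|[^a-z0-9_-]", "", product)` removes at most one leading character, so a name like `12foo` (constructed) becomes `2foo`, and the following `re.match(r"^[a-z]|[a-z0-9_-]", product)` then accepts it through its second alternative; a leading-letter rule, if that is the intent, is not enforced. `re.sub(r"^[^a-z]+|[^a-z0-9_-]", "", product)` strips the whole leading run, after which the match reduces to a non-empty check. rust.py has the same one-character `^[^a-zA-Z_]` sub followed by a match with the same escape hatch. The function continues below the hunk.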
6 changes: 1 addition & 5 deletions cve_bin_tool/parsers/rust.py
Expand Up @@ -28,23 +28,19 @@ def __init__(self, cve_db, logger):
super().__init__(cve_db, logger)
self.purl_pkg_type = "cargo"

def generate_purl(self, product, version, vendor, qualifier={}, subpath=None):
def generate_purl(self, product, vendor, qualifier={}, subpath=None):
"""Generates PURL after normalizing all components."""

product = re.sub(r"^[^a-zA-Z_]|[^a-zA-Z0-9_-]", "", product)
vendor = re.sub(r"^[^a-zA-Z_]|[^a-zA-Z0-9_-]", "", vendor)
version = re.sub(r"^[^0-9]|[^a-zA-Z0-9.+-]", "", version)

if not re.match(r"^[a-zA-Z_]|[a-zA-Z0-9_-]", product):
return
if vendor == "":
vendor = "UNKNOWN"
if version == "":
version = "UNKNOWN"

purl = super().generate_purl(
product,
version,
vendor,
qualifier,
subpath,
6 changes: 1 addition & 5 deletions cve_bin_tool/parsers/swift.py
Expand Up @@ -32,22 +32,18 @@ def __init__(self, cve_db, logger):
super().__init__(cve_db, logger)
self.purl_pkg_type = "swift"

def generate_purl(self, product, version, vendor, qualifier={}, subpath=None):
def generate_purl(self, product, vendor, qualifier={}, subpath=None):
"""Generates PURL after normalizing all components."""

product = re.sub(r"[^a-zA-Z0-9_-]", "", product)
version = re.sub(r"[^a-zA-Z0-9.+-]", "", version)

if not re.match(r"[a-zA-Z0-9_-]", product):
return
if not vendor:
vendor = "UNKNOWN"
if not version:
version = "UNKNOWN"

purl = super().generate_purl(
product,
version,
vendor,
qualifier,
subpath,
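Review bot: `vendor` is the only component here that is not normalized: product goes through `re.sub(r"[^a-zA-Z0-9_-]", "", product)` but vendor is passed to the purl namespace as received, only defaulted to "UNKNOWN" when falsy, unlike go.py, ruby.py and rust.py which scrub it with the same class as product. Applying the same filter, `vendor = re.sub(r"[^a-zA-Z0-9_-]", "", vendor) if vendor else ""` before the existing `if not vendor` default, keeps the namespace consistent with the name. The function continues below the hunk.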
