fix: drop location handling (intel#4822)

Drop find_product_location as it tries to find the location of the
product on the system parsing the SBOM which obviously doesn't make
sense

While at it, drop location totally from ProductInfo. Indeed, currently
only the first location of the product is saved in the SBOM. Instead of
using this location field, set the evidence to be the list of paths
saved in all_cve_data. This will avoid to duplicate information.

__identity_members, __eq__ and __hash__, which were added by commit
f1d3c75 to handle location, are kept to
still handle the optional purl parameter and avoid breaking
test_product_info_{equality,hashing} tests.

Fix intel#4676

Signed-off-by: Fabrice Fontaine <[email protected]>

Author: ffontaine

cve_bin_tool/input_engine.py

@@ -158,7 +158,6 @@ def parse_data(self, fields: Set[str], data: Iterable) -> None:
                 row["vendor"].strip(),
                 row["product"].strip(),
                 row["version"].strip(),
-                row.get("location", "location/to/product").strip(),
             )
             self.parsed_data[product_info][
                 row.get("cve_number", "").strip() or "default"

cve_bin_tool/merge.py

@@ -211,7 +211,6 @@ def parse_data_from_json(
             row["vendor"].strip(),
             row["product"].strip(),
             row["version"].strip(),
-            row.get("location", "location/to/product").strip(),
         )
         parsed_data[product_info][row.get("cve_number", "").strip() or "default"] = {
             "remarks": Remarks(str(row.get("remarks", "")).strip()),

cve_bin_tool/output_engine/__init__.py

@@ -90,7 +90,6 @@ def output_csv(
         "vendor",
         "product",
         "version",
-        "location",
         "cve_number",
         "severity",
         "score",
@@ -813,6 +812,7 @@ def output_cves(self, outfile, output_type="console"):
                 self.sbom_filename = add_extension_if_not(self.sbom_filename, "json")
             sbomgen = SBOMGenerate(
                 self.all_product_data,
+                self.all_cve_data,
                 self.sbom_filename,
                 self.sbom_type,
                 self.sbom_format,

cve_bin_tool/output_engine/util.py

@@ -160,7 +160,6 @@ def format_output(
                             "vendor": "haxx"
                             "product": "curl",
                             "version": "1.2.1",
-                            "location": "/usr/local/bin/product",
                             "cve_number": "CVE-1234-1234",
                             "severity": "LOW",
                             "score": "1.2",
@@ -192,7 +191,6 @@ def format_output(
                 "vendor": product_info.vendor,
                 "product": product_info.product,
                 "version": product_info.version,
-                "location": product_info.location,
                 "cve_number": cve.cve_number,
                 "severity": cve.severity,
                 "score": str(cve.score),

cve_bin_tool/parsers/__init__.py

@@ -73,20 +73,18 @@ def find_vendor(self, product, version):
         vendor_package_pair = self.cve_db.get_vendor_product_pairs(product)
         vendorlist: list[ScanInfo] = []
         file_path = self.filename
-        location = file_path
         if vendor_package_pair != []:
             # To handle multiple vendors, return all combinations of product/vendor mappings
             for v in vendor_package_pair:
                 vendor = v["vendor"]
-                location = v.get("location", self.filename)
                 self.logger.debug(f"{file_path} {product} {version} by {vendor}")
                 vendorlist.append(
-                    ScanInfo(ProductInfo(vendor, product, version, location), file_path)
+                    ScanInfo(ProductInfo(vendor, product, version), file_path)
                 )
         else:
             # Add entry
             vendorlist.append(
-                ScanInfo(ProductInfo("UNKNOWN", product, version, location), file_path)
+                ScanInfo(ProductInfo("UNKNOWN", product, version), file_path)
             )
         return vendorlist
 
@@ -150,7 +148,6 @@ def find_vendor_from_purl(self, purl, ver) -> tuple[list[ScanInfo], bool]:
                             vendor,
                             product,
                             ver,
-                            self.filename,
                             purl_with_ver,
                         ),
                         self.filename,

cve_bin_tool/parsers/env.py

@@ -18,14 +18,13 @@ class EnvNamespaceConfig:
     """
     Configuration details for environment namespace in the CVE Bin tool
     Attributes:
-        CVE ID associated with this namespace, vendor name, product name, version of the product, file path where product is located
+        CVE ID associated with this namespace, vendor name, product name, version of the product
     """
 
     ad_hoc_cve_id: str
     vendor: str
     product: str
     version: str
-    location: str = "/usr/local/bin/product"
 
 
 @dataclasses.dataclass
@@ -139,7 +138,6 @@ def run_checker(self, filename):
                     cve.vendor,
                     cve.product,
                     cve.version,
-                    cve.location,
                     PackageURL(
                         type="ad-hoc",
                         namespace=cve.vendor,

cve_bin_tool/parsers/java.py

@@ -58,11 +58,8 @@ def find_vendor(self, product, version):
             for pair in vendor_package_pair:
                 vendor = pair["vendor"]
                 file_path = self.filename
-                location = pair.get("location", self.filename)
                 self.logger.debug(f"{file_path} {product} {version} by {vendor}")
-                info.append(
-                    ScanInfo(ProductInfo(vendor, product, version, location), file_path)
-                )
+                info.append(ScanInfo(ProductInfo(vendor, product, version), file_path))
             return info
         return None
 

cve_bin_tool/sbom_manager/generate.py

@@ -25,13 +25,15 @@ class SBOMGenerate:
     def __init__(
         self,
         all_product_data,
+        all_cve_data,
         filename="",
         sbom_type="spdx",
         sbom_format="tag",
         sbom_root="CVE-SCAN",
         logger: Optional[Logger] = None,
     ):
         self.all_product_data = all_product_data
+        self.all_cve_data = all_cve_data
         self.filename = filename
         self.sbom_type = sbom_type
         self.sbom_format = sbom_format
@@ -81,8 +83,9 @@ def generate_sbom(self) -> None:
                 in self.sbom_packages
                 and product_data.vendor == "unknown"
             ):
-                location = product_data.location
-                my_package.set_evidence(location)  # Set location directly
+                if self.all_cve_data.get(product_data):
+                    for path in self.all_cve_data[product_data]["paths"]:
+                        my_package.set_evidence(path)
                 self.sbom_packages[
                     (my_package.get_name(), my_package.get_value("version"))
                 ] = my_package.get_package()

cve_bin_tool/sbom_manager/parse.py

@@ -21,8 +21,6 @@
     Remarks,
     decode_cpe22,
     decode_cpe23,
-    find_product_location,
-    validate_location,
     validate_serialNumber,
 )
 from cve_bin_tool.validator import validate_cyclonedx, validate_spdx, validate_swid
@@ -101,21 +99,9 @@ def parse_sbom(self) -> dict[ProductInfo, TriageData]:
                 vendor_set = self.get_vendor(product)
                 for vendor in vendor_set:
                     # if vendor is not None:
-                    location = find_product_location(product)
-                    if location is None:
-                        location = "NotFound"
-                    if validate_location(location) is False:
-                        raise ValueError(f"Invalid location {location} for {product}")
-                    parsed_data.append(ProductInfo(vendor, product, version, location))
+                    parsed_data.append(ProductInfo(vendor, product, version))
             else:
-                location = find_product_location(product)
-                if location is None:
-                    location = "NotFound"
-                if validate_location(location) is False:
-                    raise ValueError(f"Invalid location {location} for {product}")
-                parsed_data.append(
-                    ProductInfo(module_vendor, product, version, location)
-                )
+                parsed_data.append(ProductInfo(module_vendor, product, version))
 
         for row in parsed_data:
             self.sbom_data[row]["default"] = {
@@ -152,17 +138,10 @@ def common_prefix_split(self, product, version) -> list[ProductInfo]:
                     len(common_prefix_vendor) == 1
                     and common_prefix_vendor[0] != "UNKNOWN"
                 ):
-                    location = find_product_location(common_prefix_product)
-                    if location is None:
-                        location = "NotFound"
-                    if validate_location(location) is False:
-                        raise ValueError(f"Invalid location {location} for {product}")
                     found_common_prefix = True
                     for vendor in common_prefix_vendor:
                         parsed_data.append(
-                            ProductInfo(
-                                vendor, common_prefix_product, version, location
-                            )
+                            ProductInfo(vendor, common_prefix_product, version)
                         )
                 break
         if not found_common_prefix:
@@ -176,15 +155,8 @@ def common_prefix_split(self, product, version) -> list[ProductInfo]:
                 temp = self.get_vendor(sp)
                 if len(temp) > 1 or (len(temp) == 1 and temp[0] != "UNKNOWN"):
                     for vendor in temp:
-                        location = find_product_location(sp)
-                        if location is None:
-                            location = "NotFound"
-                        if validate_location(location) is False:
-                            raise ValueError(
-                                f"Invalid location {location} for {product}"
-                            )
                         # if vendor is not None:
-                        parsed_data.append(ProductInfo(vendor, sp, version, location))
+                        parsed_data.append(ProductInfo(vendor, sp, version))
         return parsed_data
 
     def get_vendor(self, product: str) -> list:

cve_bin_tool/util.py

@@ -156,23 +156,20 @@ class ProductInfo(NamedTuple):
         vendor: str
         product: str
         version: str
-        location: str
         purl: Optional[str]
     """
 
     vendor: str
     product: str
     version: str
-    location: str
     purl: str | None = None
 
     def __identity_members(self):
         """The members that will be used for eq and hash implementations.
-        We do not include location here since it can take on different values
+        We do not include purl here since it can take on different values
         depending on where the product info is coming from and we want to be
         able to properly identify products that are actually the same.
         """
-        # TODO: what is the meaning of the location field exactly?
         return (self.vendor, self.product, self.version)
 
     def __eq__(self, other):
@@ -308,52 +305,6 @@ def make_http_requests(attribute, **kwargs):
         LOGGER.error(ve)
 
 
-def find_product_location(product_name):
-    """
-    Find the location of a product in the system.
-    Returns the location of the product if found, None otherwise.
-    """
-    for path in sys.path:
-        product_location = Path(path) / product_name
-        if product_location.exists():
-            return str(product_location)
-        parts = product_name.split("-")
-        for part in parts:
-            product_location = Path(path) / part
-            if product_location.exists():
-                return str(product_location)
-
-    known_installation_directories = [
-        "/usr/local/bin",
-        "/usr/local/sbin",
-        "/usr/bin",
-        "/opt",
-        "/usr/sbin",
-        "/usr/local/lib",
-        "/usr/lib",
-        "/usr/local/share",
-        "/usr/share",
-        "/usr/local/include",
-        "/usr/include",
-    ]
-
-    for directory in known_installation_directories:
-        product_location = Path(directory) / product_name
-        if product_location.exists():
-            return str(product_location)
-
-    return None
-
-
-def validate_location(location: str) -> bool:
-    """
-    Validates the location.
-    Returns True if the location is valid, False otherwise.
-    """
-    pattern = r"^(?!https?:\/\/)(?=.*[\\/])(?!.*@)[a-zA-Z0-9_\-\\\/\s]+|NotFound$"
-    return bool(re.match(pattern, location))
-
-
 def decode_purl(purl: str) -> ProductInfo | None:
     """
     Decode a Package URL (purl) in the format: pkg:type/namespace/product@version.
@@ -363,9 +314,8 @@ def decode_purl(purl: str) -> ProductInfo | None:
 
     Returns:
     - ProductInfo | None: An instance of ProductInfo containing the vendor, product,
-      version, location, and purl, or None if the purl is invalid.
+      version, and purl, or None if the purl is invalid.
     """
-    location = "location/to/product"
 
     try:
         purl_obj = PackageURL.from_string(purl)
@@ -377,7 +327,6 @@ def decode_purl(purl: str) -> ProductInfo | None:
                 vendor=vendor,
                 product=product,
                 version=version,
-                location=location,
                 purl=purl,
             )
             return product_info
@@ -421,7 +370,6 @@ def decode_bom_ref(ref: str):
     urn_cdx_with_purl = re.compile(
         r"urn:cdx:(?P<bomSerialNumber>[^/]+)\/(?P<bom_version>[^#]+)#(?P<purl>pkg:[^\s]+)"
     )
-    location = "location/to/product"
     match = (
         urn_cdx_with_purl.match(ref)
         or urn_cbt_ext_ref.match(ref)
@@ -456,9 +404,7 @@ def decode_bom_ref(ref: str):
 
     if product and vendor and version:
         if validate_product_vendor(product, vendor) and validate_version(version):
-            return ProductInfo(
-                vendor.strip(), product.strip(), version.strip(), location
-            )
+            return ProductInfo(vendor.strip(), product.strip(), version.strip())
 
     return None
 

cve_bin_tool/vex_manager/generate.py

@@ -199,7 +199,7 @@ def __get_vulnerabilities(self) -> List[Vulnerability]:
         """
         vulnerabilities = []
         for product_info, cve_data in self.all_cve_data.items():
-            vendor, product, version, _, purl = product_info
+            vendor, product, version, purl = product_info
             for cve in cve_data["cves"]:
                 if isinstance(cve, str):
                     continue

test/test_available_fix.py

@@ -156,7 +156,6 @@ def test_redhat_available_fix_output(
             vendor="gnu",
             product="pspp",
             version="1.2.0",
-            location="/usr/local/bin/pspp",
         ): CVEData(
             None,
             {
@@ -185,7 +184,6 @@ def test_redhat_available_fix_output(
             vendor="avahi",
             product="avahi",
             version="0.6.25",
-            location="/usr/local/bin/avahi",
         ): CVEData(
             None,
             {
@@ -235,7 +233,6 @@ def test_redhat_available_fix_output(
             vendor="nodejs",
             product="node.js",
             version="14.16.0",
-            location="/usr/local/bin/nodejs",
         ): CVEData(
             None,
             {

test/test_cli.py

@@ -546,7 +546,7 @@ def test_basic_epss(self, caplog):
             csv_rows = content.splitlines()
             assert len(csv_rows) > 0
             # row 0 is the header,
-            # vendor,product,version,location,cve_number,severity,score,source,cvss_version,cvss_vector,paths,
+            # vendor,product,version,cve_number,severity,score,source,cvss_version,cvss_vector,paths,
             # remarks,comments,epss_probability,epss_percentile
             row_zero = csv_rows[0].split(",")
             # row 1 should contain some EPSS values
@@ -558,7 +558,7 @@ def test_basic_epss(self, caplog):
                 "last header value in produced csv file must be " "'epss_percentile'"
             )
 
-            assert len(row_one) == 15, "one csv row should have 15 values"
+            assert len(row_one) == 14, "one csv row should have 14 values"
             assert (
                 0.0 <= float(row_one[-1]) <= 1.0
             ), "last value in the row must be the epss percentile value, i.e., a floating point between 0.0 and 1.0"