Merge branch 'main' into fix-dovecot-checker

Author: ffontaine

.github/workflows/build-wheel.yml

@@ -28,7 +28,7 @@ jobs:
         egress-policy: audit
 
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-    - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
+    - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
       with:
         python-version: ${{ matrix.python-version }}
         cache: 'pip'

.github/workflows/codeql-analysis.yml

@@ -51,7 +51,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5
+      uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -76,4 +76,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5
+      uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6

.github/workflows/cve_scan.yml

@@ -21,7 +21,7 @@ jobs:
           egress-policy: audit
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
+      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:
           python-version: '3.11'
           cache: 'pip'

.github/workflows/formatting.yml

@@ -24,7 +24,7 @@ jobs:
           egress-policy: audit
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
+      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:
           python-version: '3.11'
           cache: 'pip'

.github/workflows/fuzzing.yml

@@ -19,7 +19,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Set up Python 
-        uses: actions/setup-python@v5.1.1
+        uses: actions/setup-python@v5.2.0
         with:
           python-version: 3.9  
 

.github/workflows/linting.yml

@@ -23,7 +23,7 @@ jobs:
           egress-policy: audit
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
+      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:
           python-version: '3.11'
           cache: 'pip'

.github/workflows/sbom.yml

@@ -27,7 +27,7 @@ jobs:
           egress-policy: audit
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
+      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:
           python-version: ${{ matrix.python }}
           cache: 'pip'

.github/workflows/scorecard.yml

@@ -39,7 +39,7 @@ jobs:
           publish_results: true
 
       - name: "Upload artifact"
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         with:
           name: SARIF file
           path: results.sarif

.github/workflows/testing.yml

@@ -49,7 +49,7 @@ jobs:
             pypi.org:443
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
+      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:
           python-version: '3.11'
           cache: 'pip'
@@ -108,7 +108,7 @@ jobs:
             www.sqlite.org:443
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
+      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:
           python-version: ${{ matrix.python }}
           cache: 'pip'
@@ -240,7 +240,7 @@ jobs:
             www.sqlite.org:443
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
+      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:
           python-version: '3.10'
           cache: 'pip'
@@ -397,7 +397,7 @@ jobs:
             www.sqlite.org:443
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
+      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:
           python-version: '3.10'
           cache: 'pip'
@@ -503,7 +503,7 @@ jobs:
           egress-policy: audit
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
+      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:
           python-version: '3.12'
           cache: 'pip'

.github/workflows/update-cache.yml

@@ -32,7 +32,7 @@ jobs:
           egress-policy: audit
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
+      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:
           python-version: '3.10'
           cache: 'pip'

.github/workflows/update-js-dependencies.yml

@@ -28,7 +28,7 @@ jobs:
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
-      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
+      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:
           python-version: '3.11'
 
@@ -73,7 +73,7 @@ jobs:
           output_html(TestOutputEngine.MOCK_OUTPUT, None, "", "", "", 3, 3, 0, None, None, open("test.html", "w"))'
 
       - name: Upload mock report
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         with:
           name: HTML report
           path: test.html

.github/workflows/update-pre-commit.yml

@@ -28,7 +28,7 @@ jobs:
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
-      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
+      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:
           python-version: '3.11'
 

.github/workflows/validate-yml.yml

@@ -19,7 +19,7 @@ jobs:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           fetch-depth: 0
-      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
+      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:
           python-version: '3.11'
           cache: 'pip'

.pre-commit-config.yaml

@@ -14,7 +14,7 @@ repos:
       exclude: ^fuzz/generated/
 
 -   repo: https://github.com/psf/black-pre-commit-mirror
-    rev: 24.4.2
+    rev: 24.8.0
     hooks:
     - id: black
       exclude: ^fuzz/generated/
@@ -27,7 +27,7 @@ repos:
       args: ["--py38-plus"]
 
 -   repo: https://github.com/pycqa/flake8
-    rev: 7.1.0
+    rev: 7.1.1
     hooks:
     - id: flake8
       exclude: ^fuzz/generated/|bandit\.conf$
@@ -45,7 +45,7 @@ repos:
     - id: gitlint
 
 -   repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v1.11.1
+    rev: v1.11.2
     hooks:
     - id: mypy
       additional_dependencies:

cve_bin_tool/cli.py

@@ -1025,6 +1025,7 @@ def main(argv=None):
         total_files: int = 0
         parsed_data: dict[ProductInfo, TriageData] = {}
         vex_product_info: dict[str, str] = {}
+        sbom_serial_number = ""
         # Package List parsing
         if args["package_list"]:
             sbom_root = args["package_list"]
@@ -1095,6 +1096,7 @@ def main(argv=None):
                 validate=not args["disable_validation_check"],
             )
             parsed_data = sbom_list.parse_sbom()
+            sbom_serial_number = sbom_list.serialNumber
             LOGGER.info(
                 f"The number of products to process from SBOM - {len(parsed_data)}"
             )
@@ -1103,10 +1105,10 @@ def main(argv=None):
                 cve_scanner.get_cves(product_info, triage_data)
 
         if args["vex_file"]:
-            # for now use cyclonedx as auto detection is not implemented in latest pypi package of lib4vex
+            # use auto so that lib4vex can auto-detect the vex type.
             vexdata = VEXParse(
                 filename=args["vex_file"],
-                vextype="cyclonedx",
+                vextype="auto",
                 logger=LOGGER,
             )
             parsed_vex_data = vexdata.parse_vex()
@@ -1122,9 +1124,14 @@ def main(argv=None):
                 LOGGER.info(
                     f"VEX file {args['vex_file']} is not a standalone file and will be used as a triage file"
                 )
-                # need to do validation on the sbom part
-                # need to implement is_linked() function which will check the linkage.
-                if args["sbom_file"]:
+                # check weather vex is linked with given sbom or not.
+                # only check cyclonedx since it have serialNumber.
+                if (
+                    args["sbom_file"]
+                    and args["sbom"] == "cyclonedx"
+                    and vexdata.vextype == "cyclonedx"
+                    and sbom_serial_number not in vexdata.serialNumbers
+                ):
                     LOGGER.warning(
                         f"SBOM file: {args['sbom_file']} is not linked to VEX file: {args['vex_file']}."
                     )
@@ -1162,6 +1169,7 @@ def main(argv=None):
                     "release": args["release"],
                     "vendor": args["vendor"],
                     "revision_reason": args["revision_reason"],
+                    "sbom_serial_number": sbom_serial_number,
                 }
             elif args["vex_file"]:
                 vex_product_info["revision_reason"] = args["revision_reason"]

cve_bin_tool/output_engine/__init__.py

@@ -803,6 +803,7 @@ def output_cves(self, outfile, output_type="console"):
                 self.vex_type,
                 self.all_cve_data,
                 self.vex_product_info["revision_reason"],
+                self.vex_product_info["sbom_serial_number"],
                 logger=self.logger,
             )
             vexgen.generate_vex()

cve_bin_tool/sbom_manager/parse.py

@@ -23,6 +23,7 @@
     decode_cpe23,
     find_product_location,
     validate_location,
+    validate_serialNumber,
 )
 from cve_bin_tool.validator import validate_cyclonedx, validate_spdx, validate_swid
 
@@ -58,6 +59,7 @@ def __init__(
             self.type = sbom_type
         self.logger = logger or LOGGER.getChild(self.__class__.__name__)
         self.validate = validate
+        self.serialNumber = ""
 
         # Connect to the database
         self.cvedb = CVEDB(version_check=False)
@@ -253,6 +255,25 @@ def parse_cyclonedx_spdx(self) -> [(str, str, str)]:
         sbom_parser = SBOMParser(sbom_type=self.type)
         # Load SBOM
         sbom_parser.parse_file(self.filename)
+        doc = sbom_parser.get_document()
+        uuid = doc.get("uuid", "")
+        if self.type == "cyclonedx":
+            parts = uuid.split(":")
+            if len(parts) == 3 and parts[0] == "urn" and parts[1] == "uuid":
+                serialNumber = parts[2]
+                if validate_serialNumber(serialNumber):
+                    self.serialNumber = serialNumber
+                else:
+                    LOGGER.error(
+                        f"The SBOM file '{self.filename}' has an invalid serial number."
+                    )
+                    return []
+            else:
+                LOGGER.error(
+                    f"The SBOM file '{self.filename}' has an invalid serial number."
+                )
+                return []
+
         modules = []
         if self.validate and self.filename.endswith(".xml"):
             # Only for XML files

cve_bin_tool/util.py

@@ -391,7 +391,7 @@ def decode_purl(purl: str) -> ProductInfo | None:
         return None
 
 
-def decode_bom_ref(ref: str) -> ProductInfo | None:
+def decode_bom_ref(ref: str):
     """
     Decodes the BOM reference for each component.
 
@@ -418,11 +418,29 @@ def decode_bom_ref(ref: str) -> ProductInfo | None:
     urn_cdx = re.compile(
         r"urn:cdx:(?P<bomSerialNumber>.*?)\/(?P<bom_version>.*?)#(?P<bom_ref>.*)"
     )
+    urn_cdx_with_purl = re.compile(
+        r"urn:cdx:(?P<bomSerialNumber>[^/]+)\/(?P<bom_version>[^#]+)#(?P<purl>pkg:[^\s]+)"
+    )
     location = "location/to/product"
-    match = urn_cbt_ext_ref.match(ref) or urn_cbt_ref.match(ref) or urn_cdx.match(ref)
+    match = (
+        urn_cdx_with_purl.match(ref)
+        or urn_cbt_ext_ref.match(ref)
+        or urn_cbt_ref.match(ref)
+        or urn_cdx.match(ref)
+    )
     if match:
         urn_dict = match.groupdict()
-        if "bom_ref" in urn_dict:  # For urn_cdx match
+        if "purl" in urn_dict:  # For urn_cdx_with_purl match
+            serialNumber = urn_dict["bomSerialNumber"]
+            product_info = decode_purl(urn_dict["purl"])
+            if not validate_serialNumber(serialNumber):
+                LOGGER.error(
+                    f"The BOM link contains an invalid serial number: '{serialNumber}'"
+                )
+                return product_info
+            else:
+                return product_info, serialNumber
+        elif "bom_ref" in urn_dict:  # For urn_cdx match
             cdx_bom_ref = urn_dict["bom_ref"]
             try:
                 product, version = cdx_bom_ref.rsplit("-", 1)
@@ -466,6 +484,14 @@ def validate_version(version: str) -> bool:
     return re.search(cpe_regex, version) is not None
 
 
+def validate_serialNumber(serialNumber: str) -> bool:
+    """
+    Validates the serial number present in sbom
+    """
+    pattern = r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
+    return re.match(pattern, serialNumber) is not None
+
+
 class DirWalk:
     """
     for filename in DirWalk('*.c').walk(roots):

cve_bin_tool/version.py

@@ -8,7 +8,7 @@
 from cve_bin_tool.log import LOGGER
 from cve_bin_tool.util import make_http_requests
 
-VERSION: str = "3.4rc1"
+VERSION: str = "3.4"
 
 HTTP_HEADERS: dict = {
     "User-Agent": f"cve-bin-tool/{VERSION} (https://github.com/intel/cve-bin-tool/)",

cve_bin_tool/vex_manager/generate.py

@@ -48,6 +48,7 @@ def __init__(
         vextype: str,
         all_cve_data: Dict[ProductInfo, CVEData],
         revision_reason: str = "",
+        sbom_serial_number: str = "",
         sbom: Optional[str] = None,
         logger: Optional[Logger] = None,
         validate: bool = True,
@@ -62,6 +63,7 @@ def __init__(
         self.logger = logger or LOGGER.getChild(self.__class__.__name__)
         self.validate = validate
         self.all_cve_data = all_cve_data
+        self.sbom_serial_number = sbom_serial_number
 
     def generate_vex(self) -> None:
         """
@@ -155,10 +157,13 @@ def __get_vulnerabilities(self) -> List[Vulnerability]:
                     else cve.remarks.name
                 )
                 # more details will be added using set_value()
-                bom_version = 1
-                ref = f"urn:cbt:{bom_version}/{vendor}#{product}:{version}"
                 if purl is None:
                     purl = f"pkg:generic/{vendor}/{product}@{version}"
+                bom_version = 1
+                if self.sbom_serial_number != "":
+                    ref = f"urn:cdx:{self.sbom_serial_number}/{bom_version}#{purl}"
+                else:
+                    ref = f"urn:cbt:{bom_version}/{vendor}#{product}:{version}"
 
                 vulnerability.set_value("purl", str(purl))
                 vulnerability.set_value("bom_link", ref)