
fix: spdx sbom cpe bug #4733


Merged: 4 commits, Apr 14, 2025

Conversation

AryanBakliwal
Contributor

fixes: #4700

Changed the order of decoding at parse.py#L382

Output

╭─────────────╮
│ CPE SUMMARY │
╰─────────────╯
┏━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┓
┃        ┃          ┃         ┃ Latest       ┃              ┃              ┃              ┃              ┃              ┃              ┃
┃        ┃          ┃         ┃ Upstream     ┃              ┃              ┃              ┃              ┃              ┃              ┃
┃        ┃          ┃         ┃ Stable       ┃ CRITICAL     ┃ HIGH CVEs    ┃ MEDIUM CVEs  ┃ LOW CVEs     ┃ UNKNOWN CVEs ┃ TOTAL CVEs   ┃
┃ Vendor ┃ Product  ┃ Version ┃ Version      ┃ CVEs Count   ┃ Count        ┃ Count        ┃ Count        ┃ Count        ┃ Count        ┃
┡━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━┩
│ arm    │ mbed_tls │ 3.6.0   │ 3.6.2        │ 1            │ 0            │ 1            │ 0            │ 0            │ 2            │
└────────┴──────────┴─────────┴──────────────┴──────────────┴──────────────┴──────────────┴──────────────┴──────────────┴──────────────┘
╭─────────────────╮
│  NewFound CVEs  │
╰─────────────────╯
┏━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━┓
┃ Vendor ┃ Product  ┃ Version ┃ CVE Number     ┃ Source ┃ Severity ┃ Score (CVSS Version) ┃
┡━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━┩
│ arm    │ mbed_tls │ 3.6.0   │ CVE-2024-45157 │ NVD    │ MEDIUM   │ 5.1 (v3)             │
│ arm    │ mbed_tls │ 3.6.0   │ CVE-2024-45159 │ NVD    │ CRITICAL │ 9.8 (v3)             │
└────────┴──────────┴─────────┴────────────────┴────────┴──────────┴──────────────────────┘
┏━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━┳━━━━━━┳━━━━━━━━━━┓
┃ Vendor ┃ Product  ┃ Version ┃ Root ┃ Filename ┃
┡━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━╇━━━━━━╇━━━━━━━━━━┩
│ arm    │ mbed_tls │ 3.6.0   │      │          │
└────────┴──────────┴─────────┴──────┴──────────┘
╭───────────────────────────────────────────────╮
│  Products with No Identified Vulnerabilities  │
╰───────────────────────────────────────────────╯
┏━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━┓
┃ Vendor ┃ Product ┃ Version ┃
┡━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━┩
└────────┴─────────┴─────────┘

@AryanBakliwal
Contributor Author

@terriko @anthonyharrison PTAL and let me know what you think

terriko
terriko previously requested changes Feb 6, 2025
Contributor

@terriko terriko left a comment


This would resolve that bug, but I think @anthonyharrison is correct that it may introduce some not-so-great side effects.

Right now, I'd like us to change things so we return ALL references rather than having a preference order at all. (I know, @anthonyharrison is asserting that we could just prefer purl, but obviously that's what we were doing and it wasn't working as people expected either.)

So you'd need to get rid of the elifs and set this up to return a potential list of tuples, and possibly change anywhere that parse_ext_ref is called to handle a list instead of a single tuple.

@mastersans
Member

Hey @AryanBakliwal, any progress on this one?

@AryanBakliwal
Contributor Author

@mastersans I will make the changes discussed and push them soon.

Signed-off-by: Aryan Bakliwal <[email protected]>
@AryanBakliwal AryanBakliwal force-pushed the bug_cpe_purl_spdx_sbom branch from 069eb25 to 4f87d88 Compare March 17, 2025 06:55
@AryanBakliwal
Contributor Author

@terriko @mastersans I have updated it to return all external references rather than one

output:

$ cve-bin-tool --sbom spdx --sbom-file ~/sbom.spdx
[06:06:42] INFO     cve_bin_tool - CVE Binary Tool v3.4                                                                               cli.py:630
           INFO     cve_bin_tool - This product uses the NVD API but is not endorsed or certified by the NVD.                         cli.py:631
           INFO     cve_bin_tool - For potentially faster NVD downloads, mirrors are available using -n json-mirror                   cli.py:634
           INFO     cve_bin_tool.CVEDB - Using cached CVE data (<24h old). Use -u now to update immediately.                        cvedb.py:325
           INFO     cve_bin_tool.CVEDB - There are 328906 CVE entries in the database                                               cvedb.py:391
           INFO     cve_bin_tool.CVEDB - There are 285342 CVE entries from NVD in the database                                      cvedb.py:393
           INFO     cve_bin_tool.CVEDB - There are 24114 CVE entries from GAD in the database                                       cvedb.py:393
           INFO     cve_bin_tool.CVEDB - There are 19450 CVE entries from REDHAT in the database                                    cvedb.py:393
           INFO     cve_bin_tool - CVE database contains CVEs from National Vulnerability Database (NVD), Open Source Vulnerability   cli.py:921
                    Database (OSV), Gitlab Advisory Database (GAD) and RedHat                                                                   
           INFO     cve_bin_tool - CVE database last updated on 16 March 2025 at 19:19:31                                             cli.py:924
           INFO     cve_bin_tool - The number of products to process from SBOM - 2                                                   cli.py:1140
           INFO     cve_bin_tool.CVEScanner - 2 CVE(s) in arm.mbed_tls version 3.6.0                                          cve_scanner.py:363
           INFO     cve_bin_tool - Overall CVE summary:                                                                              cli.py:1187
           INFO     cve_bin_tool - There are 1 products with known CVEs detected                                                     cli.py:1188
           INFO     cve_bin_tool - Known CVEs in ('arm.mbed_tls', '3.6.0'):                                                          cli.py:1199
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃                                                         CVE BINARY TOOL version: 3.4                                                         ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛

 • Report Generated: 2025-03-17  06:06:42                                                                                                       
 • Time of last update of CVE Data: 2025-03-16  19:19:31                                                                                        
╭─────────────╮
│ CVE SUMMARY │
╰─────────────╯
┏━━━━━━━━━━┳━━━━━━━┓
┃ Severity ┃ Count ┃
┡━━━━━━━━━━╇━━━━━━━┩
│ CRITICAL │ 1     │
│ HIGH     │ 0     │
│ MEDIUM   │ 1     │
│ LOW      │ 0     │
│ UNKNOWN  │ 0     │
└──────────┴───────┘
[06:06:43] ERROR    cve_bin_tool - An error occurred while fetching https://release-monitoring.org/api/v2/packages/?distribution=CPE util.py:351
                    NVD NIST&name=cpe:2.3:a:arm:mbed_tls: ('Connection aborted.', ConnectionResetError(104, 'Connection reset by                
                    peer'))                                                                                                                     
╭─────────────╮
│ CPE SUMMARY │
╰─────────────╯
┏━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━┓
┃        ┃          ┃         ┃ Latest        ┃               ┃               ┃               ┃               ┃                ┃               ┃
┃        ┃          ┃         ┃ Upstream      ┃               ┃               ┃               ┃               ┃                ┃               ┃
┃        ┃          ┃         ┃ Stable        ┃ CRITICAL CVEs ┃ HIGH CVEs     ┃ MEDIUM CVEs   ┃ LOW CVEs      ┃ UNKNOWN CVEs   ┃ TOTAL CVEs    ┃
┃ Vendor ┃ Product  ┃ Version ┃ Version       ┃ Count         ┃ Count         ┃ Count         ┃ Count         ┃ Count          ┃ Count         ┃
┡━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━┩
│ arm    │ mbed_tls │ 3.6.0   │ UNKNOWN       │ 1             │ 0             │ 1             │ 0             │ 0              │ 2             │
└────────┴──────────┴─────────┴───────────────┴───────────────┴───────────────┴───────────────┴───────────────┴────────────────┴───────────────┘
╭─────────────────╮
│  NewFound CVEs  │
╰─────────────────╯
┏━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━┓
┃ Vendor ┃ Product  ┃ Version ┃ CVE Number     ┃ Source ┃ Severity ┃ Score (CVSS Version) ┃
┡━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━┩
│ arm    │ mbed_tls │ 3.6.0   │ CVE-2024-45157 │ NVD    │ MEDIUM   │ 5.1 (v3)             │
│ arm    │ mbed_tls │ 3.6.0   │ CVE-2024-45159 │ NVD    │ CRITICAL │ 9.8 (v3)             │
└────────┴──────────┴─────────┴────────────────┴────────┴──────────┴──────────────────────┘
┏━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━┳━━━━━━┳━━━━━━━━━━┓
┃ Vendor ┃ Product  ┃ Version ┃ Root ┃ Filename ┃
┡━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━╇━━━━━━╇━━━━━━━━━━┩
│ arm    │ mbed_tls │ 3.6.0   │      │          │
└────────┴──────────┴─────────┴──────┴──────────┘
╭───────────────────────────────────────────────╮
│  Products with No Identified Vulnerabilities  │
╰───────────────────────────────────────────────╯
┏━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━┓
┃ Vendor  ┃ Product      ┃ Version ┃
┡━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━┩
│ UNKNOWN │ mbedtls-deps │ V3.6.0  │
└─────────┴──────────────┴─────────┘

@AryanBakliwal AryanBakliwal requested a review from terriko March 17, 2025 06:58
Member

@mastersans mastersans left a comment


Looks good to me. I'll have @terriko also have a second look, otherwise will get it merged.

@terriko
Contributor

terriko commented Apr 14, 2025

I'm updating the branch and re-running the tests for safety, but I'll set this to merge when that's done since @mastersans has already reviewed it.

@terriko terriko dismissed their stale review April 14, 2025 16:57

fixed

@terriko terriko enabled auto-merge (squash) April 14, 2025 16:57
@terriko terriko merged commit 86f4274 into intel:main Apr 14, 2025
18 of 24 checks passed
@sultanqasim

This change completely broke parsing of SBOMs that lack external references, such as the SPDX SBOMs generated by this tool itself. Looking at the commit, it's obvious why. This commit just removed handling of all SBOM entries for packages that lack external references.
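The two points raised in this thread, terriko's request to return every external reference as a list of tuples instead of an elif preference chain, and sultanqasim's report that packages without external references were dropped, are shown together in this added example. It is not cve-bin-tool's own code: the function names, the SPDX JSON fields it reads (externalRefs, referenceType, referenceLocator) and the sample packages are assumptions modelled on the output above.

```python
import re
from urllib.parse import unquote

def cpe23_to_triple(locator):
    """cpe:2.3:a:vendor:product:version:... -> (vendor, product, version)."""
    parts = locator.split(":")
    if len(parts) < 6 or parts[0] != "cpe" or parts[1] != "2.3":
        return None
    return (parts[3], parts[4], parts[5])

def purl_to_triple(locator):
    """pkg:type/namespace/name@version -> (vendor, product, version); namespace is vendor."""
    m = re.match(r"^pkg:([^/]+)/(?:(.+)/)?([^/@?#]+)(?:@([^?#]+))?", locator)
    if not m:
        return None
    _ptype, namespace, name, version = m.groups()
    vendor = unquote(namespace.split("/")[-1]) if namespace else "UNKNOWN"
    return (vendor, unquote(name), unquote(version) if version else "UNKNOWN")

def parse_ext_refs(ext_refs):
    """Return ALL decodable references as a list of tuples; no preference order."""
    found = []
    for ref in ext_refs:
        rtype, loc = ref.get("referenceType", ""), ref.get("referenceLocator", "")
        if rtype == "cpe23Type":
            triple = cpe23_to_triple(loc)
        elif rtype == "purl":
            triple = purl_to_triple(loc)
        else:
            triple = None
        if triple and triple not in found:
            found.append(triple)
    return found

def package_candidates(pkg):
    """A package with no externalRefs must still be scanned under its own name/version."""
    refs = parse_ext_refs(pkg.get("externalRefs", []))
    return refs or [("UNKNOWN", pkg.get("name", "UNKNOWN"), pkg.get("versionInfo", "UNKNOWN"))]

# Constructed SPDX-JSON-style packages modelled on the PR output (hypothetical data)
SAMPLE_PACKAGES = [
    {"name": "mbedtls", "versionInfo": "3.6.0", "externalRefs": [
        {"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
         "referenceLocator": "cpe:2.3:a:arm:mbed_tls:3.6.0:*:*:*:*:*:*:*"},
        {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
         "referenceLocator": "pkg:github/Mbed-TLS/mbedtls@v3.6.0"}]},
    {"name": "mbedtls-deps", "versionInfo": "V3.6.0"},  # no external references at all
]
```

The second sample package has no externalRefs and still yields a (UNKNOWN, mbedtls-deps, V3.6.0) candidate, matching the "Products with No Identified Vulnerabilities" row in the output above rather than vanishing from the scan.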

Linked issue this pull request may close: fix: PURL to CPE conversion results in "UNKOWN" vendor when CPE is given