fix: handle disabled_sources in get_vendor_product_pairs #4208
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ffontaine
force-pushed
the
fix-get_vendor_product_pairs
branch
from
d9649d6 to
6422696
Compare
get_vendor_product_pairs function doesn't handle disabled sources passed by the user. As a result, the user can't disable a datasource (e.g., OSV) when parsing a python PKG-INFO file. Fix this by passing enabled_sources from cli to version_scanner and then to cvedb. To achieve this functionality, source_nvd must also be added to enabled_sources when appropriate. nosec must be added to disable this bandit warning: >> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction. Severity: Medium Confidence: Low CWE: CWE-89 (https://cwe.mitre.org/data/definitions/89.html) Location: cve_bin_tool/cvedb.py:681:12 More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b608_hardcoded_sql_expressions.html Indeed, sources is retrieved from self.sources[i].source_name which can't be updated by an attacker Signed-off-by: Fabrice Fontaine <fabrice.fontaine@orange.com>
ffontaine
force-pushed
the
fix-get_vendor_product_pairs
branch
from
6422696 to
226a78b
Compare
terriko
approved these changes
Jun 24, 2024
There was a problem hiding this comment.
THANK YOU. I've been bugged by the fact that the disabling only changes the download on several occasions, but since no one else seemed bothered I wasn't sure if anyone else would want it to work that way. Very excited to have this finally behave the way I'd expect.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
get_vendor_product_pairsfunction doesn't handle disabled sources passed by the user. As a result, the user can't disable a datasource (e.g., OSV) when parsing a pythonPKG-INFOfile.Fix this by passing
enabled_sourcesfrom cli to version_scanner and then to cvedb. To achieve this functionality,source_nvdmust also be added toenabled_sourceswhen appropriate.nosec must be added to disable this bandit warning:
Indeed,
sourcesis retrieved fromself.sources[i].source_namewhichcan't be updated by an attacker