feat: add support for VEX (Fixes intel#1570)

anthonyharrison · Mar 18, 2022 · c2975ac · c2975ac
1 parent d26fe7a
commit c2975ac
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 3 deletions.
diff --git a/cve_bin_tool/input_engine.py b/cve_bin_tool/input_engine.py
@@ -4,6 +4,7 @@
 import csv
 import json
 import os
+import re
 from collections import defaultdict
 from logging import Logger
 from typing import Any, DefaultDict, Dict, Iterable, Set, Union
@@ -22,7 +23,6 @@
 # TriageData is dictionary of cve_number mapped to dictionary of remarks, comments and custom severity
 TriageData = Dict[str, Union[Dict[str, Any], Set[str]]]
 
-
 class InputEngine:
     # parsed_data is a dictionary of vendor, product, version mapped to TriageData
     parsed_data: DefaultDict[ProductInfo, TriageData]
@@ -67,6 +67,14 @@ def input_json(self) -> None:
 
             self.parse_data(set(json_data[0].keys()), json_data)
 
+    def validate_product(self, product: str) -> bool:
+        '''
+        Ensure product name conforms to CPE 2.3 standard.
+        See https://csrc.nist.gov/schema/cpe/2.3/cpe-naming_2.3.xsd for naming specification
+        '''
+        cpe_regex = "\A([A-Za-z0-9\._\-~ %])+\Z"
+        return re.search(cpe_regex, product) is not None
+
     def input_vex(self) -> None:
         analysis_state = {
             "under_review": Remarks.Unexplored,
@@ -101,7 +109,7 @@ def input_vex(self) -> None:
                             )
                             if vendor_package_pair != []:
                                 vendor = vendor_package_pair[0]["vendor"]
-                        if version is not None:
+                        if version is not None and self.validate_product(product):
                             product_info = ProductInfo(
                                 vendor.strip(), product.strip(), version.strip()
                             )

diff --git a/cve_bin_tool/output_engine/__init__.py b/cve_bin_tool/output_engine/__init__.py
@@ -449,7 +449,7 @@ def generate_vex(self, all_cve_data: Dict[ProductInfo, CVEData], filename: str):
                 bom_version = 1
                 vulnerability["affects"] = [
                     {
-                        "ref": f"urn:cdx:{bom_urn}/{bom_version}#{product_info.product}-{product_info.version}"
+                        "ref": f"urn:cdx:{bom_urn}/{bom_version}#{product_info.product}-{product_info.version}",
                     }
                 ]
                 vuln_entry.append(vulnerability)

diff --git a/test/test_input_engine.py b/test/test_input_engine.py
@@ -152,3 +152,16 @@ def test_valid_file(self, filepath, parsed_data):
     def test_vex_file(self, filepath, parsed_data):
         input_engine = InputEngine(filepath, error_mode=ErrorMode.FullTrace)
         assert dict(input_engine.parse_input()) == parsed_data
+
+    @pytest.mark.parametrize(
+        "product, product_result",
+        (
+            ("gcc", True),
+            ("not_a_bad%product", True),
+            ("12!", False),
+            ("!Superproduct", False),
+        ),
+    )
+    def test_valid_product_name(self, product, product_result):
+        input_engine = InputEngine("temp.txt", error_mode=ErrorMode.FullTrace)
+        assert input_engine.validate_product(product) == product_result