fix: KeyError: 'package' on --update #3532

@tenflows

I have encountered this trouble every time I update the CVE database.

Steps to reproduce the behaviour:

  1. On the first time I run update on cve-bin-tool.
  2. Full command: "cve-bin-tool --update latest --nvd-api-key *******"

Version/platform info

  • cve-bin-tool version: 3.2.1
  • Installation: pip install cve-bin-tool in a virtualenv, so all required packages are installed properly (I think).
  • Python version: 3.11.6
  • Both Linux and Windows.

Print out all of the error:

─# cve-bin-tool --update latest --nvd-api-key *******
[22:33:55] INFO cve_bin_tool - CVE Binary Tool v3.2.1 cli.py:483
INFO cve_bin_tool - This product uses the NVD API but is not endorsed or certified by the NVD. cli.py:484
INFO cve_bin_tool - Getting NVD CVE data... nvd_source.py:310
INFO cve_bin_tool - Getting GitLab Advisory Database CVEs... gad_source.py:83
INFO cve_bin_tool - Getting RedHat CVEs... redhat_source.py:65
INFO cve_bin_tool - [Using NVD API] nvd_source.py:355
INFO cve_bin_tool.CVEDB - Fetching metadata from NVD... nvd_api.py:163
[22:34:03] ERROR cve_bin_tool - Unable to fetch GitLab Advisory Database CVEs, skipping GAD. gad_source.py:332
INFO cve_bin_tool - Getting Open Source Vulnerability Database CVEs... osv_source.py:155
[22:34:11] INFO cve_bin_tool.CVEDB - Adding 217401 CVE entries nvd_api.py:213
[22:35:05] INFO cve_bin_tool - Adding 29412 RedHat CVE entries redhat_source.py:130
Downloading Feeds from NVD... ━━━━╺━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 11% 0:12:33
╭─────────────────────────────── Traceback (most recent call last) ────────────────────────────────╮
│ /usr/local/bin/cve-bin-tool:8 in │
│ │
│ 5 from cve_bin_tool.cli import main │
│ 6 if name == 'main': │
│ 7 │ sys.argv[0] = re.sub(r'(-script.pyw|.exe)?$', '', sys.argv[0]) │
│ ❱ 8 │ sys.exit(main()) │
│ 9 │
│ │
│ /usr/local/lib/python3.11/dist-packages/cve_bin_tool/cli.py:655 in main │
│ │
│ 652 │ │ cvedb_orig.clear_cached_data() │
│ 653 │ │
│ 654 │ if db_update == "latest": │
│ ❱ 655 │ │ cvedb_orig.refresh_cache_and_update_db() │
│ 656 │ │
│ 657 │ # update db if needed │
│ 658 │ if db_update != "never": │
│ │
│ /usr/local/lib/python3.11/dist-packages/cve_bin_tool/cvedb.py:132 in refresh_cache_and_update_db │
│ │
│ 129 │ def refresh_cache_and_update_db(self) -> None: │
│ 130 │ │ self.LOGGER.debug("Updating CVE data. This will take a few minutes.") │
│ 131 │ │ # refresh the nvd cache │
│ ❱ 132 │ │ run_coroutine(self.refresh()) │
│ 133 │ │ │
│ 134 │ │ # if the database isn't open, open it │
│ 135 │ │ self.init_database() │
│ │
│ /usr/local/lib/python3.11/dist-packages/cve_bin_tool/async_utils.py:73 in run_coroutine │
│ │
│ 70 def run_coroutine(coro): │
│ 71 │ loop = get_event_loop() │
│ 72 │ aws = asyncio.ensure_future(coro, loop=loop) │
│ ❱ 73 │ result = loop.run_until_complete(aws) │
│ 74 │ return result │
│ 75 │
│ 76 │
│ │
│ /usr/lib/python3.11/asyncio/base_events.py:653 in run_until_complete │
│ │
│ 650 │ │ if not future.done(): │
│ 651 │ │ │ raise RuntimeError('Event loop stopped before Future completed.') │
│ 652 │ │ │
│ ❱ 653 │ │ return future.result() │
│ 654 │ │
│ 655 │ def stop(self): │
│ 656 │ │ """Stop running the event loop. │
│ │
│ /usr/local/lib/python3.11/dist-packages/cve_bin_tool/cvedb.py:127 in refresh │
│ │
│ 124 │ │ if self.version_check: │
│ 125 │ │ │ check_latest_version() │
│ 126 │ │ │
│ ❱ 127 │ │ await self.get_data() │
│ 128 │ │
│ 129 │ def refresh_cache_and_update_db(self) -> None: │
│ 130 │ │ self.LOGGER.debug("Updating CVE data. This will take a few minutes.") │
│ │
│ /usr/local/lib/python3.11/dist-packages/cve_bin_tool/cvedb.py:233 in get_data │
│ │
│ 230 │ │ │ if source is not None: │
│ 231 │ │ │ │ tasks.append(source.get_cve_data()) │
│ 232 │ │ │
│ ❱ 233 │ │ for r in await asyncio.gather(*tasks): │
│ 234 │ │ │ self.data.append(r) │
│ 235 │ │
│ 236 │ def table_schemas(self): │
│ │
│ /usr/local/lib/python3.11/dist-packages/cve_bin_tool/data_sources/osv_source.py:362 in │
│ get_cve_data │
│ │
│ 359 │ │ │
│ 360 │ │ await self.update_cve_entries() │
│ 361 │ │ │
│ ❱ 362 │ │ return self.format_data(self.all_cve_entries), self.source_name │
│ 363 │
│ │
│ /usr/local/lib/python3.11/dist-packages/cve_bin_tool/data_sources/osv_source.py:293 in │
│ format_data │
│ │
│ 290 │ │ │ severity_data.append(cve) │
│ 291 │ │ │ │
│ 292 │ │ │ for package in cve_item["affected"]: │
│ ❱ 293 │ │ │ │ product = package["package"]["name"] │
│ 294 │ │ │ │ vendor = ( │
│ 295 │ │ │ │ │ "unknown" # OSV Schema does not provide vendor names for packages │
│ 296 │ │ │ │ ) │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
KeyError: 'package'
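
The traceback ends at `product = package["package"]["name"]` in `format_data`, where a single `affected` entry without a `package` key raises through `asyncio.gather` and aborts the whole `--update`. A tolerant version of that lookup, as an added example that is not cve-bin-tool's code or its actual fix; the function names and the sample records are constructed for illustration:

```python
import logging

LOGGER = logging.getLogger("osv_example")

# Constructed sample records (not real advisories). The second "affected"
# entry of EXAMPLE-0001 and the only one of EXAMPLE-0002 lack a package name.
SAMPLE_RECORDS = [
    {"id": "EXAMPLE-0001", "affected": [
        {"package": {"name": "libfoo", "ecosystem": "PyPI"}},
        {"ranges": [{"type": "GIT"}]},
    ]},
    {"id": "EXAMPLE-0002", "affected": [{"package": {"ecosystem": "npm"}}]},
    {"id": "EXAMPLE-0003"},
    {"id": "EXAMPLE-0004", "affected": [{"package": {"name": " bar "}}]},
]


def extract_products(cve_item):
    """Return (rows, skipped) for one record; never raises on missing keys."""
    rows, skipped = [], 0
    for affected in cve_item.get("affected") or []:
        package = affected.get("package") if isinstance(affected, dict) else None
        name = package.get("name") if isinstance(package, dict) else None
        if not isinstance(name, str) or not name.strip():
            skipped += 1
            LOGGER.warning("%s: affected entry without package name, skipped",
                           cve_item.get("id", "<no id>"))
            continue
        # "unknown" vendor mirrors the value shown in the traceback excerpt.
        rows.append({"cve": cve_item.get("id"), "vendor": "unknown",
                     "product": name.strip()})
    return rows, skipped


def format_records(records):
    """Format a whole feed, counting skipped entries instead of aborting."""
    all_rows, total_skipped = [], 0
    for record in records:
        rows, skipped = extract_products(record)
        all_rows.extend(rows)
        total_skipped += skipped
    return all_rows, total_skipped


if __name__ == "__main__":
    rows, skipped = format_records(SAMPLE_RECORDS)
    print(f"{len(rows)} rows kept, {skipped} affected entries skipped")
```

Returning the skipped count lets the caller report how much of the feed was dropped, so a partially parsed source is visible rather than silently incomplete.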
