Expand the scope of npm alias to search for vendor with the name npm (#…

…243) * Expand the scope of npm alias to search for vendor with the name npm Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com> * Lint fixes Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com> --------- Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
owasp-dep-scan · Feb 12, 2024 · dc541bf · dc541bf
1 parent 5f9afab
commit dc541bf
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 13 deletions.
diff --git a/depscan/cli.py b/depscan/cli.py
@@ -746,7 +746,7 @@ def main():
     ) = (None, None, None, None, None, None)
     if os.getenv("GITHUB_ACTION", "").lower() == "__appthreat_dep-scan-action" \
         and not os.getenv("INPUT_THANK_YOU", "") == ("I have sponsored "
-                                                 "OWASP-dep-scan."):
+                                                     "OWASP-dep-scan."):
         console.print(
             Panel(
                 "OWASP relies on donations to fund our projects.\n\n"

diff --git a/depscan/lib/analysis.py b/depscan/lib/analysis.py
@@ -777,7 +777,7 @@ def prepare_vdr(options: PrepareVdrOptions):
                         len(pkg_vulnerabilities)
                         > config.max_distro_vulnerabilities
                     ):
-                        rmessage += f"\nNOTE: Check if the base image or the kernel version used is End-of-Life (EOL)."
+                        rmessage += "\nNOTE: Check if the base image or the kernel version used is End-of-Life (EOL)."
                     else:
                         rmessage += (
                             f"\nNOTE: [magenta]{distro_packages_count}"
@@ -1118,8 +1118,7 @@ def jsonl_report(
                         full_pkg = f"""{purl_obj.get("namespace")}/
                         {purl_obj.get("name")}@{purl_obj.get("version")}"""
                     else:
-                        full_pkg = f"""{purl_obj.get("name")}@{purl_obj
-                            .get("version")}"""
+                        full_pkg = f"""{purl_obj.get("name")}@{purl_obj.get("version")}"""
             if ids_seen.get(vid + purl):
                 continue
             # On occasions, this could still result in duplicates if the

diff --git a/depscan/lib/explainer.py b/depscan/lib/explainer.py
@@ -130,7 +130,7 @@ def flow_to_source_sink(idx, flow, purls, project_type):
         if parent_method in ("handleRequest",):
             method_str = f"handler {method_str}"
         elif parent_method in ("__construct", "__init"):
-            method_str = f"constructor"
+            method_str = "constructor"
         elif project_type in ("php",) and parent_method.startswith("__"):
             method_str = f"magic {method_str}"
     if flow.get("label") == "METHOD_PARAMETER_IN":

diff --git a/depscan/lib/normalize.py b/depscan/lib/normalize.py
@@ -54,9 +54,17 @@ def create_pkg_variations(pkg_dict):
             if purl_obj:
                 pkg_type = purl_obj.get("type")
                 qualifiers = purl_obj.get("qualifiers", {})
-                # npm is resulting in false positives
-                # Let's disable aliasing for now. See #194, #195, #196
                 if pkg_type in ("npm",):
+                    # vendorless package could have npm as the vendor name from sources such as osv
+                    # So we need 1 more alias
+                    if not purl_obj.get("namespace") and not vendor:
+                        pkg_list.append(
+                            {
+                                "vendor": "npm",
+                                "name": pkg_dict.get("name"),
+                                "version": pkg_dict.get("version"),
+                            }
+                        )
                     return pkg_list
                 if qualifiers and qualifiers.get("distro_name"):
                     os_distro_name = qualifiers.get("distro_name")
@@ -83,11 +91,11 @@ def create_pkg_variations(pkg_dict):
             or vendor.startswith("com.")
             or vendor.startswith("net.")
         ):
-            tmpA = vendor.split(".")
+            tmp_a = vendor.split(".")
             # Automatically add short vendor forms
-            if len(tmpA) > 1 and len(tmpA[1]) > 3:
-                if tmpA[1] != name:
-                    vendor_aliases.add(tmpA[1])
+            if len(tmp_a) > 1 and len(tmp_a[1]) > 3:
+                if tmp_a[1] != name:
+                    vendor_aliases.add(tmp_a[1])
     # Add some common vendor aliases
     if purl.startswith("pkg:golang") and not name.startswith("go"):
         vendor_aliases.add("go")
@@ -192,9 +200,10 @@ def create_pkg_variations(pkg_dict):
                 )
     elif len(name_aliases) > 1:
         for nvar in list(name_aliases):
+            # vendor could be none which is fine
             pkg_list.append(
                 {
-                    "vendor": pkg_dict.get("vendor"), # Could be none which is fine
+                    "vendor": pkg_dict.get("vendor"),
                     "name": nvar,
                     "version": pkg_dict["version"],
                 }

diff --git a/pyproject.toml b/pyproject.toml
@@ -6,7 +6,7 @@ authors = [
     {name = "Team AppThreat", email = "cloud@appthreat.com"},
 ]
 dependencies = [
-    "appthreat-vulnerability-db>=5.6.0",
+    "appthreat-vulnerability-db>=5.6.2",
     "defusedxml",
     "oras==0.1.26",
     "PyYAML",