diff --git a/depscan/cli.py b/depscan/cli.py
index 36663dd..866646a 100755
--- a/depscan/cli.py
+++ b/depscan/cli.py
@@ -746,7 +746,7 @@ def main():
 ) = (None, None, None, None, None, None)
 if os.getenv("GITHUB_ACTION", "").lower() == "__appthreat_dep-scan-action" \
 and not os.getenv("INPUT_THANK_YOU", "") == ("I have sponsored "
- "OWASP-dep-scan."):
+ "OWASP-dep-scan."):
 console.print(
 Panel(
 "OWASP relies on donations to fund our projects.\n\n"
diff --git a/depscan/lib/analysis.py b/depscan/lib/analysis.py
index 471015f..0b55645 100644
--- a/depscan/lib/analysis.py
+++ b/depscan/lib/analysis.py
@@ -777,7 +777,7 @@ def prepare_vdr(options: PrepareVdrOptions):
 len(pkg_vulnerabilities)
 > config.max_distro_vulnerabilities
 ):
- rmessage += f"\nNOTE: Check if the base image or the kernel version used is End-of-Life (EOL)."
+ rmessage += "\nNOTE: Check if the base image or the kernel version used is End-of-Life (EOL)."
 else:
 rmessage += (
 f"\nNOTE: [magenta]{distro_packages_count}"
@@ -1118,8 +1118,7 @@ def jsonl_report(
 full_pkg = f"""{purl_obj.get("namespace")}/
 {purl_obj.get("name")}@{purl_obj.get("version")}"""
 else:
- full_pkg = f"""{purl_obj.get("name")}@{purl_obj
- .get("version")}"""
+ full_pkg = f"""{purl_obj.get("name")}@{purl_obj.get("version")}"""
 if ids_seen.get(vid + purl):
 continue
 # On occasions, this could still result in duplicates if the
diff --git a/depscan/lib/explainer.py b/depscan/lib/explainer.py
index 95c9518..c35f8e9 100644
--- a/depscan/lib/explainer.py
+++ b/depscan/lib/explainer.py
@@ -130,7 +130,7 @@ def flow_to_source_sink(idx, flow, purls, project_type):
 if parent_method in ("handleRequest",):
 method_str = f"handler {method_str}"
 elif parent_method in ("__construct", "__init"):
- method_str = f"constructor"
+ method_str = "constructor"
 elif project_type in ("php",) and parent_method.startswith("__"):
 method_str = f"magic {method_str}"
 if flow.get("label") == "METHOD_PARAMETER_IN":
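Review bot: The namespace branch immediately above the changed line in jsonl_report still appears to span two source lines inside a triple-quoted f-string (`f"""{purl_obj.get("namespace")}/` continued by `{purl_obj.get("name")}@{purl_obj.get("version")}"""`), so when a namespace is present `full_pkg` would carry an embedded newline plus indentation that the new single-line form for the else branch no longer has. If that reading of the collapsed hunk is right, the two branches emit differently shaped identifiers into the JSONL report and the later `ids_seen` lookup keyed on `vid + purl` does nothing to normalise them. Collapsing the first branch the same way, `full_pkg = f'{purl_obj.get("namespace")}/{purl_obj.get("name")}@{purl_obj.get("version")}'`, keeps both branches consistent. jsonl_report's body starts before and continues past this hunk.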
diff --git a/depscan/lib/normalize.py b/depscan/lib/normalize.py
index e8ad68e..efc1367 100644
--- a/depscan/lib/normalize.py
+++ b/depscan/lib/normalize.py
@@ -54,9 +54,17 @@ def create_pkg_variations(pkg_dict):
 if purl_obj:
 pkg_type = purl_obj.get("type")
 qualifiers = purl_obj.get("qualifiers", {})
- # npm is resulting in false positives
- # Let's disable aliasing for now. See #194, #195, #196
 if pkg_type in ("npm",):
+ # vendorless package could have npm as the vendor name from sources such as osv
+ # So we need 1 more alias
+ if not purl_obj.get("namespace") and not vendor:
+ pkg_list.append(
+ {
+ "vendor": "npm",
+ "name": pkg_dict.get("name"),
+ "version": pkg_dict.get("version"),
+ }
+ )
 return pkg_list
 if qualifiers and qualifiers.get("distro_name"):
 os_distro_name = qualifiers.get("distro_name")
@@ -83,11 +91,11 @@ def create_pkg_variations(pkg_dict):
 or vendor.startswith("com.")
 or vendor.startswith("net.")
 ):
- tmpA = vendor.split(".")
+ tmp_a = vendor.split(".")
 # Automatically add short vendor forms
- if len(tmpA) > 1 and len(tmpA[1]) > 3:
- if tmpA[1] != name:
- vendor_aliases.add(tmpA[1])
+ if len(tmp_a) > 1 and len(tmp_a[1]) > 3:
+ if tmp_a[1] != name:
+ vendor_aliases.add(tmp_a[1])
 # Add some common vendor aliases
 if purl.startswith("pkg:golang") and not name.startswith("go"):
 vendor_aliases.add("go")
@@ -192,9 +200,10 @@ def create_pkg_variations(pkg_dict):
 )
 elif len(name_aliases) > 1:
 for nvar in list(name_aliases):
+ # vendor could be none which is fine
 pkg_list.append(
 {
- "vendor": pkg_dict.get("vendor"), # Could be none which is fine
+ "vendor": pkg_dict.get("vendor"),
 "name": nvar,
 "version": pkg_dict["version"],
 }
diff --git a/pyproject.toml b/pyproject.toml
index fb7758a..ea5106e 100644
--- a/pyproject.toml
+++ b/pyproject.toml
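Review bot: The new npm alias entry uses `"version": pkg_dict.get("version")` while the other alias entries in this function (visible in the third hunk) use `pkg_dict["version"]`, so a package dict without a version now silently produces a `None`-versioned "npm" alias instead of failing like the rest; using `"version": pkg_dict["version"]` keeps the branches consistent. The removed comment citing #194, #195 and #196 was the only explanation of why npm packages still `return pkg_list` before the generic vendor/name aliasing below; that rationale should survive next to the early return, e.g. `# npm aliasing beyond this one entry stays disabled (false positives, see #194, #195, #196)`. Since the extra alias widens what a vendorless npm package can match against in the vulnerability data, a short note on the intended trade-off (fewer misses on OSV-style records at the cost of possible extra matches) would help the next reader judge any new false positives. The `vendor` name tested in the new condition is bound outside the hunk, and create_pkg_variations starts before and ends after it.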
@@ -6,7 +6,7 @@ authors = [
 {name = "Team AppThreat", email = "cloud@appthreat.com"},
 ]
 dependencies = [
- "appthreat-vulnerability-db>=5.6.0",
+ "appthreat-vulnerability-db>=5.6.2",
 "defusedxml",
 "oras==0.1.26",
 "PyYAML",