
[BUG] Missing attribute generating report in version 1.4 in JSON format, an attribute is missing. #91

Closed
damiencarol opened this issue Jan 23, 2022 · 5 comments · Fixed by #92
Assignees
Labels
bug Something isn't working

Comments

@damiencarol

damiencarol commented Jan 23, 2022

When generating report in version 1.4 in JSON format, an attribute is missing in the components data.

According to the CycloneDX specification, a vulnerability references a component by its bom-ref. So the components should have a bom-ref.

My advice is to use the PURL string as a bom-ref

image

Renamed with .txt because of GitHub
jake.json.txt

Version

  • Python 3.9
  • Jake 1.4.0
  • cmd jake ddt --output-format cyclonedx-json --schema-version 1.4 -o ~/dd2/jake.json
@damiencarol damiencarol added the bug Something isn't working label Jan 23, 2022
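An added example (not part of the issue, and not jake's or cyclonedx-python-lib's own code) of the check this report is about: walking a CycloneDX 1.4 JSON document, collecting every component's bom-ref, and flagging any vulnerabilities[].affects[].ref that points at nothing. It also applies the fix proposed above, filling a missing bom-ref from the component's purl. The embedded BOM is a constructed miniature modelled on the shape described in the report (Django carries a purl but no bom-ref), not the attached jake.json.txt; the CVE ids are the ones shown later in this thread.

```python
"""Check that every vulnerability in a CycloneDX 1.4 JSON BOM resolves to a component.

Added example; the sample BOM below is constructed, not real jake output.
"""
import json
from typing import Dict, Iterator, List, Set

# Constructed mini-BOM: the Django component has a purl but no bom-ref,
# so the vulnerabilities' affects.ref values have nothing to resolve to.
SAMPLE_BOM_BROKEN = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "name": "Django", "version": "2.0.1",
         "purl": "pkg:pypi/django@2.0.1"},
        {"type": "library", "name": "requests", "version": "2.27.1",
         "purl": "pkg:pypi/requests@2.27.1",
         "bom-ref": "pkg:pypi/requests@2.27.1"},
    ],
    "vulnerabilities": [
        {"id": "CVE-2021-33203", "affects": [{"ref": "pkg:pypi/django@2.0.1"}]},
        {"id": "CVE-2018-6188", "affects": [{"ref": "pkg:pypi/django@2.0.1"}]},
    ],
})


def load_sample() -> Dict:
    """Parse the constructed sample BOM into a dict."""
    return json.loads(SAMPLE_BOM_BROKEN)


def iter_components(bom: Dict) -> Iterator[Dict]:
    """Yield every component: metadata.component, top-level, and nested ones."""
    stack: List[Dict] = []
    meta_component = bom.get("metadata", {}).get("component")
    if meta_component:
        stack.append(meta_component)
    stack.extend(bom.get("components", []))
    while stack:
        comp = stack.pop()
        yield comp
        # CycloneDX lets a component carry its own "components" list.
        stack.extend(comp.get("components", []))


def known_bom_refs(bom: Dict) -> Set[str]:
    """All bom-ref values that a vulnerability could legitimately point at."""
    return {c["bom-ref"] for c in iter_components(bom) if c.get("bom-ref")}


def dangling_vulnerability_refs(bom: Dict) -> List[str]:
    """Return '<vuln id> -> <ref>' for every affects.ref that matches no component."""
    refs = known_bom_refs(bom)
    dangling: List[str] = []
    for vuln in bom.get("vulnerabilities", []):
        for affected in vuln.get("affects", []):
            ref = affected.get("ref")
            if ref not in refs:
                dangling.append(f"{vuln.get('id', '?')} -> {ref}")
    return dangling


def fill_bom_refs_from_purl(bom: Dict) -> int:
    """Set bom-ref = purl on components that lack a bom-ref (the fix the report
    suggests). Returns how many components were changed."""
    changed = 0
    for comp in iter_components(bom):
        if not comp.get("bom-ref") and comp.get("purl"):
            comp["bom-ref"] = comp["purl"]
            changed += 1
    return changed


if __name__ == "__main__":
    bom = load_sample()
    print("dangling before fix:", dangling_vulnerability_refs(bom))
    print("components patched:", fill_bom_refs_from_purl(bom))
    print("dangling after fix:", dangling_vulnerability_refs(bom))
```

Run against a real BOM by replacing load_sample() with json.load() on the file; a non-empty result from dangling_vulnerability_refs is exactly the defect this issue describes, and downstream consumers (such as the DefectDojo importer the paths in this thread hint at) cannot attribute those findings to a package.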
@madpah
Collaborator

madpah commented Jan 24, 2022

Hi @damiencarol - thanks for the report.

Can you please confirm a few things:

  • Python Version
  • Jake Version
  • Full command invoked

Thanks

@damiencarol
Author

added some details in the description

@madpah
Collaborator

madpah commented Jan 24, 2022

@damiencarol - 1.4.1 has been released - can you test with that please and let us know?

@damiencarol
Author

damiencarol commented Jan 24, 2022

@madpah needed to clear the cache but it works now, I'm checking the report:

(.venv2) [damien@damien vulnerabilities]$ python3 -m pip install jake==1.4.1
Collecting jake==1.4.1
  Using cached jake-1.4.1-py3-none-any.whl (28 kB)
Requirement already satisfied: polling2>=0.5.0 in ./.venv2/lib/python3.10/site-packages (from jake==1.4.1) (0.5.0)
Collecting cyclonedx-bom<3.0.0,>=2.0.1
  Using cached cyclonedx_bom-2.0.1-py3-none-any.whl (25 kB)
Requirement already satisfied: pyfiglet>=0.8.post1 in ./.venv2/lib/python3.10/site-packages (from jake==1.4.1) (0.8.post1)
Requirement already satisfied: ossindex-lib>=0.2.1 in ./.venv2/lib/python3.10/site-packages (from jake==1.4.1) (0.2.1)
Requirement already satisfied: rich>=10.15.2 in ./.venv2/lib/python3.10/site-packages (from jake==1.4.1) (11.0.0)
Requirement already satisfied: requests in ./.venv2/lib/python3.10/site-packages (from jake==1.4.1) (2.27.1)
Collecting cyclonedx-python-lib<2.0.0,>=1.3.0
  Using cached cyclonedx_python_lib-1.3.0-py3-none-any.whl (168 kB)
Requirement already satisfied: types-setuptools>=57.0.0 in ./.venv2/lib/python3.10/site-packages (from cyclonedx-python-lib<2.0.0,>=1.3.0->cyclonedx-bom<3.0.0,>=2.0.1->jake==1.4.1) (57.4.4)
Requirement already satisfied: packageurl-python>=0.9 in ./.venv2/lib/python3.10/site-packages (from cyclonedx-python-lib<2.0.0,>=1.3.0->cyclonedx-bom<3.0.0,>=2.0.1->jake==1.4.1) (0.9.6)
Requirement already satisfied: types-toml<0.11.0,>=0.10.0 in ./.venv2/lib/python3.10/site-packages (from cyclonedx-python-lib<2.0.0,>=1.3.0->cyclonedx-bom<3.0.0,>=2.0.1->jake==1.4.1) (0.10.1)
Requirement already satisfied: toml<0.11.0,>=0.10.0 in ./.venv2/lib/python3.10/site-packages (from cyclonedx-python-lib<2.0.0,>=1.3.0->cyclonedx-bom<3.0.0,>=2.0.1->jake==1.4.1) (0.10.2)
Requirement already satisfied: setuptools>=47.0.0 in ./.venv2/lib/python3.10/site-packages (from cyclonedx-python-lib<2.0.0,>=1.3.0->cyclonedx-bom<3.0.0,>=2.0.1->jake==1.4.1) (58.1.0)
Requirement already satisfied: tinydb<5.0.0,>=4.5.1 in ./.venv2/lib/python3.10/site-packages (from ossindex-lib>=0.2.1->jake==1.4.1) (4.6.1)
Requirement already satisfied: certifi>=2017.4.17 in ./.venv2/lib/python3.10/site-packages (from requests->jake==1.4.1) (2021.10.8)
Requirement already satisfied: urllib3<1.27,>=1.21.1 in ./.venv2/lib/python3.10/site-packages (from requests->jake==1.4.1) (1.26.8)
Requirement already satisfied: idna<4,>=2.5 in ./.venv2/lib/python3.10/site-packages (from requests->jake==1.4.1) (3.3)
Requirement already satisfied: charset-normalizer~=2.0.0 in ./.venv2/lib/python3.10/site-packages (from requests->jake==1.4.1) (2.0.10)
Requirement already satisfied: commonmark<0.10.0,>=0.9.0 in ./.venv2/lib/python3.10/site-packages (from rich>=10.15.2->jake==1.4.1) (0.9.1)
Requirement already satisfied: colorama<0.5.0,>=0.4.0 in ./.venv2/lib/python3.10/site-packages (from rich>=10.15.2->jake==1.4.1) (0.4.4)
Requirement already satisfied: pygments<3.0.0,>=2.6.0 in ./.venv2/lib/python3.10/site-packages (from rich>=10.15.2->jake==1.4.1) (2.11.2)
Installing collected packages: cyclonedx-python-lib, cyclonedx-bom, jake
  Attempting uninstall: cyclonedx-python-lib
    Found existing installation: cyclonedx-python-lib 1.1.1
    Uninstalling cyclonedx-python-lib-1.1.1:
      Successfully uninstalled cyclonedx-python-lib-1.1.1
  Attempting uninstall: cyclonedx-bom
    Found existing installation: cyclonedx-bom 2.0.0
    Uninstalling cyclonedx-bom-2.0.0:
      Successfully uninstalled cyclonedx-bom-2.0.0
  Attempting uninstall: jake
    Found existing installation: jake 1.4.0
    Uninstalling jake-1.4.0:
      Successfully uninstalled jake-1.4.0
Successfully installed cyclonedx-bom-2.0.1 cyclonedx-python-lib-1.3.0 jake-1.4.1
(.venv2) [damien@damien vulnerabilities]$ jake ddt  -o ~/dd2/unittests/scans/cyclonedx/jake2.json --output-format json --schema-version 1.4 --clear-cache
                   ___           ___           ___     
       ___        /  /\         /  /\         /  /\    
      /__/\      /  /::\       /  /:/        /  /::\   
      \__\:\    /  /:/\:\     /  /:/        /  /:/\:\  
  ___ /  /::\  /  /::\ \:\   /  /::\____   /  /::\ \:\ 
 /__/\  /:/\/ /__/:/\:\_\:\ /__/:/\:::::\ /__/:/\:\ \:\
 \  \:\/:/~~  \__\/  \:\/:/ \__\/~|:|~~~~ \  \:\ \:\_\/
  \  \::/          \__\::/     |  |:|      \  \:\ \:\  
   \__\/           /  /:/      |  |:|       \  \:\_\/  
                  /__/:/       |__|:|        \  \:\    
                  \__\/         \__\|         \__\/    

                                                  
            /)                     /)             
        _/_(/    _     _  __   _  (/_   _         
 o   o  (__/ )__(/_   /_)_/ (_(_(_/(___(/_ o   o  
                                                  
                                                  

Jake Version: 1.4.1
Put your Python dependencies in a chokehold

🐍 Collected 28 packages from your environment                       ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
🐍 Successfully queried OSS Index for package and vulnerability info ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
🐍 Sane number of results from OSS Index                             ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
🐍 Munching & crunching data...                                      ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00

[22/28] - Django@2.0.1 [VULNERABLE]
Vulnerability Details for Django@2.0.1                                                                                                                                            
├── ⚠  ID: CVE-2021-33203                                                                                                                                                         
│   └── ╭─ CVE-2021-33203 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│       │                                                                                                                                                                        │
│       │ [CVE-2021-33203] Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential ...                                                                   │
│       │ Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the          │
│       │ TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application  │
│       │ developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal    │
│       │ outside of the template root directories.                                                                                                                              │
│       │                                                                                                                                                                        │
│       │ Ratings:                                                                                                                                                               │
│       │    -  7.5 HIGH: Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, CWEs: Not Recorded                                                                                        │
│       │                                                                                                                                                                        │
│       │ References:                                                                                                                                                            │
│       │   -  [Ref: None]    URL: https://nvd.nist.gov/vuln/detail/CVE-2021-33203                                                                                               │
│       │                                                                                                                                                                        │
│       ╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
├── ⚠  ID: CVE-2018-7536                                                                                                                                                          
│   └── ╭─ CVE-2018-7536 ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│       │                                                                                                                                                                        │
│       │ [CVE-2018-7536]  Incorrect Regular Expression                                                                                                                          │
│       │ An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate │
│       │ certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is    │
│       │ used to implement the urlize and urlizetrunc template filters, which were thus vulnerable.                                                                             │
│       │                                                                                                                                                                        │
│       │ Ratings:                                                                                                                                                               │
│       │    -  5.29999999999999982236431605997495353221893310546875 MEDIUM: Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, CWEs: Not Recorded                                     │
│       │                                                                                                                                                                        │
│       │ References:                                                                                                                                                            │
│       │   -  [Ref: None]    URL: https://www.djangoproject.com/weblog/2018/mar/06/security-releases/                                                                           │
│       │   -  [Ref: None]    URL: https://nvd.nist.gov/vuln/detail/CVE-2018-7536                                                                                                │
│       │                                                                                                                                                                        │
│       ╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
├── ⚠  ID: CVE-2018-7537                                                                                                                                                          
│   └── ╭─ CVE-2018-7537 ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│       │                                                                                                                                                                        │
│       │ [CVE-2018-7537]  Incorrect Regular Expression                                                                                                                          │
│       │ An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's chars() and words() methods were      │
│       │ passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The       │
│       │ chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.                          │
│       │                                                                                                                                                                        │
│       │ Ratings:                                                                                                                                                               │
│       │    -  5.29999999999999982236431605997495353221893310546875 MEDIUM: Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, CWEs: Not Recorded                                     │
│       │                                                                                                                                                                        │
│       │ References:                                                                                                                                                            │
│       │   -  [Ref: None]    URL: https://www.djangoproject.com/weblog/2018/mar/06/security-releases/                                                                           │
│       │   -  [Ref: None]    URL: https://nvd.nist.gov/vuln/detail/CVE-2018-7537                                                                                                │
│       │                                                                                                                                                                        │
│       ╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
├── ⚠  ID: CVE-2018-14574                                                                                                                                                         
│   └── ╭─ CVE-2018-14574 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│       │                                                                                                                                                                        │
│       │ [CVE-2018-14574]  URL Redirection to Untrusted Site ("Open Redirect")                                                                                                  │
│       │ django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect.                                                 │
│       │                                                                                                                                                                        │
│       │ Ratings:                                                                                                                                                               │
│       │    -  6.0999999999999996447286321199499070644378662109375 MEDIUM: Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, CWEs: Not Recorded                                      │
│       │                                                                                                                                                                        │
│       │ References:                                                                                                                                                            │
│       │   -  [Ref: None]    URL: https://www.djangoproject.com/weblog/2018/aug/01/security-releases/                                                                           │
│       │   -  [Ref: None]    URL: https://nvd.nist.gov/vuln/detail/CVE-2018-14574                                                                                               │
│       │                                                                                                                                                                        │
│       ╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
├── ⚠  ID: CVE-2019-3498                                                                                                                                                          
│   └── ╭─ CVE-2019-3498 ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│       │                                                                                                                                                                        │
│       │ [CVE-2019-3498]  Improper Input Validation                                                                                                                             │
│       │ In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component  │
│       │ issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has          │
│       │ malicious content.                                                                                                                                                     │
│       │                                                                                                                                                                        │
│       │ Ratings:                                                                                                                                                               │
│       │    -  6.5 MEDIUM: Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N, CWEs: Not Recorded                                                                                      │
│       │                                                                                                                                                                        │
│       │ References:                                                                                                                                                            │
│       │   -  [Ref: None]    URL: https://nvd.nist.gov/vuln/detail/CVE-2019-3498                                                                                                │
│       │                                                                                                                                                                        │
│       ╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
├── ⚠  ID: CVE-2019-6975                                                                                                                                                          
│   └── ╭─ CVE-2019-6975 ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│       │                                                                                                                                                                        │
│       │ [CVE-2019-6975]  Uncontrolled Resource Consumption ("Resource Exhaustion")                                                                                             │
│       │ Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the        │
│       │ django.utils.numberformat.format() function.                                                                                                                           │
│       │                                                                                                                                                                        │
│       │ Ratings:                                                                                                                                                               │
│       │    -  7.5 HIGH: Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, CWEs: Not Recorded                                                                                        │
│       │                                                                                                                                                                        │
│       │ References:                                                                                                                                                            │
│       │   -  [Ref: None]    URL: https://nvd.nist.gov/vuln/detail/CVE-2019-6975                                                                                                │
│       │                                                                                                                                                                        │
│       ╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
└── ⚠  ID: CVE-2018-6188                                                                                                                                                          
    └── ╭─ CVE-2018-6188 ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
        │                                                                                                                                                                        │
        │ [CVE-2018-6188]  Information Exposure                                                                                                                                  │
        │ django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by │
        │ leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.                                   │
        │                                                                                                                                                                        │
        │ Ratings:                                                                                                                                                               │
        │    -  7.5 HIGH: Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, CWEs: Not Recorded                                                                                        │
        │                                                                                                                                                                        │
        │ References:                                                                                                                                                            │
        │   -  [Ref: None]    URL: https://www.djangoproject.com/weblog/2018/feb/01/security-releases/                                                                           │
        │   -  [Ref: None]    URL: https://nvd.nist.gov/vuln/detail/CVE-2018-6188                                                                                                │
        │                                                                                                                                                                        │
        ╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯

                    Summary                     
┏━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Audited Dependencies ┃ Vulnerabilities Found ┃
┡━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━┩
│ 28                   │ 7                     │
└──────────────────────┴───────────────────────┘

CycloneDX has been written to /home/damien/dd2/unittests/scans/cyclonedx/jake2.json

@damiencarol
Author

damiencarol commented Jan 24, 2022

@madpah The link between the vulnerability and the component is good now. 👍
But I just found a new bug, creating a new issue => #93 .
