[BUG] "jake ddt" produces a ValueError when a CWE is found #95

Closed
blackstream-x opened this issue Jan 31, 2022 · 3 comments · Fixed by #97
Labels
bug Something isn't working

Comments

@blackstream-x

Describe the bug
When finding a vulnerability having a CWE, jake 1.4.1 seems to assume the CWE ID is numerical, and fails with a ValueError.

To Reproduce
Steps to reproduce the behavior:

  1. Run a docker container with image python:3.6-slim: docker run --rm -it --name jaketest python:3.6-slim bash
  2. Inside the container, install and activate a virtual environment. The version of pip inside that environment will be 18.1 which has known vulnerabilities.
  3. Install jake inside the virtual environment
  4. Run jake ddt
  5. jake produces the error ValueError: invalid literal for int() with base 10: 'CWE-22', see https://gitlab.com/j2c-bce/helloworld-fastapi/-/jobs/2028565003 for an example

Expected behavior
Jake produces a vulnerability report. In the same environment as above, this worked with jake==1.1.5.

Screenshots

Jake Version: 1.4.1
Put your Python dependencies in a chokehold

🐍 Collected 26 packages from your environment                       ━━━━━━━━━━━━━━━━━━ 100% 0:00:00
🐍 Successfully queried OSS Index for package and vulnerability info ━━━━━━━━━━━━━━━━━━ 100% 0:00:00
🐍 Sane number of results from OSS Index                             ━━━━━━━━━━━━━━━━━━ 100% 0:00:00
🐍 Munching & crunching data...                                      ━━╺━━━━━━━━━━━━━━━  12% 0:00:01
Traceback (most recent call last):
  File "/venv/bin/jake", line 11, in <module>
    sys.exit(main())
  File "/venv/lib/python3.6/site-packages/jake/app.py", line 124, in main
    JakeCmd().execute()
  File "/venv/lib/python3.6/site-packages/jake/app.py", line 69, in execute
    exit_code: int = command.execute(arguments=self._arguments)
  File "/venv/lib/python3.6/site-packages/jake/command/__init__.py", line 45, in execute
    return self.handle_args()
  File "/venv/lib/python3.6/site-packages/jake/command/oss.py", line 137, in handle_args
    cwes=[int(oic_vulnerability.get_cwe())] if oic_vulnerability.get_cwe() else None,
ValueError: invalid literal for int() with base 10: 'CWE-22'

Desktop (please complete the following information):

  • OS: Linux x86-64
  • Python Version: 3.6.15
  • Version: 1.4.1
blackstream-x added the "bug" label on Jan 31, 2022
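The traceback above shows the failing conversion: `int()` applied directly to the CWE string returned for the vulnerability, which works for a bare number like `22` but raises on `CWE-22`. The block below is an added example, not jake's own code and not the fix merged in #97; it shows the naive conversion beside a tolerant parser that accepts both spellings and returns `None` for anything that is not a CWE identifier, so one odd record cannot abort the whole report. The helper names (`parse_cwe_id`, `cwes_for_vulnerability`) and the sample values other than `CWE-22` are assumptions made for illustration.

```python
import re
from typing import List, Optional

# Added example, not jake's code. Accepts a bare number ("22") or the
# CWE-prefixed form seen in the traceback ("CWE-22"), case-insensitively
# and tolerating surrounding whitespace.
_CWE_ID = re.compile(r"^\s*(?:CWE-)?(\d+)\s*$", re.IGNORECASE)


def cwe_to_int_naive(cwe: str) -> int:
    """The conversion the traceback shows: int() applied to the raw string.

    Fine for "22"; raises ValueError for "CWE-22", which kills the whole scan.
    """
    return int(cwe)


def naive_conversion_fails(cwe: str) -> bool:
    """True when cwe_to_int_naive() would raise ValueError on this value."""
    try:
        cwe_to_int_naive(cwe)
    except ValueError:
        return True
    return False


def parse_cwe_id(cwe: Optional[str]) -> Optional[int]:
    """Return the numeric CWE ID, or None when the value is missing or malformed.

    Returning None instead of raising keeps a single unexpected record from
    aborting the report; a caller that wants strictness can log the None.
    """
    if not cwe:
        return None
    match = _CWE_ID.match(cwe)
    return int(match.group(1)) if match else None


def cwes_for_vulnerability(cwe: Optional[str]) -> Optional[List[int]]:
    """Hypothetical helper with the shape used at the failing call site:
    a one-element list of ints, or None when no CWE is present."""
    cwe_id = parse_cwe_id(cwe)
    return [cwe_id] if cwe_id is not None else None


if __name__ == "__main__":
    # Constructed sample values; "CWE-22" is the one from the report.
    for raw in ("22", "CWE-22", "cwe-79 ", "", "not-a-cwe"):
        print(repr(raw), "->", parse_cwe_id(raw),
              "| naive int() crashes:", naive_conversion_fails(raw))
```

Run the block directly to see each sample value converted (or rejected) side by side with whether the naive `int()` would have crashed on it.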
@blackstream-x
Author

Version 1.4.2 is affected as well.

@madpah
Collaborator

madpah commented Feb 3, 2022

Thanks for the report @blackstream-x

@madpah
Collaborator

madpah commented Feb 3, 2022

jake 1.4.3 released @blackstream-x
