Operating System: Linux - Ubuntu 18.04.1 (docker image: python:3.8)
Description
The database file contains entries with the cve field equal to null. Contrary to 1.10.3, which only parses the field if it is neither None nor "", version 2.2.0 assumes it is always a string.
What I Did
$ safety --debug check
Traceback (most recent call last):
File "/usr/local/lib/python3.8/site-packages/safety/cli.py", line 143, in check
vulns, db_full = safety.check(packages=packages, key=key, db_mirror=db, cached=cache, ignore_vulns=ignore,
File "/usr/local/lib/python3.8/site-packages/safety/util.py", line 601, in new_func
return f(*args, **kwargs)
File "/usr/local/lib/python3.8/site-packages/safety/safety.py", line 341, in check
cve = get_cve_from(data, db_full)
File "/usr/local/lib/python3.8/site-packages/safety/safety.py", line 279, in get_cve_from
cve_id = data.get("cve", '').split(",")[0].strip()
AttributeError: 'NoneType' object has no attribute 'split'
v01dXYZ
changed the title
Regression: Vulnerabilities with cve == None should be ignored
Regression: Vulnerabilities with cve == None should be left as it is
Sep 29, 2022
v01dXYZ
changed the title
Regression: Vulnerabilities with cve == None should be left as it is
Regression: Do not parse cave if cve == None
Sep 29, 2022
v01dXYZ
changed the title
Regression: Do not parse cave if cve == None
Regression: Do not parse cve if cve == None
Sep 29, 2022
Hi @v01dXYZ, thanks for reporting this issue; we appreciate your report.
I want to explain that now (Safety 2.0+), all the vulnerabilities have a link to a CVE ID (or a PVE ID), so this issue is a bug coming from the bot's free and open-source database process and upload.
Therefore we are working on finding and fixing the issue that exported those null CVEs; also, we have added handling for "None" CVE ids in the Safety code.
PR #412 has the extra validation for None CVE ids; it will be available in the following Safety version.
I will close this issue; please open a new one or comment if you have any other questions or concerns.
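The crash in the traceback comes from `dict.get` applying its default only when the key is missing, not when the key is present with a null value. The following is an added example, not Safety's code and not the change made in PR #412: it runs the expression from the traceback and a None-tolerant variant over constructed entries. The function names, the entry ids and the CVE strings are assumptions made up for illustration.

```python
import json

# Constructed sample entries in the shape the traceback implies (a dict with
# an optional "cve" key); ids and CVE strings are placeholders, not real data.
SAMPLE_DB = json.loads("""
[
  {"id": "example-1", "cve": "CVE-0000-0001, CVE-0000-0002"},
  {"id": "example-2", "cve": null},
  {"id": "example-3", "cve": ""},
  {"id": "example-4"}
]
""")


def first_cve_unsafe(entry):
    # Expression from the traceback: the '' default is used only when the
    # key is absent, so an explicit JSON null comes back as None.
    return entry.get("cve", '').split(",")[0].strip()


def first_cve_safe(entry):
    """Return the first CVE id of an entry, or None if it has none."""
    raw = entry.get("cve")
    if not isinstance(raw, str):      # null, missing, or an unexpected type
        return None
    first = raw.split(",")[0].strip()
    return first or None              # "" and whitespace-only count as absent


def scan(entries, extract):
    """Map entry id -> extracted CVE id, recording failures instead of crashing."""
    results = {}
    for entry in entries:
        try:
            results[entry["id"]] = extract(entry)
        except AttributeError as exc:
            results[entry["id"]] = f"error: {exc}"
    return results


if __name__ == "__main__":
    print(scan(SAMPLE_DB, first_cve_unsafe))
    print(scan(SAMPLE_DB, first_cve_safe))
```

Only the entry with an explicit null fails under the original expression; the missing key and the empty string both pass through it, which is why the defect shows up only once the database starts exporting null values.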