Regression: Do not parse cve if cve == None #409

Closed
v01dXYZ opened this issue Sep 29, 2022 · 1 comment
v01dXYZ commented Sep 29, 2022

  • safety version: 2.2.0
  • Python version: 3.8
  • Operating System: Linux - Ubuntu 18.04.1 (docker image: python:3.8)

Description

The database file contains entries with the cve field equal to null. Contrary to 1.10.3, which only parses the field if it is neither None nor "", version 2.2.0 assumes it is always a string.

What I Did

$ safety --debug check

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/safety/cli.py", line 143, in check
    vulns, db_full = safety.check(packages=packages, key=key, db_mirror=db, cached=cache, ignore_vulns=ignore,
  File "/usr/local/lib/python3.8/site-packages/safety/util.py", line 601, in new_func
    return f(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/safety/safety.py", line 341, in check
    cve = get_cve_from(data, db_full)
  File "/usr/local/lib/python3.8/site-packages/safety/safety.py", line 279, in get_cve_from
    cve_id = data.get("cve", '').split(",")[0].strip()
AttributeError: 'NoneType' object has no attribute 'split'

$ curl "https://raw.githubusercontent.com/pyupio/safety-db/bc28866e8129481f6b7b687591ae59e96f567dd1/data/insecure_full.json" -s  | grep -A5 -B2 '"cve": null'

        {
            "advisory": "Hypercorn 0.6.0 pauses reading during h11 pipelining, fixing a potential DOS weakness.",
            "cve": null,
            "id": "pyup.io-50866",
            "more_info_path": "/vulnerabilities/None/50866/",
            "specs": [
                "<0.6.0"
            ],
--
        {
            "advisory": "Opendp 0.5.0 hardens samplers to handle some privacy violation cases.\r\nhttps://github.com/opendp/opendp/pull/481",
            "cve": null,
            "id": "pyup.io-50829",
            "more_info_path": "/vulnerabilities/None/50829/",
            "specs": [
                "<0.5.0"
            ],
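An added example, not safety's own code or the fix from PR #412, that reproduces the defect in the traceback and shows one hardened form: the `''` default of `dict.get` is never used when the key is present with a `null` value, so the extractor has to check the value itself. The entries are constructed from the quoted JSON, with placeholder CVE ids.

```python
import json
from typing import Optional

# Constructed sample modelled on the insecure_full.json entries quoted in the
# issue, not the live database: the CVE ids are placeholders. It covers a
# string value, a null value, an empty string and a missing key.
SAMPLE_DB_ENTRIES = json.loads("""
[
  {"advisory": "constructed entry with CVE ids", "cve": "CVE-0000-0001, CVE-0000-0002",
   "id": "pyup.io-1", "specs": ["<1.0"]},
  {"advisory": "Hypercorn 0.6.0 pauses reading during h11 pipelining, fixing a potential DOS weakness.",
   "cve": null, "id": "pyup.io-50866", "specs": ["<0.6.0"]},
  {"advisory": "constructed entry with an empty cve", "cve": "", "id": "pyup.io-2", "specs": ["<2.0"]},
  {"advisory": "constructed entry with no cve key", "id": "pyup.io-3", "specs": ["<3.0"]}
]
""")


def get_cve_id_broken(data: dict) -> str:
    """Mirrors the 2.2.0 line from the traceback: the '' default only applies
    when the key is absent, so a present-but-null value reaches .split()."""
    return data.get("cve", "").split(",")[0].strip()


def get_cve_id_fixed(data: dict) -> Optional[str]:
    """Hardened form (an assumption, not the upstream patch): treat None and ''
    like a missing key, as 1.10.3 did per the report, and return None."""
    raw = data.get("cve")
    if not isinstance(raw, str) or not raw.strip():
        return None
    return raw.split(",")[0].strip()


def scan_entries(entries, extractor):
    """Run an extractor over every entry, recording an AttributeError per entry
    instead of aborting the whole scan, so the failure mode stays visible."""
    results = {}
    for entry in entries:
        try:
            results[entry["id"]] = extractor(entry)
        except AttributeError as exc:
            results[entry["id"]] = f"crash: {exc}"
    return results


if __name__ == "__main__":
    for name, fn in (("broken", get_cve_id_broken), ("fixed", get_cve_id_fixed)):
        print(name, scan_entries(SAMPLE_DB_ENTRIES, fn))
```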
@yeisonvargasf yeisonvargasf self-assigned this Sep 29, 2022
yeisonvargasf (Member) commented

Hi @v01dXYZ, thanks for reporting this issue; we appreciate your report.

I want to explain that now (Safety 2.0+), all the vulnerabilities have a link to a CVE ID (or a PVE ID), so this issue is a bug coming from the bot's free and open-source database process and upload.

Therefore, we are working on finding and fixing the issue that exported those null CVEs; we have also added handling for "None" CVE ids in the Safety code.

PR #412 has the extra validation for None CVE ids; it will be available in the following Safety version.

I will close this issue; please open a new one or comment if you have any other questions or concerns.
