Merge branch 'main' into pr-3150

terriko · web-flow · commit e7ef7a8f207f · 2023-07-12T12:01:55.000-07:00
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -51,7 +51,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@004c5de30b6423267685b897a3d595e944f7fed5 # v2.20.2
+      uses: github/codeql-action/init@46ed16ded91731b2df79a2893d3aea8e9f03b5c4 # v2.20.3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -62,7 +62,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@004c5de30b6423267685b897a3d595e944f7fed5 # v2.20.2
+      uses: github/codeql-action/autobuild@46ed16ded91731b2df79a2893d3aea8e9f03b5c4 # v2.20.3
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -76,4 +76,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@004c5de30b6423267685b897a3d595e944f7fed5 # v2.20.2
+      uses: github/codeql-action/analyze@46ed16ded91731b2df79a2893d3aea8e9f03b5c4 # v2.20.3
diff --git a/cve_bin_tool/cvedb.py b/cve_bin_tool/cvedb.py
@@ -59,6 +59,60 @@ class CVEDB:
         gad_source.GAD_Source,
     ]
 
+    INSERT_QUERIES = {
+        "insert_severity": """
+       INSERT or REPLACE INTO cve_severity(
+            CVE_number,
+            severity,
+            description,
+            score,
+            cvss_version,
+            cvss_vector,
+            data_source,
+            last_modified
+            )
+            VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+        """,
+        "insert_cve_range": """
+        INSERT or REPLACE INTO cve_range(
+            cve_number,
+            vendor,
+            product,
+            version,
+            versionStartIncluding,
+            versionStartExcluding,
+            versionEndIncluding,
+            versionEndExcluding,
+            data_source
+            )
+            VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
+        """,
+        "insert_exploit": """
+        INSERT or REPLACE INTO cve_exploited (
+            cve_number,
+            product,
+            description
+            )
+            VALUES (?,?,?)
+        """,
+        "insert_cve_metrics": """
+        INSERT or REPLACE INTO cve_metrics (
+            cve_number,
+            metric_id,
+            metric_score,
+            metric_field
+            )
+            VALUES (?, ?, ?, ?)
+        """,
+        "insert_metrics": """
+            INSERT or REPLACE INTO metrics (
+                metrics_id,
+                metrics_name
+            )
+            VALUES (?, ?)
+        """,
+    }
+
     def __init__(
         self,
         sources=None,
@@ -316,66 +370,6 @@ def table_schemas(self):
             metrics_table,
         )
 
-    def insert_queries(self):
-        cve_severity = """
-        cve_severity(
-            CVE_number,
-            severity,
-            description,
-            score,
-            cvss_version,
-            cvss_vector,
-            data_source,
-            last_modified
-        )
-        VALUES (?, ?, ?, ?, ?, ?, ?, ?)
-        """
-        insert_severity = f"INSERT or REPLACE INTO {cve_severity}"
-        insert_cve_range = """
-        INSERT or REPLACE INTO cve_range(
-            cve_number,
-            vendor,
-            product,
-            version,
-            versionStartIncluding,
-            versionStartExcluding,
-            versionEndIncluding,
-            versionEndExcluding,
-            data_source
-        ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
-        """
-        insert_exploit = """
-        INSERT or REPLACE INTO cve_exploited (
-            cve_number,
-            product,
-            description
-        )
-        VALUES (?,?,?)
-        """
-        insert_cve_metrics = """
-        INSERT or REPLACE INTO cve_metrics (
-            cve_number,
-            metric_id,
-            metric_score,
-            metric_field
-        )
-        VALUES (?, ?, ?, ?)
-        """
-        insert_metrics = """
-            INSERT or REPLACE INTO metrics (
-                metrics_id,
-                metrics_name
-            )
-            VALUES (?, ?)
-        """
-        return (
-            insert_severity,
-            insert_cve_range,
-            insert_exploit,
-            insert_cve_metrics,
-            insert_metrics,
-        )
-
     def init_database(self) -> None:
         """Initialize db tables used for storing cve/version data"""
 
@@ -492,7 +486,7 @@ def populate_db(self) -> None:
             self.db_close()
 
     def populate_severity(self, severity_data, cursor, data_source):
-        (insert_severity, _, _, _, _) = self.insert_queries()
+        insert_severity = self.INSERT_QUERIES["insert_severity"]
         del_cve_range = "DELETE from cve_range where CVE_number=? and data_source=?"
 
         for cve in severity_data:
@@ -536,7 +530,7 @@ def populate_severity(self, severity_data, cursor, data_source):
             cursor.execute(del_cve_range, [cve["ID"], data_source])
 
     def populate_affected(self, affected_data, cursor, data_source):
-        (_, insert_cve_range, _, _, _) = self.insert_queries()
+        insert_cve_range = self.INSERT_QUERIES["insert_cve_range"]
         try:
             cursor.executemany(
                 insert_cve_range,
@@ -561,7 +555,7 @@ def populate_affected(self, affected_data, cursor, data_source):
     def populate_metrics(self):
         cursor = self.db_open_and_get_cursor()
         # Insert a row without specifying cve_metrics_id
-        (_, _, _, _, insert_metrics) = self.insert_queries()
+        insert_metrics = self.INSERT_QUERIES["insert_metrics"]
         data = [
             (1, "EPSS"),
             (2, "CVSS-2"),
@@ -764,14 +758,14 @@ def create_exploit_db(self):
         self.db_close()
 
     def populate_exploit_db(self, exploits):
-        (_, _, insert_exploit, _, _) = self.insert_queries()
+        insert_exploit = self.INSERT_QUERIES["insert_exploit"]
         cursor = self.db_open_and_get_cursor()
         cursor.executemany(insert_exploit, exploits)
         self.connection.commit()
         self.db_close()
 
     def store_epss_data(self):
-        (_, _, _, insert_cve_metrics, _) = self.insert_queries()
+        insert_cve_metrics = self.INSERT_QUERIES["insert_cve_metrics"]
         cursor = self.db_open_and_get_cursor()
         cursor.executemany(insert_cve_metrics, self.epss_data)
         self.connection.commit()
@@ -925,13 +919,6 @@ def db_to_json(self, path, private_key, passphrase):
             shutil.rmtree(temp_gnupg_home)
 
     def json_to_db(self, cursor, db_column, json_data):
-        (
-            insert_severity,
-            insert_cve_range,
-            insert_exploit,
-            insert_cve_metrics,
-            insert_metrics,
-        ) = self.insert_queries()
         columns = []
         for data in json_data:
             column = list(data.keys())
@@ -947,15 +934,15 @@ def json_to_db(self, cursor, db_column, json_data):
             values.append(list(value))
 
         if db_column == "cve_exploited":
-            cursor.executemany(insert_exploit, values)
+            cursor.executemany(self.INSERT_QUERIES["insert_exploit"], values)
         elif db_column == "cve_range":
-            cursor.executemany(insert_cve_range, values)
+            cursor.executemany(self.INSERT_QUERIES["insert_cve_range"], values)
         elif db_column == "cve_severity":
-            cursor.executemany(insert_severity, values)
+            cursor.executemany(self.INSERT_QUERIES["insert_severity"], values)
         elif db_column == "cve_metrics":
-            cursor.executemany(insert_cve_metrics, values)
+            cursor.executemany(self.INSERT_QUERIES["insert_cve_metrics"], values)
         elif db_column == "metrics":
-            cursor.executemany(insert_metrics, values)
+            cursor.executemany(self.INSERT_QUERIES["insert_metrics"], values)
 
     def json_to_db_wrapper(self, path, pubkey, ignore_signature, log_signature_error):
         try:
diff --git a/cve_bin_tool/sbom_manager/spdx_parser.py b/cve_bin_tool/sbom_manager/spdx_parser.py
@@ -45,7 +45,8 @@ def parse_spdx_tag(self, sbom_file: str) -> list[list[str]]:
                 package = line_elements[1].strip().rstrip("\n")
                 version = None
             if line_elements[0] == "PackageVersion":
-                version = line_elements[1].strip().rstrip("\n")
+                # Version may contain :
+                version = line[16:].strip().rstrip("\n")
                 version = version.split("-")[0]
                 version = version.split("+")[0]
                 modules.append([package, version])
