strip version and qualifiers from package purls
Signed-off-by: Jason Shepherd <jason@jasonshepherd.net>
jasinner committed Oct 15, 2024
1 parent 8632e28 commit d3fcad7
Showing 3 changed files with 27 additions and 17 deletions.
7 changes: 6 additions & 1 deletion tools/redhat/redhat_osv/osv.py
Expand Up @@ -85,7 +85,8 @@ class Package:
Class to hold package data for an Affect.
Expects an ecosystem string that starts with CPE_PATTERN.
Replaces the CPE prefix 'redhat' part with 'Red Hat'
to match more closely with other ecosystem identifiers in the OSV database
to match more closely with other ecosystem identifiers in the OSV database.
Also removes version and qualifiers from the CSAF remediation PURL
"""

cpe_pattern: re.Pattern = field(init=False,
Expand All @@ -98,6 +99,10 @@ def __post_init__(self):
if not self.cpe_pattern.match(self.ecosystem):
raise ValueError(f"Got unsupported ecosystem: {self.ecosystem}")
self.ecosystem = f"Red Hat{self.cpe_pattern.split(self.ecosystem, maxsplit=1)[-1]}"
if "@" in self.purl:
version_index = self.purl.index("@")
self.purl = self.purl[:version_index]



@dataclass
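Review bot: The new stripping in `__post_init__` cuts only at the first `@`, so a CSAF purl that carries qualifiers or a subpath but no version (e.g. `pkg:rpm/redhat/git-lfs?arch=src`) keeps its `?arch=...` even though the docstring added in the first hunk promises qualifiers are removed too; `__post_init__`'s signature sits above the hunk. Splitting on every purl separator in turn yields the prefix before whichever comes first: `for sep in ("@", "?", "#"):` / `    self.purl = self.purl.split(sep, 1)[0]`, which also avoids mis-cutting on an `@` that appears inside a qualifier value. Separately, the regenerated testdata in this commit shows that dropping `arch` collapses several remediation purls onto one package (git-lfs in `Red Hat:rhel_aus:8.6::appstream` now appears as two identical affected entries), so the code that builds `osv.affected` — outside this hunk — may want to deduplicate on (ecosystem, name, purl), presumably merging their ranges; worth confirming against the OSV schema expectations.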
5 changes: 5 additions & 0 deletions tools/redhat/redhat_osv/osv_test.py
Expand Up @@ -23,9 +23,14 @@ def test_missing_cvss_v3(self):
assert csaf
assert len(csaf.vulnerabilities) == 1
assert not csaf.vulnerabilities[0].cvss_v3_base_score
for vuln in csaf.vulnerabilities:
for remediation in vuln.remediations:
assert "@" in remediation.purl

osv = OSV(csaf, "test_date")
assert not hasattr(osv, "severity")
for affected in osv.affected:
assert "@" not in affected.package.purl


class EventTest(unittest.TestCase):
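Review bot: The new assertion `assert "@" not in affected.package.purl` would still pass if a `?arch=...` qualifier or `#subpath` were left in the purl, so it does not actually verify the "and qualifiers" half of the commit; a stricter check is `assert not any(sep in affected.package.purl for sep in "@?#")`, or better, pin the exact value (the fixture suggests `"pkg:rpm/redhat/" + affected.package.name`, but confirm that holds for every entry before asserting it). These checks are also bolted onto `test_missing_cvss_v3`, whose name says nothing about purls, so a failure there would be misattributed to CVSS handling; a separate `test_purl_version_and_qualifiers_stripped` method with the same setup reads more honestly. The enclosing test method's signature is above the hunk.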
32 changes: 16 additions & 16 deletions tools/redhat/testdata/RHSA-2024_4546.json
@@ -1,5 +1,5 @@
{
"schema_version": "1.6.5",
"schema_version": "1.6.7",
"id": "RHSA-2024:4546",
"related": [
"CVE-2023-45288",
Expand All @@ -19,7 +19,7 @@
"package": {
"name": "git-lfs",
"ecosystem": "Red Hat:rhel_aus:8.6::appstream",
"purl": "pkg:rpm/redhat/git-lfs@2.13.3-3.el8_6.1?arch=src"
"purl": "pkg:rpm/redhat/git-lfs"
},
"ranges": [
{
Expand All @@ -39,7 +39,7 @@
"package": {
"name": "git-lfs",
"ecosystem": "Red Hat:rhel_aus:8.6::appstream",
"purl": "pkg:rpm/redhat/git-lfs@2.13.3-3.el8_6.1?arch=x86_64"
"purl": "pkg:rpm/redhat/git-lfs"
},
"ranges": [
{
Expand All @@ -59,7 +59,7 @@
"package": {
"name": "git-lfs-debuginfo",
"ecosystem": "Red Hat:rhel_aus:8.6::appstream",
"purl": "pkg:rpm/redhat/git-lfs-debuginfo@2.13.3-3.el8_6.1?arch=x86_64"
"purl": "pkg:rpm/redhat/git-lfs-debuginfo"
},
"ranges": [
{
Expand All @@ -79,7 +79,7 @@
"package": {
"name": "git-lfs-debugsource",
"ecosystem": "Red Hat:rhel_aus:8.6::appstream",
"purl": "pkg:rpm/redhat/git-lfs-debugsource@2.13.3-3.el8_6.1?arch=x86_64"
"purl": "pkg:rpm/redhat/git-lfs-debugsource"
},
"ranges": [
{
Expand All @@ -99,7 +99,7 @@
"package": {
"name": "git-lfs",
"ecosystem": "Red Hat:rhel_e4s:8.6::appstream",
"purl": "pkg:rpm/redhat/git-lfs@2.13.3-3.el8_6.1?arch=ppc64le"
"purl": "pkg:rpm/redhat/git-lfs"
},
"ranges": [
{
Expand All @@ -119,7 +119,7 @@
"package": {
"name": "git-lfs",
"ecosystem": "Red Hat:rhel_e4s:8.6::appstream",
"purl": "pkg:rpm/redhat/git-lfs@2.13.3-3.el8_6.1?arch=src"
"purl": "pkg:rpm/redhat/git-lfs"
},
"ranges": [
{
Expand All @@ -139,7 +139,7 @@
"package": {
"name": "git-lfs",
"ecosystem": "Red Hat:rhel_e4s:8.6::appstream",
"purl": "pkg:rpm/redhat/git-lfs@2.13.3-3.el8_6.1?arch=x86_64"
"purl": "pkg:rpm/redhat/git-lfs"
},
"ranges": [
{
Expand All @@ -159,7 +159,7 @@
"package": {
"name": "git-lfs-debuginfo",
"ecosystem": "Red Hat:rhel_e4s:8.6::appstream",
"purl": "pkg:rpm/redhat/git-lfs-debuginfo@2.13.3-3.el8_6.1?arch=ppc64le"
"purl": "pkg:rpm/redhat/git-lfs-debuginfo"
},
"ranges": [
{
Expand All @@ -179,7 +179,7 @@
"package": {
"name": "git-lfs-debuginfo",
"ecosystem": "Red Hat:rhel_e4s:8.6::appstream",
"purl": "pkg:rpm/redhat/git-lfs-debuginfo@2.13.3-3.el8_6.1?arch=x86_64"
"purl": "pkg:rpm/redhat/git-lfs-debuginfo"
},
"ranges": [
{
Expand All @@ -199,7 +199,7 @@
"package": {
"name": "git-lfs-debugsource",
"ecosystem": "Red Hat:rhel_e4s:8.6::appstream",
"purl": "pkg:rpm/redhat/git-lfs-debugsource@2.13.3-3.el8_6.1?arch=ppc64le"
"purl": "pkg:rpm/redhat/git-lfs-debugsource"
},
"ranges": [
{
Expand All @@ -219,7 +219,7 @@
"package": {
"name": "git-lfs-debugsource",
"ecosystem": "Red Hat:rhel_e4s:8.6::appstream",
"purl": "pkg:rpm/redhat/git-lfs-debugsource@2.13.3-3.el8_6.1?arch=x86_64"
"purl": "pkg:rpm/redhat/git-lfs-debugsource"
},
"ranges": [
{
Expand All @@ -239,7 +239,7 @@
"package": {
"name": "git-lfs",
"ecosystem": "Red Hat:rhel_tus:8.6::appstream",
"purl": "pkg:rpm/redhat/git-lfs@2.13.3-3.el8_6.1?arch=src"
"purl": "pkg:rpm/redhat/git-lfs"
},
"ranges": [
{
Expand All @@ -259,7 +259,7 @@
"package": {
"name": "git-lfs",
"ecosystem": "Red Hat:rhel_tus:8.6::appstream",
"purl": "pkg:rpm/redhat/git-lfs@2.13.3-3.el8_6.1?arch=x86_64"
"purl": "pkg:rpm/redhat/git-lfs"
},
"ranges": [
{
Expand All @@ -279,7 +279,7 @@
"package": {
"name": "git-lfs-debuginfo",
"ecosystem": "Red Hat:rhel_tus:8.6::appstream",
"purl": "pkg:rpm/redhat/git-lfs-debuginfo@2.13.3-3.el8_6.1?arch=x86_64"
"purl": "pkg:rpm/redhat/git-lfs-debuginfo"
},
"ranges": [
{
Expand All @@ -299,7 +299,7 @@
"package": {
"name": "git-lfs-debugsource",
"ecosystem": "Red Hat:rhel_tus:8.6::appstream",
"purl": "pkg:rpm/redhat/git-lfs-debugsource@2.13.3-3.el8_6.1?arch=x86_64"
"purl": "pkg:rpm/redhat/git-lfs-debugsource"
},
"ranges": [
{
