intel / cve-bin-tool

The CVE Binary Tool helps you determine if your system includes known vulnerabilities. You can scan binaries for over 200 common, vulnerable components (openssl, libpng, libxml2, expat and others), or if you know the components used, you can get a list of known vulnerabilities associated with an SBOM or a list of components and versions.
https://cve-bin-tool.readthedocs.io/en/latest/
GNU General Public License v3.0

refactor: decode_cpe23 de-duplication #4180

Closed terriko closed 2 months ago

terriko commented 3 months ago

4164 added a second cpe-decoding function which is basically the same as the one found in the sbom code. We should refactor things so we don't have duplicated code. Probably the best thing to do is move the decode_cpe23 function in with our other utils and import it from there in both the language parser and sbom code.

Pinging @inosmeet and @mastersans in case you need to coordinate so this doesn't break the two PRs that are still open (I'm still waiting on licensing approval for lib4vex before those merge, but they are otherwise ready). I think the changes needed should be pretty minimal so it won't be a big problem, though.
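A shared CPE 2.3 decoder of the kind this issue asks for, as an added example that is not cve-bin-tool's own code: the function name decode_cpe23 comes from the issue, the component order follows the CPE 2.3 formatted-string binding, and the helper names and the error-handling choices are assumptions.

```python
import re
from typing import Dict, Optional, Tuple

# The eleven components of the CPE 2.3 formatted-string binding, in order.
CPE23_FIELDS = (
    "part", "vendor", "product", "version", "update", "edition",
    "language", "sw_edition", "target_sw", "target_hw", "other",
)
_PREFIX = "cpe:2.3:"
_UNESCAPE = re.compile(r"\\(.)")


def _decode_component(raw: str) -> Optional[str]:
    """'*' (ANY) and '-' (NA) carry no concrete value, so they become None;
    backslash escapes such as '\\.' or '\\:' are stripped."""
    if raw in ("*", "-"):
        return None
    return _UNESCAPE.sub(r"\1", raw)


def decode_cpe23(cpe: str) -> Dict[str, Optional[str]]:
    """Split a 'cpe:2.3:...' string into its named components.

    Colons separate fields unless escaped as '\\:', so we split only on
    unescaped colons. Malformed input raises ValueError instead of returning
    a partial dict that would silently mis-key a vulnerability lookup.
    """
    if not cpe.startswith(_PREFIX):
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    parts = re.split(r"(?<!\\):", cpe[len(_PREFIX):])
    if len(parts) != len(CPE23_FIELDS):
        raise ValueError(
            f"expected {len(CPE23_FIELDS)} components, got {len(parts)}: {cpe!r}"
        )
    return {name: _decode_component(p) for name, p in zip(CPE23_FIELDS, parts)}


def vendor_product_version(cpe: str) -> Tuple[Optional[str], ...]:
    """The (vendor, product, version) triple that CVE matching keys on;
    both the language parsers and the SBOM code would call this one helper."""
    decoded = decode_cpe23(cpe)
    return decoded["vendor"], decoded["product"], decoded["version"]
```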

mastersans commented 3 months ago

Currently I'm using decode_bom_ref in my vex parser, same as the one present in sbom_manager, which I was thinking of refactoring later so that it can be included as well. Also I will require a decode_cpe function for openvex parsing specifically, and decode_purl for csaf and openvex parsing, maybe for some improvement in cyclonedx too, so anyone interested in working on this one feel free to do so; I will do it later if it's still open then.

cc @terriko @anthonyharrison @inosmeet