pyupio / safety

Safety checks Python dependencies for known security vulnerabilities and suggests the proper remediations for vulnerabilities detected.
https://safetycli.com/product/safety-cli
MIT License

Regression: Do not parse `cve` if `cve == None` #409

Closed v01dXYZ closed 1 year ago

v01dXYZ commented 1 year ago

Description

The database file contains entries with the cve field equal to null. Contrary to 1.10.3, which only parses the field if it is neither None nor "", version 2.2.0 assumes it is always a string.

What I Did

$ safety --debug check

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/safety/cli.py", line 143, in check
    vulns, db_full = safety.check(packages=packages, key=key, db_mirror=db, cached=cache, ignore_vulns=ignore,
  File "/usr/local/lib/python3.8/site-packages/safety/util.py", line 601, in new_func
    return f(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/safety/safety.py", line 341, in check
    cve = get_cve_from(data, db_full)
  File "/usr/local/lib/python3.8/site-packages/safety/safety.py", line 279, in get_cve_from
    cve_id = data.get("cve", '').split(",")[0].strip()
AttributeError: 'NoneType' object has no attribute 'split'

$ curl "https://raw.githubusercontent.com/pyupio/safety-db/bc28866e8129481f6b7b687591ae59e96f567dd1/data/insecure_full.json" -s  | grep -A5 -B2 '"cve": null'

        {
            "advisory": "Hypercorn 0.6.0 pauses reading during h11 pipelining, fixing a potential DOS weakness.",
            "cve": null,
            "id": "pyup.io-50866",
            "more_info_path": "/vulnerabilities/None/50866/",
            "specs": [
                "<0.6.0"
            ],
--
        {
            "advisory": "Opendp 0.5.0 hardens samplers to handle some privacy violation cases.\r\nhttps://github.com/opendp/opendp/pull/481",
            "cve": null,
            "id": "pyup.io-50829",
            "more_info_path": "/vulnerabilities/None/50829/",
            "specs": [
                "<0.5.0"
            ],
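The crash in the traceback above comes from `dict.get("cve", '')`: the default only applies when the key is absent, so an explicit JSON `null` is returned as `None` and `.split` fails. The following is an added example (my own code, not Safety's) that reproduces the failing expression on a constructed copy of the two null-cve entries quoted above, and shows a tolerant parser that returns `None` for a null or empty field and the first identifier of a comma-separated list otherwise. The database layout (package name mapping to a list of entries, plus a `$meta` key) and the `examplepkg` entry are assumptions made for the demonstration.

```python
import json
from typing import Dict, List, Optional

# Constructed sample, not the real insecure_full.json: the two null-cve
# entries quoted in the issue plus a hypothetical package whose cve field
# holds a comma-separated list. Layout (package -> list of entries) is assumed.
SAMPLE_DB = json.loads("""
{
  "$meta": {"advisory": "constructed sample", "timestamp": 0},
  "hypercorn": [
    {"advisory": "Hypercorn 0.6.0 pauses reading during h11 pipelining, fixing a potential DOS weakness.",
     "cve": null, "id": "pyup.io-50866",
     "more_info_path": "/vulnerabilities/None/50866/", "specs": ["<0.6.0"]}
  ],
  "opendp": [
    {"advisory": "Opendp 0.5.0 hardens samplers to handle some privacy violation cases.",
     "cve": null, "id": "pyup.io-50829",
     "more_info_path": "/vulnerabilities/None/50829/", "specs": ["<0.5.0"]}
  ],
  "examplepkg": [
    {"advisory": "Constructed entry for a hypothetical package.",
     "cve": "CVE-2021-0001, CVE-2021-0002", "id": "pyup.io-00001",
     "more_info_path": "/vulnerabilities/CVE-2021-0001/00001/", "specs": ["<1.0"]}
  ]
}
""")


def cve_id_buggy(data: dict) -> str:
    # Same expression as the 2.2.0 line in the traceback. The '' default is
    # never used for an explicit null, so None.split(...) raises AttributeError.
    return data.get("cve", '').split(",")[0].strip()


def cve_id_from(data: dict) -> Optional[str]:
    """Return the first CVE identifier, or None when the field is absent, null or empty."""
    raw = data.get("cve")
    if not isinstance(raw, str) or not raw.strip():
        return None
    first = raw.split(",")[0].strip()
    return first or None


def _entries(db: dict):
    # Skip the metadata object; everything else is assumed to be a list of advisories.
    for pkg, entries in db.items():
        if pkg == "$meta":
            continue
        for entry in entries:
            yield entry


def reproduce_regression(db: dict) -> List[str]:
    """Advisory ids on which the 2.2.0 expression raises AttributeError."""
    failing = []
    for entry in _entries(db):
        try:
            cve_id_buggy(entry)
        except AttributeError:
            failing.append(entry["id"])
    return failing


def collect_cve_ids(db: dict) -> Dict[str, Optional[str]]:
    """Map advisory id -> first CVE id, None where the database has no identifier."""
    return {entry["id"]: cve_id_from(entry) for entry in _entries(db)}


if __name__ == "__main__":
    print("entries that crash the 2.2.0 parser:", reproduce_regression(SAMPLE_DB))
    for advisory_id, cve in collect_cve_ids(SAMPLE_DB).items():
        print(f"{advisory_id}: {cve if cve else '<no CVE id in database>'}")
```

Treating a missing identifier as `None` rather than `''` also makes the downstream check explicit: entries with `None` are exactly the ones that, per the maintainer, should not exist in the exported database and can be reported instead of silently ignored.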

yeisonvargasf commented 1 year ago

Hi @v01dXYZ, thanks for reporting this issue; we appreciate your report.

I want to explain that now (Safety 2.0+), all the vulnerabilities have a link to a CVE ID (or a PVE ID), so this issue is a bug coming from the bot's free and open-source database process and upload.

Therefore we are working on finding and fixing the issue that exported those null CVEs; also, we have added handling for "None" CVE ids in the Safety code.

PR #412 has the extra validation for None CVE ids; it will be available in the following Safety version.

I will close this issue; please, open a new one or comment if you have any other questions or concerns.