Closed JimmyDore closed 1 year ago
Fix proposed here : #129
Hi @JimmyDore - thanks for the proposed fix and reporting this issue.
Are you able to share an example input (e.g. requirements.txt
or such) that reproduces this behaviour? Would like to ensure this is fixed proper!
Hi @madpah, sorry for not providing this earlier 🤦♂️
Here is an example:
certifi==2022.12.7
charset-normalizer==3.1.0
colorama==0.4.6
commonmark==0.9.1
cyclonedx-bom==3.11.0
cyclonedx-python-lib==3.1.5
idna==3.4
jake==3.0.0
MarkupSafe==2.1.2
ossindex-lib==1.1.1
packageurl-python==0.9.9
packaging==23.0
pip-requirements-parser==32.0.1
polling2==0.5.0
pyfiglet==0.8.post1
Pygments==2.14.0
pyparsing==3.0.9
PyYAML==6.0
requests==2.28.2
rich==10.16.2
sortedcontainers==2.4.0
tinydb==4.7.1
toml==0.10.2
types-PyYAML==5.4.12
types-requests==2.28.11.17
types-setuptools==67.6.0.6
types-urllib3==1.26.25.10
urllib3==1.26.15
Werkzeug==2.2.2
Werkzeug==2.2.2 triggers CWE: CVE-2023-23934, and it generates a "CWE-noinfo"
Thanks for taking a look!
Describe the bug
CWE name can have the name "CWE-noinfo", instead of being suffixed by an integer. It seems it's not handled in jake, and raises this specific error:
To Reproduce
Steps to reproduce the behavior:
jake -w ddt --output-format json --schema-version 1.4 -o /tmp/jake.json
Screenshots
Fail in GitLab pipeline:
Additional context
First time opening a GitHub issue, and trying to contribute to Open Source. Don't hesitate to let me know if I forgot to do something; it seems I can't sign the Sonatype CLA.
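The failure described in this issue is a parsing assumption: the code expects every CWE label to be "CWE-" followed by an integer, so a catch-all label such as "CWE-noinfo" raises instead of being skipped. The snippet below is an added example written for this thread, not jake's or cyclonedx-python-lib's own code; the label list is constructed, and the treatment of "CWE-Other" as a second non-numeric label is an assumption about the data feed. It shows the tolerant parse a BOM generator wants: numeric ids are returned as integers, anything else is reported as "no CWE id" rather than aborting the whole report.

```python
import re
from typing import List, Optional

# Constructed sample of CWE labels as they can appear in vulnerability data.
# Most are numeric ("CWE-79"); "CWE-noinfo" is the label from this issue and
# "CWE-Other" is assumed to be another catch-all with no integer suffix.
SAMPLE_CWE_LABELS = ["CWE-79", "cwe-787", "CWE-noinfo", "CWE-Other", "", "not-a-cwe"]

# Accept only "CWE-<digits>", case-insensitively, with surrounding whitespace tolerated.
_CWE_NUMERIC = re.compile(r"^CWE-(\d+)$", re.IGNORECASE)


def parse_cwe_id(label: Optional[str]) -> Optional[int]:
    """Return the integer CWE id, or None when the label carries no numeric id.

    Catch-all labels such as "CWE-noinfo" deliberately map to None instead of
    raising, so a single odd label cannot break SBOM generation.
    """
    if not label:
        return None
    match = _CWE_NUMERIC.match(label.strip())
    if match is None:
        return None
    return int(match.group(1))


def cwe_ids_for_bom(labels: List[str]) -> List[int]:
    """Collect the numeric CWE ids for a vulnerability entry, skipping the rest."""
    ids: List[int] = []
    for label in labels:
        cwe = parse_cwe_id(label)
        if cwe is not None:
            ids.append(cwe)
    return ids


def unparsed_labels(labels: List[str]) -> List[str]:
    """Return the labels that were skipped, so they can be logged for review."""
    return [label for label in labels if label and parse_cwe_id(label) is None]


if __name__ == "__main__":
    print("cwe ids:", cwe_ids_for_bom(SAMPLE_CWE_LABELS))
    print("skipped:", unparsed_labels(SAMPLE_CWE_LABELS))
```

Keeping the skipped labels visible (the second function) matters for a security report: silently dropping "CWE-noinfo" is correct for the integer field, but the entry should still be emitted so the vulnerability itself is not lost from the BOM.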