sonatype-nexus-community / jake

Check your Python environments for vulnerable Open Source packages with OSS Index or Sonatype Nexus Lifecycle.
https://jake.readthedocs.io/
Apache License 2.0

[BUG] - "CWE-noinfo" not handled #128

Closed JimmyDore closed 1 year ago

JimmyDore commented 1 year ago

Describe the bug The CWE name can be "CWE-noinfo" instead of being suffixed by an integer. It seems this is not handled in jake, and it raises this specific error:

🐍 Collected 321 packages from your environment                      ━━ 100% 0:…
🐍 Successfully queried OSS Index for package and vulnerability info ━━ 100% 0:…
🐍 Sane number of results from OSS Index                             ━━ 100% 0:…
🐍 Munching & crunching data...                                      ━   74% 0:…
Traceback (most recent call last):
  File "/home/testuser/venv/bin/jake", line 8, in <module>
    sys.exit(main())
  File "/home/testuser/venv/lib/python3.8/site-packages/jake/app.py", line 106, in main
    JakeCmd(args).execute()
  File "/home/testuser/venv/lib/python3.8/site-packages/jake/app.py", line 80, in execute
    exit_code: int = command.execute(arguments=self._arguments)
  File "/home/testuser/venv/lib/python3.8/site-packages/jake/command/__init__.py", line 43, in execute
    return self.handle_args()
  File "/home/testuser/venv/lib/python3.8/site-packages/jake/command/oss.py", line 142, in handle_args
    cwes=[int(oic_vulnerability.cwe[4:])] if oic_vulnerability.cwe else None,
ValueError: invalid literal for int() with base 10: 'noinfo'

To Reproduce Steps to reproduce the behavior:

  1. Simply run jake. I run it with jake -w ddt --output-format json --schema-version 1.4 -o /tmp/jake.json
  2. Raises the error mentioned above

Screenshots Fail in GitLab pipeline (image)

Additional context First time opening a GitHub issue, and trying to contribute to Open Source. Don't hesitate to let me know if I forgot to do something. It seems I can't sign the Sonatype CLA (image).
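The crash above comes from `int(oic_vulnerability.cwe[4:])`: it assumes every OSS Index `cwe` value is `CWE-<digits>`, so the NVD-style marker `CWE-noinfo` (no CWE assigned) blows up the whole run. The following is an added example written for this write-up, not jake's own code or the fix in #129. It shows a tolerant parser for the field: numeric ids are kept, non-numeric markers are dropped, and a missing or empty value yields `None` like the original expression. The `NVD-` prefix, bare digits, and comma-separated lists are assumptions about other shapes the field might take; only `CWE-<n>` and `CWE-noinfo` are confirmed by this issue. The sample vulnerability records at the bottom are constructed for the demo.

```python
import re
from typing import Dict, List, Optional

# Accepts "CWE-79", "cwe-79", and (assumed) "NVD-CWE-79"; anything else,
# e.g. "CWE-noinfo" or "CWE-Other", is treated as "no CWE id known".
_CWE_RE = re.compile(r"^(?:NVD-)?CWE-(\d+)$", re.IGNORECASE)


def parse_cwe_ids(cwe_field: Optional[str]) -> Optional[List[int]]:
    """Return the numeric CWE ids found in an OSS Index 'cwe' string.

    Returns None when the field is empty or carries no numeric id, so the
    caller can emit "no CWE" instead of crashing with ValueError.
    """
    if not cwe_field:
        return None
    ids: List[int] = []
    # Assumption: a field may list several ids separated by commas/whitespace.
    for token in re.split(r"[,\s]+", cwe_field.strip()):
        if not token:
            continue
        match = _CWE_RE.match(token)
        if match:
            ids.append(int(match.group(1)))
        elif token.isdigit():  # assumption: a bare number means a CWE id
            ids.append(int(token))
        # else: "CWE-noinfo", "CWE-Other", or junk -> skip, do not raise
    return ids or None


def build_cwe_map(vulnerabilities: List[Dict[str, Optional[str]]]) -> Dict[str, Optional[List[int]]]:
    """Mimic the 'munching' step: map each vulnerability id to its CWE ids.

    This is the loop that died at 74% in the issue; with parse_cwe_ids it
    completes even when one record carries "CWE-noinfo".
    """
    return {v["id"]: parse_cwe_ids(v.get("cwe")) for v in vulnerabilities}


# Constructed sample input. CVE-2023-23934 / "CWE-noinfo" is the case from
# this issue; the other ids are made up for the demo.
SAMPLE_VULNS: List[Dict[str, Optional[str]]] = [
    {"id": "CVE-2023-23934", "cwe": "CWE-noinfo"},
    {"id": "EXAMPLE-0001", "cwe": "CWE-79"},
    {"id": "EXAMPLE-0002", "cwe": None},
    {"id": "EXAMPLE-0003", "cwe": "CWE-20, CWE-Other, 89"},
]


if __name__ == "__main__":
    for vuln_id, cwes in build_cwe_map(SAMPLE_VULNS).items():
        print(f"{vuln_id}: {cwes}")
```

The design choice is to degrade to "no CWE" rather than abort: a vulnerability with an unknown weakness class still belongs in the SBOM/VEX output, and a single odd value from the upstream feed should not zero out a 321-package scan in CI.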

JimmyDore commented 1 year ago

Fix proposed here : #129

madpah commented 1 year ago

Hi @JimmyDore - thanks for the proposed fix and reporting this issue.

Are you able to share an example input (e.g. requirements.txt or such) that reproduces this behaviour? Would like to ensure this is fixed proper!

JimmyDore commented 1 year ago

> Hi @JimmyDore - thanks for the proposed fix and reporting this issue.
>
> Are you able to share an example input (e.g. requirements.txt or such) that reproduces this behaviour? Would like to ensure this is fixed proper!

Hi @madpah, sorry for not providing this earlier 🤦‍♂️

Here is an example :

certifi==2022.12.7
charset-normalizer==3.1.0
colorama==0.4.6
commonmark==0.9.1
cyclonedx-bom==3.11.0
cyclonedx-python-lib==3.1.5
idna==3.4
jake==3.0.0
MarkupSafe==2.1.2
ossindex-lib==1.1.1
packageurl-python==0.9.9
packaging==23.0
pip-requirements-parser==32.0.1
polling2==0.5.0
pyfiglet==0.8.post1
Pygments==2.14.0
pyparsing==3.0.9
PyYAML==6.0
requests==2.28.2
rich==10.16.2
sortedcontainers==2.4.0
tinydb==4.7.1
toml==0.10.2
types-PyYAML==5.4.12
types-requests==2.28.11.17
types-setuptools==67.6.0.6
types-urllib3==1.26.25.10
urllib3==1.26.15
Werkzeug==2.2.2

Werkzeug==2.2.2 triggers CVE-2023-23934, and it generates a "CWE-noinfo".

Thanks for taking a look!