Example SBOM (1.4, JSON) with the changes:
{
"$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.4",
"serialNumber": "urn:uuid:ee4a7637-7ebf-4c60-b4db-eb63b9bd19b5",
"version": 1,
"metadata": {
"timestamp": "2022-01-27T08:56:24.359212+00:00",
"tools": [
{
"vendor": "CycloneDX",
"name": "cyclonedx-python-lib",
"version": "1.3.0",
"externalReferences": [
{
"type": "build-system",
"url": "https://github.com/CycloneDX/cyclonedx-python-lib/actions"
},
{
"type": "distribution",
"url": "https://pypi.org/project/cyclonedx-python-lib/"
},
{
"type": "documentation",
"url": "https://cyclonedx.github.io/cyclonedx-python-lib/"
},
{
"type": "issue-tracker",
"url": "https://github.com/CycloneDX/cyclonedx-python-lib/issues"
},
{
"type": "license",
"url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE"
},
{
"type": "release-notes",
"url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md"
},
{
"type": "vcs",
"url": "https://github.com/CycloneDX/cyclonedx-python-lib"
},
{
"type": "website",
"url": "https://cyclonedx.org"
}
]
}
]
},
"components": [
{
"type": "library",
"bom-ref": "ffccc54d-3d7d-4e85-8b05-95bd162cf646",
"author": "Kenneth Reitz",
"name": "certifi",
"version": "2021.10.8",
"licenses": [
{
"expression": "MPL-2.0"
}
],
"purl": "pkg:pypi/certifi@2021.10.8"
},
{
"type": "library",
"bom-ref": "f3d183fd-8bba-4648-a3ed-077b650bdff4",
"author": "Python Packaging Authority",
"name": "setuptools",
"version": "59.6.0",
"purl": "pkg:pypi/setuptools@59.6.0"
},
{
"type": "library",
"bom-ref": "f882d243-2a3d-4326-a21f-42888b4aa04c",
"name": "types-setuptools",
"version": "57.4.7",
"licenses": [
{
"expression": "Apache-2.0 license"
}
],
"purl": "pkg:pypi/types-setuptools@57.4.7"
},
{
"type": "library",
"bom-ref": "3d2cbe11-75d2-403a-ac11-3e7c1f0ac8cb",
"author": "Hynek Schlawack",
"name": "attrs",
"version": "21.4.0",
"licenses": [
{
"expression": "MIT"
}
],
"purl": "pkg:pypi/attrs@21.4.0"
},
{
"type": "library",
"bom-ref": "c57da1eb-d01e-4bd2-96cf-45fbb2ce31ec",
"author": "The pip developers",
"name": "pip",
"version": "21.3.1",
"licenses": [
{
"expression": "MIT"
}
],
"purl": "pkg:pypi/pip@21.3.1"
},
{
"type": "library",
"bom-ref": "ac67fa1d-775b-4bb6-888f-d3c0e05c572d",
"author": "Donald Stufft and individual contributors",
"name": "packaging",
"version": "21.3",
"licenses": [
{
"expression": "BSD-2-Clause or Apache-2.0"
}
],
"purl": "pkg:pypi/packaging@21.3"
},
{
"type": "library",
"bom-ref": "8ea61715-9854-4d8d-89a8-2ced85f1f933",
"author": "Bernat Gabor",
"name": "virtualenv",
"version": "20.13.0",
"licenses": [
{
"expression": "MIT"
}
],
"purl": "pkg:pypi/virtualenv@20.13.0"
},
{
"type": "library",
"bom-ref": "856e453e-1414-4f54-bfff-e6ddd0063b20",
"author": "Will McGugan",
"name": "rich",
"version": "11.0.0",
"licenses": [
{
"expression": "MIT"
}
],
"purl": "pkg:pypi/rich@11.0.0"
},
{
"type": "library",
"bom-ref": "8c2da1c2-b5df-4b55-af57-bac5c7f89a67",
"author": "Holger Krekel, Bruno Oliveira, Ronny Pfannschmidt, Floris Bruynooghe, Brianna Laugher, Florian Bruhin and others",
"name": "pytest",
"version": "6.2.5",
"licenses": [
{
"expression": "MIT"
}
],
"purl": "pkg:pypi/pytest@6.2.5"
},
{
"type": "library",
"bom-ref": "e543c7e6-d5e0-459c-ac79-c289a975a677",
"author": "Ned Batchelder and 146 others",
"name": "coverage",
"version": "6.2",
"licenses": [
{
"expression": "Apache 2.0"
}
],
"purl": "pkg:pypi/coverage@6.2"
},
{
"type": "library",
"bom-ref": "7d1da738-be12-4bd4-9970-303382bbc9b9",
"author": "Markus Siemens",
"name": "tinydb",
"version": "4.6.1",
"licenses": [
{
"expression": "MIT"
}
],
"purl": "pkg:pypi/tinydb@4.6.1"
},
{
"type": "library",
"bom-ref": "0d728da6-33dd-4324-b80e-55e01a4793ff",
"author": "Tarek Ziade",
"name": "flake8",
"version": "4.0.1",
"licenses": [
{
"expression": "MIT"
}
],
"purl": "pkg:pypi/flake8@4.0.1"
},
{
"type": "library",
"bom-ref": "148fa5dd-79a0-4cae-9865-8ae2f98c52b4",
"author": "Holger Krekel, Oliver Bestwalter, Bern\u00e1t G\u00e1bor and others",
"name": "tox",
"version": "3.24.5",
"licenses": [
{
"expression": "MIT"
}
],
"purl": "pkg:pypi/tox@3.24.5"
},
{
"type": "library",
"bom-ref": "c57fe768-a2d9-438c-b1e4-fec171192d7c",
"author": "Benedikt Schmitt",
"name": "filelock",
"version": "3.4.1",
"licenses": [
{
"expression": "Unlicense"
}
],
"purl": "pkg:pypi/filelock@3.4.1"
},
{
"type": "library",
"bom-ref": "13d5e7cb-887b-4d34-803f-f70100be18d7",
"author": "Kim Davies",
"name": "idna",
"version": "3.3",
"licenses": [
{
"expression": "BSD-3-Clause"
}
],
"purl": "pkg:pypi/idna@3.3"
},
{
"type": "library",
"bom-ref": "1a209cc9-0caf-4fdc-a0d8-e7c66766c2f0",
"author": "Paul McGuire",
"name": "pyparsing",
"version": "3.0.7",
"licenses": [
{
"expression": "MIT License"
}
],
"purl": "pkg:pypi/pyparsing@3.0.7"
},
{
"type": "library",
"bom-ref": "8277fa4f-30ef-4d0d-b1d9-1a2e009701cd",
"author": "Kenneth Reitz",
"name": "requests",
"version": "2.27.1",
"licenses": [
{
"expression": "Apache 2.0"
}
],
"purl": "pkg:pypi/requests@2.27.1"
},
{
"type": "library",
"bom-ref": "1e7943de-53d6-4627-a6c4-e421a7d10206",
"author": "Georg Brandl",
"name": "Pygments",
"version": "2.11.2",
"licenses": [
{
"expression": "BSD License"
}
],
"purl": "pkg:pypi/pygments@2.11.2"
},
{
"type": "library",
"bom-ref": "e0531b38-c0b5-439d-8d4e-c95cc2a0cfa3",
"author": "Johann C. Rocholl",
"name": "pycodestyle",
"version": "2.8.0",
"licenses": [
{
"expression": "Expat license"
}
],
"purl": "pkg:pypi/pycodestyle@2.8.0"
},
{
"type": "library",
"bom-ref": "abd70860-96f0-40a5-b25f-d992ce55a250",
"author": "A lot of people",
"name": "pyflakes",
"version": "2.4.0",
"licenses": [
{
"expression": "MIT"
}
],
"purl": "pkg:pypi/pyflakes@2.4.0"
},
{
"type": "library",
"bom-ref": "81409b25-1213-4ea1-a802-807e1a6676a4",
"name": "platformdirs",
"version": "2.4.0",
"licenses": [
{
"expression": "MIT"
}
],
"purl": "pkg:pypi/platformdirs@2.4.0"
},
{
"type": "library",
"bom-ref": "46a2ca5e-55d7-4b37-aeb5-8afc2bcf622e",
"author": "Ahmed TAHRI @Ousret",
"name": "charset-normalizer",
"version": "2.0.10",
"licenses": [
{
"expression": "MIT"
}
],
"purl": "pkg:pypi/charset-normalizer@2.0.10"
},
{
"type": "library",
"bom-ref": "92eab689-5abb-4e08-b71d-f8eb2d0ac2b5",
"author": "Steven Springett",
"name": "cyclonedx-bom",
"version": "2.0.1",
"licenses": [
{
"expression": "Apache-2.0"
}
],
"purl": "pkg:pypi/cyclonedx-bom@2.0.1"
},
{
"type": "library",
"bom-ref": "9888c71c-39d9-4ee7-a319-58bcadeb47da",
"author": "Andrey Petrov",
"name": "urllib3",
"version": "1.26.8",
"licenses": [
{
"expression": "MIT"
}
],
"purl": "pkg:pypi/urllib3@1.26.8"
},
{
"type": "library",
"bom-ref": "db7cc511-a0b4-445f-85ca-fd8d394b5cfc",
"author": "Benjamin Peterson",
"name": "six",
"version": "1.16.0",
"licenses": [
{
"expression": "MIT"
}
],
"purl": "pkg:pypi/six@1.16.0"
},
{
"type": "library",
"bom-ref": "a887ae3d-7e2c-4be0-9574-7f23a7bba9b6",
"author": "holger krekel, Ronny Pfannschmidt, Benjamin Peterson and others",
"name": "py",
"version": "1.11.0",
"licenses": [
{
"expression": "MIT license"
}
],
"purl": "pkg:pypi/py@1.11.0"
},
{
"type": "library",
"bom-ref": "5c5da76d-8cae-4f2b-83b6-36448b248e12",
"author": "Paul Horton",
"name": "cyclonedx-python-lib",
"version": "1.3.0",
"licenses": [
{
"expression": "Apache-2.0"
}
],
"purl": "pkg:pypi/cyclonedx-python-lib@1.3.0"
},
{
"type": "library",
"bom-ref": "6de2741f-3e9a-4f4f-85d2-c76805ba95ee",
"author": "Jos\u00e9 Padilla",
"name": "PyJWT",
"version": "1.3.0",
"licenses": [
{
"expression": "MIT"
}
],
"purl": "pkg:pypi/pyjwt@1.3.0"
},
{
"type": "library",
"bom-ref": "decf14ef-0978-468f-96b8-88f50506b68d",
"author": "Ronny Pfannschmidt, Holger Krekel",
"name": "iniconfig",
"version": "1.1.1",
"licenses": [
{
"expression": "MIT License"
}
],
"purl": "pkg:pypi/iniconfig@1.1.1"
},
{
"type": "library",
"bom-ref": "6d54b14b-6829-43f8-bde1-67b64ebd3993",
"author": "Holger Krekel",
"name": "pluggy",
"version": "1.0.0",
"licenses": [
{
"expression": "MIT"
}
],
"purl": "pkg:pypi/pluggy@1.0.0"
},
{
"type": "library",
"bom-ref": "76586a8e-5329-46b8-b552-c6307bdd4719",
"author": "Daniel Holth",
"name": "wheel",
"version": "0.37.0",
"licenses": [
{
"expression": "MIT"
}
],
"purl": "pkg:pypi/wheel@0.37.0"
},
{
"type": "library",
"bom-ref": "84b57982-f8b3-4b7d-b170-a98a5e1d0db0",
"name": "types-toml",
"version": "0.10.3",
"licenses": [
{
"expression": "Apache-2.0 license"
}
],
"purl": "pkg:pypi/types-toml@0.10.3"
},
{
"type": "library",
"bom-ref": "0fa1011e-6548-41d8-a97b-f453432dbcec",
"author": "William Pearson",
"name": "toml",
"version": "0.10.2",
"licenses": [
{
"expression": "MIT"
}
],
"purl": "pkg:pypi/toml@0.10.2"
},
{
"type": "library",
"bom-ref": "c2fd0e00-3a42-4cb7-82b2-77d02c215df5",
"author": "the purl authors",
"name": "packageurl-python",
"version": "0.9.6",
"licenses": [
{
"expression": "MIT"
}
],
"purl": "pkg:pypi/packageurl-python@0.9.6"
},
{
"type": "library",
"bom-ref": "a24ba1e7-68aa-4727-b335-929d246f58df",
"author": "Bibek Kafle <bkafle662@gmail.com>, Roland Shoemaker <rolandshoemaker@gmail.com>",
"name": "commonmark",
"version": "0.9.1",
"licenses": [
{
"expression": "BSD-3-Clause"
}
],
"purl": "pkg:pypi/commonmark@0.9.1"
},
{
"type": "library",
"bom-ref": "4f418679-331f-418b-8a8b-e6b0a49c43c8",
"author": "Peter Waller (Thanks to Christopher Jones and Stefano Rivera)",
"name": "pyfiglet",
"version": "0.8.post1",
"licenses": [
{
"expression": "MIT"
}
],
"purl": "pkg:pypi/pyfiglet@0.8.post1"
},
{
"type": "library",
"bom-ref": "cded65f9-94fe-4a69-9e50-a51d29dc0305",
"author": "Ian Cordasco",
"name": "mccabe",
"version": "0.6.1",
"licenses": [
{
"expression": "Expat license"
}
],
"purl": "pkg:pypi/mccabe@0.6.1"
},
{
"type": "library",
"bom-ref": "9ecc003c-5346-4785-9b1d-81ebd29c00fa",
"author": "Donal Mee",
"name": "polling2",
"version": "0.5.0",
"purl": "pkg:pypi/polling2@0.5.0"
},
{
"type": "library",
"bom-ref": "df04cfb6-bbc1-4465-a1b8-13182941700e",
"author": "Jonathan Hartley",
"name": "colorama",
"version": "0.4.4",
"licenses": [
{
"expression": "BSD"
}
],
"purl": "pkg:pypi/colorama@0.4.4"
},
{
"type": "library",
"bom-ref": "dfd61713-a56d-40d5-a064-97d1a3c9d3ad",
"author": "Vinay Sajip",
"name": "distlib",
"version": "0.3.4",
"licenses": [
{
"expression": "Python license"
}
],
"purl": "pkg:pypi/distlib@0.3.4"
},
{
"type": "library",
"bom-ref": "3c20d0b7-ac28-49a5-b000-d6113b13f508",
"author": "Paul Horton",
"name": "ossindex-lib",
"version": "0.2.1",
"licenses": [
{
"expression": "Apache-2.0"
}
],
"purl": "pkg:pypi/ossindex-lib@0.2.1"
}
],
"vulnerabilities": [
{
"bom-ref": "4dc8bf86-e2ee-45b0-881f-bb4f03748b5b",
"id": "4dc8bf86-e2ee-45b0-881f-bb4f03748b5b",
"source": {
"name": "OSS Index",
"url": "https://ossindex.sonatype.org/vulnerability/4dc8bf86-e2ee-45b0-881f-bb4f03748b5b?component-type=pypi&component-name=pyjwt&utm_source=python-oss-index-lib%400.2.1&utm_medium=integration"
},
"references": [
{
"id": "CVE-2017-11424",
"source": {
"name": "OSS Index",
"url": "https://ossindex.sonatype.org/vulnerability/4dc8bf86-e2ee-45b0-881f-bb4f03748b5b?component-type=pypi&component-name=pyjwt&utm_source=python-oss-index-lib%400.2.1&utm_medium=integration"
}
}
],
"ratings": [
{
"source": {
"name": "OSS Index",
"url": "https://ossindex.sonatype.org/vulnerability/4dc8bf86-e2ee-45b0-881f-bb4f03748b5b?component-type=pypi&component-name=pyjwt&utm_source=python-oss-index-lib%400.2.1&utm_medium=integration"
},
"score": 7.5,
"severity": "high",
"method": "CVSSv3",
"vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
}
],
"description": "[CVE-2017-11424] Improper Access Control",
"detail": "In PyJWT 1.5.0 and below the `invalid_strings` check in `HMACAlgorithm.prepare_key` does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string `-----BEGIN RSA PUBLIC KEY-----` which is not accounted for. This enables symmetric/asymmetric key confusion attacks against users using the PKCS1 PEM encoded public keys, which would allow an attacker to craft JWTs from scratch.",
"advisories": [
{
"url": "https://github.com/jpadilla/pyjwt/pull/277"
},
{
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11424"
}
],
"affects": [
{
"ref": "6de2741f-3e9a-4f4f-85d2-c76805ba95ee",
"versions": [
{
"version": "1.3.0",
"status": "affected"
}
]
}
]
}
]
}
Tested it on a real project. LGTM
Signed-off-by: Paul Horton phorton@sonatype.com
This PR:
It relates to the following issue #s:
cc @bhamail / @DarthHater