sonatype-nexus-community / jake

Check your Python environments for vulnerable Open Source packages with OSS Index or Sonatype Nexus Lifecycle.
https://jake.readthedocs.io/
Apache License 2.0

[BUG] "jake ddt" produces a ValueError when a CWE is found #95

Closed blackstream-x closed 2 years ago

blackstream-x commented 2 years ago

Describe the bug
When finding a vulnerability having a CWE, jake 1.4.1 seems to assume the CWE ID is numerical, and fails with a ValueError.

To Reproduce
Steps to reproduce the behavior:

  1. Run a docker container with image python:3.6-slim: docker run --rm -it --name jaketest python:3.6-slim bash
  2. Inside the container, install and activate a virtual environment. The version of pip inside that environment will be 18.1 which has known vulnerabilities.
  3. Install jake inside the virtual environment
  4. Run jake ddt
  5. jake produces the error ValueError: invalid literal for int() with base 10: 'CWE-22', see https://gitlab.com/j2c-bce/helloworld-fastapi/-/jobs/2028565003 for an example

Expected behavior
Jake produces a vulnerability report. In the same environment as above, this worked with jake==1.1.5.

Screenshots

Jake Version: 1.4.1
Put your Python dependencies in a chokehold

🐍 Collected 26 packages from your environment                       ━━━━━━━━━━━━━━━━━━ 100% 0:00:00
🐍 Successfully queried OSS Index for package and vulnerability info ━━━━━━━━━━━━━━━━━━ 100% 0:00:00
🐍 Sane number of results from OSS Index                             ━━━━━━━━━━━━━━━━━━ 100% 0:00:00
🐍 Munching & crunching data...                                      ━━╺━━━━━━━━━━━━━━━  12% 0:00:01
Traceback (most recent call last):
  File "/venv/bin/jake", line 11, in <module>
    sys.exit(main())
  File "/venv/lib/python3.6/site-packages/jake/app.py", line 124, in main
    JakeCmd().execute()
  File "/venv/lib/python3.6/site-packages/jake/app.py", line 69, in execute
    exit_code: int = command.execute(arguments=self._arguments)
  File "/venv/lib/python3.6/site-packages/jake/command/__init__.py", line 45, in execute
    return self.handle_args()
  File "/venv/lib/python3.6/site-packages/jake/command/oss.py", line 137, in handle_args
    cwes=[int(oic_vulnerability.get_cwe())] if oic_vulnerability.get_cwe() else None,
ValueError: invalid literal for int() with base 10: 'CWE-22'

Desktop (please complete the following information):
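To illustrate the failure mode in the report, here is an added example (not jake's own code, and not the maintainers' fix): the failing expression from the traceback reproduced as `naive_cwe_to_int`, beside a tolerant parser that accepts `CWE-22`, `22` or `22` as an int and returns None instead of aborting the whole scan on an unexpected value. The sample values are constructed for this example; `get_cwe()` is only referenced in a comment.

```python
import re
from typing import Optional, Union

# Constructed sample values standing in for what a vulnerability's get_cwe()
# might return. The first one is the exact value from the reported traceback.
SAMPLE_CWE_VALUES = ["CWE-22", "22", 79, "cwe-0079", None, "", "not-a-cwe"]

# Optional "CWE-" prefix (any case), then the numeric id, surrounding whitespace tolerated.
_CWE_PATTERN = re.compile(r"^\s*(?:CWE-)?(\d+)\s*$", re.IGNORECASE)


def naive_cwe_to_int(raw):
    """Reproduces the expression from jake/command/oss.py line 137 in the report:
    cwes=[int(v.get_cwe())] if v.get_cwe() else None
    This raises ValueError for 'CWE-22' because int() expects bare digits."""
    return [int(raw)] if raw else None


def parse_cwe_id(raw: Union[str, int, None]) -> Optional[int]:
    """Return the numeric CWE id for 'CWE-22', '22' or 22; None if absent or unparseable.
    An unparseable value is dropped rather than crashing the report; a caller that
    wants to surface such cases should log them."""
    if raw is None or isinstance(raw, bool):
        return None
    if isinstance(raw, int):
        return raw
    match = _CWE_PATTERN.match(str(raw))
    return int(match.group(1)) if match else None


def cwes_for_vulnerability(raw) -> Optional[list]:
    """Drop-in shape for the failing expression: a one-element list or None."""
    cwe = parse_cwe_id(raw)
    return [cwe] if cwe is not None else None


if __name__ == "__main__":
    for value in SAMPLE_CWE_VALUES:
        try:
            naive = repr(naive_cwe_to_int(value))
        except ValueError as exc:
            naive = f"ValueError: {exc}"
        print(f"{value!r:>12}  naive={naive:<48} hardened={cwes_for_vulnerability(value)!r}")
```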

blackstream-x commented 2 years ago

Version 1.4.2 is affected as well.

madpah commented 2 years ago

Thanks for the report @blackstream-x

madpah commented 2 years ago

jake 1.4.3 released @blackstream-x