owasp-depscan 4.3.1__tar.gz → 4.3.3__tar.gz

{owasp-depscan-4.3.1/owasp_depscan.egg-info → owasp-depscan-4.3.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: owasp-depscan
-Version: 4.3.1
+Version: 4.3.3
 Summary: Fully open-source security audit for project dependencies based on known vulnerabilities and advisories.
 Author-email: Team AppThreat <cloud@appthreat.com>
 License: MIT
@@ -26,12 +26,14 @@ Requires-Dist: oras
 Requires-Dist: PyYAML
 Requires-Dist: rich
 Requires-Dist: quart
+Requires-Dist: PyGithub
 Requires-Dist: toml
 Provides-Extra: dev
 Requires-Dist: black; extra == "dev"
 Requires-Dist: flake8; extra == "dev"
 Requires-Dist: pytest; extra == "dev"
 Requires-Dist: pytest-cov; extra == "dev"
+Requires-Dist: httpretty; extra == "dev"
 
 # Introduction
 
@@ -174,36 +176,60 @@ depscan --src $PWD --reports-dir $PWD/reports
 Full list of options are below:
 
 ```bash
-usage: depscan [-h] [--no-banner] [--cache] [--csaf] [--sync] [--suggest] [--risk-audit] [--private-ns PRIVATE_NS] [-t PROJECT_TYPE] [--bom BOM] [-i SRC_DIR_IMAGE] [-o REPORT_FILE] [--reports-dir REPORTS_DIR] [--no-error]
-               [--no-license-scan] [--deep] [--no-universal] [--no-vuln-table] [--threatdb-server THREATDB_SERVER] [--threatdb-username THREATDB_USERNAME] [--threatdb-password THREATDB_PASSWORD] [--threatdb-token THREATDB_TOKEN]
-               [--privado-json PRIVADO_JSON] [--server] [--server-host SERVER_HOST] [--server-port SERVER_PORT] [--cdxgen-server CDXGEN_SERVER] [-v]
-
-Fully open-source security and license audit for application dependencies and container images based on known vulnerabilities and advisories.
+usage: cli.py [-h] [--no-banner] [--cache] [--csaf] [--sync] [--suggest]
+              [--no-suggest] [--risk-audit] [--private-ns PRIVATE_NS]
+              [-t PROJECT_TYPE] [--bom BOM] [-i SRC_DIR_IMAGE]
+              [-o REPORT_FILE] [--reports-dir REPORTS_DIR] [--no-error]
+              [--no-license-scan] [--deep] [--no-universal] [--no-vuln-table]
+              [--threatdb-server THREATDB_SERVER]
+              [--threatdb-username THREATDB_USERNAME]
+              [--threatdb-password THREATDB_PASSWORD]
+              [--threatdb-token THREATDB_TOKEN] [--privado-json PRIVADO_JSON]
+              [--server] [--server-host SERVER_HOST]
+              [--server-port SERVER_PORT] [--cdxgen-server CDXGEN_SERVER] [-v]
+
+Fully open-source security and license audit for application dependencies and
+container images based on known vulnerabilities and advisories.
 
 options:
   -h, --help            show this help message and exit
   --no-banner           Do not display banner
-  --cache               Cache vulnerability information in platform specific user_data_dir
+  --cache               Cache vulnerability information in platform specific
+                        user_data_dir
   --csaf                Generate a CSAF
-  --sync                Sync to receive the latest vulnerability data. Should have invoked cache first.
-  --suggest             DEPRECATED: Suggest is the default mode for determining fix version.
+  --sync                Sync to receive the latest vulnerability data. Should
+                        have invoked cache first.
+  --suggest             DEPRECATED: Suggest is the default mode for
+                        determining fix version.
+  --no-suggest          Disable suggest mode
   --risk-audit          Perform package risk audit (slow operation). Npm only.
   --private-ns PRIVATE_NS
-                        Private namespace to use while performing oss risk audit. Private packages should not be available in public registries by default. Comma separated values accepted.
+                        Private namespace to use while performing oss risk
+                        audit. Private packages should not be available in
+                        public registries by default. Comma separated values
+                        accepted.
   -t PROJECT_TYPE, --type PROJECT_TYPE
                         Override project type if auto-detection is incorrect
-  --bom BOM             Examine using the given Software Bill-of-Materials (SBoM) file in CycloneDX format. Use cdxgen command to produce one.
+  --bom BOM             Examine using the given Software Bill-of-Materials
+                        (SBoM) file in CycloneDX format. Use cdxgen command to
+                        produce one.
   -i SRC_DIR_IMAGE, --src SRC_DIR_IMAGE
                         Source directory or container image or binary file
   -o REPORT_FILE, --report_file REPORT_FILE
-                        DEPRECATED. Use reports directory since multiple files are created. Report filename with directory
+                        DEPRECATED. Use reports directory since multiple files
+                        are created. Report filename with directory
   --reports-dir REPORTS_DIR
                         Reports directory
   --no-error            Continue on error to prevent build from breaking
-  --no-license-scan     DEPRECATED: dep-scan does not perform license scanning by default
-  --deep                Perform deep scan by passing this --deep argument to cdxgen. Useful while scanning docker images and OS packages.
-  --no-universal        Depscan would attempt to perform a single universal scan instead of individual scans per language type.
-  --no-vuln-table       Do not print the table with the full list of vulnerabilities. This can help reduce console output.
+  --no-license-scan     DEPRECATED: dep-scan does not perform license scanning
+                        by default
+  --deep                Perform deep scan by passing this --deep argument to
+                        cdxgen. Useful while scanning docker images and OS
+                        packages.
+  --no-universal        Depscan would attempt to perform a single universal
+                        scan instead of individual scans per language type.
+  --no-vuln-table       Do not print the table with the full list of
+                        vulnerabilities. This can help reduce console output.
   --threatdb-server THREATDB_SERVER
                         ThreatDB server url. Eg: https://api.sbom.cx
   --threatdb-username THREATDB_USERNAME
@@ -213,7 +239,10 @@ options:
   --threatdb-token THREATDB_TOKEN
                         ThreatDB token for token based submission
   --privado-json PRIVADO_JSON
-                        Optional: Enrich the VEX report with information from privado.ai json report. cdxgen can process and include privado info automatically so this argument is usually not required.
+                        Optional: Enrich the VEX report with information from
+                        privado.ai json report. cdxgen can process and include
+                        privado info automatically so this argument is usually
+                        not required.
   --server              Run depscan as a server
   --server-host SERVER_HOST
                         depscan server host
@@ -343,9 +372,10 @@ The following environment variables can be used to customise the behaviour.
 
 ## GitHub Security Advisory
 
-To download security advisories from GitHub, a personal access token with the following scope is necessary.
+To download security advisories from GitHub, a personal access token with minimal permissions is necessary.
 
-- read:packages
+- Fine-grained token: Grant no permissions and select the following for repository access: `Public Repositories (read-only)`
+- Token (classic): Grant no permissions
 
 ```bash
 export GITHUB_TOKEN="<PAT token>"

{owasp-depscan-4.3.1 → owasp-depscan-4.3.3}/README.md

@@ -139,36 +139,60 @@ depscan --src $PWD --reports-dir $PWD/reports
 Full list of options are below:
 
 ```bash
-usage: depscan [-h] [--no-banner] [--cache] [--csaf] [--sync] [--suggest] [--risk-audit] [--private-ns PRIVATE_NS] [-t PROJECT_TYPE] [--bom BOM] [-i SRC_DIR_IMAGE] [-o REPORT_FILE] [--reports-dir REPORTS_DIR] [--no-error]
-               [--no-license-scan] [--deep] [--no-universal] [--no-vuln-table] [--threatdb-server THREATDB_SERVER] [--threatdb-username THREATDB_USERNAME] [--threatdb-password THREATDB_PASSWORD] [--threatdb-token THREATDB_TOKEN]
-               [--privado-json PRIVADO_JSON] [--server] [--server-host SERVER_HOST] [--server-port SERVER_PORT] [--cdxgen-server CDXGEN_SERVER] [-v]
-
-Fully open-source security and license audit for application dependencies and container images based on known vulnerabilities and advisories.
+usage: cli.py [-h] [--no-banner] [--cache] [--csaf] [--sync] [--suggest]
+              [--no-suggest] [--risk-audit] [--private-ns PRIVATE_NS]
+              [-t PROJECT_TYPE] [--bom BOM] [-i SRC_DIR_IMAGE]
+              [-o REPORT_FILE] [--reports-dir REPORTS_DIR] [--no-error]
+              [--no-license-scan] [--deep] [--no-universal] [--no-vuln-table]
+              [--threatdb-server THREATDB_SERVER]
+              [--threatdb-username THREATDB_USERNAME]
+              [--threatdb-password THREATDB_PASSWORD]
+              [--threatdb-token THREATDB_TOKEN] [--privado-json PRIVADO_JSON]
+              [--server] [--server-host SERVER_HOST]
+              [--server-port SERVER_PORT] [--cdxgen-server CDXGEN_SERVER] [-v]
+
+Fully open-source security and license audit for application dependencies and
+container images based on known vulnerabilities and advisories.
 
 options:
   -h, --help            show this help message and exit
   --no-banner           Do not display banner
-  --cache               Cache vulnerability information in platform specific user_data_dir
+  --cache               Cache vulnerability information in platform specific
+                        user_data_dir
   --csaf                Generate a CSAF
-  --sync                Sync to receive the latest vulnerability data. Should have invoked cache first.
-  --suggest             DEPRECATED: Suggest is the default mode for determining fix version.
+  --sync                Sync to receive the latest vulnerability data. Should
+                        have invoked cache first.
+  --suggest             DEPRECATED: Suggest is the default mode for
+                        determining fix version.
+  --no-suggest          Disable suggest mode
   --risk-audit          Perform package risk audit (slow operation). Npm only.
   --private-ns PRIVATE_NS
-                        Private namespace to use while performing oss risk audit. Private packages should not be available in public registries by default. Comma separated values accepted.
+                        Private namespace to use while performing oss risk
+                        audit. Private packages should not be available in
+                        public registries by default. Comma separated values
+                        accepted.
   -t PROJECT_TYPE, --type PROJECT_TYPE
                         Override project type if auto-detection is incorrect
-  --bom BOM             Examine using the given Software Bill-of-Materials (SBoM) file in CycloneDX format. Use cdxgen command to produce one.
+  --bom BOM             Examine using the given Software Bill-of-Materials
+                        (SBoM) file in CycloneDX format. Use cdxgen command to
+                        produce one.
   -i SRC_DIR_IMAGE, --src SRC_DIR_IMAGE
                         Source directory or container image or binary file
   -o REPORT_FILE, --report_file REPORT_FILE
-                        DEPRECATED. Use reports directory since multiple files are created. Report filename with directory
+                        DEPRECATED. Use reports directory since multiple files
+                        are created. Report filename with directory
   --reports-dir REPORTS_DIR
                         Reports directory
   --no-error            Continue on error to prevent build from breaking
-  --no-license-scan     DEPRECATED: dep-scan does not perform license scanning by default
-  --deep                Perform deep scan by passing this --deep argument to cdxgen. Useful while scanning docker images and OS packages.
-  --no-universal        Depscan would attempt to perform a single universal scan instead of individual scans per language type.
-  --no-vuln-table       Do not print the table with the full list of vulnerabilities. This can help reduce console output.
+  --no-license-scan     DEPRECATED: dep-scan does not perform license scanning
+                        by default
+  --deep                Perform deep scan by passing this --deep argument to
+                        cdxgen. Useful while scanning docker images and OS
+                        packages.
+  --no-universal        Depscan would attempt to perform a single universal
+                        scan instead of individual scans per language type.
+  --no-vuln-table       Do not print the table with the full list of
+                        vulnerabilities. This can help reduce console output.
   --threatdb-server THREATDB_SERVER
                         ThreatDB server url. Eg: https://api.sbom.cx
   --threatdb-username THREATDB_USERNAME
@@ -178,7 +202,10 @@ options:
   --threatdb-token THREATDB_TOKEN
                         ThreatDB token for token based submission
   --privado-json PRIVADO_JSON
-                        Optional: Enrich the VEX report with information from privado.ai json report. cdxgen can process and include privado info automatically so this argument is usually not required.
+                        Optional: Enrich the VEX report with information from
+                        privado.ai json report. cdxgen can process and include
+                        privado info automatically so this argument is usually
+                        not required.
   --server              Run depscan as a server
   --server-host SERVER_HOST
                         depscan server host
@@ -308,9 +335,10 @@ The following environment variables can be used to customise the behaviour.
 
 ## GitHub Security Advisory
 
-To download security advisories from GitHub, a personal access token with the following scope is necessary.
+To download security advisories from GitHub, a personal access token with minimal permissions is necessary.
 
-- read:packages
+- Fine-grained token: Grant no permissions and select the following for repository access: `Public Repositories (read-only)`
+- Token (classic): Grant no permissions
 
 ```bash
 export GITHUB_TOKEN="<PAT token>"

{owasp-depscan-4.3.1 → owasp-depscan-4.3.3}/depscan/cli.py

@@ -20,6 +20,7 @@ from vdb.lib.utils import parse_purl
 
 import oras.client
 
+from depscan.lib import privado, utils, github
 from depscan.lib.csaf import export_csaf, write_toml
 from depscan.lib import privado, utils
 from depscan.lib.analysis import (
@@ -114,6 +115,12 @@ def build_args():
         help="DEPRECATED: Suggest is the default mode for determining fix "
         "version.",
     )
+    parser.add_argument(
+        "--no-suggest",
+        action="store_false",
+        dest="suggest",
+        help="Disable suggest mode",
+    )
     parser.add_argument(
         "--risk-audit",
         action="store_true",
@@ -791,8 +798,20 @@ def main():
             )
 
         sources_list = [OSVSource(), NvdSource()]
-        if os.environ.get("GITHUB_TOKEN"):
-            sources_list.insert(0, GitHubSource())
+        github_token = os.environ.get("GITHUB_TOKEN")
+        if github_token:
+            github_client = github.GitHub(github_token)
+
+            if not github_client.can_authenticate():
+                LOG.error("The GitHub personal access token supplied appears to be invalid or expired. Please see: https://github.com/owasp-dep-scan/dep-scan#github-security-advisory")
+            else:
+                sources_list.insert(0, GitHubSource())
+                scopes = github_client.get_token_scopes()
+                if not scopes is None and len(scopes) > 0:
+                    LOG.warning(
+                        "The GitHub personal access token was granted more permissions than is necessary for depscan to operate, including the scopes of: %s. It is recommended to use a dedicated token with only the minimum scope necesary for depscan to operate. Please see: https://github.com/owasp-dep-scan/dep-scan#github-security-advisory",
+                        ', '.join([scope for scope in scopes])
+                    )
         if run_cacher:
             LOG.debug(
                 "About to download vdb from %s. This might take a while ...",
@@ -804,6 +823,7 @@ def main():
             )
             LOG.debug("VDB data is stored at: %s", paths_list)
             run_cacher = False
+            db = db_lib.get()
         elif args.sync:
             for s in sources_list:
                 LOG.debug("Syncing %s", s.__class__.__name__)
@@ -823,7 +843,7 @@ def main():
             new_res = []
             for r in results:
                 new_res.append(r.to_dict())
-            export_csaf(new_res, src_dir, reports_dir)
+            export_csaf(new_res, src_dir, reports_dir, bom_file)
         # Summarise and print results
         summarise(
             project_type,

{owasp-depscan-4.3.1 → owasp-depscan-4.3.3}/depscan/lib/csaf.py

@@ -1111,39 +1111,42 @@ TOML_TEMPLATE = {
 }
 
 ref_map = {
+    r"(?P<org>[^\s./]+).(?:com|org)/(?:[\S]+)?/(?P<id>("
+    r"?:ghsa|ntap|rhsa|rhba|zdi|dsa|cisco|intel)-?[\w\d\-:]+)": "Advisory",
     r"cve-[0-9]{4,}-[0-9]{4,}$": "CVE Record",
     r"(?<=bugzilla.)\S+(?=.\w{3}/show_bug.cgi\?)": "Bugzilla",
-    r"https://github.com/([\w\d\-.]+/[\w\d\-.]+/security/)?advisories": "GitHub Advisory",
-    r"https://github.com/[\w\d\-.]+/[\w\d\-.]+/pull/\d+": "GitHub Pull Request",
-    r"https://github.com/[\w\d\-.]+/[\w\d\-.]+/commit": "GitHub Commit",
-    r"https://github.com/[\w\d\-.]+/[\w\d\-.]+/release": "GitHub Repository "
-    "Release",
-    r"https://github.com/[\w\d\-.]+/[\w\d\-.]+/issues/?": "GitHub Issue",
-    r"https://github.com/[\w\d\-.]+/[\w\d\-.]+/blob": "GitHub Blob Reference",
-    r"https://github.com/[\w\d\-.]+/[\w\d\-.]+/?$": "GitHub Repository",
-    "https://gist.github.com": "GitHub Gist",
-    r"https://github.com/": "GitHub Other",
-    r"https://access.redhat.com/errata/rhba-\d{4}:\d{4}": "Red Hat Bug Fix "
-    "Advisory",
-    r"https://access.redhat.com/errata/rhsa-\d{4}:\d{4}": "Red Hat Security "
-    "Advisory",
-    r"(?<=CiscoSecurityAdvisory/)[\w\d\-]+": "Cisco Security Advisory",
-    "https://www.npmjs.com/advisories/": "NPM Advisory",
-    r"https://www.npmjs.com/package/@?\w+/?\w+": "NPM Package Page",
-    "https://www.oracle.com/security-alerts": "Oracle Security Alert",
-    "https://security.netapp.com/advisory": "NetApp Security Advisory",
-    "https://security.snyk.io/vuln": "Snyk Vulnerability Database Entry",
-    "https://snyk.io/vuln/": "Snyk Vulnerability Database Entry",
-    "https://www.debian.org/security": "Debian Security Advisory",
-    "https://security.gentoo.org/glsa": "Gentoo Security Advisory",
-    ".+advisory.?": "Advisory",
+    r"github.com/[\w\-.]+/[\w\-.]+/pull/\d+": "GitHub Pull Request",
+    r"github.com/[\w\-.]+/[\w\-.]+/release": "GitHub Repository Release",
+    r"(github|bitbucket|chromium)(?:.com|.org)/([\w\-.]+)/([\w\-.]+)/issues/("
+    r"?:detail\?id=)?(\d+)": "Issue",
+    r"github.com/[\w\-.]+/[\w\-.]+/blob": "GitHub Blob Reference",
+    r"github.com/[\w\-.]+/[\w\-.]+/commit": "GitHub Commit",
+    r"github.com/[\w\-.]+/[\w\-.]+/?$": "GitHub Repository",
+    "gist.github.com": "GitHub Gist",
+    r"github.com/": "GitHub Other",
+    "npmjs.com/advisories/": "NPM Advisory",
+    r"npmjs.com/package/@?\w+/?\w+": "NPM Package Page",
+    "oracle.com/security-alerts": "Oracle Security Alert",
+    "security.snyk.io/vuln|https://snyk.io/vuln/": "Snyk Vulnerability "
+    "Database Entry",
+    "security.gentoo.org/glsa": "Advisory",
+    r"usn.ubuntu.com/[\d\-]+|ubuntu.com/security/notices/USN\-[\d\-]+": 
+        "Ubuntu Security Notice",
+    r"lists.[\w\-]+.org/[\S]+announce": "Mailing List Announcement",
+    r"lists.[\w\-]+.org/": "Mailing List Other",
+    "blog": "Blog Post",
+    r"bitbucket.org/[^\s/]+/[^\s/]+/?(?!.)": "Bitbucket Repository",
+    r"bitbucket.org/[^\s/]+/[^\s/]+/commits": "Bitbucket Commit",
+    r"bitbucket.org/[^\s/]+/[^\s/]+/issues/\d+(/)?": "Bitbucket Issue",
+    r"bitbucket.org/[^\s/]+/[^\s/]+/wiki/": "Bitbucket Wiki Entry",
+    r"https://vuldb.com/\?id.\d+": "VulDB Entry",
 }
-
 sorted_ref_map = sorted(ref_map.items(), key=lambda x: len(x[0]), reverse=True)
 sorted_ref_map = dict(sorted_ref_map)
 
 compiled_patterns = {
-    re.compile(pattern): value for pattern, value in sorted_ref_map.items()
+    re.compile(pattern, re.IGNORECASE): value for pattern, value in 
+    sorted_ref_map.items()
 }
 
 
@@ -1320,78 +1323,68 @@ def format_references(ref):
     """
     fmt_refs = [{"summary": get_ref_summary(r), "url": r} for r in ref]
     ids = []
-    refs = []
-    github_advisory_regex = re.compile(r"(GHSA-\w{4}-\w{4}-\w{4}$)")
-    github_issue_regex = re.compile(
-        r"(?<=https://github.com/)(?P<owner>["
-        r"^\s/]+)/(?P<repo>[^\s/]+)/issues/("
-        r"?P<id>\d+)"
+    issues_regex = re.compile(
+        r"(?P<host>github|bitbucket|chromium)(?:.com|.org)/(?P<owner>["
+        r"\w\-.]+)/(?P<repo>[\w\-.]+)/issues/(?:detail\?id=)?(?P<id>\d+)", 
+        re.IGNORECASE
     )
+    advisory_regex = re.compile(
+        r"(?P<org>[^\s/.]+).(?:com|org)/(?:\S+/)*/?(?P<id>[\w\-:]+)", 
+        re.IGNORECASE)
     bugzilla_regex = re.compile(
-        r"(?<=bugzilla.)(?P<owner>[^\s]+)\.\w{3}/show_bug.cgi\?id=(?P<id>\S+)"
+        r"(?<=bugzilla.)(?P<owner>\S+)\.\w{3}/show_bug.cgi\?id=(?P<id>"
+        r"\S+)", re.IGNORECASE)
+    usn_regex = re.compile(
+        r"(?<=usn.ubuntu.com/)[\d\-]+|(?<=ubuntu.com/security/notices/USN-)["
+        r"\d\-]+", re.IGNORECASE
     )
-    redhat_advisory_regex = re.compile(r"(RH[BS]A-\d{4}:\d+)")
-    cisco_regex = re.compile(r"(?<=CiscoSecurityAdvisory/)[\w\d\-]+")
-    id_types = [
-        "GitHub Advisory",
-        "GitHub Issue",
-        "Bugzilla",
-        "Cisco Security Advisory",
-        "Red Hat Security Advisory",
-        "Red Hat Bug Fix Advisory",
-    ]
+    id_types = ["Advisory", "Issue", "Ubuntu Security Notice", "Bugzilla"]
     parse = [i for i in fmt_refs if i.get("summary") in id_types]
+    refs = [i for i in fmt_refs if i.get("summary") not in id_types]
     for reference in parse:
-        r = reference["url"]
+        url = reference["url"]
         summary = reference["summary"]
-        if summary == "GitHub Advisory":
-            if gha := re.search(github_advisory_regex, r):
-                ids.append(
-                    {
-                        "system_name": summary,
-                        "text": gha.group(0),
-                    }
+        if summary == "Advisory":
+            url = url.replace("glsa/", "glsa-")
+            if adv := re.search(advisory_regex, url):
+                system_name = (
+                    (adv["org"].capitalize() + " Advisory")
+                    .replace("Redhat", "Red Hat")
+                    .replace("Zerodayinitiative", "Zero Day Initiative")
+                    .replace("Github", "GitHub")
+                    .replace("Netapp", "NetApp")
                 )
-        elif summary == "GitHub Issue":
-            if issue := re.search(github_issue_regex, r):
-                ids.append(
-                    {
-                        "system_name": f'GitHub Issue [{issue.group("owner")}'
-                        f'/{issue.group("repo")}]',
-                        "text": issue.group("id"),
-                    }
-                )
-        elif summary == "Bugzilla":
-            if bugzilla := re.search(bugzilla_regex, r):
-                new_id = {
-                    "system_name": f"{bugzilla.group('owner').capitalize()} Bugzilla ID",
-                    "text": bugzilla.group("id"),
+                ids.append({"system_name": system_name, "text": adv["id"]})
+                summary = system_name
+        elif issue := re.search(issues_regex, url):
+            summary = (
+                issue["host"].capitalize().replace("Github", "GitHub")
+                + " Issue"
+            )
+            ids.append(
+                {
+                    "system_name": summary
+                    + (
+                        f" [{issue['owner']}/{issue['repo']}]"
+                        if issue["owner"] != "p"
+                        else f" [{issue['repo']}]"
+                    ),
+                    "text": issue["id"],
                 }
-                if new_id["system_name"] == "Redhat Bugzilla ID":
-                    new_id["system_name"] = "Red Hat Bugzilla ID"
-                ids.append(new_id)
-        elif summary == "Cisco Security Advisory":
-            if csa := re.search(cisco_regex, r):
-                ids.append(
-                    {
-                        "system_name": summary,
-                        "text": csa.group(0),
-                    }
-                )
-        elif summary in [
-            "Red Hat Security Advisory",
-            "Red Hat Bug Fix Advisory",
-        ]:
-            if bugzilla_id := re.search(redhat_advisory_regex, r):
-                ids.append(
-                    {
-                        "system_name": summary,
-                        "text": bugzilla_id.group(0),
-                    }
-                )
-    new_ids = {(id["system_name"], id["text"]) for id in ids}
-    ids = [{"system_name": id[0], "text": id[1]} for id in new_ids]
-    return ids, fmt_refs
+            )
+        elif bugzilla := re.search(bugzilla_regex, url):
+            system_name = f"{bugzilla['owner'].capitalize()} Bugzilla"
+            system_name = system_name.replace("Redhat", "Red Hat")
+            ids.append(
+                {"system_name": f"{system_name} ID", "text": bugzilla["id"]}
+            )
+            summary = system_name
+        elif usn := re.search(usn_regex, url):
+            ids.append({"system_name": summary, "text": f"USN-{usn[0]}"})
+        refs.append({"summary": summary, "url": url})
+    new_ids = {(idx["system_name"], idx["text"]) for idx in ids}
+    ids = [{"system_name": idx[0], "text": idx[1]} for idx in new_ids]
+    return ids, refs
 
 
 def get_ref_summary(url):
@@ -1412,7 +1405,7 @@ def get_ref_summary(url):
         (
             value
             for pattern, value in compiled_patterns.items()
-            if pattern.search(url.lower())
+            if pattern.search(url)
         ),
         "Other",
     )
@@ -1468,13 +1461,19 @@ def parse_revision_history(tracking):
     except AttributeError:
         LOG.warning("Your dates don't appear to be in ISO format.")
     if status == "final" and (not hx or len(hx) == 0):
+        choose_date = max(
+            tracking.get("initial_release_date"),
+            tracking.get("current_release_date"),
+        )
         hx.append(
             {
-                "date": tracking["initial_release_date"],
+                "date": choose_date,
                 "number": "1",
                 "summary": "Initial",
             }
         )
+        tracking["current_release_date"] = choose_date
+        tracking["initial_release_date"] = choose_date
     elif status == "final":
         hx = sorted(hx, key=lambda x: x["number"])
         tracking["initial_release_date"] = hx[0]["date"]
@@ -1587,8 +1586,8 @@ def toml_compatibility(metadata):
     Applies any changes to the formatting of the TOML after a depscan
     minor or patch update
     """
-    # The 4.5.0 TOML referenced revision_history as revision
-    if metadata["depscan_version"] < "4.5.1":
+    # The 4.3.0 TOML referenced revision_history as revision
+    if metadata["depscan_version"] < "4.3.1":
         metadata["tracking"]["revision_history"] = metadata["tracking"].get(
             "revision"
         )
@@ -1597,7 +1596,7 @@ def toml_compatibility(metadata):
     return metadata
 
 
-def export_csaf(results, src_dir, reports_dir):
+def export_csaf(results, src_dir, reports_dir, bom_file):
     """
     Generates a CSAF JSON template from the given results.
 
@@ -1605,6 +1604,7 @@ def export_csaf(results, src_dir, reports_dir):
         results (list): A list of results obtained from the analysis.
         src_dir (str): The source directory.
         reports_dir (str): The reports directory.
+        bom_file (str): The BOM file path
 
     Returns:
         None
@@ -1633,6 +1633,13 @@ def export_csaf(results, src_dir, reports_dir):
             + severity_ref[agg_score[0]][1:].lower()
         )
         template["document"]["aggregate_severity"]["text"] = agg_severity
+    if not template.get("product_tree"):
+        [template["product_tree"], extra_ref] = import_root_component(
+            bom_file)
+        if extra_ref and template["document"].get("references"):
+            template["document"]["references"].append(extra_ref)
+        elif extra_ref:
+            template["document"]["references"] = [extra_ref]
     new_results = cleanup_dict(template)
     # CSAF forbids revision entries unless the status is final, but requires
     # this to be here nonetheless
@@ -1744,3 +1751,43 @@ def cleanup_dict(d):
         if entry:
             new_dict[key] = entry
     return new_dict
+
+
+def import_root_component(bom_file):
+    """
+    Imports the root component from the given bom file into the csaf
+    """
+    with open(bom_file, "r") as f:
+        bom = json.load(f)
+
+    refs = []
+    product_tree = {}
+
+    if component := bom["metadata"].get("component"):
+        product_tree = {
+            "full_product_names": [
+                {
+                    "name": component.get("name"),
+                    "product_id": f"{component.get('name')}:"
+                                  f"{component.get('version')}",
+                    "product_identification_helper": {
+                        "purl": component.get("purl"),
+                    },
+                }
+            ]
+        }
+        if external_references := component.get("externalReferences"):
+            refs.extend(
+                {
+                    "summary": r.get("type"),
+                    "url": r.get("url"),
+                }
+                for r in external_references
+            )
+    if product_tree:
+        LOG.info("Successfully imported root component into the product tree.")
+    else:
+        LOG.info("Unable to import root component for product tree, "
+                 "so product tree will not be included.")
+
+    return product_tree, refs