owasp-depscan 5.0.1__tar.gz → 5.0.3__tar.gz

{owasp-depscan-5.0.1/owasp_depscan.egg-info → owasp-depscan-5.0.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: owasp-depscan
-Version: 5.0.1
+Version: 5.0.3
 Summary: Fully open-source security audit for project dependencies based on known vulnerabilities and advisories.
 Author-email: Team AppThreat <cloud@appthreat.com>
 License: MIT
@@ -20,7 +20,7 @@ Classifier: Topic :: Utilities
 Requires-Python: >=3.8
 Description-Content-Type: text/markdown
 License-File: LICENSE
-Requires-Dist: appthreat-vulnerability-db>=5.5.4
+Requires-Dist: appthreat-vulnerability-db>=5.5.5
 Requires-Dist: defusedxml
 Requires-Dist: oras
 Requires-Dist: PyYAML
@@ -29,6 +29,7 @@ Requires-Dist: quart
 Requires-Dist: PyGithub
 Requires-Dist: toml
 Requires-Dist: pdfkit
+Requires-Dist: Jinja2
 Provides-Extra: dev
 Requires-Dist: black; extra == "dev"
 Requires-Dist: flake8; extra == "dev"
@@ -91,7 +92,7 @@ dep-scan is ideal for use during continuous integration (CI) and as a local deve
 
 ### OCI Artifacts via ORAS cli
 
-Use [ORAS cli](https://oras.land/docs/) to download the dep-scan binary and the vulnerability database for effortless integration. Example workflow is [here](https://github.com/appthreat/images-info/blob/main/.github/workflows/build.yml#L13).
+Use [ORAS cli](https://oras.land/docs/) to download the vulnerability database for effortless integration. Example workflow is [here](https://github.com/owasp-dep-scan/dep-scan/blob/master/.github/workflows/gobintests.yml#L44-L53).
 
 ```bash
 export VDB_HOME=depscan
@@ -146,22 +147,26 @@ Use the `/scan` endpoint to perform scans.
 > [!NOTE]
 > The `type` parameter is mandatory in server mode.
 
-* Scanning a local directory.
+- Scanning a local directory.
+
 ```bash
 curl --json '{"path": "/tmp/vulnerable-aws-koa-app", "type": "js"}' http://0.0.0.0:7070/scan
 ```
 
-* Scanning a SBOM file (present locally).
+- Scanning a SBOM file (present locally).
+
 ```bash
 curl --json '{"path": "/tmp/vulnerable-aws-koa-app/sbom_file.json", "type": "js"}' http://0.0.0.0:7070/scan
 ```
 
-* Scanning a GitHub repo.
+- Scanning a GitHub repo.
+
 ```bash
 curl --json '{"url": "https://github.com/HooliCorp/vulnerable-aws-koa-app", "type": "js"}' http://0.0.0.0:7070/scan -o app.vdr.json
 ```
 
-* Uploading a SBOM file and generating results based on it.
+- Uploading a SBOM file and generating results based on it.
+
 ```bash
 curl -X POST -H 'Content-Type: multipart/form-data' -F 'file=@/tmp/app/sbom_file.json' http://0.0.0.0:7070/scan?type=js
 ```
@@ -185,9 +190,10 @@ depscan --src $PWD --reports-dir $PWD/reports
 The full list of options is below:
 
 ```bash
-usage: cli.py [-h] [--no-banner] [--cache] [--csaf] [--sync] [--profile {appsec,research,operational,threat-modeling,license-compliance,generic}] [--no-suggest] [--risk-audit] [--private-ns PRIVATE_NS] [-t PROJECT_TYPE] [--bom BOM] [-i SRC_DIR_IMAGE] [-o REPORT_FILE]
-              [--reports-dir REPORTS_DIR] [--deep] [--no-universal] [--no-vuln-table] [--threatdb-server THREATDB_SERVER] [--threatdb-username THREATDB_USERNAME] [--threatdb-password THREATDB_PASSWORD] [--threatdb-token THREATDB_TOKEN] [--server]
-              [--server-host SERVER_HOST] [--server-port SERVER_PORT] [--cdxgen-server CDXGEN_SERVER] [--debug] [--explain] [--reachables-slices-file REACHABLES_SLICES_FILE] [-v]
+usage: cli.py [-h] [--no-banner] [--cache] [--csaf] [--sync] [--profile {appsec,research,operational,threat-modeling,license-compliance,generic}] [--no-suggest] [--risk-audit] [--private-ns PRIVATE_NS] [-t PROJECT_TYPE] [--bom BOM]
+              [-i SRC_DIR_IMAGE] [-o REPORT_FILE] [--reports-dir REPORTS_DIR] [--report-template REPORT_TEMPLATE] [--report-name REPORT_NAME] [--no-error] [--no-license-scan] [--deep] [--no-universal] [--no-vuln-table]
+              [--threatdb-server THREATDB_SERVER] [--threatdb-username THREATDB_USERNAME] [--threatdb-password THREATDB_PASSWORD] [--threatdb-token THREATDB_TOKEN] [--server] [--server-host SERVER_HOST] [--server-port SERVER_PORT]
+              [--cdxgen-server CDXGEN_SERVER] [--debug] [--explain] [--reachables-slices-file REACHABLES_SLICES_FILE] [-v]
 
 Fully open-source security and license audit for application dependencies and container images based on known vulnerabilities and advisories.
 
@@ -212,6 +218,12 @@ options:
                         DEPRECATED. Use reports directory since multiple files are created. Report filename with directory
   --reports-dir REPORTS_DIR
                         Reports directory
+  --report-template REPORT_TEMPLATE
+                        Jinja template file used for rendering a custom report
+  --report-name REPORT_NAME
+                        Filename of the custom report written to the --reports-dir
+  --no-error            UNUSED: Continue on error to prevent build from breaking
+  --no-license-scan     UNUSED: dep-scan doesn't perform license scanning by default
   --deep                Perform deep scan by passing this --deep argument to cdxgen. Useful while scanning docker images and OS packages.
   --no-universal        Depscan would attempt to perform a single universal scan instead of individual scans per language type.
   --no-vuln-table       Do not print the table with the full list of vulnerabilities. This can help reduce console output.
@@ -234,6 +246,7 @@ options:
   --explain             Makes depscan to explain the various analysis. Useful for creating detailed reports.
   --reachables-slices-file REACHABLES_SLICES_FILE
                         Path for the reachables slices file created by atom.
+  --purl SEARCH_PURL    Scan a single package url.
   -v, --version         Display the version
 ```
 
@@ -440,6 +453,32 @@ dep-scan could auto-detect most cloud applications and Kubernetes manifest files
 
 Ensure [wkhtmltopdf](https://wkhtmltopdf.org/downloads.html) is installed or use the official container image to generate pdf reports. Use with `--explain` for more detailed reports.
 
+## Custom reports
+
+dep-scan can be provided with a [Jinja](https://jinja.palletsprojects.com/en/3.1.x/) template using the `--report-template` parameter.
+Giving it will pass the vulnerability report into your template for rendering the report.
+
+Please find a basic example here:
+
+```jinja
+There were {{ vulnerabilities | length }} issues identified:
+
+{% for vuln in vulnerabilities -%}
+* {{ vuln.id }} - {{ vuln.package }}
+{% endfor %}
+
+Severity counts:
+* Low: {{ summary.LOW }}
+* Medium: {{ summary.MEDIUM }}
+* High: {{ summary.HIGH }}
+* Critical: {{ summary.CRITICAL }}
+* Unspecified: {{ summary.UNSPECIFIED }}
+```
+
+The `vulnerabilities` object is the same list that can be found in the `depscan-bom.json` report file,
+`summary` is a dictionary type with vulnerability severity quantities as shown in the example above.
+Furthermore insights are imaginably to be made available to the template, please reach out or contribute on demand.
+
 ## Discord support
 
 The developers could be reached via the [discord](https://discord.gg/DCNxzaeUpd) channel for enterprise support.

{owasp-depscan-5.0.1 → owasp-depscan-5.0.3}/README.md

@@ -53,7 +53,7 @@ dep-scan is ideal for use during continuous integration (CI) and as a local deve
 
 ### OCI Artifacts via ORAS cli
 
-Use [ORAS cli](https://oras.land/docs/) to download the dep-scan binary and the vulnerability database for effortless integration. Example workflow is [here](https://github.com/appthreat/images-info/blob/main/.github/workflows/build.yml#L13).
+Use [ORAS cli](https://oras.land/docs/) to download the vulnerability database for effortless integration. Example workflow is [here](https://github.com/owasp-dep-scan/dep-scan/blob/master/.github/workflows/gobintests.yml#L44-L53).
 
 ```bash
 export VDB_HOME=depscan
@@ -108,22 +108,26 @@ Use the `/scan` endpoint to perform scans.
 > [!NOTE]
 > The `type` parameter is mandatory in server mode.
 
-* Scanning a local directory.
+- Scanning a local directory.
+
 ```bash
 curl --json '{"path": "/tmp/vulnerable-aws-koa-app", "type": "js"}' http://0.0.0.0:7070/scan
 ```
 
-* Scanning a SBOM file (present locally).
+- Scanning a SBOM file (present locally).
+
 ```bash
 curl --json '{"path": "/tmp/vulnerable-aws-koa-app/sbom_file.json", "type": "js"}' http://0.0.0.0:7070/scan
 ```
 
-* Scanning a GitHub repo.
+- Scanning a GitHub repo.
+
 ```bash
 curl --json '{"url": "https://github.com/HooliCorp/vulnerable-aws-koa-app", "type": "js"}' http://0.0.0.0:7070/scan -o app.vdr.json
 ```
 
-* Uploading a SBOM file and generating results based on it.
+- Uploading a SBOM file and generating results based on it.
+
 ```bash
 curl -X POST -H 'Content-Type: multipart/form-data' -F 'file=@/tmp/app/sbom_file.json' http://0.0.0.0:7070/scan?type=js
 ```
@@ -147,9 +151,10 @@ depscan --src $PWD --reports-dir $PWD/reports
 The full list of options is below:
 
 ```bash
-usage: cli.py [-h] [--no-banner] [--cache] [--csaf] [--sync] [--profile {appsec,research,operational,threat-modeling,license-compliance,generic}] [--no-suggest] [--risk-audit] [--private-ns PRIVATE_NS] [-t PROJECT_TYPE] [--bom BOM] [-i SRC_DIR_IMAGE] [-o REPORT_FILE]
-              [--reports-dir REPORTS_DIR] [--deep] [--no-universal] [--no-vuln-table] [--threatdb-server THREATDB_SERVER] [--threatdb-username THREATDB_USERNAME] [--threatdb-password THREATDB_PASSWORD] [--threatdb-token THREATDB_TOKEN] [--server]
-              [--server-host SERVER_HOST] [--server-port SERVER_PORT] [--cdxgen-server CDXGEN_SERVER] [--debug] [--explain] [--reachables-slices-file REACHABLES_SLICES_FILE] [-v]
+usage: cli.py [-h] [--no-banner] [--cache] [--csaf] [--sync] [--profile {appsec,research,operational,threat-modeling,license-compliance,generic}] [--no-suggest] [--risk-audit] [--private-ns PRIVATE_NS] [-t PROJECT_TYPE] [--bom BOM]
+              [-i SRC_DIR_IMAGE] [-o REPORT_FILE] [--reports-dir REPORTS_DIR] [--report-template REPORT_TEMPLATE] [--report-name REPORT_NAME] [--no-error] [--no-license-scan] [--deep] [--no-universal] [--no-vuln-table]
+              [--threatdb-server THREATDB_SERVER] [--threatdb-username THREATDB_USERNAME] [--threatdb-password THREATDB_PASSWORD] [--threatdb-token THREATDB_TOKEN] [--server] [--server-host SERVER_HOST] [--server-port SERVER_PORT]
+              [--cdxgen-server CDXGEN_SERVER] [--debug] [--explain] [--reachables-slices-file REACHABLES_SLICES_FILE] [-v]
 
 Fully open-source security and license audit for application dependencies and container images based on known vulnerabilities and advisories.
 
@@ -174,6 +179,12 @@ options:
                         DEPRECATED. Use reports directory since multiple files are created. Report filename with directory
   --reports-dir REPORTS_DIR
                         Reports directory
+  --report-template REPORT_TEMPLATE
+                        Jinja template file used for rendering a custom report
+  --report-name REPORT_NAME
+                        Filename of the custom report written to the --reports-dir
+  --no-error            UNUSED: Continue on error to prevent build from breaking
+  --no-license-scan     UNUSED: dep-scan doesn't perform license scanning by default
   --deep                Perform deep scan by passing this --deep argument to cdxgen. Useful while scanning docker images and OS packages.
   --no-universal        Depscan would attempt to perform a single universal scan instead of individual scans per language type.
   --no-vuln-table       Do not print the table with the full list of vulnerabilities. This can help reduce console output.
@@ -196,6 +207,7 @@ options:
   --explain             Makes depscan to explain the various analysis. Useful for creating detailed reports.
   --reachables-slices-file REACHABLES_SLICES_FILE
                         Path for the reachables slices file created by atom.
+  --purl SEARCH_PURL    Scan a single package url.
   -v, --version         Display the version
 ```
 
@@ -402,6 +414,32 @@ dep-scan could auto-detect most cloud applications and Kubernetes manifest files
 
 Ensure [wkhtmltopdf](https://wkhtmltopdf.org/downloads.html) is installed or use the official container image to generate pdf reports. Use with `--explain` for more detailed reports.
 
+## Custom reports
+
+dep-scan can be provided with a [Jinja](https://jinja.palletsprojects.com/en/3.1.x/) template using the `--report-template` parameter.
+Giving it will pass the vulnerability report into your template for rendering the report.
+
+Please find a basic example here:
+
+```jinja
+There were {{ vulnerabilities | length }} issues identified:
+
+{% for vuln in vulnerabilities -%}
+* {{ vuln.id }} - {{ vuln.package }}
+{% endfor %}
+
+Severity counts:
+* Low: {{ summary.LOW }}
+* Medium: {{ summary.MEDIUM }}
+* High: {{ summary.HIGH }}
+* Critical: {{ summary.CRITICAL }}
+* Unspecified: {{ summary.UNSPECIFIED }}
+```
+
+The `vulnerabilities` object is the same list that can be found in the `depscan-bom.json` report file,
+`summary` is a dictionary type with vulnerability severity quantities as shown in the example above.
+Furthermore insights are imaginably to be made available to the template, please reach out or contribute on demand.
+
 ## Discord support
 
 The developers could be reached via the [discord](https://discord.gg/DCNxzaeUpd) channel for enterprise support.

{owasp-depscan-5.0.1 → owasp-depscan-5.0.3}/depscan/cli.py

@@ -181,6 +181,17 @@ def build_args():
         dest="reports_dir",
         help="Reports directory",
     )
+    parser.add_argument(
+        "--report-template",
+        dest="report_template",
+        help="Jinja template file used for rendering a custom report",
+    )
+    parser.add_argument(
+        "--report-name",
+        default="rendered.report",
+        dest="report_name",
+        help="Filename of the custom report written to the --reports-dir",
+    )
     parser.add_argument(
         "--no-error",
         action="store_true",
@@ -287,6 +298,11 @@ def build_args():
         dest="reachables_slices_file",
         help="Path for the reachables slices file created by atom.",
     )
+    parser.add_argument(
+        "--purl",
+        dest="search_purl",
+        help="Scan a single package url.",
+    )
     parser.add_argument(
         "-v",
         "--version",
@@ -437,7 +453,7 @@ def summarise(
         reached_purls=reached_purls,
     )
     pkg_vulnerabilities, pkg_group_rows = prepare_vdr(options)
-    vdr_file = bom_file.replace(".json", ".vdr.json")
+    vdr_file = bom_file.replace(".json", ".vdr.json") if bom_file else None
     if pkg_vulnerabilities and bom_file:
         try:
             with open(bom_file, encoding="utf-8") as fp:
@@ -497,9 +513,15 @@ def download_rafs_based_image():
                 target=vdb_rafs_database_url, outdir=rafs_data_dir.name
             )
 
-            if paths_list and os.path.exists(
-                os.path.join(rafs_data_dir.name, "data.rafs")
-            ) and os.path.exists(os.path.join(rafs_data_dir.name, "meta.rafs")):
+            if (
+                paths_list
+                and os.path.exists(
+                    os.path.join(rafs_data_dir.name, "data.rafs")
+                )
+                and os.path.exists(
+                    os.path.join(rafs_data_dir.name, "meta.rafs")
+                )
+            ):
                 nydus_download_command = [
                     f"{nydus_image_command}",
                     "unpack",
@@ -529,7 +551,8 @@ def download_rafs_based_image():
 
         except Exception:
             LOG.info(
-                "Unable to pull the vulnerability database (rafs image) from %s. Trying to pull the non-rafs-based VDB image.", vdb_rafs_database_url
+                "Unable to pull the vulnerability database (rafs image) from %s. Trying to pull the non-rafs-based VDB image.",
+                vdb_rafs_database_url,
             )
             rafs_image_downloaded = False
 
@@ -808,6 +831,12 @@ def main():
     # Detect the project types and perform the right type of scan
     if args.project_type:
         project_types_list = args.project_type.split(",")
+    elif args.search_purl:
+        purl_obj = parse_purl(args.search_purl)
+        purl_obj["purl"] = args.search_purl
+        purl_obj["vendor"] = purl_obj.get("namespace")
+        project_types_list = [purl_obj.get("type")]
+        pkg_list = [purl_obj]
     elif args.bom and not args.project_type:
         project_types_list = ["bom"]
     elif not args.non_universal_scan:
@@ -846,7 +875,12 @@ def main():
         risk_report_file = areport_file.replace(
             ".json", f"-risk.{project_type}.json"
         )
-        if args.bom and os.path.exists(args.bom):
+        # Are we scanning a single purl
+        if args.search_purl:
+            bom_file = None
+            creation_status = True
+        # Are we scanning a bom file
+        elif args.bom and os.path.exists(args.bom):
             bom_file = args.bom
             creation_status = True
         else:
@@ -865,14 +899,15 @@ def main():
         if not creation_status:
             LOG.debug("Bom file %s was not created successfully", bom_file)
             continue
-        LOG.debug("Scanning using the bom file %s", bom_file)
-        if not args.bom:
-            LOG.info(
-                "To improve performance, cache the bom file and invoke "
-                "depscan with --bom %s instead of -i",
-                bom_file,
-            )
-        pkg_list = get_pkg_list(bom_file)
+        if bom_file:
+            LOG.debug("Scanning using the bom file %s", bom_file)
+            if not args.bom:
+                LOG.info(
+                    "To improve performance, cache the bom file and invoke "
+                    "depscan with --bom %s instead of -i",
+                    bom_file,
+                )
+            pkg_list = get_pkg_list(bom_file)
         if not pkg_list:
             LOG.debug("No packages found in the project!")
             continue
@@ -1035,7 +1070,7 @@ def main():
             bom_file, src_dir, args.reachables_slices_file
         )
         # Summarise and print results
-        _, vdr_file, pkg_vulnerabilities, pkg_group_rows = summarise(
+        summary, vdr_file, pkg_vulnerabilities, pkg_group_rows = summarise(
             project_type,
             results,
             pkg_aliases,
@@ -1077,6 +1112,19 @@ def main():
         else DEFAULT_TERMINAL_THEME,
     )
     utils.export_pdf(html_file, pdf_file)
+    # render report into template if wished
+    if args.report_template and os.path.isfile(args.report_template):
+        utils.render_template_report(
+            jsonl_report_file=report_file,
+            summary=summary,
+            template_file=args.report_template,
+            result_file=os.path.join(reports_dir, args.report_name),
+        )
+    elif args.report_template:
+        LOG.warning(
+            "Template file %s doesn't exist, custom report not created.",
+            args.report_template,
+        )
     # Submit vdr/vex files to threatdb server
     if args.threatdb_server and (args.threatdb_username or args.threatdb_token):
         submit_bom(

{owasp-depscan-5.0.1 → owasp-depscan-5.0.3}/depscan/lib/analysis.py

@@ -11,7 +11,7 @@ from rich.style import Style
 from rich.table import Table
 from rich.tree import Tree
 from vdb.lib import CPE_FULL_REGEX
-from vdb.lib.config import placeholder_fix_version
+from vdb.lib.config import placeholder_exclude_version, placeholder_fix_version
 from vdb.lib.utils import parse_cpe, parse_purl
 
 from depscan.lib import config
@@ -84,7 +84,7 @@ def retrieve_bom_dependency_tree(bom_file):
     :return: Dependency tree as a list
     """
     if not bom_file:
-        return []
+        return [], None
     try:
         with open(bom_file, encoding="utf-8") as bfp:
             bom_data = json.load(bfp)
@@ -97,6 +97,8 @@ def retrieve_bom_dependency_tree(bom_file):
 
 def retrieve_oci_properties(bom_data):
     props = {}
+    if not bom_data:
+        return props
     for p in bom_data.get("metadata", {}).get("properties", []):
         if p.get("name", "").startswith("oci:image:"):
             props[p.get("name")] = p.get("value")
@@ -842,7 +844,7 @@ def summary_stats(results):
     """
     Generate summary stats
 
-    :param results: List of scan results objects wuth severity attribute.
+    :param results: List of scan results objects with severity attribute.
     :return: A dictionary containing the summary statistics for the severity
     levels of the vulnerabilities in the results list.
     """
@@ -1174,7 +1176,11 @@ def suggest_version(results, pkg_aliases=None, purl_aliases=None):
         else:
             full_pkg = pkg_aliases.get(full_pkg, full_pkg)
         version_upgrades = pkg_fix_map.get(full_pkg, set())
-        version_upgrades.add(fixed_location)
+        if (
+            fixed_location != placeholder_fix_version
+            and fixed_location != placeholder_exclude_version
+        ):
+            version_upgrades.add(fixed_location)
         pkg_fix_map[full_pkg] = version_upgrades
     for k, v in pkg_fix_map.items():
         # Don't go near certain packages

{owasp-depscan-5.0.1 → owasp-depscan-5.0.3}/depscan/lib/audit.py

@@ -4,14 +4,16 @@ from depscan.lib import config
 from depscan.lib.pkg_query import npm_metadata, pypi_metadata
 
 # Dict mapping project type to the audit source
-type_audit_map = {"nodejs": NpmSource(), "js": NpmSource()}
+type_audit_map = {"nodejs": NpmSource(), "js": NpmSource(), "npm": NpmSource()}
 
 # Dict mapping project type to risk audit
 risk_audit_map = {
+    "npm": npm_metadata,
     "nodejs": npm_metadata,
     "js": npm_metadata,
     "python": pypi_metadata,
     "py": pypi_metadata,
+    "pypi": pypi_metadata,
 }
 
 

{owasp-depscan-5.0.1 → owasp-depscan-5.0.3}/depscan/lib/csaf.py

@@ -1173,7 +1173,11 @@ class CsafOccurence:
         )
         self.references = res["related_urls"]
         self.type = (res["type"],)
-        self.severity = res["severity"]
+        self.severity = (
+            res["severity"] if (
+            res["severity"] in ["CRITICAL", "HIGH", "MEDIUM", "LOW", "NONE"]) else (
+            "UNKNOWN")
+        )
         self.orig_date = res["source_orig_time"] or None
         self.update_date = res["source_update_time"] or None
 
@@ -1186,7 +1190,8 @@ class CsafOccurence:
         vuln["product_status"] = self.product_status
         [ids, vuln["references"]] = format_references(self.references)
         vuln["ids"] = ids
-        vuln["scores"] = [{"cvss_v3": self.cvss_v3, "products": [self.pkg]}]
+        if self.cvss_v3:
+            vuln["scores"] = [{"cvss_v3": self.cvss_v3, "products": [self.pkg]}]
         self.notes.append(
             {
                 "category": "general",
@@ -1298,28 +1303,33 @@ def parse_cvss(res):
             If the vector string or base score are missing, or the CVSS
             version is not 3.0 or 3.1, None is returned.
     """
+
+    # baseScore, baseSeverity, vectorString, and version are required
     cvss_v3 = res.get("cvss_v3")
-    version = re.findall(r"3.0|3.1", cvss_v3["vector_string"])
-    # baseScore, vectorString, and version are required for a valid score
     if (
-        not cvss_v3
-        or not cvss_v3.get("vector_string")
-        or not version
-        or not cvss_v3.get("base_score")
+            not cvss_v3
+            or not (vector_string := cvss_v3.get("vector_string"))
+            or not (version := re.findall(r"3.0|3.1",
+                                          cvss_v3.get("vector_string", "")))
+            or not (base_score := cvss_v3.get("base_score"))
+            or (severity := res.get("severity")) not in
+            ["CRITICAL", "HIGH", "MEDIUM", "LOW", "NONE"]
     ):
         return None
     version = version[0]
-    return {
-        "baseScore": cvss_v3["base_score"],
-        "attackVector": cvss_v3["attack_vector"],
-        "privilegesRequired": cvss_v3["privileges_required"],
-        "userInteraction": cvss_v3["user_interaction"],
-        "scope": cvss_v3["scope"],
-        "baseSeverity": res["severity"],
+    cvss_v3_data = {
+        "baseScore": base_score,
+        "baseSeverity": severity,
+        "attackVector": cvss_v3.get("attack_vector"),
+        "privilegesRequired": cvss_v3.get("privileges_required"),
+        "userInteraction": cvss_v3.get("user_interaction"),
+        "scope": cvss_v3.get("scope"),
         "version": version,
-        "vectorString": cvss_v3["vector_string"],
+        "vectorString": vector_string,
     }
 
+    return cvss_v3_data
+
 
 def format_references(ref):
     """
@@ -1567,6 +1577,7 @@ def parse_toml(metadata):
         'current_release_date'.
     """
     tracking = parse_revision_history(metadata.get("tracking"))
+    # FIXME: Could this be simplified as list comprehension without append
     refs = []
     [refs.append(v) for v in metadata.get("reference")]
     notes = []
@@ -1873,6 +1884,8 @@ def add_vulnerabilities(data, results, direct_purls, reached_purls):
         "HIGH": 2,
         "MEDIUM": 3,
         "LOW": 4,
+        "UNKNOWN": 5,
+        "NONE": 6,
     }
     affected_regex = re.compile(
         r"(?P<lmod>[>=]{1,2})(?P<lower>\w+(?:.\w+)?(?:.\w+)?)-(?P<umod>[<=]{"
@@ -1884,7 +1897,7 @@ def add_vulnerabilities(data, results, direct_purls, reached_purls):
     for r in results:
         c = CsafOccurence(r)
         new_vuln = c.to_dict()
-        agg_score.add(severity_ref.get(c.severity))
+        agg_score.add(severity_ref.get(c.severity, 5))
         if c.search_string:
             found = reached_dict.get(c.search_string)
             if not found:

{owasp-depscan-5.0.1 → owasp-depscan-5.0.3}/depscan/lib/normalize.py

@@ -54,10 +54,10 @@ def create_pkg_variations(pkg_dict):
             if purl_obj:
                 pkg_type = purl_obj.get("type")
                 qualifiers = purl_obj.get("qualifiers", {})
-                if qualifiers.get("distro_name"):
+                if qualifiers and qualifiers.get("distro_name"):
                     os_distro_name = qualifiers.get("distro_name")
                     name_aliases.add(f"""{os_distro_name}/{name}""")
-                if qualifiers.get("distro"):
+                if qualifiers and qualifiers.get("distro"):
                     os_distro = qualifiers.get("distro")
                     name_aliases.add(f"""{os_distro}/{name}""")
                     # almalinux-9.2 becomes almalinux-9
@@ -70,6 +70,7 @@ def create_pkg_variations(pkg_dict):
     if vendor:
         vendor_aliases.add(vendor)
         vendor_aliases.add(vendor.lower())
+        vendor_aliases.add(vendor.lstrip("@"))
         if (
             vendor.startswith("org.")
             or vendor.startswith("io.")
@@ -94,7 +95,6 @@ def create_pkg_variations(pkg_dict):
             vendor_aliases.add("golang")
     if pkg_type not in config.OS_PKG_TYPES:
         name_aliases.add("package_" + name)
-        vendor_aliases.add(pkg_type)
         if purl.startswith("pkg:composer"):
             vendor_aliases.add("get" + name)
             vendor_aliases.add(name + "_project")
@@ -168,7 +168,7 @@ def create_pkg_variations(pkg_dict):
             name_aliases.add(name + "-bin")
     else:
         # Filter vendor aliases that are also name aliases
-        vendor_aliases = [x for x in vendor_aliases if x not in name_aliases]
+        vendor_aliases = [x for x in vendor_aliases if x not in name_aliases or x == vendor]
     if len(vendor_aliases) > 0:
         for vvar in list(vendor_aliases):
             for nvar in list(name_aliases):

{owasp-depscan-5.0.1 → owasp-depscan-5.0.3}/depscan/lib/utils.py

@@ -1,9 +1,11 @@
 import ast
 import os
 import re
+import json
 from collections import defaultdict
 from datetime import datetime
 from importlib.metadata import distribution
+from jinja2 import Environment
 
 from vdb.lib import db as db_lib
 from vdb.lib.utils import version_compare
@@ -408,3 +410,26 @@ def export_pdf(
             pdfkit.from_file(html_file, pdf_file, options=pdf_options)
     except Exception:
         pass
+
+
+def render_template_report(
+    jsonl_report_file,
+    summary,
+    template_file,
+    result_file,
+):
+    """
+    Render the given json_report_file and summary dict using the template_file with Jinja
+    """
+    with open(jsonl_report_file, "r", encoding="utf-8") as jsonl_file:
+        json_report = [json.loads(jline) for jline in jsonl_file.readlines()]
+    with open(template_file, "r", encoding="utf-8") as tmpl_file:
+        template = tmpl_file.read()
+    jinja_env = Environment(autoescape=False)
+    jinja_tmpl = jinja_env.from_string(template)
+    report_result = jinja_tmpl.render(
+        vulnerabilities=json_report,
+        summary=summary,
+    )
+    with open(result_file, "w", encoding="utf-8") as outfile:
+        outfile.write(report_result)