PyPI - scanoss - Versions diffs - 1.27.0__tar.gz → 1.28.0__tar.gz - Mend

scanoss 1.27.0tar.gz → 1.28.0tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (100) hide show

{scanoss-1.27.0/src/scanoss.egg-info → scanoss-1.28.0}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: scanoss
-Version: 1.27.0
+Version: 1.28.0
 Summary: Simple Python library to leverage the SCANOSS APIs
 Home-page: https://scanoss.com
 Author: SCANOSS

{scanoss-1.27.0 → scanoss-1.28.0}/src/scanoss/__init__.py RENAMED Viewed

@@ -22,4 +22,4 @@ SPDX-License-Identifier: MIT
   THE SOFTWARE.
 """
-__version__ = '1.27.0'
+__version__ = '1.28.0'

{scanoss-1.27.0 → scanoss-1.28.0}/src/scanoss/cyclonedx.py RENAMED Viewed

@@ -22,14 +22,13 @@ SPDX-License-Identifier: MIT
   THE SOFTWARE.
 """
+import datetime
 import json
 import os.path
 import sys
 import uuid
-import datetime
 from . import __version__
 from .scanossbase import ScanossBase
 from .spdxlite import SpdxLite
@@ -49,7 +48,7 @@ class CycloneDx(ScanossBase):
         self.debug = debug
         self._spdx = SpdxLite(debug=debug)
-    def parse(self, data: json):
+    def parse(self, data: json):  # noqa: PLR0912, PLR0915
         """
         Parse the given input (raw/plain) JSON string and return CycloneDX summary
         :param data: json - JSON object
@@ -58,7 +57,7 @@ class CycloneDx(ScanossBase):
         if not data:
             self.print_stderr('ERROR: No JSON data provided to parse.')
             return None, None
-        self.print_debug(f'Processing raw results into CycloneDX format...')
+        self.print_debug('Processing raw results into CycloneDX format...')
         cdx = {}
         vdx = {}
         for f in data:
@@ -171,17 +170,22 @@ class CycloneDx(ScanossBase):
             success = self.produce_from_str(f.read(), output_file)
         return success
-    def produce_from_json(self, data: json, output_file: str = None) -> bool:
+    def produce_from_json(self, data: json, output_file: str = None) -> tuple[bool, json]:  # noqa: PLR0912
         """
-        Produce the CycloneDX output from the input data
-        :param data: JSON object
-        :param output_file: Output file (optional)
-        :return: True if successful, False otherwise
+        Produce the CycloneDX output from the raw scan results input data
+        Args:
+            data (json): JSON object
+            output_file (str, optional): Output file (optional). Defaults to None.
+        Returns:
+            bool: True if successful, False otherwise
+            json: The CycloneDX output
         """
         cdx, vdx = self.parse(data)
         if not cdx:
             self.print_stderr('ERROR: No CycloneDX data returned for the JSON string provided.')
-            return False
+            return False, None
         self._spdx.load_license_data()  # Load SPDX license name data for later reference
         #
         # Using CDX version 1.4: https://cyclonedx.org/docs/1.4/json/
@@ -264,7 +268,7 @@ class CycloneDx(ScanossBase):
         if output_file:
             file.close()
-        return True
+        return True, data
     def produce_from_str(self, json_str: str, output_file: str = None) -> bool:
         """
@@ -283,6 +287,87 @@ class CycloneDx(ScanossBase):
             return False
         return self.produce_from_json(data, output_file)
+    def _normalize_vulnerability_id(self, vuln: dict) -> tuple[str, str]:
+        """
+        Normalize vulnerability ID and CVE from different possible field names.
+        Returns tuple of (vuln_id, vuln_cve).
+        """
+        vuln_id = vuln.get('ID', '') or vuln.get('id', '')
+        vuln_cve = vuln.get('CVE', '') or vuln.get('cve', '')
+        # Skip CPE entries, use CVE if available
+        if vuln_id.upper().startswith('CPE:') and vuln_cve:
+            vuln_id = vuln_cve
+        return vuln_id, vuln_cve
+    def _create_vulnerability_entry(self, vuln_id: str, vuln: dict, vuln_cve: str, purl: str) -> dict:
+        """
+        Create a new vulnerability entry for CycloneDX format.
+        """
+        vuln_source = vuln.get('source', '').lower()
+        return {
+            'id': vuln_id,
+            'source': {
+                'name': 'NVD' if vuln_source == 'nvd' else 'GitHub Advisories',
+                'url': f'https://nvd.nist.gov/vuln/detail/{vuln_cve}'
+                      if vuln_source == 'nvd'
+                      else f'https://github.com/advisories/{vuln_id}'
+            },
+            'ratings': [{'severity': self._sev_lookup(vuln.get('severity', 'unknown').lower())}],
+            'affects': [{'ref': purl}]
+        }
+    def append_vulnerabilities(self, cdx_dict: dict, vulnerabilities_data: dict, purl: str) -> dict:
+        """
+        Append vulnerabilities to an existing CycloneDX dictionary
+        Args:
+            cdx_dict (dict): The existing CycloneDX dictionary
+            vulnerabilities_data (dict): The vulnerabilities data from get_vulnerabilities_json
+            purl (str): The PURL of the component these vulnerabilities affect
+        Returns:
+            dict: The updated CycloneDX dictionary with vulnerabilities appended
+        """
+        if not cdx_dict or not vulnerabilities_data:
+            return cdx_dict
+        if 'vulnerabilities' not in cdx_dict:
+            cdx_dict['vulnerabilities'] = []
+        # Extract vulnerabilities from the response
+        vulns_list = vulnerabilities_data.get('purls', [])
+        if not vulns_list:
+            return cdx_dict
+        vuln_items = vulns_list[0].get('vulnerabilities', [])
+        for vuln in vuln_items:
+            vuln_id, vuln_cve = self._normalize_vulnerability_id(vuln)
+            # Skip empty IDs or CPE-only entries
+            if not vuln_id or vuln_id.upper().startswith('CPE:'):
+                continue
+            # Check if vulnerability already exists
+            existing_vuln = next(
+                (v for v in cdx_dict['vulnerabilities'] if v.get('id') == vuln_id),
+                None
+            )
+            if existing_vuln:
+                # Add this PURL to the affects list if not already present
+                if not any(ref.get('ref') == purl for ref in existing_vuln.get('affects', [])):
+                    existing_vuln['affects'].append({'ref': purl})
+            else:
+                # Create new vulnerability entry
+                cdx_dict['vulnerabilities'].append(
+                    self._create_vulnerability_entry(vuln_id, vuln, vuln_cve, purl)
+                )
+        return cdx_dict
     @staticmethod
     def _sev_lookup(value: str):
         """

scanoss-1.28.0/src/scanoss/data/build_date.txt ADDED Viewed

	@@ -0,0 +1 @@
1	+ date: 20250710142446, utime: 1752157486

{scanoss-1.27.0 → scanoss-1.28.0}/src/scanoss/scanner.py RENAMED Viewed

@@ -22,40 +22,40 @@ SPDX-License-Identifier: MIT
   THE SOFTWARE.
 """
+import datetime
 import json
 import os
-from pathlib import Path
 import sys
-import datetime
+from pathlib import Path
 from typing import Any, Dict, List, Optional
-import importlib_resources
+import importlib_resources
 from progress.bar import Bar
 from progress.spinner import Spinner
 from pypac.parser import PACFile
 from scanoss.file_filters import FileFilters
-from .scanossapi import ScanossApi
-from .cyclonedx import CycloneDx
-from .spdxlite import SpdxLite
+from . import __version__
 from .csvoutput import CsvOutput
-from .threadedscanning import ThreadedScanning
+from .cyclonedx import CycloneDx
 from .scancodedeps import ScancodeDeps
-from .threadeddependencies import ThreadedDependencies, SCOPE
-from .scanossgrpc import ScanossGrpc
-from .scantype import ScanType
-from .scanossbase import ScanossBase
 from .scanoss_settings import ScanossSettings
+from .scanossapi import ScanossApi
+from .scanossbase import ScanossBase
+from .scanossgrpc import ScanossGrpc
 from .scanpostprocessor import ScanPostProcessor
-from . import __version__
+from .scantype import ScanType
+from .spdxlite import SpdxLite
+from .threadeddependencies import SCOPE, ThreadedDependencies
+from .threadedscanning import ThreadedScanning
 FAST_WINNOWING = False
 try:
     from scanoss_winnowing.winnowing import Winnowing
     FAST_WINNOWING = True
-except ModuleNotFoundError or ImportError:
+except (ModuleNotFoundError, ImportError):
     FAST_WINNOWING = False
     from .winnowing import Winnowing
@@ -284,7 +284,7 @@ class Scanner(ScanossBase):
             return True
         return False
-    def scan_folder_with_options(
+    def scan_folder_with_options(  # noqa: PLR0913
         self,
         scan_dir: str,
         deps_file: str = None,
@@ -332,7 +332,7 @@ class Scanner(ScanossBase):
                 success = False
         return success
-    def scan_folder(self, scan_dir: str) -> bool:
+    def scan_folder(self, scan_dir: str) -> bool:  # noqa: PLR0912, PLR0915
         """
         Scan the specified folder producing fingerprints, send to the SCANOSS API and return results
@@ -400,7 +400,7 @@ class Scanner(ScanossBase):
                 scan_block += wfp
                 scan_size = len(scan_block.encode('utf-8'))
                 wfp_file_count += 1
-                # If the scan request block (group of WFPs) or larger than the POST size or we have reached the file limit, add it to the queue
+                # If the scan request block (group of WFPs) or larger than the POST size or we have reached the file limit, add it to the queue  # noqa: E501
                 if wfp_file_count > self.post_file_count or scan_size >= self.max_post_size:
                     self.threaded_scan.queue_add(scan_block)
                     queue_size += 1
@@ -484,7 +484,7 @@ class Scanner(ScanossBase):
             self.__log_result(json.dumps(results, indent=2, sort_keys=True))
         elif self.output_format == 'cyclonedx':
             cdx = CycloneDx(self.debug, self.scan_output)
-            success = cdx.produce_from_json(results)
+            success, _ = cdx.produce_from_json(results)
         elif self.output_format == 'spdxlite':
             spdxlite = SpdxLite(self.debug, self.scan_output)
             success = spdxlite.produce_from_json(results)
@@ -509,7 +509,7 @@ class Scanner(ScanossBase):
             for response in scan_responses:
                 if response is not None:
                     if file_map:
-                        response = self._deobfuscate_filenames(response, file_map)
+                        response = self._deobfuscate_filenames(response, file_map)  # noqa: PLW2901
                     results.update(response)
         dep_files = dep_responses.get('files', None) if dep_responses else None
@@ -532,7 +532,7 @@ class Scanner(ScanossBase):
                 deobfuscated[key] = value
         return deobfuscated
-    def scan_file_with_options(
+    def scan_file_with_options(  # noqa: PLR0913
         self,
         file: str,
         deps_file: str = None,
@@ -603,7 +603,7 @@ class Scanner(ScanossBase):
             success = False
         return success
-    def scan_files(self, files: []) -> bool:
+    def scan_files(self, files: []) -> bool:  # noqa: PLR0912, PLR0915
         """
         Scan the specified list of files, producing fingerprints, send to the SCANOSS API and return results
         Please note that by providing an explicit list you bypass any exclusions that may be defined on the scanner
@@ -657,7 +657,7 @@ class Scanner(ScanossBase):
             file_count += 1
             if self.threaded_scan:
                 wfp_size = len(wfp.encode('utf-8'))
-                # If the WFP is bigger than the max post size and we already have something stored in the scan block, add it to the queue
+                # If the WFP is bigger than the max post size and we already have something stored in the scan block, add it to the queue  # noqa: E501
                 if scan_block != '' and (wfp_size + scan_size) >= self.max_post_size:
                     self.threaded_scan.queue_add(scan_block)
                     queue_size += 1
@@ -666,7 +666,7 @@ class Scanner(ScanossBase):
                 scan_block += wfp
                 scan_size = len(scan_block.encode('utf-8'))
                 wfp_file_count += 1
-                # If the scan request block (group of WFPs) or larger than the POST size or we have reached the file limit, add it to the queue
+                # If the scan request block (group of WFPs) or larger than the POST size or we have reached the file limit, add it to the queue  # noqa: E501
                 if wfp_file_count > self.post_file_count or scan_size >= self.max_post_size:
                     self.threaded_scan.queue_add(scan_block)
                     queue_size += 1
@@ -755,7 +755,7 @@ class Scanner(ScanossBase):
                 success = False
         return success
-    def scan_wfp_file(self, file: str = None) -> bool:
+    def scan_wfp_file(self, file: str = None) -> bool:  # noqa: PLR0912, PLR0915
         """
         Scan the contents of the specified WFP file (in the current process)
         :param file: Scan the contents of the specified WFP file (in the current process)

{scanoss-1.27.0 → scanoss-1.28.0}/src/scanoss/scanners/container_scanner.py RENAMED Viewed

@@ -436,10 +436,12 @@ class ContainerScannerPresenter(AbstractPresenter):
         scan_results = {}
         for f in self.scanner.decorated_scan_results['files']:
             scan_results[f['file']] = [f]
-        if not cdx.produce_from_json(scan_results, self.output_file):
+        success, cdx_output = cdx.produce_from_json(scan_results)
+        if not success:
             error_msg = 'Failed to produce CycloneDX output'
             self.base.print_stderr(error_msg)
-            raise ValueError(error_msg)
+            return None
+        return json.dumps(cdx_output, indent=2)
     def _format_spdxlite_output(self) -> str:
         """

{scanoss-1.27.0 → scanoss-1.28.0}/src/scanoss/scanners/scanner_hfh.py RENAMED Viewed

@@ -162,7 +162,7 @@ class ScannerHFHPresenter(AbstractPresenter):
             else str(self.scanner.scan_results)
         )
-    def _format_cyclonedx_output(self) -> str:
+    def _format_cyclonedx_output(self) -> str:  # noqa: PLR0911
         if not self.scanner.scan_results:
             return ''
         try:
@@ -193,17 +193,28 @@ class ScannerHFHPresenter(AbstractPresenter):
                     }
                 ]
             }
+            get_vulnerabilities_json_request = {
+                'purls': [{'purl': purl, 'requirement': best_match_version['version']}],
+            }
             decorated_scan_results = self.scanner.client.get_dependencies(get_dependencies_json_request)
+            vulnerabilities = self.scanner.client.get_vulnerabilities_json(get_vulnerabilities_json_request)
-            cdx = CycloneDx(self.base.debug, self.output_file)
+            cdx = CycloneDx(self.base.debug)
             scan_results = {}
             for f in decorated_scan_results['files']:
                 scan_results[f['file']] = [f]
-            if not cdx.produce_from_json(scan_results, self.output_file):
+            success, cdx_output = cdx.produce_from_json(scan_results)
+            if not success:
                 error_msg = 'ERROR: Failed to produce CycloneDX output'
                 self.base.print_stderr(error_msg)
-                raise ValueError(error_msg)
+                return None
+            if vulnerabilities:
+                cdx_output = cdx.append_vulnerabilities(cdx_output, vulnerabilities, purl)
+            return json.dumps(cdx_output, indent=2)
         except Exception as e:
             self.base.print_stderr(f'ERROR: Failed to get license information: {e}')
             return None

{scanoss-1.27.0 → scanoss-1.28.0}/src/scanoss/scanossgrpc.py RENAMED Viewed

@@ -326,7 +326,7 @@ class ScanossGrpc(ScanossBase):
             request = ParseDict(purls, PurlRequest())  # Parse the JSON/Dict into the purl request object
             metadata = self.metadata[:]
             metadata.append(('x-request-id', request_id))  # Set a Request ID
-            self.print_debug(f'Sending crypto data for decoration (rqId: {request_id})...')
+            self.print_debug(f'Sending vulnerability data for decoration (rqId: {request_id})...')
             resp = self.vuln_stub.GetVulnerabilities(request, metadata=metadata, timeout=self.timeout)
         except Exception as e:
             self.print_stderr(

{scanoss-1.27.0 → scanoss-1.28.0/src/scanoss.egg-info}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: scanoss
-Version: 1.27.0
+Version: 1.28.0
 Summary: Simple Python library to leverage the SCANOSS APIs
 Home-page: https://scanoss.com
 Author: SCANOSS