scanoss 1.27.1__py3-none-any.whl → 1.28.0__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- scanoss/__init__.py +1 -1
- scanoss/cyclonedx.py +81 -0
- scanoss/data/build_date.txt +1 -1
- scanoss/scanners/scanner_hfh.py +9 -0
- scanoss/scanossgrpc.py +1 -1
- {scanoss-1.27.1.dist-info → scanoss-1.28.0.dist-info}/METADATA +1 -1
- {scanoss-1.27.1.dist-info → scanoss-1.28.0.dist-info}/RECORD +11 -11
- {scanoss-1.27.1.dist-info → scanoss-1.28.0.dist-info}/WHEEL +0 -0
- {scanoss-1.27.1.dist-info → scanoss-1.28.0.dist-info}/entry_points.txt +0 -0
- {scanoss-1.27.1.dist-info → scanoss-1.28.0.dist-info}/licenses/LICENSE +0 -0
- {scanoss-1.27.1.dist-info → scanoss-1.28.0.dist-info}/top_level.txt +0 -0
scanoss/__init__.py
CHANGED
scanoss/cyclonedx.py
CHANGED
|
@@ -287,6 +287,87 @@ class CycloneDx(ScanossBase):
|
|
|
287
287
|
return False
|
|
288
288
|
return self.produce_from_json(data, output_file)
|
|
289
289
|
|
|
290
|
+
def _normalize_vulnerability_id(self, vuln: dict) -> tuple[str, str]:
|
|
291
|
+
"""
|
|
292
|
+
Normalize vulnerability ID and CVE from different possible field names.
|
|
293
|
+
Returns tuple of (vuln_id, vuln_cve).
|
|
294
|
+
"""
|
|
295
|
+
vuln_id = vuln.get('ID', '') or vuln.get('id', '')
|
|
296
|
+
vuln_cve = vuln.get('CVE', '') or vuln.get('cve', '')
|
|
297
|
+
|
|
298
|
+
# Skip CPE entries, use CVE if available
|
|
299
|
+
if vuln_id.upper().startswith('CPE:') and vuln_cve:
|
|
300
|
+
vuln_id = vuln_cve
|
|
301
|
+
|
|
302
|
+
return vuln_id, vuln_cve
|
|
303
|
+
|
|
304
|
+
def _create_vulnerability_entry(self, vuln_id: str, vuln: dict, vuln_cve: str, purl: str) -> dict:
|
|
305
|
+
"""
|
|
306
|
+
Create a new vulnerability entry for CycloneDX format.
|
|
307
|
+
"""
|
|
308
|
+
vuln_source = vuln.get('source', '').lower()
|
|
309
|
+
return {
|
|
310
|
+
'id': vuln_id,
|
|
311
|
+
'source': {
|
|
312
|
+
'name': 'NVD' if vuln_source == 'nvd' else 'GitHub Advisories',
|
|
313
|
+
'url': f'https://nvd.nist.gov/vuln/detail/{vuln_cve}'
|
|
314
|
+
if vuln_source == 'nvd'
|
|
315
|
+
else f'https://github.com/advisories/{vuln_id}'
|
|
316
|
+
},
|
|
317
|
+
'ratings': [{'severity': self._sev_lookup(vuln.get('severity', 'unknown').lower())}],
|
|
318
|
+
'affects': [{'ref': purl}]
|
|
319
|
+
}
|
|
320
|
+
|
|
321
|
+
def append_vulnerabilities(self, cdx_dict: dict, vulnerabilities_data: dict, purl: str) -> dict:
|
|
322
|
+
"""
|
|
323
|
+
Append vulnerabilities to an existing CycloneDX dictionary
|
|
324
|
+
|
|
325
|
+
Args:
|
|
326
|
+
cdx_dict (dict): The existing CycloneDX dictionary
|
|
327
|
+
vulnerabilities_data (dict): The vulnerabilities data from get_vulnerabilities_json
|
|
328
|
+
purl (str): The PURL of the component these vulnerabilities affect
|
|
329
|
+
|
|
330
|
+
Returns:
|
|
331
|
+
dict: The updated CycloneDX dictionary with vulnerabilities appended
|
|
332
|
+
"""
|
|
333
|
+
if not cdx_dict or not vulnerabilities_data:
|
|
334
|
+
return cdx_dict
|
|
335
|
+
|
|
336
|
+
if 'vulnerabilities' not in cdx_dict:
|
|
337
|
+
cdx_dict['vulnerabilities'] = []
|
|
338
|
+
|
|
339
|
+
# Extract vulnerabilities from the response
|
|
340
|
+
vulns_list = vulnerabilities_data.get('purls', [])
|
|
341
|
+
if not vulns_list:
|
|
342
|
+
return cdx_dict
|
|
343
|
+
|
|
344
|
+
vuln_items = vulns_list[0].get('vulnerabilities', [])
|
|
345
|
+
|
|
346
|
+
for vuln in vuln_items:
|
|
347
|
+
vuln_id, vuln_cve = self._normalize_vulnerability_id(vuln)
|
|
348
|
+
|
|
349
|
+
# Skip empty IDs or CPE-only entries
|
|
350
|
+
if not vuln_id or vuln_id.upper().startswith('CPE:'):
|
|
351
|
+
continue
|
|
352
|
+
|
|
353
|
+
# Check if vulnerability already exists
|
|
354
|
+
existing_vuln = next(
|
|
355
|
+
(v for v in cdx_dict['vulnerabilities'] if v.get('id') == vuln_id),
|
|
356
|
+
None
|
|
357
|
+
)
|
|
358
|
+
|
|
359
|
+
if existing_vuln:
|
|
360
|
+
# Add this PURL to the affects list if not already present
|
|
361
|
+
if not any(ref.get('ref') == purl for ref in existing_vuln.get('affects', [])):
|
|
362
|
+
existing_vuln['affects'].append({'ref': purl})
|
|
363
|
+
else:
|
|
364
|
+
# Create new vulnerability entry
|
|
365
|
+
cdx_dict['vulnerabilities'].append(
|
|
366
|
+
self._create_vulnerability_entry(vuln_id, vuln, vuln_cve, purl)
|
|
367
|
+
)
|
|
368
|
+
|
|
369
|
+
return cdx_dict
|
|
370
|
+
|
|
290
371
|
@staticmethod
|
|
291
372
|
def _sev_lookup(value: str):
|
|
292
373
|
"""
|
scanoss/data/build_date.txt
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
date:
|
|
1
|
+
date: 20250710142446, utime: 1752157486
|
scanoss/scanners/scanner_hfh.py
CHANGED
|
@@ -193,8 +193,13 @@ class ScannerHFHPresenter(AbstractPresenter):
|
|
|
193
193
|
}
|
|
194
194
|
]
|
|
195
195
|
}
|
|
196
|
+
|
|
197
|
+
get_vulnerabilities_json_request = {
|
|
198
|
+
'purls': [{'purl': purl, 'requirement': best_match_version['version']}],
|
|
199
|
+
}
|
|
196
200
|
|
|
197
201
|
decorated_scan_results = self.scanner.client.get_dependencies(get_dependencies_json_request)
|
|
202
|
+
vulnerabilities = self.scanner.client.get_vulnerabilities_json(get_vulnerabilities_json_request)
|
|
198
203
|
|
|
199
204
|
cdx = CycloneDx(self.base.debug)
|
|
200
205
|
scan_results = {}
|
|
@@ -205,6 +210,10 @@ class ScannerHFHPresenter(AbstractPresenter):
|
|
|
205
210
|
error_msg = 'ERROR: Failed to produce CycloneDX output'
|
|
206
211
|
self.base.print_stderr(error_msg)
|
|
207
212
|
return None
|
|
213
|
+
|
|
214
|
+
if vulnerabilities:
|
|
215
|
+
cdx_output = cdx.append_vulnerabilities(cdx_output, vulnerabilities, purl)
|
|
216
|
+
|
|
208
217
|
return json.dumps(cdx_output, indent=2)
|
|
209
218
|
except Exception as e:
|
|
210
219
|
self.base.print_stderr(f'ERROR: Failed to get license information: {e}')
|
scanoss/scanossgrpc.py
CHANGED
|
@@ -326,7 +326,7 @@ class ScanossGrpc(ScanossBase):
|
|
|
326
326
|
request = ParseDict(purls, PurlRequest()) # Parse the JSON/Dict into the purl request object
|
|
327
327
|
metadata = self.metadata[:]
|
|
328
328
|
metadata.append(('x-request-id', request_id)) # Set a Request ID
|
|
329
|
-
self.print_debug(f'Sending
|
|
329
|
+
self.print_debug(f'Sending vulnerability data for decoration (rqId: {request_id})...')
|
|
330
330
|
resp = self.vuln_stub.GetVulnerabilities(request, metadata=metadata, timeout=self.timeout)
|
|
331
331
|
except Exception as e:
|
|
332
332
|
self.print_stderr(
|
|
@@ -4,13 +4,13 @@ protoc_gen_swagger/options/annotations_pb2.py,sha256=b25EDD6gssUWnFby9gxgcpLIROT
|
|
|
4
4
|
protoc_gen_swagger/options/annotations_pb2_grpc.py,sha256=1oboBPFxaTEXt9Aw7EAj8gXHDCNMhZD2VXqocC9l_gk,159
|
|
5
5
|
protoc_gen_swagger/options/openapiv2_pb2.py,sha256=vYElGp8E1vGHszvWqX97zNG9GFJ7u2QcdK9ouq0XdyI,14939
|
|
6
6
|
protoc_gen_swagger/options/openapiv2_pb2_grpc.py,sha256=1oboBPFxaTEXt9Aw7EAj8gXHDCNMhZD2VXqocC9l_gk,159
|
|
7
|
-
scanoss/__init__.py,sha256=
|
|
7
|
+
scanoss/__init__.py,sha256=Sre04UP925CNKzy9Agq2V3oSyx5Jx3X14ZW9gtmdE5A,1146
|
|
8
8
|
scanoss/cli.py,sha256=9ELIAJy06g4KyvnALzPSQ_Rh1ypALbyQGGKrjb4sCOk,72615
|
|
9
9
|
scanoss/components.py,sha256=b0R9DdKuXqyQiw5nZZwjQ6NJXBr1U9gyx1RI2FP9ozA,14511
|
|
10
10
|
scanoss/constants.py,sha256=On8mQ-8ardVMHSJ7WOJqeTvGXIOWPLCgUanjE7Wk-wE,351
|
|
11
11
|
scanoss/cryptography.py,sha256=Q39MOCscP-OFvrnPXaPOMFFkc8OKnf3mC3SgZYEtCog,9407
|
|
12
12
|
scanoss/csvoutput.py,sha256=qNKRwcChSkgIwLm00kZiVX6iHVQUF4Apl-sMbzJ5Taw,10192
|
|
13
|
-
scanoss/cyclonedx.py,sha256=
|
|
13
|
+
scanoss/cyclonedx.py,sha256=n3SVuHxiN1Oa-CaqAOtHsLTFefvXEjgJbpsKa0AcwDY,16267
|
|
14
14
|
scanoss/file_filters.py,sha256=2DzyvSVR7We7U36UurtJj3cdQturUjDl8j3OIqmv4Pg,20638
|
|
15
15
|
scanoss/filecount.py,sha256=RZjKQ6M5P_RQg0_PMD2tsRe5Z8f98ke0sxYVjPDN8iQ,6538
|
|
16
16
|
scanoss/results.py,sha256=47ZXXuU2sDjYa5vhtbWTmikit9jHhA0rsYKwkvZFI5w,9252
|
|
@@ -19,7 +19,7 @@ scanoss/scanner.py,sha256=tS5yR6byhbVliSV0vTC7dkdX9XOhiTi8s9tCkDSObik,45397
|
|
|
19
19
|
scanoss/scanoss_settings.py,sha256=393JnWLsEZhvMg5tPUGgxmqnBKp8AcLxYsDRbLP7aV4,10650
|
|
20
20
|
scanoss/scanossapi.py,sha256=v4D9i9Impa82Enw-5hZ7KLlscDIpaILNbGOMj3MJXqs,13067
|
|
21
21
|
scanoss/scanossbase.py,sha256=Dkpwxa8NH8XN1iRl03NM_Mkvby0JQ4qfvCiiUrJ5ul0,3163
|
|
22
|
-
scanoss/scanossgrpc.py,sha256=
|
|
22
|
+
scanoss/scanossgrpc.py,sha256=uwAp9CzA_t7oMXYo7o81j8kVgn8qSeTjA4b1Jj8hoL0,30011
|
|
23
23
|
scanoss/scanpostprocessor.py,sha256=-JsThlxrU70r92GHykTMERnicdd-6jmwNsE4PH0MN2o,11063
|
|
24
24
|
scanoss/scantype.py,sha256=gFmyVmKQpHWogN2iCmMj032e_sZo4T92xS3_EH5B3Tc,1310
|
|
25
25
|
scanoss/spdxlite.py,sha256=MQqFgQhIO-yrbRwEAQS77HmRgP5GDxff-2JYLVoceA0,28946
|
|
@@ -57,7 +57,7 @@ scanoss/api/vulnerabilities/__init__.py,sha256=IFrDk_DTJgKSZmmU-nuLXuq_s8sQZlrSC
|
|
|
57
57
|
scanoss/api/vulnerabilities/v2/__init__.py,sha256=IFrDk_DTJgKSZmmU-nuLXuq_s8sQZlrSCHhIDMJT4r0,1122
|
|
58
58
|
scanoss/api/vulnerabilities/v2/scanoss_vulnerabilities_pb2.py,sha256=CFhF80av8tenGvn9AIsGEtRJPuV2dC_syA5JLZb2lDw,5464
|
|
59
59
|
scanoss/api/vulnerabilities/v2/scanoss_vulnerabilities_pb2_grpc.py,sha256=HlS4k4Zmx6RIAqaO9I96jD-eyF5yU6Xx04pVm7pdqOg,6864
|
|
60
|
-
scanoss/data/build_date.txt,sha256
|
|
60
|
+
scanoss/data/build_date.txt,sha256=iYCQ03ljoro3XW9RTUH04V18pc85cKHRTeyfyVL06BI,40
|
|
61
61
|
scanoss/data/scanoss-settings-schema.json,sha256=ClkRYAkjAN0Sk704G8BE_Ok006oQ6YnIGmX84CF8h9w,8798
|
|
62
62
|
scanoss/data/spdx-exceptions.json,sha256=s7UTYxC7jqQXr11YBlIWYCNwN6lRDFTR33Y8rpN_dA4,17953
|
|
63
63
|
scanoss/data/spdx-licenses.json,sha256=A6Z0q82gaTLtnopBfzeIVZjJFxkdRW1g2TuumQc-lII,228794
|
|
@@ -73,15 +73,15 @@ scanoss/scanners/__init__.py,sha256=D4C0lWLuNp8k_BjQZEc07WZcUgAvriVwQWOk063b0ZU,
|
|
|
73
73
|
scanoss/scanners/container_scanner.py,sha256=fOrb64owrstX7LnTuxiIan059YgLeKXeBS6g2QaCyq0,16346
|
|
74
74
|
scanoss/scanners/folder_hasher.py,sha256=-qvTtMC0iPj7zS8nMSZZJyt9d62MeQIK0LcrNDkt7yc,12267
|
|
75
75
|
scanoss/scanners/scanner_config.py,sha256=egG7cw3S2akU-D9M1aLE5jLrfz_c8e7_DIotMnnpM84,2601
|
|
76
|
-
scanoss/scanners/scanner_hfh.py,sha256=
|
|
76
|
+
scanoss/scanners/scanner_hfh.py,sha256=OvayCIq_a5iJwv7H7OCdB9K0vI9oxAz9UvgGfg7xrLU,8392
|
|
77
77
|
scanoss/utils/__init__.py,sha256=0hjb5ktavp7utJzFhGMPImPaZiHWgilM2HwvTp5lXJE,1122
|
|
78
78
|
scanoss/utils/abstract_presenter.py,sha256=teiDTxBj5jBMCk2T8i4l1BJPf_u4zBLWrtCTFHSSECM,3148
|
|
79
79
|
scanoss/utils/crc64.py,sha256=TMrwQimSdE6imhFOUL7oAG6Kxu-8qMpGWMuMg8QpSVs,3169
|
|
80
80
|
scanoss/utils/file.py,sha256=62cA9a17TU9ZvfA3FY5HY4-QOajJeSrc8S6xLA_f-3M,2980
|
|
81
81
|
scanoss/utils/simhash.py,sha256=6iu8DOcecPAY36SZjCOzrrLMT9oIE7-gI6QuYwUQ7B0,5793
|
|
82
|
-
scanoss-1.
|
|
83
|
-
scanoss-1.
|
|
84
|
-
scanoss-1.
|
|
85
|
-
scanoss-1.
|
|
86
|
-
scanoss-1.
|
|
87
|
-
scanoss-1.
|
|
82
|
+
scanoss-1.28.0.dist-info/licenses/LICENSE,sha256=LLUaXoiyOroIbr5ubAyrxBOwSRLTm35ETO2FmLpy8QQ,1074
|
|
83
|
+
scanoss-1.28.0.dist-info/METADATA,sha256=MCZLZyTbAL_542yYN9oJGDfDUlzUxaWRaGbOqE7030o,6060
|
|
84
|
+
scanoss-1.28.0.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
|
|
85
|
+
scanoss-1.28.0.dist-info/entry_points.txt,sha256=Uy28xnaDL5KQ7V77sZD5VLDXPNxYYzSr5tsqtiXVzAs,48
|
|
86
|
+
scanoss-1.28.0.dist-info/top_level.txt,sha256=V11PrQ6Pnrc-nDF9xnisnJ8e6-i7HqSIKVNqduRWcL8,27
|
|
87
|
+
scanoss-1.28.0.dist-info/RECORD,,
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|