Regression: Do not parse `cve` if `cve == None`
v01dXYZ opened this issue · 1 comments
- safety version: 2.2.0
- Python version: 3.8
- Operating System: Linux - Ubuntu 18.04.1 (docker image: python:3.8)
Description
The database file contains entries with the `cve` field equal to `null`. Contrary to 1.10.3, which only parses the field if it is neither `None` nor `""`, version 2.2.0 assumes it is always a string.
What I Did
```
$ safety --debug check
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/safety/cli.py", line 143, in check
    vulns, db_full = safety.check(packages=packages, key=key, db_mirror=db, cached=cache, ignore_vulns=ignore,
  File "/usr/local/lib/python3.8/site-packages/safety/util.py", line 601, in new_func
    return f(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/safety/safety.py", line 341, in check
    cve = get_cve_from(data, db_full)
  File "/usr/local/lib/python3.8/site-packages/safety/safety.py", line 279, in get_cve_from
    cve_id = data.get("cve", '').split(",")[0].strip()
AttributeError: 'NoneType' object has no attribute 'split'
```

```
$ curl "https://raw.githubusercontent.com/pyupio/safety-db/bc28866e8129481f6b7b687591ae59e96f567dd1/data/insecure_full.json" -s | grep -A5 -B2 '"cve": null'
    {
      "advisory": "Hypercorn 0.6.0 pauses reading during h11 pipelining, fixing a potential DOS weakness.",
      "cve": null,
      "id": "pyup.io-50866",
      "more_info_path": "/vulnerabilities/None/50866/",
      "specs": [
        "<0.6.0"
      ],
--
    {
      "advisory": "Opendp 0.5.0 hardens samplers to handle some privacy violation cases.\r\nhttps://github.com/opendp/opendp/pull/481",
      "cve": null,
      "id": "pyup.io-50829",
      "more_info_path": "/vulnerabilities/None/50829/",
      "specs": [
        "<0.5.0"
      ],
```
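The root cause in the traceback is a common Python pitfall: `dict.get("cve", "")` only substitutes the default when the key is absent, not when the value is present but `null` (`None` after `json.loads`). The example below is added here and is not Safety's code or the fix from PR #412; the function names `cve_id_naive`, `cve_id_safe` and `parse_db` and the sample records are constructed for illustration. It reproduces the failing expression, shows the tolerant variant the report describes for 1.10.3 (treating `None` and `""` alike), and demonstrates why a scanner should fail per record rather than abort the whole run on one malformed entry.

```python
import json

# Constructed sample records in the shape of insecure_full.json entries.
# Not real database content; CVE ids are placeholders. One record carries
# "cve": null exactly as in the report, one an empty string, one no key at all.
SAMPLE_DB_JSON = """
[
  {"advisory": "constructed entry with CVEs", "cve": "CVE-0000-0001, CVE-0000-0002", "id": "pyup.io-1", "specs": ["<1.0"]},
  {"advisory": "constructed entry with null cve", "cve": null, "id": "pyup.io-2", "specs": ["<2.0"]},
  {"advisory": "constructed entry with empty cve", "cve": "", "id": "pyup.io-3", "specs": ["<3.0"]},
  {"advisory": "constructed entry missing the cve key", "id": "pyup.io-4", "specs": ["<4.0"]}
]
"""


def cve_id_naive(data):
    """Mirror of the failing expression from the traceback.

    dict.get() returns the default only when the key is missing; a key whose
    value is None is returned as None, and None has no .split().
    """
    return data.get("cve", "").split(",")[0].strip()


def cve_id_safe(data):
    """Return the first CVE id in the entry, or None when the field is
    missing, null or empty.

    `or ""` normalises both None and "" to an empty string before splitting,
    which is the 1.10.3 behaviour the report describes (hypothetical
    reconstruction, not Safety's actual code).
    """
    raw = data.get("cve") or ""
    first = raw.split(",")[0].strip()
    return first or None


def parse_db(text, extractor):
    """Apply `extractor` to every entry of a JSON array.

    Returns (results, failures): results is a list of (id, cve) pairs,
    failures a list of (id, error message) for entries whose extraction
    raised, so a single bad record is reported instead of aborting the scan.
    """
    results, failures = [], []
    for entry in json.loads(text):
        try:
            results.append((entry["id"], extractor(entry)))
        except AttributeError as exc:
            failures.append((entry["id"], str(exc)))
    return results, failures


if __name__ == "__main__":
    # The naive extractor fails exactly on the null record ...
    ok, bad = parse_db(SAMPLE_DB_JSON, cve_id_naive)
    print("naive  ->", ok, "failures:", bad)
    # ... while the tolerant one parses every record and yields None for
    # absent, null and empty CVE fields.
    ok, bad = parse_db(SAMPLE_DB_JSON, cve_id_safe)
    print("safe   ->", ok, "failures:", bad)
```

The per-record `try`/`except` in `parse_db` is the operational point: a vulnerability scanner that crashes on one malformed database row silently stops checking all the other packages, which is a worse outcome than logging the bad row and continuing.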
Hi @v01dXYZ, thanks for reporting this issue; we appreciate your report.
I want to explain that now (Safety 2.0+), all the vulnerabilities have a link to a CVE ID (or a PVE ID), so this issue is a bug coming from the bot's free and open-source database process and upload.
Therefore we are working on finding and fixing the issue that exported those null CVEs; also, we have added handling for "None" CVE ids in the Safety code.
PR #412 has the extra validation for None CVE ids; it will be available in the following Safety version.
I will close this issue; please, open a new one or comment if you have any other questions or concerns.