Commit 923fdafd authored by Jérome Perrin's avatar Jérome Perrin

cyclonedx: use the github organisation as software vendor

the case of snappy from the test was a real problem where
false positive vulnerabilities for cpe:2.3:a:knplabs:snappy:*:*:*:*:*:*:*:*
were reported, for example CVE-2023-41330
parent 511ad44d
......@@ -613,7 +613,11 @@ def fmt_bom_cyclonedx_json(bom, software_path):
elif pkginfo.kind == 'gem':
purl_type = 'gem'
else:
cpe = f'cpe:2.3:*:*:{pkginfo.name}:{pkginfo.version}:*:*:*:*:*:*:*'
cpe_vendor = '*'
parsed_url = urlparse(pkginfo.url)
if parsed_url.hostname == 'github.com':
cpe_vendor = parsed_url.path.split('/')[1]
cpe = f'cpe:2.3:*:{cpe_vendor}:{pkginfo.name}:{pkginfo.version}:*:*:*:*:*:*:*'
purl = f'pkg:{purl_type}/{pkginfo.name}@{pkginfo.version}'
component = {
'name': pkginfo.name,
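Review bot: `cpe_vendor = parsed_url.path.split('/')[1]` raises IndexError when a github.com URL has no path beyond the host (an empty path splits to `['']`) and produces an empty vendor when the path is just `/`, so the new guard should check the path as well as the hostname, e.g. `parts = parsed_url.path.strip('/').split('/')` then `if parsed_url.hostname == 'github.com' and len(parts) >= 2:` and `cpe_vendor = parts[0]`. The commit message explains that the wildcard vendor produced false positives; the reverse risk deserves a comment next to the hostname check, since a GitHub organisation name that differs from the vendor string used in the vulnerability database will now hide true matches: `# GitHub org becomes the CPE vendor; a mismatch with the NVD vendor string yields false negatives`. A test case with a github.com URL that lacks an organisation segment would pin the guard. fmt_bom_cyclonedx_json starts before this hunk and continues after it, so the assignment of purl_type in this else branch is not visible here.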
......@@ -767,6 +767,10 @@ recipe = slapos.recipe.build:gitclone
repository = https://lab.nexedi.com/nexedi/erp5
revision = 1234abcd
[snappy]
recipe = slapos.recipe.cmmi
url = https://github.com/google/snappy/archive/1.1.8.tar.gz
[eggs]
recipe = zc.recipe.egg
_d = /ROOT/develop-eggs
......@@ -827,7 +831,20 @@ eggs =
'type': 'library',
'version': '1.6.37',
},
]
{
'name': 'snappy',
'purl': 'pkg:generic/snappy@1.1.8',
'type': 'library',
'version': '1.1.8',
'cpe': 'cpe:2.3:*:google:snappy:1.1.8:*:*:*:*:*:*:*',
'externalReferences': [
{
'url': 'https://github.com/google/snappy/archive/1.1.8.tar.gz',
'type': 'distribution',
}
],
},
]
# loading non-existing .installed.cfg -> error