TypeError when scanning #1518

Closed
Molkree opened this issue Jan 9, 2022 · 0 comments · Fixed by #1519

Comments


Molkree commented Jan 9, 2022

I have tried to scan the dir from this comment and instead of the error mentioned in that thread got another one:

```
(.venv) molkree@DESKTOP-V2SIETN:~/cve-bin-tool$ cve-bin-tool _openwrt-mt1300-3.203-0809.bin.extracted/
[19:16:43] INFO     cve_bin_tool.CVEDB - Using cached CVE data (<24h old). Use -u now to update immediately.                                    cvedb.py:346
           INFO     cve_bin_tool.CVEDB - There are 167184 CVE entries in the database                                                           cvedb.py:376
           INFO     cve_bin_tool - CVE database last updated on 09 January 2022 at 19:10:41                                                       cli.py:446
[19:16:44] INFO     cve_bin_tool - Number of checkers: 110                                                                                        cli.py:520
           INFO     cve_bin_tool.VersionScanner - Checkers: accountsservice, avahi, bash, bind, binutils, bolt, bubblewrap, busybox,   version_scanner.py:93
                    bzip2, cronie, cryptsetup, cups, curl, dbus, dnsmasq, dovecot, dpkg, enscript, expat, ffmpeg, freeradius, ftp,
                    gcc, gimp, glibc, gnomeshell, gnupg, gnutls, gpgme, gstreamer, gupnp, haproxy, hdf5, hostapd, hunspell, icecast,
                    icu, irssi, kbd, kerberos, kexectools, libarchive, libbpg, libdb, libgcrypt, libical, libjpeg_turbo, liblas,
                    libnss, libsndfile, libsoup, libsrtp, libssh2, libtiff, libvirt, libvncserver, libxslt, lighttpd, logrotate, lua,
                    mariadb, mdadm, memcached, mtr, mysql, nano, ncurses, nessus, netpbm, nginx, node, ntp, open_vm_tools, openafs,
                    openjpeg, openldap, openssh, openssl, openswan, openvpn, p7zip, pcsc_lite, pigz, png, polarssl_fedora, poppler,
                    postgresql, pspp, python, qt, radare2, rsyslog, samba, sane_backends, sqlite, strongswan, subversion, sudo,
                    syslogng, systemd, tcpdump, trousers, varnish, webkitgtk, wireshark, wpa_supplicant, xerces, xml2, zlib, zsh
[19:17:20] INFO     cve_bin_tool.CVEScanner - 4 CVE(s) in lua.lua v5.1.5                                                                  cve_scanner.py:221
/home/molkree/cve-bin-tool/.venv/lib/python3.9/site-packages/pkg_resources/__init__.py:116: PkgResourcesDeprecationWarning: 1.1.1d is an invalid version and will not be supported in a future release
  warnings.warn(
/home/molkree/cve-bin-tool/.venv/lib/python3.9/site-packages/pkg_resources/__init__.py:116: PkgResourcesDeprecationWarning: a.00.09.07.11 is an invalid version and will not be supported in a future release
  warnings.warn(
           INFO     cve_bin_tool.CVEScanner - 13 CVE(s) in openssl.openssl v1.1.1d                                                        cve_scanner.py:221
[19:17:21] INFO     cve_bin_tool.CVEScanner - 9 CVE(s) in sqlite.sqlite v3.31.1                                                           cve_scanner.py:221
╭─────────────────────────────── Traceback (most recent call last) ────────────────────────────────╮
│                                                                                                  │
│ /home/molkree/cve-bin-tool/.venv/bin/cve-bin-tool:8 in <module>                                  │
│                                                                                                  │
│   5 from cve_bin_tool.cli import main                                                            │
│   6 if __name__ == '__main__':                                                                   │
│   7 │   sys.argv[0] = re.sub(r'(-script\.pyw|\.exe)?$', '', sys.argv[0])                         │
│ ❱ 8 │   sys.exit(main())                                                                         │
│   9                                                                                              │
│ /home/molkree/cve-bin-tool/.venv/lib/python3.9/site-packages/cve_bin_tool/cli.py:529 in main     │
│                                                                                                  │
│   526 │   │   │   │   │   triage_data = parsed_data.get(product_info, {"default": {}})           │
│   527 │   │   │   │   │   # Ignore paths from triage_data if we are scanning directory           │
│   528 │   │   │   │   │   triage_data["paths"] = {path}                                          │
│ ❱ 529 │   │   │   │   │   cve_scanner.get_cves(product_info, triage_data)                        │
│   530 │   │   │   total_files = version_scanner.total_scanned_files                              │
│   531 │   │                                                                                      │
│   532 │   │   if args["merge"]:                                                                  │
│                                                                                                  │
│ /home/molkree/cve-bin-tool/.venv/lib/python3.9/site-packages/cve_bin_tool/cve_scanner.py:144 in  │
│ get_cves                                                                                         │
│                                                                                                  │
│   141 │   │   │   passes_end = False                                                             │
│   142 │   │   │   if (                                                                           │
│   143 │   │   │   │   version_end_including is not self.RANGE_UNSET                              │
│ ❱ 144 │   │   │   │   and parsed_version <= parse_version(version_end_including)                 │
│   145 │   │   │   ):                                                                             │
│   146 │   │   │   │   passes_end = True                                                          │
│   147                                                                                            │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
TypeError: '<=' not supported between instances of 'str' and 'Version'
```

The offending code is here:

```python
# check the end range
passes_end = False
if (
    version_end_including is not self.RANGE_UNSET
    and parsed_version <= parse_version(version_end_including)
):
    passes_end = True
```

As evident from the error text, `parsed_version` is just a `str`, but `parse_version(version_end_including)` is a `Version`.

```python
from pkg_resources import parse_version
```

pkg_resources is part of setuptools and I'm not sure how this worked before. Probably Version was implicitly comparable to str before? I didn't dig deep enough to find out but I have setuptools v60.5.0 in this venv. This is a regression from 6cd49cf.

Anyway, a quick fix would probably be to call parse_version when assigning parsed_version (this seems to be the intended way).

But I suspect that the better fix would be to move away from pkg_resources entirely due to this guidance:

> Use of pkg_resources is discouraged in favor of importlib.resources, importlib.metadata, and their backports (resources, metadata). Please consider using those libraries instead of pkg_resources.

P.S. This is on the latest commit 8c1f773, which is why the error is different from the user report.
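The type mismatch behind this traceback, as an added stand-alone example that is not cve-bin-tool's code: a version range check in which the candidate version and every range bound go through the same parser before any comparison. To run without setuptools it uses a hand-rolled tuple key instead of `pkg_resources.parse_version`; that parser, its tolerance for an OpenSSL-style letter suffix such as `1.1.1d`, and the `None` result for strings it cannot parse (like `a.00.09.07.11` from the warnings above) are assumptions made for illustration, not the project's behaviour. `buggy_passes_end` reproduces the defect from the issue (raw string on the left, parsed object on the right), `version_in_range` is the corrected form.

```python
import re
from typing import Optional, Tuple

# Constructed stand-in for a parsed version: (numeric segments, letter suffix).
# This replaces pkg_resources.parse_version so the example needs no setuptools;
# it is not cve-bin-tool's parser.
VersionKey = Tuple[Tuple[int, ...], str]

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)([A-Za-z]*)")


def version_key(version: str) -> VersionKey:
    """Turn '5.1.5' into ((5, 1, 5), '') and '1.1.1d' into ((1, 1, 1), 'd').

    Tuples compare element-wise, so keys order correctly where plain string
    comparison does not ('10.0' > '9.9').  Anything that is not dotted digits
    with an optional letter suffix (for example 'a.00.09.07.11' from the scan
    output above) is rejected explicitly instead of being compared as text.
    """
    match = _VERSION_RE.fullmatch(version.strip())
    if match is None:
        raise ValueError(f"unparseable version string: {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    return numbers, match.group(2)


def buggy_passes_end(version: str, end_including: str) -> bool:
    """Reproduces the defect from the traceback: the left operand is the raw
    string, the right operand is parsed, and Python refuses to order them."""
    return version <= version_key(end_including)  # raises TypeError


def version_in_range(
    version: str,
    start_including: Optional[str] = None,
    start_excluding: Optional[str] = None,
    end_including: Optional[str] = None,
    end_excluding: Optional[str] = None,
) -> Optional[bool]:
    """Corrected check: the candidate and every bound are parsed with the same
    function before any comparison, so both operands always share a type.

    Returns None when the candidate cannot be parsed, so a caller can report
    'unknown' rather than silently treating the product as unaffected.
    """
    try:
        parsed = version_key(version)
    except ValueError:
        return None

    if start_including is not None and not version_key(start_including) <= parsed:
        return False
    if start_excluding is not None and not version_key(start_excluding) < parsed:
        return False
    if end_including is not None and not parsed <= version_key(end_including):
        return False
    if end_excluding is not None and not parsed < version_key(end_excluding):
        return False
    return True


if __name__ == "__main__":
    # The candidate versions are the ones reported in the scan output above;
    # the range bounds are constructed for illustration.
    print(version_in_range("5.1.5", end_including="5.4.0"))  # True
    print(version_in_range("1.1.1d", start_including="1.1.1", end_excluding="1.1.1e"))  # True
    print(version_in_range("a.00.09.07.11", end_including="1.0"))  # None
    try:
        buggy_passes_end("3.31.1", "3.35.0")
    except TypeError as exc:
        print(f"reproduced the issue: {exc}")
```

The design point is the one the issue makes: a range check must parse the candidate once, up front, with the same function used for the bounds. Returning `None` for an unparseable candidate keeps the "we could not evaluate this product" case visible instead of collapsing it into "not affected", which is the outcome a scanner should avoid.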
