feat: add affected-versions to all formats (#1342)

cve_bin_tool/available_fix/debian_cve_tracker.py

@@ -44,7 +44,7 @@ def cve_info(
     ):
         """Produces the Backported fixes' info"""
 
-        cve_data = format_output(all_cve_data)
+        cve_data = format_output(all_cve_data, None)
         json_data = self.get_data()
         for cve in cve_data:
             try:

cve_bin_tool/available_fix/redhat_cve_tracker.py

@@ -24,7 +24,7 @@ def cve_info(
     ):
         """Produces the available fixes' info"""
 
-        cve_data = format_output(all_cve_data)
+        cve_data = format_output(all_cve_data, None)
         for cve in cve_data:
             if cve["cve_number"] != "UNKNOWN":
                 json_data = self.get_data(cve["cve_number"], cve["product"])

cve_bin_tool/output_engine/__init__.py

@@ -7,31 +7,38 @@
 import time
 from datetime import datetime
 from logging import Logger
-from typing import IO, Dict, List, Union
+from typing import IO, Dict, List, Optional, Union
 
 from ..cve_scanner import CVEData
 from ..cvedb import CVEDB
 from ..error_handler import ErrorHandler, ErrorMode
 from ..log import LOGGER
-from ..util import ProductInfo, Remarks
+from ..util import ProductInfo, Remarks, VersionInfo
 from ..version import VERSION
 from .console import output_console
 from .html import output_html
 from .util import (
     add_extension_if_not,
     format_output,
     format_path,
+    format_version_range,
     generate_filename,
     get_cve_summary,
     intermediate_output,
 )
 
 
 def output_json(
-    all_cve_data: Dict[ProductInfo, CVEData], outfile: IO, detailed: bool = False
+    all_cve_data: Dict[ProductInfo, CVEData],
+    all_cve_version_info: Optional[Dict[str, VersionInfo]],
+    outfile: IO,
+    detailed: bool = False,
+    affected_versions: int = 0,
 ):
     """Output a JSON of CVEs"""
-    formatted_output = format_output(all_cve_data, detailed)
+    formatted_output = format_output(
+        all_cve_data, all_cve_version_info, detailed, affected_versions
+    )
     json.dump(formatted_output, outfile, indent="    ")
 
 
@@ -59,10 +66,16 @@ def save_intermediate(
 
 
 def output_csv(
-    all_cve_data: Dict[ProductInfo, CVEData], outfile, detailed: bool = False
+    all_cve_data: Dict[ProductInfo, CVEData],
+    all_cve_version_info: Optional[Dict[str, VersionInfo]],
+    outfile,
+    detailed: bool = False,
+    affected_versions: int = 0,
 ):
     """Output a CSV of CVEs"""
-    formatted_output = format_output(all_cve_data, detailed)
+    formatted_output = format_output(
+        all_cve_data, all_cve_version_info, detailed, affected_versions
+    )
 
     # Trim any leading -, =, +, @, tab or CR to avoid excel macros
     for cve_entry in formatted_output:
@@ -87,6 +100,8 @@ def output_csv(
     )
     if detailed:
         writer.fieldnames.append("description")
+    if affected_versions != 0:
+        writer.fieldnames.append("affected_versions")
     writer.writeheader()
     writer.writerows(formatted_output)
 
@@ -100,8 +115,10 @@ def output_pdf(
         all_cve_data: Dict[ProductInfo, CVEData],
         is_report,
         products_with_cve,
+        all_cve_version_info,
         outfile,
         merge_report,
+        affected_versions: int = 0,
         exploits: bool = False,
     ):
         """Output a PDF of CVEs"""
@@ -255,11 +272,16 @@ def output_pdf(
             pdfdoc.paragraph(
                 "The following vulnerabilities are reported against the identified versions of the libraries."
             )
+            col_headings = ["Vendor", "Product", "Version", "CVE Number", "Severity"]
+            col_dist = [10, 10, None, None, None]
+            if affected_versions != 0:
+                col_headings.append("Affected Versions")
+                col_dist.append(None)
             pdfdoc.createtable(
                 "Productlist",
-                ["Vendor", "Product", "Version", "CVE Number", "Severity"],
+                col_headings,
                 pdfdoc.tblStyle,
-                [10, 10, None, None, None],
+                col_dist,
             )
             row = 1
             star_warn = False
@@ -275,6 +297,12 @@ def output_pdf(
                             cve.cve_number,
                             cve.severity,
                         ]
+                        if affected_versions != 0:
+                            try:
+                                version_info = all_cve_version_info[cve.cve_number]
+                            except KeyError:  # TODO: handle 'UNKNOWN' and some cves more cleanly
+                                version_info = VersionInfo("", "", "", "")
+                            entry.append(format_version_range(version_info))
                         pdfdoc.addrow(
                             "Productlist",
                             entry,
@@ -297,9 +325,10 @@ def output_pdf(
                         )
                         row += 1
 
-            pdfdoc.showtable(
-                "Productlist", widths=[3 * cm, 3 * cm, 2 * cm, 4 * cm, 5 * cm]
-            )
+            widths = [3 * cm, 3 * cm, 2 * cm, 4 * cm, 5 * cm]
+            if affected_versions != 0:
+                widths.append(4 * cm)
+            pdfdoc.showtable("Productlist", widths=widths)
             pdfdoc.paragraph("* vendors guessed by the tool") if star_warn else None
 
             pdfdoc.heading(1, "List of Vulnerabilities mapped to Components")
@@ -369,8 +398,10 @@ def output_pdf(
         all_cve_data: Dict[ProductInfo, CVEData],
         is_report,
         products_with_cve,
+        all_cve_version_info,
         outfile,
         merge_report,
+        affected_versions,
         exploits: bool = False,
     ):
         LOGGER.warning("PDF output requires install of reportlab")
@@ -423,21 +454,36 @@ def output_cves(self, outfile, output_type="console"):
         to other formats like CSV or JSON
         """
         if output_type == "json":
-            output_json(self.all_cve_data, outfile, self.detailed)
+            output_json(
+                self.all_cve_data,
+                self.all_cve_version_info,
+                outfile,
+                self.detailed,
+                self.affected_versions,
+            )
         elif output_type == "csv":
-            output_csv(self.all_cve_data, outfile, self.detailed)
+            output_csv(
+                self.all_cve_data,
+                self.all_cve_version_info,
+                outfile,
+                self.detailed,
+                self.affected_versions,
+            )
         elif output_type == "pdf":
             output_pdf(
                 self.all_cve_data,
                 self.is_report,
                 self.products_with_cve,
+                self.all_cve_version_info,
                 outfile,
                 self.merge_report,
+                self.affected_versions,
                 self.exploits,
             )
         elif output_type == "html":
             output_html(
                 self.all_cve_data,
+                self.all_cve_version_info,
                 self.scanned_dir,
                 self.filename,
                 self.themes_dir,
@@ -447,6 +493,7 @@ def output_cves(self, outfile, output_type="console"):
                 self.merge_report,
                 self.logger,
                 outfile,
+                self.affected_versions,
             )
         else:  # console, or anything else that is unrecognised
             output_console(

cve_bin_tool/output_engine/console.py

@@ -18,47 +18,7 @@
 from ..theme import cve_theme
 from ..util import ProductInfo, VersionInfo
 from ..version import VERSION
-from .util import format_path, get_cve_summary
-
-
-def format_version_range(version_info: VersionInfo) -> str:
-    """
-    Format version info to desirable output
-
-    Example:
-    ```
-        format_version_range('', '', '', '') => "-"
-        format_version_range('2.2.8', '', '2.2.11', '') => "[2.2.8 - 2.2.11]"
-        format_version_range('2.2.8', '', '', '2.2.11') => "[2.2.8 - 2.2.11)"
-        format_version_range('', '2.2.8', '2.2.11', '') => "(2.2.8 - 2.2.11]"
-        format_version_range('', '2.2.8', '', '2.2.11') => "(2.2.8 - 2.2.11])"
-        format_version_range('2.2.8', '', '', '') => ">= 2.2.8"
-        format_version_range('', '2.2.8', '', '') => "> 2.2.8"
-        format_version_range('', '', '2.2.11', '') => "<= 2.2.11"
-        format_version_range('', '', '', '2.2.11') => "< 2.2.11"
-    ```
-
-    Reference for Interval terminologies: https://en.wikipedia.org/wiki/Interval_(mathematics)
-    """
-
-    (start_including, start_excluding, end_including, end_excluding) = version_info
-    if start_including and end_including:
-        return f"[{start_including} - {end_including}]"
-    if start_including and end_excluding:
-        return f"[{start_including} - {end_excluding})"
-    if start_excluding and end_including:
-        return f"({start_excluding} - {end_including}]"
-    if start_excluding and end_excluding:
-        return f"({start_excluding} - {end_excluding})"
-    if start_including:
-        return f">= {start_including}"
-    if start_excluding:
-        return f"> {start_excluding}"
-    if end_including:
-        return f"<= {end_including}"
-    if end_excluding:
-        return f"< {end_excluding}"
-    return "-"
+from .util import format_path, format_version_range, get_cve_summary
 
 
 def output_console(*args: Any):

cve_bin_tool/output_engine/html.py

@@ -4,7 +4,7 @@
 import os
 from collections import Counter, defaultdict
 from datetime import datetime
-from typing import Dict, List, Union
+from typing import Dict, List, Optional, Union
 
 import plotly.graph_objects as go
 from jinja2 import Environment, FileSystemLoader, select_autoescape
@@ -13,7 +13,7 @@
 from cve_bin_tool.merge import MergeReports
 
 from ..log import LOGGER
-from ..util import CVEData, ProductInfo, Remarks
+from ..util import CVEData, ProductInfo, Remarks, VersionInfo
 from ..version import VERSION
 from .print_mode import html_print_mode
 from .util import group_cve_by_remark
@@ -59,6 +59,7 @@ def render_cves(
 
 def output_html(
     all_cve_data: Dict[ProductInfo, CVEData],
+    all_cve_version_info: Optional[Dict[str, VersionInfo]],
     scanned_dir: str,
     filename: str,
     theme_dir: str,
@@ -68,6 +69,7 @@ def output_html(
     merge_report: Union[None, MergeReports],
     logger: LOGGER,
     outfile,
+    affected_versions: int = 0,
 ):
     """Returns a HTML report for CVE's"""
 
@@ -347,6 +349,7 @@ def output_html(
             all_paths=all_paths,
             print_mode=html_print_mode(
                 all_cve_data,
+                all_cve_version_info,
                 scanned_dir,
                 products_with_cve,
                 products_without_cve,
@@ -355,6 +358,7 @@ def output_html(
                 merge_report,
                 version=VERSION,
                 full_html=False,
+                affected_versions=affected_versions,
             ),
             products_found="".join(products_found),
             version=VERSION,

cve_bin_tool/output_engine/print_mode.py

@@ -3,17 +3,19 @@
 
 import os
 from datetime import datetime
-from typing import Union
+from typing import Dict, Optional, Union
 
 from jinja2 import Environment, FileSystemLoader, select_autoescape
 
 from cve_bin_tool.merge import MergeReports
 
-from ..util import CVEData
+from ..util import CVEData, VersionInfo
+from .util import format_version_range
 
 
 def html_print_mode(
     all_cve_data: CVEData,
+    all_cve_version_info: Optional[Dict[str, VersionInfo]],
     directory: str,
     products_with_cve: int,
     products_without_cve: int,
@@ -22,6 +24,7 @@ def html_print_mode(
     merge_report: Union[None, MergeReports],
     version: str,
     full_html: bool = True,
+    affected_versions: int = 0,
 ) -> str:
 
     root = os.path.dirname(os.path.abspath(__file__))
@@ -61,7 +64,13 @@ def html_print_mode(
         )
     rendered_report.append(
         content.render(
-            all_cve_data=all_cve_data, directory=directory, star_warn=star_warn
+            all_cve_data=all_cve_data,
+            all_cve_version_info=all_cve_version_info,
+            directory=directory,
+            star_warn=star_warn,
+            affected_versions=affected_versions,
+            format_version_range=format_version_range,
+            VersionInfo=VersionInfo,
         )
     )
 

cve_bin_tool/output_engine/print_mode/templates/content.html

@@ -32,13 +32,19 @@
                                 <th>Description</th>
                                 <th>Severity</th>
                                 <th>Remarks</th>
+                                {% if affected_versions != 0 %}
+                                    <th>Affected Versions</th>
+                                {% endif %}
                             </tr>    
                         {% for cve in cve_data['cves'] %}
                             <tr>
                                 <td>{{ cve.cve_number }}</td>
                                 <td>{{ cve.description }}</td>
                                 <td>{{ cve.severity }}</td>
                                 <td>{{ cve.remarks }}</td>
+                                {% if affected_versions != 0 %}
+                                    <td>{{ format_version_range(all_cve_version_info[cve.cve_number] if cve.cve_number in all_cve_version_info else VersionInfo("", "", "", "")) }}</td>
+                                {% endif %}
                             </tr>
                         {% endfor %}
                         </table>