fix(parser): multiple vendors for java #2802
Conversation
|
@ffontaine Could you help me find out what is wrong with this fix? |
|
Look closer to the top of the error in the logs, specifically at the package_names line. self = <cve_bin_tool.cvedb.CVEDB object at 0x000001E01D0FDF90>
package_names = <Element '{http://maven.apache.org/POM/4.0.0}artifactId' at 0x000001E01DBD34C0>
def get_vendor_product_pairs(self, package_names) -> list[dict[str, str]]:
"""
Fetches vendor from the database for packages that doesn't have vendor info for Package List Parser Utility and Universal Python package checker.
"""
cursor = self.db_open_and_get_cursor()
vendor_package_pairs = []
query = """
SELECT DISTINCT vendor FROM cve_range
WHERE product=?
"""
# For python package checkers we don't need the progress bar running
if type(package_names) != list:
> cursor.execute(query, [package_names])
E sqlite3.InterfaceError: Error binding parameter 0 - probably unsupported type.
cve_bin_tool\cvedb.py:474: InterfaceError
============================== warnings summary ===============================
test/test_csv2cve.py: 8 warnings
test/test_cvescanner.py: 10 warnings
test/test_exploits.py: 4 warnings
test/test_merge.py: 3 warnings
C:\hostedtoolcache\windows\Python\3.10.10\x64\lib\site-packages\packaging\version.py:111: DeprecationWarning: Creating a LegacyVersion has been deprecated and will be removed in the next major release
warnings.warn(
-- Docs: https://docs.pytest.org/en/stable/how-to/capture-warnings.html
=========================== short test summary info ===========================
FAILED test/test_language_scanner.py::TestLanguageScanner::test_java_package[D:\\a\\cve-bin-tool\\cve-bin-tool\\test\\language_data\\pom.xml-commons_io] - sqlite3.InterfaceError: Error binding parameter 0 - probably unsupported type.
FAILED test/test_language_scanner.py::TestLanguageScanner::test_language_package_none_found[D:\\a\\cve-bin-tool\\cve-bin-tool\\test\\language_data\\fail_pom.xml] - sqlite3.InterfaceError: Error binding parameter 0 - probably unsupported type.you might want to toss a debug line in there or something, but it looks like the package names you're passing in aren't getting turned into searchable strings before you put them into sql. |
|
@terriko @metabiswadeep I have a fix which applies to all language parsers (I needed this for the SBOM generation work I am doing at the moment) although I haven't looked at the impact that it wll have on the tests. |
|
@anthonyharrison Ok, then should I close this PR? |
|
@metabiswadeep No carry on. I hadn't realised that you were already fixing the issue. I will pick up the fix once it gets merged. |
Codecov Report
@@ Coverage Diff @@
## main #2802 +/- ##
==========================================
+ Coverage 82.41% 82.59% +0.17%
==========================================
Files 671 671
Lines 10597 10602 +5
Branches 1426 1429 +3
==========================================
+ Hits 8734 8757 +23
+ Misses 1493 1479 -14
+ Partials 370 366 -4
Flags with carried forward coverage won't be shown. Click here to find out more.
... and 4 files with indirect coverage changes 📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
|
@terriko Is this okay now? |
|
@terriko Are there any changes necessary for this? |
|
Hey, sorry this one fell off my radar! I've got to run in a few minutes so i don't have time to do detailed code review, but I'll put a tag on it so I know I need to come back and do that hopefully later today. |
|
@terriko Looks like all tests are passing. Is this okay? |
There was a problem hiding this comment.
I feel like this needs a little refactoring to avoid duplicating the code. Rather than removing the find_vendor function and moving the code twice, can you just make sure the find_vendor function returns multiple matches and that they're used correctly in the other code?
|
@terriko I have refactored the code. |
Fixes #2798