Merge branch 'main' into compare_0

.github/workflows/cve_scan.yml

@@ -12,8 +12,9 @@ permissions:
 jobs:
   cve_scan:
     name: CVE scan on dependencies
-    runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
-    timeout-minutes: 30
+    # runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
+    runs-on: 'ubuntu-latest'
+    timeout-minutes: 60
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
@@ -31,7 +32,7 @@ jobs:
         run: |
           echo "date=$(/bin/date -u "+%Y%m%d")" >> $GITHUB_OUTPUT
       - name: Get cached database
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
         with:
           path: cache
           key: Linux-cve-bin-tool-${{ steps.get-date.outputs.date }}

.github/workflows/fuzzing.yml

@@ -51,13 +51,13 @@ jobs:
           echo "yesterday=$(/bin/date -d "-1 day" -u "+%Y%m%d")" >> $GITHUB_OUTPUT
 
       - name: Get today's cached database
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
         id: todays-cache
         with:
           path: fuzz-cache
           key: Linux-cve-bin-tool-${{ steps.get-date.outputs.date }}
       - name: Get yesterday's cached database if today's is not available
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
         if: steps.todays-cache.outputs.cache-hit != 'true'
         with:
           path: fuzz-cache

.github/workflows/testing.yml

@@ -135,13 +135,13 @@ jobs:
           echo "Today's Cache Key: Linux-cve-bin-tool-${{ steps.get-date.outputs.date }}"
           echo "Yesterday's Cache Key: Linux-cve-bin-tool-${{ steps.get-date.outputs.yesterday }}"
       - name: Get today's cached database
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
         id: todays-cache
         with:
           path: cache
           key: Linux-cve-bin-tool-${{ steps.get-date.outputs.date }}
       - name: Get yesterday's cached database if today's is not available
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
         if: steps.todays-cache.outputs.cache-hit != 'true'
         with:
           path: cache
@@ -197,7 +197,7 @@ jobs:
           github.head_ref
         )
       )
-    runs-on: 'ubuntu-latest'
+    runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
     timeout-minutes: 120
     env:
       LONG_TESTS: 1
@@ -267,13 +267,13 @@ jobs:
           echo "Today's Cache Key: Linux-cve-bin-tool-${{ steps.get-date.outputs.date }}"
           echo "Yesterday's Cache Key: Linux-cve-bin-tool-${{ steps.get-date.outputs.yesterday }}"
       - name: Get today's cached database
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
         id: todays-cache
         with:
           path: cache
           key: Linux-cve-bin-tool-${{ steps.get-date.outputs.date }}
       - name: Get yesterday's cached database if today's is not available
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
         if: steps.todays-cache.outputs.cache-hit != 'true'
         with:
           path: cache
@@ -411,13 +411,13 @@ jobs:
           echo "Today's Cache Key: Linux-cve-bin-tool-${{ steps.get-date.outputs.date }}"
           echo "Yesterday's Cache Key: Linux-cve-bin-tool-${{ steps.get-date.outputs.yesterday }}"
       - name: Get today's cached database
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
         id: todays-cache
         with:
           path: cache
           key: Linux-cve-bin-tool-${{ steps.get-date.outputs.date }}
       - name: Get yesterday's cached database if today's is not available
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
         if: steps.todays-cache.outputs.cache-hit != 'true'
         with:
           path: cache
@@ -517,14 +517,14 @@ jobs:
           echo "Today's Cache Key: Linux-cve-bin-tool-${{ steps.get-date.outputs.DATE }}"
           echo "Yesterday's Cache Key: Linux-cve-bin-tool-${{ steps.get-date.outputs.YESTERDAY }}"
       - name: Get today's cached database
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
         id: todays-cache
         with:
           path: cache
           key: Linux-cve-bin-tool-${{ steps.get-date.outputs.DATE }}
           enableCrossOsArchive: true
       - name: Get yesterday's cached database if today's is not available
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
         if: steps.todays-cache.outputs.cache-hit != 'true'
         with:
           path: cache
@@ -558,7 +558,7 @@ jobs:
           test/test_cli.py
           test/test_cvedb.py
       - name: Cache conda
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
         env:
           # Increase to reset cache if requirements.txt file has not changed
           CACHE_NUMBER: 0

.github/workflows/update-cache.yml

@@ -39,7 +39,7 @@ jobs:
         id: get-date
         run: |
           echo "date=$(/bin/date -u "+%Y%m%d")" >> $GITHUB_OUTPUT
-      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+      - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
         with:
           path: cache
           key: Linux-cve-bin-tool-${{ steps.get-date.outputs.date }}

.github/workflows/update-js-dependencies.yml

@@ -36,7 +36,7 @@ jobs:
         run: python .github/workflows/update_js_dependencies.py
 
       - name: Get cached Python packages
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
         with:
           path: ~/.cache/pip
           key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}

.pre-commit-config.yaml

@@ -6,6 +6,7 @@ repos:
         verbose: True
         exclude: ^(locales|presentation|fuzz/generated|test|cve_bin_tool/checkers|build)
         args: ["-vv", "-i", "-I", "-M", "-C", "-n", "-p", "-f", "60.0"]
+        # args for cut and paste: interrogate -vv -i -I -M -C -n -p -f 60.0
 
 -   repo: https://github.com/pycqa/isort
     rev: 5.13.2
@@ -14,13 +15,13 @@ repos:
       exclude: ^fuzz/generated/
 
 -   repo: https://github.com/psf/black-pre-commit-mirror
-    rev: 24.8.0
+    rev: 24.10.0
     hooks:
     - id: black
       exclude: ^fuzz/generated/
 
 -   repo: https://github.com/asottile/pyupgrade
-    rev: v3.17.0
+    rev: v3.19.0
     hooks:
     - id: pyupgrade
       exclude: ^fuzz/generated/
@@ -45,7 +46,7 @@ repos:
     - id: gitlint
 
 -   repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v1.11.2
+    rev: v1.13.0
     hooks:
     - id: mypy
       additional_dependencies:

cve_bin_tool/vex_manager/generate.py

@@ -1,5 +1,6 @@
 # Copyright (C) 2024 Intel Corporation
 # SPDX-License-Identifier: GPL-3.0-or-later
+
 from logging import Logger
 from pathlib import Path
 from typing import Dict, List, Optional
@@ -12,6 +13,26 @@
 
 
 class VEXGenerate:
+    """
+    A class for generating VEX (Vulnerability Exploitability eXchange) documents.
+
+    This class maintains the state of vulnerability analysis for different VEX types,
+    including CycloneDX, CSAF, and OpenVEX. The `analysis_state` dictionary maps
+    remarks related to vulnerability status to their corresponding states for each
+    VEX type.
+
+    Attributes:
+        analysis_state (dict): A dictionary containing the mapping of remarks to
+        analysis states for different VEX types. The keys are the VEX types ("cyclonedx",
+        "csaf", "openvex"), and the values are dictionaries mapping `Remarks` enum values
+        to their corresponding vulnerability analysis states.
+
+    Example:
+        >>> vex_gen = VEXGenerate()
+        >>> state = vex_gen.analysis_state["cyclonedx"][Remarks.Confirmed]
+        >>> print(state)  # Output: "exploitable"
+    """
+
     analysis_state = {
         "cyclonedx": {
             Remarks.NewFound: "in_triage",
@@ -53,6 +74,23 @@ def __init__(
         logger: Optional[Logger] = None,
         validate: bool = True,
     ):
+        """
+        Initializes a VEXGenerate instance with specified product, release, and other parameters
+        for managing CVE data and generating vulnerability exchange (VEX) documents.
+
+        Parameters:
+            product (str): The name of the product being analyzed.
+            release (str): The product release version.
+            vendor (str): The name of the product vendor.
+            filename (str): The filename to use for generated VEX data.
+            vextype (str): The type of VEX document.
+            all_cve_data (Dict[ProductInfo, CVEData]): Dictionary containing CVE data by product.
+            revision_reason (str, optional): Reason for the VEX document revision. Defaults to "".
+            sbom_serial_number (str, optional): The serial number for the software bill of materials. Defaults to "".
+            sbom (Optional[str], optional): Software bill of materials, if available. Defaults to None.
+            logger (Optional[Logger], optional): Logger instance for logging. Defaults to None.
+            validate (bool, optional): Flag indicating if input validation is required. Defaults to True.
+        """
         self.product = product
         self.release = release
         self.vendor = vendor
@@ -67,7 +105,12 @@ def __init__(
 
     def generate_vex(self) -> None:
         """
-        Generates VEX code based on the specified VEX type.
+        Generates a VEX (Vulnerability Exploitability eXchange) document based on the specified VEX type
+        and stores it in the given filename.
+
+        This method sets up a VEX generator instance with the product name, release version, and other
+        metadata. It automatically assigns a filename if none is provided, logs the update status if the
+        file already exists, and generates the VEX document with product vulnerability data.
 
         Returns:
             None
@@ -82,11 +125,11 @@ def generate_vex(self) -> None:
         vexgen.set_product(**kwargs)
         if not self.filename:
             self.logger.info(
-                "No filename defined, Generating a new filename with Default Naming Convention"
+                "No filename defined, generating a new filename with default naming convention."
             )
             self.filename = self.__generate_vex_filename()
         if Path(self.filename).is_file():
-            self.logger.info(f"Updating the vex file: {self.filename}")
+            self.logger.info(f"Updating the VEX file: {self.filename}")
 
         vexgen.generate(
             project_name=self.product,
@@ -97,10 +140,13 @@ def generate_vex(self) -> None:
 
     def __generate_vex_filename(self) -> str:
         """
-        Generates a VEX filename based on the current date and time.
+        Generates a default VEX filename using the product, release, vendor, and VEX type information.
+
+        The filename is structured as "{product}_{release}_{vendor}_{vextype}.json" and is saved in the
+        current working directory.
 
         Returns:
-            str: The generated VEX filename.
+            str: The generated VEX filename as a string.
         """
         filename = (
             Path.cwd()
@@ -109,6 +155,17 @@ def __generate_vex_filename(self) -> str:
         return str(filename)
 
     def __get_metadata(self) -> Dict:
+        """
+        Generates metadata for the VEX document based on the specified VEX type, product, release,
+        and vendor information.
+
+        This method creates a dictionary containing metadata fields, such as `id`, `supplier`,
+        `author`, and `revision_reason`, depending on the VEX type. Metadata fields are populated
+        according to the VEX format requirements, such as "cyclonedx," "csaf," or "openvex".
+
+        Returns:
+            Dict: A dictionary containing the metadata for the VEX document.
+        """
         metadata = {}
         if self.vextype == "cyclonedx":
             if self.product:
@@ -128,10 +185,17 @@ def __get_metadata(self) -> Dict:
 
     def __get_vulnerabilities(self) -> List[Vulnerability]:
         """
-        Retrieves a list of vulnerabilities.
+        Retrieves and constructs a list of vulnerability objects based on the current CVE data.
+
+        This method iterates through all CVE data associated with the product and vendor,
+        creating and configuring `Vulnerability` objects for each entry. It sets attributes
+        like name, release, ID, description, status, and additional metadata such as package
+        URLs (purl) and bill of materials (BOM) links. If a vulnerability includes comments
+        or justification, these are added to the vulnerability details.
 
         Returns:
-            A list of Vulnerability objects representing the vulnerabilities.
+            List[Vulnerability]: A list of `Vulnerability` objects representing the identified
+            vulnerabilities, enriched with metadata and details.
         """
         vulnerabilities = []
         for product_info, cve_data in self.all_cve_data.items():
@@ -156,7 +220,6 @@ def __get_vulnerabilities(self) -> List[Vulnerability]:
                     if cve.comments
                     else cve.remarks.name
                 )
-                # more details will be added using set_value()
                 if purl is None:
                     purl = f"pkg:generic/{vendor}/{product}@{version}"
                 bom_version = 1
@@ -170,7 +233,6 @@ def __get_vulnerabilities(self) -> List[Vulnerability]:
                 vulnerability.set_value("action", detail)
                 vulnerability.set_value("source", cve.data_source)
                 vulnerability.set_value("updated", cve.last_modified)
-                # vulnerability.show_vulnerability()
                 vulnerabilities.append(vulnerability.get_vulnerability())
         self.logger.debug(f"Vulnerabilities: {vulnerabilities}")
         return vulnerabilities

dev-requirements.txt

@@ -1,14 +1,15 @@
-black==24.8.0
+black==24.10.0; python_version > "3.8"
+black==24.8.0; python_version <= "3.8"
 isort; python_version < "3.8"
 isort==5.13.2; python_version >= "3.8"
 pre-commit; python_version <= "3.8"
-pre-commit==3.8.0; python_version > "3.8"
+pre-commit==4.0.1; python_version > "3.8"
 flake8; python_version < "3.8"
 flake8==7.1.1; python_version >= "3.8"
 bandit==1.7.10
 gitlint==v0.19.1
 interrogate
-mypy==v1.11.2
+mypy==v1.13.0
 pytest>=7.2.0
 pytest-xdist
 pytest-cov