Open
Labels
enhancement (New feature or request)
Description
It would be cool to identify the vendor based on the package url for SBOM inputs:
cve-bin-tool/cve_bin_tool/sbom_manager/parse.py, lines 407 to 414 in 7cbac8f:

```python
vendor = None  # Because the vendor and product identifiers in the purl don't always align
product = None  # with the CVE DB, only the version is parsed.
version = None
# Process purl identifier
purl_info = PackageURL.from_string(purl).to_dict()
version = purl_info.get("version")
return [vendor or None, product or None, version or None]
```
Right now this works only for checkers/parsers. Maybe move `find_vendor_from_purl` to the CVEDB, where it's accessible to both the Parser and the SBOM manager.
Why?
To avoid false positives in case there is no CPE available, just a package URL.
Environment context (optional)
- I am using cve-bin-tool version 3.4 from pypi with python3.11 on Linux
- I am using the cvedb and cvescan with custom sources and with a modified scanner which adds the results automatically to the input SBOM (CycloneDX) with some extra information.
Anything else?
Something like this:

```python
# In the SBOM parser (sbom_manager/parse.py): delegate the vendor lookup to the CVEDB
async def decode_purl(self, string) -> list[str | None]:
    purl = PackageURL.from_string(string)
    vendor = await self._cvedb.find_vendor_from_purl(purl)
    return [vendor, None, purl.version or None]


# In the CVEDB: shared by checkers/parsers and the SBOM manager
async def cpe2vendors(self, string):
    cpe = CPE(string)
    for vendor in cpe.get_vendor():
        yield vendor

async def find_vendor_from_purl(self, purl):
    # Match the bare name and the name under any namespace
    param1 = f"pkg:{purl.type}/{purl.name}"
    param2 = f"pkg:{purl.type}/%/{purl.name}"

    query = """
    SELECT cpe from purl2cpe WHERE purl LIKE ?
    UNION
    SELECT cpe from purl2cpe WHERE purl LIKE ?
    """
    try:
        vendors = set()
        async with self.get_db() as db:
            async with db.execute(query, (param1, param2)) as cursor:
                for row in await cursor.fetchall():
                    async for vendor in self.cpe2vendors(row["cpe"]):
                        vendors.add(vendor)
        return vendors
    except Exception as err:
        logger.opt(exception=err).debug("Unable to access purl2cpe database.")
        return None
```
marnix
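The lookup sketched in this issue, as an added, stand-alone example; it is not cve-bin-tool code and not the issue author's code. It assumes a `purl2cpe` table with `purl` and `cpe` columns holding versionless purls next to CPE 2.3 strings (the table name and columns come from the proposed query, the versionless layout and the sample rows are constructed), uses the standard-library `sqlite3` in place of the project's async database layer, and a minimal regex purl splitter in place of packageurl-python's `PackageURL.from_string`. It goes one step beyond the proposal: package names are LIKE-escaped before matching, because `_` is a single-character wildcard in SQL `LIKE`, so an unescaped `pkg:pypi/foo_bar` would also pick up a row for `pkg:pypi/fooxbar` and attribute the wrong vendor, which is exactly the false-positive class the issue wants to avoid. An empty result means "no evidence", so the caller keeps `vendor = None` instead of guessing.

```python
from __future__ import annotations

import re
import sqlite3
from dataclasses import dataclass

# Assumption: this small splitter stands in for packageurl-python's
# PackageURL.from_string so the example runs offline. It covers
# pkg:type/namespace/name@version?qualifiers#subpath.
@dataclass(frozen=True)
class Purl:
    type: str
    namespace: str | None
    name: str
    version: str | None


_PURL_RE = re.compile(
    r"^pkg:(?P<type>[^/]+)/(?:(?P<namespace>.+)/)?(?P<name>[^/@?#]+)"
    r"(?:@(?P<version>[^?#]*))?(?:\?[^#]*)?(?:#.*)?$"
)


def parse_purl(text: str) -> Purl:
    m = _PURL_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a package url: {text!r}")
    return Purl(m["type"].lower(), m["namespace"], m["name"], m["version"] or None)


def vendor_from_cpe(cpe: str) -> str | None:
    """Vendor field of a CPE 2.3 formatted string (cpe:2.3:part:vendor:product:...),
    or None when it is missing or a wildcard. Splits on unescaped colons only."""
    fields = re.split(r"(?<!\\):", cpe)
    if len(fields) < 5 or fields[0] != "cpe" or fields[1] != "2.3":
        return None
    vendor = fields[3]
    return None if vendor in ("", "*", "-") else vendor


def like_escape(value: str) -> str:
    """Escape LIKE metacharacters so '_' and '%' in a name match literally."""
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def find_vendors_from_purl(db: sqlite3.Connection, purl: Purl) -> set[str]:
    """Collect vendors of the CPEs recorded for this purl, with or without a
    namespace. An empty set means no evidence; the caller should not guess."""
    name = like_escape(purl.name)
    params = (f"pkg:{purl.type}/{name}", f"pkg:{purl.type}/%/{name}")
    # Same two-pattern UNION as the proposal, plus ESCAPE so like_escape() is
    # honoured. '%' in the second pattern spans any namespace, including
    # multi-segment ones such as golang import paths.
    query = r"""
        SELECT cpe FROM purl2cpe WHERE purl LIKE ? ESCAPE '\'
        UNION
        SELECT cpe FROM purl2cpe WHERE purl LIKE ? ESCAPE '\'
    """
    vendors: set[str] = set()
    for (cpe,) in db.execute(query, params):
        vendor = vendor_from_cpe(cpe)
        if vendor:
            vendors.add(vendor)
    return vendors


def decode_purl(db: sqlite3.Connection, text: str) -> tuple[set[str], str | None]:
    """Counterpart of the proposed decode_purl: vendors from the table, version
    from the purl itself; the product is still left to the caller."""
    purl = parse_purl(text)
    return find_vendors_from_purl(db, purl), purl.version


# Constructed sample rows, not real purl2cpe content.
SAMPLE_ROWS = [
    ("pkg:pypi/widgetlib", "cpe:2.3:a:acme:widgetlib:*:*:*:*:*:*:*:*"),
    ("pkg:npm/widgetlib", "cpe:2.3:a:widget_js:widgetlib:*:*:*:*:*:*:*:*"),
    ("pkg:maven/org.example.logging/logcore", "cpe:2.3:a:example_corp:logcore:*:*:*:*:*:*:*:*"),
    ("pkg:pypi/foo_bar", "cpe:2.3:a:fooinc:foo_bar:*:*:*:*:*:*:*:*"),
    ("pkg:pypi/fooxbar", "cpe:2.3:a:otherco:fooxbar:*:*:*:*:*:*:*:*"),
]


def build_sample_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE purl2cpe (purl TEXT NOT NULL, cpe TEXT NOT NULL)")
    db.executemany("INSERT INTO purl2cpe VALUES (?, ?)", SAMPLE_ROWS)
    return db


SAMPLE_DB = build_sample_db()

if __name__ == "__main__":
    for text in ("pkg:pypi/widgetlib@2.1.0", "pkg:pypi/foo_bar", "pkg:pypi/unknownlib@1.0"):
        print(text, "->", decode_purl(SAMPLE_DB, text))
```

Keying the lookup on `pkg:type/name` keeps an npm and a PyPI package of the same name apart, and the `ESCAPE` clause is what makes the `_` in `foo_bar` literal; without it the `fooxbar` row would also match and the caller would see two vendors for one package.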