Bug fixes

Prabhu Subramanian · Prabhu Subramanian · commit e48d2ad5f90c · 2021-04-23T09:22:06.000+01:00
diff --git a/setup.py b/setup.py
@@ -5,7 +5,7 @@
 
 setuptools.setup(
     name="appthreat-vulnerability-db",
-    version="1.6.10",
+    version="1.6.11",
     author="Team AppThreat",
     author_email="cloud@appthreat.com",
     description="AppThreat's vulnerability database and package search library with a built-in file based storage. CVE, GitHub, npm are the primary sources of vulnerabilities.",
diff --git a/vdb/lib/db.py b/vdb/lib/db.py
@@ -128,6 +128,8 @@ def _key_func(data, match_list):
         max_affected_version_including = data.details.max_affected_version_including
         min_affected_version_excluding = data.details.min_affected_version_excluding
         max_affected_version_excluding = data.details.max_affected_version_excluding
+    if not cpe_uri:
+        return False
     vendor, _, _ = parse_cpe(cpe_uri)
     for match in match_list:
         name_ver = match.split("|")
diff --git a/vdb/lib/nvd.py b/vdb/lib/nvd.py
@@ -135,7 +135,7 @@ def convert_vuln(vuln):
         # Issue 12 - Ignore disputed vulnerabilities
         if "** DISPUTED **" in description:
             return None
-        rdata = vuln["cve"]["references"]["reference_data"]
+        rdata = vuln.get("cve", {}).get("references", {}).get("reference_data", [])
         related_urls = [r["url"] for r in rdata]
         if "baseMetricV3" in vuln["impact"]:
             cvss_data = vuln["impact"]["baseMetricV3"]["cvssV3"]
@@ -193,7 +193,9 @@ def convert_vuln_detail(vuln):
             fix_cpe_uri = None
             for cpe in cpe_list:
                 detail = {}
-                if cpe["vulnerable"]:
+                if not cpe.get("cpe23Uri"):
+                    continue
+                if cpe["vulnerable"] and cpe.get("cpe23Uri"):
                     detail["cpe_uri"] = cpe["cpe23Uri"]
                     detail["min_affected_version_including"] = cpe.get(
                         "versionStartIncluding"
@@ -209,7 +211,7 @@ def convert_vuln_detail(vuln):
                     )
                     detail["source_update_time"] = vuln["lastModifiedDate"]
                     cpe_details_list.append(detail)
-                else: # cpe is not vulnerable
+                else:  # cpe is not vulnerable
                     if node["operator"] == "OR":
                         fix_cpe_uri = cpe["cpe23Uri"]
             # Add fix version details
diff --git a/vdb/lib/storage.py b/vdb/lib/storage.py
@@ -17,25 +17,27 @@ def store(datas, db_file=config.vdb_bin_file, index_file=config.vdb_bin_index):
     data_list = serialize_vuln_list(datas)
     index_list = []
     for data in data_list:
-        vendor, _, _ = parse_cpe(data["details"]["cpe_uri"])
-        index_list.append(
-            {
-                "vendor": vendor.lower(),
-                "name": data["details"]["package"].lower(),
-                "min_affected_version_including": data["details"].get(
-                    "min_affected_version_including"
-                ),
-                "max_affected_version_including": data["details"].get(
-                    "max_affected_version_including"
-                ),
-                "min_affected_version_excluding": data["details"].get(
-                    "min_affected_version_excluding"
-                ),
-                "max_affected_version_excluding": data["details"].get(
-                    "max_affected_version_excluding"
-                ),
-            }
-        )
+        if data["details"]["cpe_uri"]:
+            vendor, _, _ = parse_cpe(data["details"]["cpe_uri"])
+            if vendor:
+                index_list.append(
+                    {
+                        "vendor": vendor.lower(),
+                        "name": data["details"]["package"].lower(),
+                        "min_affected_version_including": data["details"].get(
+                            "min_affected_version_including"
+                        ),
+                        "max_affected_version_including": data["details"].get(
+                            "max_affected_version_including"
+                        ),
+                        "min_affected_version_excluding": data["details"].get(
+                            "min_affected_version_excluding"
+                        ),
+                        "max_affected_version_excluding": data["details"].get(
+                            "max_affected_version_excluding"
+                        ),
+                    }
+                )
     packed_obj = msgpack.packb(data_list, use_bin_type=True)
     with open(db_file, mode="ab") as fp:
         fp.write(packed_obj)
diff --git a/vdb/lib/utils.py b/vdb/lib/utils.py
@@ -501,7 +501,10 @@ def parse_cpe(cpe_uri):
     :return: Individual parts
     """
     parts = CPE_REGEX.match(cpe_uri)
-    return parts.group("vendor"), parts.group("package"), parts.group("version")
+    if parts:
+        return parts.group("vendor"), parts.group("package"), parts.group("version")
+    else:
+        return "", None, None
 
 
 def get_default_cve_data(severity):
