Merge branch 'main' into compare_0

intel · Nov 19, 2024 · d9d3771 · d9d3771
2 parents 1b46b8e + 28cf48d
commit d9d3771
Show file tree

Hide file tree

Showing 271 changed files with 1,898 additions and 953 deletions.
diff --git a/.github/workflows/build-wheel.yml b/.github/workflows/build-wheel.yml
@@ -28,7 +28,7 @@ jobs:
         egress-policy: audit
 
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-    - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+    - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
       with:
         python-version: ${{ matrix.python-version }}
         cache: 'pip'
@@ -44,11 +44,11 @@ jobs:
         echo "tar=$(cd dist/ && echo *.tar.gz)" >> $GITHUB_OUTPUT
         echo "whl=$(cd dist/ && echo *.tar.gz)" >> $GITHUB_OUTPUT
     - name: Attest Build Provenance for tar
-      uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
+      uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
       with:
         subject-path: "dist/${{ steps.filename.outputs.tar }}"
     - name: Attest Build Provenance for whl
-      uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
+      uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
       with:
         subject-path: "dist/${{ steps.filename.outputs.whl }}"
     # TODO Upload to pypi on release creation
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -51,7 +51,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
+      uses: github/codeql-action/init@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -76,4 +76,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
+      uses: github/codeql-action/analyze@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4
diff --git a/.github/workflows/cve_scan.yml b/.github/workflows/cve_scan.yml
@@ -22,7 +22,7 @@ jobs:
           egress-policy: audit
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
           python-version: '3.11'
           cache: 'pip'

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -24,4 +24,4 @@ jobs:
       - name: 'Checkout Repository'
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@a6993e2c61fd5dc440b409aa1d6904921c5e1894 # v4.3.5
+        uses: actions/dependency-review-action@4081bf99e2866ebe428fc0477b69eb4fcda7220a # v4.4.0
diff --git a/.github/workflows/formatting.yml b/.github/workflows/formatting.yml
@@ -24,7 +24,7 @@ jobs:
           egress-policy: audit
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
           python-version: '3.11'
           cache: 'pip'

diff --git a/.github/workflows/fuzzing.yml b/.github/workflows/fuzzing.yml
@@ -19,7 +19,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Set up Python 
-        uses: actions/setup-python@v5.2.0
+        uses: actions/setup-python@v5.3.0
         with:
           python-version: 3.9  
 

diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
@@ -23,7 +23,7 @@ jobs:
           egress-policy: audit
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
           python-version: '3.11'
           cache: 'pip'

diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
@@ -27,7 +27,7 @@ jobs:
           egress-policy: audit
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
           python-version: ${{ matrix.python }}
           cache: 'pip'

diff --git a/.github/workflows/spelling.yml b/.github/workflows/spelling.yml
@@ -19,7 +19,7 @@ jobs:
         egress-policy: audit
 
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-    - uses: check-spelling/[email protected].22
+    - uses: check-spelling/[email protected].24
       with:
         extra_dictionaries:
           cspell:python/src/python/python.txt

diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
@@ -49,7 +49,7 @@ jobs:
             pypi.org:443
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
           python-version: '3.11'
           cache: 'pip'
@@ -108,7 +108,7 @@ jobs:
             www.sqlite.org:443
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
           python-version: ${{ matrix.python }}
           cache: 'pip'
@@ -240,7 +240,7 @@ jobs:
             www.sqlite.org:443
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
           python-version: '3.10'
           cache: 'pip'
@@ -339,7 +339,7 @@ jobs:
           test/test_cvedb.py
       - name: Upload code coverage to codecov
         if: env.sbom != 'true'
-        uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0
+        uses: codecov/codecov-action@5c47607acb93fed5485fdbf7232e8a31425f672a # v5.0.2
         with:
           files: ./coverage.xml
           flags: longtests
@@ -397,7 +397,7 @@ jobs:
             www.sqlite.org:443
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
           python-version: '3.10'
           cache: 'pip'
@@ -503,7 +503,7 @@ jobs:
           egress-policy: audit
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
           python-version: '3.12'
           cache: 'pip'
@@ -566,7 +566,7 @@ jobs:
           path: ~/conda_pkgs_dir
           key: ${{ runner.os }}-conda-${{ env.CACHE_NUMBER }}-${{
             hashFiles('requirements.txt') }}
-      - uses: conda-incubator/setup-miniconda@a4260408e20b96e80095f42ff7f1a15b27dd94ca # v3.0.4
+      - uses: conda-incubator/setup-miniconda@d2e6a045a86077fb6cad6f5adf368e9076ddaa8d # v3.1.0
         with:
           auto-update-conda: true
           activate-environment: pdftotext
@@ -583,7 +583,7 @@ jobs:
       - name: Test PDF generation on Windows
         run: pytest test/test_output_engine.py -k test_output_pdf --cov --cov-append --cov-report=xml --durations=50
       - name: Upload code coverage to codecov
-        uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0
+        uses: codecov/codecov-action@5c47607acb93fed5485fdbf7232e8a31425f672a # v5.0.2
         with:
           files: ./coverage.xml
           flags: win-longtests

diff --git a/.github/workflows/update-cache.yml b/.github/workflows/update-cache.yml
@@ -31,7 +31,7 @@ jobs:
           egress-policy: audit
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
           python-version: '3.10'
           cache: 'pip'

diff --git a/.github/workflows/update-js-dependencies.yml b/.github/workflows/update-js-dependencies.yml
@@ -28,7 +28,7 @@ jobs:
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
-      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
           python-version: '3.11'
 

diff --git a/.github/workflows/update-pre-commit.yml b/.github/workflows/update-pre-commit.yml
@@ -28,7 +28,7 @@ jobs:
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
-      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
           python-version: '3.11'
 

diff --git a/.github/workflows/validate-yml.yml b/.github/workflows/validate-yml.yml
@@ -19,7 +19,7 @@ jobs:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           fetch-depth: 0
-      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
           python-version: '3.11'
           cache: 'pip'

diff --git a/cve_bin_tool/available_fix/debian_cve_tracker.py b/cve_bin_tool/available_fix/debian_cve_tracker.py
@@ -33,7 +33,27 @@
 
 
 class DebianCVETracker:
+    """
+    A class for tracking CVEs (Common Vulnerabilities and Exposures) for Debian-based distributions.
+
+    This class is designed to monitor CVEs specific to a given Debian distribution,
+    taking into account the distribution name, codename, and whether the package is a backport.
+
+    Attributes:
+        distro_name (str): The name of the Debian-based distribution (e.g., "Debian", "Ubuntu").
+        distro_codename (str): The codename of the distribution release (e.g., "buster", "focal").
+        is_backport (bool): Flag indicating if the package is a backport.
+    """
+
     def __init__(self, distro_name: str, distro_codename: str, is_backport: bool):
+        """
+        Initializes a DebianCVETracker instance with distribution information.
+
+        Parameters:
+            distro_name (str): The name of the Debian-based distribution.
+            distro_codename (str): The codename for the distribution release.
+            is_backport (bool): Specifies if the package is a backport.
+        """
         self.distro_name = distro_name
         self.distro_codename = distro_codename
         self.is_backport = is_backport
@@ -42,7 +62,17 @@ def cve_info(
         self,
         all_cve_data: dict[ProductInfo, CVEData],
     ):
-        """Produces the Backported fixes' info"""
+        """
+        Generates information on backported CVE fixes for a given set of CVE data.
+
+        This function processes CVE data and checks for resolved vulnerabilities in
+        the Debian or Ubuntu distributions. If a fix is available or backported, it logs
+        relevant information about the fix's availability and version.
+
+        Parameters:
+            all_cve_data (dict[ProductInfo, CVEData]): Dictionary containing CVE data,
+            organized by product and version.
+        """
 
         cve_data = format_output(all_cve_data, None)
         json_data = self.get_data()
@@ -72,19 +102,43 @@ def cve_info(
                     )
 
     def get_data(self):
+        """
+        Retrieves CVE data from the Debian CVE JSON file.
+
+        This method opens and loads the Debian CVE JSON file for processing
+        vulnerability data, calling `check_json` to verify that the file is
+        up-to-date before loading.
+
+        Returns:
+            dict: Loaded JSON data from the Debian CVE JSON file.
+        """
         check_json()
         with open(DEB_CVE_JSON_PATH) as jsonfile:
             return load(jsonfile)
 
     def compute_distro(self):
+        """
+        Computes the distribution codename based on the Debian or Ubuntu release.
+
+        Maps the specified distribution codename to either Ubuntu or Debian based
+        on the provided `distro_name`.
+
+        Returns:
+            str: The mapped codename for the distribution.
+        """
         if self.distro_name == "ubuntu":
             return UBUNTU_DEBIAN_MAP[self.distro_codename]
         elif self.distro_name == "debian":
             return self.distro_codename
 
 
 def check_json():
-    """Check to update the Debian CVE JSON file"""
+    """
+    Verifies if the Debian CVE JSON file is current and triggers an update if outdated.
+
+    This function checks the modification time of the JSON file. If it's older than
+    one day, it calls `update_json` to download a fresh version.
+    """
 
     if (
         not DEB_CVE_JSON_PATH.exists()
@@ -94,7 +148,12 @@ def check_json():
 
 
 def update_json():
-    """Update the Debian CVE JSON file"""
+    """
+    Updates the Debian CVE JSON file by downloading the latest data.
+
+    This function requests the JSON data from the specified URL and saves it to
+    the `DEB_CVE_JSON_PATH` location, logging the update status.
+    """
 
     LOGGER.info("Updating Debian CVE JSON file for checking available fixes.")
     # timeout = 300s = 5min. This is a guess at a valid default

diff --git a/cve_bin_tool/output_engine/__init__.py b/cve_bin_tool/output_engine/__init__.py
@@ -882,7 +882,10 @@ def output_file(self, output_type="console"):
             with open(self.filename, "wb") as f:
                 self.output_cves(f, output_type)
         else:
-            with open(self.filename, "w", encoding="utf8") as f:
+            # if type is csv, file should be opened with newline=''
+            # see https://docs.python.org/3/library/csv.html#csv.writer
+            newline = "" if output_type == "csv" else None
+            with open(self.filename, mode="w", newline=newline, encoding="utf8") as f:
                 self.output_cves(f, output_type)
 
     def check_file_path(self, filepath: str, output_type: str, prefix: str = "output"):

diff --git a/cve_bin_tool/parsers/env.py b/cve_bin_tool/parsers/env.py
@@ -15,6 +15,12 @@
 
 @dataclasses.dataclass
 class EnvNamespaceConfig:
+    """
+    Configuration details for environment namespace in the CVE Bin tool
+    Attributes:
+        CVE ID associated with this namespace, vendor name, product name, version of the product, file path where product is located
+    """
+
     ad_hoc_cve_id: str
     vendor: str
     product: str
@@ -24,6 +30,12 @@ class EnvNamespaceConfig:
 
 @dataclasses.dataclass
 class EnvConfig:
+    """
+    Configuration for multiple environment namespaces
+    Attributes:
+        A dictionary mapping namespace names to their configurations
+    """
+
     namespaces: dict[str, EnvNamespaceConfig]
 
 
@@ -40,6 +52,13 @@ class EnvParser(Parser):
 
     @staticmethod
     def parse_file_contents(contents):
+        """
+        Parse the contents of an environment configuration file
+        Args:
+            contents(str): textual content of environment configuration file
+        Returns:
+            EnvConfig: EnvConfig instance containing parsed namespace configurations
+        """
         lines = list(
             [
                 line