Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve .NET package CPE generation #3764

Merged
merged 1 commit into from
Mar 28, 2025
Merged

Improve .NET package CPE generation #3764

merged 1 commit into from
Mar 28, 2025

Conversation

wagoodman
Copy link
Contributor

@wagoodman wagoodman commented Mar 27, 2025
edited
Loading

This is a follow up to #3563 to improve the CPE generation for .NET packages. Take for instance OWASP.AntiSamy where a good CPE example is cpe:2.3:a:spassarop:owasp_antisamy_.net:*:*:*:*:*:*:*:*.

Today we're generating for this package:

[
  {
    "cpe": "cpe:2.3:a:OWASP.AntiSamy:OWASP.AntiSamy:1.2.1:*:*:*:*:*:*:*",
    "source": "syft-generated"
  }
]

Taking a look at the CPE dictionary it seems that most (all?) .NET applications normalize . to _ and some get a .net suffix. With these changes + adding in other data sources from the metadata we can generate this:

[
  {
    "cpe": "cpe:2.3:a:owasp_antisamy:owasp_antisamy_.net:1.2.1:*:*:*:*:*:*:*",
    "source": "syft-generated"
  },
  {
    "cpe": "cpe:2.3:a:owasp_antisamy:owasp_antisamy:1.2.1:*:*:*:*:*:*:*",
    "source": "syft-generated"
  },
  {
    "cpe": "cpe:2.3:a:owasp_antisamy:antisamy_.net:1.2.1:*:*:*:*:*:*:*",
    "source": "syft-generated"
  },
  {
    "cpe": "cpe:2.3:a:spassaro:owasp_antisamy_.net:1.2.1:*:*:*:*:*:*:*",
    "source": "syft-generated"
  },
  {
    "cpe": "cpe:2.3:a:owasp_antisamy:antisamy:1.2.1:*:*:*:*:*:*:*",
    "source": "syft-generated"
  },
  {
    "cpe": "cpe:2.3:a:spassaro:owasp_antisamy:1.2.1:*:*:*:*:*:*:*",
    "source": "syft-generated"
  },
  {
    "cpe": "cpe:2.3:a:spassaro:antisamy_.net:1.2.1:*:*:*:*:*:*:*",
    "source": "syft-generated"
  },
  {
    "cpe": "cpe:2.3:a:spassaro:antisamy:1.2.1:*:*:*:*:*:*:*",
    "source": "syft-generated"
  }
]

This is about as close as we can get to the candidate (note that the vendor on the CVE has a suffix p, but this is not present in the underlying data).

I also found a few tests out of place and with extra vars not used anywhere.

Type of change

  • New feature (non-breaking change which adds functionality)

Checklist:

  • I have added unit tests that cover changed behavior
  • I have tested my code in common scenarios and confirmed there are no regressions
  • I have added comments to my code, particularly in hard-to-understand sections

@wagoodman
better .NET cpe generation
46dd36a 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
@wagoodman wagoodman added the enhancement New feature or request label Mar 27, 2025
@wagoodman wagoodman self-assigned this Mar 27, 2025
@wagoodman wagoodman merged commit 40dd5d0 into main Mar 28, 2025
13 checks passed
@wagoodman wagoodman deleted the better-dotnet-cpes branch March 28, 2025 14:59
@BrewTestBot BrewTestBot mentioned this pull request Apr 1, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kzantow kzantow kzantow approved these changes

Assignees

@wagoodman wagoodman

Labels
enhancement New feature or request
Projects
OSS
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@wagoodman @kzantow