fix: Added None checks for parsed purls (fixes #3478) (#3490)

weichslgartner · web-flow · commit c4ec1fa454ac · 2023-10-31T09:16:11.000-07:00
fixes #3478
diff --git a/cve_bin_tool/sbom_manager/__init__.py b/cve_bin_tool/sbom_manager/__init__.py
@@ -123,8 +123,9 @@ def parse_sbom(self):
                     if ref[1] == "purl":
                         # Process purl identifier
                         purl_info = PackageURL.from_string(ref[2]).to_dict()
-                        modules.append([purl_info["name"], purl_info["version"]])
-                        purl_found = True
+                        if purl_info["name"] and purl_info["version"]:
+                            modules.append([purl_info["name"], purl_info["version"]])
+                            purl_found = True
             if not purl_found:
                 if package.get("version") is not None:
                     modules.append([package["name"], package["version"]])
diff --git a/test/sbom/cyclonedx_mixed_test.json b/test/sbom/cyclonedx_mixed_test.json
@@ -33,6 +33,12 @@
         "name": "GLIBC",
         "version": "2.11.1",
         "purl": "pkg:maven/org.gnu.glibc/glibc@2.11.1"
+      },
+      {
+        "name": "invalid_purl_package",
+        "version": "1.1.0",
+        "type": "library",
+        "purl": "pkg:xxx/xxx/xxx"
       }
     ]
   }

Original file line number	Diff line number	Diff line change
`@@ -33,6 +33,12 @@`
`33`	`33`	`"name": "GLIBC",`
`34`	`34`	`"version": "2.11.1",`
`35`	`35`	`"purl": "pkg:maven/org.gnu.glibc/glibc@2.11.1"`
	`36`	`+ },`
	`37`	`+ {`
	`38`	`+ "name": "invalid_purl_package",`
	`39`	`+ "version": "1.1.0",`
	`40`	`+ "type": "library",`
	`41`	`+ "purl": "pkg:xxx/xxx/xxx"`
`36`	`42`	`}`
`37`	`43`	`]`
`38`	`44`	`}`