feat: support for localising vectors (i.e. stripping out any scheme prefix)

madpah · madpah · commit b9e9e17ba1e2 · 2021-09-15T16:22:59.000+01:00
Signed-off-by: Paul Horton &lt;phorton@sonatype.com&gt;
diff --git a/cyclonedx/model/vulnerability.py b/cyclonedx/model/vulnerability.py
@@ -17,6 +17,7 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright (c) OWASP Foundation. All Rights Reserved.
 
+import re
 from enum import Enum
 from typing import List, Union
 from urllib.parse import ParseResult, urlparse
@@ -59,8 +60,16 @@ def get_localised_vector(self, vector: str) -> str:
         :param vector:
         :return:
         """
-        if self == VulnerabilitySourceType.CVSS_V3:
-            return
+        if self == VulnerabilitySourceType.CVSS_V3 and vector.startswith('CVSS:3.'):
+            return re.sub('^CVSS:3\\.\\d/?', '', vector)
+
+        if self == VulnerabilitySourceType.CVSS_V2 and vector.startswith('CVSS:2.'):
+            return re.sub('^CVSS:2\\.\\d/?', '', vector)
+
+        if self == VulnerabilitySourceType.OWASP and vector.startswith('OWASP'):
+            return re.sub('^OWASP/?', '', vector)
+
+        return vector
 
 
 class VulnerabilitySeverity(Enum):
@@ -77,7 +86,7 @@ class VulnerabilitySeverity(Enum):
     @staticmethod
     def get_from_cvss_scores(scores: tuple[float] = None):
         if type(scores) is float:
-            scores = (scores, )
+            scores = (scores,)
 
         if scores is None:
             return VulnerabilitySeverity.UNKNOWN
diff --git a/tests/fixtures/bom_v1.3_setuptools_with_vulnerabilities.xml b/tests/fixtures/bom_v1.3_setuptools_with_vulnerabilities.xml
@@ -28,7 +28,7 @@
                         <v:rating>
                             <v:severity>Low</v:severity>
                             <v:method>OWASP Risk</v:method>
-                            <v:vector>OWASP/K9:M1:O0:Z2/D1:X1:W1:L3/C2:I1:A1:T1/F1:R1:S2:P3/50</v:vector>
+                            <v:vector>K9:M1:O0:Z2/D1:X1:W1:L3/C2:I1:A1:T1/F1:R1:S2:P3/50</v:vector>
                         </v:rating>
                     </v:ratings>
                     <v:cwes>
diff --git a/tests/test_model_vulnerability.py b/tests/test_model_vulnerability.py
@@ -76,3 +76,69 @@ def test_v_source_parse_owasp_1(self):
             VulnerabilitySourceType.get_from_vector('OWASP/K9:M1:O0:Z2/D1:X1:W1:L3/C2:I1:A1:T1/F1:R1:S2:P3/50'),
             VulnerabilitySourceType.OWASP
         )
+
+    def test_v_source_get_localised_vector_cvss3_1(self):
+        self.assertEqual(
+            VulnerabilitySourceType.CVSS_V3.get_localised_vector(vector='CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'),
+            'AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'
+        )
+
+    def test_v_source_get_localised_vector_cvss3_2(self):
+        self.assertEqual(
+            VulnerabilitySourceType.CVSS_V3.get_localised_vector(vector='CVSS:3.0AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'),
+            'AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'
+        )
+
+    def test_v_source_get_localised_vector_cvss3_3(self):
+        self.assertEqual(
+            VulnerabilitySourceType.CVSS_V3.get_localised_vector(vector='AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'),
+            'AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'
+        )
+
+    def test_v_source_get_localised_vector_cvss2_1(self):
+        self.assertEqual(
+            VulnerabilitySourceType.CVSS_V2.get_localised_vector(vector='CVSS:2.0/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'),
+            'AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'
+        )
+
+    def test_v_source_get_localised_vector_cvss2_2(self):
+        self.assertEqual(
+            VulnerabilitySourceType.CVSS_V2.get_localised_vector(vector='CVSS:2.1AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'),
+            'AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'
+        )
+
+    def test_v_source_get_localised_vector_cvss2_3(self):
+        self.assertEqual(
+            VulnerabilitySourceType.CVSS_V2.get_localised_vector(vector='AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'),
+            'AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'
+        )
+
+    def test_v_source_get_localised_vector_owasp_1(self):
+        self.assertEqual(
+            VulnerabilitySourceType.OWASP.get_localised_vector(vector='OWASP/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'),
+            'AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'
+        )
+
+    def test_v_source_get_localised_vector_owasp_2(self):
+        self.assertEqual(
+            VulnerabilitySourceType.OWASP.get_localised_vector(vector='OWASPAV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'),
+            'AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'
+        )
+
+    def test_v_source_get_localised_vector_owasp_3(self):
+        self.assertEqual(
+            VulnerabilitySourceType.OWASP.get_localised_vector(vector='AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'),
+            'AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'
+        )
+
+    def test_v_source_get_localised_vector_other_1(self):
+        self.assertEqual(
+            VulnerabilitySourceType.OPEN_FAIR.get_localised_vector(vector='SOMETHING_OR_OTHER'),
+            'SOMETHING_OR_OTHER'
+        )
+
+    def test_v_source_get_localised_vector_other_2(self):
+        self.assertEqual(
+            VulnerabilitySourceType.OTHER.get_localised_vector(vector='SOMETHING_OR_OTHER'),
+            'SOMETHING_OR_OTHER'
+        )
