Merge branch 'main' into cve_vulntotal

Author: keshav-space

vulntotal/datasources/github.py

@@ -81,7 +81,7 @@ def supported_ecosystem(cls):
             "pypi": "PIP",
             "gem": "RUBYGEMS",
             "golang": "GO",
-            "rust": "RUST",
+            "cargo": "RUST",
             "npm": "NPM",
             "erlang": "ERLANG",
             "pub": "PUB",

vulntotal/datasources/osv.py

@@ -52,12 +52,12 @@ def supported_ecosystem(cls):
             "golang": "Go",
             "nuget": "NuGet",
             "pypi": "PyPI",
-            "rubygems": "RubyGems",
-            "crates.io": "crates.io",
+            "gem": "RubyGems",
+            "cargo": "crates.io",
             "composer": "Packagist",
             "linux": "Linux",
             "oss-fuzz": "OSS-Fuzz",
-            "debian": "Debian",
+            "deb": "Debian",
             "hex": "Hex",
             "android": "Android",
         }

vulntotal/datasources/snyk.py

@@ -61,7 +61,7 @@ def supported_ecosystem(cls):
             "npm": "npm",
             "nuget": "nuget",
             "pypi": "pip",
-            "rubygems": "rubygems",
+            "gem": "rubygems",
             # any purl.type not in supported_ecosystem shall implicitly be treated as unmanaged type
             "unmanaged": "unmanaged",
         }

vulntotal/datasources/vulnerablecode.py

@@ -79,9 +79,13 @@ def parse_advisory(fetched_advisory, purl) -> VendorData:
     affected_versions = []
     fixed_versions = []
     for instance in fetched_advisory["affected_packages"]:
-        affected_versions.append(PackageURL.from_string(instance["purl"]).version)
+        affected_purl = PackageURL.from_string(instance["purl"])
+        if affected_purl.type == purl.type:
+            affected_versions.append(affected_purl.version)
     for instance in fetched_advisory["fixed_packages"]:
-        fixed_versions.append(PackageURL.from_string(instance["purl"]).version)
+        fixed_purl = PackageURL.from_string(instance["purl"])
+        if fixed_purl.type == purl.type:
+            fixed_versions.append(fixed_purl.version)
     return VendorData(
         purl=PackageURL(purl.type, purl.namespace, purl.name),
         aliases=aliases,

vulntotal/tests/test_github.py

@@ -28,8 +28,8 @@ def test_generate_graphql_payload_from_purl(self):
             "pkg:npm/[email protected]",
             "pkg:golang/github.com/cloudflare/[email protected]",
             "pkg:composer/symfony/[email protected]",
-            "pkg:rust/[email protected]",
-            "pkg:erlang/[email protected]",
+            "pkg:cargo/[email protected]",
+            "pkg:hex/[email protected]",
             "pkg:gem/[email protected]",
         ]
         results = [

vulntotal/tests/test_osv.py

@@ -25,11 +25,11 @@ def test_generate_payload(self):
         purls = [
             "pkg:pypi/[email protected]",
             "pkg:android/System@10",
-            "pkg:debian:8/[email protected]",
+            "pkg:deb:8/[email protected]",
             "pkg:maven/org.apache.tomcat/[email protected]",
             "pkg:linux/[email protected]",
             "pkg:packagist/dolibarr/[email protected]",
-            "pkg:crates.io/[email protected]",
+            "pkg:cargo/[email protected]",
             "pkg:npm/[email protected]",
             "pkg:golang/github.com/cloudflare/[email protected]",
         ]

vulntotal/tests/test_snyk.py

@@ -30,7 +30,7 @@ def test_generate_package_advisory_url(self):
             "pkg:nuget/[email protected]",
             "pkg:cocoapods/[email protected]",
             "pkg:hex/[email protected]",
-            "pkg:rubygems/[email protected]",
+            "pkg:gem/[email protected]",
             "pkg:unmanaged/[email protected]",
         ]
         results = [

vulntotal/tests/test_vulnerablecode.py

@@ -24,9 +24,7 @@ def test_parse_advisory(self):
         advisory_file = self.get_test_loc("advisory.json")
         with open(advisory_file) as f:
             advisory = json.load(f)
-        results = [
-            vulnerablecode.parse_advisory(adv, PackageURL("generic", "namespace", "test")).to_dict()
-            for adv in advisory
-        ]
+        input_purl = PackageURL.from_string("pkg:maven/org.apache.tomcat/[email protected]")
+        results = [vulnerablecode.parse_advisory(adv, input_purl).to_dict() for adv in advisory]
         expected_file = self.get_test_loc("parse_advisory-expected.json", must_exist=False)
         util_tests.check_results_against_json(results, expected_file)