Mapping vul. url to each OSS

bjk7119 · bjk7119 · commit bb2c990c86e6 · 2024-12-27T08:03:20.000+09:00
diff --git a/requirements.txt b/requirements.txt
@@ -10,3 +10,4 @@ XlsxWriter
 PyYAML
 fosslight_util>=2.1.6
 dependency-check
+Levenshtein
diff --git a/src/fosslight_binary/_binary.py b/src/fosslight_binary/_binary.py
@@ -3,20 +3,35 @@
 # Copyright (c) 2020 LG Electronics Inc.
 # SPDX-License-Identifier: Apache-2.0
 from fosslight_util.oss_item import FileItem
+import Levenshtein
 
 EXCLUDE_TRUE_VALUE = "Exclude"
 TLSH_CHECKSUM_NULL = "0"
 
 
+def find_most_similar_word(input_string, oss_name_list):
+    most_similar_word = None
+    min_distance = float('inf')
+
+    for oss in oss_name_list:
+        distance = Levenshtein.distance(input_string, oss.name)
+        if distance < min_distance:
+            min_distance = distance
+            most_similar_word = oss.name
+    return most_similar_word
+
+
 class VulnerabilityItem:
     file_path = ""
     vul_id = ""
     nvd_url = ""
+    oss_items = []
 
-    def __init__(self, file_path, id, url):
+    def __init__(self, file_path, id, url, oss_items):
         self.file_path = file_path
         self.vul_id = id
         self.nvd_url = url
+        self.oss_items = oss_items
 
 
 class BinaryItem(FileItem):
@@ -42,9 +57,29 @@ def set_oss_items(self, new_oss_list, exclude=False, exclude_msg=""):
         # Append New input OSS
         self.oss_items.extend(new_oss_list)
 
-    def get_vulnerability_items(self):
-        nvd_url = [vul_item.nvd_url for vul_item in self.vulnerability_items]
-        return ", ".join(nvd_url)
+    def get_vulnerability_items(self, oss_name):
+        nvd_url = []
+        nvd_urls = ""
+        nvd_url_dict = {}
+
+        for vul_item in self.vulnerability_items:
+            found_oss_name = ""
+
+            if vul_item.file_path == self.source_name_or_path:
+                if len(self.oss_items) > 1:
+                    if vul_item.nvd_url:
+                        found_oss_name = find_most_similar_word(vul_item.nvd_url, vul_item.oss_items)
+                        if oss_name == found_oss_name:
+                            nvd_urls = f"{nvd_urls}\n{vul_item.nvd_url}"
+                else:
+                    nvd_url = nvd_url_dict.get(vul_item.file_path)
+                    if nvd_url:
+                        nvd_url.append(vul_item.nvd_url)
+                        nvd_urls = "\n".join(nvd_url)
+                    else:
+                        nvd_url_dict[vul_item.file_path] = [vul_item.nvd_url]
+                        nvd_urls = "\n".join(nvd_url_dict[vul_item.file_path])
+        return nvd_urls.strip()
 
     def get_print_binary_only(self):
         return (self.source_name_or_path + "\t" + self.checksum + "\t" + self.tlsh)
@@ -55,7 +90,7 @@ def get_print_array(self):
             for oss in self.oss_items:
                 lic = ",".join(oss.license)
                 exclude = EXCLUDE_TRUE_VALUE if (self.exclude or oss.exclude) else ""
-                nvd_url = self.get_vulnerability_items()
+                nvd_url = self.get_vulnerability_items(oss.name)
                 items.append([self.source_name_or_path, oss.name, oss.version,
                               lic, oss.download_location, oss.homepage,
                               oss.copyright, exclude, oss.comment,
diff --git a/src/fosslight_binary/_jar_analysis.py b/src/fosslight_binary/_jar_analysis.py
@@ -86,7 +86,7 @@ def merge_binary_list(owasp_items, vulnerability_items, bin_list):
     return bin_list
 
 
-def get_vulnerability_info(file_with_path, vulnerability, vulnerability_items, remove_vulnerability_items):
+def get_vulnerability_info(file_with_path, vulnerability, vulnerability_items, remove_vulnerability_items, owasp_items):
     if vulnerability:
         try:
             for vul_info in vulnerability:
@@ -97,8 +97,8 @@ def get_vulnerability_info(file_with_path, vulnerability, vulnerability_items, r
                         vul_id = val
                     elif key == 'url':
                         nvd_url = val
-
-                vul_item = VulnerabilityItem(file_with_path, vul_id, nvd_url)
+                        
+                vul_item = VulnerabilityItem(file_with_path, vul_id, nvd_url, owasp_items[file_with_path])
 
                 remove_vulnerability_items = vulnerability_items.get(file_with_path)
                 if remove_vulnerability_items:
@@ -257,9 +257,6 @@ def analyze_jar_file(path_to_find_bin, path_to_exclude):
                     if oss_dl_url == "":
                         oss_dl_url = get_oss_dl_url(vendor_info)
 
-            # Get Vulnerability Info.
-            vulnerability_items = get_vulnerability_info(file_with_path, vulnerability, vulnerability_items, remove_vulnerability_items)
-
             if oss_name != "" or oss_ver != "" or oss_license != "" or oss_dl_url != "":
                 oss = OssItem(oss_name, oss_ver, oss_license, oss_dl_url)
                 oss.comment = "OWASP result"
@@ -269,6 +266,9 @@ def analyze_jar_file(path_to_find_bin, path_to_exclude):
                     remove_owasp_item.append(oss)
                 else:
                     owasp_items[file_with_path] = [oss]
+
+            # Get Vulnerability Info.
+            vulnerability_items = get_vulnerability_info(file_with_path, vulnerability, vulnerability_items, remove_vulnerability_items, owasp_items)
     except Exception as ex:
         logger.debug(f"Error to get depency Info in jar_contets: {ex}")
         success = False
