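--- a/cve_bin_tool/output_engine
+++ b/cve_bin_tool/output_engine
@@ -57,7 +57,14 @@ def save_intermediate(
 
 def output_csv (all_cve_data : Dict [ProductInfo , CVEData ], outfile ):
     """Output a CSV of CVEs"""
+
     formatted_output = format_output (all_cve_data )
+
+    # Trim any leading -, =, + or @ to avoid excel macros
+    for cve_entry in formatted_output :
+        for key , value in cve_entry .items ():
+            cve_entry [key ] = value .strip ("-=+@" )
+
     writer = csv .DictWriter (
         outfile ,
         fieldnames = [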
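Review bot: `value .strip ("-=+@" )` on the last added line removes trailing as well as leading characters, while the comment just above it says only leading ones are trimmed, so a legitimate value that happens to end in `-`, `+`, `=` or `@` (a comment, a vector string) is silently altered. `cve_entry[key] = value.lstrip("-=+@")` matches the stated intent and loses less data. Spreadsheet applications also treat a cell beginning with a tab or carriage return followed by a formula character as a formula, so the trimmed set may need `\t` and `\r` as well; and the loop assumes every value returned by format_output is a str, since a non-str value would raise AttributeError on `.strip` — both points are worth confirming against format_output, which is not in this hunk. The body of output_csv continues past the end of the hunk.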
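--- a/<test-file-path-not-shown-on-page>
+++ b/<test-file-path-not-shown-on-page>
@@ -844,3 +844,43 @@ def test_output_file_incorrect_filename(self):
 
         # assert
         self .assertEqual (contains_sb , True )
+
+    def test_csv_macros (self ):
+        """tests that output engine will not output leading -, =, + or @
+        characters, used in spreadsheet macros"""
+
+        bad_input = {
+            ProductInfo ("=vendor0" , "+product0" , "@1.0" ): CVEData (
+                cves = [
+                    CVE (
+                        "-CVE-1234-1234" ,
+                        "@-=+MEDIUM" ,
+                        score = 4.2 ,
+                        cvss_version = 2 ,
+                        cvss_vector = "C:H" ,
+                    ),
+                ],
+                paths = {"@@@@bad" },
+            ),
+        }
+        expected_output = [
+            {
+                "vendor" : "vendor0" ,
+                "product" : "product0" ,
+                "version" : "1.0" ,
+                "cve_number" : "CVE-1234-1234" ,
+                "severity" : "MEDIUM" ,
+                "score" : "4.2" ,
+                "cvss_version" : "2" ,
+                "cvss_vector" : "C:H" ,
+                "paths" : "bad" ,
+                "remarks" : "NewFound" ,
+                "comments" : "" ,
+            },
+        ]
+
+        output_csv (bad_input , self .mock_file )
+        self .mock_file .seek (0 ) # reset file position
+        reader = csv .DictReader (self .mock_file )
+        actual_output = [dict (x ) for x in reader ]
+        self .assertEqual (actual_output , expected_output )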
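Review bot: Every sanitised value in `bad_input` carries its trigger characters only at the start, so the test cannot tell a leading-only trim apart from a `str.strip` that also removes trailing characters, and it would keep passing if legitimate trailing `-`/`+`/`=`/`@` data were lost. One value ending in a trigger character, e.g. `cvss_vector="C:H-"` with `"cvss_vector": "C:H-"` in `expected_output`, would pin the leading-only behaviour the docstring describes. The expected `"remarks": "NewFound"` and `"comments": ""` depend on CVEData defaults that are not visible in this hunk; a short comment such as `# remarks/comments come from CVEData defaults` would tell a reader where those values originate. The test method belongs to a class whose header lies outside the hunk.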