feat: PURL generation for PythonParser (#3945)

joydeep049 · inosmeet · terriko · web-flow · commit da495bd8b5d8 · 2024-04-03T12:37:20.000-07:00
Co-authored-by: Joydeep Tripathy &lt;113792434+crazytrain328@users.noreply.github.com&gt;
Co-authored-by: Meet Soni &lt;meetsoni3017@gmail.com&gt;
Co-authored-by: Terri Oda &lt;terri.oda@intel.com&gt;
diff --git a/cve_bin_tool/parsers/python.py b/cve_bin_tool/parsers/python.py
@@ -1,7 +1,8 @@
-# Copyright (C) 2022 Intel Corporation
+# Copyright (C) 2024 Intel Corporation
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 import json
+import re
 import subprocess
 from re import MULTILINE, compile, search
 
@@ -13,10 +14,44 @@
 
 
 class PythonRequirementsParser(Parser):
+    """
+    Parser for Python requirements files.
+    This parser is designed to parse Python requirements files (usually named
+    requirements.txt) and generate PURLs (Package URLs) for the listed packages.
+    """
+
     def __init__(self, cve_db, logger):
+        """Initialize the python requirements file parser."""
+        self.purl_pkg_type = "pypi"
         super().__init__(cve_db, logger)
 
+    def generate_purl(self, product, version, vendor, qualifier={}, subpath=None):
+        """Generates PURL after normalizing all components."""
+        product = re.sub(r"[^a-zA-Z0-9._-]", "", product).lower()
+        version = re.sub(r"[^a-zA-Z0-9.+-]", "", version)
+        vendor = "UNKNOWN"
+
+        if not product or not version:
+            return None
+
+        purl = super().generate_purl(
+            product,
+            version,
+            vendor,
+            qualifier,
+            subpath,
+        )
+
+        return purl
+
     def run_checker(self, filename):
+        """
+        Parse the requirements file and yield PURLs for the listed packages.
+        Args:
+            filename (str): The path to the requirements file.
+        Yields:
+            str: PURLs for the packages listed in the file.
+        """
         self.filename = filename
         try:
             output = subprocess.check_output(
@@ -71,9 +106,36 @@ def run_checker(self, filename):
 
 
 class PythonParser(Parser):
+    """
+    Parser for Python package metadata files.
+    This parser is designed to parse Python package metadata files (usually named
+    PKG-INFO or METADATA) and generate PURLs (Package URLs) for the package.
+    """
+
     def __init__(self, cve_db, logger):
+        """Initialize the python package metadata parser."""
+        self.purl_pkg_type = "pypi"
         super().__init__(cve_db, logger)
 
+    def generate_purl(self, product, version, vendor, qualifier={}, subpath=None):
+        """Generates PURL after normalizing all components."""
+        product = re.sub(r"[^a-zA-Z0-9._-]", "", product).lower()
+        version = re.sub(r"[^a-zA-Z0-9.+-]", "", version)
+        vendor = "UNKNOWN"
+
+        if not product or not version:
+            return None
+
+        purl = super().generate_purl(
+            product,
+            version,
+            vendor,
+            qualifier,
+            subpath,
+        )
+
+        return purl
+
     def run_checker(self, filename):
         """
         This generator runs only for python packages.
@@ -97,5 +159,4 @@ def run_checker(self, filename):
         # There are packages with a METADATA file in them containing different data from what the tool expects
         except AttributeError:
             self.logger.debug(f"{filename} is an invalid METADATA/PKG-INFO")
-
         self.logger.debug(f"Done scanning file: {filename}")
