oasis-open / csaf-parser


OASIS TC Open Repository: CSAF Parser tool for parsing and checking the syntax of the Common Vulnerability Reporting Framework (CVRF) content

Home Page: https://github.com/oasis-open/csaf-parser

License: MIT License

Python 100.00%

csaf-parser's Issues

Mutable default values for function parameters

In the current implementation some function calls accept a list as parameter.

The problem is that the default value is an empty list (constructor).

Python parses the function signatures upon import only once and evaluates those default values to a specific single instance.

Subsequent calls to such functions with no list given explicitly may lead to surprising side effects using the one default list instance over and over again.

The suggested fix is to use the classical Python pattern of a marker value None as the default and, inside the function, a conditional guard that restores the list type of that variable.
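The pitfall and the None-sentinel fix described in this issue, as an added example (not csaf-parser code; the function names `collect_tags_buggy`, `collect_tags_fixed` and `demonstrate` are hypothetical stand-ins for the project's list-taking helpers):

```python
"""Mutable default argument pitfall versus the None-sentinel fix (added example)."""
from typing import Callable, List, Optional, Tuple


def collect_tags_buggy(tag: str, found: List[str] = []) -> List[str]:
    """Buggy: the default list is built once when the def runs and reused by
    every call that omits the argument, so results leak between calls."""
    found.append(tag)
    return found


def collect_tags_fixed(tag: str, found: Optional[List[str]] = None) -> List[str]:
    """Fixed: None is the marker; the guard creates a fresh list per call."""
    if found is None:
        found = []
    found.append(tag)
    return found


def demonstrate(fn: Callable[..., List[str]]) -> Tuple[List[str], List[str], bool]:
    """Call fn twice without the list argument; report both results and
    whether they are the very same list object."""
    first = fn("ProductID")
    second = fn("Status")
    return first, second, first is second


def default_is_shared(fn: Callable[..., List[str]]) -> bool:
    """True when the function's stored default object is a list that calls mutate."""
    defaults = fn.__defaults__ or ()
    return any(isinstance(d, list) for d in defaults)


if __name__ == "__main__":
    print("buggy:", demonstrate(collect_tags_buggy))   # both results accumulate
    print("fixed:", demonstrate(collect_tags_fixed))   # independent lists
```

`fn.__defaults__` exposes the single instance the issue refers to; with the sentinel version the stored default is `None`, so nothing mutable survives between calls.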

XML parsing error when executing example code

Environment information:

  • Windows 10, main Python installation is 3.10, also have 3.9.12 installed
  • Tried both Python 3.10 with latest lxml (4.8.0) and a 3.9 venv with matching lxml (4.6.3), same error

Reproduction:

  1. Clone the repo
  2. Execute the first sample code python cvrf_util.py --file examples/1.1/ms_cvrf.xml --schema schemata/cvrf/1.1/cvrf.xsd --cvrf-version 1.1 --output-format csv --output-file ms_cvrf.csv --vuln ProductID --include-related-product-elements --unique-products --related-product-tags all
  3. Encounter error:
cvrf_util.py: Unable to check cvrf version in document. Cannot parse document or get node based on specified parseable elements!
Probably a cvrf version mismatch...try using different cvrf version.

Log:

04/12/2022 10:41:57 AM -----------------------------------------------
04/12/2022 10:41:57 AM cvrf_util.py v1.2.0
04/12/2022 10:41:57 AM command line args: ['cvrf_util.py', '--file', 'examples/1.1/ms_cvrf.xml', '--schema', 'schemata/cvrf/1.1/cvrf.xsd', '--cvrf-version', '1.1', '--output-format', 'csv', '--output-file', 'ms_cvrf.csv', '--vuln', 'ProductID', '--include-related-product-elements', '--unique-products', '--related-product-tags', 'all']
04/12/2022 10:41:57 AM cvrf_version: 1.1
04/12/2022 10:41:57 AM command line args processed successfully
04/12/2022 10:41:57 AM Namespace(file='examples/1.1/ms_cvrf.xml', cvrf_version='1.1', output_file='ms_cvrf.csv', output_format='csv', include_related_product_elements=True, related_product_tags=['all'], unique_products=True, cvrf=None, vuln=['{http://www.icasi.org/CVRF/schema/vuln/1.1}ProductID'], prod=None, collate_vuln=False, strip_ns=False, validate=False, schema='schemata/cvrf/1.1/cvrf.xsd', catalog=None)
04/12/2022 10:41:57 AM file to parse: examples/1.1/ms_cvrf.xml
04/12/2022 10:41:57 AM schema: schemata/cvrf/1.1/cvrf.xsd
04/12/2022 10:41:57 AM catalog: schemata/catalog_1_1.xml
04/12/2022 10:41:57 AM output format: csv
04/12/2022 10:41:57 AM output file: ms_cvrf.csv
04/12/2022 10:41:57 AM related_product_tags: ProductID,Status,CVE,Title,BaseScore,Vector,TemporalScore,Note,FullProductName,Branch,Revision,Remediation,Acknowledgment,Threat
04/12/2022 10:41:57 AM parse doc for below elements
04/12/2022 10:41:57 AM {http://www.icasi.org/CVRF/schema/vuln/1.1}ProductID
04/12/2022 10:41:57 AM parsing document...
04/12/2022 10:41:57 AM document successfully parsed
04/12/2022 10:41:57 AM verifying cvrf version...
04/12/2022 10:41:57 AM cvrf version from document: 
04/12/2022 10:41:57 AM cvrf version from args: http://www.icasi.org/CVRF/schema/cvrf/1.1
04/12/2022 10:41:57 AM Unable to check cvrf version in document. Cannot parse document or get node based on specified parseable elements!
Probably a cvrf version mismatch...try using different cvrf version.

Remove sys.setdefaultencoding

At the top of main(), the function sets the default encoding to utf-8 using the sys.setdefaultencoding trick.

import sys
reload(sys)  # Python 2 only; reload() and sys.setdefaultencoding() are not available in Python 3
sys.setdefaultencoding('utf8')

That can cause problems elsewhere, because it changes the default encoding for the whole interpreter. It would be better to explicitly decode to unicode on read, and encode back to bytestrings on write.

References

https://anonbadger.wordpress.com/2015/06/16/why-sys-setdefaultencoding-will-break-code/
https://stackoverflow.com/questions/28657010/dangers-of-sys-setdefaultencodingutf-8/29561747#29561747
https://nedbatchelder.com/text/unipain.html
https://github.com/jdunck/python-unicodecsv
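The explicit decode-on-read, encode-on-write pattern this issue recommends, as an added example (not csaf-parser code). It targets Python 3, where `sys.setdefaultencoding` no longer exists; the sample bytes are constructed and the function names are hypothetical:

```python
"""Decode at the input boundary, encode at the output boundary (added example)."""
import csv
import io
from typing import List

# Constructed sample: a CVRF-style title with non-ASCII characters, as raw UTF-8 bytes.
SAMPLE_TITLE_BYTES = "<Title>Sicherheitslücke Übersicht</Title>".encode("utf-8")


def read_text(raw: bytes, encoding: str = "utf-8") -> str:
    """Decode once, at the boundary. Strict errors surface a wrong encoding
    immediately instead of letting mojibake flow into the output."""
    return raw.decode(encoding, errors="strict")


def write_csv_bytes(rows: List[List[str]], encoding: str = "utf-8") -> bytes:
    """Build the CSV as text, then encode once when producing the bytes
    that go to disk or a socket."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue().encode(encoding)


def decodes_cleanly(raw: bytes, encoding: str) -> bool:
    """Report whether raw is valid in the given encoding, without raising."""
    try:
        raw.decode(encoding, errors="strict")
    except UnicodeDecodeError:
        return False
    return True


def round_trip(raw: bytes) -> List[List[str]]:
    """bytes -> str -> CSV text -> bytes -> str -> parsed rows, all explicit."""
    title = read_text(raw)
    data = write_csv_bytes([["Title", title]])
    return list(csv.reader(io.StringIO(read_text(data))))


if __name__ == "__main__":
    print(round_trip(SAMPLE_TITLE_BYTES))
    print("valid ascii?", decodes_cleanly(SAMPLE_TITLE_BYTES, "ascii"))
```

Because every conversion names its encoding, the behaviour does not depend on interpreter-wide state, and a mis-declared input fails loudly at `read_text` rather than producing a CSV with silently corrupted product names.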

Update CSAF CVRF 1.2 documentation

The current version of the CSAF CVRF parser supports CVRF 1.2 (XML) only. It does not support the CSAF 2.0 JSON draft schema. This should be reflected in the README.md documentation.

Potential Issue in 1.2 Vuln.xsd

I'm working on a Cyber analysis tool. In doing this, I create C# classes from XSD files using XSD.exe. When attempting to do this for cvrf.xsd, I kept getting the following error:

Error: Error generating classes for schema 'cvrf_common_prod_vuln_cpe-language_2_3'.
The datatype 'http://scap.nist.gov/schema/cvss-v2/1.0:zeroToTenDecimalType' is missing.

In order to solve this issue, I had to change references from "cvssv2" to "cvssv3".

Support installation and usage as a package

Currently, the tool is only usable via the command line. Ideally, the actual parsing behavior would be accessible via an API, and the package could be installed from PyPI, for example.

Provide support for a CSAF v2.0 parser

As we close in on the CSAF v2.0 specification we should plan on providing a reference implementation for a CSAF v2.0 parser.

@tschmidtb51, @santosomar - I would label this as enhancement but it seems my permissions for this repository currently are on level -1 😉
