feat: Add mapping of vulnerable libraries to components (Fixed #1657) (#1658)

Author: anthonyharrison

cve_bin_tool/output_engine/__init__.py

@@ -20,6 +20,7 @@
 from .util import (
     add_extension_if_not,
     format_output,
+    format_path,
     generate_filename,
     get_cve_summary,
     intermediate_output,
@@ -299,7 +300,64 @@ def output_pdf(
             pdfdoc.showtable(
                 "Productlist", widths=[3 * cm, 3 * cm, 2 * cm, 4 * cm, 5 * cm]
             )
-        pdfdoc.paragraph("* vendors guessed by the tool") if star_warn else None
+            pdfdoc.paragraph("* vendors guessed by the tool") if star_warn else None
+
+            pdfdoc.heading(1, "List of Vulnerabilities mapped to Components")
+            pdfdoc.paragraph(
+                "The following vulnerabilities are reported against the identified components which contain the reported libraries."
+            )
+            pdfdoc.createtable(
+                "Applicationlist",
+                ["Vendor", "Product", "Version", "Root", "Filename"],
+                pdfdoc.tblStyle,
+                [10, 10, None, None, None],
+            )
+            row = 1
+            star_warn = False
+            application_elements = []
+            for product_info, cve_data in all_cve_data.items():
+                for cve in cve_data["cves"]:
+                    if cve.cve_number != "UNKNOWN":
+                        if "*" in product_info.vendor:
+                            star_warn = True
+
+                        path_elements = ", ".join(cve_data["paths"])
+                        for path_element in path_elements.split(","):
+                            path_root = format_path(cve_data["paths"])
+                            path_entry = {
+                                "vendor": product_info.vendor,
+                                "product": product_info.product,
+                                "version": product_info.version,
+                                "root": path_root[0],
+                                "filename": path_root[1],
+                            }
+                            if path_entry not in application_elements:
+                                application_elements.append(path_entry)
+                                pdfdoc.addrow(
+                                    "Applicationlist",
+                                    path_entry,
+                                    [
+                                        (
+                                            "TEXTCOLOR",
+                                            (0, row),
+                                            (2, row),
+                                            pdfdoc.black,
+                                        ),
+                                        ("FONT", (0, row), (2, row), "Helvetica"),
+                                        (
+                                            "TEXTCOLOR",
+                                            (3, row),
+                                            (4, row),
+                                            severity_colour[cve.severity.upper()],
+                                        ),
+                                        ("FONT", (3, row), (4, row), "Helvetica-Bold"),
+                                    ],
+                                )
+                                row += 1
+
+            pdfdoc.showtable(
+                "Applicationlist", widths=[3 * cm, 3 * cm, 2 * cm, 4 * cm, 3 * cm]
+            )
 
         pdfdoc.pagebreak()
         pdfdoc.paragraph("END OF DOCUMENT.")

cve_bin_tool/output_engine/console.py

@@ -1,12 +1,10 @@
 # Copyright (C) 2021 Intel Corporation
 # SPDX-License-Identifier: GPL-3.0-or-later
 
-from __future__ import annotations
-
 import textwrap
 from collections import defaultdict
 from datetime import datetime
-from typing import Any, DefaultDict
+from typing import Any, DefaultDict, Dict
 
 from rich.console import Console
 from rich.markdown import Markdown
@@ -20,7 +18,7 @@
 from ..theme import cve_theme
 from ..util import ProductInfo, VersionInfo
 from ..version import VERSION
-from .util import get_cve_summary
+from .util import format_path, get_cve_summary
 
 
 def format_version_range(version_info: VersionInfo) -> str:
@@ -80,9 +78,9 @@ def output_console(*args: Any):
 
 
 def _output_console_nowrap(
-    all_cve_data: dict[ProductInfo, CVEData],
-    all_cve_version_info: dict[str, VersionInfo],
-    time_of_last_update: datetime | str,
+    all_cve_data: Dict[ProductInfo, CVEData],
+    all_cve_version_info: Dict[str, VersionInfo],
+    time_of_last_update: datetime,
     affected_versions: int,
     exploits: bool = False,
     console: Console = Console(theme=cve_theme),
@@ -138,7 +136,8 @@ def _output_console_nowrap(
     console.print(table)
 
     cve_by_remarks: DefaultDict[Remarks, list[dict[str, str]]] = defaultdict(list)
-    # group cve_data by its remarks
+    cve_by_paths: DefaultDict[Remarks, list[dict[str, str]]] = defaultdict(list)
+    # group cve_data by its remarks and separately by paths
     for product_info, cve_data in all_cve_data.items():
         for cve in cve_data["cves"]:
             cve_by_remarks[cve.remarks].append(
@@ -152,6 +151,16 @@ def _output_console_nowrap(
                     "cvss_version": cve.cvss_version,
                 }
             )
+            path_elements = ", ".join(cve_data["paths"])
+            for path_element in path_elements.split(","):
+                path_entry = {
+                    "vendor": product_info.vendor,
+                    "product": product_info.product,
+                    "version": product_info.version,
+                    "paths": path_element,
+                }
+                if path_entry not in cve_by_paths[cve.remarks]:
+                    cve_by_paths[cve.remarks].append(path_entry)
             if affected_versions != 0:
                 try:
                     version_info = all_cve_version_info[cve.cve_number]
@@ -203,3 +212,32 @@ def _output_console_nowrap(
             if "*" in cve_data["vendor"]:
                 console.print("* vendors guessed by the tool")
                 break
+
+        # Show table of vulnerable products mapped to filename paths
+        for remarks in sorted(cve_by_paths):
+            color = "yellow"
+            console.print(
+                Panel(f"[{color}] {remarks.name} CVEs [/{color}]", expand=False)
+            )
+            # Table instance
+            table = Table()
+
+            # Add Head Columns to the Table
+            table.add_column("Vendor")
+            table.add_column("Product")
+            table.add_column("Version")
+            table.add_column("Root")
+            table.add_column("Filename")
+            color = "green"
+            for cve_data in cve_by_paths[remarks]:
+                path_root = format_path(cve_data["paths"])
+                cells = [
+                    Text.styled(cve_data["vendor"], color),
+                    Text.styled(cve_data["product"], color),
+                    Text.styled(cve_data["version"], color),
+                    Text.styled(path_root[0], color),
+                    Text.styled(path_root[1], color),
+                ]
+                table.add_row(*cells)
+        # Print the table to the console
+        console.print(table)

cve_bin_tool/output_engine/util.py

@@ -211,3 +211,11 @@ def group_cve_by_remark(
             }
         )
     return cve_by_remarks
+
+
+def format_path(path_element: str) -> List[str]:
+    """Extract filenames from path element"""
+    path = path_element.split(" contains ")
+    if len(path) > 1:
+        return [os.path.basename(path[0]), os.path.basename(path[1])]
+    return [os.path.basename(path[0]), " - "]