Description
An SBOM component with a version 'UNKNOWN' results in an exception being raised.

```
╭─────────────────────────────── Traceback (most recent call last) ────────────────────────────────╮
│ /root/Documents/cve-bin-tool:8 in <module>                                                       │
│                                                                                                  │
│    5 from cve_bin_tool.cli import main                                                           │
│    6 if __name__ == '__main__':                                                                  │
│    7 │   sys.argv[0] = re.sub(r'(-script\.pyw|\.exe)?$', '', sys.argv[0])                        │
│ ❱  8 │   sys.exit(main())                                                                        │
│    9                                                                                             │
│                                                                                                  │
│ /root/Documents//lib/python3.10/site-packages/cve_bin_tool/cli.py:1185 in main                   │
│                                                                                                  │
│   1182 │   │   │   )                                                                             │
│   1183 │   │   │   for product_info, triage_data in parsed_data.items():                         │
│   1184 │   │   │   │   LOGGER.debug(f"{product_info}, {triage_data}")                            │
│ ❱ 1185 │   │   │   │   cve_scanner.get_cves(product_info, triage_data)                           │
│   1186 │   │   │                                                                                 │
│   1187 │   │   if args["vex_file"]:                                                              │
│   1188 │   │   │   # use auto so that lib4vex can auto-detect the vex type.                      │
│                                                                                                  │
│ /root/Documents//lib/python3.10/site-packages/cve_bin_tool/cve_scanner.py:211 in get_cves        │
│                                                                                                  │
│    208 │   │   │   │                                                                             │
│    209 │   │   │   if (                                                                          │
│    210 │   │   │   │   version_end_excluding is not self.RANGE_UNSET                             │
│ ❱  211 │   │   │   │   and parsed_version < Version(version_end_excluding)                       │
│    212 │   │   │   ):                                                                            │
│    213 │   │   │   │   passes_end = True                                                         │
│    214                                                                                           │
│                                                                                                  │
│ /root/Documents/lib/python3.10/site-packages/cve_bin_tool/version_compare.py:189 in __lt__       │
│                                                                                                  │
│    186 │                                                                                         │
│    187 │   def __lt__(self, other):                                                              │
│    188 │   │   """<"""                                                                           │
│ ❱  189 │   │   return bool(version_compare(self, other) < 0)                                     │
│    190 │                                                                                         │
│    191 │   def __le__(self, other):                                                              │
│    192 │   │   """<="""                                                                          │
│                                                                                                  │
│ /root/Documents/lib/python3.10/site-packages/cve_bin_tool/version_compare.py:71 in version_compare│
│                                                                                                  │
│     68 │   returns 1 if v1 > v2                                                                  │
│     69 │   returns -1 if v1 < v2                                                                 │
│     70 │   """                                                                                   │
│ ❱   71 │   v1_array = parse_version(v1)                                                          │
│     72 │   v2_array = parse_version(v2)                                                          │
│     73 │                                                                                         │
│     74 │   # We'll treat the following strings as pre-releases.                                  │
│                                                                                                  │
│ /root/Documents/lib/python3.10/site-packages/cve_bin_tool/version_compare.py:39 in parse_version │
│                                                                                                  │
│     36 │   """                                                                                   │
│     37 │                                                                                         │
│     38 │   if not version_string or version_string.lower() == "unknown":                         │
│ ❱   39 │   │   raise UnknownVersion(f"version string = {version_string}")                        │
│     40 │                                                                                         │
│     41 │   versionString = version_string.strip()                                                │
│     42                                                                                           │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
UnknownVersion: version string = UNKNOWN
```
To reproduce

Steps to reproduce the behaviour:

1. Scan using the following command:

```
cve-bin-tool --sbom cyclonedx --sbom-file 1755972506.cdx.json -u never --metrics --format json -o /tmp/cve-bin-tool.json -
```

The SBOM is very large but here is a snippet of a failing component:

```json
{
  "bom-ref": "pkg:maven/tools/tools?package-id=0cbc7253058df023",
  "type": "library",
  "name": "tools",
  "version": "UNKNOWN",
  "cpe": "cpe:2.3:a:tools:tools::::::::",
  "purl": "pkg:maven/tools/tools",
}
```
Expected behaviour:

Would expect that the component without a version (or UNKNOWN) would be ignored and the scan would continue.

Actual behaviour:

Scan is terminated.
Version/platform info

- Version of CVE-bin-tool (e.g. output of `cve-bin-tool --version`): 3.4.1
- Installed from pypi or github? GitHub
- Operating system: Linux
- Python version (e.g. `python3 --version`): 3.10.8
- Running in any particular CI environment we should know about? (e.g. Github Actions)

Anything else?

Feel free to add any other context here.
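The traceback shows that cve-bin-tool's `parse_version` refuses an empty or `"unknown"` version string, and that a single such component aborts the whole scan. Until the scanner skips these components itself, a pre-filter on the SBOM gives the same outcome while keeping the coverage gap visible: components with no usable version are set aside and listed rather than silently dropped. The following is an added example written for this page; it is not part of cve-bin-tool and does not call its API. The first sample component copies the shape of the failing component quoted above; the other sample components, the file-handling helper, and the extra placeholder markers `"n/a"` and `"none"` are assumptions of this example.

```python
"""Pre-filter a CycloneDX SBOM: report and set aside components whose
version is missing or a placeholder such as "UNKNOWN" before scanning.
Added example for this page; not cve-bin-tool code."""
import json
import sys

# Constructed sample SBOM (not the reporter's 1755972506.cdx.json).  The
# first entry mirrors the failing component quoted in the report; the rest
# are made up to exercise the missing-key and whitespace-only cases.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {
            "bom-ref": "pkg:maven/tools/tools?package-id=0cbc7253058df023",
            "type": "library",
            "name": "tools",
            "version": "UNKNOWN",
            "cpe": "cpe:2.3:a:tools:tools::::::::",
            "purl": "pkg:maven/tools/tools",
        },
        {
            "bom-ref": "pkg:pypi/requests@2.31.0",
            "type": "library",
            "name": "requests",
            "version": "2.31.0",
            "purl": "pkg:pypi/requests@2.31.0",
        },
        # No "version" key at all.
        {"bom-ref": "pkg:npm/lodash", "type": "library", "name": "lodash"},
        # Whitespace-only version.
        {"bom-ref": "pkg:npm/left-pad", "type": "library",
         "name": "left-pad", "version": "  "},
    ],
}

# Placeholders that carry no version information (compared after strip()
# and lower()).  "" and "unknown" match the parse_version check in the
# traceback; "n/a" and "none" are an assumption about other generators.
UNKNOWN_MARKERS = {"", "unknown", "n/a", "none"}


def has_usable_version(component):
    """True if the component carries a non-placeholder version string."""
    version = component.get("version")
    if not isinstance(version, str):
        return False
    return version.strip().lower() not in UNKNOWN_MARKERS


def filter_sbom(sbom):
    """Return (filtered_sbom, skipped_components) without modifying the input.

    The filtered copy keeps every top-level field and drops only the
    components that have no usable version.
    """
    usable, skipped = [], []
    for comp in sbom.get("components", []):
        (usable if has_usable_version(comp) else skipped).append(comp)
    filtered = dict(sbom)
    filtered["components"] = usable
    return filtered, skipped


def describe_skipped(skipped):
    """One line per skipped component, so the coverage gap stays auditable."""
    return [
        f"{c.get('name', '?')} ({c.get('purl') or c.get('bom-ref', 'no ref')}): "
        f"version={c.get('version')!r}"
        for c in skipped
    ]


def filter_sbom_file(src_path, dst_path):
    """Read a CycloneDX JSON file, write the filtered copy, return the skipped list."""
    with open(src_path, encoding="utf-8") as fh:
        sbom = json.load(fh)
    filtered, skipped = filter_sbom(sbom)
    with open(dst_path, "w", encoding="utf-8") as fh:
        json.dump(filtered, fh, indent=2)
    return skipped


if __name__ == "__main__":
    if len(sys.argv) == 3:
        skipped = filter_sbom_file(sys.argv[1], sys.argv[2])
    else:
        # No paths given: run on the constructed sample.
        _, skipped = filter_sbom(SAMPLE_SBOM)
    for line in describe_skipped(skipped):
        print("skipped:", line)
```

Run it as `python filter_sbom.py input.cdx.json filtered.cdx.json` and pass the filtered file to the scanner; the printed `skipped:` lines are the components that received no CVE lookup and should be recorded alongside the scan results.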