fix: check if 'type' is in severity for the OSV source #5240

Open: wants to merge 1 commit into base: main

sbunwired

Lately cve-bin-tool runs have been failing due to malformed (or outdated?) schemas in the OSV source. I'm constantly running into either `cve_bin_tool - Unable to fetch OSV CVEs, skipping OSV.` or

Full traceback
15:55:09  [13:55:04] INFO     cve_bin_tool - Getting Open Source         osv_source.py:161
15:55:09                      Vulnerability Database CVEs...                              
15:58:45  ╭───────────────────── Traceback (most recent call last) ──────────────────────╮
15:58:45  │ /tmp/workspace/.venv/bin/cve-bin-tool:8 in <module>     │
15:58:45  │                                                                              │
15:58:45  │   5 from cve_bin_tool.cli import main                                        │
15:58:45  │   6 if __name__ == '__main__':                                               │
15:58:45  │   7 │   sys.argv[0] = re.sub(r'(-script\.pyw|\.exe)?$', '', sys.argv[0])     │
15:58:45  │ ❱ 8 │   sys.exit(main())                                                     │
15:58:45  │   9                                                                          │
15:58:45  │                                                                              │
15:58:45  │ /tmp/workspace/.venv/lib/python3.10/site-packages/cve_b │
15:58:45  │ in_tool/cli.py:891 in main                                                   │
15:58:45  │                                                                              │
15:58:45  │    888 │                                                                     │
15:58:45  │    889 │   # update db if needed                                             │
15:58:45  │    890 │   if db_update != "never":                                          │
15:58:45  │ ❱  891 │   │   cvedb_orig.get_cvelist_if_stale()                             │
15:58:45  │    892 │   else:                                                             │
15:58:45  │    893 │   │   LOGGER.warning("Not verifying CVE DB cache")                  │
15:58:45  │    894 │   │   if not cvedb_orig.check_cve_entries():                        │
15:58:45  │                                                                              │
15:58:45  │ /tmp/workspace/.venv/lib/python3.10/site-packages/cve_b │
15:58:45  │ in_tool/cvedb.py:316 in get_cvelist_if_stale                                 │
15:58:45  │                                                                              │
15:58:45  │    313 │   │   │   datetime.datetime.today()                                 │
15:58:45  │    314 │   │   │   - datetime.datetime.fromtimestamp(self.dbpath.stat().st_m │
15:58:45  │    315 │   │   ) > datetime.timedelta(hours=24):                             │
15:58:45  │ ❱  316 │   │   │   self.refresh_cache_and_update_db()                        │
15:58:45  │    317 │   │   │   self.time_of_last_update = datetime.datetime.today()      │
15:58:45  │    318 │   │   else:                                                         │
15:58:45  │    319 │   │   │   _ = self.get_db_update_date()                             │
15:58:45  │                                                                              │
15:58:45  │ /tmp/workspace/.venv/lib/python3.10/site-packages/cve_b │
15:58:45  │ in_tool/cvedb.py:299 in refresh_cache_and_update_db                          │
15:58:45  │                                                                              │
15:58:45  │    296 │   │   """Refresh cached NVD and update CVE database with latest dat │
15:58:45  │    297 │   │   self.LOGGER.debug("Updating CVE data. This will take a few mi │
15:58:45  │    298 │   │   # refresh the nvd cache                                       │
15:58:45  │ ❱  299 │   │   run_coroutine(self.refresh())                                 │
15:58:45  │    300 │   │                                                                 │
15:58:45  │    301 │   │   # if the database isn't open, open it                         │
15:58:45  │    302 │   │   self.init_database()                                          │
15:58:45  │                                                                              │
15:58:45  │ /tmp/workspace/.venv/lib/python3.10/site-packages/cve_b │
15:58:45  │ in_tool/async_utils.py:90 in run_coroutine                                   │
15:58:45  │                                                                              │
15:58:45  │    87 │   """                                                                │
15:58:45  │    88 │   loop = get_event_loop()                                            │
15:58:45  │    89 │   aws = asyncio.ensure_future(coro, loop=loop)                       │
15:58:45  │ ❱  90 │   result = loop.run_until_complete(aws)                              │
15:58:45  │    91 │   return result                                                      │
15:58:45  │    92                                                                        │
15:58:45  │    93                                                                        │
15:58:45  │                                                                              │
15:58:45  │ /usr/lib/python3.10/asyncio/base_events.py:649 in run_until_complete         │
15:58:45  │                                                                              │
15:58:45  │    646 │   │   if not future.done():                                         │
15:58:45  │    647 │   │   │   raise RuntimeError('Event loop stopped before Future comp │
15:58:45  │    648 │   │                                                                 │
15:58:45  │ ❱  649 │   │   return future.result()                                        │
15:58:45  │    650 │                                                                     │
15:58:45  │    651 │   def stop(self):                                                   │
15:58:45  │    652 │   │   """Stop running the event loop.                               │
15:58:45  │                                                                              │
15:58:45  │ /tmp/workspace/.venv/lib/python3.10/site-packages/cve_b │
15:58:45  │ in_tool/cvedb.py:293 in refresh                                              │
15:58:45  │                                                                              │
15:58:45  │    290 │   │   if self.version_check:                                        │
15:58:45  │    291 │   │   │   check_latest_version()                                    │
15:58:45  │    292 │   │                                                                 │
15:58:45  │ ❱  293 │   │   await self.get_data()                                         │
15:58:45  │    294 │                                                                     │
15:58:45  │    295 │   def refresh_cache_and_update_db(self) -> None:                    │
15:58:45  │    296 │   │   """Refresh cached NVD and update CVE database with latest dat │
15:58:45  │                                                                              │
15:58:45  │ /tmp/workspace/.venv/lib/python3.10/site-packages/cve_b │
15:58:45  │ in_tool/cvedb.py:403 in get_data                                             │
15:58:45  │                                                                              │
15:58:45  │    400 │   │   │   if source is not None:                                    │
15:58:45  │    401 │   │   │   │   tasks.append(source.get_cve_data())                   │
15:58:45  │    402 │   │                                                                 │
15:58:45  │ ❱  403 │   │   for r in await asyncio.gather(*tasks):                        │
15:58:45  │    404 │   │   │   self.data.append(r)                                       │
15:58:45  │    405 │                                                                     │
15:58:45  │    406 │   def init_database(self) -> None:                                  │
15:58:45  │                                                                              │
15:58:45  │ /tmp/workspace/.venv/lib/python3.10/site-packages/cve_b │
15:58:45  │ in_tool/data_sources/osv_source.py:375 in get_cve_data                       │
15:58:45  │                                                                              │
15:58:45  │   372 │   │                                                                  │
15:58:45  │   373 │   │   await self.update_cve_entries()                                │
15:58:45  │   374 │   │                                                                  │
15:58:45  │ ❱ 375 │   │   return self.format_data(self.all_cve_entries), self.source_nam │
15:58:45  │   376                                                                        │
15:58:45  │                                                                              │
15:58:45  │ /tmp/workspace/.venv/lib/python3.10/site-packages/cve_b │
15:58:45  │ in_tool/data_sources/osv_source.py:260 in format_data                        │
15:58:45  │                                                                              │
15:58:45  │   257 │   │   │                                                              │
15:58:45  │   258 │   │   │   # getting score                                            │
15:58:45  │   259 │   │   │   # OSV Schema currently only provides CVSS V3 scores, thoug │
15:58:45  │ ❱ 260 │   │   │   if severity is not None and "CVSS_V3" in [x["type"] for x  │
15:58:45  │   261 │   │   │   │   try:                                                   │
15:58:45  │   262 │   │   │   │   │   # Ensure CVSS vector is valid                      │
15:58:45  │   263 │   │   │   │   │   if severity[0]["score"].endswith("/"):             │
15:58:45  │                                                                              │
15:58:45  │ /tmp/workspace/.venv/lib/python3.10/site-packages/cve_b │
15:58:45  │ in_tool/data_sources/osv_source.py:260 in <listcomp>                         │
15:58:45  │                                                                              │
15:58:45  │   257 │   │   │                                                              │
15:58:45  │   258 │   │   │   # getting score                                            │
15:58:45  │   259 │   │   │   # OSV Schema currently only provides CVSS V3 scores, thoug │
15:58:45  │ ❱ 260 │   │   │   if severity is not None and "CVSS_V3" in [x["type"] for x  │
15:58:45  │   261 │   │   │   │   try:                                                   │
15:58:45  │   262 │   │   │   │   │   # Ensure CVSS vector is valid                      │
15:58:45  │   263 │   │   │   │   │   if severity[0]["score"].endswith("/"):             │
15:58:45  ╰──────────────────────────────────────────────────────────────────────────────╯
15:58:45  KeyError: 'type'

This aims to work around the issue by checking first for the 'type' key to avoid running into an exception.
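
An added example, not code from cve-bin-tool or from this pull request: one way to read the `severity` list seen in the traceback defensively, so that an entry without `type` is skipped instead of raising, and the `CVSS_V3` entry is selected by type rather than by position 0. The function names, the sample records and the trailing-slash handling are assumptions.

```python
from typing import Any, Optional

# Constructed sample records (not real OSV entries); "severity" follows the
# list-of-{"type", "score"} shape that line 260 in the traceback iterates over.
SAMPLE_RECORDS = [
    {"id": "EXAMPLE-0001", "severity": [
        {"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]},
    {"id": "EXAMPLE-0002", "severity": [{"score": "7.5"}]},  # no "type" key
    {"id": "EXAMPLE-0003", "severity": [
        {"type": "CVSS_V2", "score": "AV:N/AC:L/Au:N/C:P/I:P/A:P"},
        {"type": "CVSS_V3", "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/"}]},
    {"id": "EXAMPLE-0004", "severity": None},
    {"id": "EXAMPLE-0005", "severity": ["HIGH", {"type": "CVSS_V3"}]},  # wrong shapes
    {"id": "EXAMPLE-0006"},  # no "severity" at all
]


def cvss_v3_vector(severity: Any) -> Optional[str]:
    """Return the first usable CVSS_V3 vector from a severity list, else None."""
    if not isinstance(severity, list):
        return None
    for entry in severity:
        # .get() instead of entry["type"]: a missing key is skipped, not raised.
        if not isinstance(entry, dict) or entry.get("type") != "CVSS_V3":
            continue
        score = entry.get("score")
        if isinstance(score, str) and score.startswith("CVSS:3"):
            # Assumption: a trailing "/" is dropped rather than rejected.
            return score.rstrip("/")
    return None


def summarize(records: list) -> dict:
    """Map record id -> vector or None without aborting on a malformed record."""
    return {r.get("id"): cvss_v3_vector(r.get("severity")) for r in records}


if __name__ == "__main__":
    for rec_id, vector in summarize(SAMPLE_RECORDS).items():
        print(rec_id, vector or "no usable CVSS v3 score")
```

With this shape, one malformed record costs only its own score; the rest of the database update still completes.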

@captainreality
Contributor

This seems to fix the problem in #5241.
