Include vendor for npm

Prabhu Subramanian · Prabhu Subramanian · commit ffba91c275da · 2020-07-24T21:59:16.000+01:00
diff --git a/setup.py b/setup.py
@@ -5,7 +5,7 @@
 
 setuptools.setup(
     name="appthreat-vulnerability-db",
-    version="1.4.3",
+    version="1.4.4",
     author="Team AppThreat",
     author_email="cloud@appthreat.com",
     description="AppThreat's vulnerability database and package search library with a built-in file based storage. CVE, GitHub, npm are the primary sources of vulnerabilities.",
diff --git a/vdb/cli.py b/vdb/cli.py
@@ -78,6 +78,11 @@ def build_args():
         dest="search",
         help="Search for package and version in the database. Use colon to separate package and version. Use comma to specify multiple values. Eg: android:8.0",
     )
+    parser.add_argument(
+        "--search-npm",
+        dest="search_npm",
+        help="Search for package and version in the database. Use colon to separate package and version. Use comma to specify multiple values. Eg: android:8.0",
+    )
     parser.add_argument(
         "--list",
         action="store_true",
@@ -158,6 +163,10 @@ def main():
         for s in [GitHubSource()]:
             LOG.info("Syncing {}".format(s.__class__.__name__))
             s.download_recent()
+    if args.search_npm:
+        source = NpmSource()
+        results = source.bulk_search(config.npm_app_info, [args.search_npm])
+        print_results(results)
     if args.list:
         db = dbLib.get()
         results = dbLib.list_all_occurrence(db)
diff --git a/vdb/lib/config.py b/vdb/lib/config.py
@@ -31,6 +31,8 @@
 npm_audit_url = npm_server + "/-/npm/v1/security/audits"
 npm_advisories_url = npm_server + "/-/npm/v1/security/advisories"
 
+npm_app_info = {"name": "appthreat-vdb", "version": "1.0.0"}
+
 CVE_TPL = """
 {"cve":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"%(cve_id)s","ASSIGNER":"%(assigner)s"},"problemtype":{"problemtype_data":[{"description":[{"lang":"en","value":"%(cwe_id)s"}]}]},"references":{"reference_data": %(references)s},"description":{"description_data":[{"lang":"en","value":"%(description)s"}]}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:%(vendor)s:%(product)s:%(version)s:*:*:*:*:*:*:*","versionStartExcluding":"%(version_start_excluding)s","versionEndExcluding":"%(version_end_excluding)s","versionStartIncluding":"%(version_start_including)s","versionEndIncluding":"%(version_end_including)s"}, {"vulnerable":false,"cpe23Uri":"cpe:2.3:a:%(vendor)s:%(product)s:%(fix_version_start_including)s:*:*:*:*:*:*:*","versionStartExcluding":"%(fix_version_start_excluding)s","versionEndExcluding":"%(fix_version_end_excluding)s","versionStartIncluding":"%(fix_version_start_including)s","versionEndIncluding":"%(fix_version_end_including)s"}]}]},"impact":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"%(vectorString)s","attackVector":"NETWORK","attackComplexity":"%(attackComplexity)s","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"%(severity)s","integrityImpact":"%(severity)s","availabilityImpact":"%(severity)s","baseScore":%(score).1f,"baseSeverity":"%(severity)s"},"exploitabilityScore":%(exploitabilityScore).1f,"impactScore":%(score).1f},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":%(score).1f},"severity":"%(severity)s","exploitabilityScore":%(exploitabilityScore).1f,"impactScore":%(score).1f,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"publishedDate":"%(publishedDate)s","lastModifiedDate":"%(lastModifiedDate)s"}
 """
diff --git a/vdb/lib/npm.py b/vdb/lib/npm.py
@@ -40,15 +40,22 @@ def bulk_search(self, app_info, pkg_list):
         requires = {}
         dependencies = {}
         for pkg in pkg_list:
+            vendor = None
             if isinstance(pkg, dict):
+                vendor = pkg.get("vendor")
                 name = pkg.get("name")
                 version = pkg.get("version")
             else:
                 tmpA = pkg.split("|")
                 version = tmpA[len(tmpA) - 1]
                 name = tmpA[len(tmpA) - 2]
-            requires[name] = version
-            dependencies[name] = {"version": version}
+                if len(tmpA) == 3:
+                    vendor = tmpA[0]
+            key = name
+            if vendor:
+                key = f"{vendor}/{name}"
+            requires[key] = version
+            dependencies[key] = {"version": version}
         payload["requires"] = requires
         payload["dependencies"] = dependencies
         return convert_to_occurrence(serialize_vuln_list(self.fetch(payload)))
@@ -148,10 +155,11 @@ def convert(self, adv_data):
             for d in adv_data:
                 self.to_vuln(d, ret_data)
         else:
-            for k, v in adv_data.get("advisories").items():
-                if v["deleted"]:
-                    continue
-                self.to_vuln(v, ret_data)
+            if adv_data.get("advisories"):
+                for k, v in adv_data.get("advisories").items():
+                    if v["deleted"]:
+                        continue
+                    self.to_vuln(v, ret_data)
         return ret_data
 
     def to_vuln(self, v, ret_data):
