
1# -*- coding: utf-8 -*- 

2# SPDX-License-Identifier: GPL-2.0-only 

3 

4import pathlib 

5from collections.abc import Generator 

6 

7from ..cve_db.annot_aggregate import AggregateAnnotEntry 

8from ..sbom.component import CompBuild 

9from ..sbom.sbom_base import Sbom 

10from ..sbom.sbom_spdx3 import Spdx3Sbom 

11from ..vuln.cve import CveInfo, CveVexRejectedAssessment 

12from .export_base import BaseExport 

13from .registry import register_export 

14 

15 

@register_export("spdx3")
class Spdx3Export(BaseExport):
    """
    Write the aggregated CVE data back into an SPDX3 document.

    Only an SPDX3 SBOM can be used as input: the parsed document is modified
    in place (vulnerability elements, generation tools) and then serialised
    to ``out_path``.
    """

    def __init__(self, sbom: Sbom, out_path: pathlib.Path) -> None:
        """
        Bind the exporter to *sbom* and the destination *out_path*.

        :raises NotImplementedError: when the parsed SBOM is not an
            ``Spdx3Sbom``; the writer below relies on Spdx3Sbom-specific
            methods, so other SBOM flavours are refused up front.
        """
        super().__init__(sbom, out_path)
        if isinstance(self._sbom, Spdx3Sbom):
            return
        raise NotImplementedError(
            "Export to SPDX3 is only supported with SPDX3 input file"
        )

    def start_export(self) -> Generator[None, None, None]:
        """
        Drive one export run as a generator.

        Before the single ``yield`` the SBOM's generation-tool metadata is
        refreshed; the caller then feeds per-component data through
        :meth:`export_comp_info` and, on resuming this generator, the
        document is written to ``self._out_path``.
        """
        self._sbom.update_sbom_generation_tools()
        yield
        self._sbom.write_to_file(self._out_path)

    def _cleanup_filtered_cve(self, annotation: AggregateAnnotEntry) -> None:
        """
        Remove a filtered CVE from the document when its VEX status is rejected.

        Only a ``CveVexRejectedAssessment`` triggers removal, and it removes
        every vulnerability element carrying that CVE identifier; a filtered
        entry with any other assessment is left untouched in the SBOM.
        """
        rejected = isinstance(
            annotation.vex_assessment, CveVexRejectedAssessment
        )
        if not rejected:
            return
        self._sbom.remove_all_cve_vulnerability(annotation.identifier)

    @staticmethod
    def _build_cve_info(annotation: AggregateAnnotEntry) -> CveInfo:
        """
        Flatten an aggregated annotation into a ``CveInfo`` record.

        CVSS metrics are grouped by ``cvss_ver`` and only the first metric of
        each group is kept, groups ordered by the ``.value`` of their version
        key; external references are sorted so the output is stable.
        """
        grouped = annotation.group_cvss_metrics(key=lambda m: m.cvss_ver)
        by_version = sorted(grouped.items(), key=lambda item: item[0].value)
        # noinspection PyTypeChecker
        references = sorted(annotation.external_refs)
        return CveInfo(
            cve_id=annotation.identifier,
            date_published=annotation.date_published,
            date_modified=annotation.date_modified,
            description=annotation.description,
            cvss_metrics=[group[0] for _, group in by_version],
            references=references,
            vex_assessment=annotation.vex_assessment,
        )

    def _attach_cve_info(self, comp_build: CompBuild, cve_info: CveInfo) -> None:
        """
        Record *cve_info* on every component selected for *comp_build*.

        ``update_vuln_info`` is True only for the first component and False
        for the others — presumably so the shared vulnerability element is
        refreshed once; the flag's exact effect lives in the component class.
        """
        for index, comp in enumerate(self._filter_components(comp_build)):
            comp.add_cve_vulnerability(cve_info, update_vuln_info=index == 0)

    def export_comp_info(
        self, comp_build: CompBuild
    ) -> Generator[None, tuple[bool, AggregateAnnotEntry], None]:
        """
        Consume ``(is_filtered, annotation)`` pairs sent by the caller.

        The generator never finishes on its own: each ``send()`` delivers one
        aggregated CVE annotation. Filtered entries go to
        :meth:`_cleanup_filtered_cve`; all others are converted to ``CveInfo``
        and attached to the components matched by *comp_build*.
        """
        while True:
            is_filtered, annotation = yield
            if is_filtered:
                self._cleanup_filtered_cve(annotation)
            else:
                cve_info = self._build_cve_info(annotation)
                self._attach_cve_info(comp_build, cve_info)