docs: mismatch_loader #4245

Merged, 4 commits, Jul 8, 2024
2 changes: 2 additions & 0 deletions .github/actions/spelling/allow.txt
Expand Up @@ -175,6 +175,7 @@ expat
Exploitablity
f
faad
facebook
fastd
fde
fedora
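Review bot: the new `facebook` entry sits in correct sorted position between `faad` and `fastd`, and it only exists to let the vendor name used in the new `mismatch_relations.yml` and in `doc/mismatch_data.md` pass the spelling check; keep it lowercase so it matches the `invalid_vendors` value exactly rather than introducing a capitalised variant that the checker would treat as a separate word.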
Expand Down Expand Up @@ -431,6 +432,7 @@ mysql
Mystylesheet
MYUSERNAME
namespaces
namespace
nano
nasm
nbd
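Review bot: `namespace` is inserted directly before the existing `namespaces` entry, so ordering is preserved; the word is needed only for the `namespace/product_name/mismatch_relations.yml` path in the new doc, which is a reasonable reason to allow it, but if the allow list in this repo matches stems then the entry may be redundant and can be dropped later without harm.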
4 changes: 4 additions & 0 deletions data/pypi/zstandard/mismatch_relations.yml
@@ -0,0 +1,4 @@
purls:
- pkg:pypi/zstandard
invalid_vendors:
- facebook
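Review bot: the file defines the first instance of the new schema (`purls:` list plus `invalid_vendors:` list) with no comment or schema marker; a one-line leading comment pointing at `doc/mismatch_data.md` would help contributors who copy this file as a template know which keys are expected. It is also worth deciding now whether vendor names are normalised (for example lowercased) before they are stored, so that `facebook` here is compared consistently with however the vendor string appears in the vulnerability data being loaded.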
1 change: 1 addition & 0 deletions doc/index.rst
Expand Up @@ -24,6 +24,7 @@ The CVE Binary Tool helps you determine if your system includes known vulnerabil
sboms_for_humans/README.md
new-contributor-tips.md
pypi_downloads.md
mismatch_data.md

Indices and tables
==================
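Review bot: the toctree entry `mismatch_data.md` follows the same bare-filename convention as `pypi_downloads.md` and the other Markdown entries above it, and it is placed at the end of the list, which is consistent; nothing further needed here as long as the file lands in `doc/`.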
47 changes: 47 additions & 0 deletions doc/mismatch_data.md
@@ -0,0 +1,47 @@
# Adding data to mismatch database

CVE Binary Tool uses a number of sources for vulnerability and risk data. Sometimes these can produce name collision, and to tackle this we've created a `mismatch`
database.

This document details the steps for adding data to the mismatch database.

## 1. Update `data/` directory

1. Make a new file with `namespace/product_name/mismatch_relations.yml` name under the `data/` directory. For example, `pypi/zstandard/mismatch_relations.yml` for zstandard
from pypi namespace.
2. Populate the file with `purl-invalid_vendor` information.

```yml
purls:
- pkg:pypi/zstandard
invalid_vendors:
- facebook
```

## 2. Run the populator script

The [`mismatch_loader`](../cve_bin_tool/mismatch_loader.py) script populates the the mismatch database with the contents of `data/` directory.

```python
python -m cve_bin_tool.mismatch_loader
```

The default directory is `data/`, and default database file is `cve.db`.

To use a specific directory, use `--dir` flag:
```python
python -m cve_bin_tool.mismatch_loader --dir directory_location
```

To use a specific database file, use `--database` flag:
```python
python -m cve_bin_tool.mismatch_loader --database database_file_location
```

## 3. (optional) Make pull request of new-found name collision

If you find invalid relationship, please do following:

- Fork the [repo](https://github.com/intel/cve-bin-tool)
- Update the `data/` directory with purl-invalid_vendor information like [this](../data/pypi/zstandard/mismatch_relations.yml)
- Create a pull request with the details of update. [Reference](https://github.com/intel/cve-bin-tool/pull/4239)
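Review bot: the three command blocks in section 2 are fenced as ```python but contain shell invocations (`python -m cve_bin_tool.mismatch_loader`, `... --dir directory_location`, `... --database database_file_location`); tag them ```bash or ```console so they render and are checked as shell rather than Python. Smaller fixes in the same file: "populates the the mismatch database" has a doubled "the"; the `--dir` and `--database` paragraphs have no blank line before their fences, which some Markdown renderers require; and the heading "Make pull request of new-found name collision" reads better as "Open a pull request for a newly found name collision". Since the default database is `cve.db`, the same file the scanner uses, it would also help to state whether re-running the loader replaces existing mismatch rows or appends to them, because running it repeatedly against one database is the common case.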