Fix issue with lib4sbom

tgagneret-embedded · tgagneret-embedded · commit 06953210636e · 2024-01-24T13:53:43.000+01:00
lib4sbom always set cpe as version 2.3 even if it's 2.2. For now, we check that CPE begins with "cpe:2.3" before parsing it anthonyharrison/lib4sbom#28
diff --git a/cve_bin_tool/sbom_manager/__init__.py b/cve_bin_tool/sbom_manager/__init__.py
@@ -44,7 +44,7 @@ def __init__(
         # Connect to the database
         self.cvedb = CVEDB(version_check=False)
 
-    def _extract_info_from_cpe(self, cpe: str):
+    def _extract_info_from_cpe23(self, cpe: str):
         cpe_parser = CpeParser()
         result = cpe_parser.parser(cpe)
         return result["product"], result["version"]
@@ -133,11 +133,13 @@ def parse_sbom(self):
                             modules.append([purl_info["name"], purl_info["version"]])
                             extra_id_found = True
                     elif ref[1] == "cpe23Type":
-                        package_name, package_version = self._extract_info_from_cpe(
-                            ref[2]
-                        )
-                        modules.append([package_name, package_version])
-                        extra_id_found = True
+                        # https://github.com/anthonyharrison/lib4sbom/issues/28
+                        if ref[2].startswith("cpe:2.3"):
+                            package_name, package_version = self._extract_info_from_cpe23(
+                                ref[2]
+                            )
+                            modules.append([package_name, package_version])
+                            extra_id_found = True
             if not extra_id_found:
                 if package.get("version") is not None:
                     modules.append([package["name"], package["version"]])
