Move to requirements.txt; update dependencies; partial update for NIS…

…T NVD CPE API (2.0)
mo-5 · Jul 6, 2024 · aa96aa3 · aa96aa3
1 parent 7ab023d
commit aa96aa3
Show file tree

Hide file tree

Showing 38 changed files with 241 additions and 1,568 deletions.
diff --git a/.coveragerc b/.coveragerc
@@ -1,3 +1,6 @@
 [run]
-omit = 
- *tests*
+source = ddssa
+omit = ddssa/tests
+
+[report]
+fail_under = 36
diff --git a/.github/workflows/build-and-verify.yaml b/.github/workflows/build-and-verify.yaml
@@ -0,0 +1,25 @@
+name: Build and verify
+
+on: push
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Set up Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: 3.12
+ cache: pip
+ - run: pip install -r requirements.txt -r requirements-dev.txt
+
+ - name: Formatting check [black]
+ run: black --check .
+
+ - name: Linting check [pylint]
+ run: pylint ddssa
+
+ - name: Run tests
+ run: pytest
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
diff --git a/README.md b/README.md
@@ -7,31 +7,27 @@ This project provides a software security assessment tool using a data-driven ap
 ### Tools
 
 - Code editor: [VSCode](https://code.visualstudio.com/)
-- Python: [3.9+](https://www.python.org/downloads/)
-- Python package manager: [Poetry](https://www.python-poetry.org/)
+- Python: [3.12](https://www.python.org/downloads/)
 - GUI design: [Qt Designer](https://build-system.fman.io/qt-designer-download)
 
 ### Getting Started
 
 1. Clone the repository
 
-2. Poetry
+2. Create and activate a virtual environemnt
 
- 1. Install poetry: [instructions](https://python-poetry.org/docs/#installation)
- 2. Add the poetry path to your environment variables after installation
- 3. Run `poetry install` in the project's root directory
- 4. To activate the project's virtual environment, run `poetry shell`
+ 1. `python -m venv venv`
+ 2. * `source venv/bin/activate` (Unix)
+ * `venv\Scripts\activate` (Windows, Command prompt)
+ * `venv\Scripts\Activate.ps1` (Windows, PowerShell)
+ 3. `pip install --upgrade pip`
+ 4. `pip install -r requirements.txt -r requirements-dev.txt` OR `pip install -e ".[dev]"` (to install from `setup.py`)
 
 3. To use the GUI, run the following from the project's root directory:
 
- ```bash
- poetry run python ./ddssa/frontend/ui.py
- ```
- If the Poetry virtual environment is active, this simplifies to:
  ```bash
  python ./ddssa/frontend/ui.py
  ```
- Further instructions will assume that the Poetry virtual environment is active.
 
 4. To use the CLI, run the following command from the project's root directory:
  ```bash
@@ -43,6 +39,8 @@ This project provides a software security assessment tool using a data-driven ap
  ```
 5. To make changes to the user interface, open the [main.ui](./ddssa/frontend/main.ui) in Qt Designer. To synchronize changes to the Python GUI file run `pyuic5 -o ./ddssa/frontend/main.py ./ddssa/frontend/main.ui`.
 
+5. To run tests: `pytest`
+
 6. To make changes to the code, open the project's root directory in VSCode.
 
 ### Additional Tools

diff --git a/ddssa/backend/api/vulnerability_query.py b/ddssa/backend/api/vulnerability_query.py
@@ -1,4 +1,5 @@
 """This module contains the Vulnerability Query class"""
+
 from time import sleep
 
 import numpy as np
@@ -40,7 +41,7 @@ class VulnerabilityQuery:
  _solutions = []
  _summaries = []
  _cvss = CVESearch("https://cve.circl.lu")
- _url = "https://services.nvd.nist.gov/rest/json/cpes/1.0/"
+ _url = "https://services.nvd.nist.gov/rest/json/cpes/2.0/"
 
  def __init__(self, api_key=None):
  self._api_key = api_key
@@ -69,11 +70,9 @@ def query(self, df):
  # Determine the keyword for the query
  keyword = self._determine_keyword(col_data.values)
  default_params = {
- "addOns": "cves",
- "keyword": keyword,
- "resultsPerPage": 2000,
+ "keywordSearch": keyword,
+ "resultsPerPage": 20,
  "startIndex": 0,
- "includeDeprecated": "true",
  }
 
  # Add the API key if exists

diff --git a/ddssa/backend/cst/ast_coordinator.py b/ddssa/backend/cst/ast_coordinator.py
@@ -1,6 +1,5 @@
 """This module contains the ASTCoordinator class"""
 
-
 import ast
 
 from ddssa.backend.cst.cst_supplier import CSTSupplier

diff --git a/ddssa/backend/cst/cst_supplier.py b/ddssa/backend/cst/cst_supplier.py
@@ -1,6 +1,5 @@
 """This module contains the CSTSupplier class"""
 
-
 import ast
 import libcst
 import os

diff --git a/ddssa/backend/metrics/stall_visitor.py b/ddssa/backend/metrics/stall_visitor.py
@@ -1,6 +1,5 @@
 """This module contains the StallVisitor class"""
 
-
 import libcst
 
 

diff --git a/ddssa/backend/parsing/package_ids.py b/ddssa/backend/parsing/package_ids.py
@@ -1,6 +1,5 @@
 """This module contains the PackageIds enum class"""
 
-
 from enum import Enum
 
 

diff --git a/ddssa/backend/parsing/package_supplier.py b/ddssa/backend/parsing/package_supplier.py
@@ -1,4 +1,5 @@
 """ This module contains the PackageSupplier class"""
+
 from ddssa.backend.api.vulnerability_aggregator import (
  VulnerabilityAggregator,
 )

diff --git a/ddssa/backend/parsing/pip_parser.py b/ddssa/backend/parsing/pip_parser.py
@@ -1,6 +1,5 @@
 """This module contains the PipParser class"""
 
-
 from dparse import parse, filetypes
 from ddssa.backend.parsing.package_parser import PackageParser
 

diff --git a/ddssa/backend/parsing/poetry_lock_parser.py b/ddssa/backend/parsing/poetry_lock_parser.py
@@ -1,6 +1,5 @@
 """This module contains the PoetryLockParser class"""
 
-
 import tomli
 
 from ddssa.backend.parsing.package_ids import PackageIds

diff --git a/ddssa/backend/parsing/pyproject_parser.py b/ddssa/backend/parsing/pyproject_parser.py
@@ -1,6 +1,5 @@
 """"This module contians the PyProjectParser class"""
 
-
 import tomli
 
 from ddssa.backend.parsing.package_parser import PackageParser

diff --git a/ddssa/backend/parsing/req_parser.py b/ddssa/backend/parsing/req_parser.py
@@ -1,6 +1,5 @@
 """This module contains the RequirementsParser class"""
 
-
 import pkg_resources
 
 from ddssa.backend.parsing.package_parser import PackageParser
@@ -17,7 +16,7 @@ def parse_packages(self):
  try:
  for i, req in enumerate(f.readlines()):
  self.basic_req_parse(i, req)
- except pkg_resources.packaging.requirements.InvalidRequirement as e:
+ except pkg_resources._vendor.packaging.requirements.InvalidRequirement as e:
  raise RuntimeError(
  "requirements.txt file contains an unknown requirement"
  ) from e

diff --git a/ddssa/backend/parsing/setup_parser.py b/ddssa/backend/parsing/setup_parser.py
@@ -1,6 +1,5 @@
 """This module contains the SetupParser class"""
 
-
 import configparser
 import os
 import sys

diff --git a/ddssa/frontend/ddssa.py b/ddssa/frontend/ddssa.py
@@ -1,6 +1,5 @@
 """This module contains the DDSSA class and a main method"""
 
-
 import argparse
 import concurrent.futures
 import os

diff --git a/ddssa/frontend/loading.py b/ddssa/frontend/loading.py
@@ -1,6 +1,5 @@
 """This module contains the LoadingScreen class"""
 
-
 import os
 from PyQt5 import QtGui, QtCore
 from PyQt5.QtWidgets import (

diff --git a/ddssa/tests/schemas/cpe_api_json_2.0.schema.json b/ddssa/tests/schemas/cpe_api_json_2.0.schema.json
@@ -0,0 +1,113 @@
+{
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "title": "JSON Schema for NVD Common Product Enumeration (CPE) API version 2.0",
+ "$id": "https://csrc.nist.gov/schema/nvd/api/2.0/cpe_api_json_2.0.schema",
+ "definitions": {
+ "defTitle": {
+ "description": "Human readable title for CPE",
+ "type": "object",
+ "properties": {
+ "title": {"type": "string"},
+ "lang": {"type": "string"}
+ },
+ "required": ["title", "lang"],
+ "additionalProperties": false
+ },
+ "defReference": {
+ "description": "Internet resource for CPE",
+ "type": "object",
+ "properties": {
+ "ref": {
+ "type": "string",
+ "pattern": "^([A-Za-z][A-Za-z0-9+.-]+):(\\/\\/([^@]+@)?([A-Za-z0-9.\\-_~]+)(:\\d+)?)?((?:[A-Za-z0-9-._~]|%[A-Fa-f0-9]|[!$&'\\[\\]()*+,;=:@])+(?:\\/(?:[A-Za-z0-9-._~]|%[A-Fa-f0-9]|[!$&'\\[\\]()*+,;=:@])*)*|(?:\\/(?:[A-Za-z0-9-._~]|%[A-Fa-f0-9]|[!$&'()*+,;=:@])+)*)?(\\?(?:[A-Za-z0-9-._~]|%[A-Fa-f0-9]|[!$&'\\[\\]()*+,;=:@]|[/?])*)?(\\#(?:[A-Za-z0-9-._~]|%[A-Fa-f0-9]|[!$&'\\[\\]()*+,;=:@]|[/?])*)?$"
+ },
+ "type": {
+ "type": "string",
+ "enum": [
+ "Advisory",
+ "Change Log",
+ "Product",
+ "Project",
+ "Vendor",
+ "Version"
+ ]
+ }
+ },
+ "required": ["ref"],
+ "additionalProperties": false
+ },
+
+ "defCpe": {
+ "type": "object",
+ "properties": {
+ "cpe": {
+ "type": "object",
+ "properties": {
+ "deprecated" : {"type" : "boolean"},
+ "cpeName": {"type": "string"},
+ "cpeNameId": {"type": "string", "format": "uuid"},
+ "created": {"type": "string", "format": "date-time"},
+ "lastModified": {"type": "string", "format": "date-time"},
+ "titles": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/defTitle"}
+ },
+ "refs": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/defReference"}
+ },
+ "deprecatedBy": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "cpeName": {"type": "string"},
+ "cpeNameId": {"type": "string", "format": "uuid"}
+ }
+ }
+ },
+ "deprecates": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "cpeName": {"type": "string"},
+ "cpeNameId": {"type": "string", "format": "uuid"}
+ }
+ }
+ }
+ },
+ "required": ["cpeName", "cpeNameId", "deprecated", "lastModified", "created"],
+ "additionalProperties": false
+ }
+ },
+ "required": ["cpe"],
+ "additionalProperties": false
+ }
+
+ },
+ "type": "object",
+ "properties": {
+ "resultsPerPage": {"type": "integer"},
+ "startIndex": {"type": "integer"},
+ "totalResults": {"type": "integer"},
+ "format": {"type": "string"},
+ "version": {"type": "string"},
+ "timestamp": {"type": "string", "format": "date-time"},
+ "products": {
+ "description": "NVD feed array of CPE",
+ "type": "array",
+ "items": {"$ref": "#/definitions/defCpe"}
+ }
+ },
+ "required": [
+ "resultsPerPage",
+ "startIndex",
+ "totalResults",
+ "format",
+ "version",
+ "timestamp",
+ "products"
+ ],
+ "additionalProperties": false
+}