8000 fix an issue where vulnerabilities were missed due to case sensitivity by chisaka12 · Pull Request #814 · nttcom/threatconnectome · GitHub

fix an issue where vulnerabilities were missed due to case sensitivity #814


Conversation

chisaka12 (Collaborator) commented Jul 3, 2025

Purpose of the PR

  • Before the artifact_key is generated during SBOM analysis, apply the .casehold() method to name, ecosystem, source_name and package_manager so that they are unified to lowercase
  • Added a unit test to api/app/tests/unittests/test_trivy_cdx_parser.py
    • test_it_should_lowercase_package_name_and_ecosystem_from_sbom_pyjwt
      • Confirms that, in the SBOM parsing step, package names and ecosystem names are lowercased regardless of their original casing
      • Confirms that dependencies are correctly extracted and generated
      • Confirms that Artifacts are generated as specified

Note: investigating how escape characters are handled when interpreting purls at SBOM ingestion will be addressed in a separate PR

Background, intent and decisions

  • Some pypi packages in the SBOM file misp-cyclonedx.json had vulnerabilities that were not being detected (see the supplementary notes)
    • Because file parsing at SBOM ingestion treated names that differ only in case as distinct

Supplementary notes

  • Result of running the trivy sbom command against misp-cyclonedx.json before the fix
    • Library containing the vulnerability -> PyJWT (PKG-INFO)
    • Installed version detected in the SBOM -> 1.5.3, 1.7.1, 2.3.0
    • Fixed Version -> 2.4.0
    • Included vulnerability -> CVE-2022-29217
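The miss described in this PR, as an added example that is not code from the PR or from the threatconnectome project: a minimal parser for CycloneDX components that builds the (ecosystem, name) lookup key with and without the lowercase normalization, run against a constructed SBOM fragment and a hypothetical vulnerability index. The purl layout handled, the use of the PackageInfo fields, the "pip" package manager value and the key format are assumptions.

```python
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed CycloneDX fragment (not the PR's misp-cyclonedx.json); the
# component keeps PyPI's display casing "PyJWT", as real SBOMs often do.
SBOM_JSON = """{"components": [
  {"type": "library", "name": "PyJWT", "version": "1.5.3", "purl": "pkg:pypi/PyJWT@1.5.3"},
  {"type": "library", "name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"}
]}"""
# Hypothetical vulnerability index keyed by (ecosystem, name), stored lowercase.
VULN_INDEX = {("pypi", "pyjwt"): "CVE-2022-29217"}

@dataclass(frozen=True)
class PackageInfo:  # the four fields the PR normalizes; their use here is assumed
    name: str
    ecosystem: str
    source_name: Optional[str]
    package_manager: str


def normalize(info: PackageInfo) -> PackageInfo:
    """Casefold every field that feeds the artifact key (the PR's fix)."""
    return PackageInfo(
        name=info.name.casefold(),
        ecosystem=info.ecosystem.casefold(),
        source_name=info.source_name.casefold() if info.source_name else None,
        package_manager=info.package_manager.casefold(),
    )


def parse_components(sbom_json: str, fix: bool) -> List[PackageInfo]:
    """Read each purl as pkg:<type>/<name>@<version> (no namespace or percent
    escapes; the PR defers those). fix=False is the pre-fix, case-sensitive path."""
    infos = []
    for comp in json.loads(sbom_json)["components"]:
        ecosystem, rest = comp["purl"][len("pkg:"):].split("/", 1)
        info = PackageInfo(rest.split("@", 1)[0], ecosystem, None, "pip")
        infos.append(normalize(info) if fix else info)
    return infos


def find_vulns(sbom_json: str, fix: bool) -> Dict[str, str]:
    """Map each component name, as keyed, to the CVE found in VULN_INDEX."""
    hits = {}
    for info in parse_components(sbom_json, fix):
        cve = VULN_INDEX.get((info.ecosystem, info.name))
        if cve:
            hits[info.name] = cve
    return hits
```

With fix=False the "PyJWT" component never matches the lowercase index entry, which is the silent miss the PR fixes; with fix=True it is reported.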

@chisaka12 chisaka12 marked this pull request as ready for review July 3, 2025 09:31
@Copilot Copilot AI review requested due to automatic review settings July 3, 2025 09:31
@Copilot Copilot AI left a comment


Pull Request Overview

This PR fixes case sensitivity issues in SBOM parsing by normalizing key package fields to lowercase and adds a corresponding integration test.

  • Lowercase pkg_name, source_name, ecosystem, and pkg_mgr in Trivy CDX parser for case-insensitive matching
  • Refactor DependencyParamsToCheck dataclass into class scope and update references
  • Add integration test test_package_name_and_ecosystem_are_lowercased_and_matched

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File                                        Description
api/app/sbom/parser/trivy_cdx_parser.py     Lowercase package_info fields before building artifact key
api/app/tests/integrations/test_pteams.py   Refactor dataclass placement and add integration test for lowercase package/ecosystem names
Comments suppressed due to low confidence (1)

api/app/tests/integrations/test_pteams.py:1309

  • [nitpick] Add a case where package_source_name is non-null and contains uppercase letters to verify that source_name is also being lowercased in the parser.
        def test_package_name_and_ecosystem_are_lowercased_and_matched(self, testdb):

@chisaka12 chisaka12 marked this pull request as draft July 3, 2025 09:51
@chisaka12 chisaka12 marked this pull request as ready for review July 4, 2025 01:26
@mshim03 mshim03 (Collaborator) left a comment

Please review.

@mshim03 mshim03 (Collaborator) left a comment

I left comments about the API tests.

@mshim03 mshim03 (Collaborator) left a comment

Please check the comments.

@mshim03 mshim03 (Collaborator) left a comment

LGTM

@mshim03 mshim03 merged commit c09ddc2 into main Jul 8, 2025
5 checks passed
@mshim03 mshim03 deleted the topic/fix-bug-where-vulnerabilities-were-missed-due-to-case-differences branch July 8, 2025 07:51