Open
Description
The import crashes with this error:
```text
Traceback (most recent call last):
  File "/app/vulnerabilities/management/commands/import.py", line 70, in import_data
    ImportRunner(importer).run()
  File "/app/vulnerabilities/import_runner.py", line 62, in run
    count = self.process_advisories(advisory_datas=advisory_datas, importer_name=importer_name)
  File "/app/vulnerabilities/import_runner.py", line 105, in process_advisories
    for data in advisory_datas:
  File "/app/vulnerabilities/importers/github_osv.py", line 53, in advisory_data
    yield parse_advisory_data(raw_data, supported_ecosystems, advisory_url)
  File "/app/vulnerabilities/importers/osv.py", line 70, in parse_advisory_data
    purl = get_affected_purl(affected_pkg=affected_pkg, raw_id=raw_id)
  File "/app/vulnerabilities/importers/osv.py", line 223, in get_affected_purl
    return PackageURL.from_string(str(purl))
  File "/usr/local/lib/python3.9/site-packages/packageurl/__init__.py", line 508, in from_string
    raise ValueError(msg)
ValueError: Invalid purl 'pkg:npm/org.webjars.npm:json-pointer' cannot contain a "user:pass@host:port" URL Authority component: ''.
```
The correct purl should have been `pkg:maven/org.webjars.npm/json-pointer` and not `pkg:npm/org.webjars.npm:json-pointer`.
We have three issues:
- some bug in parsing OSV data where this is not parsed correctly: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-7mg4-w3w5-x5pc/GHSA-7mg4-w3w5-x5pc.json
- packageurl-python should not have crashed on a colon in the namespace/name, even if this is not correct for Maven
- the importer should not crash on such an issue but log and keep processing instead #1856
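As an added example (not VulnerableCode's or packageurl-python's own code; the ecosystem-to-purl mapping, the function names and the sample advisory below are assumptions constructed for this page), here is a per-entry OSV `affected` to purl mapping that covers the three points above: it takes the purl type from each entry's own ecosystem, splits Maven `groupId:artifactId` coordinates into namespace and name, refuses a ':' that `PackageURL.from_string` would reject, and logs and skips a bad entry instead of aborting the whole import.

```python
import logging
from typing import Optional
from urllib.parse import quote

log = logging.getLogger("osv_purl_example")

# Subset of OSV "ecosystem" values mapped to purl types (an assumption for this
# example; the real importer keeps its own, larger mapping).
ECOSYSTEM_TO_PURL_TYPE = {
    "npm": "npm",
    "Maven": "maven",
    "PyPI": "pypi",
    "Go": "golang",
    "crates.io": "cargo",
    "RubyGems": "gem",
    "NuGet": "nuget",
    "Packagist": "composer",
}

# purl types whose OSV name may carry a slash-separated namespace prefix
SLASH_NAMESPACED = {"npm", "golang", "composer"}


def _encode(segment: str) -> str:
    # purl percent-encodes every namespace/name segment; '@' in an npm scope becomes %40
    return quote(segment, safe="")


def osv_affected_to_purl(affected: dict) -> Optional[str]:
    """Build a purl string from one OSV `affected` entry, or return None (and log)
    when the entry cannot be mapped. Never raises for malformed package data."""
    package = affected.get("package") or {}
    ecosystem = package.get("ecosystem")
    name = package.get("name")
    if not ecosystem or not name:
        log.warning("affected entry without ecosystem/name: %r", package)
        return None

    purl_type = ECOSYSTEM_TO_PURL_TYPE.get(ecosystem)
    if purl_type is None:
        log.warning("unsupported OSV ecosystem %r for %r", ecosystem, name)
        return None

    namespace = None
    if purl_type == "maven":
        # Maven names are "groupId:artifactId"; purl puts the groupId in the namespace
        group, sep, artifact = name.partition(":")
        if not sep or not group or not artifact or ":" in artifact:
            log.warning("Maven name %r is not groupId:artifactId", name)
            return None
        namespace, name = group, artifact
    elif purl_type in SLASH_NAMESPACED:
        # "@scope/pkg", "github.com/org/mod", "vendor/pkg": everything before the
        # last slash is the namespace
        head, sep, tail = name.rpartition("/")
        if sep:
            namespace, name = head, tail

    # A ':' left in the namespace or name is what packageurl-python rejected in the
    # traceback above (it is parsed as a URL authority). Reject it here instead of
    # letting the importer crash on it.
    if ":" in name or (namespace and ":" in namespace):
        log.warning("refusing to build a purl with ':' in %s/%s", ecosystem, name)
        return None

    parts = ["pkg:" + purl_type]
    if namespace:
        parts.append("/".join(_encode(s) for s in namespace.split("/")))
    parts.append(_encode(name))
    return "/".join(parts)


def purls_for_advisory(advisory: dict) -> dict:
    """Map every `affected` entry of one OSV advisory, skipping (and counting)
    the ones that cannot be mapped instead of aborting the whole import."""
    purls, skipped = [], 0
    for affected in advisory.get("affected", []):
        purl = osv_affected_to_purl(affected)
        if purl is None:
            skipped += 1
            continue
        purls.append(purl)
    return {"id": advisory.get("id"), "purls": purls, "skipped": skipped}


# Constructed sample advisory (not the real GHSA file): the same package published
# to npm and, as a webjar, to Maven Central, plus a deliberately mismatched entry
# that pairs the npm ecosystem with a Maven-style name, which is the shape of the
# invalid purl in the traceback.
SAMPLE_ADVISORY = {
    "id": "EXAMPLE-ADVISORY",
    "affected": [
        {"package": {"ecosystem": "npm", "name": "json-pointer"}},
        {"package": {"ecosystem": "Maven", "name": "org.webjars.npm:json-pointer"}},
        {"package": {"ecosystem": "npm", "name": "org.webjars.npm:json-pointer"}},
        {"package": {"ecosystem": "npm", "name": "@scope/json-pointer"}},
    ],
}

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(purls_for_advisory(SAMPLE_ADVISORY))
```

Running it yields `pkg:npm/json-pointer`, `pkg:maven/org.webjars.npm/json-pointer` and `pkg:npm/%40scope/json-pointer`, with the mismatched npm entry logged and counted as skipped rather than raising. The ':' check mirrors the library's own rejection so the importer fails closed on one entry instead of on the whole run.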