Merge pull request #34 from CycloneDX/fix/issue-33-pipfile-lock-parse-failure

BUG: Fixe for `Pipfile.lock` parsing + accidental data sharing issues identified during testing

Author: madpah

cyclonedx/model/__init__.py

@@ -28,6 +28,16 @@
 
 
 def sha1sum(filename: str) -> str:
+    """
+    Generate a SHA1 hash of the provided file.
+
+    Args:
+        filename:
+            Absolute path to file to hash as `str`
+
+    Returns:
+        SHA-1 hash
+    """
     h = hashlib.sha1()
     b = bytearray(128 * 1024)
     mv = memoryview(b)
@@ -67,9 +77,6 @@ class HashType:
         See the CycloneDX Schema for hashType: https://cyclonedx.org/docs/1.3/#type_hashType
     """
 
-    _algorithm: HashAlgorithm
-    _value: str
-
     @staticmethod
     def from_composite_str(composite_hash: str):
         """
@@ -84,7 +91,7 @@ def from_composite_str(composite_hash: str):
         Returns:
             An instance of `HashType` when possible, else `None`.
         """
-        algorithm: HashAlgorithm = None
+        algorithm = None
         parts = composite_hash.split(':')
 
         algorithm_prefix = parts[0].lower()
@@ -110,6 +117,9 @@ def get_algorithm(self) -> HashAlgorithm:
     def get_hash_value(self) -> str:
         return self._value
 
+    def __repr__(self):
+        return f'<Hash {self._algorithm.value}:{self._value}>'
+
 
 class ExternalReferenceType(Enum):
     """
@@ -144,20 +154,13 @@ class ExternalReference:
     .. note::
         See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.3/#type_externalReference
     """
-    _reference_type: ExternalReferenceType
-    _url: str
-    _comment: str
-    _hashes: List[HashType] = []
 
     def __init__(self, reference_type: ExternalReferenceType, url: str, comment: str = None,
                  hashes: List[HashType] = None):
-        self._reference_type = reference_type
+        self._reference_type: ExternalReferenceType = reference_type
         self._url = url
         self._comment = comment
-        if not hashes:
-            self._hashes.clear()
-        else:
-            self._hashes = hashes
+        self._hashes: List[HashType] = hashes if hashes else []
 
     def add_hash(self, our_hash: HashType):
         """
@@ -204,3 +207,6 @@ def get_url(self) -> str:
             URI as a `str`.
         """
         return self._url
+
+    def __repr__(self):
+        return f'<ExternalReference {self._reference_type.name}, {self._url}> {self._hashes}'

cyclonedx/model/bom.py

@@ -37,16 +37,11 @@ class Tool:
         See the CycloneDX Schema for toolType: https://cyclonedx.org/docs/1.3/#type_toolType
     """
 
-    _vendor: str = None
-    _name: str = None
-    _version: str = None
-    _hashes: List[HashType] = []
-
     def __init__(self, vendor: str, name: str, version: str, hashes: List[HashType] = []):
         self._vendor = vendor
         self._name = name
         self._version = version
-        self._hashes = hashes
+        self._hashes: List[HashType] = hashes
 
     def get_hashes(self) -> List[HashType]:
         """
@@ -107,15 +102,11 @@ class BomMetaData:
         See the CycloneDX Schema for Bom metadata: https://cyclonedx.org/docs/1.3/#type_metadata
     """
 
-    _timestamp: datetime.datetime
-    _tools: List[Tool] = []
-
     def __init__(self, tools: List[Tool] = []):
         self._timestamp = datetime.datetime.now(tz=datetime.timezone.utc)
-        self._tools.clear()
+        self._tools: List[Tool] = tools
         if len(tools) == 0:
             tools.append(ThisTool)
-        self._tools = tools
 
     def add_tool(self, tool: Tool):
         """
@@ -158,10 +149,6 @@ class Bom:
     `cyclonedx.output.BaseOutput` to produce a CycloneDX document according to a specific schema version and format.
     """
 
-    _uuid: str
-    _metadata: BomMetaData = None
-    _components: List[Component] = []
-
     @staticmethod
     def from_parser(parser: BaseParser):
         """
@@ -185,8 +172,8 @@ def __init__(self):
             New, empty `cyclonedx.model.bom.Bom` instance.
         """
         self._uuid = uuid4()
-        self._metadata = BomMetaData(tools=[])
-        self._components.clear()
+        self._metadata: BomMetaData = BomMetaData(tools=[])
+        self._components: List[Component] = []
 
     def add_component(self, component: Component):
         """

cyclonedx/model/component.py

@@ -50,21 +50,6 @@ class Component:
     .. note::
         See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.3/#type_component
     """
-    _type: ComponentType
-    _package_url_type: str
-    _namespace: str
-    _name: str
-    _version: str
-    _qualifiers: str
-    _subpath: str
-
-    _author: str = None
-    _description: str = None
-    _license: str = None
-
-    _hashes: List[HashType] = []
-    _vulnerabilites: List[Vulnerability] = []
-    _external_references: List[ExternalReference] = []
 
     @staticmethod
     def for_file(absolute_file_path: str, path_for_bom: str = None):
@@ -96,7 +81,7 @@ def for_file(absolute_file_path: str, path_for_bom: str = None):
         )
 
     def __init__(self, name: str, version: str, namespace: str = None, qualifiers: str = None, subpath: str = None,
-                 hashes: List[HashType] = None,
+                 hashes: List[HashType] = None, author: str = None, description: str = None, license_str: str = None,
                  component_type: ComponentType = ComponentType.LIBRARY, package_url_type: str = 'pypi'):
         self._package_url_type = package_url_type
         self._namespace = namespace
@@ -106,11 +91,13 @@ def __init__(self, name: str, version: str, namespace: str = None, qualifiers: s
         self._qualifiers = qualifiers
         self._subpath = subpath
 
-        self._hashes.clear()
-        if hashes:
-            self._hashes = hashes
-        self._vulnerabilites.clear()
-        self._external_references.clear()
+        self._author: str = author
+        self._description: str = description
+        self._license: str = license_str
+
+        self._hashes: List[HashType] = hashes if hashes else []
+        self._vulnerabilites: List[Vulnerability] = []
+        self._external_references: List[ExternalReference] = []
 
     def add_external_reference(self, reference: ExternalReference):
         """
@@ -122,15 +109,15 @@ def add_external_reference(self, reference: ExternalReference):
         """
         self._external_references.append(reference)
 
-    def add_hash(self, hash: HashType):
+    def add_hash(self, a_hash: HashType):
         """
         Adds a hash that pins/identifies this Component.
 
         Args:
-            hash:
+            a_hash:
                 `HashType` instance
         """
-        self._hashes.append(hash)
+        self._hashes.append(a_hash)
 
     def add_vulnerability(self, vulnerability: Vulnerability):
         """

cyclonedx/model/vulnerability.py

@@ -119,7 +119,7 @@ def get_from_cvss_scores(scores: tuple = None):
         if scores is None:
             return VulnerabilitySeverity.UNKNOWN
 
-        max_cvss_score = max(scores)
+        max_cvss_score: float = max(scores)
 
         if max_cvss_score >= 9.0:
             return VulnerabilitySeverity.CRITICAL
@@ -140,12 +140,6 @@ class VulnerabilityRating:
     .. note::
         See `scoreType` in https://github.com/CycloneDX/specification/blob/master/schema/ext/vulnerability-1.0.xsd
     """
-    _score_base: float
-    _score_impact: float
-    _score_exploitability: float
-    _severity: VulnerabilitySeverity
-    _method: VulnerabilitySourceType
-    _vector: str
 
     def __init__(self, score_base: float = None, score_impact: float = None, score_exploitability=None,
                  severity: VulnerabilitySeverity = None, method: VulnerabilitySourceType = None,
@@ -216,26 +210,18 @@ class Vulnerability:
     """
     Represents <xs:complexType name="vulnerability">
     """
-    _id: str
-    _source_name: str
-    _source_url: ParseResult
-    _ratings: List[VulnerabilityRating] = []
-    _cwes: List[int] = []
-    _description: str = None
-    _recommendations: List[str] = []
-    _advisories: List[str] = []
 
     def __init__(self, id: str, source_name: str = None, source_url: str = None,
-                 ratings: List[VulnerabilityRating] = [], cwes: List[int] = [], description: str = None,
-                 recommendations: List[str] = [], advisories: List[str] = []):
+                 ratings: List[VulnerabilityRating] = None, cwes: List[int] = None, description: str = None,
+                 recommendations: List[str] = None, advisories: List[str] = None):
         self._id = id
         self._source_name = source_name
-        self._source_url = urlparse(source_url) if source_url else None
-        self._ratings = ratings
-        self._cwes = cwes
+        self._source_url: ParseResult = urlparse(source_url) if source_url else None
+        self._ratings: List[VulnerabilityRating] = ratings
+        self._cwes: List[int] = cwes
         self._description = description
-        self._recommendations = recommendations
-        self._advisories = advisories
+        self._recommendations: List[str] = recommendations
+        self._advisories: List[str] = advisories
 
     def get_id(self) -> str:
         return self._id

cyclonedx/parser/pipenv.py

@@ -35,16 +35,18 @@ def __init__(self, pipenv_contents: str):
                 name=package_name, version=str(package_data['version']).strip('='),
             )
 
-            if package_data['index'] == 'pypi':
+            if 'index' in package_data.keys() and package_data['index'] == 'pypi':
                 # Add download location with hashes stored in Pipfile.lock
-                for pip_hash in package_data['hashes']:
-                    ext_ref = ExternalReference(
-                        reference_type=ExternalReferenceType.DISTRIBUTION,
-                        url=c.get_pypi_url(),
-                        comment='Distribution available from pypi.org'
-                    )
-                    ext_ref.add_hash(HashType.from_composite_str(pip_hash))
-                    c.add_external_reference(ext_ref)
+                if 'hashes' in package_data.keys():
+                    for pip_hash in package_data['hashes']:
+
+                        ext_ref = ExternalReference(
+                            reference_type=ExternalReferenceType.DISTRIBUTION,
+                            url=c.get_pypi_url(),
+                            comment='Distribution available from pypi.org'
+                        )
+                        ext_ref.add_hash(HashType.from_composite_str(pip_hash))
+                        c.add_external_reference(ext_ref)
 
             self._components.append(c)
 

tests/fixtures/pipfile-lock-no-index-example.txt

@@ -0,0 +1,37 @@
+{
+    "_meta": {
+        "hash": {
+            "sha256": "8ca3da46acf801a7780c6781bed1d6b7012664226203447640cda114b13aa8aa"
+        },
+        "pipfile-spec": 6,
+        "requires": {
+            "python_version": "3.9"
+        },
+        "sources": [
+            {
+                "name": "pypi",
+                "url": "https://pypi.org/simple",
+                "verify_ssl": true
+            }
+        ]
+    },
+    "default": {
+        "anyio": {
+            "hashes": [
+                "sha256:56ceaeed2877723578b1341f4f68c29081db189cfb40a97d1922b9513f6d7db6",
+                "sha256:8eccec339cb4a856c94a75d50fc1d451faf32a05ef406be462e2efc59c9838b0"
+            ],
+            "markers": "python_full_version >= '3.6.2'",
+            "version": "==3.3.3"
+        },
+        "toml": {
+            "hashes": [
+                "sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b",
+                "sha256:b3bda1d108d5dd99f4a20d24d9c348e91c4db7ab1b749200bded2f839ccbe68f"
+            ],
+            "index": "pypi",
+            "version": "==0.10.2"
+        }
+    },
+    "develop": {}
+}

tests/test_parser_pipenv.py

@@ -35,3 +35,22 @@ def test_simple(self):
         self.assertEqual('0.10.2', components[0].get_version())
         self.assertEqual(len(components[0].get_external_references()), 2)
         self.assertEqual(len(components[0].get_external_references()[0].get_hashes()), 1)
+
+    def test_with_multiple_and_no_index(self):
+        tests_pipfile_lock = os.path.join(os.path.dirname(__file__), 'fixtures/pipfile-lock-no-index-example.txt')
+
+        parser = PipEnvFileParser(pipenv_lock_filename=tests_pipfile_lock)
+        self.assertEqual(2, parser.component_count())
+        components = parser.get_components()
+
+        c_anyio = [x for x in components if x.get_name() == 'anyio'][0]
+        c_toml = [x for x in components if x.get_name() == 'toml'][0]
+
+        self.assertEqual('anyio', c_anyio.get_name())
+        self.assertEqual('3.3.3', c_anyio.get_version())
+        self.assertEqual(0, len(c_anyio.get_external_references()))
+
+        self.assertEqual('toml', c_toml.get_name())
+        self.assertEqual('0.10.2', c_toml.get_version())
+        self.assertEqual(len(c_toml.get_external_references()), 2)
+        self.assertEqual(len(c_toml.get_external_references()[0].get_hashes()), 1)