From e29df3b7963796b97e9c34cc084b7816948f0916 Mon Sep 17 00:00:00 2001
From: Will Murphy
Date: Tue, 24 Oct 2023 07:59:10 -0400
Subject: [PATCH] fix: ignore trailing slash in GH CVSS strings

Sometimes these strings have a trailing slash; ignore the trailing slash rather than throwing away the entire CVSS info because of it.

Signed-off-by: Will Murphy
---
 src/vunnel/providers/github/parser.py | 1 +
 tests/unit/providers/github/test_github.py | 13 +++++++++++++
 2 files changed, 14 insertions(+)

diff --git a/src/vunnel/providers/github/parser.py b/src/vunnel/providers/github/parser.py
index 77c7ab54..636040a1 100644
--- a/src/vunnel/providers/github/parser.py
+++ b/src/vunnel/providers/github/parser.py
@@ -548,6 +548,7 @@ def _severity(self):
 def _make_cvss(self, cvss_vector: str, vulnerability_id: str) -> CVSS | None:
 try:
+ cvss_vector = cvss_vector.removesuffix("/")
 cvss3_obj = CVSS3(cvss_vector)
 cvss_object = CVSS(
diff --git a/tests/unit/providers/github/test_github.py b/tests/unit/providers/github/test_github.py
index 681a8af5..a1b73749 100644
--- a/tests/unit/providers/github/test_github.py
+++ b/tests/unit/providers/github/test_github.py
@@ -200,6 +200,19 @@ def test_gets_cvss(self, node):
 assert result["CVSS"] == expected
 assert result.CVSS == expected
+ def test_trailing_slash_cvss(self, node):
+ node["cvss"]["vectorString"] = node["cvss"]["vectorString"] + "/"
+ result = parser.NodeParser(node).parse()
+ expected = CVSS(
+ version="3.0",
+ vector_string="CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ base_metrics=CVSSBaseMetrics(base_score=9.8, exploitability_score=3.9, impact_score=5.9, base_severity="Critical"),
+ status="N/A",
+ )
+
+ assert result["CVSS"] == expected
+ assert result.CVSS == expected
+
 def test_gets_published(self, node):
 result = parser.NodeParser(node).parse()
 result["published"] = "2020-02-04T03:07:31Z"
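Review bot: The new normalization line in `_make_cvss` (first hunk, parser.py) has no comment saying why the vector is altered before parsing, and it removes exactly one trailing `/`. A one-line comment such as `# upstream vectorString sometimes ends in "/"; strip it so the CVSS data is not discarded` would record the intent for the next reader. If upstream vectors can also carry surrounding whitespace or repeated slashes, `cvss_vector.strip().rstrip("/")` would cover those too; that is an assumption about the feed, not something the hunk shows. The call sits inside a `try:` whose handler is outside the hunk, so whether a non-string `cvss_vector` is still handled the way it was before cannot be confirmed from here.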
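Review bot: `test_trailing_slash_cvss` (second hunk, test_github.py) pins only the accepted case; nothing in it checks that a vector which is still malformed after the slash is stripped keeps being rejected. A companion test that sets `node["cvss"]["vectorString"]` to a constructed invalid value and asserts that the parsed record carries no CVSS would stop the tolerance from widening unnoticed; the exact value to assert depends on the `_make_cvss` handler, which is not visible in this diff. The test also mutates the `node` fixture in place, which is only safe if that fixture is function-scoped (its definition is outside the hunk).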