
fix: KeyError: 'REDHAT' #4072

Open
smirgel opened this issue Apr 23, 2024 · 2 comments
Labels
bug Something isn't working
Milestone

Comments


smirgel commented Apr 23, 2024

Description

When running a scan on an installed piece of software I get "KeyError: 'REDHAT'":

╭─────────────────────────────── Traceback (most recent call last) ────────────────────────────────╮
│ /usr/local/bin/cve-bin-tool:8 in <module>                                                        │
│                                                                                                  │
│   5 from cve_bin_tool.cli import main                                                            │
│   6 if __name__ == '__main__':                                                                   │
│   7 │   sys.argv[0] = re.sub(r'(-script\.pyw|\.exe)?$', '', sys.argv[0])                         │
│ ❱ 8 │   sys.exit(main())                                                                         │
│   9                                                                                              │
│                                                                                                  │
│ /usr/local/lib/python3.12/dist-packages/cve_bin_tool/cli.py:1103 in main                         │
│                                                                                                  │
│   1100 │   │   )                                                                                 │
│   1101 │   │                                                                                     │
│   1102 │   │   if not args["quiet"]:                                                             │
│ ❱ 1103 │   │   │   output.output_file_wrapper(output_formats)                                    │
│   1104 │   │   │   if args["backport_fix"] or args["available_fix"]:                             │
│   1105 │   │   │   │   distro_info = args["backport_fix"] or args["available_fix"]               │
│   1106 │   │   │   │   is_backport = True if args["backport_fix"] else False                     │
│                                                                                                  │
│ /usr/local/lib/python3.12/dist-packages/cve_bin_tool/output_engine/__init__.py:977 in            │
│ output_file_wrapper                                                                              │
│                                                                                                  │
│    974 │   def output_file_wrapper(self, output_types=["console"]):                              │
│    975 │   │   """Call output_file method for all output types."""                               │
│    976 │   │   for output_type in output_types:                                                  │
│ ❱  977 │   │   │   self.output_file(output_type)                                                 │
│    978 │                                                                                         │
│    979 │   def output_file(self, output_type="console"):                                         │
│    980 │   │   """Generate a file for list of CVE"""                                             │
│                                                                                                  │
│ /usr/local/lib/python3.12/dist-packages/cve_bin_tool/output_engine/__init__.py:1037 in           │
│ output_file                                                                                      │
│                                                                                                  │
│   1034 │   │   │   │   self.output_cves(f, output_type)                                          │
│   1035 │   │   else:                                                                             │
│   1036 │   │   │   with open(self.filename, "w", encoding="utf8") as f:                          │
│ ❱ 1037 │   │   │   │   self.output_cves(f, output_type)                                          │
│   1038 │                                                                                         │
│   1039 │   def check_file_path(self, filepath: str, output_type: str, prefix: str = "output"):   │
│   1040 │   │   """Generate a new filename if file already exists."""                             │
│                                                                                                  │
│ /usr/local/lib/python3.12/dist-packages/cve_bin_tool/output_engine/__init__.py:793 in            │
│ output_cves                                                                                      │
│                                                                                                  │
│    790 │   │   │   self.logger.info(f"Output stored at {self.append}")                           │
│    791 │   │                                                                                     │
│    792 │   │   if self.vex_filename != "":                                                       │
│ ❱  793 │   │   │   self.generate_vex(self.all_cve_data, self.vex_filename)                       │
│    794 │   │   if self.sbom_filename != "":                                                      │
│    795 │   │   │   self.generate_sbom(                                                           │
│    796 │   │   │   │   self.all_product_data,                                                    │
│                                                                                                  │
│ /usr/local/lib/python3.12/dist-packages/cve_bin_tool/output_engine/__init__.py:851 in            │
│ generate_vex                                                                                     │
│                                                                                                  │
│    848 │   │   │   │   vulnerability["id"] = id                                                  │
│    849 │   │   │   │   vulnerability["source"] = {                                               │
│    850 │   │   │   │   │   "name": cve.data_source,                                              │
│ ❱  851 │   │   │   │   │   "url": source_url[cve.data_source] + id,                              │
│    852 │   │   │   │   }                                                                         │
│    853 │   │   │   │   # Assume CVSS vulnerability scores are in accordance with NVD guidance    │
│    854 │   │   │   │   if cve.cvss_version == 3:                                                 │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
KeyError: 'REDHAT'

To reproduce

Steps to reproduce the behaviour:

  1. scan using these flags "cve-bin-tool . --severity high -f console,html -o report --vex triage_out.vex"

It is probably related to one of the components but it is hard to tell which one:

[10:51:21] INFO     cve_bin_tool - Overall CVE summary:                                                                                                                                                          cli.py:1059
           INFO     cve_bin_tool - There are 103 products with known CVEs detected                                                                                                                               cli.py:1060
           INFO     cve_bin_tool - Known CVEs in ('apache.camel', '2.25.4'), ('apache.commons_compress', '1.14'), ('apache.commons_compress', '1.19'), ('apache.log4j', '1.2.12'), ('apache.log4j', '1.2.17'),   cli.py:1071
                    ('gnu.gcc', '2.95.4'), ('gnu.gcc', '3.4.2'), ('gnu.gcc', '3.4.3'), ('gnu.gcc', '3.4.6'), ('gnu.gcc', '4.1.2'), ('gnu.gcc', '4.2.1'), ('gnu.gcc', '4.2.4'), ('gnu.gcc', '4.4.4'), ('gnu.gcc',
                    '4.4.7'), ('gnu.gcc', '4.8.1'), ('gnu.gcc', '4.8.3'), ('gnu.gcc', '4.8.5'), ('gnu.gcc', '5.5.0'), ('gnu.gcc', '9.2'), ('google.guava', '22.0-android'), ('google.guava', '25.1-jre'),
                    ('google.guava', '26.0-android'), ('google.guava', '30.1-jre'), ('h2database.h2', '1.4.200'), ('haxx.libcurl', '7.86.0'), ('hdfgroup.hdf5', '1.12.1'), ('ijg.libjpeg', '6b'),
                    ('ijg.libjpeg', '8d'), ('jenkins.junit', '3.8.1'), ('jenkins.junit', '3.8.2'), ('jenkins.junit', '4.10'), ('jenkins.junit', '4.11'), ('jenkins.junit', '4.12'), ('jenkins.junit', '4.13'),
                    ('jenkins.junit', '4.13.2'), ('jenkins.junit', '4.4'), ('jenkins.junit', '4.7'), ('jenkins.junit', '4.8.1'), ('jenkins.junit', '4.8.2'), ('jenkins.junit', '4.9'), ('joyent.json', '1.1.4'),
                    ('jq_project.jq', '0.2'), ('json-c.json-c', '0.13.99'), ('json_project.json', '1.1.4'), ('libexpat_project.libexpat', '2.0.1'), ('libexpat_project.libexpat', '2.4.1'),
                    ('libexpat_project.libexpat', '2.4.4'), ('libexpat_project.libexpat', '2.4.8'), ('libssh2.libssh2', '1.10.0'), ('libtiff.libtiff', '4.3.0'), ('libtiff.libtiff', '4.6.0'),
                    ('mit.kerberos_5', '1.19.3'), ('openssl.openssl', '1.1.1k'), ('openssl.openssl', '1.1.1v'), ('pcre.pcre', '8.32'), ('pypa.pip', '23.0.1'), ('pypa.pip', '24.0'), ('pypa.pip', '9.0.1'),
                    ('python.python', '3.9.19'), ('sqlite.sqlite', '3.39.4'), ('tukaani.xz', '1.6'), ('tukaani.xz', '1.8'), ('unknown.Pillow', '10.1.0'), ('unknown.camel', '2.25.4'), ('unknown.core',
                    '2024.2.31859-4619'), ('unknown.guava', '22.0-android'), ('unknown.guava', '25.1-jre'), ('unknown.guava', '26.0-android'), ('unknown.guava', '30.1-jre'), ('unknown.h2', '1.4.200'),
                    ('unknown.json', '1.1.4'), ('unknown.junit', '3.8.1'), ('unknown.junit', '3.8.2'), ('unknown.junit', '4.10'), ('unknown.junit', '4.11'), ('unknown.junit', '4.12'), ('unknown.junit',
                    '4.13'), ('unknown.junit', '4.13.2'), ('unknown.junit', '4.4'), ('unknown.junit', '4.7'), ('unknown.junit', '4.8.1'), ('unknown.junit', '4.8.2'), ('unknown.junit', '4.9'),
                    ('unknown.jython-standalone', '2.7.1'), ('unknown.log4j', '1.2.12'), ('unknown.log4j', '1.2.17'), ('unknown.log4j', '2.22.0'), ('unknown.logback-classic', '1.2.3'), ('unknown.pip',
                    '23.0.1'), ('unknown.pip', '24.0'), ('unknown.pip', '9.0.1'), ('unknown.project', '1.0.7'), ('unknown.spring-beans', '4.0.0.RELEASE'), ('unknown.spring-core', '4.0.0.RELEASE'),
                    ('unknown.spring-web', '4.0.0.RELEASE'), ('unknown.woodstox-core', '6.4.0'), ('unknown.xalan', '2.7.1'), ('unknown.xstream', '1.4.20'), ('xwiki.commons', '5'), ('zlib.zlib', '1.2.11'),
                    ('zlib.zlib', '1.2.12'), ('zlib.zlib', '1.2.13'), ('zlib.zlib', '1.2.3'):

Version/platform info

Version of CVE-bin-tool (e.g. output of cve-bin-tool --version): 3.3
Installed from pypi.
Operating system: Ubuntu 22.04
Python version: Python 3.12.2

Anything else?

@smirgel smirgel added the bug Something isn't working label Apr 23, 2024
terriko (Contributor) commented Apr 23, 2024

This looks like a bug. It's trying to look up vulnerability data from redhat and not finding it (likely because the database didn't download). I think we're likely missing a check in output_engine/__init__.py at line 851 as it lists above. Probably an easy fix as long as that's the only place the mistake was made!

You can probably temporarily work around it by telling cve-bin-tool to skip the REDHAT data source, though I hope we can get a fix in fairly quickly.

@terriko terriko added this to the 3.3.1 milestone Apr 23, 2024
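The failing line in the traceback, `source_url[cve.data_source] + id`, indexes a dict of data-source names to URL prefixes, so any source not present in that dict ("REDHAT" here) raises KeyError and aborts VEX generation for the entire scan. The following is an added example, not cve-bin-tool's own code or its eventual fix: it reproduces that lookup pattern beside a hardened form that records the source name and simply omits the URL when no prefix is known. The `SOURCE_URL` mapping, the `CVE` stand-in class and the CVE ids are constructed sample data, and the omit-the-url fallback is an assumption chosen for this example.

```python
"""Added example (not cve-bin-tool's own code): the dict lookup that raised
KeyError: 'REDHAT' in generate_vex, beside a hardened version that degrades
the single entry instead of crashing the whole run."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample of a source-name -> URL-prefix mapping; "REDHAT" is
# deliberately absent, mirroring a data source whose database was not loaded.
SOURCE_URL = {
    "NVD": "https://example.invalid/nvd/",
    "OSV": "https://example.invalid/osv/",
}


@dataclass
class CVE:
    """Minimal stand-in for the per-CVE record the output engine iterates over."""
    cve_number: str
    data_source: str


def source_url_unchecked(source_url: dict, cve: CVE) -> str:
    """The pattern from the traceback: raises KeyError for an unknown source."""
    return source_url[cve.data_source] + cve.cve_number


def source_url_checked(source_url: dict, cve: CVE) -> Optional[str]:
    """Hardened lookup: return None instead of raising when the source is unknown."""
    prefix = source_url.get(cve.data_source)
    if prefix is None:
        return None
    return prefix + cve.cve_number


def build_vex_source(source_url: dict, cve: CVE) -> dict:
    """Build the `source` object for one vulnerability entry.

    The source name is always recorded; `url` is added only when a prefix is
    known, so an unknown data source loses its link rather than the report.
    """
    source = {"name": cve.data_source}
    url = source_url_checked(source_url, cve)
    if url is not None:
        source["url"] = url
    return source


def generate_vex_entries(source_url: dict, cves: list) -> list:
    """Produce one vulnerability entry per CVE; never raises for unknown sources."""
    return [
        {"id": cve.cve_number, "source": build_vex_source(source_url, cve)}
        for cve in cves
    ]


if __name__ == "__main__":
    cves = [
        CVE("CVE-0000-0001", "NVD"),     # constructed sample id, known source
        CVE("CVE-0000-0002", "REDHAT"),  # constructed sample id, source missing from SOURCE_URL
    ]
    try:
        source_url_unchecked(SOURCE_URL, cves[1])
    except KeyError as exc:
        print(f"unchecked lookup raised KeyError: {exc}")
    for entry in generate_vex_entries(SOURCE_URL, cves):
        print(entry)
```

Run as a script it first shows the unchecked lookup raising `KeyError: 'REDHAT'`, then prints both entries from the hardened path, with the REDHAT entry carrying only a `name`. Whatever fallback the project finally picks, the check belongs at every place a data-source name is used as a dict key, which is the "only place the mistake was made" question raised above.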
smirgel (Author) commented Apr 24, 2024

Thanks! I was able to get a successful scan by adding "--disable-data-source REDHAT".
