Skip to content

fix: c-ares, sqlite and zstd version parsing#308

Open
richardlau wants to merge 3 commits into
mainfrom
sqlite
Open

fix: c-ares, sqlite and zstd version parsing#308
richardlau wants to merge 3 commits into
mainfrom
sqlite

Conversation

@richardlau

@richardlau richardlau commented Jul 17, 2026

Copy link
Copy Markdown
Member
  • The version parser for sqlite was only expecting a single space between the #define SQLITE_VERSION and the version string but the actual header has multiple spaces.
  • The header file for zstd defines ZSTD_VERSION_RELEASE instead of ZSTD_VERSION_PATCH. Allow for multiple spaces is the definition. The CPE vendor for zstd is facebook and the product is zstandard.
  • Newer versions of c-ares have multiple spaces in the definition of ARES_VERSION_STR that break the existing parsing.

Fixes: #307

@richardlau

Copy link
Copy Markdown
Member Author

@richardlau

Copy link
Copy Markdown
Member Author

Workflow run with this branch: https://github.com/nodejs/nodejs-dependency-vuln-assessments/actions/runs/29587905355

Now we get to further issues, this time with zstd:
https://github.com/nodejs/nodejs-dependency-vuln-assessments/actions/runs/29587905355/job/87909392694

Traceback (most recent call last):
  File "/home/runner/work/nodejs-dependency-vuln-assessments/nodejs-dependency-vuln-assessments/dep_checker/main.py", line 261, in <module>
    exit(main())
  File "/home/runner/work/nodejs-dependency-vuln-assessments/nodejs-dependency-vuln-assessments/dep_checker/main.py", line 236, in main
    nvd_vulnerabilities: list[Vulnerability] = query_nvd(
  File "/home/runner/work/nodejs-dependency-vuln-assessments/nodejs-dependency-vuln-assessments/dep_checker/main.py", line 156, in query_nvd
    virtualMatchString=dep.get_cpe(repo_path),
  File "/home/runner/work/nodejs-dependency-vuln-assessments/nodejs-dependency-vuln-assessments/dep_checker/dependencies.py", line 29, in get_cpe
    return f"cpe:2.3:a:{self.cpe.vendor}:{self.cpe.product}:{self.version_parser(repo_path)}:*:*:*:*:*:*:*"
  File "/home/runner/work/nodejs-dependency-vuln-assessments/nodejs-dependency-vuln-assessments/dep_checker/versions_parser.py", line 269, in get_zstd_version
    raise RuntimeError("Error extracting version number for zstd")
RuntimeError: Error extracting version number for zstd

@richardlau richardlau changed the title fix: sqlite version parsing fix: sqlite and zstd version parsing Jul 17, 2026
@richardlau

Copy link
Copy Markdown
Member Author

zstd parsing needs to be updated as well.

Trying again: https://github.com/nodejs/nodejs-dependency-vuln-assessments/actions/runs/29589593474

@richardlau

Copy link
Copy Markdown
Member Author

Trying again: https://github.com/nodejs/nodejs-dependency-vuln-assessments/actions/runs/29589593474

😞
https://github.com/nodejs/nodejs-dependency-vuln-assessments/actions/runs/29589593474/job/87915129295

Traceback (most recent call last):
  File "/home/runner/work/nodejs-dependency-vuln-assessments/nodejs-dependency-vuln-assessments/dep_checker/main.py", line 261, in <module>
    exit(main())
  File "/home/runner/work/nodejs-dependency-vuln-assessments/nodejs-dependency-vuln-assessments/dep_checker/main.py", line 236, in main
    nvd_vulnerabilities: list[Vulnerability] = query_nvd(
  File "/home/runner/work/nodejs-dependency-vuln-assessments/nodejs-dependency-vuln-assessments/dep_checker/main.py", line 155, in query_nvd
    for cve in searchCVE(
  File "/opt/hostedtoolcache/Python/3.9.25/x64/lib/python3.9/site-packages/nvdlib/cve.py", line 161, in searchCVE
    raw = __get('cve', headers, parameters, limit, verbose, delay)
  File "/opt/hostedtoolcache/Python/3.9.25/x64/lib/python3.9/site-packages/nvdlib/get.py", line 27, in __get
    raw.raise_for_status()
  File "/opt/hostedtoolcache/Python/3.9.25/x64/lib/python3.9/site-packages/requests/models.py", line 1026, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 404 Client Error: Not Found for url: https://services.nvd.nist.gov/rest/json/cves/2.0?virtualMatchString=cpe%3A2.3%3Aa%3Azstd%3Azstd%3A+++1.+++5.+7%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A
Error: Process completed with exit code 1.

@richardlau

Copy link
Copy Markdown
Member Author

Looks like the CPE vendor for zstd should be facebook instead of zstd.

Trying again: https://github.com/nodejs/nodejs-dependency-vuln-assessments/actions/runs/29590267659

@richardlau

Copy link
Copy Markdown
Member Author

Looks like the CPE vendor for zstd should be facebook instead of zstd.

Trying again: https://github.com/nodejs/nodejs-dependency-vuln-assessments/actions/runs/29590267659

Nope.

Traceback (most recent call last):
  File "/home/runner/work/nodejs-dependency-vuln-assessments/nodejs-dependency-vuln-assessments/dep_checker/main.py", line 261, in <module>
    exit(main())
  File "/home/runner/work/nodejs-dependency-vuln-assessments/nodejs-dependency-vuln-assessments/dep_checker/main.py", line 236, in main
    nvd_vulnerabilities: list[Vulnerability] = query_nvd(
  File "/home/runner/work/nodejs-dependency-vuln-assessments/nodejs-dependency-vuln-assessments/dep_checker/main.py", line 155, in query_nvd
    for cve in searchCVE(
  File "/opt/hostedtoolcache/Python/3.9.25/x64/lib/python3.9/site-packages/nvdlib/cve.py", line 161, in searchCVE
    raw = __get('cve', headers, parameters, limit, verbose, delay)
  File "/opt/hostedtoolcache/Python/3.9.25/x64/lib/python3.9/site-packages/nvdlib/get.py", line 27, in __get
    raw.raise_for_status()
  File "/opt/hostedtoolcache/Python/3.9.25/x64/lib/python3.9/site-packages/requests/models.py", line 1026, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 404 Client Error: Not Found for url: https://services.nvd.nist.gov/rest/json/cves/2.0?virtualMatchString=cpe%3A2.3%3Aa%3Afacebook%3Azstd%3A+++1.+++5.+7%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A
Error: Process completed with exit code 1.

I think we may still have a version parsing issue (those + in front of the version numbers). Also CPE product might need to be zstandard based on https://nvd.nist.gov/vuln/detail/CVE-2019-11922.

@richardlau

Copy link
Copy Markdown
Member Author

@richardlau

Copy link
Copy Markdown
Member Author

Once more: https://github.com/nodejs/nodejs-dependency-vuln-assessments/actions/runs/29592007779

This one looks more promising -- it has got to the stage of creating issues for found CVEs.

Comment thread dep_checker/__pycache__/versions_parser.cpython-313.pyc Outdated
The version parser for sqlite was only expecting a single space between
the `#define SQLITE_VERSION` and the version string but the actual
header has multiple spaces.

Signed-off-by: Richard Lau <richard.lau@ibm.com>
The header file for zstd defines `ZSTD_VERSION_RELEASE` instead of
`ZSTD_VERSION_PATCH`. Allow for multiple spaces is the definition.

The CPE vendor for zstd is `facebook` and the product is `zstandard`.

Signed-off-by: Richard Lau <richard.lau@ibm.com>
Newer versions of c-ares have multiple spaces in the definition of
`ARES_VERSION_STR` that break the existing parsing.

Signed-off-by: Richard Lau <richard.lau@ibm.com>
@richardlau

Copy link
Copy Markdown
Member Author

😢 (on main) https://github.com/nodejs/nodejs-dependency-vuln-assessments/actions/runs/29592007779/job/87927243998

Traceback (most recent call last):
  File "/home/runner/work/nodejs-dependency-vuln-assessments/nodejs-dependency-vuln-assessments/dep_checker/main.py", line 261, in <module>
    exit(main())
  File "/home/runner/work/nodejs-dependency-vuln-assessments/nodejs-dependency-vuln-assessments/dep_checker/main.py", line 236, in main
    nvd_vulnerabilities: list[Vulnerability] = query_nvd(
  File "/home/runner/work/nodejs-dependency-vuln-assessments/nodejs-dependency-vuln-assessments/dep_checker/main.py", line 156, in query_nvd
    virtualMatchString=dep.get_cpe(repo_path),
  File "/home/runner/work/nodejs-dependency-vuln-assessments/nodejs-dependency-vuln-assessments/dep_checker/dependencies.py", line 29, in get_cpe
    return f"cpe:2.3:a:{self.cpe.vendor}:{self.cpe.product}:{self.version_parser(repo_path)}:*:*:*:*:*:*:*"
  File "/home/runner/work/nodejs-dependency-vuln-assessments/nodejs-dependency-vuln-assessments/dep_checker/versions_parser.py", line 48, in get_c_ares_version
    raise RuntimeError("Error extracting version number for c-ares")
RuntimeError: Error extracting version number for c-ares
Error: Process completed with exit code 1.

Looks like newer c-ares has multiple spaces in the definition of ARES_VERSION_STR that breaks the existing parsing.
Updated and trying again: https://github.com/nodejs/nodejs-dependency-vuln-assessments/actions/runs/29594101003

@richardlau richardlau changed the title fix: sqlite and zstd version parsing fix: c-ares, sqlite and zstd version parsing Jul 17, 2026
@richardlau richardlau mentioned this pull request Jul 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Workflow broken

1 participant