fix(uC/lib): handling of product names with special characters

[JigyasuRajput]

Description-

Fixes #4417
In this issue cve-bin tool was deleting the triage data for micrium uC/Lib, it showed unexplored in the html & csv reports (which was not expected)

This was occurring because of the way URNs were parsed in cve-bin tool for the product names (specially for special characters like "/")
for ex - urn:cbt:1/micrium#uc/lib:1.38.01 - the slash in "uc/lib" was causing the issue.

Solution -

• Improved the current URN handling to make sure slashes in the product names are maintained
• HTML ID Normalization - Added a normalize_id() function which safely converts product names with special characters into valid HTML IDs
• added tests to reproduce and verify the fix

Steps to reproduce the issue From comments

1. add the file test_SBOM.csv
2. add the file test_cve-bin-tool_triageFile.json
3. Run this command (with venv) -
   cve-bin-tool -i test_SBOM.csv --vex-file test_cve-bin-tool_triageFile.json -f csv,html --vex-output triage0919a.json

Python version - Python 3.11.0rc1
OS - Windows 10 (WSL)

Output after the fix - Output csv file

Html reports screenshots -

1. 
2. 

[terriko]

I'm going to approve the tests to run, but I'm not sure if this will actually solve our problem: we may need less normalization because I think the character is actually in the CPE definition so taking it out may break things.

[ffontaine]

In addition to @terriko remark, location has been dropped from ProductInfo since commit 96ff61b resulting in the following build failure:

FAILED test/test_vex.py::TestVexParse::test_parse_cyclonedx[cyclonedx-test_cyclonedx_vex.json-expected_parsed_data0] - TypeError: ProductInfo.__new__() got an unexpected keyword argument 'location'

PR should be updated to take this change into account.

[JigyasuRajput]

yes! thanks for information, and sorry for the delay (due to end-sem exams). I'll soon update the PR to fix this issue...

[terriko]

Looks like the tests most definitely did not pass, and this may need some other updates, so I'm marking it as needing changes.

[JigyasuRajput]

Hey!
Just an update on this PR, I reduced the normalization and addressed the location parameter (which was dropped) the scan is working fine i.e

1. it's not deleting triage data based on the product name mismatch (for uc/lib)
2. it does show the actual vulnerabilities after the scan in the reports (which it deleted initially).

However, while testing with another file, I ran into an issue — it does show the triage data for uc/lib, but it marked it as "unexplored" (this worked fine in the other file).
I'll try fixing this and then push the code for feedback and further improvements in it.

[JigyasuRajput]

Hi @terriko, I've improved the normalization on HTML IDs, added normalization to cve parser and to the product name for comparison.
Also I tried to reduce normalization but it was not fixing the bug completely, the code was using raw slashes ('/' i.e uc/lib), while in other places it was using escaped slashes ('\ /' i.e uc\ /lib). When the VEX parser was trying to match the product info from the VEX file with what was already in the scanner's database, the different representations caused a mismatch.

I know this still might need improvements, but I wanted to get your thoughts on the approach first before I go ahead with test fixes and cleanup.

[terriko]

I'm going to approve the tests to run, but some general feedback:

• We should see if we can handle escaped characters directly through the python CSV libary rather than having to do quite so many replace functions. I feel like it's got to be possible but I haven't really dug through the docs yet: https://docs.python.org/3/library/csv.html
• I see you've got a normalize_product_name in parse_csv but aren't using the same "use a utility function" elsewhere. is there a reason for that? We probably want to just stick this into cve_bin_tool.util and re-use as much as possible.

[JigyasuRajput]

I'm going to approve the tests to run, but some general feedback:

• We should see if we can handle escaped characters directly through the python CSV libary rather than having to do quite so many replace functions. I feel like it's got to be possible but I haven't really dug through the docs yet: https://docs.python.org/3/library/csv.html
• I see you've got a normalize_product_name in parse_csv but aren't using the same "use a utility function" elsewhere. is there a reason for that? We probably want to just stick this into cve_bin_tool.util and re-use as much as possible.

thanks for the feedback!
Yes I'll need to do some digging, I also believe that the issue also lies in the way in which HTML and JS handles these special characters (along with the csv parsing logic). But yes I agree I should be using the built in library to avoid any breaking changes 👍