
fix: check if 'type' is in severity for the OSV source #5240


Merged
merged 4 commits into from
Jul 28, 2025


sbunwired
Contributor

Lately cve-bin-tool runs have been failing due to malformed (or outdated?) schemas in the OSV source. I'm constantly running into either `cve_bin_tool - Unable to fetch OSV CVEs, skipping OSV.` or

Full traceback
15:55:09  [13:55:04] INFO     cve_bin_tool - Getting Open Source         osv_source.py:161
15:55:09                      Vulnerability Database CVEs...                              
15:58:45  ╭───────────────────── Traceback (most recent call last) ──────────────────────╮
15:58:45  │ /tmp/workspace/.venv/bin/cve-bin-tool:8 in <module>     │
15:58:45  │                                                                              │
15:58:45  │   5 from cve_bin_tool.cli import main                                        │
15:58:45  │   6 if __name__ == '__main__':                                               │
15:58:45  │   7 │   sys.argv[0] = re.sub(r'(-script\.pyw|\.exe)?$', '', sys.argv[0])     │
15:58:45  │ ❱ 8 │   sys.exit(main())                                                     │
15:58:45  │   9                                                                          │
15:58:45  │                                                                              │
15:58:45  │ /tmp/workspace/.venv/lib/python3.10/site-packages/cve_b │
15:58:45  │ in_tool/cli.py:891 in main                                                   │
15:58:45  │                                                                              │
15:58:45  │    888 │                                                                     │
15:58:45  │    889 │   # update db if needed                                             │
15:58:45  │    890 │   if db_update != "never":                                          │
15:58:45  │ ❱  891 │   │   cvedb_orig.get_cvelist_if_stale()                             │
15:58:45  │    892 │   else:                                                             │
15:58:45  │    893 │   │   LOGGER.warning("Not verifying CVE DB cache")                  │
15:58:45  │    894 │   │   if not cvedb_orig.check_cve_entries():                        │
15:58:45  │                                                                              │
15:58:45  │ /tmp/workspace/.venv/lib/python3.10/site-packages/cve_b │
15:58:45  │ in_tool/cvedb.py:316 in get_cvelist_if_stale                                 │
15:58:45  │                                                                              │
15:58:45  │    313 │   │   │   datetime.datetime.today()                                 │
15:58:45  │    314 │   │   │   - datetime.datetime.fromtimestamp(self.dbpath.stat().st_m │
15:58:45  │    315 │   │   ) > datetime.timedelta(hours=24):                             │
15:58:45  │ ❱  316 │   │   │   self.refresh_cache_and_update_db()                        │
15:58:45  │    317 │   │   │   self.time_of_last_update = datetime.datetime.today()      │
15:58:45  │    318 │   │   else:                                                         │
15:58:45  │    319 │   │   │   _ = self.get_db_update_date()                             │
15:58:45  │                                                                              │
15:58:45  │ /tmp/workspace/.venv/lib/python3.10/site-packages/cve_b │
15:58:45  │ in_tool/cvedb.py:299 in refresh_cache_and_update_db                          │
15:58:45  │                                                                              │
15:58:45  │    296 │   │   """Refresh cached NVD and update CVE database with latest dat │
15:58:45  │    297 │   │   self.LOGGER.debug("Updating CVE data. This will take a few mi │
15:58:45  │    298 │   │   # refresh the nvd cache                                       │
15:58:45  │ ❱  299 │   │   run_coroutine(self.refresh())                                 │
15:58:45  │    300 │   │                                                                 │
15:58:45  │    301 │   │   # if the database isn't open, open it                         │
15:58:45  │    302 │   │   self.init_database()                                          │
15:58:45  │                                                                              │
15:58:45  │ /tmp/workspace/.venv/lib/python3.10/site-packages/cve_b │
15:58:45  │ in_tool/async_utils.py:90 in run_coroutine                                   │
15:58:45  │                                                                              │
15:58:45  │    87 │   """                                                                │
15:58:45  │    88 │   loop = get_event_loop()                                            │
15:58:45  │    89 │   aws = asyncio.ensure_future(coro, loop=loop)                       │
15:58:45  │ ❱  90 │   result = loop.run_until_complete(aws)                              │
15:58:45  │    91 │   return result                                                      │
15:58:45  │    92                                                                        │
15:58:45  │    93                                                                        │
15:58:45  │                                                                              │
15:58:45  │ /usr/lib/python3.10/asyncio/base_events.py:649 in run_until_complete         │
15:58:45  │                                                                              │
15:58:45  │    646 │   │   if not future.done():                                         │
15:58:45  │    647 │   │   │   raise RuntimeError('Event loop stopped before Future comp │
15:58:45  │    648 │   │                                                                 │
15:58:45  │ ❱  649 │   │   return future.result()                                        │
15:58:45  │    650 │                                                                     │
15:58:45  │    651 │   def stop(self):                                                   │
15:58:45  │    652 │   │   """Stop running the event loop.                               │
15:58:45  │                                                                              │
15:58:45  │ /tmp/workspace/.venv/lib/python3.10/site-packages/cve_b │
15:58:45  │ in_tool/cvedb.py:293 in refresh                                              │
15:58:45  │                                                                              │
15:58:45  │    290 │   │   if self.version_check:                                        │
15:58:45  │    291 │   │   │   check_latest_version()                                    │
15:58:45  │    292 │   │                                                                 │
15:58:45  │ ❱  293 │   │   await self.get_data()                                         │
15:58:45  │    294 │                                                                     │
15:58:45  │    295 │   def refresh_cache_and_update_db(self) -> None:                    │
15:58:45  │    296 │   │   """Refresh cached NVD and update CVE database with latest dat │
15:58:45  │                                                                              │
15:58:45  │ /tmp/workspace/.venv/lib/python3.10/site-packages/cve_b │
15:58:45  │ in_tool/cvedb.py:403 in get_data                                             │
15:58:45  │                                                                              │
15:58:45  │    400 │   │   │   if source is not None:                                    │
15:58:45  │    401 │   │   │   │   tasks.append(source.get_cve_data())                   │
15:58:45  │    402 │   │                                                                 │
15:58:45  │ ❱  403 │   │   for r in await asyncio.gather(*tasks):                        │
15:58:45  │    404 │   │   │   self.data.append(r)                                       │
15:58:45  │    405 │                                                                     │
15:58:45  │    406 │   def init_database(self) -> None:                                  │
15:58:45  │                                                                              │
15:58:45  │ /tmp/workspace/.venv/lib/python3.10/site-packages/cve_b │
15:58:45  │ in_tool/data_sources/osv_source.py:375 in get_cve_data                       │
15:58:45  │                                                                              │
15:58:45  │   372 │   │                                                                  │
15:58:45  │   373 │   │   await self.update_cve_entries()                                │
15:58:45  │   374 │   │                                                                  │
15:58:45  │ ❱ 375 │   │   return self.format_data(self.all_cve_entries), self.source_nam │
15:58:45  │   376                                                                        │
15:58:45  │                                                                              │
15:58:45  │ /tmp/workspace/.venv/lib/python3.10/site-packages/cve_b │
15:58:45  │ in_tool/data_sources/osv_source.py:260 in format_data                        │
15:58:45  │                                                                              │
15:58:45  │   257 │   │   │                                                              │
15:58:45  │   258 │   │   │   # getting score                                            │
15:58:45  │   259 │   │   │   # OSV Schema currently only provides CVSS V3 scores, thoug │
15:58:45  │ ❱ 260 │   │   │   if severity is not None and "CVSS_V3" in [x["type"] for x  │
15:58:45  │   261 │   │   │   │   try:                                                   │
15:58:45  │   262 │   │   │   │   │   # Ensure CVSS vector is valid                      │
15:58:45  │   263 │   │   │   │   │   if severity[0]["score"].endswith("/"):             │
15:58:45  │                                                                              │
15:58:45  │ /tmp/workspace/.venv/lib/python3.10/site-packages/cve_b │
15:58:45  │ in_tool/data_sources/osv_source.py:260 in <listcomp>                         │
15:58:45  │                                                                              │
15:58:45  │   257 │   │   │                                                              │
15:58:45  │   258 │   │   │   # getting score                                            │
15:58:45  │   259 │   │   │   # OSV Schema currently only provides CVSS V3 scores, thoug │
15:58:45  │ ❱ 260 │   │   │   if severity is not None and "CVSS_V3" in [x["type"] for x  │
15:58:45  │   261 │   │   │   │   try:                                                   │
15:58:45  │   262 │   │   │   │   │   # Ensure CVSS vector is valid                      │
15:58:45  │   263 │   │   │   │   │   if severity[0]["score"].endswith("/"):             │
15:58:45  ╰──────────────────────────────────────────────────────────────────────────────╯
15:58:45  KeyError: 'type'

This aims to work around the issue by checking first for the 'type' key to avoid running into an exception.
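The kind of guard described above, as an added example that is not part of this pull request or of cve-bin-tool's code: it contrasts an unchecked `x["type"]` lookup with a tolerant extractor that skips malformed severity entries and picks the matching entry rather than the first one. The function names, the completion of the truncated line from the traceback, and the sample records are assumptions constructed for illustration.

```python
# Added example, not cve-bin-tool code. Names and sample records are constructed.

def unchecked_has_cvss_v3(severity):
    # Unchecked lookup of the kind the traceback points at: any entry
    # without a "type" key raises KeyError and aborts the whole update.
    return severity is not None and "CVSS_V3" in [x["type"] for x in severity]


def pick_cvss_v3(severity):
    """Return the CVSS_V3 vector from an OSV severity list, or None."""
    if not isinstance(severity, list):
        return None
    for entry in severity:
        # Skip entries that are not objects or that lack "type"/"score".
        if not isinstance(entry, dict) or entry.get("type") != "CVSS_V3":
            continue
        score = entry.get("score")
        if not isinstance(score, str) or not score.startswith("CVSS:3."):
            continue
        # The traceback's code tests for a trailing "/"; stripping it here
        # is this example's choice, not necessarily the project's.
        return score.rstrip("/")
    return None


def ingest(records):
    """Map record id -> vector, and list ids that had no usable CVSS v3 entry."""
    vectors, unscored = {}, []
    for rec in records:
        vector = pick_cvss_v3(rec.get("severity"))
        if vector is None:
            unscored.append(rec.get("id"))
        else:
            vectors[rec.get("id")] = vector
    return vectors, unscored


# Constructed OSV-style records (ids are placeholders).
SAMPLE_RECORDS = [
    {"id": "EXAMPLE-1", "severity": [{"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]},
    {"id": "EXAMPLE-2", "severity": [{"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]},  # "type" missing
    {"id": "EXAMPLE-3", "severity": [{"score": "7.5"}, {"type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/"}]},
    {"id": "EXAMPLE-4"},  # no severity at all
]

if __name__ == "__main__":
    print(ingest(SAMPLE_RECORDS))
```

Returning the list of unscored ids lets a scanner log which feed records were skipped instead of silently dropping them or failing the whole database refresh.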

@captainreality
Contributor

This seems to fix the problem in #5241.

Member

@mastersans mastersans left a comment


@sbunwired Thanks for the PR. Looks good to me. Black linters are failing, can you fix them?

@mastersans
Member

For now this should fix the issue. We may revisit this section of code when we want to add support for other severity types. Thanks once again!

@mastersans mastersans merged commit 4964eff into intel:main Jul 28, 2025
24 checks passed