in CVE Tool 3.2.1, --report parameter is not generate report file when no CVE found. Same issue observe in 3.3

[zongtaol]

Description

In an Linux environment, I pip install the cve-bin-tool and try to operation a python scan to generate PDF report. with --report tag which should generate report even there is no CVE found. where as the report file is not generated after scan finished. Test on both 3.2.1 & 3.3 version.

To reproduce

Steps to reproduce the behaviour:

1. docker pull amr-registry.caas.intel.com/owr/base_lnx:develop
2. docker run -it amr-registry.caas.intel.com/owr/base_lnx:develop
3. pip install cve-bin-tool==3.2.1 or 3.3
4. create a tmp folder and add requirement.txt in the folder with cve-bin-tool as text
5. cve-bin-tool tmp/requirement.txt --format=pdf --output-file=/OWR/tmp/MY_CVEScan_Report.pdf --report --log=debug
6. cd tmpDir, then ls, there is no MY_CVEScan_Report.pdf listed.

Expected behaviour: Should be a MY_CVEScan_Report.pdf under /OWR/tmp/
Actual behaviour: no pdf generated.

Version/platform info

Version of CVE-bin-tool( e.g. output of cve-bin-tool --version): 3.2.1 & 3.3
Installed from pypi or github? From Pip install
Operating system: Linux/Windows (other platforms are unsupported but feel free to report issues anyhow)

• On Linux (or Windows Subsystem for Linux) you can run uname -a Linux system
• On Windows you can run systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
  Python version (e.g. python3 --version):
  Running in any particular CI environment we should know about? (e.g. Github Actions)

Anything else?

The container was built based on ubuntu image which add few intel certificated and proxy setting. if any dockerfile setting could potentially causing this issue. please let me know. Attached dockefile link below.

Since my local system is Windows and some scanning only support on linux system, I can only reproduce this issue on container instead of my local machine.

amr-registry.caas.intel.com/owr/base_lnx:develop.
https://github.com/intel-innersource/frameworks.devops.intel-devops-framework.abi.core/blob/main/.devcontainer/Linux/BaseDockerfile

[terriko]

That is most definitely a bug.

First question: do you have reportlab installed? It's supposed to print out a warning message if you don't have it but that will also cause no pdf report to be generated (even if there are cves found it'll fail to make a report).

We currently print a message encouraging you to install reportlab, but don't abort the scan, so it can be easy to miss in the output. Back when the message was added our checker list was shorter and didn't push it off the screen -- we may need to re-evaluate how that's handled to make it more clear.

That said, even with reportlab installed I"m getting an error when trying to produce a null report:

│   206 │   │   │   │   │   )                                                                      │
│   207 │   │   │   │   │   row += 1                                                               │
│   208 │   │   │   pdfdoc.showtable("Productlist", widths=[3 * cm, 2 * cm, 2 * cm])               │
│ ❱ 209 │   │   │   pdfdoc.paragraph("* vendors guessed by the tool") if star_warn else None       │
│   210 │   │   │   pdfdoc.paragraph(                                                              │
│   211 │   │   │   │   f"There are {products_with_cve} products with vulnerabilities found."      │
│   212 │   │   │   )                                                                              │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
UnboundLocalError: cannot access local variable 'star_warn' where it is not associated with a value

so it looks like you've definitely found a bug. Sounds like we need a fix for that and a regression test for "empty" pdf generation.

[zongtaol]

Yes, I can reproduce this error message when I installed reportlab. After install reportlab, the PDF was generated but shows above error. I believe the expected behavior would be generate report without any error. Thank you confirm this for me. And let me know if you got ETA for fixing this. it's impact one of our customer. Thank you.

[terriko]

Lucky you -- I noticed this before I logged out for the day. Turns out it's a one-line fix just to get it working again (though it'll take me longer to set up a test and stuff). PR is here if you don't mind trying it out and making sure it works for you: #4329

Do you need this in a released version or is a patch good enough for your customer?

Since the person who normally does code review for me is out today (and I need to go in half an hour), I'll likely get the fix code reviewed and approved on Monday (or you may be able to review and approve it yourself if you're already set up for internal Intel access). I'm hoping to cut a preview pre-release later next week, but it'll probably be at least another 2 weeks before I do the 3.4 release.

[zongtaol]

Thanks for the quick update. I believe we can wait for your 3.4 release. Please let me know once you release the 3.4 for CVE-bin-tool and we will validate this with our customer again.