Dump yaml in favor of saneyaml

requirements.txt

@@ -57,4 +57,5 @@ zipp==0.6.0
 requests==2.23.0
 toml==0.10.2
 PyYAML==5.4
-freezegun==1.1.0
+freezegun==1.1.0
+saneyaml==0.5.2

vulnerabilities/helpers.py

@@ -28,9 +28,9 @@
 from typing import List
 
 import requests
+import saneyaml
 import toml
 import urllib3
-import yaml
 from packageurl import PackageURL
 from univers.versions import version_class_by_package_type
 
@@ -49,7 +49,7 @@ class AffectedPackage:
 
 def load_yaml(path):
     with open(path) as f:
-        return yaml.safe_load(f)
+        return saneyaml.load(f)
 
 
 def load_json(path):
@@ -64,7 +64,7 @@ def load_toml(path):
 
 def fetch_yaml(url):
     response = requests.get(url)
-    return yaml.safe_load(response.content)
+    return saneyaml.load(response.content)
 
 
 # FIXME: this is NOT how etags work .

vulnerabilities/importers/alpine_linux.py

@@ -28,7 +28,7 @@
 from typing import Set
 
 import requests
-import yaml
+import saneyaml
 from bs4 import BeautifulSoup
 from packageurl import PackageURL
 from schema import Or
@@ -113,7 +113,7 @@ def updated_advisories(self) -> Set[Advisory]:
     def _process_link(self, link) -> List[Advisory]:
         advisories = []
         yaml_response = requests.get(link).content
-        record = yaml.safe_load(yaml_response)
+        record = saneyaml.load(yaml_response)
 
         if record["packages"] is None:
             return advisories

vulnerabilities/importers/elixir_security.py

@@ -19,21 +19,19 @@
 #  for any legal advice.
 #  VulnerableCode is a free software tool from nexB Inc. and others.
 #  Visit https://github.com/nexB/vulnerablecode/ for support and download.
-
 import asyncio
-from typing import List, Set
+from typing import Set
 
-import yaml
+from packageurl import PackageURL
 from univers.version_specifier import VersionSpecifier
 from univers.versions import SemverVersion
-from packageurl import PackageURL
 
-from vulnerabilities.data_source import GitDataSource
 from vulnerabilities.data_source import Advisory
+from vulnerabilities.data_source import GitDataSource
 from vulnerabilities.data_source import Reference
-from vulnerabilities.package_managers import HexVersionAPI
 from vulnerabilities.helpers import load_yaml
 from vulnerabilities.helpers import nearest_patched_package
+from vulnerabilities.package_managers import HexVersionAPI
 
 
 class ElixirSecurityDataSource(GitDataSource):

vulnerabilities/importers/istio.py

@@ -19,19 +19,21 @@
 #  for any legal advice.
 #  VulnerableCode is a free software tool from nexB Inc. and others.
 #  Visit https://github.com/nexB/vulnerablecode/ for support and download.
-
 import asyncio
 import re
-from typing import List, Set
-import yaml
+from typing import List
+from typing import Set
 
+import saneyaml
+from packageurl import PackageURL
 from univers.version_specifier import VersionSpecifier
 from univers.versions import SemverVersion
-from packageurl import PackageURL
 
-from vulnerabilities.data_source import Advisory, GitDataSource, Reference
-from vulnerabilities.package_managers import GitHubTagsAPI
+from vulnerabilities.data_source import Advisory
+from vulnerabilities.data_source import GitDataSource
+from vulnerabilities.data_source import Reference
 from vulnerabilities.helpers import nearest_patched_package
+from vulnerabilities.package_managers import GitHubTagsAPI
 
 is_release = re.compile(r"^[\d.]+$", re.IGNORECASE).match
 
@@ -89,7 +91,7 @@ def get_data_from_yaml_lines(self, yaml_lines):
             'cves': '[CVE-2019-12243]'}
         """
 
-        return yaml.safe_load("\n".join(yaml_lines))
+        return saneyaml.load("\n".join(yaml_lines))
 
     def get_yaml_lines(self, lines):
         """The istio advisory file contains lines similar to yaml format .

vulnerabilities/importers/suse_backports.py

@@ -19,13 +19,12 @@
 #  for any legal advice.
 #  VulnerableCode is a free software code scanning tool from nexB Inc. and others.
 #  Visit https://github.com/nexB/vulnerablecode/ for support and download.
-
-import yaml
 import dataclasses
 
 import requests
-from packageurl import PackageURL
+import saneyaml
 from bs4 import BeautifulSoup
+from packageurl import PackageURL
 
 from vulnerabilities.data_source import Advisory
 from vulnerabilities.data_source import DataSource
@@ -65,7 +64,7 @@ def _fetch_yaml(self, url):
         try:
             resp = requests.get(url)
             resp.raise_for_status()
-            return yaml.safe_load(resp.content)
+            return saneyaml.load(resp.content)
 
         except requests.HTTPError:
             return {}

vulnerabilities/importers/suse_scores.py

@@ -45,23 +45,23 @@ def to_advisory(score_data):
             for cvss_score in score_data[cve_id]["cvss"]:
                 score = None
                 vector = None
-                if cvss_score["version"] == 2.0:
+                if cvss_score["version"] == "2.0":
                     score = VulnerabilitySeverity(
                         system=scoring_systems["cvssv2"], value=str(cvss_score["score"])
                     )
                     vector = VulnerabilitySeverity(
                         system=scoring_systems["cvssv2_vector"], value=str(cvss_score["vector"])
                     )
 
-                elif cvss_score["version"] == 3:
+                elif cvss_score["version"] == "3":
                     score = VulnerabilitySeverity(
                         system=scoring_systems["cvssv3"], value=str(cvss_score["score"])
                     )
                     vector = VulnerabilitySeverity(
                         system=scoring_systems["cvssv3_vector"], value=str(cvss_score["vector"])
                     )
 
-                elif cvss_score["version"] == 3.1:
+                elif cvss_score["version"] == "3.1":
                     score = VulnerabilitySeverity(
                         system=scoring_systems["cvssv3.1"], value=str(cvss_score["score"])
                     )

vulnerabilities/tests/test_alpine.py

@@ -20,15 +20,13 @@
 #  for any legal advice.
 #  VulnerableCode is a free software tool from nexB Inc. and others.
 #  Visit https://github.com/nexB/vulnerablecode/ for support and download.
-
 import os
-import yaml
 from unittest import TestCase
-from unittest.mock import patch, MagicMock
-
-from packageurl import PackageURL
+from unittest.mock import MagicMock
+from unittest.mock import patch
 
-from vulnerabilities.data_source import Advisory, Reference
+from vulnerabilities.data_source import Advisory
+from vulnerabilities.data_source import Reference
 from vulnerabilities.importers.alpine_linux import AlpineDataSource
 
 

vulnerabilities/tests/test_istio.py

@@ -20,7 +20,6 @@
 #  VulnerableCode is a free software tool from nexB Inc. and others.
 #  Visit https://github.com/nexB/vulnerablecode/ for support and download.
 
-import datetime
 import os
 from collections import OrderedDict
 from unittest import TestCase
@@ -70,7 +69,7 @@ def test_get_data_from_md(self):
             "cvss": "8.9",
             "vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N/E:H/RL:O/RC:C",
             "releases": ["1.1 to 1.1.15", "1.2 to 1.2.6", "1.3 to 1.3.1"],
-            "publishdate": datetime.date(2019, 5, 28),
+            "publishdate": "2019-05-28",
         }
 
         assert expected_data == actual_data