From d51b97313a7041d828f4334220f3977ed57a205a Mon Sep 17 00:00:00 2001 From: ambuj Date: Sun, 23 Jun 2024 02:07:28 +0530 Subject: [PATCH 01/12] Add Almalinux advisories Added almalinux advisories and tests for it Signed-off-by: ambuj --- vulnerabilities/importers/__init__.py | 2 + vulnerabilities/importers/almalinux.py | 49 ++++++++ vulnerabilities/tests/test_almalinux.py | 114 ++++++++++++++++++ .../almalinux/almalinux_expected_1.json | 0 .../test_data/almalinux/almalinux_test_1.json | 35 ++++++ 5 files changed, 200 insertions(+) create mode 100644 vulnerabilities/importers/almalinux.py create mode 100644 vulnerabilities/tests/test_almalinux.py create mode 100644 vulnerabilities/tests/test_data/almalinux/almalinux_expected_1.json create mode 100644 vulnerabilities/tests/test_data/almalinux/almalinux_test_1.json diff --git a/vulnerabilities/importers/__init__.py b/vulnerabilities/importers/__init__.py index cedd8902b..8e09d08fc 100644 --- a/vulnerabilities/importers/__init__.py +++ b/vulnerabilities/importers/__init__.py @@ -7,6 +7,7 @@ # See https://aboutcode.org for more information about nexB OSS projects. # +from vulnerabilities.importers import almalinux from vulnerabilities.importers import alpine_linux from vulnerabilities.importers import apache_httpd from vulnerabilities.importers import apache_kafka @@ -71,6 +72,7 @@ oss_fuzz.OSSFuzzImporter, ruby.RubyImporter, github_osv.GithubOSVImporter, + almalinux.AlmaImporter, ] IMPORTERS_REGISTRY = {x.qualified_name: x for x in IMPORTERS_REGISTRY} diff --git a/vulnerabilities/importers/almalinux.py b/vulnerabilities/importers/almalinux.py new file mode 100644 index 000000000..5f88df24e --- /dev/null +++ b/vulnerabilities/importers/almalinux.py 
@@ -0,0 +1,49 @@
+#
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/nexB/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+import json
+import logging
+from pathlib import Path
+from typing import Any
+from typing import Iterable
+
+from vulnerabilities.importer import AdvisoryData
+from vulnerabilities.importer import Importer
+from vulnerabilities.importers.osv import parse_advisory_data
+from vulnerabilities.utils import get_advisory_url
+
+LOGGER = logging.getLogger(__name__)
+BASE_URL = "https://github.com/AlmaLinux/osv-database"
+
+
+class AlmaImporter(Importer):
+ spdx_license_expression = "MIT License"
+ license_url = "https://github.com/AlmaLinux/osv-database/blob/master/LICENSE"
+ importer_name = "Alma Linux Importer"
+
+ def advisory_data(self) -> Iterable[AdvisoryData]:
+ supported_ecosystems = ["AlmaLinux:8", "AlmaLinux:9"]
+ try:
+ self.clone(repo_url=self.BASE_URL)
+ base_path = Path(self.vcs_response.dest_dir)
+ advisory_dirs = base_path / "tree/master/advisories"
+ # Iterate throught the directories in the repo and get the .json files
+ for file in advisory_dirs.glob("**/*.json"):
+ advisory_url = get_advisory_url(
+ file=file,
+ base_path=base_path,
+ url="https://github.com/AlmaLinux/osv-database/blob/master",
+ )
+ with open(file) as f:
+ raw_data = json.load(f)
+ yield parse_advisory_data(raw_data, supported_ecosystems, advisory_url)
+ finally:
+ if self.vcs_response:
+ self.vcs_response.delete()
diff --git a/vulnerabilities/tests/test_almalinux.py b/vulnerabilities/tests/test_almalinux.py
new file mode 100644
index 000000000..91b846670
--- /dev/null
+++ b/vulnerabilities/tests/test_almalinux.py
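Review bot: `self.clone(repo_url=self.BASE_URL)` looks up `BASE_URL` on the instance, but this hunk only defines it as a module constant, so the call raises AttributeError unless the `Importer` base class supplies one; the fix is `self.clone(repo_url=BASE_URL)` (the same line is still present as context in the PATCH 04 hunk for this file). `advisory_dirs = base_path / "tree/master/advisories"` reads like a GitHub web path rather than a path inside the checkout — a clone has no `tree/master` directory, so the glob would match nothing; `base_path / "advisories"` is presumably what is intended, worth confirming against the repository layout. `spdx_license_expression = "MIT License"` is not a valid SPDX expression; the identifier is `MIT`. A single malformed `.json` file in the cloned repository would also abort the whole run through the uncaught `json.load` exception, so catching `json.JSONDecodeError` per file, logging it with the already-created `LOGGER`, and continuing keeps one bad upstream file from blocking every other advisory. `Any` is imported but unused, and the comment typo `throught` should read `through`.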
@@ -0,0 +1,114 @@ +# +# Copyright (c) nexB Inc. and others. All rights reserved. +# VulnerableCode is a trademark of nexB Inc. +# SPDX-License-Identifier: Apache-2.0 +# See http://www.apache.org/licenses/LICENSE-2.0 for the license text. +# See https://github.com/nexB/vulnerablecode for support or download. +# See https://aboutcode.org for more information about nexB OSS projects. +# +import json +import os +from unittest import TestCase + +from vulnerabilities.importers.osv import parse_advisory_data +from vulnerabilities.tests import util_tests + +BASE_DIR = os.path.dirname(os.path.abspath(__file__)) +TEST_DATA = os.path.join(BASE_DIR, "test_data/almalinux") + + +class AlmaImporter(TestCase): + def test_alma_importer1(self): + with open(os.path.join(TEST_DATA, "almalinux_test_1.json")) as f: + mock_response = json.load(f) + expected_file = os.path.join(TEST_DATA, "almalinux_expected_1.json") + imported_data = parse_advisory_data( + mock_response, + supported_ecosystems=["AlmaLinux:8"], + advisory_url="https://github.com/AlmaLinux/osv-database" + "/blob/master/advisories/almalinux8/almalinux_test_1.json", + ) + result = imported_data.to_dict() + print(f"The expected result is {result}") + util_tests.check_results_against_json(result, expected_file) + + # def test_github_osv_importer2(self): + # with open(os.path.join(TEST_DATA, "github_osv_test_2.json")) as f: + # mock_response = json.load(f) + # expected_file = os.path.join(TEST_DATA, "github_osv_expected_2.json") + # # if supported_ecosystems = [] : the expected affected_packages = [] + # imported_data = parse_advisory_data( + # mock_response, + # supported_ecosystems=[], + # advisory_url="https://github.com/github/advisory-database" + # "/blob/main/advisories/github-reviewed/github_osv_test_2.json", + # ) + # result = imported_data.to_dict() + # util_tests.check_results_against_json(result, expected_file) + + # def test_github_osv_importer3(self): + # with open(os.path.join(TEST_DATA, "github_osv_test_3.json")) 
as f: + # mock_response = json.load(f) + # expected_file = os.path.join(TEST_DATA, "github_osv_expected_3.json") + # imported_data = parse_advisory_data( + # mock_response, + # supported_ecosystems=["maven"], + # advisory_url="https://github.com/github/advisory-database" + # "/blob/main/advisories/github-reviewed/github_osv_test_3.json", + # ) + # result = imported_data.to_dict() + # util_tests.check_results_against_json(result, expected_file) + + # def test_github_osv_importer4(self): + # with open(os.path.join(TEST_DATA, "github_osv_test_4.json")) as f: + # mock_response = json.load(f) + # expected_file = os.path.join(TEST_DATA, "github_osv_expected_4.json") + # imported_data = parse_advisory_data( + # mock_response, + # supported_ecosystems=["gem"], + # advisory_url="https://github.com/github/advisory-database" + # "/blob/main/advisories/github-reviewed/github_osv_test_4.json", + # ) + # result = imported_data.to_dict() + # util_tests.check_results_against_json(result, expected_file) + + # def test_github_osv_importer5(self): + # # test golang + # with open(os.path.join(TEST_DATA, "github_osv_test_5.json")) as f: + # mock_response = json.load(f) + # expected_file = os.path.join(TEST_DATA, "github_osv_expected_5.json") + # imported_data = parse_advisory_data( + # mock_response, + # supported_ecosystems=["golang"], + # advisory_url="https://github.com/github/advisory-database" + # "/blob/main/advisories/github-reviewed/github_osv_test_5.json", + # ) + # result = imported_data.to_dict() + # util_tests.check_results_against_json(result, expected_file) + + # def test_github_osv_importer6(self): + # # test golang + # with open(os.path.join(TEST_DATA, "github_osv_test_6.json")) as f: + # mock_response = json.load(f) + # expected_file = os.path.join(TEST_DATA, "github_osv_expected_6.json") + # imported_data = parse_advisory_data( + # mock_response, + # supported_ecosystems=["golang"], + # advisory_url="https://github.com/github/advisory-database" + # 
"/blob/main/advisories/github-reviewed/github_osv_test_6.json", + # ) + # result = imported_data.to_dict() + # util_tests.check_results_against_json(result, expected_file) + + # def test_github_osv_importer7(self): + # with open(os.path.join(TEST_DATA, "github_osv_test_7.json")) as f: + # mock_response = json.load(f) + # expected_file = os.path.join(TEST_DATA, "github_osv_expected_7.json") + # imported_data = parse_advisory_data( + # mock_response, + # supported_ecosystems=["nuget"], + # advisory_url="https://github.com/github/advisory-database" + # "/blob/main/advisories/github-reviewed/github_osv_test_7.json", + # ) + # result = imported_data.to_dict() + # util_tests.check_results_against_json(result, expected_file) diff --git a/vulnerabilities/tests/test_data/almalinux/almalinux_expected_1.json b/vulnerabilities/tests/test_data/almalinux/almalinux_expected_1.json new file mode 100644 index 000000000..e69de29bb diff --git a/vulnerabilities/tests/test_data/almalinux/almalinux_test_1.json b/vulnerabilities/tests/test_data/almalinux/almalinux_test_1.json new file mode 100644 index 000000000..215e74aa2 --- /dev/null +++ b/vulnerabilities/tests/test_data/almalinux/almalinux_test_1.json @@ -0,0 +1,35 @@ +{ + "id": "ALBA-2019:3336", + "summary": "nss-altfiles bug fix and enhancement update", + "affected": [ + { + "package": { + "ecosystem": "AlmaLinux:8", + "name": "nss-altfiles" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.18.1-12.el8" + } + ] + } + ] + } + ], + "related": [], + "published": "2019-11-05T17:32:18Z", + "modified": "2021-11-12T10:20:54Z", + "details": "For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.", + "references": [ + { + "url": "https://errata.almalinux.org/8/ALBA-2019-3336.html", + "type": "ADVISORY" + } + ] +} \ No newline at end of file From c6e95bbf2a32d6271ab251f6a182963c27c7ad19 Mon Sep 17 00:00:00 2001 
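Review bot: The test class is named `AlmaImporter`, the same name as the importer class it exercises, which makes tracebacks ambiguous and departs from the `TestXxx` convention; `class TestAlmaImporter(TestCase):` is the usual form. The single test only covers an advisory whose ecosystem is in `supported_ecosystems`; a second case passing an advisory for an ecosystem outside the list and asserting `affected_packages == []` would pin the filtering behaviour the importer relies on.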
From: ambuj Date: Mon, 24 Jun 2024 15:46:01 +0530 Subject: [PATCH 02/12] added supported ecosystem to osv.py file Signed-off-by: ambuj --- vulnerabilities/importers/osv.py | 2 ++ vulnerabilities/tests/test_almalinux.py | 22 +++++++++++--- .../almalinux/almalinux_expected_1.json | 15 ++++++++++ .../almalinux/almalinux_expected_2.json | 0 .../almalinux/almalinux_expected_3.json | 0 .../test_data/almalinux/almalinux_test_2.json | 30 +++++++++++++++++++ .../test_data/almalinux/almalinux_test_3.json | 0 7 files changed, 65 insertions(+), 4 deletions(-) create mode 100644 vulnerabilities/tests/test_data/almalinux/almalinux_expected_2.json create mode 100644 vulnerabilities/tests/test_data/almalinux/almalinux_expected_3.json create mode 100644 vulnerabilities/tests/test_data/almalinux/almalinux_test_2.json create mode 100644 vulnerabilities/tests/test_data/almalinux/almalinux_test_3.json diff --git a/vulnerabilities/importers/osv.py b/vulnerabilities/importers/osv.py index 1ee45a1be..75a3bb86d 100644 --- a/vulnerabilities/importers/osv.py +++ b/vulnerabilities/importers/osv.py @@ -41,6 +41,8 @@ "go": "golang", "hex": "hex", "cargo": "cargo", + "almalinux:8": "AlmaLinux:8", + "almalinux:9": "AlmaLinux:9", } diff --git a/vulnerabilities/tests/test_almalinux.py b/vulnerabilities/tests/test_almalinux.py index 91b846670..1494cb1b9 100644 --- a/vulnerabilities/tests/test_almalinux.py +++ b/vulnerabilities/tests/test_almalinux.py 
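Review bot: The new mapping values `AlmaLinux:8` and `AlmaLinux:9` become the purl `type` of every affected package (the expected fixtures added later in this series show `"type": "almalinux:8"`), and the purl specification does not allow a colon in the type, so the resulting packages are not valid purls and will not match anything keyed by purl. The conventional encoding for an RPM-based distribution is type `rpm` with the distribution as the namespace and the distro release as a qualifier, which would require this ecosystem-to-package mapping to carry a namespace rather than only a bare type. The PATCH 03 hunk for this file only lower-cases the values and has the same problem. Whether the key should be lower-case depends on how `parse_advisory_data` normalises the ecosystem string before the lookup, which is outside this hunk.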
@@ -18,15 +18,29 @@ class AlmaImporter(TestCase): - def test_alma_importer1(self): - with open(os.path.join(TEST_DATA, "almalinux_test_1.json")) as f: + # def test_almalinux_importer1(self): + # with open(os.path.join(TEST_DATA, "almalinux_test_1.json")) as f: + # mock_response = json.load(f) + # expected_file = os.path.join(TEST_DATA, "almalinux_expected_1.json") + # imported_data = parse_advisory_data( + # mock_response, + # supported_ecosystems=["AlmaLinux:8"], + # advisory_url="https://github.com/AlmaLinux/osv-database" + # "/blob/master/advisories/almalinux8/almalinux_test_1.json", + # ) + # result = imported_data.to_dict() + # print(f"The expected result is {result}") + # util_tests.check_results_against_json(result, expected_file) + + def test_almalinux_importer2(self): + with open(os.path.join(TEST_DATA, "almalinux_test_2.json")) as f: mock_response = json.load(f) - expected_file = os.path.join(TEST_DATA, "almalinux_expected_1.json") + expected_file = os.path.join(TEST_DATA, "almalinux_expected_2.json") imported_data = parse_advisory_data( mock_response, supported_ecosystems=["AlmaLinux:8"], advisory_url="https://github.com/AlmaLinux/osv-database" - "/blob/master/advisories/almalinux8/almalinux_test_1.json", + "/blob/master/advisories/almalinux8/almalinux_test_2.json", ) result = imported_data.to_dict() print(f"The expected result is {result}") diff --git a/vulnerabilities/tests/test_data/almalinux/almalinux_expected_1.json b/vulnerabilities/tests/test_data/almalinux/almalinux_expected_1.json index e69de29bb..4cc77a291 100644 --- a/vulnerabilities/tests/test_data/almalinux/almalinux_expected_1.json +++ b/vulnerabilities/tests/test_data/almalinux/almalinux_expected_1.json 
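Review bot: Commenting out `test_almalinux_importer1` silently drops the only test written in PATCH 01 without recording why it is disabled; `@skip("expected fixture not yet generated")` on the method (with `skip` imported alongside `TestCase` from `unittest`) keeps it visible in the test report and leaves the code intact. A commit message that states the test was disabled pending the fixture would also help the next reader of this history.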
@@ -0,0 +1,15 @@ +{ + "aliases": ["ALBA-2019: 3336"], + "summary": "nss-altfiles bug fix and enhancement update\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.", "affected_packages": [], + "references": + [ + { + "reference_id": "", + "url": "https: //errata.almalinux.org/8/ALBA-2019-3336.html", + "severities": [] + } + ], + "date_published": "2019-11-05T17:32:18+00:00", + "weaknesses": [], + "url": "https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux8/almalinux_test_1.json" +} \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/almalinux/almalinux_expected_2.json b/vulnerabilities/tests/test_data/almalinux/almalinux_expected_2.json new file mode 100644 index 000000000..e69de29bb diff --git a/vulnerabilities/tests/test_data/almalinux/almalinux_expected_3.json b/vulnerabilities/tests/test_data/almalinux/almalinux_expected_3.json new file mode 100644 index 000000000..e69de29bb diff --git a/vulnerabilities/tests/test_data/almalinux/almalinux_test_2.json b/vulnerabilities/tests/test_data/almalinux/almalinux_test_2.json new file mode 100644 index 000000000..8328da6b7 --- /dev/null +++ b/vulnerabilities/tests/test_data/almalinux/almalinux_test_2.json @@ -0,0 +1,30 @@ +{ + "id": "ALEA-2019:3314", + "summary": "python3-azure-sdk bug fix and enhancement update", + "affected": [ + { + "package": { + "ecosystem": "AlmaLinux:8", + "name": "python3-azure-sdk" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "4.0.0-9.el8" + } + ] + } + ] + } + ], + "related": [], + "published": "2019-11-05T17:29:24Z", + "modified": "2021-08-11T11:18:28Z", + "details": "For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.", + "references": [] +} \ No newline at end of file 
diff --git a/vulnerabilities/tests/test_data/almalinux/almalinux_test_3.json b/vulnerabilities/tests/test_data/almalinux/almalinux_test_3.json new file mode 100644 index 000000000..e69de29bb From d7002f9e093311fe86868660f634b46209ad96c9 Mon Sep 17 00:00:00 2001 From: ambuj Date: Tue, 25 Jun 2024 19:16:19 +0530 Subject: [PATCH 03/12] added some more tests Signed-off-by: ambuj --- vulnerabilities/importers/osv.py | 4 +- vulnerabilities/tests/test_almalinux.py | 121 +++-------- .../almalinux/almalinux_expected_2.json | 9 + .../almalinux/almalinux_expected_3.json | 40 ++++ .../test_data/almalinux/almalinux_test_3.json | 191 ++++++++++++++++++ 5 files changed, 270 insertions(+), 95 deletions(-) diff --git a/vulnerabilities/importers/osv.py b/vulnerabilities/importers/osv.py index 75a3bb86d..e5fc7aa18 100644 --- a/vulnerabilities/importers/osv.py +++ b/vulnerabilities/importers/osv.py @@ -41,8 +41,8 @@ "go": "golang", "hex": "hex", "cargo": "cargo", - "almalinux:8": "AlmaLinux:8", - "almalinux:9": "AlmaLinux:9", + "almalinux:8": "almalinux:8", + "almalinux:9": "almalinux:9", } diff --git a/vulnerabilities/tests/test_almalinux.py b/vulnerabilities/tests/test_almalinux.py index 1494cb1b9..1fb6c5f3d 100644 --- a/vulnerabilities/tests/test_almalinux.py +++ b/vulnerabilities/tests/test_almalinux.py 
@@ -18,19 +18,19 @@ class AlmaImporter(TestCase): - # def test_almalinux_importer1(self): - # with open(os.path.join(TEST_DATA, "almalinux_test_1.json")) as f: - # mock_response = json.load(f) - # expected_file = os.path.join(TEST_DATA, "almalinux_expected_1.json") - # imported_data = parse_advisory_data( - # mock_response, - # supported_ecosystems=["AlmaLinux:8"], - # advisory_url="https://github.com/AlmaLinux/osv-database" - # "/blob/master/advisories/almalinux8/almalinux_test_1.json", - # ) - # result = imported_data.to_dict() - # print(f"The expected result is {result}") - # util_tests.check_results_against_json(result, expected_file) + def test_almalinux_importer1(self): + with open(os.path.join(TEST_DATA, "almalinux_test_1.json")) as f: + mock_response = json.load(f) + expected_file = os.path.join(TEST_DATA, "almalinux_expected_1.json") + imported_data = parse_advisory_data( + mock_response, + supported_ecosystems=["almalinux:8","almalinux:9"], + advisory_url="https://github.com/AlmaLinux/osv-database" + "/blob/master/advisories/almalinux8/almalinux_test_1.json", + ) + result = imported_data.to_dict() + # print(f"The expected result is {result}") + util_tests.check_results_against_json(result, expected_file) def test_almalinux_importer2(self): with open(os.path.join(TEST_DATA, "almalinux_test_2.json")) as f: 
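Review bot: `supported_ecosystems=["almalinux:8","almalinux:9"]` is lower-case while the `ecosystem` field in `almalinux_test_1.json` is `AlmaLinux:8`, so the assertion passes only if `parse_advisory_data` lower-cases the ecosystem before the membership check; that assumption should be stated in the test, e.g. `# parse_advisory_data compares ecosystems case-insensitively — see osv.py`, and confirmed against osv.py, which is not in this hunk. The missing space after the comma in the list literal would not survive a black run, if the project formats with it; the same literal appears in the two hunks that follow in this file.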
@@ -38,91 +38,26 @@ def test_almalinux_importer2(self): expected_file = os.path.join(TEST_DATA, "almalinux_expected_2.json") imported_data = parse_advisory_data( mock_response, - supported_ecosystems=["AlmaLinux:8"], + supported_ecosystems=["almalinux:8","almalinux:9"], advisory_url="https://github.com/AlmaLinux/osv-database" "/blob/master/advisories/almalinux8/almalinux_test_2.json", ) result = imported_data.to_dict() - print(f"The expected result is {result}") + # print(f"The expected result is {result}") util_tests.check_results_against_json(result, expected_file) - # def test_github_osv_importer2(self): - # with open(os.path.join(TEST_DATA, "github_osv_test_2.json")) as f: - # mock_response = json.load(f) - # expected_file = os.path.join(TEST_DATA, "github_osv_expected_2.json") - # # if supported_ecosystems = [] : the expected affected_packages = [] - # imported_data = parse_advisory_data( - # mock_response, - # supported_ecosystems=[], - # advisory_url="https://github.com/github/advisory-database" - # "/blob/main/advisories/github-reviewed/github_osv_test_2.json", - # ) - # result = imported_data.to_dict() - # util_tests.check_results_against_json(result, expected_file) - - # def test_github_osv_importer3(self): - # with open(os.path.join(TEST_DATA, "github_osv_test_3.json")) as f: - # mock_response = json.load(f) - # expected_file = os.path.join(TEST_DATA, "github_osv_expected_3.json") - # imported_data = parse_advisory_data( - # mock_response, - # supported_ecosystems=["maven"], - # advisory_url="https://github.com/github/advisory-database" - # "/blob/main/advisories/github-reviewed/github_osv_test_3.json", - # ) - # result = imported_data.to_dict() - # util_tests.check_results_against_json(result, expected_file) - - # def test_github_osv_importer4(self): - # with open(os.path.join(TEST_DATA, "github_osv_test_4.json")) as f: - # mock_response = json.load(f) - # expected_file = os.path.join(TEST_DATA, "github_osv_expected_4.json") - # imported_data = 
parse_advisory_data( - # mock_response, - # supported_ecosystems=["gem"], - # advisory_url="https://github.com/github/advisory-database" - # "/blob/main/advisories/github-reviewed/github_osv_test_4.json", - # ) - # result = imported_data.to_dict() - # util_tests.check_results_against_json(result, expected_file) - - # def test_github_osv_importer5(self): - # # test golang - # with open(os.path.join(TEST_DATA, "github_osv_test_5.json")) as f: - # mock_response = json.load(f) - # expected_file = os.path.join(TEST_DATA, "github_osv_expected_5.json") - # imported_data = parse_advisory_data( - # mock_response, - # supported_ecosystems=["golang"], - # advisory_url="https://github.com/github/advisory-database" - # "/blob/main/advisories/github-reviewed/github_osv_test_5.json", - # ) - # result = imported_data.to_dict() - # util_tests.check_results_against_json(result, expected_file) + def test_github_osv_importer3(self): + with open(os.path.join(TEST_DATA, "almalinux_test_3.json")) as f: + mock_response = json.load(f) + expected_file = os.path.join(TEST_DATA, "almalinux_expected_3.json") + imported_data = parse_advisory_data( + mock_response, + supported_ecosystems=["almalinux:8","almalinux:9"], + advisory_url="https://github.com/AlmaLinux/osv-database" + "/blob/master/advisories/almalinux8/almalinux_test_3.json", + ) + result = imported_data.to_dict() + # print(f"The expected result is {result}") + util_tests.check_results_against_json(result, expected_file) - # def test_github_osv_importer6(self): - # # test golang - # with open(os.path.join(TEST_DATA, "github_osv_test_6.json")) as f: - # mock_response = json.load(f) - # expected_file = os.path.join(TEST_DATA, "github_osv_expected_6.json") - # imported_data = parse_advisory_data( - # mock_response, - # supported_ecosystems=["golang"], - # advisory_url="https://github.com/github/advisory-database" - # "/blob/main/advisories/github-reviewed/github_osv_test_6.json", - # ) - # result = imported_data.to_dict() - # 
util_tests.check_results_against_json(result, expected_file) - # def test_github_osv_importer7(self): - # with open(os.path.join(TEST_DATA, "github_osv_test_7.json")) as f: - # mock_response = json.load(f) - # expected_file = os.path.join(TEST_DATA, "github_osv_expected_7.json") - # imported_data = parse_advisory_data( - # mock_response, - # supported_ecosystems=["nuget"], - # advisory_url="https://github.com/github/advisory-database" - # "/blob/main/advisories/github-reviewed/github_osv_test_7.json", - # ) - # result = imported_data.to_dict() - # util_tests.check_results_against_json(result, expected_file) diff --git a/vulnerabilities/tests/test_data/almalinux/almalinux_expected_2.json b/vulnerabilities/tests/test_data/almalinux/almalinux_expected_2.json index e69de29bb..b4299edb1 100644 --- a/vulnerabilities/tests/test_data/almalinux/almalinux_expected_2.json +++ b/vulnerabilities/tests/test_data/almalinux/almalinux_expected_2.json @@ -0,0 +1,9 @@ +{ + "aliases": ["ALEA-2019:3314"], + "summary": "python3-azure-sdk bug fix and enhancement update\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.", + "affected_packages": [], + "references": [], + "date_published": "2019-11-05T17:29:24+00:00", + "weaknesses": [], + "url": "https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux8/almalinux_test_2.json" +} \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/almalinux/almalinux_expected_3.json b/vulnerabilities/tests/test_data/almalinux/almalinux_expected_3.json index e69de29bb..3c816c348 100644 --- a/vulnerabilities/tests/test_data/almalinux/almalinux_expected_3.json +++ b/vulnerabilities/tests/test_data/almalinux/almalinux_expected_3.json 
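Review bot: `test_github_osv_importer3` is a copy-paste leftover from the GitHub OSV tests and should be `test_almalinux_importer3` to match its two siblings and the fixture it loads. The `advisory_url` it passes points at `advisories/almalinux8/almalinux_test_3.json` although every package in that fixture is in the `AlmaLinux:9` ecosystem; the value flows into the expected `url` field unchanged, so it is not wrong, but `almalinux9` would keep the fixture self-consistent (with the same change in `almalinux_expected_3.json`).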
@@ -0,0 +1,40 @@ +{ + "aliases": ["ALSA-2022:8221"], + "summary": "Moderate: xorg-x11-server security and bug fix update\nX.Org is an open-source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon.\n\nSecurity Fix(es):\n\n* xorg-x11-server: X.Org Server ProcXkbSetGeometry out-of-bounds access (CVE-2022-2319)\n* xorg-x11-server: out-of-bounds access in ProcXkbSetDeviceInfo request handler of the Xkb extension (CVE-2022-2320)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.", + "affected_packages": [], + "references": [ + { + "reference_id": "", + "url": "", + "severities": [] + }, + { + "reference_id": "", + "url": "https://access.redhat.com/security/cve/CVE-2022-2319", + "severities": [] + }, + { + "reference_id": "", + "url": "https://access.redhat.com/security/cve/CVE-2022-2320", + "severities": [] + }, + { + "reference_id": "", + "url": "https://bugzilla.redhat.com/2106671", + "severities": [] + }, + { + "reference_id": "", + "url": "https://bugzilla.redhat.com/2106683", + "everities": [] + }, + { + "reference_id": "", + "url": "https://errata.almalinux.org/9/ALSA-2022-8221.html", + "severities": [] + } + ], + "date_published": "2022-11-15T00:00:00+00:00", + "weaknesses": [], + "url": "https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux8/almalinux_test_3.json" +} \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/almalinux/almalinux_test_3.json b/vulnerabilities/tests/test_data/almalinux/almalinux_test_3.json index e69de29bb..f2a43032e 100644 --- a/vulnerabilities/tests/test_data/almalinux/almalinux_test_3.json 
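Review bot: The fifth reference entry has the key `"everities": []` instead of `"severities": []`, so this expected file cannot match the parser output whatever the parser does; fix the key. The first reference entry carries `"url": ""` although the corresponding input in `almalinux_test_3.json` lists `https://access.redhat.com/errata/RHSA-2022:8221` — if `parse_advisory_data` really blanks that URL the fixture is pinning a bug, otherwise the fixture is wrong; either way the empty string deserves a look before the expected file is accepted.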
+++ b/vulnerabilities/tests/test_data/almalinux/almalinux_test_3.json 
@@ -0,0 +1,191 @@ +{ + "id": "ALSA-2022:8221", + "summary": "Moderate: xorg-x11-server security and bug fix update", + "affected": [ + { + "package": { + "ecosystem": "AlmaLinux:9", + "name": "xorg-x11-server-Xdmx" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.20.11-11.el9" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "AlmaLinux:9", + "name": "xorg-x11-server-Xephyr" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.20.11-11.el9" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "AlmaLinux:9", + "name": "xorg-x11-server-Xnest" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.20.11-11.el9" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "AlmaLinux:9", + "name": "xorg-x11-server-Xorg" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.20.11-11.el9" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "AlmaLinux:9", + "name": "xorg-x11-server-Xvfb" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.20.11-11.el9" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "AlmaLinux:9", + "name": "xorg-x11-server-common" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.20.11-11.el9" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "AlmaLinux:9", + "name": "xorg-x11-server-devel" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.20.11-11.el9" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "AlmaLinux:9", + "name": "xorg-x11-server-source" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.20.11-11.el9" + } + ] + } + ] + } + ], + "related": [ + "CVE-2022-2319", + "CVE-2022-2320" + ], + 
"published": "2022-11-15T00:00:00Z", + "modified": "2022-11-18T13:12:08Z", + "details": "X.Org is an open-source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon.\n\nSecurity Fix(es)n\n* xorg-x11-server: X.Org Server ProcXkbSetGeometry out-of-bounds access (CVE-2022-2319)\n* xorg-x11-server: out-of-bounds access in ProcXkbSetDeviceInfo request handler of the Xkb extension VE-2022-2320)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\nAdditional Changes:\n\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.", + "references": [ + { + "url": "https://access.redhat.com/errata/RHSA-2022:8221", + "type": "ADVISORY" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2022-2319", + "type": "REPORT" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2022-2320", + "type": "REPORT" + }, + { + "url": "https://bugzilla.redhat.com/2106671", + "type": "REPORT" + }, + { + "url": "https://bugzilla.redhat.com/2106683", + "type": "REPORT" + }, + { + "url": "https://errata.almalinux.org/9/ALSA-2022-8221.html", + "type": "ADVISORY" + } + ] +} \ No newline at end of file From 4746d788656bf08f884ccb99d1c5e6046dfa34c5 Mon Sep 17 00:00:00 2001 From: ambuj Date: Tue, 2 Jul 2024 18:25:12 +0530 Subject: [PATCH 04/12] add tests for almalinux versions Signed-off-by: ambuj --- vulnerabilities/importers/almalinux.py | 2 +- vulnerabilities/tests/test_almalinux.py | 3 --- .../almalinux/almalinux_expected_1.json | 26 ++++++++++++------- .../almalinux/almalinux_expected_2.json | 10 ++++++- .../almalinux/almalinux_expected_3.json | 18 ++++++++++--- 5 files changed, 40 insertions(+), 19 deletions(-) 
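Review bot: The `details` string in this fixture is corrupted relative to the advisory text it is meant to mirror: `Security Fix(es)n\n` has lost its colon, `VE-2022-2320)` has lost `(C`, and `\nAdditional Changes` is missing one `\n`, while the `almalinux_expected_3.json` hunk added in the same commit still carries the intact `Security Fix(es):\n` / `(CVE-2022-2320)` / `\n\nAdditional Changes` text. The PATCH 04 hunk for `almalinux_expected_3.json` then propagates the corrupted text into the expected summary, which would bake the damage into the test instead of fixing it. Re-copying the `details` value from the upstream advisory file repairs both fixtures at once.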
diff --git a/vulnerabilities/importers/almalinux.py b/vulnerabilities/importers/almalinux.py index 5f88df24e..a643d9af4 100644 --- a/vulnerabilities/importers/almalinux.py +++ b/vulnerabilities/importers/almalinux.py @@ -29,7 +29,7 @@ class AlmaImporter(Importer): importer_name = "Alma Linux Importer" def advisory_data(self) -> Iterable[AdvisoryData]: - supported_ecosystems = ["AlmaLinux:8", "AlmaLinux:9"] + supported_ecosystems = ["almalinux:8", "almalinux:9"] try: self.clone(repo_url=self.BASE_URL) base_path = Path(self.vcs_response.dest_dir) diff --git a/vulnerabilities/tests/test_almalinux.py b/vulnerabilities/tests/test_almalinux.py index 1fb6c5f3d..d49fce3f3 100644 --- a/vulnerabilities/tests/test_almalinux.py +++ b/vulnerabilities/tests/test_almalinux.py @@ -29,7 +29,6 @@ def test_almalinux_importer1(self): "/blob/master/advisories/almalinux8/almalinux_test_1.json", ) result = imported_data.to_dict() - # print(f"The expected result is {result}") util_tests.check_results_against_json(result, expected_file) def test_almalinux_importer2(self): @@ -43,7 +42,6 @@ def test_almalinux_importer2(self): "/blob/master/advisories/almalinux8/almalinux_test_2.json", ) result = imported_data.to_dict() - # print(f"The expected result is {result}") util_tests.check_results_against_json(result, expected_file) def test_github_osv_importer3(self): @@ -57,7 +55,6 @@ def test_github_osv_importer3(self): "/blob/master/advisories/almalinux8/almalinux_test_3.json", ) result = imported_data.to_dict() - # print(f"The expected result is {result}") util_tests.check_results_against_json(result, expected_file) diff --git a/vulnerabilities/tests/test_data/almalinux/almalinux_expected_1.json b/vulnerabilities/tests/test_data/almalinux/almalinux_expected_1.json index 4cc77a291..892f0b2ce 100644 --- a/vulnerabilities/tests/test_data/almalinux/almalinux_expected_1.json +++ b/vulnerabilities/tests/test_data/almalinux/almalinux_expected_1.json 
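Review bot: `supported_ecosystems = ["almalinux:8", "almalinux:9"]` is now the third hand-maintained copy of this list (the `osv.py` mapping keys and each test method carry the same literal), so adding a release means editing all of them and a typo in one copy goes unnoticed; a module-level `SUPPORTED_ECOSYSTEMS = ["almalinux:8", "almalinux:9"]` next to `BASE_URL`, imported by the tests, would keep them in step. Since the ecosystem case decides whether any package is imported at all, the commit message should mention this importer change rather than only the tests.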
@@ -1,15 +1,21 @@ { - "aliases": ["ALBA-2019: 3336"], - "summary": "nss-altfiles bug fix and enhancement update\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.", "affected_packages": [], - "references": - [ + "aliases": ["ALBA-2019:3336"], + "summary": "nss-altfiles bug fix and enhancement update\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.", + "affected_packages": [ + { + "package": {"type": "almalinux:8", "namespace": "", "name": "nss-altfiles", "version": "", "qualifiers": "", "subpath": ""}, + "affected_version_range": null, + "fixed_version": "2.18.1-12.el8" + } + ], + "references": [ { "reference_id": "", - "url": "https: //errata.almalinux.org/8/ALBA-2019-3336.html", - "severities": [] - } + "url": "https://errata.almalinux.org/8/ALBA-2019-3336.html", + "severities": [] + } ], - "date_published": "2019-11-05T17:32:18+00:00", - "weaknesses": [], - "url": "https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux8/almalinux_test_1.json" + "date_published": "2019-11-05T17:32:18+00:00", + "weaknesses": [], + "url": "https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux8/almalinux_test_1.json" } \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/almalinux/almalinux_expected_2.json b/vulnerabilities/tests/test_data/almalinux/almalinux_expected_2.json index b4299edb1..ffa135e51 100644 --- a/vulnerabilities/tests/test_data/almalinux/almalinux_expected_2.json +++ b/vulnerabilities/tests/test_data/almalinux/almalinux_expected_2.json 
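Review bot: `"affected_version_range": null` is pinned here although the input fixture gives an explicit `introduced: 0` / `fixed: 2.18.1-12.el8` range; if that is what `parse_advisory_data` produces because no version-range class is registered for the `almalinux:8` type, the fixture is locking in a lossy result in which every AlmaLinux advisory is stored without the versions it affects, making version-based matching impossible downstream. Either an RPM version range should be wired up before this fixture is accepted, or the test should document why the range is null; `almalinux_expected_2.json` and `almalinux_expected_3.json` in this commit pin the same null. The `"type": "almalinux:8"` purl type is discussed on the osv.py hunk.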
@@ -1,7 +1,15 @@ { "aliases": ["ALEA-2019:3314"], "summary": "python3-azure-sdk bug fix and enhancement update\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.", - "affected_packages": [], + "affected_packages": [ + { + "package": { + "type": "almalinux:8", "namespace": "", "name": "python3-azure-sdk", "version": "", "qualifiers": "", "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.0.0-9.el8" + } + ], "references": [], "date_published": "2019-11-05T17:29:24+00:00", "weaknesses": [], diff --git a/vulnerabilities/tests/test_data/almalinux/almalinux_expected_3.json b/vulnerabilities/tests/test_data/almalinux/almalinux_expected_3.json index 3c816c348..6b89777c3 100644 --- a/vulnerabilities/tests/test_data/almalinux/almalinux_expected_3.json +++ b/vulnerabilities/tests/test_data/almalinux/almalinux_expected_3.json 
@@ -1,11 +1,21 @@ { "aliases": ["ALSA-2022:8221"], - "summary": "Moderate: xorg-x11-server security and bug fix update\nX.Org is an open-source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon.\n\nSecurity Fix(es):\n\n* xorg-x11-server: X.Org Server ProcXkbSetGeometry out-of-bounds access (CVE-2022-2319)\n* xorg-x11-server: out-of-bounds access in ProcXkbSetDeviceInfo request handler of the Xkb extension (CVE-2022-2320)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.", - "affected_packages": [], + "summary": "Moderate: xorg-x11-server security and bug fix update\nX.Org is an open-source implementation of the X Window System. 
It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon.\n\nSecurity Fix(es)n\n* xorg-x11-server: X.Org Server ProcXkbSetGeometry out-of-bounds access (CVE-2022-2319)\n* xorg-x11-server: out-of-bounds access in ProcXkbSetDeviceInfo request handler of the Xkb extension VE-2022-2320)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\nAdditional Changes:\n\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.", + "affected_packages": [ + {"package": {"type": "almalinux:9", "namespace": "", "name": "xorg-x11-server-Xdmx", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"}, + {"package": {"type": "almalinux:9", "namespace": "", "name": "xorg-x11-server-Xephyr", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"}, + {"package": {"type": "almalinux:9", "namespace": "", "name": "xorg-x11-server-Xnest", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"}, + {"package": {"type": "almalinux:9", "namespace": "", "name": "xorg-x11-server-Xorg", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"}, + {"package": {"type": "almalinux:9", "namespace": "", "name": "xorg-x11-server-Xvfb", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"}, + {"package": {"type": "almalinux:9", "namespace": "", "name": "xorg-x11-server-common", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"}, + {"package": {"type": "almalinux:9", "namespace": "", "name": 
"xorg-x11-server-devel", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"}, + {"package": {"type": "almalinux:9", "namespace": "", "name": "xorg-x11-server-source", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"} + + ], "references": [ { "reference_id": "", - "url": "", + "url": "https://access.redhat.com/errata/RHSA-2022:8221", "severities": [] }, { @@ -26,7 +36,7 @@ { "reference_id": "", "url": "https://bugzilla.redhat.com/2106683", - "everities": [] + "severities": [] }, { "reference_id": "", From d2f69456603c758b74b6798371f475ff4fae0ce8 Mon Sep 17 00:00:00 2001 From: ambuj Date: Tue, 2 Jul 2024 18:27:33 +0530 Subject: [PATCH 05/12] corrected the formating errors by running make valid Signed-off-by: ambuj --- vulnerabilities/tests/test_almalinux.py | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/vulnerabilities/tests/test_almalinux.py b/vulnerabilities/tests/test_almalinux.py index d49fce3f3..484f5f73b 100644 --- a/vulnerabilities/tests/test_almalinux.py +++ b/vulnerabilities/tests/test_almalinux.py @@ -24,7 +24,7 @@ def test_almalinux_importer1(self): expected_file = os.path.join(TEST_DATA, "almalinux_expected_1.json") imported_data = parse_advisory_data( mock_response, - supported_ecosystems=["almalinux:8","almalinux:9"], + supported_ecosystems=["almalinux:8", "almalinux:9"], advisory_url="https://github.com/AlmaLinux/osv-database" "/blob/master/advisories/almalinux8/almalinux_test_1.json", ) @@ -37,7 +37,7 @@ def test_almalinux_importer2(self): expected_file = os.path.join(TEST_DATA, "almalinux_expected_2.json") imported_data = parse_advisory_data( mock_response, - supported_ecosystems=["almalinux:8","almalinux:9"], + supported_ecosystems=["almalinux:8", "almalinux:9"], advisory_url="https://github.com/AlmaLinux/osv-database" "/blob/master/advisories/almalinux8/almalinux_test_2.json", ) 
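Review bot: The new `summary` line in almalinux_expected_3.json has lost characters relative to the removed one: `Security Fix(es):\n\n*` became `Security Fix(es)n\n*`, `(CVE-2022-2320)` became `VE-2022-2320)`, and the blank line before `Additional Changes:` is gone, while only the `affected_packages` block and the `RHSA-2022:8221` reference URL look like intended changes. An expected file is the oracle for the parser, so if this test passes then the input fixture almalinux_test_3.json must carry the same corruption and no longer reflects the real ALSA-2022:8221 text; if it does not, the test fails. Please restore the summary from the removed line and re-check the fixture against the upstream advisory.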
@@ -50,11 +50,9 @@ def test_github_osv_importer3(self): expected_file = os.path.join(TEST_DATA, "almalinux_expected_3.json") imported_data = parse_advisory_data( mock_response, - supported_ecosystems=["almalinux:8","almalinux:9"], + supported_ecosystems=["almalinux:8", "almalinux:9"], advisory_url="https://github.com/AlmaLinux/osv-database" "/blob/master/advisories/almalinux8/almalinux_test_3.json", ) result = imported_data.to_dict() util_tests.check_results_against_json(result, expected_file) - - From c328dbd68847eae48c37fd9751c2941f3c41f35c Mon Sep 17 00:00:00 2001 From: ambuj Date: Fri, 12 Jul 2024 05:55:09 +0530 Subject: [PATCH 06/12] modified almalinux importer Signed-off-by: ambuj --- vulnerabilities/importers/almalinux.py | 138 ++++++++++++++++++++++++- 1 file changed, 136 insertions(+), 2 deletions(-) diff --git a/vulnerabilities/importers/almalinux.py b/vulnerabilities/importers/almalinux.py index a643d9af4..89ac7dec1 100644 --- a/vulnerabilities/importers/almalinux.py +++ b/vulnerabilities/importers/almalinux.py 
@@ -13,13 +13,31 @@ from pathlib import Path from typing import Any from typing import Iterable +from typing import List +from typing import Optional + +from packageurl import PackageURL +from univers.version_range import RANGE_CLASS_BY_SCHEMES +from univers.version_range import RpmVersionRange +from univers.versions import InvalidVersion +from univers.versions import RpmVersion +from univers.versions import Version from vulnerabilities.importer import AdvisoryData +from vulnerabilities.importer import AffectedPackage from vulnerabilities.importer import Importer -from vulnerabilities.importers.osv import parse_advisory_data +from vulnerabilities.importers.osv import extract_fixed_versions +from vulnerabilities.importers.osv import get_published_date +from vulnerabilities.importers.osv import get_references +from vulnerabilities.importers.osv import get_severities + +# from vulnerabilities.importers.osv import parse_advisory_data +from vulnerabilities.utils import build_description +from vulnerabilities.utils import dedupe from vulnerabilities.utils import get_advisory_url +from vulnerabilities.utils import get_cwe_id -LOGGER = logging.getLogger(__name__) +logger = logging.getLogger(__name__) BASE_URL = "https://github.com/AlmaLinux/osv-database" @@ -28,6 +46,8 @@ class AlmaImporter(Importer): license_url = "https://github.com/AlmaLinux/osv-database/blob/master/LICENSE" importer_name = "Alma Linux Importer" + # for creating purl type is rpm namespace is almalinux names 1:2324:el8 + def advisory_data(self) -> Iterable[AdvisoryData]: supported_ecosystems = ["almalinux:8", "almalinux:9"] try: 
@@ -47,3 +67,117 @@ def advisory_data(self) -> Iterable[AdvisoryData]: finally: if self.vcs_response: self.vcs_response.delete() + + +"""Make follwoing changes: + alias- done + summary - done + affected packages - work + references - work + date published - done + weaknesses - work + url - done +""" + + +def parse_advisory_data(raw_data, supported_ecosystems, advisory_url) -> Optional[AdvisoryData]: + raw_id = raw_data.get("id") or "" + summary = raw_data.get("summary") or "" + details = raw_data.get("details") or "" + summary = build_description(summary=summary, description=details) + aliases = raw_data.get("aliases") or [] + if raw_id: + aliases.append(raw_id) + aliases = dedupe(original=aliases) + date_published = get_published_date(raw_data=raw_data) + severities = list(get_severities(raw_data=raw_data)) + references = get_references(raw_data=raw_data, severities=severities) + + affected_packages = [] + + for affected_pkg in raw_data.get("affected") or []: + purl = get_affected_purl(affected_pkg=affected_pkg, raw_id=raw_id) + ranges = affected_packages.get("ranges") or [] + events = ranges[0].get("events") or [] + if not purl: + logger.error(f"Unsupported package type: {affected_pkg!r} in OSV: {raw_id!r}") + continue + + affected_version_range = get_affected_version_range( + affected_pkg=affected_pkg, + raw_id=raw_id, + supported_ecosystem=purl.type, + ) + + for fixed_range in affected_pkg.get("ranges") or []: + fixed_version = get_fixed_versions( + fixed_range=fixed_range, + raw_id=raw_id, + supported_ecosystem=purl.type, # can use these information in future to update the get_fixed_version function. 
+ ) + + for version in fixed_version: + affected_packages.append( + AffectedPackage( + package=purl, + affected_version_range=affected_version_range, + fixed_version=version, + ) + ) + + database_specific = raw_data.get("database_specific") or {} + cwe_ids = database_specific.get("cwe_ids") or [] + weaknesses = list(map(get_cwe_id, cwe_ids)) + + return AdvisoryData( + aliases=aliases, + summary=summary, + references=references, + affected_packages=affected_packages, + date_published=date_published, + weaknesses=weaknesses, + url=advisory_url, + ) + + +def get_affected_purl(affected_pkg, raw_id): + package = affected_pkg.get("package") or {} + purl = package.get("purl") + if purl: + try: + purl = PackageURL.from_string(purl) + except ValueError: + logger.error( + f"Invalid PackageURL: {purl!r} for OSV " + f"affected_pkg {affected_pkg} and id: {raw_id}" + ) + + else: + ecosys = package.get("ecosystem") + name = package.get("name") + purl = PackageURL(type="rpm", namespace="almalinux", name=name) + + return PackageURL.from_string(str(purl)) + + +def get_fixed_versions(fixed_range) -> List[Version]: + fixed_versions = [] + fixed_range_type = fixed_range["type"] + for version in extract_fixed_versions(fixed_range): + fixed_versions.append(RpmVersion(version)) + return dedupe(fixed_versions) + + +def get_affected_version_range(affected_pkg, raw_id, supported_ecosystem): + """ + Return a univers VersionRange for the ``affected_pkg`` package data mapping + or None. Use a ``raw_id`` OSV id and ``supported_ecosystem``. + """ + fixed_range = affected_pkg.get("ranges") or [] + fixed_range = fixed_range[0] if len(fixed_range) > 0 else {} + fixed_version = get_fixed_versions(fixed_range)[0] + introduced = fixed_range.get("events") or [] + introduced = introduced[0] if len(introduced) > 0 else {} + introduced_version = introduced.get("introduced") or "" + + return RpmVersionRange.from_native() From 511cdda94ca724a07f8f46234847a2f31359d9b4 Mon Sep 17 00:00:00 2001 
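Review bot: `get_affected_purl` does not recover from an invalid `purl` string: the `except ValueError` branch only logs, execution falls through to `return PackageURL.from_string(str(purl))` with the same string, and the ValueError is raised a second time, uncaught, so one malformed entry in the upstream database aborts the whole importer run instead of being skipped. Returning `None` in that branch (`logger.error(...)` followed by `return None`) would also make the `if not purl: continue` guard in `parse_advisory_data` reachable, which it currently never is because the function has no `None` path. Separately, `aliases = raw_data.get("aliases") or []` followed by `aliases.append(raw_id)` appends into the list owned by the caller's `raw_data` whenever the key is present; copying first with `aliases = list(raw_data.get("aliases") or [])` avoids mutating the input. The `ranges = affected_packages.get("ranges") or []` line also cannot work, since `affected_packages` is the list being built, though its result is unused.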
From: ambuj Date: Sat, 13 Jul 2024 19:09:47 +0530 Subject: [PATCH 07/12] add almalinux advisories latest Signed-off-by: ambuj --- vulnerabilities/importers/almalinux.py | 96 ++++++++++--------- vulnerabilities/importers/osv.py | 2 - vulnerabilities/improvers/__init__.py | 1 + vulnerabilities/improvers/valid_versions.py | 6 ++ vulnerabilities/tests/test_almalinux.py | 5 +- .../almalinux/almalinux_expected_1.json | 2 +- .../almalinux/almalinux_expected_2.json | 2 +- .../almalinux/almalinux_expected_3.json | 16 ++-- 8 files changed, 70 insertions(+), 60 deletions(-) diff --git a/vulnerabilities/importers/almalinux.py b/vulnerabilities/importers/almalinux.py index 89ac7dec1..11d84819a 100644 --- a/vulnerabilities/importers/almalinux.py +++ b/vulnerabilities/importers/almalinux.py @@ -1,5 +1,4 @@ # -# # Copyright (c) nexB Inc. and others. All rights reserved. # VulnerableCode is a trademark of nexB Inc. # SPDX-License-Identifier: Apache-2.0 @@ -27,11 +26,10 @@ from vulnerabilities.importer import AffectedPackage from vulnerabilities.importer import Importer from vulnerabilities.importers.osv import extract_fixed_versions +from vulnerabilities.importers.osv import get_affected_version_range from vulnerabilities.importers.osv import get_published_date from vulnerabilities.importers.osv import get_references from vulnerabilities.importers.osv import get_severities - -# from vulnerabilities.importers.osv import parse_advisory_data from vulnerabilities.utils import build_description from vulnerabilities.utils import dedupe from vulnerabilities.utils import get_advisory_url 
@@ -46,15 +44,12 @@ class AlmaImporter(Importer): license_url = "https://github.com/AlmaLinux/osv-database/blob/master/LICENSE" importer_name = "Alma Linux Importer" - # for creating purl type is rpm namespace is almalinux names 1:2324:el8 - def advisory_data(self) -> Iterable[AdvisoryData]: - supported_ecosystems = ["almalinux:8", "almalinux:9"] try: self.clone(repo_url=self.BASE_URL) base_path = Path(self.vcs_response.dest_dir) advisory_dirs = base_path / "tree/master/advisories" - # Iterate throught the directories in the repo and get the .json files + # Iterate through the directories in the repo and get the .json files for file in advisory_dirs.glob("**/*.json"): advisory_url = get_advisory_url( file=file, @@ -63,24 +58,13 @@ def advisory_data(self) -> Iterable[AdvisoryData]: ) with open(file) as f: raw_data = json.load(f) - yield parse_advisory_data(raw_data, supported_ecosystems, advisory_url) + yield parse_advisory_data(raw_data, advisory_url) finally: if self.vcs_response: self.vcs_response.delete() -"""Make follwoing changes: - alias- done - summary - done - affected packages - work - references - work - date published - done - weaknesses - work - url - done -""" - - -def parse_advisory_data(raw_data, supported_ecosystems, advisory_url) -> Optional[AdvisoryData]: +def parse_advisory_data(raw_data, advisory_url) -> Optional[AdvisoryData]: raw_id = raw_data.get("id") or "" summary = raw_data.get("summary") or "" details = raw_data.get("details") or "" @@ -97,8 +81,6 @@ def parse_advisory_data(raw_data, supported_ecosystems, advisory_url) -> Optiona for affected_pkg in raw_data.get("affected") or []: purl = get_affected_purl(affected_pkg=affected_pkg, raw_id=raw_id) - ranges = affected_packages.get("ranges") or [] - events = ranges[0].get("events") or [] if not purl: logger.error(f"Unsupported package type: {affected_pkg!r} in OSV: {raw_id!r}") continue 
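Review bot: `advisory_dirs = base_path / "tree/master/advisories"` in `advisory_data` looks like a GitHub web-URL segment rather than a path inside a git checkout; unless `self.clone` produces that layout, `advisory_dirs.glob("**/*.json")` matches nothing and the importer silently yields zero advisories, which is the worst failure mode for a vulnerability feed. I would expect `advisory_dirs = base_path / "advisories"` plus an explicit `if not advisory_dirs.is_dir(): raise FileNotFoundError(advisory_dirs)` (or at least a logged error) so an empty run is noticed. `self.clone(repo_url=self.BASE_URL)` also reads `BASE_URL` from the instance although the earlier hunk defines it as a module-level constant; if it is not also a class attribute this raises AttributeError before anything is imported. The body of `advisory_data` continues outside this hunk.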
@@ -110,11 +92,7 @@ def parse_advisory_data(raw_data, supported_ecosystems, advisory_url) -> Optiona ) for fixed_range in affected_pkg.get("ranges") or []: - fixed_version = get_fixed_versions( - fixed_range=fixed_range, - raw_id=raw_id, - supported_ecosystem=purl.type, # can use these information in future to update the get_fixed_version function. - ) + fixed_version = get_fixed_versions(fixed_range=fixed_range) for version in fixed_version: affected_packages.append( @@ -141,6 +119,40 @@ def parse_advisory_data(raw_data, supported_ecosystems, advisory_url) -> Optiona def get_affected_purl(affected_pkg, raw_id): + """ + Generate a PackageURL for the affected package. + + Args: + affected_pkg (dict): A dictionary containing details about the affected package. + raw_id (str): The raw ID of the corresponding advisory. + + Returns: + PackageURL or None. + + For example: + >>> affected_pkg = { + ... "package": { + ... "ecosystem": "AlmaLinux:8", + ... "name": "sblim-wbemcli" + ... }, + ... "ranges": [ + ... { + ... "type": "ECOSYSTEM", + ... "events": [ + ... { + ... "introduced": "0" + ... }, + ... { + ... "fixed": "1.6.3-15.el8" + ... } + ... ] + ... } + ... ] + ... } + >>> raw_id = "ALBA-2019:3482" + >>> get_affected_purl(affected_pkg, raw_id) + [PackageURL(type="rpm", namespace="almalinux", name="sblim-wbemcli", version="", qualifiers="", subpath="")] + """ package = affected_pkg.get("package") or {} purl = package.get("purl") if purl: @@ -153,7 +165,6 @@ def get_affected_purl(affected_pkg, raw_id): ) else: - ecosys = package.get("ecosystem") name = package.get("name") purl = PackageURL(type="rpm", namespace="almalinux", name=name) 
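Review bot: In this loop an `AffectedPackage` is appended only once per fixed version, so an affected entry whose ranges carry an `introduced` event but no `fixed` event (which OSV permits for unfixed issues) produces no record at all and the vulnerable package silently disappears from the advisory. The expected fixtures in this series also show `affected_version_range: null` for every package even though each range has `introduced`/`fixed` events, so `get_affected_version_range(..., supported_ecosystem=purl.type)` (now `"rpm"`) appears to return nothing and the vulnerable range is lost; without it consumers learn only the fixed version, not which versions are affected. I would confirm what the imported helper does for `"rpm"`, and, when no fixed version is found but a range is, still append `AffectedPackage(package=purl, affected_version_range=affected_version_range, fixed_version=None)` if `AffectedPackage` permits that. The enclosing `parse_advisory_data` starts outside this hunk.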
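Review bot: The new docstring on `get_affected_purl` says it returns `PackageURL or None`, but no path in the function returns `None`; the `except ValueError` branch only logs and falls through, so the documented contract and the caller's `if not purl: continue` guard do not match the code. Either document that an invalid `purl` string raises `ValueError`, or change the except branch to `return None`; the latter matches the docstring and lets one bad entry be skipped instead of aborting the run. The `raw_id` parameter is described as "the raw ID of the corresponding advisory" but is used only in the log message, which is worth saying so readers do not look for a lookup.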
@@ -161,23 +172,20 @@ def get_affected_purl(affected_pkg, raw_id): def get_fixed_versions(fixed_range) -> List[Version]: + """ + Return a list of fixed version strings given a ``fixed_range`` mapping of + OSV data. + + >>> list(extract_fixed_versions( + ... {"type": "ECOSYSTEM", "events": [{"introduced": "0"},{"fixed": "1.6.3-15.el8"}]})) + [RpmVersion('1.6.3-15.el8')] + + >>> list(extract_fixed_versions( + ... {"type": "ECOSYSTEM","events":[{"introduced": "0"}, + ... {"fixed": "1.0.6-12.el8"},{"fixed": "2.18.1-12.el8"}]})) + [RpmVersion("1.0.6-12.el8"), RpmVersion("2.18.1-12.el8")] + """ fixed_versions = [] - fixed_range_type = fixed_range["type"] for version in extract_fixed_versions(fixed_range): fixed_versions.append(RpmVersion(version)) return dedupe(fixed_versions) - - -def get_affected_version_range(affected_pkg, raw_id, supported_ecosystem): - """ - Return a univers VersionRange for the ``affected_pkg`` package data mapping - or None. Use a ``raw_id`` OSV id and ``supported_ecosystem``. - """ - fixed_range = affected_pkg.get("ranges") or [] - fixed_range = fixed_range[0] if len(fixed_range) > 0 else {} - fixed_version = get_fixed_versions(fixed_range)[0] - introduced = fixed_range.get("events") or [] - introduced = introduced[0] if len(introduced) > 0 else {} - introduced_version = introduced.get("introduced") or "" - - return RpmVersionRange.from_native() diff --git a/vulnerabilities/importers/osv.py b/vulnerabilities/importers/osv.py index e5fc7aa18..1ee45a1be 100644 --- a/vulnerabilities/importers/osv.py +++ b/vulnerabilities/importers/osv.py @@ -41,8 +41,6 @@ "go": "golang", "hex": "hex", "cargo": "cargo", - "almalinux:8": "almalinux:8", - "almalinux:9": "almalinux:9", } diff --git a/vulnerabilities/improvers/__init__.py b/vulnerabilities/improvers/__init__.py index 8cc68b9a6..ce022fbe4 100644 --- a/vulnerabilities/improvers/__init__.py +++ b/vulnerabilities/improvers/__init__.py 
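Review bot: `get_fixed_versions` wraps every string from `extract_fixed_versions` in `RpmVersion(version)` with no error handling; if `RpmVersion` validates its input (the module imports `InvalidVersion` but never uses it), a single malformed `fixed` value in the upstream database raises out of the importer and stops the whole run. Catching it per version, `except InvalidVersion: logger.error(f"Invalid RPM version {version!r} in {fixed_range!r}"); continue`, keeps one bad record from blocking the rest. The `-> List[Version]` annotation is also broader than what is built, which is `RpmVersion` only.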
@@ -27,6 +27,7 @@ valid_versions.RubyImprover, valid_versions.GithubOSVImprover, vulnerability_status.VulnerabilityStatusImprover, + valid_versions.AlmaImprover, ] IMPROVERS_REGISTRY = {x.qualified_name: x for x in IMPROVERS_REGISTRY} diff --git a/vulnerabilities/improvers/valid_versions.py b/vulnerabilities/improvers/valid_versions.py index d23508bea..5e5bf0dc4 100644 --- a/vulnerabilities/improvers/valid_versions.py +++ b/vulnerabilities/improvers/valid_versions.py @@ -25,6 +25,7 @@ from vulnerabilities.importer import AffectedPackage from vulnerabilities.importer import Importer from vulnerabilities.importer import UnMergeablePackageError +from vulnerabilities.importers.almalinux import AlmaImporter from vulnerabilities.importers.apache_httpd import ApacheHTTPDImporter from vulnerabilities.importers.apache_kafka import ApacheKafkaImporter from vulnerabilities.importers.apache_tomcat import ApacheTomcatImporter @@ -472,3 +473,8 @@ class RubyImprover(ValidVersionImprover): class GithubOSVImprover(ValidVersionImprover): importer = GithubOSVImporter ignorable_versions = [] + + +class AlmaImprover(ValidVersionImprover): + importer = AlmaImporter + ignorable_versions = [] diff --git a/vulnerabilities/tests/test_almalinux.py b/vulnerabilities/tests/test_almalinux.py index 484f5f73b..9a12a1142 100644 --- a/vulnerabilities/tests/test_almalinux.py +++ b/vulnerabilities/tests/test_almalinux.py @@ -10,7 +10,7 @@ import os from unittest import TestCase -from vulnerabilities.importers.osv import parse_advisory_data +from vulnerabilities.importers.almalinux import parse_advisory_data from vulnerabilities.tests import util_tests BASE_DIR = os.path.dirname(os.path.abspath(__file__)) 
@@ -24,7 +24,6 @@ def test_almalinux_importer1(self): expected_file = os.path.join(TEST_DATA, "almalinux_expected_1.json") imported_data = parse_advisory_data( mock_response, - supported_ecosystems=["almalinux:8", "almalinux:9"], advisory_url="https://github.com/AlmaLinux/osv-database" "/blob/master/advisories/almalinux8/almalinux_test_1.json", ) @@ -37,7 +36,6 @@ def test_almalinux_importer2(self): expected_file = os.path.join(TEST_DATA, "almalinux_expected_2.json") imported_data = parse_advisory_data( mock_response, - supported_ecosystems=["almalinux:8", "almalinux:9"], advisory_url="https://github.com/AlmaLinux/osv-database" "/blob/master/advisories/almalinux8/almalinux_test_2.json", ) @@ -50,7 +48,6 @@ def test_github_osv_importer3(self): expected_file = os.path.join(TEST_DATA, "almalinux_expected_3.json") imported_data = parse_advisory_data( mock_response, - supported_ecosystems=["almalinux:8", "almalinux:9"], advisory_url="https://github.com/AlmaLinux/osv-database" "/blob/master/advisories/almalinux8/almalinux_test_3.json", ) diff --git a/vulnerabilities/tests/test_data/almalinux/almalinux_expected_1.json b/vulnerabilities/tests/test_data/almalinux/almalinux_expected_1.json index 892f0b2ce..e1f68984b 100644 --- a/vulnerabilities/tests/test_data/almalinux/almalinux_expected_1.json +++ b/vulnerabilities/tests/test_data/almalinux/almalinux_expected_1.json @@ -3,7 +3,7 @@ "summary": "nss-altfiles bug fix and enhancement update\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.", "affected_packages": [ { - "package": {"type": "almalinux:8", "namespace": "", "name": "nss-altfiles", "version": "", "qualifiers": "", "subpath": ""}, + "package": {"type": "rpm", "namespace": "almalinux", "name": "nss-altfiles", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "2.18.1-12.el8" } 
diff --git a/vulnerabilities/tests/test_data/almalinux/almalinux_expected_2.json b/vulnerabilities/tests/test_data/almalinux/almalinux_expected_2.json index ffa135e51..da542f8bc 100644 --- a/vulnerabilities/tests/test_data/almalinux/almalinux_expected_2.json +++ b/vulnerabilities/tests/test_data/almalinux/almalinux_expected_2.json @@ -4,7 +4,7 @@ "affected_packages": [ { "package": { - "type": "almalinux:8", "namespace": "", "name": "python3-azure-sdk", "version": "", "qualifiers": "", "subpath": "" + "type": "rpm", "namespace": "almalinux", "name": "python3-azure-sdk", "version": "", "qualifiers": "", "subpath": "" }, "affected_version_range": null, "fixed_version": "4.0.0-9.el8" diff --git a/vulnerabilities/tests/test_data/almalinux/almalinux_expected_3.json b/vulnerabilities/tests/test_data/almalinux/almalinux_expected_3.json index 6b89777c3..389cf4482 100644 --- a/vulnerabilities/tests/test_data/almalinux/almalinux_expected_3.json +++ b/vulnerabilities/tests/test_data/almalinux/almalinux_expected_3.json 
@@ -2,14 +2,14 @@ "aliases": ["ALSA-2022:8221"], "summary": "Moderate: xorg-x11-server security and bug fix update\nX.Org is an open-source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon.\n\nSecurity Fix(es)n\n* xorg-x11-server: X.Org Server ProcXkbSetGeometry out-of-bounds access (CVE-2022-2319)\n* xorg-x11-server: out-of-bounds access in ProcXkbSetDeviceInfo request handler of the Xkb extension VE-2022-2320)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\nAdditional Changes:\n\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.", "affected_packages": [ - {"package": {"type": "almalinux:9", "namespace": "", "name": "xorg-x11-server-Xdmx", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"}, - {"package": {"type": "almalinux:9", "namespace": "", "name": "xorg-x11-server-Xephyr", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"}, - {"package": {"type": "almalinux:9", "namespace": "", "name": "xorg-x11-server-Xnest", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"}, - {"package": {"type": "almalinux:9", "namespace": "", "name": "xorg-x11-server-Xorg", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"}, - {"package": {"type": "almalinux:9", "namespace": "", "name": "xorg-x11-server-Xvfb", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"}, - {"package": {"type": "almalinux:9", "namespace": "", "name": "xorg-x11-server-common", "version": 
"", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"}, - {"package": {"type": "almalinux:9", "namespace": "", "name": "xorg-x11-server-devel", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"}, - {"package": {"type": "almalinux:9", "namespace": "", "name": "xorg-x11-server-source", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"} + {"package": {"type": "rpm", "namespace": "almalinux", "name": "xorg-x11-server-Xdmx", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"}, + {"package": {"type": "rpm", "namespace": "almalinux", "name": "xorg-x11-server-Xephyr", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"}, + {"package": {"type": "rpm", "namespace": "almalinux", "name": "xorg-x11-server-Xnest", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"}, + {"package": {"type": "rpm", "namespace": "almalinux", "name": "xorg-x11-server-Xorg", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"}, + {"package": {"type": "rpm", "namespace": "almalinux", "name": "xorg-x11-server-Xvfb", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"}, + {"package": {"type": "rpm", "namespace": "almalinux", "name": "xorg-x11-server-common", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"}, + {"package": {"type": "rpm", "namespace": "almalinux", "name": "xorg-x11-server-devel", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"}, + {"package": {"type": "rpm", "namespace": 
"almalinux", "name": "xorg-x11-server-source", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"} ], "references": [ From 86c18cfbb5190353fabf0533a95449e98c39c8b2 Mon Sep 17 00:00:00 2001 From: ambuj Date: Sat, 13 Jul 2024 19:59:04 +0530 Subject: [PATCH 08/12] correct some doctest almalinux importer Signed-off-by: ambuj --- vulnerabilities/importers/almalinux.py | 13 ++++++------- vulnerabilities/tests/test_almalinux.py | 2 ++ 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/vulnerabilities/importers/almalinux.py b/vulnerabilities/importers/almalinux.py index 11d84819a..65887207c 100644 --- a/vulnerabilities/importers/almalinux.py +++ b/vulnerabilities/importers/almalinux.py @@ -151,7 +151,7 @@ def get_affected_purl(affected_pkg, raw_id): ... } >>> raw_id = "ALBA-2019:3482" >>> get_affected_purl(affected_pkg, raw_id) - [PackageURL(type="rpm", namespace="almalinux", name="sblim-wbemcli", version="", qualifiers="", subpath="")] + PackageURL(type='rpm', namespace='almalinux', name='sblim-wbemcli', version=None, qualifiers={}, subpath=None) """ package = affected_pkg.get("package") or {} purl = package.get("purl") 
@@ -176,14 +176,13 @@ def get_fixed_versions(fixed_range) -> List[Version]: Return a list of fixed version strings given a ``fixed_range`` mapping of OSV data. - >>> list(extract_fixed_versions( - ... {"type": "ECOSYSTEM", "events": [{"introduced": "0"},{"fixed": "1.6.3-15.el8"}]})) - [RpmVersion('1.6.3-15.el8')] + >>> get_fixed_versions({"type": "ECOSYSTEM", "events": [{"introduced": "0"},{"fixed": "1.6.3-15.el8"}]}) + [RpmVersion(string='1.6.3-15.el8')] - >>> list(extract_fixed_versions( + >>> get_fixed_versions( ... {"type": "ECOSYSTEM","events":[{"introduced": "0"}, - ... {"fixed": "1.0.6-12.el8"},{"fixed": "2.18.1-12.el8"}]})) - [RpmVersion("1.0.6-12.el8"), RpmVersion("2.18.1-12.el8")] + ... {"fixed": "1.0.6-12.el8"},{"fixed": "2.18.1-12.el8"}]}) + [RpmVersion(string='1.0.6-12.el8'), RpmVersion(string='2.18.1-12.el8')] """ fixed_versions = [] for version in extract_fixed_versions(fixed_range): diff --git a/vulnerabilities/tests/test_almalinux.py b/vulnerabilities/tests/test_almalinux.py index 9a12a1142..53e295711 100644 --- a/vulnerabilities/tests/test_almalinux.py +++ b/vulnerabilities/tests/test_almalinux.py @@ -10,6 +10,8 @@ import os from unittest import TestCase +from vulnerabilities.importers.almalinux import get_affected_purl +from vulnerabilities.importers.almalinux import get_fixed_versions from vulnerabilities.importers.almalinux import parse_advisory_data from vulnerabilities.tests import util_tests From 088279cb6ce1d4bed45e0aef2c3d3cba7fc4cdcc Mon Sep 17 00:00:00 2001 
From: ambuj Date: Fri, 23 Aug 2024 19:30:18 +0530 Subject: [PATCH 09/12] docs(almalinux-importer): Add docstring to `parse_advisory_data` function - Added a detailed docstring to the `parse_advisory_data` function in the `almalinux-importer` module. - The docstring includes a clear description of the function's purpose, arguments, return value, and an example usage. - Improved the readability and structure of the example output in the docstring to ensure clarity and consistency. This documentation enhancement makes the `parse_advisory_data` function easier to understand and use, aiding future development and maintenance. Signed-off-by: ambuj --- vulnerabilities/importers/almalinux.py | 47 ++++++ vulnerabilities/tests/test_almalinux.py | 4 +- .../almalinux/almalinux_expected_1.json | 38 +++-- .../almalinux/almalinux_expected_2.json | 27 +-- .../almalinux/almalinux_expected_3.json | 159 ++++++++++++++---- 5 files changed, 216 insertions(+), 59 deletions(-) diff --git a/vulnerabilities/importers/almalinux.py b/vulnerabilities/importers/almalinux.py index 65887207c..2927b0146 100644 --- a/vulnerabilities/importers/almalinux.py +++ b/vulnerabilities/importers/almalinux.py 
@@ -65,6 +65,53 @@ def advisory_data(self) -> Iterable[AdvisoryData]: def parse_advisory_data(raw_data, advisory_url) -> Optional[AdvisoryData]: + """ + Parse Alma Linux advisory data and convert it into an AdvisoryData object. + + Args: + raw_data (dict): A dictionary containing raw advisory information. + advisory_url (str): The URL to the advisory. + + Returns: + AdvisoryData: An instance of AdvisoryData with processed information, or + None if the data cannot be parsed correctly. + + Example: + >>> raw_data = { + ... "id": "ALBA-2020:4512", + ... "summary": "libteam bug fix and enhancement update", + ... "details": "For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.", + ... "published": "2020-11-03T12:11:24Z", + ... "affected": [ + ... { + ... "package": { + ... "ecosystem": "AlmaLinux:8", + ... "name": "libteam" + ... }, + ... "ranges": [ + ... { + ... "type": "ECOSYSTEM", + ... "events": [ + ... {"introduced": "0"}, + ... {"fixed": "1.31-2.el8"} + ... ] + ... } + ... ] + ... } + ... ], + ... "references": [ + ... { + ... "url": "https://errata.almalinux.org/8/ALBA-2020-4512.html", + ... "type": "ADVISORY" + ... } + ... ] + ... 
} + >>> advisory_url = "https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux/example_advisory.json" + >>> advisory = parse_advisory_data(raw_data, advisory_url).to_dict() + >>> print(advisory) + {'aliases': ['ALBA-2020:4512'], 'summary': 'libteam bug fix and enhancement update\\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.', 'affected_packages': [{'package': {'type': 'rpm', 'namespace': 'almalinux', 'name': 'libteam', 'version': '', 'qualifiers': '', 'subpath': ''}, 'affected_version_range': None, 'fixed_version': '1.31-2.el8'}], 'references': [{'reference_id': '', 'reference_type': '', 'url': 'https://errata.almalinux.org/8/ALBA-2020-4512.html', 'severities': []}], 'date_published': '2020-11-03T12:11:24+00:00', 'weaknesses': [], 'url': 'https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux/example_advisory.json'} + """ + raw_id = raw_data.get("id") or "" summary = raw_data.get("summary") or "" details = raw_data.get("details") or "" diff --git a/vulnerabilities/tests/test_almalinux.py b/vulnerabilities/tests/test_almalinux.py index 53e295711..99e4b4d57 100644 --- a/vulnerabilities/tests/test_almalinux.py +++ b/vulnerabilities/tests/test_almalinux.py @@ -10,8 +10,6 @@ import os from unittest import TestCase -from vulnerabilities.importers.almalinux import get_affected_purl -from vulnerabilities.importers.almalinux import get_fixed_versions from vulnerabilities.importers.almalinux import parse_advisory_data from vulnerabilities.tests import util_tests @@ -44,7 +42,7 @@ def test_almalinux_importer2(self): result = imported_data.to_dict() util_tests.check_results_against_json(result, expected_file) - def test_github_osv_importer3(self): + def test_almalinux_importer3(self): with open(os.path.join(TEST_DATA, "almalinux_test_3.json")) as f: mock_response = json.load(f) expected_file = os.path.join(TEST_DATA, "almalinux_expected_3.json") 
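Review bot: The Returns section of the new docstring promises None "if the data cannot be parsed correctly", but the visible tail of the body (`raw_id = raw_data.get("id") or ""` and the two lines after it) has no such path, and the rest of `parse_advisory_data` lies outside this hunk. If the function never returns None, the `Optional[AdvisoryData]` annotation and that sentence describe a contract callers cannot rely on; either name the condition that yields None or reduce it to `AdvisoryData: An instance of AdvisoryData built from ``raw_data``.` and annotate the function `-> AdvisoryData`. The example's expected output is a single line of several hundred characters that doctest compares byte-for-byte, so trimming the example to a minimal advisory, or checking individual keys of the returned dict, would make it both readable and less brittle.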
diff --git a/vulnerabilities/tests/test_data/almalinux/almalinux_expected_1.json b/vulnerabilities/tests/test_data/almalinux/almalinux_expected_1.json index e1f68984b..b1344d23c 100644 --- a/vulnerabilities/tests/test_data/almalinux/almalinux_expected_1.json +++ b/vulnerabilities/tests/test_data/almalinux/almalinux_expected_1.json @@ -1,21 +1,31 @@ { - "aliases": ["ALBA-2019:3336"], - "summary": "nss-altfiles bug fix and enhancement update\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.", + "aliases": [ + "ALBA-2019:3336" + ], + "summary": "nss-altfiles bug fix and enhancement update\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.", "affected_packages": [ { - "package": {"type": "rpm", "namespace": "almalinux", "name": "nss-altfiles", "version": "", "qualifiers": "", "subpath": ""}, - "affected_version_range": null, - "fixed_version": "2.18.1-12.el8" - } - ], + "package": { + "type": "rpm", + "namespace": "almalinux", + "name": "nss-altfiles", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "2.18.1-12.el8" + } + ], "references": [ { - "reference_id": "", - "url": "https://errata.almalinux.org/8/ALBA-2019-3336.html", - "severities": [] - } - ], - "date_published": "2019-11-05T17:32:18+00:00", - "weaknesses": [], + "reference_id": "", + "reference_type": "", + "url": "https://errata.almalinux.org/8/ALBA-2019-3336.html", + "severities": [] + } + ], + "date_published": "2019-11-05T17:32:18+00:00", + "weaknesses": [], "url": "https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux8/almalinux_test_1.json" } \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/almalinux/almalinux_expected_2.json b/vulnerabilities/tests/test_data/almalinux/almalinux_expected_2.json index da542f8bc..64c08e1f9 100644 
--- a/vulnerabilities/tests/test_data/almalinux/almalinux_expected_2.json +++ b/vulnerabilities/tests/test_data/almalinux/almalinux_expected_2.json @@ -1,17 +1,24 @@ { - "aliases": ["ALEA-2019:3314"], - "summary": "python3-azure-sdk bug fix and enhancement update\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.", + "aliases": [ + "ALEA-2019:3314" + ], + "summary": "python3-azure-sdk bug fix and enhancement update\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.", "affected_packages": [ { "package": { - "type": "rpm", "namespace": "almalinux", "name": "python3-azure-sdk", "version": "", "qualifiers": "", "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "4.0.0-9.el8" + "type": "rpm", + "namespace": "almalinux", + "name": "python3-azure-sdk", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.0.0-9.el8" } - ], - "references": [], - "date_published": "2019-11-05T17:29:24+00:00", - "weaknesses": [], + ], + "references": [], + "date_published": "2019-11-05T17:29:24+00:00", + "weaknesses": [], "url": "https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux8/almalinux_test_2.json" } \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/almalinux/almalinux_expected_3.json b/vulnerabilities/tests/test_data/almalinux/almalinux_expected_3.json index 389cf4482..267895464 100644 --- a/vulnerabilities/tests/test_data/almalinux/almalinux_expected_3.json +++ b/vulnerabilities/tests/test_data/almalinux/almalinux_expected_3.json 
@@ -1,50 +1,145 @@ { - "aliases": ["ALSA-2022:8221"], - "summary": "Moderate: xorg-x11-server security and bug fix update\nX.Org is an open-source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon.\n\nSecurity Fix(es)n\n* xorg-x11-server: X.Org Server ProcXkbSetGeometry out-of-bounds access (CVE-2022-2319)\n* xorg-x11-server: out-of-bounds access in ProcXkbSetDeviceInfo request handler of the Xkb extension VE-2022-2320)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\nAdditional Changes:\n\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.", + "aliases": [ + "ALSA-2022:8221" + ], + "summary": "Moderate: xorg-x11-server security and bug fix update\nX.Org is an open-source implementation of the X Window System. 
It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon.\n\nSecurity Fix(es)n\n* xorg-x11-server: X.Org Server ProcXkbSetGeometry out-of-bounds access (CVE-2022-2319)\n* xorg-x11-server: out-of-bounds access in ProcXkbSetDeviceInfo request handler of the Xkb extension VE-2022-2320)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\nAdditional Changes:\n\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.", "affected_packages": [ - {"package": {"type": "rpm", "namespace": "almalinux", "name": "xorg-x11-server-Xdmx", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"}, - {"package": {"type": "rpm", "namespace": "almalinux", "name": "xorg-x11-server-Xephyr", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"}, - {"package": {"type": "rpm", "namespace": "almalinux", "name": "xorg-x11-server-Xnest", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"}, - {"package": {"type": "rpm", "namespace": "almalinux", "name": "xorg-x11-server-Xorg", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"}, - {"package": {"type": "rpm", "namespace": "almalinux", "name": "xorg-x11-server-Xvfb", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"}, - {"package": {"type": "rpm", "namespace": "almalinux", "name": "xorg-x11-server-common", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"}, - {"package": {"type": "rpm", "namespace": "almalinux", "name": 
"xorg-x11-server-devel", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"}, - {"package": {"type": "rpm", "namespace": "almalinux", "name": "xorg-x11-server-source", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"} - - ], + { + "package": { + "type": "rpm", + "namespace": "almalinux", + "name": "xorg-x11-server-Xdmx", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.20.11-11.el9" + }, + { + "package": { + "type": "rpm", + "namespace": "almalinux", + "name": "xorg-x11-server-Xephyr", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.20.11-11.el9" + }, + { + "package": { + "type": "rpm", + "namespace": "almalinux", + "name": "xorg-x11-server-Xnest", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.20.11-11.el9" + }, + { + "package": { + "type": "rpm", + "namespace": "almalinux", + "name": "xorg-x11-server-Xorg", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.20.11-11.el9" + }, + { + "package": { + "type": "rpm", + "namespace": "almalinux", + "name": "xorg-x11-server-Xvfb", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.20.11-11.el9" + }, + { + "package": { + "type": "rpm", + "namespace": "almalinux", + "name": "xorg-x11-server-common", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.20.11-11.el9" + }, + { + "package": { + "type": "rpm", + "namespace": "almalinux", + "name": "xorg-x11-server-devel", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.20.11-11.el9" + }, + { + "package": { + 
"type": "rpm", + "namespace": "almalinux", + "name": "xorg-x11-server-source", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.20.11-11.el9" + } + ], "references": [ { - "reference_id": "", - "url": "https://access.redhat.com/errata/RHSA-2022:8221", + "reference_id": "", + "reference_type": "", + "url": "https://access.redhat.com/errata/RHSA-2022:8221", "severities": [] - }, + }, { - "reference_id": "", - "url": "https://access.redhat.com/security/cve/CVE-2022-2319", + "reference_id": "", + "reference_type": "", + "url": "https://access.redhat.com/security/cve/CVE-2022-2319", "severities": [] - }, + }, { - "reference_id": "", - "url": "https://access.redhat.com/security/cve/CVE-2022-2320", + "reference_id": "", + "reference_type": "", + "url": "https://access.redhat.com/security/cve/CVE-2022-2320", "severities": [] - }, + }, { - "reference_id": "", - "url": "https://bugzilla.redhat.com/2106671", + "reference_id": "", + "reference_type": "", + "url": "https://bugzilla.redhat.com/2106671", "severities": [] - }, + }, { - "reference_id": "", - "url": "https://bugzilla.redhat.com/2106683", + "reference_id": "", + "reference_type": "", + "url": "https://bugzilla.redhat.com/2106683", "severities": [] - }, + }, { - "reference_id": "", - "url": "https://errata.almalinux.org/9/ALSA-2022-8221.html", + "reference_id": "", + "reference_type": "", + "url": "https://errata.almalinux.org/9/ALSA-2022-8221.html", "severities": [] } - ], - "date_published": "2022-11-15T00:00:00+00:00", - "weaknesses": [], + ], + "date_published": "2022-11-15T00:00:00+00:00", + "weaknesses": [], "url": "https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux8/almalinux_test_3.json" } \ No newline at end of file From c6647c96a1cf0e5438f722887684c099c9354004 Mon Sep 17 00:00:00 2001 From: ambuj Date: Sun, 22 Dec 2024 01:34:08 +0530 Subject: [PATCH 10/12] Create almalinux importer pipeline 
Signed-off-by: ambuj --- vulnerabilities/importers/__init__.py | 4 +- vulnerabilities/importers/almalinux.py | 237 ------------------ vulnerabilities/importers/osv.py | 4 + vulnerabilities/improvers/valid_versions.py | 11 +- .../pipelines/almalinux_importer.py | 68 +++++ .../test_almalinux_importer_pipeline.py} | 17 +- .../almalinux/almalinux_expected_1.json | 6 +- 7 files changed, 93 insertions(+), 254 deletions(-) delete mode 100644 vulnerabilities/importers/almalinux.py create mode 100644 vulnerabilities/pipelines/almalinux_importer.py rename vulnerabilities/tests/{test_almalinux.py => pipelines/test_almalinux_importer_pipeline.py} (82%) diff --git a/vulnerabilities/importers/__init__.py b/vulnerabilities/importers/__init__.py index b40bdfc3a..34a74e5e1 100644 --- a/vulnerabilities/importers/__init__.py +++ b/vulnerabilities/importers/__init__.py @@ -7,7 +7,6 @@ # See https://aboutcode.org for more information about nexB OSS projects. # -from vulnerabilities.importers import almalinux from vulnerabilities.importers import alpine_linux from vulnerabilities.importers import apache_httpd from vulnerabilities.importers import apache_kafka @@ -36,6 +35,7 @@ from vulnerabilities.importers import vulnrichment from vulnerabilities.importers import xen from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipeline +from vulnerabilities.pipelines import almalinux_importer from vulnerabilities.pipelines import github_importer from vulnerabilities.pipelines import gitlab_importer from vulnerabilities.pipelines import nginx_importer @@ -69,7 +69,6 @@ oss_fuzz.OSSFuzzImporter, ruby.RubyImporter, github_osv.GithubOSVImporter, - almalinux.AlmaImporter, curl.CurlImporter, epss.EPSSImporter, vulnrichment.VulnrichImporter, @@ -80,6 +79,7 @@ github_importer.GitHubAPIImporterPipeline, nvd_importer.NVDImporterPipeline, pysec_importer.PyPIImporterPipeline, + almalinux_importer.AlmalinuxImporterPipeline, ] IMPORTERS_REGISTRY = { 
diff --git a/vulnerabilities/importers/almalinux.py b/vulnerabilities/importers/almalinux.py deleted file mode 100644 index 2927b0146..000000000 --- a/vulnerabilities/importers/almalinux.py +++ /dev/null 
@@ -1,237 +0,0 @@ -# -# Copyright (c) nexB Inc. and others. All rights reserved. -# VulnerableCode is a trademark of nexB Inc. -# SPDX-License-Identifier: Apache-2.0 -# See http://www.apache.org/licenses/LICENSE-2.0 for the license text. -# See https://github.com/nexB/vulnerablecode for support or download. -# See https://aboutcode.org for more information about nexB OSS projects. -# - -import json -import logging -from pathlib import Path -from typing import Any -from typing import Iterable -from typing import List -from typing import Optional - -from packageurl import PackageURL -from univers.version_range import RANGE_CLASS_BY_SCHEMES -from univers.version_range import RpmVersionRange -from univers.versions import InvalidVersion -from univers.versions import RpmVersion -from univers.versions import Version - -from vulnerabilities.importer import AdvisoryData -from vulnerabilities.importer import AffectedPackage -from vulnerabilities.importer import Importer -from vulnerabilities.importers.osv import extract_fixed_versions -from vulnerabilities.importers.osv import get_affected_version_range -from vulnerabilities.importers.osv import get_published_date -from vulnerabilities.importers.osv import get_references -from vulnerabilities.importers.osv import get_severities -from vulnerabilities.utils import build_description -from vulnerabilities.utils import dedupe -from vulnerabilities.utils import get_advisory_url -from vulnerabilities.utils import get_cwe_id - -logger = logging.getLogger(__name__) -BASE_URL = "https://github.com/AlmaLinux/osv-database" - - -class AlmaImporter(Importer): - spdx_license_expression = "MIT License" - license_url = "https://github.com/AlmaLinux/osv-database/blob/master/LICENSE" - importer_name = "Alma Linux Importer" - - def advisory_data(self) -> Iterable[AdvisoryData]: - try: - self.clone(repo_url=self.BASE_URL) - base_path = Path(self.vcs_response.dest_dir) - advisory_dirs = base_path / "tree/master/advisories" - # Iterate through the 
directories in the repo and get the .json files - for file in advisory_dirs.glob("**/*.json"): - advisory_url = get_advisory_url( - file=file, - base_path=base_path, - url="https://github.com/AlmaLinux/osv-database/blob/master", - ) - with open(file) as f: - raw_data = json.load(f) - yield parse_advisory_data(raw_data, advisory_url) - finally: - if self.vcs_response: - self.vcs_response.delete() - - -def parse_advisory_data(raw_data, advisory_url) -> Optional[AdvisoryData]: - """ - Parse Alma Linux advisory data and convert it into an AdvisoryData object. - - Args: - raw_data (dict): A dictionary containing raw advisory information. - advisory_url (str): The URL to the advisory. - - Returns: - AdvisoryData: An instance of AdvisoryData with processed information, or - None if the data cannot be parsed correctly. - - Example: - >>> raw_data = { - ... "id": "ALBA-2020:4512", - ... "summary": "libteam bug fix and enhancement update", - ... "details": "For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.", - ... "published": "2020-11-03T12:11:24Z", - ... "affected": [ - ... { - ... "package": { - ... "ecosystem": "AlmaLinux:8", - ... "name": "libteam" - ... }, - ... "ranges": [ - ... { - ... "type": "ECOSYSTEM", - ... "events": [ - ... {"introduced": "0"}, - ... {"fixed": "1.31-2.el8"} - ... ] - ... } - ... ] - ... } - ... ], - ... "references": [ - ... { - ... "url": "https://errata.almalinux.org/8/ALBA-2020-4512.html", - ... "type": "ADVISORY" - ... } - ... ] - ... 
} - >>> advisory_url = "https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux/example_advisory.json" - >>> advisory = parse_advisory_data(raw_data, advisory_url).to_dict() - >>> print(advisory) - {'aliases': ['ALBA-2020:4512'], 'summary': 'libteam bug fix and enhancement update\\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.', 'affected_packages': [{'package': {'type': 'rpm', 'namespace': 'almalinux', 'name': 'libteam', 'version': '', 'qualifiers': '', 'subpath': ''}, 'affected_version_range': None, 'fixed_version': '1.31-2.el8'}], 'references': [{'reference_id': '', 'reference_type': '', 'url': 'https://errata.almalinux.org/8/ALBA-2020-4512.html', 'severities': []}], 'date_published': '2020-11-03T12:11:24+00:00', 'weaknesses': [], 'url': 'https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux/example_advisory.json'} - """ - - raw_id = raw_data.get("id") or "" - summary = raw_data.get("summary") or "" - details = raw_data.get("details") or "" - summary = build_description(summary=summary, description=details) - aliases = raw_data.get("aliases") or [] - if raw_id: - aliases.append(raw_id) - aliases = dedupe(original=aliases) - date_published = get_published_date(raw_data=raw_data) - severities = list(get_severities(raw_data=raw_data)) - references = get_references(raw_data=raw_data, severities=severities) - - affected_packages = [] - - for affected_pkg in raw_data.get("affected") or []: - purl = get_affected_purl(affected_pkg=affected_pkg, raw_id=raw_id) - if not purl: - logger.error(f"Unsupported package type: {affected_pkg!r} in OSV: {raw_id!r}") - continue - - affected_version_range = get_affected_version_range( - affected_pkg=affected_pkg, - raw_id=raw_id, - supported_ecosystem=purl.type, - ) - - for fixed_range in affected_pkg.get("ranges") or []: - fixed_version = get_fixed_versions(fixed_range=fixed_range) - - for version in fixed_version: - 
affected_packages.append( - AffectedPackage( - package=purl, - affected_version_range=affected_version_range, - fixed_version=version, - ) - ) - - database_specific = raw_data.get("database_specific") or {} - cwe_ids = database_specific.get("cwe_ids") or [] - weaknesses = list(map(get_cwe_id, cwe_ids)) - - return AdvisoryData( - aliases=aliases, - summary=summary, - references=references, - affected_packages=affected_packages, - date_published=date_published, - weaknesses=weaknesses, - url=advisory_url, - ) - - -def get_affected_purl(affected_pkg, raw_id): - """ - Generate a PackageURL for the affected package. - - Args: - affected_pkg (dict): A dictionary containing details about the affected package. - raw_id (str): The raw ID of the corresponding advisory. - - Returns: - PackageURL or None. - - For example: - >>> affected_pkg = { - ... "package": { - ... "ecosystem": "AlmaLinux:8", - ... "name": "sblim-wbemcli" - ... }, - ... "ranges": [ - ... { - ... "type": "ECOSYSTEM", - ... "events": [ - ... { - ... "introduced": "0" - ... }, - ... { - ... "fixed": "1.6.3-15.el8" - ... } - ... ] - ... } - ... ] - ... } - >>> raw_id = "ALBA-2019:3482" - >>> get_affected_purl(affected_pkg, raw_id) - PackageURL(type='rpm', namespace='almalinux', name='sblim-wbemcli', version=None, qualifiers={}, subpath=None) - """ - package = affected_pkg.get("package") or {} - purl = package.get("purl") - if purl: - try: - purl = PackageURL.from_string(purl) - except ValueError: - logger.error( - f"Invalid PackageURL: {purl!r} for OSV " - f"affected_pkg {affected_pkg} and id: {raw_id}" - ) - - else: - name = package.get("name") - purl = PackageURL(type="rpm", namespace="almalinux", name=name) - - return PackageURL.from_string(str(purl)) - - -def get_fixed_versions(fixed_range) -> List[Version]: - """ - Return a list of fixed version strings given a ``fixed_range`` mapping of - OSV data. 
- - >>> get_fixed_versions({"type": "ECOSYSTEM", "events": [{"introduced": "0"},{"fixed": "1.6.3-15.el8"}]}) - [RpmVersion(string='1.6.3-15.el8')] - - >>> get_fixed_versions( - ... {"type": "ECOSYSTEM","events":[{"introduced": "0"}, - ... {"fixed": "1.0.6-12.el8"},{"fixed": "2.18.1-12.el8"}]}) - [RpmVersion(string='1.0.6-12.el8'), RpmVersion(string='2.18.1-12.el8')] - """ - fixed_versions = [] - for version in extract_fixed_versions(fixed_range): - fixed_versions.append(RpmVersion(version)) - return dedupe(fixed_versions) diff --git a/vulnerabilities/importers/osv.py b/vulnerabilities/importers/osv.py index 90f4200e8..141f5773a 100644 --- a/vulnerabilities/importers/osv.py +++ b/vulnerabilities/importers/osv.py @@ -41,6 +41,8 @@ "go": "golang", "hex": "hex", "cargo": "cargo", + "almalinux:8": "rpm", + "almalinux:9": "rpm", } @@ -213,6 +215,8 @@ def get_affected_purl(affected_pkg, raw_id): namespace = "" if purl_type == "maven": namespace, _, name = name.partition(":") + if ecosys == "almalinux:8" or ecosys == "almalinux:9": + namespace = "almalinux" purl = PackageURL(type=purl_type, namespace=namespace, name=name) else: diff --git a/vulnerabilities/improvers/valid_versions.py b/vulnerabilities/improvers/valid_versions.py index 9df5a54ed..712c94226 100644 --- a/vulnerabilities/improvers/valid_versions.py +++ b/vulnerabilities/improvers/valid_versions.py @@ -24,7 +24,6 @@ from vulnerabilities.importer import AffectedPackage from vulnerabilities.importer import Importer from vulnerabilities.importer import UnMergeablePackageError -from vulnerabilities.importers.almalinux import AlmaImporter from vulnerabilities.importers.apache_httpd import ApacheHTTPDImporter from vulnerabilities.importers.apache_kafka import ApacheKafkaImporter from vulnerabilities.importers.apache_tomcat import ApacheTomcatImporter 
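Review bot: The new `if ecosys == "almalinux:8" or ecosys == "almalinux:9": namespace = "almalinux"` in `get_affected_purl` repeats the two version literals that the first osv.py hunk also adds to the ecosystem map, so supporting a further AlmaLinux release means editing both places in step. A prefix test, `if ecosys.startswith("almalinux:"):`, keeps the namespace rule release-independent and leaves the map alone to decide which releases are accepted; `ecosys` is assigned outside the hunk, so I am assuming it is already lower-cased at this point, as the lower-case literals imply. A short comment such as `# AlmaLinux packages are RPMs namespaced by distro, like other rpm purls` would also tell the next reader why this ecosystem alone gets a namespace in this branch.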
@@ -42,6 +41,7 @@ from vulnerabilities.improver import Inference from vulnerabilities.models import Advisory from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipeline +from vulnerabilities.pipelines.almalinux_importer import AlmalinuxImporterPipeline from vulnerabilities.pipelines.github_importer import GitHubAPIImporterPipeline from vulnerabilities.pipelines.gitlab_importer import GitLabImporterPipeline from vulnerabilities.pipelines.nginx_importer import NginxImporterPipeline @@ -477,10 +477,13 @@ class RubyImprover(ValidVersionImprover): class GithubOSVImprover(ValidVersionImprover): importer = GithubOSVImporter ignorable_versions = [] - + + class AlmaImprover(ValidVersionImprover): - importer = AlmaImporter - + importer = AlmalinuxImporterPipeline + ignorable_versions = [] + + class CurlImprover(ValidVersionImprover): importer = CurlImporter ignorable_versions = [] diff --git a/vulnerabilities/pipelines/almalinux_importer.py b/vulnerabilities/pipelines/almalinux_importer.py new file mode 100644 index 000000000..e39bcc08e --- /dev/null +++ b/vulnerabilities/pipelines/almalinux_importer.py 
@@ -0,0 +1,68 @@ +# +# Copyright (c) nexB Inc. and others. All rights reserved. +# VulnerableCode is a trademark of nexB Inc. +# SPDX-License-Identifier: Apache-2.0 +# See http://www.apache.org/licenses/LICENSE-2.0 for the license text. +# See https://github.com/aboutcode-org/vulnerablecode for support or download. +# See https://aboutcode.org for more information about nexB OSS projects. +# +import json +import logging +from pathlib import Path +from typing import Iterable + +from fetchcode.vcs import fetch_via_vcs + +from vulnerabilities.importer import AdvisoryData +from vulnerabilities.importers.osv import parse_advisory_data +from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipeline +from vulnerabilities.utils import get_advisory_url + +logger = logging.getLogger(__name__) + + +class AlmalinuxImporterPipeline(VulnerableCodeBaseImporterPipeline): + """Collect Almalinux advisories.""" + + pipeline_id = "almalinux_importer" + spdx_license_expression = "MIT" + license_url = "https://github.com/AlmaLinux/osv-database/blob/master/LICENSE" + importer_name = "Almalinux Importer" + repo_url = "https://github.com/AlmaLinux/osv-database" + + @classmethod + def steps(cls): + return ( + cls.clone, + cls.collect_and_store_advisories, + cls.import_new_advisories, + cls.clean_downloads, + ) + + def clone(self): + self.log(f"Cloning `{self.repo_url}") + self.vcs_response = fetch_via_vcs(self.repo_url) + + def advisories_count(self): + vuln_directory = Path(self.vcs_response.dest_dir) / "tree" / "master" / "advisories" + return sum(1 for _ in vuln_directory.rglob("*.json")) + + def collect_advisories(self) -> Iterable[AdvisoryData]: + base_path = Path(self.vcs_response.dest_dir) + vuln_directory = base_path / "tree" / "master" / "advisories" + for file in vuln_directory.rglob("*.json"): + advisory_url = get_advisory_url( + file=file, + base_path=base_path, + url="https://github.com/AlmaLinux/osv-database/blob/master", + ) + with open(file) as f: + raw_data = 
json.load(f) + yield parse_advisory_data( + raw_data=raw_data, supported_ecosystems="rpm", advisory_url=advisory_url + ) + + def clean_downloads(self): + if self.vcs_response: + self.log(f"Removing cloned repository") + self.vcs_response.delete() diff --git a/vulnerabilities/tests/test_almalinux.py b/vulnerabilities/tests/pipelines/test_almalinux_importer_pipeline.py similarity index 82% rename from vulnerabilities/tests/test_almalinux.py rename to vulnerabilities/tests/pipelines/test_almalinux_importer_pipeline.py index 99e4b4d57..4de06b118 100644 --- a/vulnerabilities/tests/test_almalinux.py +++ b/vulnerabilities/tests/pipelines/test_almalinux_importer_pipeline.py @@ -8,22 +8,23 @@ # import json import os +from pathlib import Path from unittest import TestCase -from vulnerabilities.importers.almalinux import parse_advisory_data +from vulnerabilities.importers.osv import parse_advisory_data from vulnerabilities.tests import util_tests -BASE_DIR = os.path.dirname(os.path.abspath(__file__)) -TEST_DATA = os.path.join(BASE_DIR, "test_data/almalinux") +TEST_DATA = Path(__file__).parent.parent / "test_data" / "almalinux" -class AlmaImporter(TestCase): +class TestAlmalinuxImporterPipelin(TestCase): def test_almalinux_importer1(self): with open(os.path.join(TEST_DATA, "almalinux_test_1.json")) as f: mock_response = json.load(f) expected_file = os.path.join(TEST_DATA, "almalinux_expected_1.json") imported_data = parse_advisory_data( - mock_response, + raw_data=mock_response, + supported_ecosystems="rpm", advisory_url="https://github.com/AlmaLinux/osv-database" "/blob/master/advisories/almalinux8/almalinux_test_1.json", ) 
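Review bot: The log call in `clone` opens a backtick it never closes and `clean_downloads` uses an f-string with nothing to interpolate; `self.log(f"Cloning {self.repo_url}")` and `self.log("Removing cloned repository")` fix both. In `collect_advisories`, `with open(file) as f:` reads the cloned advisory JSON with the platform default encoding, so a non-ASCII summary in the upstream data can decode differently from one host to another; `with open(file, encoding="utf-8") as f:` (or `"rb"`, which `json.load` also accepts) pins it. `advisories_count` and `collect_advisories` both dereference `self.vcs_response`, which only `clone` sets; that holds for the `steps` order declared here, but a one-line docstring on each saying it must run after `clone` would make the dependency explicit.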
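Review bot: The renamed test class is spelled `TestAlmalinuxImporterPipelin`, missing the final `e`; `class TestAlmalinuxImporterPipeline(TestCase):` matches the pipeline class it exercises and the new module name. Now that `TEST_DATA` is a `Path`, the `os.path.join(TEST_DATA, ...)` calls here and in the two following hunks can become `TEST_DATA / "almalinux_test_1.json"`, after which the `os` import is unused. The tests still call `parse_advisory_data` from `vulnerabilities.importers.osv` directly, so nothing exercises `AlmalinuxImporterPipeline.collect_advisories` or `advisories_count`; a test that points a stand-in `vcs_response.dest_dir` at the fixture directory would cover the path handling those methods introduce.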
@@ -35,7 +36,8 @@ def test_almalinux_importer2(self):
 mock_response = json.load(f)
 expected_file = os.path.join(TEST_DATA, "almalinux_expected_2.json")
 imported_data = parse_advisory_data(
- mock_response,
+ raw_data=mock_response,
+ supported_ecosystems="rpm",
 advisory_url="https://github.com/AlmaLinux/osv-database"
 "/blob/master/advisories/almalinux8/almalinux_test_2.json",
 )
@@ -47,7 +49,8 @@ def test_almalinux_importer3(self):
 mock_response = json.load(f)
 expected_file = os.path.join(TEST_DATA, "almalinux_expected_3.json")
 imported_data = parse_advisory_data(
- mock_response,
+ raw_data=mock_response,
+ supported_ecosystems="rpm",
 advisory_url="https://github.com/AlmaLinux/osv-database"
 "/blob/master/advisories/almalinux8/almalinux_test_3.json",
 )
diff --git a/vulnerabilities/tests/test_data/almalinux/almalinux_expected_1.json b/vulnerabilities/tests/test_data/almalinux/almalinux_expected_1.json
index b1344d23c..f83d2839a 100644
--- a/vulnerabilities/tests/test_data/almalinux/almalinux_expected_1.json
+++ b/vulnerabilities/tests/test_data/almalinux/almalinux_expected_1.json
@@ -1,7 +1,5 @@
 {
- "aliases": [
- "ALBA-2019:3336"
- ],
+ "aliases": ["ALBA-2019:3336"],
 "summary": "nss-altfiles bug fix and enhancement update\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.",
 "affected_packages": [
 {
@@ -28,4 +26,4 @@
 "date_published": "2019-11-05T17:32:18+00:00",
 "weaknesses": [],
 "url": "https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux8/almalinux_test_1.json"
-}
\ No newline at end of file
+}
From 1c10ad9d9f44ceccb072bc21812e12fc73a4243c Mon Sep 17 00:00:00 2001
From: ambuj
Date: Mon, 23 Dec 2024 01:28:17 +0530
Subject: [PATCH 11/12] Modify almalinux importer
Signed-off-by: ambuj
---
vulnerabilities/pipelines/almalinux_importer.py | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/vulnerabilities/pipelines/almalinux_importer.py b/vulnerabilities/pipelines/almalinux_importer.py
index e39bcc08e..d7d659932 100644
--- a/vulnerabilities/pipelines/almalinux_importer.py
+++ b/vulnerabilities/pipelines/almalinux_importer.py
@@ -28,7 +28,7 @@ class AlmalinuxImporterPipeline(VulnerableCodeBaseImporterPipeline):
 spdx_license_expression = "MIT"
 license_url = "https://github.com/AlmaLinux/osv-database/blob/master/LICENSE"
 importer_name = "Almalinux Importer"
- repo_url = "https://github.com/AlmaLinux/osv-database"
+ repo_url = "git+https://github.com/AlmaLinux/osv-database"
 @classmethod
 def steps(cls):
@@ -44,22 +44,23 @@ def clone(self):
 self.vcs_response = fetch_via_vcs(self.repo_url)
 def advisories_count(self):
- vuln_directory = Path(self.vcs_response.dest_dir) / "tree" / "master" / "advisories"
+ vuln_directory = Path(self.vcs_response.dest_dir) / "advisories"
 return sum(1 for _ in vuln_directory.rglob("*.json"))
 def collect_advisories(self) -> Iterable[AdvisoryData]:
- base_path = Path(self.vcs_response.dest_dir)
- vuln_directory = base_path / "tree" / "master" / "advisories"
+ base_directory = Path(self.vcs_response.dest_dir)
+ vuln_directory = base_directory / "advisories"
+
 for file in vuln_directory.rglob("*.json"):
 advisory_url = get_advisory_url(
 file=file,
- base_path=base_path,
- url="https://github.com/AlmaLinux/osv-database/blob/master",
+ base_path=base_directory,
+ url="https://github.com/AlmaLinux/osv-database/blob/master/",
 )
 with open(file) as f:
 raw_data = json.load(f)
 yield parse_advisory_data(
- raw_data=raw_data, supported_ecosystems="rpm", advisory_url=advisory_url
+ raw_data=raw_data, supported_ecosystems=["rpm"], advisory_url=advisory_url
 )
 def clean_downloads(self):
From 6300da1798d70f92b646141fd1b45d45129b7424 Mon Sep 17 00:00:00 2001
From: ambuj
Date: Mon, 6 Jan 2025 19:06:19 +0530
Subject: [PATCH 12/12] Update almalinux importer
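Review bot: `supported_ecosystems` is now passed as the list `["rpm"]` at the `yield parse_advisory_data(` call in `collect_advisories`, but the three tests in `vulnerabilities/tests/pipelines/test_almalinux_importer_pipeline.py` (the `@@ -8,22 +8,23 @@`, `@@ -35,7 +36,8 @@` and `@@ -47,7 +49,8 @@` hunks earlier on this page) still call `parse_advisory_data(..., supported_ecosystems="rpm", ...)` with a bare string, and this patch's diffstat touches only the pipeline module. If `parse_advisory_data` checks the ecosystem with `in`, a string argument behaves as substring matching rather than list membership, so the tests would be exercising a different code path than the importer; change them to `supported_ecosystems=["rpm"],`. Whether the string form currently passes or fails cannot be told from the visible hunks.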
Signed-off-by: ambuj
---
vulnerabilities/pipelines/almalinux_importer.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vulnerabilities/pipelines/almalinux_importer.py b/vulnerabilities/pipelines/almalinux_importer.py
index d7d659932..61a6ae9a5 100644
--- a/vulnerabilities/pipelines/almalinux_importer.py
+++ b/vulnerabilities/pipelines/almalinux_importer.py
@@ -45,7 +45,7 @@ def clone(self):
 def advisories_count(self):
 vuln_directory = Path(self.vcs_response.dest_dir) / "advisories"
- return sum(1 for _ in vuln_directory.rglob("*.json"))
+ return len(list(vuln_directory.rglob("*.json")))
 def collect_advisories(self) -> Iterable[AdvisoryData]:
 base_directory = Path(self.vcs_response.dest_dir)
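Review bot: `return len(list(vuln_directory.rglob("*.json")))` in `advisories_count` materializes every matching path only to count it, whereas the replaced `sum(1 for _ in vuln_directory.rglob("*.json"))` counted the same iterator without holding the paths, and the commit message gives no reason for the swap. If the intent is readability, a short comment saying so would spare the next reader the same question; otherwise the generator form is the lighter choice for a large advisory tree. Note also that `advisories_count` and `collect_advisories` each walk the tree with `rglob`, so the directory is traversed twice per run.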