aboutcode-org · ambuj-1211 · Jun 22, 2024 · Jun 24, 2024 · Jun 25, 2024 · Jul 2, 2024
diff --git a/vulnerabilities/importers/__init__.py b/vulnerabilities/importers/__init__.py
@@ -35,6 +35,7 @@
 from vulnerabilities.importers import vulnrichment
 from vulnerabilities.importers import xen
 from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipeline
+from vulnerabilities.pipelines import almalinux_importer
 from vulnerabilities.pipelines import github_importer
 from vulnerabilities.pipelines import gitlab_importer
 from vulnerabilities.pipelines import nginx_importer
@@ -78,6 +79,7 @@
     github_importer.GitHubAPIImporterPipeline,
     nvd_importer.NVDImporterPipeline,
     pysec_importer.PyPIImporterPipeline,
+    almalinux_importer.AlmalinuxImporterPipeline,
 ]
 
 IMPORTERS_REGISTRY = {

diff --git a/vulnerabilities/importers/osv.py b/vulnerabilities/importers/osv.py
@@ -41,6 +41,8 @@
     "go": "golang",
     "hex": "hex",
     "cargo": "cargo",
+    "almalinux:8": "rpm",
+    "almalinux:9": "rpm",
 }
 
 
@@ -213,6 +215,8 @@ def get_affected_purl(affected_pkg, raw_id):
             namespace = ""
             if purl_type == "maven":
                 namespace, _, name = name.partition(":")
+            if ecosys == "almalinux:8" or ecosys == "almalinux:9":
+                namespace = "almalinux"
 
             purl = PackageURL(type=purl_type, namespace=namespace, name=name)
         else:

diff --git a/vulnerabilities/improvers/__init__.py b/vulnerabilities/improvers/__init__.py
@@ -34,6 +34,7 @@
     valid_versions.RubyImprover,
     valid_versions.GithubOSVImprover,
     vulnerability_status.VulnerabilityStatusImprover,
+    valid_versions.AlmaImprover,
     valid_versions.CurlImprover,
     flag_ghost_packages.FlagGhostPackagePipeline,
     enhance_with_kev.VulnerabilityKevPipeline,

diff --git a/vulnerabilities/improvers/valid_versions.py b/vulnerabilities/improvers/valid_versions.py
@@ -41,6 +41,7 @@
 from vulnerabilities.improver import Inference
 from vulnerabilities.models import Advisory
 from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipeline
+from vulnerabilities.pipelines.almalinux_importer import AlmalinuxImporterPipeline
 from vulnerabilities.pipelines.github_importer import GitHubAPIImporterPipeline
 from vulnerabilities.pipelines.gitlab_importer import GitLabImporterPipeline
 from vulnerabilities.pipelines.nginx_importer import NginxImporterPipeline
@@ -478,6 +479,11 @@ class GithubOSVImprover(ValidVersionImprover):
     ignorable_versions = []
 
 
+class AlmaImprover(ValidVersionImprover):
+    importer = AlmalinuxImporterPipeline
+    ignorable_versions = []
+
+
 class CurlImprover(ValidVersionImprover):
     importer = CurlImporter
     ignorable_versions = []
diff --git a/vulnerabilities/pipelines/almalinux_importer.py b/vulnerabilities/pipelines/almalinux_importer.py
@@ -0,0 +1,69 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+import json
+import logging
+from pathlib import Path
+from typing import Iterable
+
+from fetchcode.vcs import fetch_via_vcs
+
+from vulnerabilities.importer import AdvisoryData
+from vulnerabilities.importers.osv import parse_advisory_data
+from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipeline
+from vulnerabilities.utils import get_advisory_url
+
+logger = logging.getLogger(__name__)
+
+
+class AlmalinuxImporterPipeline(VulnerableCodeBaseImporterPipeline):
+    """Collect Almalinux advisories."""
+
+    pipeline_id = "almalinux_importer"
+    spdx_license_expression = "MIT"
+    license_url = "https://github.com/AlmaLinux/osv-database/blob/master/LICENSE"
+    importer_name = "Almalinux Importer"
+    repo_url = "git+https://github.com/AlmaLinux/osv-database"
+
+    @classmethod
+    def steps(cls):
+        return (
+            cls.clone,
+            cls.collect_and_store_advisories,
+            cls.import_new_advisories,
+            cls.clean_downloads,
+        )
+
+    def clone(self):
+        self.log(f"Cloning `{self.repo_url}")
+        self.vcs_response = fetch_via_vcs(self.repo_url)
+
+    def advisories_count(self):
+        vuln_directory = Path(self.vcs_response.dest_dir) / "advisories"
+        return len(list(vuln_directory.rglob("*.json")))
+
+    def collect_advisories(self) -> Iterable[AdvisoryData]:
+        base_directory = Path(self.vcs_response.dest_dir)
+        vuln_directory = base_directory / "advisories"
+
+        for file in vuln_directory.rglob("*.json"):
+            advisory_url = get_advisory_url(
+                file=file,
+                base_path=base_directory,
+                url="https://github.com/AlmaLinux/osv-database/blob/master/",
+            )
+            with open(file) as f:
+                raw_data = json.load(f)
+            yield parse_advisory_data(
+                raw_data=raw_data, supported_ecosystems=["rpm"], advisory_url=advisory_url
+            )
+
+    def clean_downloads(self):
+        if self.vcs_response:
+            self.log(f"Removing cloned repository")
+            self.vcs_response.delete()
diff --git a/vulnerabilities/tests/pipelines/test_almalinux_importer_pipeline.py b/vulnerabilities/tests/pipelines/test_almalinux_importer_pipeline.py
@@ -0,0 +1,58 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/nexB/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+import json
+import os
+from pathlib import Path
+from unittest import TestCase
+
+from vulnerabilities.importers.osv import parse_advisory_data
+from vulnerabilities.tests import util_tests
+
+TEST_DATA = Path(__file__).parent.parent / "test_data" / "almalinux"
+
+
+class TestAlmalinuxImporterPipelin(TestCase):
+    def test_almalinux_importer1(self):
+        with open(os.path.join(TEST_DATA, "almalinux_test_1.json")) as f:
+            mock_response = json.load(f)
+        expected_file = os.path.join(TEST_DATA, "almalinux_expected_1.json")
+        imported_data = parse_advisory_data(
+            raw_data=mock_response,
+            supported_ecosystems="rpm",
+            advisory_url="https://github.com/AlmaLinux/osv-database"
+            "/blob/master/advisories/almalinux8/almalinux_test_1.json",
+        )
+        result = imported_data.to_dict()
+        util_tests.check_results_against_json(result, expected_file)
+
+    def test_almalinux_importer2(self):
+        with open(os.path.join(TEST_DATA, "almalinux_test_2.json")) as f:
+            mock_response = json.load(f)
+        expected_file = os.path.join(TEST_DATA, "almalinux_expected_2.json")
+        imported_data = parse_advisory_data(
+            raw_data=mock_response,
+            supported_ecosystems="rpm",
+            advisory_url="https://github.com/AlmaLinux/osv-database"
+            "/blob/master/advisories/almalinux8/almalinux_test_2.json",
+        )
+        result = imported_data.to_dict()
+        util_tests.check_results_against_json(result, expected_file)
+
+    def test_almalinux_importer3(self):
+        with open(os.path.join(TEST_DATA, "almalinux_test_3.json")) as f:
+            mock_response = json.load(f)
+        expected_file = os.path.join(TEST_DATA, "almalinux_expected_3.json")
+        imported_data = parse_advisory_data(
+            raw_data=mock_response,
+            supported_ecosystems="rpm",
+            advisory_url="https://github.com/AlmaLinux/osv-database"
+            "/blob/master/advisories/almalinux8/almalinux_test_3.json",
+        )
+        result = imported_data.to_dict()
+        util_tests.check_results_against_json(result, expected_file)
diff --git a/vulnerabilities/tests/test_data/almalinux/almalinux_expected_1.json b/vulnerabilities/tests/test_data/almalinux/almalinux_expected_1.json
@@ -0,0 +1,29 @@
+{
+  "aliases": ["ALBA-2019:3336"],
+  "summary": "nss-altfiles bug fix and enhancement update\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.",
+  "affected_packages": [
+    {
+      "package": {
+        "type": "rpm",
+        "namespace": "almalinux",
+        "name": "nss-altfiles",
+        "version": "",
+        "qualifiers": "",
+        "subpath": ""
+      },
+      "affected_version_range": null,
+      "fixed_version": "2.18.1-12.el8"
+    }
+  ],
+  "references": [
+    {
+      "reference_id": "",
+      "reference_type": "",
+      "url": "https://errata.almalinux.org/8/ALBA-2019-3336.html",
+      "severities": []
+    }
+  ],
+  "date_published": "2019-11-05T17:32:18+00:00",
+  "weaknesses": [],
+  "url": "https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux8/almalinux_test_1.json"
+}
diff --git a/vulnerabilities/tests/test_data/almalinux/almalinux_expected_2.json b/vulnerabilities/tests/test_data/almalinux/almalinux_expected_2.json
@@ -0,0 +1,24 @@
+{
+    "aliases": [
+        "ALEA-2019:3314"
+    ],
+    "summary": "python3-azure-sdk bug fix and enhancement update\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.",
+    "affected_packages": [
+        {
+            "package": {
+                "type": "rpm",
+                "namespace": "almalinux",
+                "name": "python3-azure-sdk",
+                "version": "",
+                "qualifiers": "",
+                "subpath": ""
+            },
+            "affected_version_range": null,
+            "fixed_version": "4.0.0-9.el8"
+        }
+    ],
+    "references": [],
+    "date_published": "2019-11-05T17:29:24+00:00",
+    "weaknesses": [],
+    "url": "https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux8/almalinux_test_2.json"
+}
diff --git a/vulnerabilities/tests/test_data/almalinux/almalinux_expected_3.json b/vulnerabilities/tests/test_data/almalinux/almalinux_expected_3.json
@@ -0,0 +1,145 @@
+{
+    "aliases": [
+        "ALSA-2022:8221"
+    ],
+    "summary": "Moderate: xorg-x11-server security and bug fix update\nX.Org is an open-source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon.\n\nSecurity Fix(es)n\n* xorg-x11-server: X.Org Server ProcXkbSetGeometry out-of-bounds access (CVE-2022-2319)\n* xorg-x11-server: out-of-bounds access in ProcXkbSetDeviceInfo request handler of the Xkb extension VE-2022-2320)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\nAdditional Changes:\n\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.",
+    "affected_packages": [
+        {
+            "package": {
+                "type": "rpm",
+                "namespace": "almalinux",
+                "name": "xorg-x11-server-Xdmx",
+                "version": "",
+                "qualifiers": "",
+                "subpath": ""
+            },
+            "affected_version_range": null,
+            "fixed_version": "1.20.11-11.el9"
+        },
+        {
+            "package": {
+                "type": "rpm",
+                "namespace": "almalinux",
+                "name": "xorg-x11-server-Xephyr",
+                "version": "",
+                "qualifiers": "",
+                "subpath": ""
+            },
+            "affected_version_range": null,
+            "fixed_version": "1.20.11-11.el9"
+        },
+        {
+            "package": {
+                "type": "rpm",
+                "namespace": "almalinux",
+                "name": "xorg-x11-server-Xnest",
+                "version": "",
+                "qualifiers": "",
+                "subpath": ""
+            },
+            "affected_version_range": null,
+            "fixed_version": "1.20.11-11.el9"
+        },
+        {
+            "package": {
+                "type": "rpm",
+                "namespace": "almalinux",
+                "name": "xorg-x11-server-Xorg",
+                "version": "",
+                "qualifiers": "",
+                "subpath": ""
+            },
+            "affected_version_range": null,
+            "fixed_version": "1.20.11-11.el9"
+        },
+        {
+            "package": {
+                "type": "rpm",
+                "namespace": "almalinux",
+                "name": "xorg-x11-server-Xvfb",
+                "version": "",
+                "qualifiers": "",
+                "subpath": ""
+            },
+            "affected_version_range": null,
+            "fixed_version": "1.20.11-11.el9"
+        },
+        {
+            "package": {
+                "type": "rpm",
+                "namespace": "almalinux",
+                "name": "xorg-x11-server-common",
+                "version": "",
+                "qualifiers": "",
+                "subpath": ""
+            },
+            "affected_version_range": null,
+            "fixed_version": "1.20.11-11.el9"
+        },
+        {
+            "package": {
+                "type": "rpm",
+                "namespace": "almalinux",
+                "name": "xorg-x11-server-devel",
+                "version": "",
+                "qualifiers": "",
+                "subpath": ""
+            },
+            "affected_version_range": null,
+            "fixed_version": "1.20.11-11.el9"
+        },
+        {
+            "package": {
+                "type": "rpm",
+                "namespace": "almalinux",
+                "name": "xorg-x11-server-source",
+                "version": "",
+                "qualifiers": "",
+                "subpath": ""
+            },
+            "affected_version_range": null,
+            "fixed_version": "1.20.11-11.el9"
+        }
+    ],
+    "references": [
+        {
+            "reference_id": "",
+            "reference_type": "",
+            "url": "https://access.redhat.com/errata/RHSA-2022:8221",
+            "severities": []
+        },
+        {
+            "reference_id": "",
+            "reference_type": "",
+            "url": "https://access.redhat.com/security/cve/CVE-2022-2319",
+            "severities": []
+        },
+        {
+            "reference_id": "",
+            "reference_type": "",
+            "url": "https://access.redhat.com/security/cve/CVE-2022-2320",
+            "severities": []
+        },
+        {
+            "reference_id": "",
+            "reference_type": "",
+            "url": "https://bugzilla.redhat.com/2106671",
+            "severities": []
+        },
+        {
+            "reference_id": "",
+            "reference_type": "",
+            "url": "https://bugzilla.redhat.com/2106683",
+            "severities": []
+        },
+        {
+            "reference_id": "",
+            "reference_type": "",
+            "url": "https://errata.almalinux.org/9/ALSA-2022-8221.html",
+            "severities": []
+        }
+    ],
+    "date_published": "2022-11-15T00:00:00+00:00",
+    "weaknesses": [],
+    "url": "https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux8/almalinux_test_3.json"
+}