diff --git a/vulnerabilities/importers/__init__.py b/vulnerabilities/importers/__init__.py
index 27fe9c66a..c706f6da4 100644
--- a/vulnerabilities/importers/__init__.py
+++ b/vulnerabilities/importers/__init__.py
@@ -8,6 +8,7 @@
#
from vulnerabilities.importers import alpine_linux
+from vulnerabilities.importers import amazon_linux
from vulnerabilities.importers import apache_httpd
from vulnerabilities.importers import apache_kafka
from vulnerabilities.importers import apache_tomcat
@@ -74,6 +75,7 @@
github_osv.GithubOSVImporter,
epss.EPSSImporter,
vulnrichment.VulnrichImporter,
+ amazon_linux.AmazonLinuxImporter,
pypa_importer.PyPaImporterPipeline,
]
diff --git a/vulnerabilities/importers/amazon_linux.py b/vulnerabilities/importers/amazon_linux.py
new file mode 100644
index 000000000..310c92f99
--- /dev/null
+++ b/vulnerabilities/importers/amazon_linux.py
@@ -0,0 +1,274 @@
+#
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/nexB/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+import logging
+from datetime import datetime
+from typing import Any
+from typing import Iterable
+from typing import List
+from typing import Optional
+
+import pytz
+from bs4 import BeautifulSoup
+from packageurl import PackageURL
+from univers.versions import RpmVersion
+
+from vulnerabilities.importer import AdvisoryData
+from vulnerabilities.importer import AffectedPackage
+from vulnerabilities.importer import Importer
+from vulnerabilities.importer import Reference
+from vulnerabilities.importer import VulnerabilitySeverity
+from vulnerabilities.rpm_utils import rpm_to_purl
+from vulnerabilities.severity_systems import SCORING_SYSTEMS
+from vulnerabilities.utils import fetch_response
+from vulnerabilities.utils import is_cve
+
+LOGGER = logging.getLogger(__name__)
+BASE_URL = "https://alas.aws.amazon.com/"
+
+
+class AmazonLinuxImporter(Importer):
+ spdx_license_expression = "CC BY 4.0"
+ license_url = " " # TODO
+
+ importer_name = "Amazon Linux Importer"
+
+ def advisory_data(self) -> Iterable[AdvisoryData]:
+ amazon_linux_1_url = BASE_URL + "/index.html"
+ amazon_linux_2_url = BASE_URL + "/alas2.html"
+ amazon_linux_2023_url = BASE_URL + "/alas2023.html"
+ amazonlinux_advisories_pages = [
+ amazon_linux_1_url,
+ amazon_linux_2_url,
+ amazon_linux_2023_url,
+ ]
+ alas_dict = {}
+ for amazonlinux_advisories_page in amazonlinux_advisories_pages:
+ alas_dict.update(fetch_alas_id_and_advisory_links(amazonlinux_advisories_page))
+
+ for alas_id, alas_url in alas_dict.items():
+ # It iterates through alas_dict to get alas ids and alas url
+ if alas_id and alas_url:
+ alas_advisory_page_content = fetch_response(alas_url).content
+ yield process_advisory_data(alas_id, alas_advisory_page_content, alas_url)
+
+
+def fetch_alas_id_and_advisory_links(page_url: str) -> dict[str, str]:
+ """
+ Return a dictionary where 'ALAS' entries are the keys and
+ their corresponding advisory page links are the values.
+ """
+
+ page_response_content = fetch_response(page_url).content
+ # Parse the HTML content
+ soup = BeautifulSoup(page_response_content, "html.parser")
+ alas_dict = {}
+
+ if page_url == "https://alas.aws.amazon.com/index.html":
+ # Find all relevant ALAS links and their IDs
+ for row in soup.find_all("tr", id=True):
+ alas_id = row["id"]
+ link_tag = row.find("a", href=True)
+ if link_tag:
+ full_url = "https://alas.aws.amazon.com/" + link_tag["href"]
+ alas_dict[alas_id] = full_url
+
+ elif page_url == "https://alas.aws.amazon.com/alas2.html":
+ # Find all relevant ALAS links and their IDs
+ for row in soup.find_all("tr", id=True):
+ alas_id = row["id"]
+ link_tag = row.find("a", href=True)
+ if link_tag:
+ full_url = "https://alas.aws.amazon.com/AL2" + link_tag["href"]
+ alas_dict[alas_id] = full_url
+
+ else:
+ # Find all relevant ALAS links and their IDs
+ for row in soup.find_all("tr", id=True):
+ alas_id = row["id"]
+ link_tag = row.find("a", href=True)
+ if link_tag:
+ full_url = "https://alas.aws.amazon.com/AL2023/" + link_tag["href"]
+ alas_dict[alas_id] = full_url
+ return alas_dict
+
+
+def process_advisory_data(alas_id, alas_advisory_page_content, alas_url) -> Optional[AdvisoryData]:
+
+ """
+ Processes an Amazon Linux Security Advisory HTML page to extract relevant data and return it in a structured format.
+
+ Args:
+ alas_id (str): The unique identifier for the Amazon Linux Security Advisory (e.g., "ALAS-2024-2628").
+ alas_advisory_page_content (str): The HTML content of the advisory page.
+ alas_url (str): The URL of the advisory page.
+
+ Returns:
+ Optional[AdvisoryData]: An object containing the processed advisory data, or None if the necessary data couldn't be extracted.
+ """
+
+ soup = BeautifulSoup(alas_advisory_page_content, "html.parser")
+ aliases = []
+ aliases.append(alas_id)
+
+ # Find the advisory release date
+ release_date_span = next(
+ (
+ span
+ for span in soup.find_all("span", class_="alas-info")
+ if "Advisory Release Date:" in span.get_text(strip=True)
+ ),
+ None,
+ )
+
+ release_date = (
+ release_date_span.get_text(strip=True).split(":", 1)[1].strip()
+ if release_date_span
+ else None
+ )
+ date_published = get_date_published(release_date)
+
+ # Extract Issue Overview (all points of issue overviews texts)
+ issue_overview = []
+ for p in soup.find("div", id="issue_overview").find_all("p"):
+ # Replace tags with a newline, then split the text
+ text_parts = p.decode_contents().split(" ")
+
+ # Clean and append each part
+ for part in text_parts:
+ clean_text = part.strip()
+ if clean_text: # Avoid adding empty strings
+ issue_overview.append(clean_text)
+ # Filter out any blank entries from the list
+ issue_overview_filtered = [item for item in issue_overview if item]
+
+ summary = create_summary(issue_overview_filtered)
+
+ # Extract Affected Packages (list of strings)
+ processed_affected_packages = []
+ affected_packages_section = soup.find("div", id="affected_packages")
+ if affected_packages_section:
+ affected_packages = affected_packages_section.find_all("p")
+ affected_packages = [pkg.text.strip() for pkg in affected_packages]
+
+ # getting new packages
+ new_packages_div = soup.find("div", id="new_packages")
+
+ # Extract the text elements between tags within this div
+ if new_packages_div:
+ new_packages_list = [
+ element.strip() for element in new_packages_div.pre.stripped_strings if element.strip()
+ ]
+ else:
+ new_packages_list = []
+
+ exclude_items = ["i686:", "noarch:", "src:", "x86_64:", "aarch64:"]
+ filtered_new_packages_list = [
+ package for package in new_packages_list if package not in exclude_items
+ ]
+
+ # new packages are the fixed packages
+ for new_package in filtered_new_packages_list:
+ new_package_purl = rpm_to_purl(new_package, "alas.aws.amazon")
+ if new_package_purl:
+ try:
+ processed_affected_packages.append(
+ AffectedPackage(
+ package=PackageURL(
+ type="rpm",
+ namespace="alas.aws.amazon",
+ name=new_package_purl.name,
+ qualifiers=new_package_purl.qualifiers,
+ subpath=new_package_purl.subpath,
+ ),
+ affected_version_range=None,
+ fixed_version=RpmVersion(new_package_purl.version),
+ )
+ )
+ except ValueError as e:
+ logging.error(
+ f"Invalid RPM version '{new_package_purl.version}' for package '{new_package_purl.name}': {e}"
+ )
+
+ cve_list = []
+ for link in soup.find("div", id="references").find_all("a", href=True):
+ if "CVE-" in link.text:
+ cve_list.append((link.text.strip(), "https://alas.aws.amazon.com" + link["href"]))
+
+ references: List[Reference] = []
+ for cve_id, cve_url in cve_list:
+ aliases.append(cve_id)
+ cve_json_url = f"https://explore.alas.aws.amazon.com/{cve_id}.json"
+ response = fetch_response(cve_json_url)
+
+ # Parse the JSON data
+ cve_info = response.json()
+ severity_scores = cve_info.get("scores", [])
+ severity = []
+ for score in severity_scores:
+ severity.append(
+ VulnerabilitySeverity(
+ system=SCORING_SYSTEMS[score.get("type", "").lower()],
+ value=score.get("score", ""),
+ scoring_elements=score.get("vector", ""),
+ )
+ )
+ references.append(Reference(reference_id=cve_id, url=cve_url, severities=severity))
+
+ additional_references = []
+ # Find all
tags within the links-container div
+ links_container = soup.find("div", class_="links-container")
+ if links_container:
+ p_tags = links_container.find_all("p")
+ for p_tag in p_tags:
+ a_tag = p_tag.find("a")
+ if a_tag:
+ cve_id = a_tag.get_text(strip=True) # Extract the CVE ID text
+ url = a_tag["href"] # Extract the URL from href attribute
+ additional_references.append((cve_id, url))
+ for cve_id, ref_link in additional_references:
+ references.append(Reference(reference_id=cve_id, url=ref_link, severities=[]))
+
+ url = alas_url
+
+ return AdvisoryData(
+ aliases=aliases,
+ date_published=date_published,
+ summary=summary,
+ references=references,
+ affected_packages=processed_affected_packages,
+ url=url,
+ )
+
+
+def get_date_published(release_date_string):
+
+ # Parse the date and time
+ if release_date_string:
+ date_part = release_date_string[:16]
+ time_zone = release_date_string[17:]
+ else:
+ return None
+
+ # Convert to datetime object (naive)
+ naive_date = datetime.strptime(date_part, "%Y-%m-%d %H:%M")
+
+ # Convert to aware datetime by adding the Pacific time zone
+ timezone = pytz.timezone("America/Los_Angeles")
+ date_published = timezone.localize(naive_date)
+ return date_published
+
+
+def create_summary(summary_point: List):
+ summary = ". ".join(summary_point)
+ # Add a period at the end if the final sentence doesn't end with one
+ if not summary.endswith("."):
+ summary += "."
+ return summary
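Review bot: In `advisory_data`, `BASE_URL` already ends in `/`, so `BASE_URL + "/index.html"` produces `https://alas.aws.amazon.com//index.html`, which never equals the literals compared in `fetch_alas_id_and_advisory_links`; all three index pages therefore take the `else` branch and every advisory link gets the `AL2023/` prefix. Build the URLs without the extra slash, e.g. `amazon_linux_1_url = BASE_URL + "index.html"` (likewise for `alas2.html` and `alas2023.html`), and check the AL2 prefix `"https://alas.aws.amazon.com/AL2"`, which lacks the trailing slash that the AL2023 prefix has. In `process_advisory_data`, `soup.find("div", id="issue_overview")` and `soup.find("div", id="references")` are dereferenced without a `None` check, and `SCORING_SYSTEMS[...]` is indexed with a value from the fetched JSON, so one malformed page or unknown score type raises inside the generator and stops the import; guard these, then log and skip the advisory. The scraped link text is interpolated into `cve_json_url` unchecked although `is_cve` is imported and unused; add `if not is_cve(cve_id): continue` before the fetch. `spdx_license_expression = "CC BY 4.0"` is not an SPDX identifier; the SPDX form is `CC-BY-4.0`.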
diff --git a/vulnerabilities/improvers/__init__.py b/vulnerabilities/improvers/__init__.py
index b84cbdbb1..2578d8c51 100644
--- a/vulnerabilities/improvers/__init__.py
+++ b/vulnerabilities/improvers/__init__.py
@@ -31,6 +31,7 @@
vulnerability_status.VulnerabilityStatusImprover,
vulnerability_kev.VulnerabilityKevImprover,
flag_ghost_packages.FlagGhostPackagePipeline,
+ valid_versions.AmazonLinuxImprover,
]
IMPROVERS_REGISTRY = {x.qualified_name: x for x in IMPROVERS_REGISTRY}
diff --git a/vulnerabilities/improvers/valid_versions.py b/vulnerabilities/improvers/valid_versions.py
index d23508bea..ca82b5ec1 100644
--- a/vulnerabilities/improvers/valid_versions.py
+++ b/vulnerabilities/improvers/valid_versions.py
@@ -25,6 +25,7 @@
from vulnerabilities.importer import AffectedPackage
from vulnerabilities.importer import Importer
from vulnerabilities.importer import UnMergeablePackageError
+from vulnerabilities.importers.amazon_linux import AmazonLinuxImporter
from vulnerabilities.importers.apache_httpd import ApacheHTTPDImporter
from vulnerabilities.importers.apache_kafka import ApacheKafkaImporter
from vulnerabilities.importers.apache_tomcat import ApacheTomcatImporter
@@ -472,3 +473,8 @@ class RubyImprover(ValidVersionImprover):
class GithubOSVImprover(ValidVersionImprover):
importer = GithubOSVImporter
ignorable_versions = []
+
+
+class AmazonLinuxImprover(ValidVersionImprover):
+ importer = AmazonLinuxImporter
+ ignorable_versions = []
diff --git a/vulnerabilities/tests/test_amazon_linux.py b/vulnerabilities/tests/test_amazon_linux.py
new file mode 100644
index 000000000..ce179d5ff
--- /dev/null
+++ b/vulnerabilities/tests/test_amazon_linux.py
@@ -0,0 +1,55 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/nexB/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+import json
+import os
+from unittest import TestCase
+
+from bs4 import BeautifulSoup
+
+from vulnerabilities.importers.amazon_linux import process_advisory_data
+from vulnerabilities.tests import util_tests
+
+BASE_DIR = os.path.dirname(os.path.abspath(__file__))
+TEST_DATA = os.path.join(BASE_DIR, "test_data/amazon_linux")
+
+
+class TestAmazonLinuxImporter(TestCase):
+ def test_process_advisory_data1(self):
+ with open(
+ os.path.join(TEST_DATA, "amazon_linux_advisory_test1.html"), "r", encoding="utf-8"
+ ) as file:
+ html_content = file.read()
+ result = process_advisory_data(
+ "ALAS-2024-1943", html_content, "https://alas.aws.amazon.com/ALAS-2024-1943.html"
+ ).to_dict()
+ expected_file = os.path.join(TEST_DATA, "amazon_linux_expected1.json")
+ util_tests.check_results_against_json(result, expected_file)
+
+ def test_process_advisory_data2(self):
+ with open(
+ os.path.join(TEST_DATA, "amazon_linux_advisory_test2.html"), "r", encoding="utf-8"
+ ) as file:
+ html_content = file.read()
+ result = process_advisory_data(
+ "ALAS-2024-2628", html_content, "https://alas.aws.amazon.com/AL2/ALAS-2024-2628.html"
+ ).to_dict()
+ expected_file = os.path.join(TEST_DATA, "amazon_linux_expected2.json")
+ util_tests.check_results_against_json(result, expected_file)
+
+ def test_process_advisory_data3(self):
+ with open(
+ os.path.join(TEST_DATA, "amazon_linux_advisory_test3.html"), "r", encoding="utf-8"
+ ) as file:
+ html_content = file.read()
+ result = process_advisory_data(
+ "ALAS-2024-676", html_content, "https://alas.aws.amazon.com/AL2023/ALAS-2024-676.html"
+ ).to_dict()
+ expected_file = os.path.join(TEST_DATA, "amazon_linux_expected3.json")
+ util_tests.check_results_against_json(result, expected_file)
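Review bot: These three tests are not hermetic, because `process_advisory_data` calls `fetch_response` on `https://explore.alas.aws.amazon.com/{cve_id}.json` for every CVE link it finds. The CVSS values and vectors pinned in the `amazon_linux_expected*.json` fixtures can only come from that live response, so the tests need network access and will break or drift when the upstream service changes a score. Patch the fetch in each test, e.g. `@mock.patch("vulnerabilities.importers.amazon_linux.fetch_response")`, and return a canned JSON body stored alongside the HTML fixtures. The `json` and `BeautifulSoup` imports are unused in this file and can be dropped.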
diff --git a/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_advisory_test1.html b/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_advisory_test1.html
new file mode 100644
index 000000000..682dd3cf8
--- /dev/null
+++ b/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_advisory_test1.html
@@ -0,0 +1,130 @@
+
+
+
+
+
+ ALAS-2024-1943
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
ALAS-2024-1943
+
+
+
+
+
+ Amazon Linux 1 Security Advisory: ALAS-2024-1943
+
+
Advisory Release Date: 2024-07-03 21:01 Pacific
+
Advisory Updated Date: 2024-07-08 17:04 Pacific
+
+
+ Severity:
+
+
+
+
+
+ Important
+
+
+
+
+
+
+
Issue Overview:
+
In the Linux kernel, the following vulnerability has been resolved:
x86/kvm: Disable kvmclock on all CPUs on shutdown (CVE-2021-47110)
+
+
+
+
+
Affected Packages:
+
+
kernel
+
+
+
+
+ Issue Correction:
+ Run yum update kernel to update your system.
+
+
+
New Packages: i686: kernel-debuginfo-4.14.348-187.565.amzn1.i686 kernel-devel-4.14.348-187.565.amzn1.i686 kernel-tools-devel-4.14.348-187.565.amzn1.i686 kernel-headers-4.14.348-187.565.amzn1.i686 perf-debuginfo-4.14.348-187.565.amzn1.i686 kernel-debuginfo-common-i686-4.14.348-187.565.amzn1.i686 kernel-tools-4.14.348-187.565.amzn1.i686 perf-4.14.348-187.565.amzn1.i686 kernel-4.14.348-187.565.amzn1.i686 kernel-tools-debuginfo-4.14.348-187.565.amzn1.i686 src: kernel-4.14.348-187.565.amzn1.src x86_64: kernel-devel-4.14.348-187.565.amzn1.x86_64 kernel-tools-debuginfo-4.14.348-187.565.amzn1.x86_64 kernel-4.14.348-187.565.amzn1.x86_64 kernel-headers-4.14.348-187.565.amzn1.x86_64 kernel-tools-4.14.348-187.565.amzn1.x86_64 kernel-tools-devel-4.14.348-187.565.amzn1.x86_64 kernel-debuginfo-common-x86_64-4.14.348-187.565.amzn1.x86_64 perf-4.14.348-187.565.amzn1.x86_64 kernel-debuginfo-4.14.348-187.565.amzn1.x86_64 perf-debuginfo-4.14.348-187.565.amzn1.x86_64
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_advisory_test2.html b/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_advisory_test2.html
new file mode 100644
index 000000000..55c2cd50d
--- /dev/null
+++ b/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_advisory_test2.html
@@ -0,0 +1,137 @@
+
+
+
+
+
+ ALAS-2024-2628
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
ALAS-2024-2628
+
+
+
+
+
+ Amazon Linux 2 Security Advisory: ALAS-2024-2628
+
+
Advisory Release Date: 2024-08-14 19:06 Pacific
+
Advisory Updated Date: 2024-08-20 16:40 Pacific
+
+
+ Severity:
+
+
+
+
+
+ Low
+
+
+
+
+
+
+
Issue Overview:
+
A Incorrect Default Permissions vulnerability in the packaging of cups of SUSE Linux Enterprise Server 11-SP4-LTSS, SUSE Manager Server 4.0, SUSE OpenStack Cloud Crowbar 9; openSUSE Leap 15.2, Factory allows local attackers with control of the lp users to create files as root with 0644 permissions without the ability to set the content. This issue affects: SUSE Linux Enterprise Server 11-SP4-LTSS cups versions prior to 1.3.9. SUSE Manager Server 4.0 cups versions prior to 2.2.7. SUSE OpenStack Cloud Crowbar 9 cups versions prior to 1.7.5. openSUSE Leap 15.2 cups versions prior to 2.2.7. openSUSE Factory cups version 2.3.3op2-2.1 and prior versions. (CVE-2021-25317)
+
+
+
+
+
Affected Packages:
+
+
cups
+
+
+
Note:
+
+ This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section
+ for the difference between AL2 Core and AL2 Extras advisories.
+
+
+
+
+
+ Issue Correction:
+ Run yum update cups to update your system.
+
+
+
New Packages: aarch64: cups-1.6.3-51.amzn2.0.5.aarch64 cups-client-1.6.3-51.amzn2.0.5.aarch64 cups-devel-1.6.3-51.amzn2.0.5.aarch64 cups-libs-1.6.3-51.amzn2.0.5.aarch64 cups-lpd-1.6.3-51.amzn2.0.5.aarch64 cups-ipptool-1.6.3-51.amzn2.0.5.aarch64 cups-debuginfo-1.6.3-51.amzn2.0.5.aarch64 i686: cups-1.6.3-51.amzn2.0.5.i686 cups-client-1.6.3-51.amzn2.0.5.i686 cups-devel-1.6.3-51.amzn2.0.5.i686 cups-libs-1.6.3-51.amzn2.0.5.i686 cups-lpd-1.6.3-51.amzn2.0.5.i686 cups-ipptool-1.6.3-51.amzn2.0.5.i686 cups-debuginfo-1.6.3-51.amzn2.0.5.i686 noarch: cups-filesystem-1.6.3-51.amzn2.0.5.noarch src: cups-1.6.3-51.amzn2.0.5.src x86_64: cups-1.6.3-51.amzn2.0.5.x86_64 cups-client-1.6.3-51.amzn2.0.5.x86_64 cups-devel-1.6.3-51.amzn2.0.5.x86_64 cups-libs-1.6.3-51.amzn2.0.5.x86_64 cups-lpd-1.6.3-51.amzn2.0.5.x86_64 cups-ipptool-1.6.3-51.amzn2.0.5.x86_64 cups-debuginfo-1.6.3-51.amzn2.0.5.x86_64
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_advisory_test3.html b/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_advisory_test3.html
new file mode 100644
index 000000000..37055d13c
--- /dev/null
+++ b/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_advisory_test3.html
@@ -0,0 +1,130 @@
+
+
+
+
+
+ ALAS-2024-676
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
ALAS-2024-676
+
+
+
+
+
+ Amazon Linux 2023 Security Advisory: ALAS-2024-676
+
+
Advisory Release Date: 2024-08-01 04:06 Pacific
+
Advisory Updated Date: 2024-08-06 15:00 Pacific
+
+
+ Severity:
+
+
+
+
+
+ Important
+
+
+
+
+
+
+
Issue Overview:
+
A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0. (CVE-2024-6345)
+
+
+
+
+
Affected Packages:
+
+
python-setuptools
+
+
+
+
+ Issue Correction:
+ Run dnf update python-setuptools --releasever 2023.5.20240805 to update your system.
+
+
+
New Packages: noarch: python3-setuptools-wheel-59.6.0-2.amzn2023.0.5.noarch python3-setuptools-59.6.0-2.amzn2023.0.5.noarch src: python-setuptools-59.6.0-2.amzn2023.0.5.src
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_expected1.json b/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_expected1.json
new file mode 100644
index 000000000..2e09284aa
--- /dev/null
+++ b/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_expected1.json
@@ -0,0 +1,290 @@
+{
+ "aliases": [
+ "ALAS-2024-1943",
+ "CVE-2021-47110"
+ ],
+ "summary": "In the Linux kernel, the following vulnerability has been resolved:. x86/kvm: Disable kvmclock on all CPUs on shutdown (CVE-2021-47110).",
+ "affected_packages": [
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "kernel-debuginfo",
+ "version": "",
+ "qualifiers": "arch=i686",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "4.14.348-187.565.amzn1"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "kernel-devel",
+ "version": "",
+ "qualifiers": "arch=i686",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "4.14.348-187.565.amzn1"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "kernel-tools-devel",
+ "version": "",
+ "qualifiers": "arch=i686",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "4.14.348-187.565.amzn1"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "kernel-headers",
+ "version": "",
+ "qualifiers": "arch=i686",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "4.14.348-187.565.amzn1"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "perf-debuginfo",
+ "version": "",
+ "qualifiers": "arch=i686",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "4.14.348-187.565.amzn1"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "kernel-debuginfo-common-i686",
+ "version": "",
+ "qualifiers": "arch=i686",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "4.14.348-187.565.amzn1"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "kernel-tools",
+ "version": "",
+ "qualifiers": "arch=i686",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "4.14.348-187.565.amzn1"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "perf",
+ "version": "",
+ "qualifiers": "arch=i686",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "4.14.348-187.565.amzn1"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "kernel",
+ "version": "",
+ "qualifiers": "arch=i686",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "4.14.348-187.565.amzn1"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "kernel-tools-debuginfo",
+ "version": "",
+ "qualifiers": "arch=i686",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "4.14.348-187.565.amzn1"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "kernel",
+ "version": "",
+ "qualifiers": "arch=src",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "4.14.348-187.565.amzn1"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "kernel-devel",
+ "version": "",
+ "qualifiers": "arch=x86_64",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "4.14.348-187.565.amzn1"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "kernel-tools-debuginfo",
+ "version": "",
+ "qualifiers": "arch=x86_64",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "4.14.348-187.565.amzn1"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "kernel",
+ "version": "",
+ "qualifiers": "arch=x86_64",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "4.14.348-187.565.amzn1"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "kernel-headers",
+ "version": "",
+ "qualifiers": "arch=x86_64",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "4.14.348-187.565.amzn1"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "kernel-tools",
+ "version": "",
+ "qualifiers": "arch=x86_64",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "4.14.348-187.565.amzn1"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "kernel-tools-devel",
+ "version": "",
+ "qualifiers": "arch=x86_64",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "4.14.348-187.565.amzn1"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "kernel-debuginfo-common-x86_64",
+ "version": "",
+ "qualifiers": "arch=x86_64",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "4.14.348-187.565.amzn1"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "perf",
+ "version": "",
+ "qualifiers": "arch=x86_64",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "4.14.348-187.565.amzn1"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "kernel-debuginfo",
+ "version": "",
+ "qualifiers": "arch=x86_64",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "4.14.348-187.565.amzn1"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "perf-debuginfo",
+ "version": "",
+ "qualifiers": "arch=x86_64",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "4.14.348-187.565.amzn1"
+ }
+ ],
+ "references": [
+ {
+ "reference_id": "CVE-2021-47110",
+ "reference_type": "",
+ "url": "https://alas.aws.amazon.com/cve/html/CVE-2021-47110.html",
+ "severities": [
+ {
+ "system": "cvssv3",
+ "value": "7.1",
+ "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"
+ }
+ ]
+ },
+ {
+ "reference_id": "CVE-2021-47110",
+ "reference_type": "",
+ "url": "https://access.redhat.com/security/cve/CVE-2021-47110",
+ "severities": []
+ },
+ {
+ "reference_id": "CVE-2021-47110",
+ "reference_type": "",
+ "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-47110",
+ "severities": []
+ }
+ ],
+ "date_published": "2024-07-03T21:01:00-07:00",
+ "weaknesses": [],
+ "url": "https://alas.aws.amazon.com/ALAS-2024-1943.html"
+}
\ No newline at end of file
diff --git a/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_expected2.json b/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_expected2.json
new file mode 100644
index 000000000..49d284360
--- /dev/null
+++ b/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_expected2.json
@@ -0,0 +1,324 @@
+{
+ "aliases": [
+ "ALAS-2024-2628",
+ "CVE-2021-25317"
+ ],
+ "summary": "A Incorrect Default Permissions vulnerability in the packaging of cups of SUSE Linux Enterprise Server 11-SP4-LTSS, SUSE Manager Server 4.0, SUSE OpenStack Cloud Crowbar 9; openSUSE Leap 15.2, Factory allows local attackers with control of the lp users to create files as root with 0644 permissions without the ability to set the content. This issue affects: SUSE Linux Enterprise Server 11-SP4-LTSS cups versions prior to 1.3.9. SUSE Manager Server 4.0 cups versions prior to 2.2.7. SUSE OpenStack Cloud Crowbar 9 cups versions prior to 1.7.5. openSUSE Leap 15.2 cups versions prior to 2.2.7. openSUSE Factory cups version 2.3.3op2-2.1 and prior versions. (CVE-2021-25317).",
+ "affected_packages": [
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "cups",
+ "version": "",
+ "qualifiers": "arch=aarch64",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "1.6.3-51.amzn2.0.5"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "cups-client",
+ "version": "",
+ "qualifiers": "arch=aarch64",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "1.6.3-51.amzn2.0.5"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "cups-devel",
+ "version": "",
+ "qualifiers": "arch=aarch64",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "1.6.3-51.amzn2.0.5"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "cups-libs",
+ "version": "",
+ "qualifiers": "arch=aarch64",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "1.6.3-51.amzn2.0.5"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "cups-lpd",
+ "version": "",
+ "qualifiers": "arch=aarch64",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "1.6.3-51.amzn2.0.5"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "cups-ipptool",
+ "version": "",
+ "qualifiers": "arch=aarch64",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "1.6.3-51.amzn2.0.5"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "cups-debuginfo",
+ "version": "",
+ "qualifiers": "arch=aarch64",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "1.6.3-51.amzn2.0.5"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "cups",
+ "version": "",
+ "qualifiers": "arch=i686",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "1.6.3-51.amzn2.0.5"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "cups-client",
+ "version": "",
+ "qualifiers": "arch=i686",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "1.6.3-51.amzn2.0.5"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "cups-devel",
+ "version": "",
+ "qualifiers": "arch=i686",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "1.6.3-51.amzn2.0.5"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "cups-libs",
+ "version": "",
+ "qualifiers": "arch=i686",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "1.6.3-51.amzn2.0.5"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "cups-lpd",
+ "version": "",
+ "qualifiers": "arch=i686",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "1.6.3-51.amzn2.0.5"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "cups-ipptool",
+ "version": "",
+ "qualifiers": "arch=i686",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "1.6.3-51.amzn2.0.5"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "cups-debuginfo",
+ "version": "",
+ "qualifiers": "arch=i686",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "1.6.3-51.amzn2.0.5"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "cups-filesystem",
+ "version": "",
+ "qualifiers": "arch=noarch",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "1.6.3-51.amzn2.0.5"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "cups",
+ "version": "",
+ "qualifiers": "arch=src",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "1.6.3-51.amzn2.0.5"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "cups",
+ "version": "",
+ "qualifiers": "arch=x86_64",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "1.6.3-51.amzn2.0.5"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "cups-client",
+ "version": "",
+ "qualifiers": "arch=x86_64",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "1.6.3-51.amzn2.0.5"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "cups-devel",
+ "version": "",
+ "qualifiers": "arch=x86_64",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "1.6.3-51.amzn2.0.5"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "cups-libs",
+ "version": "",
+ "qualifiers": "arch=x86_64",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "1.6.3-51.amzn2.0.5"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "cups-lpd",
+ "version": "",
+ "qualifiers": "arch=x86_64",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "1.6.3-51.amzn2.0.5"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "cups-ipptool",
+ "version": "",
+ "qualifiers": "arch=x86_64",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "1.6.3-51.amzn2.0.5"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "cups-debuginfo",
+ "version": "",
+ "qualifiers": "arch=x86_64",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "1.6.3-51.amzn2.0.5"
+ }
+ ],
+ "references": [
+ {
+ "reference_id": "CVE-2021-25317",
+ "reference_type": "",
+ "url": "https://alas.aws.amazon.com/cve/html/CVE-2021-25317.html",
+ "severities": [
+ {
+ "system": "cvssv3",
+ "value": "3.3",
+ "scoring_elements": "NVD: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+ },
+ {
+ "system": "cvssv3",
+ "value": "3.3",
+ "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+ },
+ {
+ "system": "cvssv2",
+ "value": "2.1",
+ "scoring_elements": "AV:L/AC:L/Au:N/C:N/I:P/A:N"
+ }
+ ]
+ },
+ {
+ "reference_id": "CVE-2021-25317",
+ "reference_type": "",
+ "url": "https://access.redhat.com/security/cve/CVE-2021-25317",
+ "severities": []
+ },
+ {
+ "reference_id": "CVE-2021-25317",
+ "reference_type": "",
+ "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25317",
+ "severities": []
+ }
+ ],
+ "date_published": "2024-08-14T19:06:00-07:00",
+ "weaknesses": [],
+ "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2628.html"
+}
\ No newline at end of file
diff --git a/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_expected3.json b/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_expected3.json
new file mode 100644
index 000000000..3750acfb8
--- /dev/null
+++ b/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_expected3.json
@@ -0,0 +1,79 @@
+{
+ "aliases": [
+ "ALAS-2024-676",
+ "CVE-2024-6345"
+ ],
+ "summary": "A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0. (CVE-2024-6345).",
+ "affected_packages": [
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "python3-setuptools-wheel",
+ "version": "",
+ "qualifiers": "arch=noarch",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "59.6.0-2.amzn2023.0.5"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "python3-setuptools",
+ "version": "",
+ "qualifiers": "arch=noarch",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "59.6.0-2.amzn2023.0.5"
+ },
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "alas.aws.amazon",
+ "name": "python-setuptools",
+ "version": "",
+ "qualifiers": "arch=src",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "59.6.0-2.amzn2023.0.5"
+ }
+ ],
+ "references": [
+ {
+ "reference_id": "CVE-2024-6345",
+ "reference_type": "",
+ "url": "https://alas.aws.amazon.com/cve/html/CVE-2024-6345.html",
+ "severities": [
+ {
+ "system": "cvssv3",
+ "value": "8.8",
+ "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ },
+ {
+ "system": "cvssv3",
+ "value": "8.8",
+ "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ]
+ },
+ {
+ "reference_id": "CVE-2024-6345",
+ "reference_type": "",
+ "url": "https://access.redhat.com/security/cve/CVE-2024-6345",
+ "severities": []
+ },
+ {
+ "reference_id": "CVE-2024-6345",
+ "reference_type": "",
+ "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6345",
+ "severities": []
+ }
+ ],
+ "date_published": "2024-08-01T04:06:00-07:00",
+ "weaknesses": [],
+ "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-676.html"
+}
\ No newline at end of file
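Review bot: The two severities expected for CVE-2024-6345 are both filed under `"system": "cvssv3"`, although the first vector is `CVSS:3.1/...` and only the second is `CVSS:3.0/...`. If the project's scoring systems keep a separate entry for CVSS 3.1 (the importer reads from `SCORING_SYSTEMS`, which is not shown in this hunk), this fixture pins the wrong label and the first entry should expect `"system": "cvssv3.1"`. The two entries also carry no source, so a consumer sees the same 8.8 score twice with nothing to tell them apart. The preceding fixture's `"NVD: CVSS:3.1/..."` value suggests the source label can end up inside `scoring_elements`, where it would presumably stop the vector from parsing as CVSS; that is worth confirming in the importer before these expectations are locked in.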