Add importer for vmware/photon/wiki/Security-Advisories vulnerabilities advisories #1683
Conversation
…h affected packages, and added error handling and logging for advisory processing
…h affected packages, and added error handling and logging for advisory processing and imported advisories
There was a problem hiding this comment.
Thanks @Samk1710, see some suggestions.
- Should we instead use the Photon advisory republished in OSV by @captn3m0 ?Datasource Request: Photon OS Advisories #1586
- Add your DCO signoff in the commit itself, and also make sure to go through the contribution guidelines on how to write a good commit message https://aboutcode.readthedocs.io/en/latest/contributing/writing_good_commit_messages.html
- Run the code formatting command
make validbefore committing code, as mentioned in the tutorial https://vulnerablecode.readthedocs.io/en/latest/tutorial_add_importer_pipeline.html#implement-the-collect-advisories-method - Also, don't forget to add unit tests.
.qdrant-initialized
Outdated
There was a problem hiding this comment.
Why commit the Qdrant init config?
| advisories = [] | ||
| for url in self.urls: | ||
| try: | ||
| response = requests.get(url) |
There was a problem hiding this comment.
Why fetch these twice? both in advisories_count and here.
|
|
||
| # Use GenericVersion to handle non-semver versions | ||
| try: | ||
| fixed_version = GenericVersion(rev_ver) |
There was a problem hiding this comment.
Should we add support for PhotonVersion, or could we instead use RpmVersion?
| response = requests.get(url) | ||
| response.raise_for_status() | ||
| advisories_data = response.json() # Fetch the data from the API | ||
| advisories.extend(self.to_advisory(advisories_data)) # Collect advisories for each URL |
There was a problem hiding this comment.
Not the right approach, advisory should always be yielded. No need to compute all advisory at once. See the other importer pipelines like https://github.com/aboutcode-org/vulnerablecode/blob/main/vulnerabilities/pipelines/nginx_importer.py
There was a problem hiding this comment.
Thankyou @keshav-space for the suggestions. I will look into them and make the changes. Thankyou.
Since this code already uses the CVE feed, the additional source I use in generating in the OSV feed are the Photon Security Advisories which are in markdown. Just for context, the additional information you get from the PHSA feed is the following:
As an example, PHSA-2024-5.0-0301 includes updates for libarchive - ['CVE-2024-26256'] and openssl - ['CVE-2024-4741']. The CVE JSON feed includes the following information: while the PHSA page calls it a "Important" update with an issue date of The only additional information I consume for the OSV feed is the PHSA ID (I'm planning to add the checksums), so the gains are quite minor - except for interoperability perhaps by relying on OSV imports directly. |
|
@captn3m0 Thanks for all the work on the PhotonOS OSV Advisory. We will be using it in this pipeline. |
Added an importer at vulnerabilities/pipelines/vmwarephoton_importer.py and registered in vulnerabilities/importers/init.py
Addressing issue: #36
Signed-off-by: Sampurna Pyne [email protected]