-
Notifications
You must be signed in to change notification settings - Fork 201
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add Almalinux advisories #1491
base: main
Are you sure you want to change the base?
Add Almalinux advisories #1491
Changes from 9 commits
d51b973
c6e95bb
d7002f9
4746d78
d2f6945
c328dbd
511cdda
86c18cf
e82f47e
c679856
088279c
4dcc863
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change | ||||||
---|---|---|---|---|---|---|---|---|
@@ -0,0 +1,190 @@ | ||||||||
# | ||||||||
# Copyright (c) nexB Inc. and others. All rights reserved. | ||||||||
# VulnerableCode is a trademark of nexB Inc. | ||||||||
# SPDX-License-Identifier: Apache-2.0 | ||||||||
# See http://www.apache.org/licenses/LICENSE-2.0 for the license text. | ||||||||
# See https://github.com/nexB/vulnerablecode for support or download. | ||||||||
# See https://aboutcode.org for more information about nexB OSS projects. | ||||||||
# | ||||||||
|
||||||||
import json | ||||||||
import logging | ||||||||
from pathlib import Path | ||||||||
from typing import Any | ||||||||
from typing import Iterable | ||||||||
from typing import List | ||||||||
from typing import Optional | ||||||||
|
||||||||
from packageurl import PackageURL | ||||||||
from univers.version_range import RANGE_CLASS_BY_SCHEMES | ||||||||
from univers.version_range import RpmVersionRange | ||||||||
from univers.versions import InvalidVersion | ||||||||
Comment on lines
+19
to
+21
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @ambuj-1211 please remove the unused imports.
Suggested change
|
||||||||
from univers.versions import RpmVersion | ||||||||
from univers.versions import Version | ||||||||
|
||||||||
from vulnerabilities.importer import AdvisoryData | ||||||||
from vulnerabilities.importer import AffectedPackage | ||||||||
from vulnerabilities.importer import Importer | ||||||||
from vulnerabilities.importers.osv import extract_fixed_versions | ||||||||
from vulnerabilities.importers.osv import get_affected_version_range | ||||||||
from vulnerabilities.importers.osv import get_published_date | ||||||||
from vulnerabilities.importers.osv import get_references | ||||||||
from vulnerabilities.importers.osv import get_severities | ||||||||
from vulnerabilities.utils import build_description | ||||||||
from vulnerabilities.utils import dedupe | ||||||||
from vulnerabilities.utils import get_advisory_url | ||||||||
from vulnerabilities.utils import get_cwe_id | ||||||||
|
||||||||
logger = logging.getLogger(__name__) | ||||||||
BASE_URL = "https://github.com/AlmaLinux/osv-database" | ||||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Please keep the URL within the importer class. |
||||||||
|
||||||||
|
||||||||
class AlmaImporter(Importer): | ||||||||
spdx_license_expression = "MIT License" | ||||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Please refer to https://spdx.org/licenses/ before writing the SPDX license expression.
Suggested change
|
||||||||
license_url = "https://github.com/AlmaLinux/osv-database/blob/master/LICENSE" | ||||||||
importer_name = "Alma Linux Importer" | ||||||||
|
||||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||||
def advisory_data(self) -> Iterable[AdvisoryData]: | ||||||||
try: | ||||||||
self.clone(repo_url=self.BASE_URL) | ||||||||
base_path = Path(self.vcs_response.dest_dir) | ||||||||
advisory_dirs = base_path / "tree/master/advisories" | ||||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @ambuj-1211 This path isn't functioning; the importer isn't actually importing any data.
Suggested change
Please ensure you run the importer and verify the data is correctly imported. |
||||||||
# Iterate through the directories in the repo and get the .json files | ||||||||
for file in advisory_dirs.glob("**/*.json"): | ||||||||
advisory_url = get_advisory_url( | ||||||||
file=file, | ||||||||
base_path=base_path, | ||||||||
url="https://github.com/AlmaLinux/osv-database/blob/master", | ||||||||
) | ||||||||
with open(file) as f: | ||||||||
raw_data = json.load(f) | ||||||||
yield parse_advisory_data(raw_data, advisory_url) | ||||||||
finally: | ||||||||
if self.vcs_response: | ||||||||
self.vcs_response.delete() | ||||||||
|
||||||||
|
||||||||
def parse_advisory_data(raw_data, advisory_url) -> Optional[AdvisoryData]: | ||||||||
ziadhany marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||||
raw_id = raw_data.get("id") or "" | ||||||||
summary = raw_data.get("summary") or "" | ||||||||
details = raw_data.get("details") or "" | ||||||||
summary = build_description(summary=summary, description=details) | ||||||||
aliases = raw_data.get("aliases") or [] | ||||||||
if raw_id: | ||||||||
aliases.append(raw_id) | ||||||||
aliases = dedupe(original=aliases) | ||||||||
date_published = get_published_date(raw_data=raw_data) | ||||||||
severities = list(get_severities(raw_data=raw_data)) | ||||||||
references = get_references(raw_data=raw_data, severities=severities) | ||||||||
|
||||||||
affected_packages = [] | ||||||||
|
||||||||
for affected_pkg in raw_data.get("affected") or []: | ||||||||
purl = get_affected_purl(affected_pkg=affected_pkg, raw_id=raw_id) | ||||||||
if not purl: | ||||||||
logger.error(f"Unsupported package type: {affected_pkg!r} in OSV: {raw_id!r}") | ||||||||
continue | ||||||||
|
||||||||
affected_version_range = get_affected_version_range( | ||||||||
affected_pkg=affected_pkg, | ||||||||
raw_id=raw_id, | ||||||||
supported_ecosystem=purl.type, | ||||||||
) | ||||||||
|
||||||||
for fixed_range in affected_pkg.get("ranges") or []: | ||||||||
fixed_version = get_fixed_versions(fixed_range=fixed_range) | ||||||||
|
||||||||
for version in fixed_version: | ||||||||
affected_packages.append( | ||||||||
AffectedPackage( | ||||||||
package=purl, | ||||||||
affected_version_range=affected_version_range, | ||||||||
fixed_version=version, | ||||||||
) | ||||||||
) | ||||||||
|
||||||||
database_specific = raw_data.get("database_specific") or {} | ||||||||
cwe_ids = database_specific.get("cwe_ids") or [] | ||||||||
weaknesses = list(map(get_cwe_id, cwe_ids)) | ||||||||
|
||||||||
return AdvisoryData( | ||||||||
aliases=aliases, | ||||||||
summary=summary, | ||||||||
references=references, | ||||||||
affected_packages=affected_packages, | ||||||||
date_published=date_published, | ||||||||
weaknesses=weaknesses, | ||||||||
url=advisory_url, | ||||||||
) | ||||||||
|
||||||||
|
||||||||
def get_affected_purl(affected_pkg, raw_id): | ||||||||
""" | ||||||||
Generate a PackageURL for the affected package. | ||||||||
|
||||||||
Args: | ||||||||
affected_pkg (dict): A dictionary containing details about the affected package. | ||||||||
raw_id (str): The raw ID of the corresponding advisory. | ||||||||
|
||||||||
Returns: | ||||||||
PackageURL or None. | ||||||||
|
||||||||
For example: | ||||||||
>>> affected_pkg = { | ||||||||
... "package": { | ||||||||
... "ecosystem": "AlmaLinux:8", | ||||||||
... "name": "sblim-wbemcli" | ||||||||
... }, | ||||||||
... "ranges": [ | ||||||||
... { | ||||||||
... "type": "ECOSYSTEM", | ||||||||
... "events": [ | ||||||||
... { | ||||||||
... "introduced": "0" | ||||||||
... }, | ||||||||
... { | ||||||||
... "fixed": "1.6.3-15.el8" | ||||||||
... } | ||||||||
... ] | ||||||||
... } | ||||||||
... ] | ||||||||
... } | ||||||||
>>> raw_id = "ALBA-2019:3482" | ||||||||
>>> get_affected_purl(affected_pkg, raw_id) | ||||||||
PackageURL(type='rpm', namespace='almalinux', name='sblim-wbemcli', version=None, qualifiers={}, subpath=None) | ||||||||
""" | ||||||||
package = affected_pkg.get("package") or {} | ||||||||
purl = package.get("purl") | ||||||||
if purl: | ||||||||
try: | ||||||||
purl = PackageURL.from_string(purl) | ||||||||
except ValueError: | ||||||||
logger.error( | ||||||||
f"Invalid PackageURL: {purl!r} for OSV " | ||||||||
f"affected_pkg {affected_pkg} and id: {raw_id}" | ||||||||
) | ||||||||
|
||||||||
else: | ||||||||
name = package.get("name") | ||||||||
purl = PackageURL(type="rpm", namespace="almalinux", name=name) | ||||||||
|
||||||||
return PackageURL.from_string(str(purl)) | ||||||||
|
||||||||
|
||||||||
def get_fixed_versions(fixed_range) -> List[Version]: | ||||||||
""" | ||||||||
Return a list of fixed version strings given a ``fixed_range`` mapping of | ||||||||
OSV data. | ||||||||
|
||||||||
>>> get_fixed_versions({"type": "ECOSYSTEM", "events": [{"introduced": "0"},{"fixed": "1.6.3-15.el8"}]}) | ||||||||
[RpmVersion(string='1.6.3-15.el8')] | ||||||||
|
||||||||
>>> get_fixed_versions( | ||||||||
... {"type": "ECOSYSTEM","events":[{"introduced": "0"}, | ||||||||
... {"fixed": "1.0.6-12.el8"},{"fixed": "2.18.1-12.el8"}]}) | ||||||||
[RpmVersion(string='1.0.6-12.el8'), RpmVersion(string='2.18.1-12.el8')] | ||||||||
""" | ||||||||
fixed_versions = [] | ||||||||
for version in extract_fixed_versions(fixed_range): | ||||||||
fixed_versions.append(RpmVersion(version)) | ||||||||
return dedupe(fixed_versions) |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,57 @@ | ||
# | ||
# Copyright (c) nexB Inc. and others. All rights reserved. | ||
# VulnerableCode is a trademark of nexB Inc. | ||
# SPDX-License-Identifier: Apache-2.0 | ||
# See http://www.apache.org/licenses/LICENSE-2.0 for the license text. | ||
# See https://github.com/nexB/vulnerablecode for support or download. | ||
# See https://aboutcode.org for more information about nexB OSS projects. | ||
# | ||
import json | ||
import os | ||
from unittest import TestCase | ||
|
||
from vulnerabilities.importers.almalinux import get_affected_purl | ||
from vulnerabilities.importers.almalinux import get_fixed_versions | ||
from vulnerabilities.importers.almalinux import parse_advisory_data | ||
from vulnerabilities.tests import util_tests | ||
|
||
BASE_DIR = os.path.dirname(os.path.abspath(__file__)) | ||
TEST_DATA = os.path.join(BASE_DIR, "test_data/almalinux") | ||
|
||
|
||
class AlmaImporter(TestCase): | ||
def test_almalinux_importer1(self): | ||
with open(os.path.join(TEST_DATA, "almalinux_test_1.json")) as f: | ||
mock_response = json.load(f) | ||
expected_file = os.path.join(TEST_DATA, "almalinux_expected_1.json") | ||
imported_data = parse_advisory_data( | ||
mock_response, | ||
advisory_url="https://github.com/AlmaLinux/osv-database" | ||
"/blob/master/advisories/almalinux8/almalinux_test_1.json", | ||
) | ||
result = imported_data.to_dict() | ||
util_tests.check_results_against_json(result, expected_file) | ||
|
||
def test_almalinux_importer2(self): | ||
with open(os.path.join(TEST_DATA, "almalinux_test_2.json")) as f: | ||
mock_response = json.load(f) | ||
expected_file = os.path.join(TEST_DATA, "almalinux_expected_2.json") | ||
imported_data = parse_advisory_data( | ||
mock_response, | ||
advisory_url="https://github.com/AlmaLinux/osv-database" | ||
"/blob/master/advisories/almalinux8/almalinux_test_2.json", | ||
) | ||
result = imported_data.to_dict() | ||
util_tests.check_results_against_json(result, expected_file) | ||
|
||
def test_github_osv_importer3(self): | ||
with open(os.path.join(TEST_DATA, "almalinux_test_3.json")) as f: | ||
mock_response = json.load(f) | ||
expected_file = os.path.join(TEST_DATA, "almalinux_expected_3.json") | ||
imported_data = parse_advisory_data( | ||
mock_response, | ||
advisory_url="https://github.com/AlmaLinux/osv-database" | ||
"/blob/master/advisories/almalinux8/almalinux_test_3.json", | ||
) | ||
result = imported_data.to_dict() | ||
util_tests.check_results_against_json(result, expected_file) |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
{ | ||
"aliases": ["ALBA-2019:3336"], | ||
"summary": "nss-altfiles bug fix and enhancement update\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.", | ||
"affected_packages": [ | ||
{ | ||
"package": {"type": "rpm", "namespace": "almalinux", "name": "nss-altfiles", "version": "", "qualifiers": "", "subpath": ""}, | ||
"affected_version_range": null, | ||
"fixed_version": "2.18.1-12.el8" | ||
} | ||
], | ||
"references": [ | ||
{ | ||
"reference_id": "", | ||
"url": "https://errata.almalinux.org/8/ALBA-2019-3336.html", | ||
"severities": [] | ||
} | ||
], | ||
"date_published": "2019-11-05T17:32:18+00:00", | ||
"weaknesses": [], | ||
"url": "https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux8/almalinux_test_1.json" | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
{ | ||
"aliases": ["ALEA-2019:3314"], | ||
"summary": "python3-azure-sdk bug fix and enhancement update\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.", | ||
"affected_packages": [ | ||
{ | ||
"package": { | ||
"type": "rpm", "namespace": "almalinux", "name": "python3-azure-sdk", "version": "", "qualifiers": "", "subpath": "" | ||
}, | ||
"affected_version_range": null, | ||
"fixed_version": "4.0.0-9.el8" | ||
} | ||
], | ||
"references": [], | ||
"date_published": "2019-11-05T17:29:24+00:00", | ||
"weaknesses": [], | ||
"url": "https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux8/almalinux_test_2.json" | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,50 @@ | ||
{ | ||
"aliases": ["ALSA-2022:8221"], | ||
"summary": "Moderate: xorg-x11-server security and bug fix update\nX.Org is an open-source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon.\n\nSecurity Fix(es)n\n* xorg-x11-server: X.Org Server ProcXkbSetGeometry out-of-bounds access (CVE-2022-2319)\n* xorg-x11-server: out-of-bounds access in ProcXkbSetDeviceInfo request handler of the Xkb extension VE-2022-2320)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\nAdditional Changes:\n\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.", | ||
"affected_packages": [ | ||
{"package": {"type": "rpm", "namespace": "almalinux", "name": "xorg-x11-server-Xdmx", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"}, | ||
{"package": {"type": "rpm", "namespace": "almalinux", "name": "xorg-x11-server-Xephyr", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"}, | ||
{"package": {"type": "rpm", "namespace": "almalinux", "name": "xorg-x11-server-Xnest", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"}, | ||
{"package": {"type": "rpm", "namespace": "almalinux", "name": "xorg-x11-server-Xorg", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"}, | ||
{"package": {"type": "rpm", "namespace": "almalinux", "name": "xorg-x11-server-Xvfb", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"}, | ||
{"package": {"type": "rpm", "namespace": "almalinux", "name": "xorg-x11-server-common", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"}, | ||
{"package": {"type": "rpm", "namespace": "almalinux", "name": "xorg-x11-server-devel", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"}, | ||
{"package": {"type": "rpm", "namespace": "almalinux", "name": "xorg-x11-server-source", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"} | ||
|
||
], | ||
"references": [ | ||
{ | ||
"reference_id": "", | ||
"url": "https://access.redhat.com/errata/RHSA-2022:8221", | ||
"severities": [] | ||
}, | ||
{ | ||
"reference_id": "", | ||
"url": "https://access.redhat.com/security/cve/CVE-2022-2319", | ||
"severities": [] | ||
}, | ||
{ | ||
"reference_id": "", | ||
"url": "https://access.redhat.com/security/cve/CVE-2022-2320", | ||
"severities": [] | ||
}, | ||
{ | ||
"reference_id": "", | ||
"url": "https://bugzilla.redhat.com/2106671", | ||
"severities": [] | ||
}, | ||
{ | ||
"reference_id": "", | ||
"url": "https://bugzilla.redhat.com/2106683", | ||
"severities": [] | ||
}, | ||
{ | ||
"reference_id": "", | ||
"url": "https://errata.almalinux.org/9/ALSA-2022-8221.html", | ||
"severities": [] | ||
} | ||
], | ||
"date_published": "2022-11-15T00:00:00+00:00", | ||
"weaknesses": [], | ||
"url": "https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux8/almalinux_test_3.json" | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.