Add Almalinux advisories #1491

Open
wants to merge 16 commits into
2 changes: 2 additions & 0 deletions vulnerabilities/importers/__init__.py
@@ -35,6 +35,7 @@
from vulnerabilities.importers import vulnrichment
from vulnerabilities.importers import xen
from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipeline
from vulnerabilities.pipelines import almalinux_importer
from vulnerabilities.pipelines import github_importer
from vulnerabilities.pipelines import gitlab_importer
from vulnerabilities.pipelines import nginx_importer
@@ -78,6 +79,7 @@
github_importer.GitHubAPIImporterPipeline,
nvd_importer.NVDImporterPipeline,
pysec_importer.PyPIImporterPipeline,
almalinux_importer.AlmalinuxImporterPipeline,
]

IMPORTERS_REGISTRY = {
4 changes: 4 additions & 0 deletions vulnerabilities/importers/osv.py
@@ -41,6 +41,8 @@
"go": "golang",
"hex": "hex",
"cargo": "cargo",
"almalinux:8": "rpm",
"almalinux:9": "rpm",
}


@@ -213,6 +215,8 @@ def get_affected_purl(affected_pkg, raw_id):
namespace = ""
if purl_type == "maven":
namespace, _, name = name.partition(":")
if ecosys == "almalinux:8" or ecosys == "almalinux:9":
namespace = "almalinux"

purl = PackageURL(type=purl_type, namespace=namespace, name=name)
else:
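Review bot: The new `ecosys` condition near the end of this hunk hard-codes the two AlmaLinux releases a second time — they are already the keys added to the ecosystem map in the first hunk of this file — so a release added to the map but not to this condition (say a future `almalinux:10`) silently gets an empty namespace on its purl. Either collapse it to `if ecosys.startswith("almalinux:"):`, or if exact matching is intended use `if ecosys in ("almalinux:8", "almalinux:9"):` with that tuple defined next to the map so both are maintained in one place. The release number is also dropped from the resulting purl; an rpm purl without a distro qualifier cannot distinguish el8 from el9 builds of the same package name, so consider whether a `distro` qualifier belongs here (inferred — it depends on how the downstream version comparison consumes the purl). `get_affected_purl` begins before the hunk and `ecosys` is bound above it.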
1 change: 1 addition & 0 deletions vulnerabilities/improvers/__init__.py
@@ -34,6 +34,7 @@
valid_versions.RubyImprover,
valid_versions.GithubOSVImprover,
vulnerability_status.VulnerabilityStatusImprover,
valid_versions.AlmaImprover,
valid_versions.CurlImprover,
flag_ghost_packages.FlagGhostPackagePipeline,
enhance_with_kev.VulnerabilityKevPipeline,
6 changes: 6 additions & 0 deletions vulnerabilities/improvers/valid_versions.py
@@ -41,6 +41,7 @@
from vulnerabilities.improver import Inference
from vulnerabilities.models import Advisory
from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipeline
from vulnerabilities.pipelines.almalinux_importer import AlmalinuxImporterPipeline
from vulnerabilities.pipelines.github_importer import GitHubAPIImporterPipeline
from vulnerabilities.pipelines.gitlab_importer import GitLabImporterPipeline
from vulnerabilities.pipelines.nginx_importer import NginxImporterPipeline
@@ -478,6 +479,11 @@ class GithubOSVImprover(ValidVersionImprover):
ignorable_versions = []


class AlmaImprover(ValidVersionImprover):
importer = AlmalinuxImporterPipeline
ignorable_versions = []


class CurlImprover(ValidVersionImprover):
importer = CurlImporter
ignorable_versions = []
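Review bot: The new improver is named `AlmaImprover` while every other identifier this PR introduces uses the full `Almalinux` prefix (`AlmalinuxImporterPipeline`, `almalinux_importer`), and the neighbouring improvers are named after their importer (`GithubOSVImprover`, `CurlImprover`); `class AlmalinuxImprover(ValidVersionImprover):` keeps the importer/improver pairing obvious and grep-able. The matching registration in `vulnerabilities/improvers/__init__.py` is placed after `vulnerability_status.VulnerabilityStatusImprover` rather than next to the other `valid_versions` entries; keeping those contiguous makes the list easier to audit. A one-line class docstring naming the advisory source, e.g. `"""Valid-version improver for AlmaLinux advisories (see AlmalinuxImporterPipeline)."""`, would also match the surrounding documentation style.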
69 changes: 69 additions & 0 deletions vulnerabilities/pipelines/almalinux_importer.py
@@ -0,0 +1,69 @@
#
# Copyright (c) nexB Inc. and others. All rights reserved.
# VulnerableCode is a trademark of nexB Inc.
# SPDX-License-Identifier: Apache-2.0
# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
# See https://github.com/aboutcode-org/vulnerablecode for support or download.
# See https://aboutcode.org for more information about nexB OSS projects.
#
import json
import logging
from pathlib import Path
from typing import Iterable

from fetchcode.vcs import fetch_via_vcs

from vulnerabilities.importer import AdvisoryData
from vulnerabilities.importers.osv import parse_advisory_data
from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipeline
from vulnerabilities.utils import get_advisory_url

logger = logging.getLogger(__name__)


class AlmalinuxImporterPipeline(VulnerableCodeBaseImporterPipeline):
"""Collect Almalinux advisories."""

pipeline_id = "almalinux_importer"
spdx_license_expression = "MIT"
license_url = "https://github.com/AlmaLinux/osv-database/blob/master/LICENSE"
importer_name = "Almalinux Importer"
repo_url = "git+https://github.com/AlmaLinux/osv-database"

@classmethod
def steps(cls):
return (
cls.clone,
cls.collect_and_store_advisories,
cls.import_new_advisories,
cls.clean_downloads,
)

def clone(self):
self.log(f"Cloning `{self.repo_url}")
self.vcs_response = fetch_via_vcs(self.repo_url)

def advisories_count(self):
vuln_directory = Path(self.vcs_response.dest_dir) / "advisories"
return sum(1 for _ in vuln_directory.rglob("*.json"))

def collect_advisories(self) -> Iterable[AdvisoryData]:
base_directory = Path(self.vcs_response.dest_dir)
vuln_directory = base_directory / "advisories"

for file in vuln_directory.rglob("*.json"):
advisory_url = get_advisory_url(
file=file,
base_path=base_directory,
url="https://github.com/AlmaLinux/osv-database/blob/master/",
)
with open(file) as f:
raw_data = json.load(f)
yield parse_advisory_data(
raw_data=raw_data, supported_ecosystems=["rpm"], advisory_url=advisory_url
)

def clean_downloads(self):
if self.vcs_response:
self.log(f"Removing cloned repository")
self.vcs_response.delete()
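Review bot: In `collect_advisories` a single unreadable or malformed JSON file in the cloned repository raises out of `json.load(f)` and aborts the whole generator, so one bad upstream file takes down the entire import with no indication of which file it was; the read should be wrapped per file so the path is logged and the rest of the data set is still imported (if the project prefers to fail loudly, at least log the path before re-raising). The same `open(file)` call omits `encoding="utf-8"`, making the parse depend on the locale of the host running the pipeline. Two smaller points: the log message in `clone` has an unbalanced backtick, `self.log(f"Cloning `{self.repo_url}`")` is presumably what was meant, and the f-string in `clean_downloads` has no placeholders and can be a plain string. `clean_downloads` also reads `self.vcs_response` unguarded by `hasattr`, which raises `AttributeError` if `clone` never ran or failed before assignment unless the base class initialises that attribute — worth confirming against `VulnerableCodeBaseImporterPipeline`.
```python
        for file in vuln_directory.rglob("*.json"):
            # … unchanged: advisory_url = get_advisory_url(...) …
            try:
                with open(file, encoding="utf-8") as f:
                    raw_data = json.load(f)
            except (OSError, ValueError) as e:
                # json.JSONDecodeError is a ValueError; skip the file, keep the import going
                self.log(f"Skipping unreadable advisory {file}: {e}")
                continue
            yield parse_advisory_data(
                raw_data=raw_data, supported_ecosystems=["rpm"], advisory_url=advisory_url
            )
```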
@@ -0,0 +1,58 @@
#
# Copyright (c) nexB Inc. and others. All rights reserved.
# VulnerableCode is a trademark of nexB Inc.
# SPDX-License-Identifier: Apache-2.0
# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
# See https://github.com/nexB/vulnerablecode for support or download.
# See https://aboutcode.org for more information about nexB OSS projects.
#
import json
import os
from pathlib import Path
from unittest import TestCase

from vulnerabilities.importers.osv import parse_advisory_data
from vulnerabilities.tests import util_tests

TEST_DATA = Path(__file__).parent.parent / "test_data" / "almalinux"


class TestAlmalinuxImporterPipelin(TestCase):
def test_almalinux_importer1(self):
with open(os.path.join(TEST_DATA, "almalinux_test_1.json")) as f:
mock_response = json.load(f)
expected_file = os.path.join(TEST_DATA, "almalinux_expected_1.json")
imported_data = parse_advisory_data(
raw_data=mock_response,
supported_ecosystems="rpm",
advisory_url="https://github.com/AlmaLinux/osv-database"
"/blob/master/advisories/almalinux8/almalinux_test_1.json",
)
result = imported_data.to_dict()
util_tests.check_results_against_json(result, expected_file)

def test_almalinux_importer2(self):
with open(os.path.join(TEST_DATA, "almalinux_test_2.json")) as f:
mock_response = json.load(f)
expected_file = os.path.join(TEST_DATA, "almalinux_expected_2.json")
imported_data = parse_advisory_data(
raw_data=mock_response,
supported_ecosystems="rpm",
advisory_url="https://github.com/AlmaLinux/osv-database"
"/blob/master/advisories/almalinux8/almalinux_test_2.json",
)
result = imported_data.to_dict()
util_tests.check_results_against_json(result, expected_file)

def test_almalinux_importer3(self):
with open(os.path.join(TEST_DATA, "almalinux_test_3.json")) as f:
mock_response = json.load(f)
expected_file = os.path.join(TEST_DATA, "almalinux_expected_3.json")
imported_data = parse_advisory_data(
raw_data=mock_response,
supported_ecosystems="rpm",
advisory_url="https://github.com/AlmaLinux/osv-database"
"/blob/master/advisories/almalinux8/almalinux_test_3.json",
)
result = imported_data.to_dict()
util_tests.check_results_against_json(result, expected_file)
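Review bot: All three tests pass `supported_ecosystems="rpm"`, a plain string, whereas `AlmalinuxImporterPipeline.collect_advisories` in this PR calls `parse_advisory_data` with `["rpm"]`; if the parser checks membership with `in`, the string form is a substring test (it would also accept `"rp"`), so the tests exercise a different call shape than production and should use `supported_ecosystems=["rpm"]`. The class name `TestAlmalinuxImporterPipelin` is missing its final letter. The three methods differ only in the fixture index, so one loop over `(1, 2, 3)` with `self.subTest(index=i)` would remove the triplication, and since `TEST_DATA` is already a `Path`, `TEST_DATA / f"almalinux_test_{i}.json"` reads better than `os.path.join`. Test 3 also passes an `advisories/almalinux8/` URL for an advisory whose fixed versions end in `.el9` and whose errata link is under `/9/`; the parser just echoes the URL into the expected fixture, but the path is misleading for anyone reading the test data.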
@@ -0,0 +1,29 @@
{
"aliases": ["ALBA-2019:3336"],
"summary": "nss-altfiles bug fix and enhancement update\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.",
"affected_packages": [
{
"package": {
"type": "rpm",
"namespace": "almalinux",
"name": "nss-altfiles",
"version": "",
"qualifiers": "",
"subpath": ""
},
"affected_version_range": null,
"fixed_version": "2.18.1-12.el8"
}
],
"references": [
{
"reference_id": "",
"reference_type": "",
"url": "https://errata.almalinux.org/8/ALBA-2019-3336.html",
"severities": []
}
],
"date_published": "2019-11-05T17:32:18+00:00",
"weaknesses": [],
"url": "https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux8/almalinux_test_1.json"
}
@@ -0,0 +1,24 @@
{
"aliases": [
"ALEA-2019:3314"
],
"summary": "python3-azure-sdk bug fix and enhancement update\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.",
"affected_packages": [
{
"package": {
"type": "rpm",
"namespace": "almalinux",
"name": "python3-azure-sdk",
"version": "",
"qualifiers": "",
"subpath": ""
},
"affected_version_range": null,
"fixed_version": "4.0.0-9.el8"
}
],
"references": [],
"date_published": "2019-11-05T17:29:24+00:00",
"weaknesses": [],
"url": "https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux8/almalinux_test_2.json"
}
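--- a/vulnerabilities/tests/test_data/almalinux/almalinux_expected_3.json
+++ b/vulnerabilities/tests/test_data/almalinux/almalinux_expected_3.json
@@ -0,0 +1,145 @@
+{
+"aliases": [
+"ALSA-2022:8221"
+],
+"summary": "Moderate: xorg-x11-server security and bug fix update\nX.Org is an open-source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon.\n\nSecurity Fix(es)n\n* xorg-x11-server: X.Org Server ProcXkbSetGeometry out-of-bounds access (CVE-2022-2319)\n* xorg-x11-server: out-of-bounds access in ProcXkbSetDeviceInfo request handler of the Xkb extension VE-2022-2320)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\nAdditional Changes:\n\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.",
+"affected_packages": [
+{
+"package": {
+"type": "rpm",
+"namespace": "almalinux",
+"name": "xorg-x11-server-Xdmx",
+"version": "",
+"qualifiers": "",
+"subpath": ""
+},
+"affected_version_range": null,
+"fixed_version": "1.20.11-11.el9"
+},
+{
+"package": {
+"type": "rpm",
+"namespace": "almalinux",
+"name": "xorg-x11-server-Xephyr",
+"version": "",
+"qualifiers": "",
+"subpath": ""
+},
+"affected_version_range": null,
+"fixed_version": "1.20.11-11.el9"
+},
+{
+"package": {
+"type": "rpm",
+"namespace": "almalinux",
+"name": "xorg-x11-server-Xnest",
+"version": "",
+"qualifiers": "",
+"subpath": ""
+},
+"affected_version_range": null,
+"fixed_version": "1.20.11-11.el9"
+},
+{
+"package": {
+"type": "rpm",
+"namespace": "almalinux",
+"name": "xorg-x11-server-Xorg",
+"version": "",
+"qualifiers": "",
+"subpath": ""
+},
+"affected_version_range": null,
+"fixed_version": "1.20.11-11.el9"
+},
+{
+"package": {
+"type": "rpm",
+"namespace": "almalinux",
+"name": "xorg-x11-server-Xvfb",
+"version": "",
+"qualifiers": "",
+"subpath": ""
+},
+"affected_version_range": null,
+"fixed_version": "1.20.11-11.el9"
+},
+{
+"package": {
+"type": "rpm",
+"namespace": "almalinux",
+"name": "xorg-x11-server-common",
+"version": "",
+"qualifiers": "",
+"subpath": ""
+},
+"affected_version_range": null,
+"fixed_version": "1.20.11-11.el9"
+},
+{
+"package": {
+"type": "rpm",
+"namespace": "almalinux",
+"name": "xorg-x11-server-devel",
+"version": "",
+"qualifiers": "",
+"subpath": ""
+},
+"affected_version_range": null,
+"fixed_version": "1.20.11-11.el9"
+},
+{
+"package": {
+"type": "rpm",
+"namespace": "almalinux",
+"name": "xorg-x11-server-source",
+"version": "",
+"qualifiers": "",
+"subpath": ""
+},
+"affected_version_range": null,
+"fixed_version": "1.20.11-11.el9"
+}
+],
+"references": [
+{
+"reference_id": "",
+"reference_type": "",
+"url": "https://access.redhat.com/errata/RHSA-2022:8221",
+"severities": []
+},
+{
+"reference_id": "",
+"reference_type": "",
+"url": "https://access.redhat.com/security/cve/CVE-2022-2319",
+"severities": []
+},
+{
+"reference_id": "",
+"reference_type": "",
+"url": "https://access.redhat.com/security/cve/CVE-2022-2320",
+"severities": []
+},
+{
+"reference_id": "",
+"reference_type": "",
+"url": "https://bugzilla.redhat.com/2106671",
+"severities": []
+},
+{
+"reference_id": "",
+"reference_type": "",
+"url": "https://bugzilla.redhat.com/2106683",
+"severities": []
+},
+{
+"reference_id": "",
+"reference_type": "",
+"url": "https://errata.almalinux.org/9/ALSA-2022-8221.html",
+"severities": []
+}
+],
+"date_published": "2022-11-15T00:00:00+00:00",
+"weaknesses": [],
+"url": "https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux8/almalinux_test_3.json"
+}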