diff --git a/.github/workflows/pythonapp.yml b/.github/workflows/pythonapp.yml
index 78748d0..ba673dc 100644
--- a/.github/workflows/pythonapp.yml
+++ b/.github/workflows/pythonapp.yml
@@ -53,3 +53,4 @@ jobs:
 - name: CLI tests
 run: |
 python vdb/cli.py --search "pkg:maven/org.springframework/spring-core@6.0.13"
+ python vdb/cli.py --search "pkg:maven/org.hibernate.orm/hibernate-core@6.2.9.Final"
diff --git a/pyproject.toml b/pyproject.toml
index 098ae1a..5cb155d 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "appthreat-vulnerability-db"
-version = "6.0.10"
+version = "6.0.11"
 description = "AppThreat's vulnerability database and package search library with a built-in sqlite based storage. OSV, CVE, GitHub, npm are the primary sources of vulnerabilities."
 authors = [
 {name = "Team AppThreat", email = "cloud@appthreat.com"},
diff --git a/test/data/CVE-2020-25638.json b/test/data/CVE-2020-25638.json
new file mode 100644
index 0000000..18f687f
--- /dev/null
+++ b/test/data/CVE-2020-25638.json
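Review bot: The added `python vdb/cli.py --search "pkg:maven/org.hibernate.orm/hibernate-core@6.2.9.Final"` line at the end of the hunk, like the spring-core line above it, only fails the step when the process exits non-zero, so a search that quietly returns no rows would still pass CI; whether the CLI exits non-zero on an empty result is not visible from this hunk. For a vulnerability database that is the regression that matters most (a silent false negative), so the step should assert on what the search prints, e.g. `python vdb/cli.py --search "<purl>" | grep -q "<expected id>"` if the CLI prints matched ids, or the assertion should live in a pytest test where the expected result can be pinned exactly. The `run:` block belongs to a step whose surrounding `jobs:` structure lies outside the hunk.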
@@ -0,0 +1,745 @@ +{ + "mitigation": "Set hibernate.use_sql_comments to false, which is the default value, or use named parameters instead of literals. Please refer to details in https://docs.jboss.org/hibernate/orm/5.4/userguide/html_single/Hibernate_User_Guide.html#configurations-logging and https://docs.jboss.org/hibernate/orm/5.4/userguide/html_single/Hibernate_User_Guide.html#sql-query-parameters.", + "affected_release": [ + { + "product_name": "Red Hat Decision Manager 7", + "release_date": "2021-02-17T00:00:00Z", + "advisory": "RHSA-2021:0603", + "package": "hibernate-core-kie-server-ee8", + "cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7.10" + }, + { + "product_name": "Red Hat Integration", + "release_date": "2021-05-19T00:00:00Z", + "advisory": "RHSA-2021:2039", + "package": "hibernate-core", + "cpe": "cpe:/a:redhat:integration:1" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7", + "release_date": "2020-11-23T00:00:00Z", + "advisory": "RHSA-2020:5174", + "package": "hibernate-core", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5344", + "package": "hibernate-core", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", + "release_date": "2020-11-23T00:00:00Z", + "advisory": "RHSA-2020:5175", + "package": "eap7-hibernate-0:5.3.18-2.Final_redhat_00002.1.el6eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5340", + "package": "eap7-activemq-artemis-0:2.9.0-6.redhat_00016.1.el6eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6" + }, + { + "product_name": 
"Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5340", + "package": "eap7-fge-btf-0:1.2.0-1.redhat_00007.1.el6eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5340", + "package": "eap7-fge-msg-simple-0:1.1.0-1.redhat_00007.1.el6eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5340", + "package": "eap7-hal-console-0:3.2.11-1.Final_redhat_00001.1.el6eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5340", + "package": "eap7-hibernate-validator-0:6.0.21-1.Final_redhat_00001.1.el6eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5340", + "package": "eap7-jackson-annotations-0:2.10.4-1.redhat_00002.1.el6eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5340", + "package": "eap7-jackson-core-0:2.10.4-1.redhat_00002.1.el6eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5340", + "package": 
"eap7-jackson-coreutils-0:1.6.0-1.redhat_00006.1.el6eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5340", + "package": "eap7-jackson-jaxrs-providers-0:2.10.4-1.redhat_00002.1.el6eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5340", + "package": "eap7-jackson-modules-base-0:2.10.4-3.redhat_00002.1.el6eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5340", + "package": "eap7-jackson-modules-java8-0:2.10.4-1.redhat_00002.1.el6eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5340", + "package": "eap7-jasypt-0:1.9.3-1.redhat_00002.1.el6eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5340", + "package": "eap7-jboss-marshalling-0:2.0.10-1.Final_redhat_00001.1.el6eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5340", + "package": "eap7-jboss-remoting-0:5.0.19-1.Final_redhat_00001.1.el6eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6" + }, 
+ { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5340", + "package": "eap7-jboss-server-migration-0:1.7.2-3.Final_redhat_00004.1.el6eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5340", + "package": "eap7-jboss-xnio-base-0:3.7.11-1.Final_redhat_00001.1.el6eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5340", + "package": "eap7-undertow-0:2.0.32-1.SP1_redhat_00001.1.el6eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5340", + "package": "eap7-wildfly-0:7.3.4-3.GA_redhat_00003.1.el6eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5340", + "package": "eap7-wildfly-elytron-0:1.10.9-1.Final_redhat_00001.1.el6eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5340", + "package": "eap7-wildfly-openssl-0:1.0.12-1.Final_redhat_00001.1.el6eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", + "release_date": "2020-11-23T00:00:00Z", + 
"advisory": "RHSA-2020:5175", + "package": "eap7-hibernate-0:5.3.18-2.Final_redhat_00002.1.el7eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5341", + "package": "eap7-activemq-artemis-0:2.9.0-6.redhat_00016.1.el7eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5341", + "package": "eap7-fge-btf-0:1.2.0-1.redhat_00007.1.el7eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5341", + "package": "eap7-fge-msg-simple-0:1.1.0-1.redhat_00007.1.el7eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5341", + "package": "eap7-hal-console-0:3.2.11-1.Final_redhat_00001.1.el7eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5341", + "package": "eap7-hibernate-validator-0:6.0.21-1.Final_redhat_00001.1.el7eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5341", + "package": "eap7-jackson-annotations-0:2.10.4-1.redhat_00002.1.el7eap", + "cpe": 
"cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5341", + "package": "eap7-jackson-core-0:2.10.4-1.redhat_00002.1.el7eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5341", + "package": "eap7-jackson-coreutils-0:1.6.0-1.redhat_00006.1.el7eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5341", + "package": "eap7-jackson-jaxrs-providers-0:2.10.4-1.redhat_00002.1.el7eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5341", + "package": "eap7-jackson-modules-base-0:2.10.4-3.redhat_00002.1.el7eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5341", + "package": "eap7-jackson-modules-java8-0:2.10.4-1.redhat_00002.1.el7eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5341", + "package": "eap7-jasypt-0:1.9.3-1.redhat_00002.1.el7eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 
7", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5341", + "package": "eap7-jboss-marshalling-0:2.0.10-1.Final_redhat_00001.1.el7eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5341", + "package": "eap7-jboss-remoting-0:5.0.19-1.Final_redhat_00001.1.el7eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5341", + "package": "eap7-jboss-server-migration-0:1.7.2-3.Final_redhat_00004.1.el7eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5341", + "package": "eap7-jboss-xnio-base-0:3.7.11-1.Final_redhat_00001.1.el7eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5341", + "package": "eap7-undertow-0:2.0.32-1.SP1_redhat_00001.1.el7eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5341", + "package": "eap7-wildfly-0:7.3.4-3.GA_redhat_00003.1.el7eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5341", + "package": 
"eap7-wildfly-elytron-0:1.10.9-1.Final_redhat_00001.1.el7eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5341", + "package": "eap7-wildfly-openssl-0:1.0.12-1.Final_redhat_00001.1.el7eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", + "release_date": "2020-11-23T00:00:00Z", + "advisory": "RHSA-2020:5175", + "package": "eap7-hibernate-0:5.3.18-2.Final_redhat_00002.1.el8eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5342", + "package": "eap7-activemq-artemis-0:2.9.0-6.redhat_00016.1.el8eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5342", + "package": "eap7-fge-btf-0:1.2.0-1.redhat_00007.1.el8eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5342", + "package": "eap7-fge-msg-simple-0:1.1.0-1.redhat_00007.1.el8eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5342", + "package": "eap7-hal-console-0:3.2.11-1.Final_redhat_00001.1.el8eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8" + }, + { + 
"product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5342", + "package": "eap7-hibernate-validator-0:6.0.21-1.Final_redhat_00001.1.el8eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5342", + "package": "eap7-jackson-annotations-0:2.10.4-1.redhat_00002.1.el8eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5342", + "package": "eap7-jackson-core-0:2.10.4-1.redhat_00002.1.el8eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5342", + "package": "eap7-jackson-coreutils-0:1.6.0-1.redhat_00006.1.el8eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5342", + "package": "eap7-jackson-jaxrs-providers-0:2.10.4-1.redhat_00002.1.el8eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5342", + "package": "eap7-jackson-modules-base-0:2.10.4-3.redhat_00002.1.el8eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", + "release_date": "2020-12-03T00:00:00Z", + 
"advisory": "RHSA-2020:5342", + "package": "eap7-jackson-modules-java8-0:2.10.4-1.redhat_00002.1.el8eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5342", + "package": "eap7-jasypt-0:1.9.3-1.redhat_00002.1.el8eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5342", + "package": "eap7-jboss-marshalling-0:2.0.10-1.Final_redhat_00001.1.el8eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5342", + "package": "eap7-jboss-remoting-0:5.0.19-1.Final_redhat_00001.1.el8eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5342", + "package": "eap7-jboss-server-migration-0:1.7.2-3.Final_redhat_00004.1.el8eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5342", + "package": "eap7-jboss-xnio-base-0:3.7.11-1.Final_redhat_00001.1.el8eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5342", + "package": "eap7-undertow-0:2.0.32-1.SP1_redhat_00001.1.el8eap", + "cpe": 
"cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5342", + "package": "eap7-wildfly-0:7.3.4-3.GA_redhat_00003.1.el8eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5342", + "package": "eap7-wildfly-elytron-0:1.10.9-1.Final_redhat_00001.1.el8eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", + "release_date": "2020-12-03T00:00:00Z", + "advisory": "RHSA-2020:5342", + "package": "eap7-wildfly-openssl-0:1.0.12-1.Final_redhat_00001.1.el8eap", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8" + }, + { + "product_name": "Red Hat JBoss Fuse 7", + "release_date": "2021-08-11T00:00:00Z", + "advisory": "RHSA-2021:3140", + "package": "hibernate-core", + "cpe": "cpe:/a:redhat:jboss_fuse:7" + }, + { + "product_name": "Red Hat JBoss Web Server 5", + "release_date": "2021-06-29T00:00:00Z", + "advisory": "RHSA-2021:2562", + "package": "hibernate-core", + "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.5" + }, + { + "product_name": "Red Hat JBoss Web Server 5.5 on RHEL 7", + "release_date": "2021-06-29T00:00:00Z", + "advisory": "RHSA-2021:2561", + "package": "jws5-ecj-0:4.12.0-3.redhat_2.2.el7jws", + "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.5::el7" + }, + { + "product_name": "Red Hat JBoss Web Server 5.5 on RHEL 7", + "release_date": "2021-06-29T00:00:00Z", + "advisory": "RHSA-2021:2561", + "package": "jws5-mod_cluster-0:1.4.3-2.Final_redhat_00002.1.el7jws", + "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.5::el7" + }, + { + "product_name": "Red Hat JBoss Web Server 5.5 on 
RHEL 7", + "release_date": "2021-06-29T00:00:00Z", + "advisory": "RHSA-2021:2561", + "package": "jws5-tomcat-0:9.0.43-11.redhat_00011.1.el7jws", + "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.5::el7" + }, + { + "product_name": "Red Hat JBoss Web Server 5.5 on RHEL 7", + "release_date": "2021-06-29T00:00:00Z", + "advisory": "RHSA-2021:2561", + "package": "jws5-tomcat-native-0:1.2.26-3.redhat_3.el7jws", + "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.5::el7" + }, + { + "product_name": "Red Hat JBoss Web Server 5.5 on RHEL 7", + "release_date": "2021-06-29T00:00:00Z", + "advisory": "RHSA-2021:2561", + "package": "jws5-tomcat-vault-0:1.1.8-2.Final_redhat_00003.1.el7jws", + "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.5::el7" + }, + { + "product_name": "Red Hat JBoss Web Server 5.5 on RHEL 8", + "release_date": "2021-06-29T00:00:00Z", + "advisory": "RHSA-2021:2561", + "package": "jws5-ecj-0:4.12.0-3.redhat_2.2.el8jws", + "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.5::el8" + }, + { + "product_name": "Red Hat JBoss Web Server 5.5 on RHEL 8", + "release_date": "2021-06-29T00:00:00Z", + "advisory": "RHSA-2021:2561", + "package": "jws5-mod_cluster-0:1.4.3-2.Final_redhat_00002.1.el8jws", + "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.5::el8" + }, + { + "product_name": "Red Hat JBoss Web Server 5.5 on RHEL 8", + "release_date": "2021-06-29T00:00:00Z", + "advisory": "RHSA-2021:2561", + "package": "jws5-tomcat-0:9.0.43-11.redhat_00011.1.el8jws", + "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.5::el8" + }, + { + "product_name": "Red Hat JBoss Web Server 5.5 on RHEL 8", + "release_date": "2021-06-29T00:00:00Z", + "advisory": "RHSA-2021:2561", + "package": "jws5-tomcat-native-0:1.2.26-3.redhat_3.el8jws", + "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.5::el8" + }, + { + "product_name": "Red Hat JBoss Web Server 5.5 on RHEL 8", + "release_date": "2021-06-29T00:00:00Z", + "advisory": "RHSA-2021:2561", + "package": 
"jws5-tomcat-vault-0:1.1.8-2.Final_redhat_00003.1.el8jws", + "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.5::el8" + }, + { + "product_name": "Red Hat Process Automation 7", + "release_date": "2021-02-17T00:00:00Z", + "advisory": "RHSA-2021:0600", + "package": "hibernate-core-kie-server-ee8", + "cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.10" + }, + { + "product_name": "Red Hat Single Sign-On 7", + "release_date": "2020-11-30T00:00:00Z", + "advisory": "RHSA-2020:5254", + "package": "hibernate-core", + "cpe": "cpe:/a:redhat:jboss_single_sign_on:7.4" + }, + { + "product_name": "Text-Only RHOAR", + "release_date": "2020-12-01T00:00:00Z", + "advisory": "RHSA-2020:5302", + "package": "hibernate-core", + "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0" + }, + { + "product_name": "Text-Only RHOAR", + "release_date": "2020-12-16T00:00:00Z", + "advisory": "RHSA-2020:5361", + "package": "hibernate-core", + "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0" + }, + { + "product_name": "Text-Only RHOAR", + "release_date": "2021-01-07T00:00:00Z", + "advisory": "RHSA-2020:5388", + "package": "hibernate-core", + "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0" + }, + { + "product_name": "Text-Only RHOAR", + "release_date": "2021-02-02T00:00:00Z", + "advisory": "RHSA-2021:0292", + "package": "hibernate-core", + "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0" + }, + { + "product_name": "Text-Only RHSSO", + "release_date": "2020-12-15T00:00:00Z", + "advisory": "RHSA-2020:5533", + "package": "hibernate-core", + "cpe": "cpe:/a:redhat:red_hat_single_sign_on" + } + ], + "package_state": [ + { + "product_name": "A-MQ Clients 2", + "fix_state": "Not affected", + "package_name": "hibernate-core", + "cpe": "cpe:/a:redhat:a_mq_clients:2" + }, + { + "product_name": "Red Hat BPM Suite 6", + "fix_state": "Out of support scope", + "package_name": "hibernate-core", + "cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:6" + }, + { + 
"product_name": "Red Hat CodeReady Studio 12", + "fix_state": "Affected", + "package_name": "hibernate-core", + "cpe": "cpe:/a:redhat:jboss_developer_studio:12." + }, + { + "product_name": "Red Hat Decision Manager 7", + "fix_state": "Will not fix", + "package_name": "hibernate-core-kie-server-ee7", + "cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7" + }, + { + "product_name": "Red Hat Integration Camel K", + "fix_state": "Not affected", + "package_name": "hibernate-core", + "cpe": "cpe:/a:redhat:integration:1" + }, + { + "product_name": "Red Hat JBoss BRMS 5", + "fix_state": "Out of support scope", + "package_name": "hibernate-core", + "cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:5" + }, + { + "product_name": "Red Hat JBoss BRMS 6", + "fix_state": "Out of support scope", + "package_name": "hibernate-core", + "cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:6" + }, + { + "product_name": "Red Hat JBoss Data Virtualization 6", + "fix_state": "Out of support scope", + "package_name": "hibernate-core", + "cpe": "cpe:/a:redhat:jboss_data_virtualization:6" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 5", + "fix_state": "Out of support scope", + "package_name": "hibernate-core", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5" + }, + { + "product_name": "Red Hat JBoss Enterprise Application Platform 6", + "fix_state": "Out of support scope", + "package_name": "hibernate-core", + "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6" + }, + { + "product_name": "Red Hat JBoss Fuse 6", + "fix_state": "Out of support scope", + "package_name": "hibernate-core", + "cpe": "cpe:/a:redhat:jboss_fuse:6" + }, + { + "product_name": "Red Hat JBoss Fuse Service Works 6", + "fix_state": "Out of support scope", + "package_name": "hibernate-core", + "cpe": "cpe:/a:redhat:jboss_fuse_service_works:6" + }, + { + "product_name": "Red Hat JBoss Operations Network 3", + "fix_state": "Out of support scope", + "package_name": 
"hibernate-core", + "cpe": "cpe:/a:redhat:jboss_operations_network:3" + }, + { + "product_name": "Red Hat JBoss SOA Platform 5", + "fix_state": "Out of support scope", + "package_name": "hibernate-core", + "cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:5" + }, + { + "product_name": "Red Hat OpenShift Application Runtimes", + "fix_state": "Affected", + "package_name": "hibernate-core", + "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0" + }, + { + "product_name": "Red Hat OpenStack Platform 10 (Newton)", + "fix_state": "Out of support scope", + "package_name": "opendaylight", + "cpe": "cpe:/a:redhat:openstack:10" + }, + { + "product_name": "Red Hat OpenStack Platform 13 (Queens)", + "fix_state": "Will not fix", + "package_name": "opendaylight", + "cpe": "cpe:/a:redhat:openstack:13" + }, + { + "product_name": "Red Hat Process Automation 7", + "fix_state": "Will not fix", + "package_name": "hibernate-core-kie-server-ee7", + "cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" + } + ], + "threat_severity": "Important", + "public_date": "2020-10-01T00:00:00Z", + "bugzilla": { + "description": "CVE-2020-25638 hibernate-core: SQL injection vulnerability when both hibernate.use_sql_comments and JPQL String literals are used", + "id": "1881353", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1881353" + }, + "cvss": { + "cvss_base_score": "", + "cvss_scoring_vector": "", + "status": "" + }, + "cvss3": { + "cvss3_base_score": "7.4", + "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "status": "verified" + }, + "iava": "", + "cwe": "CWE-89", + "statement": "", + "acknowledgement": "", + "name": "CVE-2020-25638", + "document_distribution": "", + "details": [ + "A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. 
This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.",
+ "A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity."
+ ],
+ "references": null
+}
\ No newline at end of file
diff --git a/test/data/CVE-2024-3801.json b/test/data/CVE-2024-3801.json
new file mode 100644
index 0000000..6bad05d
--- /dev/null
+++ b/test/data/CVE-2024-3801.json
@@ -0,0 +1,97 @@ +{ + "id": "CVE-2024-3801", + "sourceIdentifier": "cvd@cert.pl", + "published": "2024-06-28T13:15:03.157", + "lastModified": "2024-07-03T14:36:52.797", + "vulnStatus": "Analyzed", + "descriptions": [ + { + "lang": "en", + "value": "Sites managed in S@M CMS (Concept Intermedia) might be vulnerable to Reflected XSS via including scripts in one of GET header parameters. \nOnly a part of observed services is vulnerable, but since vendor has not investigated the root problem, it is hard to determine when the issue appears." + }, + { + "lang": "es", + "value": "Los sitios administrados en S@M CMS (Concept Intermedia) pueden ser vulnerables a XSS Reflejado al incluir scripts en uno de los parámetros del encabezado GET. Sólo una parte de los servicios observados es vulnerable, pero como el proveedor no ha investigado la raíz del problema, es difícil determinar cuándo aparece el problema." + } + ], + "metrics": { + "cvssMetricV31": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "REQUIRED", + "scope": "CHANGED", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "availabilityImpact": "NONE", + "baseScore": 6.1, + "baseSeverity": "MEDIUM" + }, + "exploitabilityScore": 2.8, + "impactScore": 2.7 + } + ] + }, + "weaknesses": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "description": [ + { + "lang": "en", + "value": "CWE-79" + } + ] + }, + { + "source": "cvd@cert.pl", + "type": "Secondary", + "description": [ + { + "lang": "en", + "value": "CWE-79" + } + ] + } + ], + "configurations": [ + { + "nodes": [ + { + "operator": "OR", + "negate": false, + "cpeMatch": [ + { + "vulnerable": true, + "criteria": "cpe:2.3:a:conceptintermedia:s\\@m_cms:*:*:*:*:*:*:*:*", + "matchCriteriaId": "00A1AF5A-47FF-4080-A506-DB634A54CD6C", + 
"versionEndIncluding": "3.3"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://cert.pl/en/posts/2024/06/CVE-2024-3800",
+ "source": "cvd@cert.pl",
+ "tags": [
+ "Third Party Advisory"
+ ]
+ },
+ {
+ "url": "https://cert.pl/posts/2024/06/CVE-2024-3800",
+ "source": "cvd@cert.pl",
+ "tags": [
+ "Third Party Advisory"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/test_source.py b/test/test_source.py
index c1d5c71..95b7d00 100644
--- a/test/test_source.py
+++ b/test/test_source.py
@@ -100,6 +100,15 @@ def test_nvd_api_signal_json():
 return json.loads(fp.read())
+@pytest.fixture
+def test_nvd_api_at_json():
+ test_cve_data = os.path.join(
+ os.path.dirname(os.path.realpath(__file__)), "data", "CVE-2024-3801.json"
+ )
+ with open(test_cve_data, mode="r", encoding="utf-8") as fp:
+ return json.loads(fp.read())
+
+
 @pytest.fixture
 def test_osv_rust_json():
 test_cve_data = os.path.join(
@@ -370,6 +379,15 @@ def test_aqua_redhat2_json():
 return json.loads(fp.read())
+@pytest.fixture
+def test_aqua_redhat3_json():
+ test_cve_data = os.path.join(
+ os.path.dirname(os.path.realpath(__file__)), "data", "CVE-2020-25638.json"
+ )
+ with open(test_cve_data, mode="r", encoding="utf-8") as fp:
+ return json.loads(fp.read())
+
+
 @pytest.fixture
 def test_aqua_arch_json():
 test_cve_data = os.path.join(
@@ -731,6 +749,27 @@ def test_nvd_api_convert3(test_nvd_api_signal_json):
 assert results_count == 1
+def test_nvd_api_convert4(test_nvd_api_at_json):
+ db6.clear_all()
+ nvdlatest = NvdSource()
+ # signal ios
+ vulnerabilities = nvdlatest.convert(test_nvd_api_at_json)
+ assert len(vulnerabilities) == 1
+ assert len(vulnerabilities[0].details) == 1
+ nvdlatest.store(vulnerabilities)
+ cve_data_count, cve_index_count = db6.stats()
+ assert cve_data_count == 1
+ assert cve_index_count == 1
+ results_count = len(list(search.search_by_any("CVE-2024-3801")))
+ assert results_count == 1
+ results_count = len(
+ list(
+ search.search_by_any("pkg:generic/conceptintermedia/s_m_cms")
+ )
+ )
+ assert results_count == 1
+
+
 @pytest.mark.skip(reason="This downloads and tests with live data")
 def test_nvd_download():
 nvdlatest = NvdSource()
@@ -1044,6 +1083,7 @@ def test_aqua_convert(
 test_aqua_ubuntu3_json,
 test_aqua_redhat_json,
 test_aqua_redhat2_json,
+ test_aqua_redhat3_json,
 test_aqua_arch_json,
 test_aqua_opensuse_json,
 test_aqua_suse_json,
@@ -1183,6 +1223,18 @@ def test_aqua_convert(
 results_count = len(list(search.search_by_any("CVE-2022-21824")))
 assert results_count == 7
+ # redhat3
+ cve_data = aqualatest.convert(test_aqua_redhat3_json)
+ assert cve_data
+ assert len(cve_data) == 73
+ db6.clear_all()
+ aqualatest.store(cve_data)
+ cve_data_count, cve_index_count = db6.stats()
+ assert cve_data_count == 73
+ assert cve_index_count == 73
+ results_count = len(list(search.search_by_any("CVE-2020-25638")))
+ assert results_count == 73
+
 # arch
 cve_data = aqualatest.convert(test_aqua_arch_json)
 assert cve_data
diff --git a/vdb/lib/aqua.py b/vdb/lib/aqua.py
index 1777a09..5a79555 100644
--- a/vdb/lib/aqua.py
+++ b/vdb/lib/aqua.py
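Review bot: The comment `# signal ios` in test_nvd_api_convert4 is carried over from test_nvd_api_convert3 and no longer describes this fixture, which is the S@M CMS record CVE-2024-3801. Replace it with a comment that states what the test pins, e.g. `# S@M CMS (CVE-2024-3801): the "@" in the product name must map to "_" in the purl`, since the second search_by_any assertion on `pkg:generic/conceptintermedia/s_m_cms` only makes sense with that context. The surrounding `len(list(...))` wrappers are the existing file convention, so leaving them is fine.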
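Review bot: The expected count 73 in the new redhat3 block of test_aqua_convert is a bare magic number that will be hard to update when the fixture or the package_state filtering in redhat_to_vuln changes. A one-line comment explaining its origin would help, e.g. `# one entry per affected_release row with a ':'-versioned package, minus CPEs filtered via package_state`; I cannot verify 73 from the visible part of the fixture, so confirm the explanation matches before adding it. `assert cve_data` directly before `assert len(cve_data) == 73` is redundant and can be dropped. test_aqua_convert starts and ends outside the hunk.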
@@ -134,13 +134,14 @@ def alsa_to_vuln(cve_data):
 cwe_id = ""
 cve_references = cve_data.get("references", [])
 references = []
- for aref in cve_references:
- references.append(
- {"name": aref.get("title", "id"), "url": aref.get("href")}
- )
- references = orjson.dumps(references, option=orjson.OPT_NAIVE_UTC)
- if isinstance(references, bytes):
- references = references.decode("utf-8", "ignore")
+ if cve_references:
+ for aref in cve_references:
+ references.append(
+ {"name": aref.get("title", "id"), "url": aref.get("href")}
+ )
+ references = orjson.dumps(references, option=orjson.OPT_NAIVE_UTC)
+ if isinstance(references, bytes):
+ references = references.decode("utf-8", "ignore")
 description = cve_data.get("description", "")
 if not description and cve_data.get("title"):
 description = f"""# {cve_data.get("summary")}
@@ -228,11 +229,12 @@ def alas_rlsa_to_vuln(cve_data, vendor):
 cwe_id = ""
 cve_references = cve_data.get("references", [])
 references = []
- for aref in cve_references:
- references.append({"name": aref.get("id"), "url": aref.get("href")})
- references = orjson.dumps(references, option=orjson.OPT_NAIVE_UTC)
- if isinstance(references, bytes):
- references = references.decode("utf-8", "ignore")
+ if cve_references:
+ for aref in cve_references:
+ references.append({"name": aref.get("id"), "url": aref.get("href")})
+ references = orjson.dumps(references, option=orjson.OPT_NAIVE_UTC)
+ if isinstance(references, bytes):
+ references = references.decode("utf-8", "ignore")
 if not cve_id.startswith("CVE") and cve_data.get("cveids"):
 cve_id = cve_data.get("cveids")[0]
 description = cve_data.get("description", "")
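Review bot: With the new `if cve_references:` guard in alsa_to_vuln, `references` is left as the Python list `[]` when the source record has no references, whereas every other path serialises it to a JSON string via orjson.dumps, so the field now has two types depending on the input. Normalising the input instead keeps the type stable: `cve_references = cve_data.get("references") or []` (the guard is evidently there because the new fixture carries `"references": null`, which `.get(key, [])` does not cover) and leave the loop and the dumps/decode unconditional. The same pattern repeats in alas_rlsa_to_vuln in the next hunk and in the ubuntu_to_vuln, redhat_to_vuln and suse_to_vuln hunks further down; in redhat_to_vuln the default is `""`, so `or []` is needed there as well. All of these functions start outside their hunks.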
@@ -314,11 +316,12 @@ def ubuntu_to_vuln(cve_data):
 cwe_id = ""
 cve_references = cve_data.get("References", [])
 references = []
- for aref in cve_references:
- references.append({"name": aref, "url": aref})
- references = orjson.dumps(references, option=orjson.OPT_NAIVE_UTC)
- if isinstance(references, bytes):
- references = references.decode("utf-8", "ignore")
+ if cve_references:
+ for aref in cve_references:
+ references.append({"name": aref, "url": aref})
+ references = orjson.dumps(references, option=orjson.OPT_NAIVE_UTC)
+ if isinstance(references, bytes):
+ references = references.decode("utf-8", "ignore")
 description = cve_data.get("Description")
 if "** DISPUTED **" in description or "** REJECT **" in description:
 return ret_data
@@ -414,19 +417,28 @@ def redhat_to_vuln(cve_data):
 cvss3 = cve_data.get("cvss3", {})
 if cvss3.get("status") is not None and cvss3.get("status") != "verified":
 return ret_data
+ ignore_cpes = {}
 packages = cve_data.get("affected_release", [])
+ package_state = cve_data.get("package_state", [])
+ if package_state:
+ for ps in package_state:
+ fix_state = ps.get("fix_state")
+ cpe = ps.get("cpe")
+ if fix_state and fix_state.lower() != "affected":
+ ignore_cpes[cpe] = True
 if not packages or not len(packages) > 0:
 return ret_data
 cve_id = cve_data.get("name")
 cwe_id = cve_data.get("cwe")
 cve_references = cve_data.get("references", "")
 references = []
- for aref in cve_references:
- for bref in aref.split("\n"):
- references.append({"name": bref, "url": bref})
- references = orjson.dumps(references, option=orjson.OPT_NAIVE_UTC)
- if isinstance(references, bytes):
- references = references.decode("utf-8", "ignore")
+ if cve_references:
+ for aref in cve_references:
+ for bref in aref.split("\n"):
+ references.append({"name": bref, "url": bref})
+ references = orjson.dumps(references, option=orjson.OPT_NAIVE_UTC)
+ if isinstance(references, bytes):
+ references = references.decode("utf-8", "ignore")
 description = "\n".join(cve_data.get("details", []))
 assigner = "redhat"
 vector_string = cvss3.get("cvss3_scoring_vector")
@@ -451,9 +463,11 @@ def redhat_to_vuln(cve_data):
 done_pkgs = {}
 for arelease in packages:
 pkg_key = arelease.get("package")
- if done_pkgs.get(pkg_key):
+ cpe = arelease.get("cpe", "")
+ # Ignore CPEs that are out of support or won't be fixed
+ if ignore_cpes.get(cpe) or done_pkgs.get(pkg_key):
 continue
- tmp_a = pkg_key.split(":" if ":" in pkg_key else "-")
+ tmp_a = pkg_key.split(":")
 if len(tmp_a) < 2:
 continue
 pkg_name = tmp_a[0]
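Review bot: `ignore_cpes` in redhat_to_vuln is keyed on the CPE alone, so a CPE that appears in package_state with a non-affected fix_state for one component suppresses every affected_release row for that CPE, including rows that carry a fixed advisory for a different package; whether Red Hat records mix the two for one CPE I cannot tell from the fixture, so it is worth confirming against a few records before relying on the filter. The dict is only used for membership, so `ignore_cpes = set()` with `ignore_cpes.add(cpe)` and `if cpe in ignore_cpes or done_pkgs.get(pkg_key):` in the next hunk states the intent more directly. `ps.get("cpe")` can be None and would then be recorded as a key, so guard with `if cpe and fix_state and fix_state.lower() != "affected":`. redhat_to_vuln starts and ends outside the hunk.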
@@ -462,12 +476,11 @@ def redhat_to_vuln(cve_data):
 if ":" in pkg_key:
 version = pkg_key.split(":")[-1]
 else:
- version = pkg_key.replace(pkg_name + "-", "")
+ continue
 # Remove epoch
 if ":" in version:
 version = version.split(":")[-1]
 edition = "*"
- cpe = arelease.get("cpe", "")
 if cpe and cpe.startswith("cpe:"):
 tmpc = cpe.split(":")
 if len(tmpc) > 2:
@@ -622,13 +635,14 @@ def suse_to_vuln(self, cve_data):
 cwe_id = ""
 cve_references = avuln.get("References", [])
 references = []
- for aref in cve_references:
- references.append(
- {"name": aref.get("Description", "id"), "url": aref.get("URL")}
- )
- references = orjson.dumps(references, option=orjson.OPT_NAIVE_UTC)
- if isinstance(references, bytes):
- references = references.decode("utf-8", "ignore")
+ if cve_references:
+ for aref in cve_references:
+ references.append(
+ {"name": aref.get("Description", "id"), "url": aref.get("URL")}
+ )
+ references = orjson.dumps(references, option=orjson.OPT_NAIVE_UTC)
+ if isinstance(references, bytes):
+ references = references.decode("utf-8", "ignore")
 assigner = "suse"
 (
 score,
diff --git a/vdb/lib/utils.py b/vdb/lib/utils.py
index 5dbe8d0..bfe2669 100644
--- a/vdb/lib/utils.py
+++ b/vdb/lib/utils.py
@@ -1200,4 +1200,5 @@ def clean_cpe_uri(cpe_uri):
 cpe_uri = cpe_uri.replace("_-_" , "-")
 cpe_uri = cpe_uri.replace("_/_" , "/")
 cpe_uri = cpe_uri.replace("__" , "_")
+ cpe_uri = cpe_uri.replace("@" , "_")
 return cpe_uri
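Review bot: The new `else: continue` in redhat_to_vuln is unreachable: the preceding hunk now does `tmp_a = pkg_key.split(":")` followed by `if len(tmp_a) < 2: continue`, so every pkg_key that reaches this point contains a colon. The `if ":" in pkg_key:` test and its else branch can be collapsed to `version = tmp_a[-1]`, and the `# Remove epoch` check `if ":" in version:` can never be true either, because version is already the last colon-separated segment. For keys of the form `name-EPOCH:version` the epoch digit stays attached to `pkg_name` as `tmp_a[0]`; confirm that is the intended purl name or strip it explicitly. The function starts and ends outside the hunk.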
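Review bot: In clean_cpe_uri the new `@` to `_` replacement runs after the `__` to `_` collapse, so an `@` adjacent to an existing underscore produces the double underscore the previous line just removed (constructed example: `foo_@bar` becomes `foo__bar`). Moving the new line above `cpe_uri = cpe_uri.replace("__" , "_")` keeps the collapse effective. The test in test_source.py expects `s_m_cms` for the product `s\@m_cms` from the fixture, which additionally relies on the escaping backslash being stripped elsewhere in clean_cpe_uri; the function starts outside the hunk, so that could not be checked here.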