From 1df47ffe963d6f1df71da36577d497b4b350ccee Mon Sep 17 00:00:00 2001
From: zhangzuoqiang
Date: Thu, 30 Sep 2021 15:50:44 +0800
Subject: [PATCH 1/2] =?UTF-8?q?=E8=B0=83=E7=94=A8deps.dev=E8=BF=9B?=
 =?UTF-8?q?=E8=A1=8C=E7=BB=84=E4=BB=B6=E6=BC=8F=E6=B4=9E=E6=A3=80=E6=B5=8B?=
 =?UTF-8?q?=E6=97=B6=E7=9A=84bug=E4=BF=AE=E5=A4=8D?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 core/vuln_apis/depsdev.py | 49 ++++++++++++++++++---------------------
 1 file changed, 22 insertions(+), 27 deletions(-)
diff --git a/core/vuln_apis/depsdev.py b/core/vuln_apis/depsdev.py
index 4ceb0373..a6f09233 100644
--- a/core/vuln_apis/depsdev.py
+++ b/core/vuln_apis/depsdev.py
@@ -2,7 +2,8 @@
 import requests
 from urllib.parse import quote
-__DEPSDEVAPIURL = "https://deps.dev/_/s/{ecosystem}/p/{package}/v/{version}"
+# __DEPSDEVAPIURL = "https://deps.dev/_/s/{ecosystem}/p/{package}/v/{version}"
+__DEPSDEVAPIURL = "https://deps.dev/_/s/{eco_system}/p/{package}/v/{version}/dependencies"
 __DEPSDEVADVISORYURL = "https://deps.dev/_/advisory/{source}/{source_id}"
 __SEVERITY_DICT = {
 "UNKNOWN": 1,
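Review bot: The renamed placeholder `{eco_system}` in the new `__DEPSDEVAPIURL` does not match the keyword the call site passes — `url = __DEPSDEVAPIURL.format(ecosystem=ecosystem, package=package_name, version=version)` in the next hunk — so `str.format` raises `KeyError: 'eco_system'` before any request is made, and patch 2/2 below removes only the commented-out line without touching this. Restore the original name: `__DEPSDEVAPIURL = "https://deps.dev/_/s/{ecosystem}/p/{package}/v/{version}/dependencies"`. Since the constant now points at a different resource than before, a comment above it such as `# dependencies of package@version; advisories are read per dependency, not for the package itself` would make the semantic change visible to anyone reading the constant in isolation.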
@@ -20,36 +21,30 @@ def get_vulns_from_depsdev(ecosystem, package_name, version):
 package_name = quote(package_name, safe='')
 url = __DEPSDEVAPIURL.format(ecosystem=ecosystem, package=package_name, version=version)
- resp = requests.get(url)
+ resp = requests.get(url, timeout=6)
 if resp.status_code == 200:
 data = json.loads(resp.content)
-
- # 获取组件自身漏洞
- if "version" in data.keys(): # deps.dev版本展示有错误,有一些组件展示的与go.mod中不一致
- if len(data["version"]["advisories"]) > 0:
- for advisorie in data["version"]["advisories"]:
- vuln = {}
- vuln["vuln_id"] = advisorie["sourceID"]
- vuln["title"] = advisorie["title"]
- vuln["severity"] = __SEVERITY_DICT[advisorie["severity"]]
- vuln["description"] = advisorie["description"]
-
- cves = []
- for cve in advisorie["CVEs"]:
- cves.append(cve)
-
- vuln["cves"] = json.dumps(cves)
- vuln["reference"] = advisorie["sourceURL"]
-
- # 获取全部影响版本
- source = advisorie["source"]
- affected_versions = __get_affected_versions(package_name, source, vuln["vuln_id"])
- vuln["affected_versions"] = affected_versions
-
- result.append(vuln)
-
+ if "dependencies" in data.keys():
+ for pack in data['dependencies']:
+ if len(pack['advisories']) > 0:
+ for advisory in pack['advisories']:
+ vul = {"vuln_id": advisory["sourceID"], "title": advisory["title"],
+ "severity": __SEVERITY_DICT[advisory["severity"]],
+ "description": advisory["description"]}
+
+ if advisory["CVEs"]:
+ cves = [cve for cve in advisory["CVEs"]]
+ vul["cves"] = json.dumps(cves)
+ vul["reference"] = advisory["sourceURL"]
+ # 获取全部影响版本
+ source = advisory["source"]
+ affected_versions = __get_affected_versions(package_name, source, vul["vuln_id"])
+ vul["affected_versions"] = affected_versions
+
+ result.append(vul)
 return result
+
 def __get_affected_versions(package_name, source, source_id):
 result = []
From 7d33793cf9abc6e60a1e3f694b0845ba0c842c89 Mon Sep 17 00:00:00 2001
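Review bot: Each advisory now comes from a dependency node (`for pack in data['dependencies']`), yet `__get_affected_versions(package_name, source, vul["vuln_id"])` is still given the scanned package's own quoted name and `vul` records nothing about `pack`, so the affected-version lookup is keyed to the wrong package and a consumer of `result` cannot tell which dependency the finding belongs to; carry the dependency's name and version from `pack` into `vul` (field names to be confirmed against the deps.dev response) and pass that name to the helper. `vul["cves"]` is now written only when `advisory["CVEs"]` is truthy, whereas the removed code always set it, so readers of that key can hit `KeyError`; `vul["cves"] = json.dumps(advisory.get("CVEs") or [])` keeps the key present unconditionally and drops the identity comprehension. Any non-200 response (rate limiting, server errors) still falls through to `return result` with an empty list, indistinguishable from a clean scan, and the new `timeout=6` lets `requests.exceptions.Timeout` propagate to callers, so log or raise on non-200 rather than reporting an API failure as "no vulnerabilities". Minor style: `"dependencies" in data` and `for advisory in pack.get('advisories') or []` replace the `.keys()` and `len(...) > 0` guards, and `__SEVERITY_DICT.get(advisory["severity"], __SEVERITY_DICT["UNKNOWN"])` avoids a crash on a severity value the table does not list. The enclosing function starts before the hunk.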
From: zhangzuoqiang
Date: Thu, 30 Sep 2021 16:28:11 +0800
Subject: [PATCH 2/2] =?UTF-8?q?=E8=B0=83=E7=94=A8deps.dev=E8=BF=9B?=
 =?UTF-8?q?=E8=A1=8C=E7=BB=84=E4=BB=B6=E6=BC=8F=E6=B4=9E=E6=89=AB=E6=8F=8F?=
 =?UTF-8?q?=E6=97=B6bug=E4=BF=AE=E5=A4=8D?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 core/vuln_apis/depsdev.py | 1 -
 1 file changed, 1 deletion(-)
diff --git a/core/vuln_apis/depsdev.py b/core/vuln_apis/depsdev.py
index a6f09233..fcaf3a8a 100644
--- a/core/vuln_apis/depsdev.py
+++ b/core/vuln_apis/depsdev.py
@@ -2,7 +2,6 @@
 import requests
 from urllib.parse import quote
-# __DEPSDEVAPIURL = "https://deps.dev/_/s/{ecosystem}/p/{package}/v/{version}"
 __DEPSDEVAPIURL = "https://deps.dev/_/s/{eco_system}/p/{package}/v/{version}/dependencies"
 __DEPSDEVADVISORYURL = "https://deps.dev/_/advisory/{source}/{source_id}"
 __SEVERITY_DICT = {