-
Notifications
You must be signed in to change notification settings - Fork 214
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1049 from TG1999/migrate/ubuntu_usn
Migrate ubuntu usn importer #1051
- Loading branch information
Showing
6 changed files
with
150 additions
and
99 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -19,8 +19,48 @@ | |
|
|
||
|
|
||
| class UbuntuImporter(OvalImporter): | ||
| spdx_license_expression = "GPL" | ||
| license_url = "https://ubuntu.com/legal/terms" | ||
| spdx_license_expression = "LicenseRef-scancode-other-permissive" | ||
| notice = """ | ||
| From: Seth Arnold <[email protected]> | ||
| Date: Wed, Jan 25, 2023 at 2:02 AM | ||
| Subject: Re: [ubuntu-hardened] Usage of Ubuntu Security Data in VulnerableCode | ||
| To: Tushar Goel <[email protected]> | ||
| Cc: <[email protected]>, Philippe Ombredanne <[email protected]>, [email protected] <[email protected]> | ||
| On Wed, Jan 11, 2023 at 06:27:38PM +0530, Tushar Goel wrote: | ||
| > We would like to integrate the Ubuntu usn data[1][2] and | ||
| > Ubuntu security data (OVAL format)[3] in vulnerablecode[4] | ||
| > which is a FOSS db of FOSS vulnerability data. We were not | ||
| > able to know under which license this security data comes. | ||
| > We would be grateful to have your acknowledgement over usage of | ||
| > the ubuntu security data in vulnerablecode and have | ||
| > some kind of licensing declaration from your side. | ||
| Hello Tushar, we do not have an explicit license on this data. | ||
| We share our data with the intention that others will use it. Please | ||
| feel free to use it for the general furtherance of security. | ||
| Much of the data that's contained within our databases is sourced from | ||
| third parties, who also shared their data with the intention that others | ||
| will use it. I'm not sure what it would look like to try to put a license | ||
| on data that is crowd-sourced from thousands of contributors. (If you were | ||
| to start such a project today, it'd probably be one of the first things to | ||
| formalize. But when CVE was started two decades ago, the primary goal was | ||
| sharing knowledge and simplifying the vulnerability remediation process, | ||
| and licensing the data was, as far as I can remember, not considered. | ||
| Sharing was the goal.) | ||
| I will ask that vulnerablecode 'be nice' to our infrastructure that | ||
| hosts the databases -- some automated uses of our infrastructure by | ||
| vulnerability scanner tools has lead to significant load and engineering | ||
| effort. In general, please prefer a small handful of systems updating | ||
| mirrors roughly twice a day rather than thousands of hosts pulling | ||
| data hourly. | ||
| Thanks | ||
| """ | ||
|
|
||
| def __init__(self, *args, **kwargs): | ||
| super().__init__(*args, **kwargs) | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -15,55 +15,81 @@ | |
| from vulnerabilities.importer import AdvisoryData | ||
| from vulnerabilities.importer import Importer | ||
| from vulnerabilities.importer import Reference | ||
| from vulnerabilities.utils import create_etag | ||
| from vulnerabilities.utils import is_cve | ||
|
|
||
|
|
||
| class UbuntuUSNImporter(Importer): | ||
| def updated_advisories(self): | ||
| advisories = [] | ||
| if create_etag(data_src=self, url=self.config.db_url, etag_key="etag"): | ||
| advisories.extend(self.to_advisories(fetch(self.config.db_url))) | ||
|
|
||
| return self.batch_advisories(advisories) | ||
|
|
||
| def create_etag(self, url): | ||
| etag = requests.head(url).headers.get("etag") | ||
| if not etag: | ||
| return True | ||
|
|
||
| elif url in self.config.etags: | ||
| if self.config.etags[url] == etag: | ||
| return False | ||
|
|
||
| self.config.etags[url] = etag | ||
| return True | ||
| db_url = "https://usn.ubuntu.com/usn-db/database-all.json.bz2" | ||
| spdx_license_expression = "LicenseRef-scancode-other-permissive" | ||
| notice = """ | ||
| From: Seth Arnold <[email protected]> | ||
| Date: Wed, Jan 25, 2023 at 2:02 AM | ||
| Subject: Re: [ubuntu-hardened] Usage of Ubuntu Security Data in VulnerableCode | ||
| To: Tushar Goel <[email protected]> | ||
| Cc: <[email protected]>, Philippe Ombredanne <[email protected]>, [email protected] <[email protected]> | ||
| On Wed, Jan 11, 2023 at 06:27:38PM +0530, Tushar Goel wrote: | ||
| > We would like to integrate the Ubuntu usn data[1][2] and | ||
| > Ubuntu security data (OVAL format)[3] in vulnerablecode[4] | ||
| > which is a FOSS db of FOSS vulnerability data. We were not | ||
| > able to know under which license this security data comes. | ||
| > We would be grateful to have your acknowledgement over usage of | ||
| > the ubuntu security data in vulnerablecode and have | ||
| > some kind of licensing declaration from your side. | ||
| Hello Tushar, we do not have an explicit license on this data. | ||
| We share our data with the intention that others will use it. Please | ||
| feel free to use it for the general furtherance of security. | ||
| Much of the data that's contained within our databases is sourced from | ||
| third parties, who also shared their data with the intention that others | ||
| will use it. I'm not sure what it would look like to try to put a license | ||
| on data that is crowd-sourced from thousands of contributors. (If you were | ||
| to start such a project today, it'd probably be one of the first things to | ||
| formalize. But when CVE was started two decades ago, the primary goal was | ||
| sharing knowledge and simplifying the vulnerability remediation process, | ||
| and licensing the data was, as far as I can remember, not considered. | ||
| Sharing was the goal.) | ||
| I will ask that vulnerablecode 'be nice' to our infrastructure that | ||
| hosts the databases -- some automated uses of our infrastructure by | ||
| vulnerability scanner tools has lead to significant load and engineering | ||
| effort. In general, please prefer a small handful of systems updating | ||
| mirrors roughly twice a day rather than thousands of hosts pulling | ||
| data hourly. | ||
| Thanks | ||
| """ | ||
|
|
||
| def advisory_data(self): | ||
| usn_db = fetch(self.db_url) | ||
| yield from self.to_advisories(usn_db=usn_db) | ||
|
|
||
| @staticmethod | ||
| def to_advisories(usn_db): | ||
| advisories = [] | ||
| for usn in usn_db: | ||
| reference = get_usn_references(usn_db[usn]["id"]) | ||
| for cve in usn_db[usn].get("cves", [""]): | ||
| usn_data = usn_db[usn] | ||
| references = get_usn_references(usn_data.get("id")) | ||
| for cve in usn_data.get("cves", []): | ||
| # The db sometimes contains entries like | ||
| # {'cves': ['python-pgsql vulnerabilities', 'CVE-2006-2313', 'CVE-2006-2314']} | ||
| # This `if` filters entries like 'python-pgsql vulnerabilities' | ||
| if not is_cve(cve): | ||
| cve = "" | ||
| continue | ||
|
|
||
| advisories.append( | ||
| AdvisoryData( | ||
| vulnerability_id=cve, | ||
| summary="", | ||
| references=[reference], | ||
| ) | ||
| yield AdvisoryData( | ||
| aliases=[cve], | ||
| summary="", | ||
| references=references, | ||
| ) | ||
|
|
||
| return advisories | ||
|
|
||
|
|
||
| def get_usn_references(usn_id): | ||
| return Reference(reference_id="USN-" + usn_id, url="https://usn.ubuntu.com/{}/".format(usn_id)) | ||
| if not usn_id: | ||
| return [] | ||
| return [Reference(reference_id=f"USN-{usn_id}", url=f"https://usn.ubuntu.com/{usn_id}/")] | ||
|
|
||
|
|
||
| def fetch(url): | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
34 changes: 34 additions & 0 deletions
34
vulnerabilities/tests/test_data/ubuntu_usn_db/ubuntu-usn-expected.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,34 @@ | ||
| [ | ||
| { | ||
| "aliases": [ | ||
| "CVE-2009-0698" | ||
| ], | ||
| "summary": "", | ||
| "affected_packages": [], | ||
| "references": [ | ||
| { | ||
| "reference_id": "USN-763-1", | ||
| "url": "https://usn.ubuntu.com/763-1/", | ||
| "severities": [] | ||
| } | ||
| ], | ||
| "date_published": null, | ||
| "weaknesses": [] | ||
| }, | ||
| { | ||
| "aliases": [ | ||
| "CVE-2009-1274" | ||
| ], | ||
| "summary": "", | ||
| "affected_packages": [], | ||
| "references": [ | ||
| { | ||
| "reference_id": "USN-763-1", | ||
| "url": "https://usn.ubuntu.com/763-1/", | ||
| "severities": [] | ||
| } | ||
| ], | ||
| "date_published": null, | ||
| "weaknesses": [] | ||
| } | ||
| ] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters