Add firstPatchedVersion in github API #748

Merged
merged 4 commits into from
May 24, 2022
83 changes: 44 additions & 39 deletions vulnerabilities/importers/github.py
Expand Up @@ -30,6 +30,7 @@
from dateutil import parser as dateparser
from django.db.models.query import QuerySet
from packageurl import PackageURL
from univers.version_range import RANGE_CLASS_BY_SCHEMES
from univers.version_range import build_range_from_github_advisory_constraint

from vulnerabilities import severity_systems
Expand All @@ -48,6 +49,7 @@
from vulnerabilities.package_managers import VersionAPI
from vulnerabilities.package_managers import get_api_package_name
from vulnerabilities.utils import AffectedPackage as LegacyAffectedPackage
from vulnerabilities.utils import dedupe
from vulnerabilities.utils import get_affected_packages_by_patched_package
from vulnerabilities.utils import get_item
from vulnerabilities.utils import nearest_patched_package
Expand Down Expand Up @@ -153,6 +155,9 @@
severity
publishedAt
}
firstPatchedVersion{
identifier
}
package {
name
}
Expand Down Expand Up @@ -236,60 +241,64 @@ def process_response(resp: dict, package_type: str) -> Iterable[AdvisoryData]:
return

for vulnerability in vulnerabilities:
aliases = []
affected_packages = []
aliases = set()
github_advisory = get_item(vulnerability, "node")
if not github_advisory:
logger.error(f"No node found in {vulnerability!r}")
continue

name = get_item(github_advisory, "package", "name")
if not name:
logger.error(f"No name found in {github_advisory!r}")
continue

purl = get_purl(pkg_type=package_type, github_name=name)
if not purl:
continue

vulnerable_range = get_item(github_advisory, "vulnerableVersionRange")
if not vulnerable_range:
logger.error(f"No affected range found in {github_advisory!r}")
continue

affected_range = None
try:
affected_range = build_range_from_github_advisory_constraint(
package_type, vulnerable_range
)
except InvalidVersionRange:
logger.error(f"Could not parse affected range {vulnerable_range!r}")
continue

if affected_range != NotImplementedError:
affected_packages.append(
AffectedPackage(
package=purl,
affected_version_range=affected_range,
)
)

advisory = get_item(github_advisory, "advisory")
if not advisory:
logger.error(f"No advisory found in {github_advisory!r}")
continue

summary = get_item(advisory, "summary") or ""

references = get_item(advisory, "references") or []
if references:
urls = (ref["url"] for ref in references)
references = [Reference.from_url(u) for u in urls]

summary = get_item(advisory, "summary")
date_published = get_item(advisory, "publishedAt")
if date_published:
date_published = dateparser.parse(date_published)

name = get_item(github_advisory, "package", "name")
if name:
purl = get_purl(pkg_type=package_type, github_name=name)
if purl:
affected_range = get_item(github_advisory, "vulnerableVersionRange")
fixed_version = get_item(github_advisory, "firstPatchedVersion", "identifier")
if affected_range:
try:
affected_range = build_range_from_github_advisory_constraint(
package_type, affected_range
)
except InvalidVersionRange as e:
logger.error(f"Could not parse affected range {affected_range!r} {e!r}")
affected_range = None
if fixed_version:
try:
fixed_version = RANGE_CLASS_BY_SCHEMES[package_type].version_class(
fixed_version
)
except Exception as e:
logger.error(f"Invalid fixed version {fixed_version!r} {e!r}")
fixed_version = None
if affected_range or fixed_version:
affected_packages.append(
AffectedPackage(
package=purl,
affected_version_range=affected_range,
fixed_version=fixed_version,
)
)
identifiers = get_item(advisory, "identifiers") or []
for identifier in identifiers:
value = identifier["value"]
identifier_type = identifier["type"]
aliases.add(value)
aliases.append(value)
# attach the GHSA with severity score
if identifier_type == "GHSA":
# Each Node has only one GHSA, hence exit after attaching
Expand All @@ -310,12 +319,8 @@ def process_response(resp: dict, package_type: str) -> Iterable[AdvisoryData]:
else:
logger.error(f"Unknown identifier type {identifier_type!r} and value {value!r}")

date_published = get_item(advisory, "publishedAt")
if date_published:
date_published = dateparser.parse(date_published)

yield AdvisoryData(
aliases=sorted(list(aliases)),
aliases=dedupe(aliases),
summary=summary,
references=references,
affected_packages=affected_packages,
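Review bot: The `except Exception` around `RANGE_CLASS_BY_SCHEMES[package_type].version_class(fixed_version)` also swallows the `KeyError` raised when `package_type` has no entry in `RANGE_CLASS_BY_SCHEMES`, so an unsupported scheme is reported once per advisory as `Invalid fixed version` instead of failing where the real cause is. Since `package_type` is constant for the whole response, look the class up once before the `for vulnerability in vulnerabilities:` loop — `version_class = RANGE_CLASS_BY_SCHEMES[package_type].version_class` — and narrow the handler to the version parser's own error (univers raises `InvalidVersion`, if I recall its API correctly) rather than `Exception`, which otherwise also hides programming errors behind a log line. Separately, the rewritten block no longer logs when `package.name`, the purl or `vulnerableVersionRange` is missing; the advisory is then yielded with an empty `affected_packages`, which may be intended but deserves either the old `logger.error` calls or a comment such as `# advisories with no resolvable package are still yielded for their aliases and references`. The enclosing `process_response` starts before this hunk.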
3 changes: 0 additions & 3 deletions vulnerabilities/package_managers.py
Expand Up @@ -395,9 +395,6 @@ class ComposerVersionAPI(VersionAPI):
package_type = "composer"

def fetch(self, pkg: str) -> Iterable[PackageVersion]:
if "/" not in pkg:
raise Exception(f"Composer package: {pkg!r} does not have a vendor/name structure.")

response = get_response(url=f"https://repo.packagist.org/p/{pkg}.json")
if response:
yield from self.extract_versions(response, pkg)
@@ -1,8 +1,8 @@
[
{
"aliases": [
"CVE-2022-0832",
"GHSA-6qcc-whgp-pjj2"
"GHSA-6qcc-whgp-pjj2",
"CVE-2022-0832"
],
"summary": "Cross-site Scripting in Pimcore",
"affected_packages": [
Expand Down Expand Up @@ -50,8 +50,8 @@
},
{
"aliases": [
"CVE-2022-0831",
"GHSA-q67f-3jq4-mww2"
"GHSA-q67f-3jq4-mww2",
"CVE-2022-0831"
],
"summary": "Cross-site Scripting in Pimcore",
"affected_packages": [
Expand Down Expand Up @@ -99,8 +99,8 @@
},
{
"aliases": [
"CVE-2022-0895",
"GHSA-x28w-hvwc-mp75"
"GHSA-x28w-hvwc-mp75",
"CVE-2022-0895"
],
"summary": "Static Code Injection in Microweber",
"affected_packages": [
Expand Down Expand Up @@ -148,8 +148,8 @@
},
{
"aliases": [
"CVE-2022-0589",
"GHSA-gj26-g5qf-jrh7"
"GHSA-gj26-g5qf-jrh7",
"CVE-2022-0589"
],
"summary": "Cross-site Scripting in librenms",
"affected_packages": [
Expand All @@ -163,7 +163,7 @@
"subpath": null
},
"affected_version_range": "vers:composer/<22.1.0",
"fixed_version": null
"fixed_version": "22.1.0"
}
],
"references": [
3 changes: 3 additions & 0 deletions vulnerabilities/tests/test_data/github_api/composer.json
Expand Up @@ -150,6 +150,9 @@
"package": {
"name": "librenms/librenms"
},
"firstPatchedVersion": {
"identifier" :"22.1.0"
},
"vulnerableVersionRange": "< 22.1.0"
}
}
22 changes: 11 additions & 11 deletions vulnerabilities/tests/test_data/github_api/gem-expected.json
@@ -1,8 +1,8 @@
[
{
"aliases": [
"CVE-2009-4492",
"GHSA-6mq2-37j5-w6r6"
"GHSA-6mq2-37j5-w6r6",
"CVE-2009-4492"
],
"summary": "Moderate severity vulnerability that affects webrick",
"affected_packages": [
Expand All @@ -16,7 +16,7 @@
"subpath": null
},
"affected_version_range": "vers:gem/<=1.3.1",
"fixed_version": null
"fixed_version": "1.3.2"
}
],
"references": [
Expand Down Expand Up @@ -85,8 +85,8 @@
},
{
"aliases": [
"CVE-2022-21831",
"GHSA-w749-p3v6-hccq"
"GHSA-w749-p3v6-hccq",
"CVE-2022-21831"
],
"summary": "Possible code injection vulnerability in Rails / Active Storage",
"affected_packages": [
Expand Down Expand Up @@ -139,8 +139,8 @@
},
{
"aliases": [
"CVE-2022-21831",
"GHSA-w749-p3v6-hccq"
"GHSA-w749-p3v6-hccq",
"CVE-2022-21831"
],
"summary": "Possible code injection vulnerability in Rails / Active Storage",
"affected_packages": [
Expand Down Expand Up @@ -193,8 +193,8 @@
},
{
"aliases": [
"CVE-2022-21831",
"GHSA-w749-p3v6-hccq"
"GHSA-w749-p3v6-hccq",
"CVE-2022-21831"
],
"summary": "Possible code injection vulnerability in Rails / Active Storage",
"affected_packages": [
Expand Down Expand Up @@ -247,8 +247,8 @@
},
{
"aliases": [
"CVE-2022-21831",
"GHSA-w749-p3v6-hccq"
"GHSA-w749-p3v6-hccq",
"CVE-2022-21831"
],
"summary": "Possible code injection vulnerability in Rails / Active Storage",
"affected_packages": [
3 changes: 3 additions & 0 deletions vulnerabilities/tests/test_data/github_api/gem.json
Expand Up @@ -57,6 +57,9 @@
"package": {
"name": "webrick"
},
"firstPatchedVersion": {
"identifier" :"1.3.2"
},
"vulnerableVersionRange": "<= 1.3.1"
}
},
14 changes: 7 additions & 7 deletions vulnerabilities/tests/test_data/github_api/golang-expected.json
@@ -1,8 +1,8 @@
[
{
"aliases": [
"CVE-2014-9356",
"GHSA-vj3f-3286-r4pf"
"GHSA-vj3f-3286-r4pf",
"CVE-2014-9356"
],
"summary": "Path Traversal in Docker",
"affected_packages": [
Expand All @@ -16,7 +16,7 @@
"subpath": null
},
"affected_version_range": "vers:golang/<1.3.3",
"fixed_version": null
"fixed_version": "1.3.3"
}
],
"references": [
Expand Down Expand Up @@ -65,8 +65,8 @@
},
{
"aliases": [
"CVE-2014-9356",
"GHSA-vj3f-3286-r4pf"
"GHSA-vj3f-3286-r4pf",
"CVE-2014-9356"
],
"summary": "Path Traversal in Docker",
"affected_packages": [
Expand Down Expand Up @@ -129,8 +129,8 @@
},
{
"aliases": [
"CVE-2021-39183",
"GHSA-2hfj-cxw7-g45p"
"GHSA-2hfj-cxw7-g45p",
"CVE-2021-39183"
],
"summary": "Unsafe inline XSS in pasting DOM element into chat",
"affected_packages": [
3 changes: 3 additions & 0 deletions vulnerabilities/tests/test_data/github_api/golang.json
Expand Up @@ -45,6 +45,9 @@
"package": {
"name": "github.com/moby/moby"
},
"firstPatchedVersion": {
"identifier" :"1.3.3"
},
"vulnerableVersionRange": "< 1.3.3"
}
},