
Import data from GSD #706 #787

Merged
merged 1 commit into from
Sep 10, 2024

Conversation

ziadhany
Collaborator

@ziadhany ziadhany commented Jul 2, 2022

This PR adds a new importer for the GSD #706
Signed-off-by: Ziad [email protected]

@ziadhany ziadhany marked this pull request as ready for review July 5, 2022 14:11
@ziadhany ziadhany self-assigned this Jul 5, 2022
@pombredanne pombredanne changed the title GSD importer Import data from GSD #706 Jul 12, 2022
"references": {
"reference_data": [
{
"name": "https://kc.mcafee.com/corporate/index?page=content&id=SB10198",
Contributor

Try to extract a reference ID from the reference url, I think a valid id for this example can be SB10198

@TG1999
Contributor

TG1999 commented Jul 14, 2022

@ziadhany please run this importer and add logs for that here, and also run the improve command over this imported data and provide the logs for that

@ziadhany
Collaborator Author

ziadhany commented Sep 6, 2022

Importing data using vulnerabilities.importers.gsd.GSDImporter
JSONDecodeError('Expecting value: line 1 column 2 (char 1)')
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
JSONDecodeError('Extra data: line 1 column 2 (char 1)')
JSONDecodeError('Extra data: line 1 column 2 (char 1)')
JSONDecodeError('Extra data: line 1 column 2 (char 1)')
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
JSONDecodeError('Extra data: line 1 column 2 (char 1)')
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
Successfully imported data using vulnerabilities.importers.gsd.GSDImporter

Process finished with exit code 0

@ziadhany
Collaborator Author

ziadhany commented Sep 6, 2022

` in SQL comments. Only the formatting feature that removes comments from SQL statements is affected by this regular expression., provided: sqlparse is a non-validating SQL parser module for Python. In sqlparse versions 0.4.0 and 0.4.1 there is a regular Expression Denial of Service in sqlparse vulnerability. The regular expression may cause exponential backtracking on strings containing many repetitions of '\r\n' in SQL comments. Only the formatting feature that removes comments from SQL statements is affected by this regular expression. As a workaround don't use the sqlformat.format function with keyword strip_comments=True or the --strip-comments command line flag when using the sqlformat command line tool. The issues has been fixed in sqlparse 0.4.2.
Inconsistent summary for <Vulnerability: VULCOID-20V>. Existing: Path Traversal in SharpZipLib, provided: SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Prior to version 1.3.3, a TAR file entry `../evil.txt` may be extracted in the parent directory of `destFolder`. This leads to arbitrary file write that may lead to code execution. The vulnerability was patched in version 1.3.3.
Inconsistent summary for <Vulnerability: VULCOID-20U>. Existing: Path Traversal in SharpZipLib, provided: SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Starting version 1.3.0 and prior to version 1.3.3, a check was added if the destination file is under destination directory. However, it is not enforced that `destDir` ends with slash. If the `destDir` is not slash terminated like `/home/user/dir` it is possible to create a file with a name thats begins with the destination directory, i.e. `/home/user/dir.sh`. Because of the file name and destination directory constraints, the arbitrary file creation impact is limited and depends on the use case. Version 1.3.3 contains a patch for this vulnerability.
Traceback (most recent call last):
  File "/home/ziad/PycharmProjects/vulnerablecode/vulnerabilities/management/commands/improve.py", line 59, in improve_data
    ImproveRunner(improver).run()
  File "/home/ziad/PycharmProjects/vulnerablecode/vulnerabilities/improve_runner.py", line 40, in run
    inferences = improver.get_inferences(advisory_data=advisory.to_advisory_data())
  File "/home/ziad/PycharmProjects/vulnerablecode/vulnerabilities/models.py", line 403, in to_advisory_data
    affected_packages=[AffectedPackage.from_dict(pkg) for pkg in self.affected_packages],
  File "/home/ziad/PycharmProjects/vulnerablecode/vulnerabilities/models.py", line 403, in <listcomp>
    affected_packages=[AffectedPackage.from_dict(pkg) for pkg in self.affected_packages],
  File "/home/ziad/PycharmProjects/vulnerablecode/vulnerabilities/importer.py", line 208, in from_dict
    affected_version_range = VersionRange.from_string(
  File "/home/ziad/PycharmProjects/univers/venv/lib/python3.10/site-packages/univers/version_range.py", line 118, in from_string
    raise ValueError(f"{vers!r} specifies no version range constraints.")
ValueError: 'vers:gem/' specifies no version range constraints.
Failed to run improver vulnerabilities.improvers.default.DefaultImprover. Continuing...
CommandError: 1 failed!: vulnerabilities.improvers.default.DefaultImprover
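As an added example (not code from this PR or from vulnerablecode), one small Python loader that handles the two failure modes visible in the logs above, files that are not valid JSON and an affected version range such as `'vers:gem/'` with no constraints, and also applies the earlier review suggestion of deriving a reference ID (`SB10198`) from a reference URL. The file names, the `affected_version_ranges` key and the sample records are constructed assumptions, not the GSD schema.

```python
import json
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed inputs, not GSD data: an empty file and a file with trailing garbage
# (the two JSONDecodeError shapes from the import log) plus one usable record. The
# "affected_version_ranges" key is an assumption for the example, not the GSD schema.
SAMPLE_FILES: Dict[str, bytes] = {
    "GSD-0000-0001.json": b"",
    "GSD-0000-0002.json": b"{}x",
    "GSD-0000-0003.json": json.dumps({
        "references": {"reference_data": [
            {"name": "https://kc.mcafee.com/corporate/index?page=content&id=SB10198"},
            {"name": "https://example.invalid/advisory/123"},
        ]},
        "affected_version_ranges": ["vers:gem/", "vers:gem/>=1.0|<1.3.3"],
    }).encode(),
}

def reference_id_from_url(url: str) -> Optional[str]:
    """Use the URL's `id` query parameter as the reference ID when present."""
    values = parse_qs(urlparse(url).query).get("id")
    return values[0] if values else None

def vers_has_constraints(vers: str) -> bool:
    """vers strings look like `vers:<scheme>/<constraints>`; an empty constraints
    part is exactly what made the improver raise, so reject it before from_string."""
    if not vers.startswith("vers:"):
        return False
    scheme, sep, constraints = vers[len("vers:"):].partition("/")
    return bool(scheme) and sep == "/" and bool(constraints.strip())

def load_records(files: Dict[str, bytes]) -> Tuple[List[dict], List[str]]:
    """Parse every file, skipping (and recording) bad ones so one broken input
    does not abort the whole import; drop version ranges with no constraints."""
    records, skipped = [], []
    for name, raw in files.items():
        try:
            data = json.loads(raw)
        except json.JSONDecodeError as exc:
            skipped.append(f"{name}: {exc}")
            continue
        refs = [r["name"] for r in data.get("references", {}).get("reference_data", [])]
        data["reference_ids"] = {u: reference_id_from_url(u) for u in refs}
        data["affected_version_ranges"] = [
            v for v in data.get("affected_version_ranges", []) if vers_has_constraints(v)
        ]
        records.append(data)
    return records, skipped
```

The skipped list plays the role of the `JSONDecodeError` lines in the log, while the range filter prevents the `ValueError` from `VersionRange.from_string` in the traceback.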

@ziadhany ziadhany mentioned this pull request Sep 22, 2022
@TG1999 TG1999 added this to the v31.0 milestone Oct 11, 2022
@TG1999
Contributor

TG1999 commented Nov 18, 2022

@ziadhany according to your logs the improver has some errors, were you able to investigate or identify the underlying issues?

@ziadhany
Collaborator Author

ziadhany commented Dec 6, 2022

@ziadhany according to your logs the improver has some errors, were you able to investigate or identify the underlying issues?

I am trying to reduce the size of GSD by downloading the zip file so I can easily debug the importer and improve.

@pombredanne pombredanne modified the milestones: v31.0, v32.0.0 Dec 8, 2022
@TG1999 TG1999 marked this pull request as draft January 3, 2023 16:50
@TG1999 TG1999 modified the milestones: v32.0.0, v33.0.0 Jan 13, 2023
@TG1999 TG1999 modified the milestones: v33.0.0, v34.0.0 Sep 12, 2023
@pombredanne
Member

Based on discussions it seems that GSD has unique vulnerabilities for the Linux kernel that are not available elsewhere and we need to reconsider what to do with these.

@ziadhany
Collaborator Author

Based on discussions it seems that GSD has unique vulnerabilities for the Linux kernel that are not available elsewhere and we need to reconsider what to do with these.

ok, I'll work on that this week

@TG1999
Contributor

TG1999 commented Dec 6, 2023

@pombredanne @ziadhany what have we decided on this PR, is it ready for review?

Member

@pombredanne pombredanne left a comment

@ziadhany Let's not activate the importer for now for all the reasons we have discussed here and in weekly calls.
Once deactivated (with the suggested modifications) we can then merge.

@@ -59,6 +60,7 @@
elixir_security.ElixirSecurityImporter,
apache_tomcat.ApacheTomcatImporter,
xen.XenImporter,
gsd.GSDImporter,
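Review bot: adding `gsd.GSDImporter,` to this list registers the importer for every default run, which the thread decides against; the import and improver logs in this PR still show `JSONDecodeError` on a number of GSD files and an improver crash on an affected version range of `'vers:gem/'` that has no constraints. Leave the entry out of the list (as the suggested change does) until those inputs are handled, so that merging the importer code does not activate it.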
Member

We could merge the PR even if we do not actually run the importer just yet. I would like to merge the code as we may use it in the future.

Suggested change
gsd.GSDImporter,

Collaborator Author

Done

@TG1999 TG1999 marked this pull request as ready for review July 22, 2024 15:05
Contributor

@TG1999 TG1999 left a comment

LGTM! @pombredanne please see if this can be merged?

@pombredanne pombredanne modified the milestones: v35.0.0, v36.0.0 Aug 5, 2024
Contributor

@TG1999 TG1999 left a comment

LGTM!

Add gsd test

Signed-off-by: ziadhany <[email protected]>
@ziadhany ziadhany requested a review from TG1999 September 10, 2024 15:07
@TG1999 TG1999 merged commit b342145 into aboutcode-org:main Sep 10, 2024
5 checks passed
@pombredanne pombredanne modified the milestones: v36.0.0, v35.0.0 - 2-next Oct 15, 2024