diff --git a/vulnerabilities/importers/__init__.py b/vulnerabilities/importers/__init__.py
index 3394dd989..34a74e5e1 100644
--- a/vulnerabilities/importers/__init__.py
+++ b/vulnerabilities/importers/__init__.py
@@ -35,6 +35,7 @@
 from vulnerabilities.importers import vulnrichment
 from vulnerabilities.importers import xen
 from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipeline
+from vulnerabilities.pipelines import almalinux_importer
 from vulnerabilities.pipelines import github_importer
 from vulnerabilities.pipelines import gitlab_importer
 from vulnerabilities.pipelines import nginx_importer
@@ -78,6 +79,7 @@
 github_importer.GitHubAPIImporterPipeline,
 nvd_importer.NVDImporterPipeline,
 pysec_importer.PyPIImporterPipeline,
+ almalinux_importer.AlmalinuxImporterPipeline,
 ]
 
 IMPORTERS_REGISTRY = {
diff --git a/vulnerabilities/importers/osv.py b/vulnerabilities/importers/osv.py
index 90f4200e8..141f5773a 100644
--- a/vulnerabilities/importers/osv.py
+++ b/vulnerabilities/importers/osv.py
@@ -41,6 +41,8 @@
 "go": "golang",
 "hex": "hex",
 "cargo": "cargo",
+ "almalinux:8": "rpm",
+ "almalinux:9": "rpm",
 }
 
 
@@ -213,6 +215,8 @@ def get_affected_purl(affected_pkg, raw_id):
 namespace = ""
 if purl_type == "maven":
 namespace, _, name = name.partition(":")
+ if ecosys == "almalinux:8" or ecosys == "almalinux:9":
+ namespace = "almalinux"
 
 purl = PackageURL(type=purl_type, namespace=namespace, name=name)
 else:
diff --git a/vulnerabilities/improvers/__init__.py b/vulnerabilities/improvers/__init__.py
index dd73eb02d..393ffb234 100644
--- a/vulnerabilities/improvers/__init__.py
+++ b/vulnerabilities/improvers/__init__.py
@@ -34,6 +34,7 @@
 valid_versions.RubyImprover,
 valid_versions.GithubOSVImprover,
 vulnerability_status.VulnerabilityStatusImprover,
+ valid_versions.AlmaImprover,
 valid_versions.CurlImprover,
 flag_ghost_packages.FlagGhostPackagePipeline,
 enhance_with_kev.VulnerabilityKevPipeline,
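Review bot: The new branch in get_affected_purl keys on the literal pair `ecosys == "almalinux:8" or ecosys == "almalinux:9"`, so an advisory for any other AlmaLinux release (the ecosystem string carries the major version) falls through with an empty namespace, and the same pair is hard-coded a second time in the ecosystem map hunk above; testing the prefix, `if ecosys.startswith("almalinux:"):`, or holding the supported releases in one module-level tuple used by both places keeps them from drifting. The release number is discarded once the namespace is set to `"almalinux"`, so the resulting purl cannot tell an el8 package from an el9 one except through whatever the version string encodes; the purl spec's `distro` qualifier for rpm packages is the usual place for that, if AdvisoryData consumers can make use of it. This assumes `ecosys` was lowercased earlier in get_affected_purl, whose start is outside the hunk; the fixtures spell the ecosystem `AlmaLinux:8`, so the comparison would never match otherwise.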
diff --git a/vulnerabilities/improvers/valid_versions.py b/vulnerabilities/improvers/valid_versions.py
index 916f36f59..712c94226 100644
--- a/vulnerabilities/improvers/valid_versions.py
+++ b/vulnerabilities/improvers/valid_versions.py
@@ -41,6 +41,7 @@
 from vulnerabilities.improver import Inference
 from vulnerabilities.models import Advisory
 from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipeline
+from vulnerabilities.pipelines.almalinux_importer import AlmalinuxImporterPipeline
 from vulnerabilities.pipelines.github_importer import GitHubAPIImporterPipeline
 from vulnerabilities.pipelines.gitlab_importer import GitLabImporterPipeline
 from vulnerabilities.pipelines.nginx_importer import NginxImporterPipeline
@@ -478,6 +479,11 @@ class GithubOSVImprover(ValidVersionImprover):
 ignorable_versions = []
 
 
+class AlmaImprover(ValidVersionImprover):
+ importer = AlmalinuxImporterPipeline
+ ignorable_versions = []
+
+
 class CurlImprover(ValidVersionImprover):
 importer = CurlImporter
 ignorable_versions = []
diff --git a/vulnerabilities/pipelines/almalinux_importer.py b/vulnerabilities/pipelines/almalinux_importer.py
new file mode 100644
index 000000000..61a6ae9a5
--- /dev/null
+++ b/vulnerabilities/pipelines/almalinux_importer.py
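Review bot: `AlmaImprover` is the one improver in this hunk whose name does not follow its importer (`AlmalinuxImporterPipeline`, pipeline_id `almalinux_importer`), and the registry entry in improvers/__init__.py repeats the short form; `class AlmalinuxImprover(ValidVersionImprover):` keeps the naming consistent with the neighbouring classes. Whether ValidVersionImprover can resolve valid versions for `pkg:rpm/almalinux/...` purls is not visible here — if the underlying version source has no backend for that type the improver will silently produce nothing for every AlmaLinux advisory, so a test running the improver over one of the new fixtures would settle it either way. The class also inherits the sibling pattern of a mutable `ignorable_versions = []` class attribute, which is harmless only as long as nothing appends to it.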
@@ -0,0 +1,69 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+import json
+import logging
+from pathlib import Path
+from typing import Iterable
+
+from fetchcode.vcs import fetch_via_vcs
+
+from vulnerabilities.importer import AdvisoryData
+from vulnerabilities.importers.osv import parse_advisory_data
+from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipeline
+from vulnerabilities.utils import get_advisory_url
+
+logger = logging.getLogger(__name__)
+
+
+class AlmalinuxImporterPipeline(VulnerableCodeBaseImporterPipeline):
+ """Collect Almalinux advisories."""
+
+ pipeline_id = "almalinux_importer"
+ spdx_license_expression = "MIT"
+ license_url = "https://github.com/AlmaLinux/osv-database/blob/master/LICENSE"
+ importer_name = "Almalinux Importer"
+ repo_url = "git+https://github.com/AlmaLinux/osv-database"
+
+ @classmethod
+ def steps(cls):
+ return (
+ cls.clone,
+ cls.collect_and_store_advisories,
+ cls.import_new_advisories,
+ cls.clean_downloads,
+ )
+
+ def clone(self):
+ self.log(f"Cloning `{self.repo_url}")
+ self.vcs_response = fetch_via_vcs(self.repo_url)
+
+ def advisories_count(self):
+ vuln_directory = Path(self.vcs_response.dest_dir) / "advisories"
+ return len(list(vuln_directory.rglob("*.json")))
+
+ def collect_advisories(self) -> Iterable[AdvisoryData]:
+ base_directory = Path(self.vcs_response.dest_dir)
+ vuln_directory = base_directory / "advisories"
+
+ for file in vuln_directory.rglob("*.json"):
+ advisory_url = get_advisory_url(
+ file=file,
+ base_path=base_directory,
+ url="https://github.com/AlmaLinux/osv-database/blob/master/",
+ )
+ with open(file) as f:
+ raw_data = json.load(f)
+ yield parse_advisory_data(
+ raw_data=raw_data, supported_ecosystems=["rpm"], advisory_url=advisory_url
+ )
+
+ def clean_downloads(self):
+ if self.vcs_response:
+ self.log(f"Removing cloned repository")
+ self.vcs_response.delete()
diff --git a/vulnerabilities/tests/pipelines/test_almalinux_importer_pipeline.py b/vulnerabilities/tests/pipelines/test_almalinux_importer_pipeline.py
new file mode 100644
index 000000000..4de06b118
--- /dev/null
+++ b/vulnerabilities/tests/pipelines/test_almalinux_importer_pipeline.py
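Review bot: In collect_advisories a single unreadable or malformed file under `advisories/` raises out of the generator and aborts the whole import, because `json.load(f)` is unguarded and the directory is a third-party git checkout that this pipeline does not validate before parsing; logging and skipping the offending file keeps one bad record from dropping every other AlmaLinux advisory in the run. The same loop opens each file without an explicit encoding, so decoding depends on the host locale. Two smaller points in the same file: the log message in clone has an unbalanced backtick, `self.log(f"Cloning `{self.repo_url}`")`, and clean_downloads uses an f-string with no placeholders, `self.log("Removing cloned repository")`. A one-line addition to the class docstring saying that records are parsed with the OSV parser restricted to the `rpm` ecosystem would also tie this pipeline to the osv.py mapping change for the next reader.
```python
        for file in vuln_directory.rglob("*.json"):
            # … unchanged: advisory_url = get_advisory_url(...) …
            try:
                with open(file, encoding="utf-8") as f:
                    raw_data = json.load(f)
            except (OSError, json.JSONDecodeError) as e:
                # One bad file in the checked-out repository must not abort
                # the import of every other advisory.
                self.log(f"Skipping {file}: {e}")
                continue
            # … unchanged: yield parse_advisory_data(...) …
```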
@@ -0,0 +1,58 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/nexB/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+import json
+import os
+from pathlib import Path
+from unittest import TestCase
+
+from vulnerabilities.importers.osv import parse_advisory_data
+from vulnerabilities.tests import util_tests
+
+TEST_DATA = Path(__file__).parent.parent / "test_data" / "almalinux"
+
+
+class TestAlmalinuxImporterPipelin(TestCase):
+ def test_almalinux_importer1(self):
+ with open(os.path.join(TEST_DATA, "almalinux_test_1.json")) as f:
+ mock_response = json.load(f)
+ expected_file = os.path.join(TEST_DATA, "almalinux_expected_1.json")
+ imported_data = parse_advisory_data(
+ raw_data=mock_response,
+ supported_ecosystems="rpm",
+ advisory_url="https://github.com/AlmaLinux/osv-database"
+ "/blob/master/advisories/almalinux8/almalinux_test_1.json",
+ )
+ result = imported_data.to_dict()
+ util_tests.check_results_against_json(result, expected_file)
+
+ def test_almalinux_importer2(self):
+ with open(os.path.join(TEST_DATA, "almalinux_test_2.json")) as f:
+ mock_response = json.load(f)
+ expected_file = os.path.join(TEST_DATA, "almalinux_expected_2.json")
+ imported_data = parse_advisory_data(
+ raw_data=mock_response,
+ supported_ecosystems="rpm",
+ advisory_url="https://github.com/AlmaLinux/osv-database"
+ "/blob/master/advisories/almalinux8/almalinux_test_2.json",
+ )
+ result = imported_data.to_dict()
+ util_tests.check_results_against_json(result, expected_file)
+
+ def test_almalinux_importer3(self):
+ with open(os.path.join(TEST_DATA, "almalinux_test_3.json")) as f:
+ mock_response = json.load(f)
+ expected_file = os.path.join(TEST_DATA, "almalinux_expected_3.json")
+ imported_data = parse_advisory_data(
+ raw_data=mock_response,
+ supported_ecosystems="rpm",
+ advisory_url="https://github.com/AlmaLinux/osv-database"
+ "/blob/master/advisories/almalinux8/almalinux_test_3.json",
+ )
+ result = imported_data.to_dict()
+ util_tests.check_results_against_json(result, expected_file)
diff --git a/vulnerabilities/tests/test_data/almalinux/almalinux_expected_1.json b/vulnerabilities/tests/test_data/almalinux/almalinux_expected_1.json
new file mode 100644
index 000000000..f83d2839a
--- /dev/null
+++ b/vulnerabilities/tests/test_data/almalinux/almalinux_expected_1.json
@@ -0,0 +1,29 @@
+{
+ "aliases": ["ALBA-2019:3336"],
+ "summary": "nss-altfiles bug fix and enhancement update\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.",
+ "affected_packages": [
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "almalinux",
+ "name": "nss-altfiles",
+ "version": "",
+ "qualifiers": "",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "2.18.1-12.el8"
+ }
+ ],
+ "references": [
+ {
+ "reference_id": "",
+ "reference_type": "",
+ "url": "https://errata.almalinux.org/8/ALBA-2019-3336.html",
+ "severities": []
+ }
+ ],
+ "date_published": "2019-11-05T17:32:18+00:00",
+ "weaknesses": [],
+ "url": "https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux8/almalinux_test_1.json"
+}
diff --git a/vulnerabilities/tests/test_data/almalinux/almalinux_expected_2.json b/vulnerabilities/tests/test_data/almalinux/almalinux_expected_2.json
new file mode 100644
index 000000000..64c08e1f9
--- /dev/null
+++ b/vulnerabilities/tests/test_data/almalinux/almalinux_expected_2.json
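Review bot: All three tests pass `supported_ecosystems="rpm"` as a plain string while the pipeline in almalinux_importer.py passes `["rpm"]`; if parse_advisory_data tests membership with `in`, the string form turns that into a substring check, so the tests never exercise the call shape the pipeline actually uses — `supported_ecosystems=["rpm"],` in each. The class name `TestAlmalinuxImporterPipelin` is missing its final letter, and test 3 labels its advisory_url path `almalinux8` although that fixture's ecosystem is `AlmaLinux:9`, so the expected `url` carries the mismatch as well. The three bodies differ only in the fixture index, which a small helper taking that number would express better than three copies, and because they only call parse_advisory_data nothing here covers `collect_advisories`, `advisories_count` or `clean_downloads` of the new pipeline.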
@@ -0,0 +1,24 @@
+{
+ "aliases": [
+ "ALEA-2019:3314"
+ ],
+ "summary": "python3-azure-sdk bug fix and enhancement update\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.",
+ "affected_packages": [
+ {
+ "package": {
+ "type": "rpm",
+ "namespace": "almalinux",
+ "name": "python3-azure-sdk",
+ "version": "",
+ "qualifiers": "",
+ "subpath": ""
+ },
+ "affected_version_range": null,
+ "fixed_version": "4.0.0-9.el8"
+ }
+ ],
+ "references": [],
+ "date_published": "2019-11-05T17:29:24+00:00",
+ "weaknesses": [],
+ "url": "https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux8/almalinux_test_2.json"
+}
\ No newline at end of file
diff --git a/vulnerabilities/tests/test_data/almalinux/almalinux_expected_3.json b/vulnerabilities/tests/test_data/almalinux/almalinux_expected_3.json
new file mode 100644
index 000000000..267895464
--- /dev/null
+++ b/vulnerabilities/tests/test_data/almalinux/almalinux_expected_3.json
@@ -0,0 +1,145 @@ +{ + "aliases": [ + "ALSA-2022:8221" + ], + "summary": "Moderate: xorg-x11-server security and bug fix update\nX.Org is an open-source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon.\n\nSecurity Fix(es)n\n* xorg-x11-server: X.Org Server ProcXkbSetGeometry out-of-bounds access (CVE-2022-2319)\n* xorg-x11-server: out-of-bounds access in ProcXkbSetDeviceInfo request handler of the Xkb extension VE-2022-2320)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\nAdditional Changes:\n\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.", + "affected_packages": [ + { + "package": { + "type": "rpm", + "namespace": "almalinux", + "name": "xorg-x11-server-Xdmx", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.20.11-11.el9" + }, + { + "package": { + "type": "rpm", + "namespace": "almalinux", + "name": "xorg-x11-server-Xephyr", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.20.11-11.el9" + }, + { + "package": { + "type": "rpm", + "namespace": "almalinux", + "name": "xorg-x11-server-Xnest", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.20.11-11.el9" + }, + { + "package": { + "type": "rpm", + "namespace": "almalinux", + "name": "xorg-x11-server-Xorg", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.20.11-11.el9" + }, + { + "package": { + "type": "rpm", + "namespace": "almalinux", + "name": "xorg-x11-server-Xvfb", + "version": "", + "qualifiers": "", + "subpath": "" + }, + 
"affected_version_range": null, + "fixed_version": "1.20.11-11.el9" + }, + { + "package": { + "type": "rpm", + "namespace": "almalinux", + "name": "xorg-x11-server-common", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.20.11-11.el9" + }, + { + "package": { + "type": "rpm", + "namespace": "almalinux", + "name": "xorg-x11-server-devel", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.20.11-11.el9" + }, + { + "package": { + "type": "rpm", + "namespace": "almalinux", + "name": "xorg-x11-server-source", + "version": "", + "qualifiers": "", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.20.11-11.el9" + } + ], + "references": [ + { + "reference_id": "", + "reference_type": "", + "url": "https://access.redhat.com/errata/RHSA-2022:8221", + "severities": [] + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://access.redhat.com/security/cve/CVE-2022-2319", + "severities": [] + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://access.redhat.com/security/cve/CVE-2022-2320", + "severities": [] + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://bugzilla.redhat.com/2106671", + "severities": [] + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://bugzilla.redhat.com/2106683", + "severities": [] + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://errata.almalinux.org/9/ALSA-2022-8221.html", + "severities": [] + } + ], + "date_published": "2022-11-15T00:00:00+00:00", + "weaknesses": [], + "url": "https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux8/almalinux_test_3.json" +} \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/almalinux/almalinux_test_1.json b/vulnerabilities/tests/test_data/almalinux/almalinux_test_1.json new file mode 100644 index 000000000..215e74aa2 
--- /dev/null
+++ b/vulnerabilities/tests/test_data/almalinux/almalinux_test_1.json
@@ -0,0 +1,35 @@
+{
+ "id": "ALBA-2019:3336",
+ "summary": "nss-altfiles bug fix and enhancement update",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "AlmaLinux:8",
+ "name": "nss-altfiles"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.18.1-12.el8"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "related": [],
+ "published": "2019-11-05T17:32:18Z",
+ "modified": "2021-11-12T10:20:54Z",
+ "details": "For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.",
+ "references": [
+ {
+ "url": "https://errata.almalinux.org/8/ALBA-2019-3336.html",
+ "type": "ADVISORY"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/vulnerabilities/tests/test_data/almalinux/almalinux_test_2.json b/vulnerabilities/tests/test_data/almalinux/almalinux_test_2.json
new file mode 100644
index 000000000..8328da6b7
--- /dev/null
+++ b/vulnerabilities/tests/test_data/almalinux/almalinux_test_2.json
@@ -0,0 +1,30 @@
+{
+ "id": "ALEA-2019:3314",
+ "summary": "python3-azure-sdk bug fix and enhancement update",
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "AlmaLinux:8",
+ "name": "python3-azure-sdk"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "4.0.0-9.el8"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "related": [],
+ "published": "2019-11-05T17:29:24Z",
+ "modified": "2021-08-11T11:18:28Z",
+ "details": "For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.",
+ "references": []
+}
\ No newline at end of file
diff --git a/vulnerabilities/tests/test_data/almalinux/almalinux_test_3.json b/vulnerabilities/tests/test_data/almalinux/almalinux_test_3.json
new file mode 100644
index 000000000..f2a43032e
--- /dev/null
+++ b/vulnerabilities/tests/test_data/almalinux/almalinux_test_3.json
@@ -0,0 +1,191 @@ +{ + "id": "ALSA-2022:8221", + "summary": "Moderate: xorg-x11-server security and bug fix update", + "affected": [ + { + "package": { + "ecosystem": "AlmaLinux:9", + "name": "xorg-x11-server-Xdmx" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.20.11-11.el9" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "AlmaLinux:9", + "name": "xorg-x11-server-Xephyr" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.20.11-11.el9" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "AlmaLinux:9", + "name": "xorg-x11-server-Xnest" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.20.11-11.el9" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "AlmaLinux:9", + "name": "xorg-x11-server-Xorg" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.20.11-11.el9" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "AlmaLinux:9", + "name": "xorg-x11-server-Xvfb" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.20.11-11.el9" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "AlmaLinux:9", + "name": "xorg-x11-server-common" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.20.11-11.el9" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "AlmaLinux:9", + "name": "xorg-x11-server-devel" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.20.11-11.el9" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "AlmaLinux:9", + "name": "xorg-x11-server-source" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.20.11-11.el9" + } + ] + } + ] + } + ], + "related": [ + "CVE-2022-2319", + "CVE-2022-2320" + ], + 
"published": "2022-11-15T00:00:00Z", + "modified": "2022-11-18T13:12:08Z", + "details": "X.Org is an open-source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon.\n\nSecurity Fix(es)n\n* xorg-x11-server: X.Org Server ProcXkbSetGeometry out-of-bounds access (CVE-2022-2319)\n* xorg-x11-server: out-of-bounds access in ProcXkbSetDeviceInfo request handler of the Xkb extension VE-2022-2320)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\nAdditional Changes:\n\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.", + "references": [ + { + "url": "https://access.redhat.com/errata/RHSA-2022:8221", + "type": "ADVISORY" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2022-2319", + "type": "REPORT" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2022-2320", + "type": "REPORT" + }, + { + "url": "https://bugzilla.redhat.com/2106671", + "type": "REPORT" + }, + { + "url": "https://bugzilla.redhat.com/2106683", + "type": "REPORT" + }, + { + "url": "https://errata.almalinux.org/9/ALSA-2022-8221.html", + "type": "ADVISORY" + } + ] +} \ No newline at end of file