import data from oss_fuzz using osv format

ziadhany · ziadhany · commit 043cea8925c7 · 2022-09-04T19:14:51.000+02:00
Signed-off-by: ziad &lt;ziadhany2016@gmail.com&gt;
diff --git a/vulnerabilities/importers/__init__.py b/vulnerabilities/importers/__init__.py
@@ -14,6 +14,7 @@
 from vulnerabilities.importers import nginx
 from vulnerabilities.importers import nvd
 from vulnerabilities.importers import openssl
+from vulnerabilities.importers import oss_fuzz
 from vulnerabilities.importers import pypa
 from vulnerabilities.importers import pysec
 from vulnerabilities.importers import redhat
@@ -27,8 +28,9 @@
     redhat.RedhatImporter,
     pysec.PyPIImporter,
     debian.DebianImporter,
-    gitlab.GitLabAPIImporter,
+    gitlab.GitLabGitImporter,
     pypa.PyPaImporter,
+    oss_fuzz.OSS_FuzzImporter,
 ]
 
 IMPORTERS_REGISTRY = {x.qualified_name: x for x in IMPORTERS_REGISTRY}
diff --git a/vulnerabilities/importers/oss_fuzz.py b/vulnerabilities/importers/oss_fuzz.py
@@ -0,0 +1,55 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/nexB/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+import logging
+import os
+from typing import Iterable
+
+import saneyaml
+from fetchcode.vcs.git import fetch_via_git
+
+from vulnerabilities.importer import AdvisoryData
+from vulnerabilities.importer import Importer
+from vulnerabilities.importers.osv import parse_advisory_data
+
+logger = logging.getLogger(__name__)
+
+
+class OSS_FuzzImporter(Importer):
+    license_url = "https://github.com/google/oss-fuzz-vulns/blob/main/LICENSE"
+    spdx_license_expression = "CC-BY-4.0"
+    url = "git+https://github.com/google/oss-fuzz-vulns"
+
+    def advisory_data(self) -> Iterable[AdvisoryData]:
+        for file in fork_and_get_files(self.url):
+            yield parse_advisory_data(file, supported_ecosystem="oss-fuzz")
+
+
+class ForkError(Exception):
+    pass
+
+
+def fork_and_get_files(url) -> dict:
+    """
+    Fetch the github repository and go to vulns directory ,
+    then open directories one by one and return a file .
+    """
+    try:
+        fork_directory = fetch_via_git(url=url)
+    except Exception as e:
+        logger.error(f"Can't clone url {url}")
+        raise ForkError(url) from e
+
+    advisory_dirs = os.path.join(fork_directory.dest_dir, "vulns")
+    for root, _, files in os.walk(advisory_dirs):
+        for file in files:
+            if not file.endswith(".yaml"):
+                logger.warning(f"unsupported file {file}")
+            else:
+                with open(os.path.join(root, file), "r") as f:
+                    yield saneyaml.load(f.read())
diff --git a/vulnerabilities/importers/osv.py b/vulnerabilities/importers/osv.py
@@ -192,6 +192,7 @@ def get_fixed_version(fixed_range, raw_id) -> List[Version]:
                     fixed_version.append(SemverVersion(i))
                 except InvalidVersion:
                     logger.error(f"Invalid Version - SemverVersion - {raw_id !r} - {i !r}")
+
             # if fixed_range_type == "GIT":
             # TODO add GitHubVersion univers fix_version
             #     logger.error(f"NotImplementedError GIT Version - {raw_id !r} - {i !r}")
diff --git a/vulnerablecode/settings.py b/vulnerablecode/settings.py
@@ -30,7 +30,7 @@
 ALLOWED_HOSTS = env.list("ALLOWED_HOSTS", default=[".localhost", "127.0.0.1", "[::1]"])
 
 # SECURITY WARNING: don't run with debug turned on in production
-DEBUG = env.bool("VULNERABLECODE_DEBUG", default=False)
+DEBUG = env.bool("VULNERABLECODE_DEBUG", default=True)
 
 # Application definition
 
