|
21 | 21 | # VulnerableCode is a free software tool from nexB Inc. and others. |
22 | 22 | # Visit https://github.com/nexB/vulnerablecode/ for support and download. |
23 | 23 |
|
24 | | -import dataclasses |
| 24 | +import logging |
25 | 25 | from typing import Any |
| 26 | +from typing import Iterable |
26 | 27 | from typing import List |
27 | 28 | from typing import Mapping |
28 | | -from typing import Set |
29 | 29 |
|
30 | 30 | import requests |
31 | | -from dateutil import parser as dateparser |
| 31 | +from django.db.models.query import QuerySet |
32 | 32 | from packageurl import PackageURL |
| 33 | +from univers.version_range import DebianVersionRange |
| 34 | +from univers.versions import DebianVersion |
33 | 35 |
|
| 36 | +from vulnerabilities.helpers import AffectedPackage as LegacyAffectedPackage |
| 37 | +from vulnerabilities.helpers import get_item |
34 | 38 | from vulnerabilities.helpers import nearest_patched_package |
35 | 39 | from vulnerabilities.importer import AdvisoryData |
| 40 | +from vulnerabilities.importer import AffectedPackage |
36 | 41 | from vulnerabilities.importer import Importer |
37 | 42 | from vulnerabilities.importer import Reference |
| 43 | +from vulnerabilities.importer import UnMergeablePackageError |
| 44 | +from vulnerabilities.improver import MAX_CONFIDENCE |
| 45 | +from vulnerabilities.improver import Improver |
| 46 | +from vulnerabilities.improver import Inference |
| 47 | +from vulnerabilities.models import Advisory |
38 | 48 |
|
| 49 | +logger = logging.getLogger(__name__) |
39 | 50 |
|
40 | | -class DebianImporter(Importer): |
41 | | - def __enter__(self): |
42 | | - if self.response_is_new(): |
43 | | - self._api_response = self._fetch() |
| 51 | +IGNORABLE_VERSIONS = {"3.8.20-4."} |
44 | 52 |
|
45 | | - else: |
46 | | - self._api_response = {} |
47 | 53 |
|
48 | | - def updated_advisories(self) -> Set[AdvisoryData]: |
49 | | - advisories = [] |
| 54 | +class DebianImporter(Importer): |
50 | 55 |
|
51 | | - for pkg_name, records in self._api_response.items(): |
52 | | - advisories.extend(self._parse(pkg_name, records)) |
| 56 | + spdx_license_expression = "MIT" |
| 57 | + license_url = "https://www.debian.org/license" |
53 | 58 |
|
54 | | - return self.batch_advisories(advisories) |
| 59 | + api_url = "https://security-tracker.debian.org/tracker/data/json" |
55 | 60 |
|
56 | | - def _fetch(self) -> Mapping[str, Any]: |
57 | | - return requests.get(self.config.debian_tracker_url).json() |
| 61 | + def get_response(self): |
| 62 | + return requests.get(self.api_url).json() |
58 | 63 |
|
59 | | - def _parse(self, pkg_name: str, records: Mapping[str, Any]) -> List[AdvisoryData]: |
60 | | - advisories = [] |
61 | | - ignored_versions = {"3.8.20-4."} |
| 64 | + def advisory_data(self) -> Iterable[AdvisoryData]: |
| 65 | + response = self.get_response() |
| 66 | + for pkg_name, records in response.items(): |
| 67 | + yield from self.parse(pkg_name, records) |
62 | 68 |
|
| 69 | + def parse( |
| 70 | + self, pkg_name: str, records: Mapping[str, Any], ignored_versions=IGNORABLE_VERSIONS |
| 71 | + ) -> Iterable[AdvisoryData]: |
63 | 72 | for cve_id, record in records.items(): |
64 | | - impacted_purls, resolved_purls = [], [] |
| 73 | + affected_versions, fixed_versions = [], [] |
65 | 74 | if not cve_id.startswith("CVE"): |
| 75 | + logger.error(f"Invalid CVE ID: {cve_id} in {record} in package {pkg_name}") |
66 | 76 | continue |
67 | 77 |
|
68 | 78 | # vulnerabilities starting with something else may not be public yet |
69 | 79 | # see for instance https://web.archive.org/web/20201215213725/https://security-tracker.debian.org/tracker/TEMP-0000000-A2EB44 |
70 | 80 | # TODO: this would need to be revisited though to ensure we are not missing out on anything |
71 | 81 |
|
72 | 82 | for release_name, release_record in record["releases"].items(): |
73 | | - if not release_record.get("repositories", {}).get(release_name): |
74 | | - continue |
| 83 | + version = get_item(release_record, "repositories", release_name) |
75 | 84 |
|
76 | | - version = release_record["repositories"][release_name] |
| 85 | + if not version: |
| 86 | + logger.error( |
| 87 | + f"Version not found for {release_name} in {record} in package {pkg_name}" |
| 88 | + ) |
| 89 | + continue |
77 | 90 |
|
78 | 91 | if version in ignored_versions: |
| 92 | + logger.error(f"Ignoring version {version} in {record} in package {pkg_name}") |
79 | 93 | continue |
80 | 94 |
|
81 | 95 | purl = PackageURL( |
82 | 96 | name=pkg_name, |
83 | 97 | type="deb", |
84 | 98 | namespace="debian", |
85 | | - version=version, |
86 | 99 | qualifiers={"distro": release_name}, |
87 | 100 | ) |
88 | 101 |
|
89 | 102 | if release_record.get("status", "") == "resolved": |
90 | | - resolved_purls.append(purl) |
| 103 | + fixed_versions.append(version) |
91 | 104 | else: |
92 | | - impacted_purls.append(purl) |
| 105 | + affected_versions.append(version) |
93 | 106 |
|
94 | 107 | if ( |
95 | 108 | "fixed_version" in release_record |
96 | 109 | and release_record["fixed_version"] not in ignored_versions |
97 | 110 | ): |
98 | | - resolved_purls.append( |
99 | | - PackageURL( |
100 | | - name=pkg_name, |
101 | | - type="deb", |
102 | | - namespace="debian", |
103 | | - version=release_record["fixed_version"], |
104 | | - qualifiers={"distro": release_name}, |
105 | | - ) |
106 | | - ) |
| 111 | + fixed_versions.append(release_record["fixed_version"]) |
107 | 112 |
|
108 | 113 | references = [] |
109 | 114 | debianbug = record.get("debianbug") |
110 | 115 | if debianbug: |
111 | 116 | bug_url = f"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug={debianbug}" |
112 | | - references.append(Reference(url=bug_url, reference_id=debianbug)) |
113 | | - advisories.append( |
114 | | - AdvisoryData( |
115 | | - vulnerability_id=cve_id, |
116 | | - affected_packages=nearest_patched_package(impacted_purls, resolved_purls), |
117 | | - summary=record.get("description", ""), |
118 | | - references=references, |
| 117 | + references.append(Reference(url=bug_url, reference_id=str(debianbug))) |
| 118 | + affected_versions = list(dict.fromkeys(affected_versions)) |
| 119 | + fixed_versions = list(dict.fromkeys(fixed_versions)) |
| 120 | + affected_version_range = ( |
| 121 | + DebianVersionRange.from_versions(affected_versions) if affected_versions else None |
| 122 | + ) |
| 123 | + affected_packages = [] |
| 124 | + for fixed_version in fixed_versions: |
| 125 | + affected_packages.append( |
| 126 | + AffectedPackage( |
| 127 | + package=purl, |
| 128 | + affected_version_range=affected_version_range, |
| 129 | + fixed_version=DebianVersion(fixed_version), |
| 130 | + ) |
119 | 131 | ) |
| 132 | + yield AdvisoryData( |
| 133 | + aliases=[cve_id], |
| 134 | + summary=record.get("description", ""), |
| 135 | + affected_packages=affected_packages, |
| 136 | + references=references, |
120 | 137 | ) |
121 | 138 |
|
122 | | - return advisories |
123 | 139 |
|
124 | | - def response_is_new(self): |
| 140 | +class DebianBasicImprover(Improver): |
| 141 | + @property |
| 142 | + def interesting_advisories(self) -> QuerySet: |
| 143 | + return Advisory.objects.filter(created_by=DebianImporter.qualified_name) |
| 144 | + |
| 145 | + def get_inferences(self, advisory_data: AdvisoryData) -> Iterable[Inference]: |
125 | 146 | """ |
126 | | - Return True if a request response is for new data likely changed or |
127 | | - updated since we last checked. |
| 147 | + Yield Inferences for the given advisory data |
128 | 148 | """ |
129 | | - head = requests.head(self.config.debian_tracker_url) |
130 | | - date_str = head.headers.get("last-modified") |
131 | | - last_modified_date = dateparser.parse(date_str) |
132 | | - if self.config.last_run_date: |
133 | | - return self.config.last_run_date < last_modified_date |
| 149 | + if not advisory_data.affected_packages: |
| 150 | + return |
| 151 | + try: |
| 152 | + purl, affected_version_ranges, fixed_versions = AffectedPackage.merge( |
| 153 | + advisory_data.affected_packages |
| 154 | + ) |
| 155 | + except UnMergeablePackageError: |
| 156 | + logger.error(f"Cannot merge with different purls {advisory_data.affected_packages!r}") |
| 157 | + return iter([]) |
| 158 | + |
| 159 | + pkg_type = purl.type |
| 160 | + pkg_namespace = purl.namespace |
| 161 | + pkg_name = purl.name |
| 162 | + fixed_purls = [ |
| 163 | + PackageURL(type=pkg_type, namespace=pkg_namespace, name=pkg_name, version=str(version)) |
| 164 | + for version in fixed_versions |
| 165 | + ] |
| 166 | + if not affected_version_ranges: |
| 167 | + for fixed_purl in fixed_purls: |
| 168 | + yield Inference.from_advisory_data( |
| 169 | + advisory_data, |
| 170 | + confidence=MAX_CONFIDENCE, # We are getting all valid versions to get this inference |
| 171 | + affected_purls=[], |
| 172 | + fixed_purl=fixed_purl, |
| 173 | + ) |
| 174 | + else: |
| 175 | + aff_versions = set() |
| 176 | + for affected_version_range in affected_version_ranges: |
| 177 | + for constraint in affected_version_range.constraints: |
| 178 | + aff_versions.add(constraint.version.string) |
| 179 | + affected_purls = [ |
| 180 | + PackageURL(type=pkg_type, namespace=pkg_namespace, name=pkg_name, version=version) |
| 181 | + for version in aff_versions |
| 182 | + ] |
| 183 | + affected_packages: List[LegacyAffectedPackage] = nearest_patched_package( |
| 184 | + vulnerable_packages=affected_purls, resolved_packages=fixed_purls |
| 185 | + ) |
| 186 | + |
| 187 | + unique_patched_packages_with_affected_packages = {} |
| 188 | + for package in affected_packages: |
| 189 | + if package.patched_package not in unique_patched_packages_with_affected_packages: |
| 190 | + unique_patched_packages_with_affected_packages[package.patched_package] = [] |
| 191 | + unique_patched_packages_with_affected_packages[package.patched_package].append( |
| 192 | + package.vulnerable_package |
| 193 | + ) |
134 | 194 |
|
135 | | - return True |
| 195 | + for ( |
| 196 | + fixed_package, |
| 197 | + affected_packages, |
| 198 | + ) in unique_patched_packages_with_affected_packages.items(): |
| 199 | + yield Inference.from_advisory_data( |
| 200 | + advisory_data, |
| 201 | + confidence=MAX_CONFIDENCE, # We are getting all valid versions to get this inference |
| 202 | + affected_purls=affected_packages, |
| 203 | + fixed_purl=fixed_package, |
| 204 | + ) |
0 commit comments