From bea2110cb1bcb5eb95dd9ecd0f31cb9f9672ee47 Mon Sep 17 00:00:00 2001 From: Jan-Niclas Struewer Date: Wed, 21 Jun 2023 19:51:15 +0200 Subject: [PATCH 01/12] updated from_dict to return None if a package has no version range. Signed-off-by: Jan-Niclas Struewer --- vulnerabilities/importer.py | 11 +++++++---- vulnerabilities/models.py | 2 +- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/vulnerabilities/importer.py b/vulnerabilities/importer.py index 774bdb116..24dd2e32e 100644 --- a/vulnerabilities/importer.py +++ b/vulnerabilities/importer.py @@ -214,9 +214,12 @@ def from_dict(cls, affected_pkg: dict): affected_pkg["affected_version_range"] and affected_pkg["affected_version_range"] != "None" ): - affected_version_range = VersionRange.from_string( - affected_pkg["affected_version_range"] - ) + try: + affected_version_range = VersionRange.from_string( + affected_pkg["affected_version_range"] + ) + except: + return None fixed_version = affected_pkg["fixed_version"] if fixed_version and affected_version_range: # TODO: revisit after https://github.com/nexB/univers/issues/10 @@ -270,7 +273,7 @@ def from_dict(cls, advisory_data): "aliases": advisory_data["aliases"], "summary": advisory_data["summary"], "affected_packages": [ - AffectedPackage.from_dict(pkg) for pkg in advisory_data["affected_packages"] + AffectedPackage.from_dict(pkg) for pkg in advisory_data["affected_packages" if pkg is not None] ], "references": [Reference.from_dict(ref) for ref in advisory_data["references"]], "date_published": datetime.datetime.fromisoformat(date_published) diff --git a/vulnerabilities/models.py b/vulnerabilities/models.py index 7b6c9fcc6..dccf11d33 100644 --- a/vulnerabilities/models.py +++ b/vulnerabilities/models.py 
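Review bot: The bare `except:` added around `VersionRange.from_string` catches everything, including `KeyboardInterrupt` and `SystemExit`, and returns `None` without a trace, so an affected package is silently dropped from the advisory and anyone querying that package later gets a false negative. Catch the exception univers raises for a malformed vers string (a `ValueError` subclass as far as I recall; verify against the univers version pinned here) and record what was discarded, e.g. `except ValueError as e:` / `logger.warning("dropping affected package with invalid version range %r: %s", affected_pkg["affected_version_range"], e)` / `return None`, assuming importer.py has a module logger. The classmethod now has two return types, which its docstring (outside this hunk) should state; `from_dict` starts before the hunk and continues after it.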
@@ -826,7 +826,7 @@ def to_advisory_data(self) -> AdvisoryData: return AdvisoryData( aliases=self.aliases, summary=self.summary, - affected_packages=[AffectedPackage.from_dict(pkg) for pkg in self.affected_packages], + affected_packages=[AffectedPackage.from_dict(pkg) for pkg in self.affected_packages if pkg is not None], references=[Reference.from_dict(ref) for ref in self.references], date_published=self.date_published, weaknesses=self.weaknesses, From baf0a282fe95f369401268a8e87317823de7adb8 Mon Sep 17 00:00:00 2001 From: Jan-Niclas Struewer Date: Wed, 21 Jun 2023 19:58:15 +0200 Subject: [PATCH 02/12] fixed incorrect [ Signed-off-by: Jan-Niclas Struewer --- vulnerabilities/importer.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vulnerabilities/importer.py b/vulnerabilities/importer.py index 24dd2e32e..76c107b38 100644 --- a/vulnerabilities/importer.py +++ b/vulnerabilities/importer.py @@ -273,7 +273,7 @@ def from_dict(cls, advisory_data): "aliases": advisory_data["aliases"], "summary": advisory_data["summary"], "affected_packages": [ - AffectedPackage.from_dict(pkg) for pkg in advisory_data["affected_packages" if pkg is not None] + AffectedPackage.from_dict(pkg) for pkg in advisory_data["affected_packages"] if pkg is not None ], "references": [Reference.from_dict(ref) for ref in advisory_data["references"]], "date_published": datetime.datetime.fromisoformat(date_published) From 65317e586a0fa7d21ffc82c3fda060645d1e9d4c Mon Sep 17 00:00:00 2001 From: Jan-Niclas Struewer Date: Wed, 21 Jun 2023 20:05:51 +0200 Subject: [PATCH 03/12] moved affected_package.affected_version_range into the try except block, as this call can fail due the affected_package to be None. Signed-off-by: Jan-Niclas Struewer --- vulnerabilities/improvers/default.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vulnerabilities/improvers/default.py b/vulnerabilities/improvers/default.py index 5c00a28c5..ac384e126 100644 
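Review bot: `if pkg is not None` filters the stored dicts in `self.affected_packages`, not the result of `AffectedPackage.from_dict`, so the `None` that `from_dict` now returns for an unparseable range still lands in `affected_packages` and every consumer of `AdvisoryData` has to cope with it (the later change to `get_exact_purls` in this series is that symptom). Filter the constructed objects instead: `affected_packages=[ap for ap in (AffectedPackage.from_dict(pkg) for pkg in self.affected_packages) if ap is not None],`. `to_advisory_data` starts before the hunk and the `AdvisoryData(` call continues after it.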
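Review bot: The bracket is fixed, but `if pkg is not None` still tests the input dict rather than what `AffectedPackage.from_dict` returns, so the `None` it yields for a bad version range is kept in `"affected_packages"` and reaches the improvers. Filter the results: `"affected_packages": [ap for ap in (AffectedPackage.from_dict(pkg) for pkg in advisory_data["affected_packages"]) if ap is not None],`. If the input list can itself contain `None` entries, keep both tests; the `from_dict` classmethod starts before this hunk and ends after it.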
--- a/vulnerabilities/improvers/default.py +++ b/vulnerabilities/improvers/default.py @@ -94,11 +94,11 @@ def get_exact_purls(affected_package: AffectedPackage) -> Tuple[List[PackageURL] >>> assert expected == got """ - vr = affected_package.affected_version_range # We need ``if c`` below because univers returns None as version # in case of vers:nginx/* # TODO: Revisit after https://github.com/nexB/univers/issues/33 try: + vr = affected_package.affected_version_range affected_purls = [] fixed_versions = [] if vr: From 5ceda4fb1f130e60867f4baaf456347b00dc7458 Mon Sep 17 00:00:00 2001 From: Jan-Niclas Struewer Date: Fri, 14 Jul 2023 13:26:32 +0200 Subject: [PATCH 04/12] fixed codestyle Signed-off-by: Jan-Niclas Struewer --- vulnerabilities/importer.py | 4 +++- vulnerabilities/models.py | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/vulnerabilities/importer.py b/vulnerabilities/importer.py index 76c107b38..ddb26b011 100644 --- a/vulnerabilities/importer.py +++ b/vulnerabilities/importer.py @@ -273,7 +273,9 @@ def from_dict(cls, advisory_data): "aliases": advisory_data["aliases"], "summary": advisory_data["summary"], "affected_packages": [ - AffectedPackage.from_dict(pkg) for pkg in advisory_data["affected_packages"] if pkg is not None + AffectedPackage.from_dict(pkg) + for pkg in advisory_data["affected_packages"] + if pkg is not None ], "references": [Reference.from_dict(ref) for ref in advisory_data["references"]], "date_published": datetime.datetime.fromisoformat(date_published) diff --git a/vulnerabilities/models.py b/vulnerabilities/models.py index dccf11d33..287f70715 100644 --- a/vulnerabilities/models.py +++ b/vulnerabilities/models.py 
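Review bot: Moving `vr = affected_package.affected_version_range` into the `try` makes an `AttributeError` on a `None` `affected_package` indistinguishable from a genuine version-range failure, and the `except` clause that now absorbs it is outside the hunk, so whatever it logs will describe the wrong problem. Reject the `None` explicitly before the `try`, `if affected_package is None: return [], []`, or better, stop `None` entries from reaching this function by filtering them where `AffectedPackage.from_dict` is called. `get_exact_purls` starts before the hunk and its body continues after it.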
@@ -826,7 +826,9 @@ def to_advisory_data(self) -> AdvisoryData: return AdvisoryData( aliases=self.aliases, summary=self.summary, - affected_packages=[AffectedPackage.from_dict(pkg) for pkg in self.affected_packages if pkg is not None], + affected_packages=[ + AffectedPackage.from_dict(pkg) for pkg in self.affected_packages if pkg is not None + ], references=[Reference.from_dict(ref) for ref in self.references], date_published=self.date_published, weaknesses=self.weaknesses, From d667d5b27f48da83a4e3a8e7c09d7453a9cd1444 Mon Sep 17 00:00:00 2001 From: Tushar Goel Date: Wed, 5 Jul 2023 13:29:10 +0530 Subject: [PATCH 05/12] Remove unresolved_vulnerabilities from API response Signed-off-by: Tushar Goel Signed-off-by: Jan-Niclas Struewer --- vulnerabilities/api.py | 5 ----- vulnerabilities/tests/test_api.py | 26 -------------------------- 2 files changed, 31 deletions(-) diff --git a/vulnerabilities/api.py b/vulnerabilities/api.py index af8e5d889..2c8e913ba 100644 --- a/vulnerabilities/api.py +++ b/vulnerabilities/api.py @@ -124,11 +124,6 @@ class PackageSerializer(serializers.HyperlinkedModelSerializer): Lookup software package using Package URLs """ - def to_representation(self, instance): - data = super().to_representation(instance) - data["unresolved_vulnerabilities"] = data["affected_by_vulnerabilities"] - return data - purl = serializers.CharField(source="package_url") affected_by_vulnerabilities = serializers.SerializerMethodField("get_affected_vulnerabilities") diff --git a/vulnerabilities/tests/test_api.py b/vulnerabilities/tests/test_api.py index d02808e16..5ead38a2d 100644 --- a/vulnerabilities/tests/test_api.py +++ b/vulnerabilities/tests/test_api.py 
@@ -362,16 +362,6 @@ def test_api_with_single_vulnerability_and_fixed_package(self): "aliases": ["CVE-2029-1234"], }, ], - "unresolved_vulnerabilities": [ - { - "url": f"http://testserver/api/vulnerabilities/{self.vuln1.id}", - "vulnerability_id": self.vuln1.vulnerability_id, - "summary": "test-vuln1", - "references": [], - "fixed_packages": [], - "aliases": ["CVE-2019-1234", "GMS-1234-4321"], - } - ], } def test_api_with_single_vulnerability_and_vulnerable_package(self): @@ -402,22 +392,6 @@ def test_api_with_single_vulnerability_and_vulnerable_package(self): } ], "fixing_vulnerabilities": [], - "unresolved_vulnerabilities": [ - { - "url": f"http://testserver/api/vulnerabilities/{self.vuln.id}", - "vulnerability_id": self.vuln.vulnerability_id, - "summary": "test-vuln", - "references": [], - "fixed_packages": [ - { - "url": f"http://testserver/api/packages/{self.package.id}", - "purl": "pkg:generic/nginx/test@11", - "is_vulnerable": True, - } - ], - "aliases": ["CVE-2029-1234"], - } - ], } def test_api_with_all_vulnerable_packages(self): From 439190579109841f4a7674d54a222d7cfbaae771 Mon Sep 17 00:00:00 2001 From: Tushar Goel Date: Wed, 5 Jul 2023 13:29:45 +0530 Subject: [PATCH 06/12] Add missing quotes for href values in template Signed-off-by: Tushar Goel Signed-off-by: Jan-Niclas Struewer --- vulnerabilities/templates/package_details.html | 4 ++-- vulnerabilities/templates/vulnerabilities.html | 2 +- vulnerabilities/templates/vulnerability_details.html | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/vulnerabilities/templates/package_details.html b/vulnerabilities/templates/package_details.html index 9d30c13f0..6a391d3d3 100644 --- a/vulnerabilities/templates/package_details.html +++ b/vulnerabilities/templates/package_details.html @@ -66,7 +66,7 @@ {% for alias in vulnerability.alias %} {% if alias.url %} - {{ alias }} + {{ alias }}
{% else %} {{ alias }} @@ -113,7 +113,7 @@ {% for alias in vulnerability.alias %} {% if alias.url %} - {{ alias }} + {{ alias }}
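Review bot: The anchor markup has been stripped from this rendering, so only the `{{ alias }}` text survives and the attribute itself is not visible; assuming the change is `href={{ alias.url }}` to `href="{{ alias.url }}"`, the quotes only close the attribute-breakout hole if Django autoescaping is active for this template and `alias.url` is not passed through `|safe` or `mark_safe`, which is worth confirming. Escaping also does nothing against a `javascript:` or `data:` scheme, so if `alias.url` can arrive verbatim from an imported advisory rather than being built from a known prefix, it should be validated to `http(s)` before rendering. The enclosing `{% for alias in vulnerability.alias %}` loop starts before the hunk and ends after it.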
{% else %} {{ alias }} diff --git a/vulnerabilities/templates/vulnerabilities.html b/vulnerabilities/templates/vulnerabilities.html index dcca5213d..023d3f97f 100644 --- a/vulnerabilities/templates/vulnerabilities.html +++ b/vulnerabilities/templates/vulnerabilities.html @@ -48,7 +48,7 @@ {% for alias in vulnerability.alias %} {% if alias.url %} - {{ alias }} + {{ alias }} {% else %} diff --git a/vulnerabilities/templates/vulnerability_details.html b/vulnerabilities/templates/vulnerability_details.html index d7ee67bd4..d6162f211 100644 --- a/vulnerabilities/templates/vulnerability_details.html +++ b/vulnerabilities/templates/vulnerability_details.html @@ -68,7 +68,7 @@ {% for alias in aliases %} {% if alias.url %} - {{ alias }} + {{ alias }} {% else %} {{ alias }} {% endif %} From 2abb37a515efe2d8c96923f5dc9f9b8ac5f882a8 Mon Sep 17 00:00:00 2001 From: Tushar Goel Date: Wed, 5 Jul 2023 13:58:02 +0530 Subject: [PATCH 07/12] Remove ubuntu OVAL link from source Signed-off-by: Tushar Goel Signed-off-by: Jan-Niclas Struewer --- SOURCES.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SOURCES.rst b/SOURCES.rst index 8cf65d02d..bc0963a10 100644 --- a/SOURCES.rst +++ b/SOURCES.rst 
@@ -13,7 +13,7 @@ +----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ |ruby | https://github.com/rubysec/ruby-advisory-db.git |ruby gems | +----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|ubuntu | https://people.canonical.com/~ubuntu-security/oval/ |ubuntu packages | +|ubuntu | |ubuntu packages | +----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ |retiredotnet | https://github.com/RetireNet/Packages.git |.NET packages | +----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ From 7850234a902daab0933d58b53c741bbb3beb40c7 Mon Sep 17 00:00:00 2001 From: Tushar Goel Date: Wed, 5 Jul 2023 14:05:16 +0530 Subject: [PATCH 08/12] Add CHANGELOG for v33.0.0 Signed-off-by: Tushar Goel Signed-off-by: Jan-Niclas Struewer --- CHANGELOG.rst | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 214fe2e4a..b9bae75cf 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -2,6 +2,13 @@ Release notes ============= +Version v33.0.0 +----------------- + +- We have dropped ``unresolved_vulnerabilities`` from /api/package endpoint API response. +- We have added missing quotes for href values in template. + + Version v32.0.1 ----------------- From bcd1c9a08ea1994030b078a4e1fbcc6704b76bea Mon Sep 17 00:00:00 2001 From: Tushar Goel Date: Wed, 5 Jul 2023 14:27:44 +0530 Subject: [PATCH 09/12] Fix affected package merge functionality Signed-off-by: Tushar Goel 
Signed-off-by: Jan-Niclas Struewer --- vulnerabilities/importer.py | 2 +- .../tests/test_affected_package.py | 21 ++++++++++++++++++- 2 files changed, 21 insertions(+), 2 deletions(-) diff --git a/vulnerabilities/importer.py b/vulnerabilities/importer.py index ddb26b011..cddc11231 100644 --- a/vulnerabilities/importer.py +++ b/vulnerabilities/importer.py @@ -188,7 +188,7 @@ def merge( purls.add(pkg.package) if len(purls) > 1: raise UnMergeablePackageError("Cannot merge with different purls", purls) - return purls.pop(), sorted(affected_version_ranges), sorted(fixed_versions) + return purls.pop(), list(affected_version_ranges), sorted(fixed_versions) def to_dict(self): """ diff --git a/vulnerabilities/tests/test_affected_package.py b/vulnerabilities/tests/test_affected_package.py index 7e7173d8d..2ebbcbddb 100644 --- a/vulnerabilities/tests/test_affected_package.py +++ b/vulnerabilities/tests/test_affected_package.py @@ -57,6 +57,19 @@ def test_affected_package_merge(): ), ), AffectedPackage(package=PackageURL(type="npm", name="foo"), fixed_version="2.0.0"), + AffectedPackage( + package=PackageURL(type="npm", name="foo"), + affected_version_range=GemVersionRange( + constraints=( + VersionConstraint( + comparator=">=", version=RubygemsVersion(string="10.2.0") + ), + VersionConstraint( + comparator="<=", version=RubygemsVersion(string="10.5.0") + ), + ) + ), + ), ] ) expected = ( @@ -69,7 +82,13 @@ def test_affected_package_merge(): VersionConstraint(comparator=">=", version=RubygemsVersion(string="5.2.0")), VersionConstraint(comparator="<=", version=RubygemsVersion(string="5.2.6.2")), ) - ) + ), + GemVersionRange( + constraints=( + VersionConstraint(comparator=">=", version=RubygemsVersion(string="10.2.0")), + VersionConstraint(comparator="<=", version=RubygemsVersion(string="10.5.0")), + ) + ), ], ["1.0.0", "2.0.0"], ) From 1edd4899472cc25e6ffaaaa974431ee0a409ea0c Mon Sep 17 00:00:00 2001 
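Review bot: Replacing `sorted(affected_version_ranges)` with `list(affected_version_ranges)` makes the merge result depend on how that collection iterates; the sibling `purls` on the line above is a set, and if `affected_version_ranges` is one too (its construction is outside the hunk) the order can change between processes with hash randomisation, so the two-range order the new test pins is incidental and stored or serialised advisories stop being stable. If `sorted` was dropped because `VersionRange` defines no ordering, sort on its string form instead, `sorted(affected_version_ranges, key=str)`, and set the test's expected order to match. `merge` starts before the hunk.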
From: Tushar Goel Date: Wed, 5 Jul 2023 14:38:37 +0530 Subject: [PATCH 10/12] Add tests to check improver function with multiple affected version ranges Signed-off-by: Tushar Goel Signed-off-by: Jan-Niclas Struewer --- .../github_api/inference-expected.json | 62 +++++++++++++++++++ vulnerabilities/tests/test_github.py | 24 ++++++- 2 files changed, 85 insertions(+), 1 deletion(-) diff --git a/vulnerabilities/tests/test_data/github_api/inference-expected.json b/vulnerabilities/tests/test_data/github_api/inference-expected.json index a5fa58e0e..799f04bf2 100644 --- a/vulnerabilities/tests/test_data/github_api/inference-expected.json +++ b/vulnerabilities/tests/test_data/github_api/inference-expected.json 
@@ -424,5 +424,67 @@ } ], "weaknesses": [] + }, + { + "vulnerability_id": null, + "aliases": [ + "CVE-2022-21831", + "GHSA-w749-p3v6-hccq" + ], + "confidence": 100, + "summary": "Possible code injection vulnerability in Rails / Active Storage", + "affected_purls": [ + { + "type": "gem", + "namespace": null, + "name": "activestorage", + "version": "10.2.1", + "qualifiers": null, + "subpath": null + }, + { + "type": "gem", + "namespace": null, + "name": "activestorage", + "version": "10.2.8", + "qualifiers": null, + "subpath": null + } + ], + "fixed_purl": null, + "references": [ + { + "reference_id": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21831", + "severities": [] + }, + { + "reference_id": "", + "url": "https://github.com/rails/rails/commit/0a72f7d670e9aa77a0bb8584cb1411ddabb7546e", + "severities": [] + }, + { + "reference_id": "", + "url": "https://groups.google.com/g/rubyonrails-security/c/n-p-W1yxatI", + "severities": [] + }, + { + "reference_id": "", + "url": "https://rubysec.com/advisories/CVE-2022-21831/", + "severities": [] + }, + { + "reference_id": "GHSA-w749-p3v6-hccq", + "url": "https://github.com/advisories/GHSA-w749-p3v6-hccq", + "severities": [ + { + "system": "cvssv3.1_qr", + "value": "HIGH", + "scoring_elements": "" + } + ] + } + ], + "weaknesses": [] } ] \ No newline at end of file diff --git a/vulnerabilities/tests/test_github.py b/vulnerabilities/tests/test_github.py index 81b913451..b0c2491ed 100644 --- a/vulnerabilities/tests/test_github.py +++ b/vulnerabilities/tests/test_github.py @@ -172,6 +172,8 @@ def valid_versions(): "6.0.3.4", "6.0.3.rc1", "6.0.2.rc2", + "10.2.8", + "10.2.1", ] 
@@ -203,7 +205,27 @@ def test_github_improver(mock_response, regen=REGEN): ) ), fixed_version=None, - ) + ), + AffectedPackage( + package=PackageURL( + type="gem", + namespace=None, + name="activestorage", + version=None, + qualifiers={}, + subpath=None, + ), + affected_version_range=GemVersionRange( + constraints=( + VersionConstraint( + comparator=">=", version=RubygemsVersion(string="10.2.0") + ), + VersionConstraint( + comparator="<=", version=RubygemsVersion(string="10.2.8") + ), + ) + ), + ), ], references=[ Reference( From 7d1b96f58388308ba2bd7f0c0746a5ccb5fbee44 Mon Sep 17 00:00:00 2001 From: Tushar Goel Date: Wed, 5 Jul 2023 14:58:00 +0530 Subject: [PATCH 11/12] Prepare for release v33.0.0 Signed-off-by: Tushar Goel Signed-off-by: Jan-Niclas Struewer --- CHANGELOG.rst | 1 + setup.cfg | 2 +- vulnerablecode/__init__.py | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index b9bae75cf..db44248a7 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -7,6 +7,7 @@ Version v33.0.0 - We have dropped ``unresolved_vulnerabilities`` from /api/package endpoint API response. - We have added missing quotes for href values in template. +- We have fixed merge functionality of AffectedPackage. Version v32.0.1 diff --git a/setup.cfg b/setup.cfg index 67f28bcb9..9e1e2f177 100644 --- a/setup.cfg +++ b/setup.cfg @@ -1,6 +1,6 @@ [metadata] name = vulnerablecode -version = 32.0.1 +version = 33.0.0 license = Apache-2.0 AND CC-BY-SA-4.0 # description must be on ONE line https://github.com/pypa/setuptools/issues/1390 diff --git a/vulnerablecode/__init__.py b/vulnerablecode/__init__.py index 33dc85b91..f2993ee41 100644 --- a/vulnerablecode/__init__.py +++ b/vulnerablecode/__init__.py @@ -12,7 +12,7 @@ import warnings from pathlib import Path -__version__ = "32.0.1" +__version__ = "33.0.0" def command_line(): From faac7ee83b74a1f2390d022d8250c57acfba9d0e Mon Sep 17 00:00:00 2001 
From: Jan-Niclas Struewer Date: Fri, 14 Jul 2023 16:27:27 +0200 Subject: [PATCH 12/12] added test case to illustrate invalid affected_version_range error Signed-off-by: Jan-Niclas Struewer --- .../tests/test_default_improver.py | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/vulnerabilities/tests/test_default_improver.py b/vulnerabilities/tests/test_default_improver.py index 703e985a4..f358476d6 100644 --- a/vulnerabilities/tests/test_default_improver.py +++ b/vulnerabilities/tests/test_default_improver.py @@ -17,6 +17,7 @@ from vulnerabilities.importer import Reference from vulnerabilities.improver import Inference from vulnerabilities.improvers.default import DefaultImprover +from vulnerabilities.improvers.default import get_exact_purls from vulnerabilities.tests import util_tests BASE_DIR = os.path.dirname(os.path.abspath(__file__)) @@ -136,3 +137,21 @@ def test_default_improver_with_nvd(): for data in list(default_improver.get_inferences(AdvisoryData.from_dict(advisory_data))) ] util_tests.check_results_against_json(result, expected_file) + + +def test_default_improver_invalid_version(): + pkg_dict = PackageURL( + type="rpm", + namespace="rpms", + name="python", + qualifiers={}, + subpath=None, + ).to_dict() + pkg = { + "package": pkg_dict, + "affected_version_range": "vers:apache/", # This is currently returned from vulnerabilities.importers.apache_httpd.ApacheHTTPDImporter + "fixed_version": None, + } + affected_package = AffectedPackage.from_dict(pkg) + + assert get_exact_purls(affected_package) == ([], [])
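Review bot: The test only checks `get_exact_purls(affected_package) == ([], [])`, which passes because `from_dict` turned the package into `None` and `get_exact_purls` swallows the resulting `AttributeError`; `([], [])` is also what a valid package with no matching versions yields, so the assertion does not distinguish the failure it is meant to illustrate. Pin the intermediate contract with `assert affected_package is None` before the final assert, and name the test after what it exercises (an unparseable `vers:apache/` range as emitted by `ApacheHTTPDImporter`), with a `# TODO` noting that the range should be fixed in that importer rather than tolerated here.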