Skip to content

Handle vulnerabilities which don't have any vulnerability ids #259

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 21 commits into from
Feb 23, 2021
Merged

Handle vulnerabilities which don't have any vulnerability ids #259

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
21 commits
Select commit Hold shift + click to select a range
b38f783
:zap: Change Vulnerability model to use custom id
sbs2001 Sep 26, 2020
6358d3d
:hammer: Refactor codebase to use new Vulnerability model
sbs2001 Sep 26, 2020
a796bc9
:tada: Add `push` management command
sbs2001 Sep 26, 2020
d7badc6
:building_construction: Add option to whether create custom vulcodes …
sbs2001 Sep 27, 2020
1c649ea
:heavy_plus_sign: Add a VulCode importer
sbs2001 Sep 27, 2020
c944101
Sync with main branch and fix latest tests.
sbs2001 Dec 17, 2020
2f2a02e
Rebase to latest main
sbs2001 Feb 3, 2021
fe47444
Remove the push command
sbs2001 Feb 5, 2021
3bbbd62
Remove the importer for vulcodes
sbs2001 Feb 5, 2021
0e0ac77
Remove vulcode creation option
sbs2001 Feb 5, 2021
c475323
Fix tests for import_runner
sbs2001 Feb 5, 2021
ea03013
Disabble safetydb importer
sbs2001 Feb 10, 2021
fa84677
Add comments to explain logic of assigning vulcoids
sbs2001 Feb 10, 2021
2ffbfbb
Change field names in Vulnerability Model and Advisory dataclass
sbs2001 Feb 10, 2021
d74603e
Update migration script
sbs2001 Feb 10, 2021
ea267f3
Move VULCOID generation to Vulnerability model
sbs2001 Feb 11, 2021
46b21c8
Add tests for Vulnerability model's save method
sbs2001 Feb 12, 2021
0ab075b
Use microsecond in vulcoids
sbs2001 Feb 18, 2021
d93887e
Rebase and resolve confilcts
sbs2001 Feb 18, 2021
e94d2a0
Use full microsecond in VULCOID
sbs2001 Feb 22, 2021
e48fa44
Make review changes (Final Polish ;) )
sbs2001 Feb 23, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions requirements.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -55,3 +55,4 @@ zipp==0.6.0
requests==2.23.0
toml==0.10.2
PyYAML==5.3.1
freezegun==1.1.0
12 changes: 5 additions & 7 deletions vulnerabilities/api.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -63,7 +63,6 @@ class Meta:


class HyperLinkedVulnerabilitySerializer(serializers.HyperlinkedModelSerializer):
vulnerability_id = serializers.CharField(source="cve_id")

class Meta:
model = Vulnerability
Expand Down Expand Up @@ -177,7 +176,6 @@ def bulk_search(self, request):


class VulnerabilityFilterSet(filters.FilterSet):
vulnerability_id = filters.CharFilter(field_name="cve_id")

class Meta:
model = Vulnerability
Expand Down Expand Up @@ -208,13 +206,13 @@ def bulk_search(self, request):
},
)

for cve_id in request.data["vulnerabilities"]:
filter_list.append(cve_id)
for vulnerability_id in request.data["vulnerabilities"]:
filter_list.append(vulnerability_id)
# This handles the case when the said cve doesnt exist in db
response[cve_id] = {}
res = Vulnerability.objects.filter(cve_id__in=filter_list)
response[vulnerability_id] = {}
res = Vulnerability.objects.filter(vulnerability_id__in=filter_list)
for vuln in res:
response[vuln.cve_id] = MinimalVulnerabilitySerializer(
response[vuln.vulnerability_id] = MinimalVulnerabilitySerializer(
vuln, context={"request": request}
).data
return Response(response)
14 changes: 6 additions & 8 deletions vulnerabilities/data_source.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -81,14 +81,14 @@ class Advisory:
impacted_package_urls: Iterable[PackageURL]
resolved_package_urls: Iterable[PackageURL] = dataclasses.field(default_factory=list)
vuln_references: List[Reference] = dataclasses.field(default_factory=list)
cve_id: Optional[str] = None
vulnerability_id: Optional[str] = None

def __hash__(self):
s = "{}{}{}{}".format(
self.summary,
"".join(sorted([str(p) for p in self.impacted_package_urls])),
"".join(sorted([str(p) for p in self.resolved_package_urls])),
self.cve_id,
''.join(sorted([str(p) for p in self.impacted_package_urls])),
''.join(sorted([str(p) for p in self.resolved_package_urls])),
self.vulnerability_id,
)
return hash(s)

Expand Down Expand Up @@ -539,8 +539,6 @@ def get_data_from_xml_doc(self, xml_doc: ET.ElementTree, pkg_metadata={}) -> Lis
summary=description,
impacted_package_urls=affected_purls,
resolved_package_urls=safe_purls,
cve_id=vuln_id,
vuln_references=references,
)
)
vulnerability_id=vuln_id,
vuln_references=references))
return all_adv
6 changes: 3 additions & 3 deletions vulnerabilities/fixtures/debian.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
"model": "vulnerabilities.vulnerability",
"pk": 1,
"fields": {
"cve_id": "CVE-2014-8242",
"vulnerability_id": "CVE-2014-8242",
"summary": ""

}
Expand All @@ -12,7 +12,7 @@
"model": "vulnerabilities.vulnerability",
"pk": 2,
"fields": {
"cve_id": "CVE-2009-1382",
"vulnerability_id": "CVE-2009-1382",
"summary": ""

}
Expand All @@ -21,7 +21,7 @@
"model": "vulnerabilities.vulnerability",
"pk": 3,
"fields": {
"cve_id": "CVE-2009-2459",
"vulnerability_id": "CVE-2009-2459",
"summary": ""

}
Expand Down
356 changes: 178 additions & 178 deletions vulnerabilities/fixtures/openssl.json
View file
Open in desktop

Large diffs are not rendered by default.

46 changes: 22 additions & 24 deletions vulnerabilities/import_runner.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -153,12 +153,23 @@ def process_advisories(data_source: DataSource) -> None:
existing_ref = get_vuln_pkg_refs(vuln, pkg)
if not existing_ref:
bulk_create_vuln_pkg_refs.add(pkg_vuln_ref)
# A vulnerability-package relationship does not exist already
# if either the vulnerability or the package is just created.

else:
# This handles conflicts between existing data and obtained data
if existing_ref[0].is_vulnerable != pkg_vuln_ref.is_vulnerable:
handle_conflicts([existing_ref[0], pkg_vuln_ref.to_model_object()])
existing_ref.delete()
# insert only if it there is no existing vulnerability-package relationship. # nopep8
existing_ref = get_vuln_pkg_refs(vuln, pkg)
if not existing_ref:
bulk_create_vuln_pkg_refs.add(pkg_vuln_ref)

else:
# This handles conflicts between existing data and obtained data
if existing_ref[0].is_vulnerable != pkg_vuln_ref.is_vulnerable:
handle_conflicts(
[existing_ref[0], pkg_vuln_ref.to_model_object()]
)
existing_ref.delete()

except Exception:
# TODO: store error but continue
logger.error(
Expand Down Expand Up @@ -223,26 +234,13 @@ def _get_or_create_vulnerability(
advisory: Advisory,
) -> Tuple[models.Vulnerability, bool]:

if advisory.cve_id:
query_kwargs = {"cve_id": advisory.cve_id}
elif advisory.summary:
query_kwargs = {"summary": advisory.summary}
else:
return models.Vulnerability.objects.create(), True

try:
vuln, created = models.Vulnerability.objects.get_or_create(**query_kwargs)
# Eventually we only want to keep summary from NVD and ignore other descriptions.
if advisory.summary and vuln.summary != advisory.summary:
vuln.summary = advisory.summary
vuln.save()
return vuln, created

except Exception:
logger.error(
f"Failed to _get_or_create_vulnerability: {query_kwargs!r}:\n" + traceback.format_exc()
)
raise
vuln, created = models.Vulnerability.objects.get_or_create(vulnerability_id=advisory.vulnerability_id) # nopep8
# Eventually we only want to keep summary from NVD and ignore other descriptions.
if advisory.summary and vuln.summary != advisory.summary:
vuln.summary = advisory.summary
vuln.save()

return vuln, created


def _get_or_create_package(p: PackageURL) -> Tuple[models.Package, bool]:
Expand Down
20 changes: 10 additions & 10 deletions vulnerabilities/importer_yielder.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -58,16 +58,16 @@
'debian_tracker_url': 'https://security-tracker.debian.org/tracker/data/json'
},
},
# {
# 'name': 'safetydb',
# 'license': 'cc-by-nc-4.0',
# 'last_run': None,
# 'data_source': 'SafetyDbDataSource',
# 'data_source_cfg': {
# 'url': 'https://raw.githubusercontent.com/pyupio/safety-db/master/data/insecure_full.json', # nopep8
# 'etags': {}
# },
# },
{
'name': 'safetydb',
'license': 'cc-by-nc-4.0',
'last_run': None,
'data_source': 'SafetyDbDataSource',
'data_source_cfg': {
'url': 'https://raw.githubusercontent.com/pyupio/safety-db/master/data/insecure_full.json', # nopep8
'etags': {}
},
},
{
'name': 'npm',
'license': 'mit',
Expand Down
1 change: 1 addition & 0 deletions vulnerabilities/importers/__init__.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,3 +47,4 @@
from vulnerabilities.importers.suse_scores import SUSESeverityScoreDataSource
from vulnerabilities.importers.ubuntu import UbuntuDataSource
from vulnerabilities.importers.ubuntu_usn import UbuntuUSNDataSource
from vulnerabilities.importers.apache_tomcat import ApacheTomcatDataSource
2 changes: 1 addition & 1 deletion vulnerabilities/importers/alpine_linux.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -187,7 +187,7 @@ def _load_advisories(
impacted_package_urls=[],
resolved_package_urls=resolved_purls,
vuln_references=references,
cve_id=vuln_ids[0].upper() if vuln_ids[0] != "CVE-????-?????" else None,
vulnerability_id=vuln_ids[0] if vuln_ids[0] != "CVE-????-?????" else None,
)
)

Expand Down
2 changes: 1 addition & 1 deletion vulnerabilities/importers/apache_kafka.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -82,7 +82,7 @@ def to_advisory(self, advisory_page):

advisories.append(
Advisory(
cve_id=cve_id,
vulnerability_id=cve_id,
summary=cve_description_paragraph.text,
impacted_package_urls=affected_packages,
resolved_package_urls=fixed_packages,
Expand Down
2 changes: 1 addition & 1 deletion vulnerabilities/importers/apache_tomcat.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -116,7 +116,7 @@ def to_advisories(self, apache_tomcat_advisory_html):
summary="",
impacted_package_urls=affected_packages,
resolved_package_urls=fixed_package,
cve_id=cve_id,
vulnerability_id=cve_id,
vuln_references=references,
)
)
Expand Down
2 changes: 1 addition & 1 deletion vulnerabilities/importers/archlinux.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -130,7 +130,7 @@ def _parse(self, record) -> List[Advisory]:

advisories.append(
Advisory(
cve_id=cve_id,
vulnerability_id=cve_id,
summary="",
impacted_package_urls=impacted_purls,
resolved_package_urls=resolved_purls,
Expand Down
2 changes: 1 addition & 1 deletion vulnerabilities/importers/debian.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -151,7 +151,7 @@ def _parse(self, pkg_name: str, records: Mapping[str, Any]) -> List[Advisory]:

advisories.append(
Advisory(
cve_id=cve_id,
vulnerability_id=cve_id,
summary=record.get("description", ""),
impacted_package_urls=impacted_purls,
resolved_package_urls=resolved_purls,
Expand Down
2 changes: 1 addition & 1 deletion vulnerabilities/importers/elixir_security.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -139,6 +139,6 @@ def process_file(self, path):
summary=yaml_file["description"],
impacted_package_urls=vuln_purls,
resolved_package_urls=safe_purls,
cve_id=cve_id,
vulnerability_id=cve_id,
vuln_references=vuln_references,
)
2 changes: 1 addition & 1 deletion vulnerabilities/importers/gentoo.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -77,7 +77,7 @@ def process_file(self, file):
# this way, but there seems no alternative.
for cve in xml_data["cves"]:
advisory = Advisory(
cve_id=cve,
vulnerability_id=cve,
summary=xml_data["description"],
impacted_package_urls=xml_data["affected_purls"],
resolved_package_urls=xml_data["unaffected_purls"],
Expand Down
2 changes: 1 addition & 1 deletion vulnerabilities/importers/github.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -229,7 +229,7 @@ def process_response(self) -> List[Advisory]:
for cve_id in cve_ids:
adv_list.append(
Advisory(
cve_id=cve_id,
vulnerability_id=cve_id,
summary=vuln_desc,
impacted_package_urls=affected_purls,
resolved_package_urls=unaffected_purls,
Expand Down
2 changes: 1 addition & 1 deletion vulnerabilities/importers/kaybee.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,7 @@ def yaml_file_to_advisory(yaml_path):
references.append(Reference(url=f"{commit['repository']}/{commit['id']}"))

return Advisory(
cve_id=vuln_id,
vulnerability_id=vuln_id,
summary=summary,
impacted_package_urls=impacted_packages,
resolved_package_urls=resolved_packages,
Expand Down
2 changes: 1 addition & 1 deletion vulnerabilities/importers/nginx.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -109,7 +109,7 @@ def to_advisories(self, data):

advisories.append(
Advisory(
cve_id=cve_id,
vulnerability_id=cve_id,
summary=summary,
impacted_package_urls=vulnerable_packages,
resolved_package_urls=fixed_packages,
Expand Down
2 changes: 1 addition & 1 deletion vulnerabilities/importers/npm.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -106,7 +106,7 @@ def process_file(self, file) -> List[Advisory]:
advisories.append(
Advisory(
summary=record.get("overview", ""),
cve_id=cve_id,
vulnerability_id=cve_id,
impacted_package_urls=impacted_purls,
resolved_package_urls=resolved_purls,
vuln_references=vuln_reference,
Expand Down
2 changes: 1 addition & 1 deletion vulnerabilities/importers/nvd.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -89,7 +89,7 @@ def to_advisories(self, nvd_data):
)
summary = self.extract_summary(cve_item)
yield Advisory(
cve_id=cve_id, summary=summary, vuln_references=references, impacted_package_urls=[]
vulnerability_id=cve_id, summary=summary, vuln_references=references, impacted_package_urls=[] # nopep8
)

@staticmethod
Expand Down
2 changes: 1 addition & 1 deletion vulnerabilities/importers/openssl.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -111,7 +111,7 @@ def to_advisories(xml_response: str) -> Set[Advisory]:
}

advisory = Advisory(
cve_id=cve_id,
vulnerability_id=cve_id,
summary=summary,
impacted_package_urls=vuln_purls,
resolved_package_urls=safe_purls,
Expand Down
2 changes: 1 addition & 1 deletion vulnerabilities/importers/postgresql.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -105,7 +105,7 @@ def to_advisories(data):

advisories.append(
Advisory(
cve_id=cve_id,
vulnerability_id=cve_id,
summary=summary,
vuln_references=references,
impacted_package_urls=affected_packages,
Expand Down
2 changes: 1 addition & 1 deletion vulnerabilities/importers/redhat.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -138,7 +138,7 @@ def to_advisory(advisory_data):

return Advisory(
summary=advisory_data["bugzilla_description"],
cve_id=advisory_data["CVE"],
vulnerability_id=advisory_data["CVE"],
impacted_package_urls=affected_purls,
vuln_references=references,
)
Expand Down
2 changes: 1 addition & 1 deletion vulnerabilities/importers/retiredotnet.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -99,5 +99,5 @@ def process_file(self, path) -> List[Advisory]:
summary=json_doc['description'],
impacted_package_urls=affected_purls,
resolved_package_urls=fixed_purls,
cve_id=vuln_id,
vulnerability_id=vuln_id,
vuln_references=vuln_reference)
5 changes: 2 additions & 3 deletions vulnerabilities/importers/ruby.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -80,8 +80,7 @@ def collect_packages(self):

def process_file(self, path) -> List[Advisory]:
record = load_yaml(path)
package_name = record.get(
'gem')
package_name = record.get('gem')

if not package_name:
return
Expand Down Expand Up @@ -131,7 +130,7 @@ def process_file(self, path) -> List[Advisory]:
impacted_package_urls=impacted_purls,
resolved_package_urls=resolved_purls,
vuln_references=references,
cve_id=cve_id
vulnerability_id=cve_id
)

@staticmethod
Expand Down
2 changes: 1 addition & 1 deletion vulnerabilities/importers/rust.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -135,7 +135,7 @@ def _load_advisory(self, path: str) -> Optional[Advisory]:
summary=advisory.get("description", ""),
impacted_package_urls=impacted_purls,
resolved_package_urls=resolved_purls,
cve_id=cve_id,
vulnerability_id=cve_id,
vuln_references=references,
)

Expand Down
Loading