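def _load_advisories(
    pkg_infos: Mapping[str, Any],
) -> List[Advisory]:
    """Turn a package's ``secfixes`` block into Advisory objects.

    ``pkg_infos["secfixes"]`` maps a version to either None or a list of
    strings.  Each string is split on whitespace: the first token becomes the
    advisory's ``vulnerability_id`` when ``is_cve`` accepts it (otherwise ""),
    and every later token starting with XSA, ZBX or wnpa-sec becomes a
    Reference pointing at the matching upstream advisory page.  Later tokens
    with any other prefix -- including extra CVE ids -- are dropped for now.

    Args:
        pkg_infos: package metadata containing a ``secfixes`` mapping.

    Returns:
        One Advisory per non-blank secfixes entry, each with an empty summary.

    Raises:
        KeyError: when ``pkg_infos`` has no ``secfixes`` key.
    """
    advisories = []
    for fixed_vulns in pkg_infos["secfixes"].values():
        if fixed_vulns is None:
            continue
        for entry in fixed_vulns:
            tokens = entry.split()
            # A blank entry splits to [] and would raise IndexError on
            # tokens[0] below; treat it as "nothing to record".
            if not tokens:
                continue
            references = []
            # Tokens are interpolated into URLs unescaped: this relies on the
            # upstream secfixes data being well-formed identifiers.
            for reference_id in tokens[1:]:
                if reference_id.startswith("XSA"):
                    # "XSA-123" -> ".../advisory-123.html"
                    xsa_id = reference_id.split("-")[-1]
                    url = "https://xenbits.xen.org/xsa/advisory-{}.html".format(xsa_id)
                elif reference_id.startswith("ZBX"):
                    url = "https://support.zabbix.com/browse/{}".format(reference_id)
                elif reference_id.startswith("wnpa-sec"):
                    url = "https://www.wireshark.org/security/{}.html".format(reference_id)
                else:
                    # TODO: Handle the CVE-????-????? case
                    continue
                references.append(Reference(reference_id=reference_id, url=url))
            first = tokens[0]
            advisories.append(
                Advisory(
                    summary="",
                    references=references,
                    vulnerability_id=first if is_cve(first) else "",
                )
            )
    return advisories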
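def to_advisories(usn_db):
    """Flatten a USN database into one Advisory per (USN, CVE) pair.

    For every USN entry a single Reference is built from ``entry["id"]`` via
    ``get_usn_references`` and shared by all advisories of that USN.  Each
    element of ``entry["cves"]`` that ``is_cve`` accepts becomes the
    advisory's ``vulnerability_id``; anything else (the db also lists titles
    such as 'python-pgsql vulnerabilities' in that field) yields an advisory
    with an empty id so the USN reference is still recorded.

    Args:
        usn_db: mapping of USN key -> entry dict with an ``id`` and an
            optional ``cves`` list.

    Returns:
        list of Advisory objects with empty summaries.

    Raises:
        KeyError: when an entry has no ``id``.
    """
    advisories = []
    for usn, entry in usn_db.items():
        reference = get_usn_references(entry["id"])
        # A USN with no "cves" key *or* an empty "cves" list still produces
        # one advisory carrying just the USN reference; previously an empty
        # list silently produced nothing.
        cves = entry.get("cves") or [""]
        for cve in cves:
            # The db sometimes contains entries like
            # {'cves': ['python-pgsql vulnerabilities', 'CVE-2006-2313', 'CVE-2006-2314']}
            # Non-CVE strings are kept as advisories with an empty id.
            vulnerability_id = cve if is_cve(cve) else ""
            advisories.append(
                Advisory(
                    vulnerability_id=vulnerability_id,
                    summary="",
                    references=[reference],
                )
            )
    return advisories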
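def to_advisories(csv_reader):
    """Convert Project KB MSR csv rows into Advisory objects.

    The csv has no header row; every row is ``(vuln_id, proj_home,
    fix_commit, <ignored>)``.  A commit URL is built as
    ``<proj_home>/commit/<fix_commit>``.  When ``is_cve`` accepts ``vuln_id``
    it is stored as ``cve_id``; otherwise the id is kept only as the
    reference's ``reference_id`` and ``cve_id`` is "".

    Args:
        csv_reader: iterable of 4-column rows (e.g. a ``csv.reader``).

    Returns:
        list of Advisory objects with empty summaries and no impacted purls.

    Raises:
        ValueError: when a row does not have exactly four columns.
    """
    advisories = []
    for row in csv_reader:
        vuln_id, proj_home, fix_commit, _ = row
        # proj_home and fix_commit come straight from the csv; nothing here
        # checks that fix_commit is a hex sha or that proj_home is a URL.
        # Strip a trailing "/" so "https://host/repo/" does not become
        # "https://host/repo//commit/<sha>".
        commit_link = proj_home.rstrip("/") + "/commit/" + fix_commit
        if is_cve(vuln_id):
            reference = Reference(url=commit_link)
        else:
            # Non-CVE ids survive only as the reference id.
            reference = Reference(url=commit_link, reference_id=vuln_id)
            vuln_id = ""
        advisories.append(
            Advisory(
                summary="",
                impacted_package_urls=[],
                vuln_references=[reference],
                cve_id=vuln_id,
            )
        )
    return advisories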
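def _load_advisories(
    self,
    pkg_infos: Mapping[str, Any],
    distroversion: str,
    reponame: str,
    archs: Iterable[str],
) -> List[Advisory]:
    """Turn an Alpine package's ``secfixes`` block into Advisory objects.

    ``pkg_infos["secfixes"]`` maps a fixed version to either None or a list
    of strings.  For each version a set of resolved ``alpine`` PackageURLs is
    built (one per arch, qualified with ``distroversion`` and ``reponame``).
    Each string is split on whitespace: the first token becomes the
    advisory's ``vulnerability_id`` when ``is_cve`` accepts it (otherwise
    ""), and later tokens starting with XSA, ZBX or wnpa-sec become
    References to the upstream advisory page.  Later tokens with any other
    prefix -- including extra CVE ids -- are dropped for now.

    Args:
        pkg_infos: package metadata with ``name`` and ``secfixes``.
        distroversion: Alpine release, stored as a purl qualifier.
        reponame: Alpine repository name, stored as a purl qualifier.
        archs: architectures to emit one resolved purl for each.

    Returns:
        One Advisory per non-blank secfixes entry, with empty summary and
        no impacted purls.

    Raises:
        KeyError: when ``pkg_infos`` lacks ``secfixes`` or ``name``.
    """
    advisories = []
    for version, fixed_vulns in pkg_infos["secfixes"].items():
        if fixed_vulns is None:
            continue
        # Built once per version; every advisory for this version shares
        # the same set object.
        resolved_purls = {
            PackageURL(
                name=pkg_infos["name"],
                type="alpine",
                version=version,
                qualifiers={
                    "arch": arch,
                    "distroversion": distroversion,
                    "reponame": reponame,
                },
            )
            for arch in archs
        }
        for entry in fixed_vulns:
            tokens = entry.split()
            # A blank entry splits to [] and would raise IndexError on
            # tokens[0] below; treat it as "nothing to record".
            if not tokens:
                continue
            references = []
            # Tokens are interpolated into URLs unescaped: this relies on the
            # upstream secfixes data being well-formed identifiers.
            for reference_id in tokens[1:]:
                if reference_id.startswith("XSA"):
                    # "XSA-123" -> ".../advisory-123.html"
                    xsa_id = reference_id.split("-")[-1]
                    url = "https://xenbits.xen.org/xsa/advisory-{}.html".format(xsa_id)
                elif reference_id.startswith("ZBX"):
                    url = "https://support.zabbix.com/browse/{}".format(reference_id)
                elif reference_id.startswith("wnpa-sec"):
                    url = "https://www.wireshark.org/security/{}.html".format(reference_id)
                else:
                    # TODO: Handle the CVE-????-????? case
                    continue
                references.append(Reference(reference_id=reference_id, url=url))
            first = tokens[0]
            advisories.append(
                Advisory(
                    summary="",
                    impacted_package_urls=[],
                    resolved_package_urls=resolved_purls,
                    references=references,
                    vulnerability_id=first if is_cve(first) else "",
                )
            )
    return advisories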
def __post_init__(self):
    """Validate ``vulnerability_id`` after dataclass construction.

    An empty/None id is accepted as-is; a non-empty id must satisfy the
    project's ``is_cve`` check.

    Raises:
        ValueError: when a non-empty ``vulnerability_id`` is not a CVE id.
    """
    vuln_id = self.vulnerability_id
    if not vuln_id:
        # Unknown / not-yet-assigned ids are allowed.
        return
    if is_cve(vuln_id):
        return
    raise ValueError("CVE expected, found: {}".format(vuln_id))