Exemple #1
0
    def _load_advisories(
        pkg_infos: Mapping[str, Any],
    ) -> List[Advisory]:

        advisories = []

        for fixed_vulns in pkg_infos["secfixes"].values():

            if fixed_vulns is None:
                continue

            for vuln_ids in fixed_vulns:
                vuln_ids = vuln_ids.split()
                references = []
                for reference_id in vuln_ids[1:]:

                    if reference_id.startswith("XSA"):
                        xsa_id = reference_id.split("-")[-1]
                        references.append(
                            Reference(
                                reference_id=reference_id,
                                url="https://xenbits.xen.org/xsa/advisory-{}.html".format(xsa_id),
                            )
                        )

                    elif reference_id.startswith("ZBX"):
                        references.append(
                            Reference(
                                reference_id=reference_id,
                                url="https://support.zabbix.com/browse/{}".format(reference_id),
                            )
                        )

                    elif reference_id.startswith("wnpa-sec"):
                        references.append(
                            Reference(
                                reference_id=reference_id,
                                url="https://www.wireshark.org/security/{}.html".format(
                                    reference_id
                                ),
                            )
                        )

                # TODO: Handle the CVE-????-????? case
                advisories.append(
                    Advisory(
                        summary="",
                        references=references,
                        vulnerability_id=vuln_ids[0] if is_cve(vuln_ids[0]) else "",
                    )
                )

        return advisories
Exemple #2
0
    def to_advisories(usn_db):
        advisories = []
        for usn in usn_db:
            reference = get_usn_references(usn_db[usn]["id"])
            for cve in usn_db[usn].get("cves", [""]):
                # The db sometimes contains entries like
                # {'cves': ['python-pgsql vulnerabilities', 'CVE-2006-2313', 'CVE-2006-2314']}
                # This `if` filters entries like 'python-pgsql vulnerabilities'
                if not is_cve(cve):
                    cve = ""

                advisories.append(
                    Advisory(
                        vulnerability_id=cve,
                        summary="",
                        references=[reference],
                    )
                )

        return advisories
Exemple #3
0
    def to_advisories(csv_reader):
        # Project KB MSR csv file has no header row
        advisories = []
        for row in csv_reader:
            vuln_id, proj_home, fix_commit, _ = row
            commit_link = proj_home + "/commit/" + fix_commit

            if is_cve(vuln_id):
                reference = Reference(url=commit_link)

            else:
                reference = Reference(url=commit_link, reference_id=vuln_id)
                vuln_id = ""

            advisories.append(
                Advisory(
                    summary="",
                    impacted_package_urls=[],
                    vuln_references=[reference],
                    cve_id=vuln_id,
                ))

        return advisories
    def _load_advisories(
        self,
        pkg_infos: Mapping[str, Any],
        distroversion: str,
        reponame: str,
        archs: Iterable[str],
    ) -> List[Advisory]:

        advisories = []

        for version, fixed_vulns in pkg_infos["secfixes"].items():

            if fixed_vulns is None:
                continue

            resolved_purls = {
                PackageURL(
                    name=pkg_infos["name"],
                    type="alpine",
                    version=version,
                    qualifiers={
                        "arch": arch,
                        "distroversion": distroversion,
                        "reponame": reponame
                    },
                )
                for arch in archs
            }

            for vuln_ids in fixed_vulns:
                vuln_ids = vuln_ids.split()
                references = []
                for reference_id in vuln_ids[1:]:

                    if reference_id.startswith("XSA"):
                        xsa_id = reference_id.split("-")[-1]
                        references.append(
                            Reference(
                                reference_id=reference_id,
                                url=
                                "https://xenbits.xen.org/xsa/advisory-{}.html".
                                format(xsa_id),
                            ))

                    elif reference_id.startswith("ZBX"):
                        references.append(
                            Reference(
                                reference_id=reference_id,
                                url="https://support.zabbix.com/browse/{}".
                                format(reference_id),
                            ))

                    elif reference_id.startswith("wnpa-sec"):
                        references.append(
                            Reference(
                                reference_id=reference_id,
                                url="https://www.wireshark.org/security/{}.html"
                                .format(reference_id),
                            ))

                # TODO: Handle the CVE-????-????? case
                advisories.append(
                    Advisory(
                        summary="",
                        impacted_package_urls=[],
                        resolved_package_urls=resolved_purls,
                        references=references,
                        vulnerability_id=vuln_ids[0]
                        if is_cve(vuln_ids[0]) else "",
                    ))

        return advisories
 def __post_init__(self):
     if self.vulnerability_id and not is_cve(self.vulnerability_id):
         raise ValueError("CVE expected, found: {}".format(
             self.vulnerability_id))