Add support for the maven, go and packagist ecosystems. Import data from the github advisory-database using the OSV format and add support for all OSV ecosystems. Signed-off-by: ziadhany <ziadhany2016@gmail.com>
Showing
14 changed files
with
772 additions
and
27 deletions.
@@ -0,0 +1,55 @@ | ||
# | ||
# Copyright (c) nexB Inc. and others. All rights reserved. | ||
# VulnerableCode is a trademark of nexB Inc. | ||
# SPDX-License-Identifier: Apache-2.0 | ||
# See http://www.apache.org/licenses/LICENSE-2.0 for the license text. | ||
# See https://github.com/nexB/vulnerablecode for support or download. | ||
# See https://aboutcode.org for more information about nexB OSS projects. | ||
# | ||
import json | ||
import logging | ||
from io import BytesIO | ||
from pathlib import Path | ||
from typing import Iterable | ||
from zipfile import ZipFile | ||
|
||
import requests | ||
|
||
from vulnerabilities.importer import AdvisoryData | ||
from vulnerabilities.importer import Importer | ||
from vulnerabilities.importers.osv import parse_advisory_data | ||
|
||
logger = logging.getLogger(__name__) | ||
|
||
|
||
class GithubOSVImporter(Importer): | ||
license_url = "https://github.com/github/advisory-database/blob/main/LICENSE.md" | ||
spdx_license_expression = "CC-BY-4.0" | ||
url = "https://codeload.github.com/github/advisory-database/zip/refs/heads/main" | ||
|
||
def advisory_data(self) -> Iterable[AdvisoryData]: | ||
response = requests.get(self.url).content | ||
with ZipFile(BytesIO(response)) as zip_file: | ||
for file_name in filter( | ||
lambda filename_list: ("github-reviewed" in Path(filename_list).parts) | ||
and Path(filename_list).suffix == ".json", | ||
zip_file.namelist(), | ||
): | ||
with zip_file.open(file_name) as f: | ||
raw_data = json.load(f) | ||
try: | ||
yield parse_advisory_data( | ||
raw_data, | ||
supported_ecosystems=[ | ||
"pypi", | ||
"npm", | ||
"maven", | ||
"go", | ||
"packagist", | ||
"hex", | ||
"gem", | ||
"nuget", | ||
], | ||
) | ||
except Exception as e: | ||
logger.error(f"Invalid file name: {file_name} - {e}") |
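Review bot: The download in `advisory_data` has no timeout and never checks the HTTP status, so a non-200 reply (for example an HTML error page) is handed to `ZipFile(BytesIO(response))` and fails with `BadZipFile` outside any handler, while a stalled connection blocks the importer indefinitely; pass `timeout=` to `requests.get` and call `response.raise_for_status()` before unpacking. `raw_data = json.load(f)` also sits outside the `try`, so a single malformed file in the archive aborts the whole run instead of being logged and skipped the way a `parse_advisory_data` failure is, and the message `Invalid file name` misdescribes what failed — the name passed the filter, the parse did not. Since the archive is fetched from a remote host, note that its entries are trusted as-is (no size or entry-count bound); whether that is acceptable depends on where the importer runs. The rewrite below moves the load into the handler and switches to lazy `%s` logging arguments; the timeout values are constructed examples to be tuned for the deployment.
```python
    def advisory_data(self) -> Iterable[AdvisoryData]:
        response = requests.get(self.url, timeout=(10, 300))  # constructed example; tune per deployment
        response.raise_for_status()
        with ZipFile(BytesIO(response.content)) as zip_file:
            # … unchanged: github-reviewed/*.json name filter …
                with zip_file.open(file_name) as f:
                    try:
                        raw_data = json.load(f)
                        yield parse_advisory_data(
                            raw_data,
                            # … unchanged: supported_ecosystems list …
                        )
                    except Exception as e:
                        logger.error("Failed to import advisory from %s: %s", file_name, e)
```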
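--- /dev/null
+++ b/vulnerabilities/tests/test_data/github_osv/github_osv_expected_1.json
@@ -0,0 +1,120 @@
+{
+"aliases": [
+"CVE-2015-8315",
+"GHSA-3fx5-fwvr-xrjg"
+],
+"summary": "Regular Expression Denial of Service in ms\nVersions of `ms` prior to 0.7.1 are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.\n\n## Proof of Concept\n```javascript\nvar ms = require('ms');\nvar genstr = function (len, chr) {\n var result = \"\";\n for (i=0; i<=len; i++) {\n result = result + chr;\n }\n\n return result;\n}\n\nms(genstr(process.argv[2], \"5\") + \" minutea\");\n\n```\n\n### Results\nShowing increase in execution time based on the input string.\n```\n$ time node ms.js 10000\n\nreal\t0m0.758s\nuser\t0m0.724s\nsys\t0m0.031s\n\n$ time node ms.js 20000\n\nreal\t0m2.580s\nuser\t0m2.494s\nsys\t0m0.047s\n\n$ time node ms.js 30000\n\nreal\t0m5.747s\nuser\t0m5.483s\nsys\t0m0.080s\n\n$ time node ms.js 80000\n\nreal\t0m41.022s\nuser\t0m38.894s\nsys\t0m0.529s\n```",
+"affected_packages": [
+{
+"package": {
+"type": "npm",
+"namespace": null,
+"name": "ms",
+"version": null,
+"qualifiers": null,
+"subpath": null
+},
+"affected_version_range": null,
+"fixed_version": "0.7.1"
+}
+],
+"references": [
+{
+"reference_id": "",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8315",
+"severities": [
+{
+"system": "cvssv3.1",
+"value": "7.5",
+"scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+},
+{
+"system": "generic_textual",
+"value": "HIGH",
+"scoring_elements": ""
+}
+]
+},
+{
+"reference_id": "",
+"url": "https://github.com/unshiftio/millisecond/",
+"severities": [
+{
+"system": "cvssv3.1",
+"value": "7.5",
+"scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+},
+{
+"system": "generic_textual",
+"value": "HIGH",
+"scoring_elements": ""
+}
+]
+},
+{
+"reference_id": "",
+"url": "https://support.f5.com/csp/article/K46337613?utm_source=f5support&utm_medium=RSS",
+"severities": [
+{
+"system": "cvssv3.1",
+"value": "7.5",
+"scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+},
+{
+"system": "generic_textual",
+"value": "HIGH",
+"scoring_elements": ""
+}
+]
+},
+{
+"reference_id": "",
+"url": "https://www.npmjs.com/advisories/46",
+"severities": [
+{
+"system": "cvssv3.1",
+"value": "7.5",
+"scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+},
+{
+"system": "generic_textual",
+"value": "HIGH",
+"scoring_elements": ""
+}
+]
+},
+{
+"reference_id": "",
+"url": "http://www.openwall.com/lists/oss-security/2016/04/20/11",
+"severities": [
+{
+"system": "cvssv3.1",
+"value": "7.5",
+"scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+},
+{
+"system": "generic_textual",
+"value": "HIGH",
+"scoring_elements": ""
+}
+]
+},
+{
+"reference_id": "",
+"url": "http://www.securityfocus.com/bid/96389",
+"severities": [
+{
+"system": "cvssv3.1",
+"value": "7.5",
+"scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+},
+{
+"system": "generic_textual",
+"value": "HIGH",
+"scoring_elements": ""
+}
+]
+}
+],
+"date_published": "2017-10-24T18:33:36+00:00"
+}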