Convert Red Hat CSAF VEX files to OSV database format #89
Conversation
@nvtnlucie I'd suggest adding the new package in a new directory, for example
wdyt?
(force-pushed from 86adf93 to ef335b1)
Yes, that looks much better, it's updated 👍
Red Hat just started to publish the data to osv.dev, we may need to change our plan on this, I've added the information to the Jira issue.
@qixiang FYI: I added the rest of the code into this PR. If you run
(force-pushed from e55de7a to 56e84e6)
(force-pushed from 56e84e6 to fc9b0c4)
Update: I added the remaining code needed for the script. It's divided into two parts, @qixiang @FernandesMF @querti @gnaponie, please take a look when you have some time, and don't be scared of the length as a lot of LoC are there because of object definitions and test objects.
Sorry @nvtnlucie, I haven't got a chance to play with this tool, I should be able to focus on this Thu or Fri, or if this looks good to @querti, we can merge it first and then continue to improve it.
I don't have any objections to merging it, but I'm not the right person to determine if it satisfies all the requirements for RPM CVEs. |
It's OK, I can keep it open for a little longer. But if you would want to use some feature from this @querti, feel free to merge and use it.
This script largely builds on top of PR #89 with some necessary modifications and additions. The finalized script downloads and extracts the upstream OSV database and generates additional files for container and RPM vulnerabilities. A few modifications to the original scripts were necessary:

- Add a retry mechanism for getting the CSAF VEX files. Transient networking errors were common during testing and retries should resolve them.
- Add an internal ID (_id) to the OSV schema and set it to a random string. Every object in the nedb database must have this property.
- Split how the affectedList is generated between RPMs and containers.
- Duplicate affectedList entries for containers to also have the registry registry.access.redhat.com. This is necessary because the CSAF VEX data only tracks images with registry.redhat.io.

This script is expected to be run periodically by a cronjob and regenerate the DB files onto a persistent volume. Add the new script to the mintmaker container, so that the cronjob can use the same image.

WARNING: The script now gets the list of advisories from changes.csv. This is incorrect and should be changed to releases.csv when it becomes available. The current state is for testing purposes only.
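The three post-processing steps listed above (retry on transient fetch errors, a random `_id` per nedb document, and a registry.access.redhat.com twin for every registry.redhat.io image entry), as an added illustration that is not the PR's own code. The fetch function is injected so the retry can be exercised offline; the sample affected entries are constructed, and identifying a container by a package name that starts with the registry host is an assumption, not the PR's actual rule.

```python
import json
import secrets
import time
from typing import Callable

# Registry the CSAF VEX data tracks, and the alias the script duplicates entries for.
PRIMARY_REGISTRY = "registry.redhat.io"
ALIAS_REGISTRY = "registry.access.redhat.com"


def fetch_with_retry(fetch: Callable[[str], bytes], url: str,
                     attempts: int = 3, delay: float = 0.0) -> bytes:
    """Call fetch(url) up to `attempts` times; transient errors are retried."""
    last_exc = None
    for _ in range(attempts):
        try:
            return fetch(url)
        except Exception as exc:  # network errors are the expected failure here
            last_exc = exc
            time.sleep(delay)
    raise RuntimeError(f"giving up on {url} after {attempts} attempts") from last_exc


def with_registry_aliases(affected: list[dict]) -> list[dict]:
    """Keep RPM entries as-is; add a registry.access.redhat.com twin for each image."""
    out = []
    for entry in affected:
        out.append(entry)
        name = entry["package"]["name"]
        # Assumption: container entries name the image by its registry path.
        if name.startswith(PRIMARY_REGISTRY + "/"):
            twin = json.loads(json.dumps(entry))  # deep copy, original stays untouched
            twin["package"]["name"] = name.replace(PRIMARY_REGISTRY, ALIAS_REGISTRY, 1)
            out.append(twin)
    return out


def to_nedb_line(osv: dict) -> str:
    """nedb keeps one JSON document per line and needs a unique _id on each."""
    return json.dumps({**osv, "_id": secrets.token_hex(8)}, separators=(",", ":"))


# Constructed sample: one RPM and one container entry from a single advisory.
SAMPLE_AFFECTED = [
    {"package": {"ecosystem": "Red Hat", "name": "openssl"}},
    {"package": {"ecosystem": "Red Hat", "name": "registry.redhat.io/ubi8/ubi"}},
]


def advisory_to_nedb(vuln_id: str, affected: list[dict]) -> str:
    """Build one nedb line for an advisory with both registries covered."""
    return to_nedb_line({"id": vuln_id, "affected": with_registry_aliases(affected)})
```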
Red Hat publishes vulnerability data in CSAF VEX format. To facilitate easier consumption of this data by Renovate, this PR converts these CSAF VEX files into OSV database format. The script takes a URL as input (from https://security.access.redhat.com/data/csaf/v2/advisories/2024/), and outputs a .nedb file containing OSV vulnerability data (with the same fields as https://github.com/renovatebot/osv-offline/releases, except in the scope of this task the file contains vulnerabilities from one advisory only). There is a main() function used to demonstrate how it works, which will be deleted once CWFHEALTH-3440 is implemented. These outputs were tested to validate against https://raw.githubusercontent.com/ossf/osv-schema/main/validation/schema.json. The script also ignores everything which is not an RPM dependency. I am not sure about the name (or placement) of this module yet, I am accepting suggestions :).
Closes CWFHEALTH-3757.