|
7 | 7 | # See https://aboutcode.org for more information about nexB OSS projects. |
8 | 8 | # |
9 | 9 |
|
10 | | -import asyncio |
11 | | -from typing import List |
12 | | -from typing import Set |
| 10 | +import logging |
| 11 | +from pathlib import Path |
| 12 | +from typing import Iterable |
13 | 13 |
|
14 | 14 | from dateutil.parser import parse |
15 | 15 | from packageurl import PackageURL |
16 | 16 | from pytz import UTC |
17 | | -from univers.version_range import VersionRange |
18 | | -from univers.versions import SemverVersion |
| 17 | +from univers.version_range import GemVersionRange |
19 | 18 |
|
20 | 19 | from vulnerabilities.importer import AdvisoryData |
| 20 | +from vulnerabilities.importer import AffectedPackage |
21 | 21 | from vulnerabilities.importer import Importer |
22 | 22 | from vulnerabilities.importer import Reference |
23 | | -from vulnerabilities.package_managers import RubyVersionAPI |
| 23 | +from vulnerabilities.importer import VulnerabilitySeverity |
| 24 | +from vulnerabilities.severity_systems import SCORING_SYSTEMS |
| 25 | +from vulnerabilities.utils import build_description |
24 | 26 | from vulnerabilities.utils import load_yaml |
25 | | -from vulnerabilities.utils import nearest_patched_package |
26 | 27 |
|
| 28 | +logger = logging.getLogger(__name__) |
27 | 29 |
|
28 | | -class RubyImporter(Importer): |
29 | | - def __enter__(self): |
30 | | - super(RubyImporter, self).__enter__() |
31 | | - |
32 | | - if not getattr(self, "_added_files", None): |
33 | | - self._added_files, self._updated_files = self.file_changes( |
34 | | - recursive=True, file_ext="yml", subdir="./gems" |
35 | | - ) |
36 | 30 |
|
37 | | - self.pkg_manager_api = RubyVersionAPI() |
38 | | - self.set_api(self.collect_packages()) |
39 | | - |
40 | | - def set_api(self, packages): |
41 | | - asyncio.run(self.pkg_manager_api.load_api(packages)) |
42 | | - |
43 | | - def updated_advisories(self) -> Set[AdvisoryData]: |
44 | | - files = self._updated_files.union(self._added_files) |
45 | | - advisories = [] |
46 | | - for f in files: |
47 | | - processed_data = self.process_file(f) |
48 | | - if processed_data: |
49 | | - advisories.append(processed_data) |
50 | | - return self.batch_advisories(advisories) |
51 | | - |
52 | | - def collect_packages(self): |
53 | | - packages = set() |
54 | | - files = self._updated_files.union(self._added_files) |
55 | | - for f in files: |
56 | | - data = load_yaml(f) |
57 | | - if data.get("gem"): |
58 | | - packages.add(data["gem"]) |
59 | | - |
60 | | - return packages |
61 | | - |
62 | | - def process_file(self, path) -> List[AdvisoryData]: |
63 | | - record = load_yaml(path) |
| 31 | +class RubyImporter(Importer): |
| 32 | + license_url = "https://github.com/rubysec/ruby-advisory-db/blob/master/LICENSE.txt" |
| 33 | + spdx_license_expression = "unknown" |
| 34 | + repo_url = "git+https://github.com/rubysec/ruby-advisory-db" |
| 35 | + |
| 36 | + def advisory_data(self) -> Iterable[AdvisoryData]: |
| 37 | + self.clone(self.repo_url) |
| 38 | + base_path = Path(self.vcs_response.dest_dir) |
| 39 | + supported_subdir = ["rubies", "gems"] |
| 40 | + for subdir in supported_subdir: |
| 41 | + for file_path in base_path.glob(f"{subdir}/**/*.yml"): |
| 42 | + if file_path.name.startswith("OSVDB-"): |
| 43 | + continue |
| 44 | + raw_data = load_yaml(file_path) |
| 45 | + yield parse_ruby_advisory(raw_data, subdir) |
| 46 | + |
| 47 | + |
| 48 | +def parse_ruby_advisory(record, schema_type): |
| 49 | + """ |
| 50 | + Parse a ruby advisory file and return an AdvisoryData or None. |
| 51 | + Each advisory file contains the advisory information in YAML format. |
| 52 | + Schema: https://github.com/rubysec/ruby-advisory-db/tree/master/spec/schemas |
| 53 | + """ |
| 54 | + if schema_type == "gems": |
64 | 55 | package_name = record.get("gem") |
65 | | - if not package_name: |
66 | | - return |
67 | | - |
68 | | - if "cve" in record: |
69 | | - cve_id = "CVE-{}".format(record["cve"]) |
70 | | - else: |
71 | | - return |
72 | | - |
73 | | - publish_time = parse(record["date"]).replace(tzinfo=UTC) |
74 | | - safe_version_ranges = record.get("patched_versions", []) |
75 | | - # this case happens when the advisory contain only 'patched_versions' field |
76 | | - # and it has value None(i.e it is empty :( ). |
77 | | - if not safe_version_ranges: |
78 | | - safe_version_ranges = [] |
79 | | - safe_version_ranges += record.get("unaffected_versions", []) |
80 | | - safe_version_ranges = [i for i in safe_version_ranges if i] |
81 | | - |
82 | | - if not getattr(self, "pkg_manager_api", None): |
83 | | - self.pkg_manager_api = RubyVersionAPI() |
84 | | - all_vers = self.pkg_manager_api.get(package_name, until=publish_time).valid_versions |
85 | | - safe_versions, affected_versions = self.categorize_versions(all_vers, safe_version_ranges) |
86 | | - |
87 | | - impacted_purls = [ |
88 | | - PackageURL( |
89 | | - name=package_name, |
90 | | - type="gem", |
91 | | - version=version, |
92 | | - ) |
93 | | - for version in affected_versions |
94 | | - ] |
95 | | - |
96 | | - resolved_purls = [ |
97 | | - PackageURL( |
98 | | - name=package_name, |
99 | | - type="gem", |
100 | | - version=version, |
101 | | - ) |
102 | | - for version in safe_versions |
103 | | - ] |
| 56 | + purl = PackageURL(type="gem", name=package_name) |
104 | 57 |
|
105 | | - references = [] |
106 | | - if record.get("url"): |
107 | | - references.append(Reference(url=record.get("url"))) |
| 58 | + return AdvisoryData( |
| 59 | + aliases=get_aliases(record), |
| 60 | + summary=get_summary(record), |
| 61 | + affected_packages=get_affected_packages(record, purl), |
| 62 | + references=get_references(record), |
| 63 | + date_published=get_publish_time(record), |
| 64 | + ) |
108 | 65 |
|
| 66 | + elif schema_type == "rubies": |
| 67 | + engine = record.get("engine") # engine enum: [jruby, rbx, ruby] |
| 68 | + purl = PackageURL(type="ruby", name=engine) |
109 | 69 | return AdvisoryData( |
110 | | - summary=record.get("description", ""), |
111 | | - affected_packages=nearest_patched_package(impacted_purls, resolved_purls), |
112 | | - references=references, |
113 | | - vulnerability_id=cve_id, |
| 70 | + aliases=get_aliases(record), |
| 71 | + summary=get_summary(record), |
| 72 | + affected_packages=get_affected_packages(record, purl), |
| 73 | + references=get_references(record), |
| 74 | + date_published=get_publish_time(record), |
114 | 75 | ) |
115 | 76 |
|
116 | | - @staticmethod |
117 | | - def categorize_versions(all_versions, unaffected_version_ranges): |
118 | 77 |
|
119 | | - for id, elem in enumerate(unaffected_version_ranges): |
120 | | - unaffected_version_ranges[id] = VersionRange.from_scheme_version_spec_string( |
121 | | - "semver", elem |
| 78 | +def get_affected_packages(record, purl): |
| 79 | + safe_version_ranges = record.get("patched_versions", []) |
| 80 | + # this case happens when the advisory contain only 'patched_versions' field |
| 81 | + # and it has value None(i.e it is empty :( ). |
| 82 | + if not safe_version_ranges: |
| 83 | + safe_version_ranges = [] |
| 84 | + safe_version_ranges += record.get("unaffected_versions", []) |
| 85 | + safe_version_ranges = [i for i in safe_version_ranges if i] |
| 86 | + |
| 87 | + affected_packages = [] |
| 88 | + affected_version_ranges = [ |
| 89 | + GemVersionRange.from_native(elem).invert() for elem in safe_version_ranges |
| 90 | + ] |
| 91 | + |
| 92 | + for affected_version_range in affected_version_ranges: |
| 93 | + affected_packages.append( |
| 94 | + AffectedPackage( |
| 95 | + package=purl, |
| 96 | + affected_version_range=affected_version_range, |
122 | 97 | ) |
| 98 | + ) |
| 99 | + return affected_packages |
| 100 | + |
| 101 | + |
| 102 | +def get_aliases(record) -> [str]: |
| 103 | + aliases = [] |
| 104 | + if record.get("cve"): |
| 105 | + aliases.append("CVE-{}".format(record.get("cve"))) |
| 106 | + if record.get("osvdb"): |
| 107 | + aliases.append("OSV-{}".format(record.get("osvdb"))) |
| 108 | + if record.get("ghsa"): |
| 109 | + aliases.append("GHSA-{}".format(record.get("ghsa"))) |
| 110 | + return aliases |
| 111 | + |
| 112 | + |
| 113 | +def get_references(record) -> [Reference]: |
| 114 | + references = [] |
| 115 | + cvss_v2 = record.get("cvss_v2") |
| 116 | + cvss_v3 = record.get("cvss_v3") |
| 117 | + |
| 118 | + if record.get("url"): |
| 119 | + if not (cvss_v2 or cvss_v3): |
| 120 | + references.append(Reference(url=record.get("url"))) |
| 121 | + if cvss_v2: |
| 122 | + references.append( |
| 123 | + Reference( |
| 124 | + url=record.get("url"), |
| 125 | + severities=[ |
| 126 | + VulnerabilitySeverity(system=SCORING_SYSTEMS["cvssv2"], value=cvss_v2) |
| 127 | + ], |
| 128 | + ) |
| 129 | + ) |
| 130 | + if cvss_v3: |
| 131 | + references.append( |
| 132 | + Reference( |
| 133 | + url=record.get("url"), |
| 134 | + severities=[ |
| 135 | + VulnerabilitySeverity(system=SCORING_SYSTEMS["cvssv3"], value=cvss_v3) |
| 136 | + ], |
| 137 | + ) |
| 138 | + ) |
| 139 | + return references |
| 140 | + |
| 141 | + |
| 142 | +def get_publish_time(record): |
| 143 | + return parse(record["date"]).replace(tzinfo=UTC) |
| 144 | + |
123 | 145 |
|
124 | | - safe_versions = [] |
125 | | - vulnerable_versions = [] |
126 | | - for i in all_versions: |
127 | | - vobj = SemverVersion(i) |
128 | | - is_vulnerable = False |
129 | | - for ver_rng in unaffected_version_ranges: |
130 | | - if vobj in ver_rng: |
131 | | - safe_versions.append(i) |
132 | | - is_vulnerable = True |
133 | | - break |
134 | | - |
135 | | - if not is_vulnerable: |
136 | | - vulnerable_versions.append(i) |
137 | | - |
138 | | - return safe_versions, vulnerable_versions |
| 146 | +def get_summary(record): |
| 147 | + title = record.get("title") |
| 148 | + description = record.get("description", "") |
| 149 | + return build_description(summary=title, description=description) |
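Review bot: The guard that skipped a record without a gem name (old lines 65–66) is gone: `parse_ruby_advisory` now passes whatever `record.get("gem")` returned straight to `PackageURL(type="gem", name=package_name)`, and the "rubies" branch does the same with `record.get("engine")`; since PackageURL requires a name, a YAML file missing that field raises inside `advisory_data` and ends the generator, discarding every advisory not yet yielded. The same applies to a malformed constraint in `patched_versions`/`unaffected_versions`, which `GemVersionRange.from_native` will reject, while the `logger` added at new line 28 is never used. I would keep the early return in the gems branch (`if not package_name: return None`) and isolate per-file failures in `advisory_data` so that one bad file is logged and skipped rather than aborting the whole import. Separately, the alias built for `osvdb` uses the `OSV-` prefix although the database's own files are named `OSVDB-…` (see the skip at new line 42) and `OSV-` is a different identifier namespace, so `"OSVDB-{}"` looks like the intended form — worth confirming against the schema linked in the docstring.
```python
            for file_path in base_path.glob(f"{subdir}/**/*.yml"):
                # … unchanged: OSVDB- file skip …
                raw_data = load_yaml(file_path)
                try:
                    advisory = parse_ruby_advisory(raw_data, subdir)
                except Exception as e:
                    logger.error(f"Failed to parse advisory {file_path}: {e}")
                    continue
                if advisory:
                    yield advisory
```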