Create suse_oval.py and related test files #1079

Reference: #1079

Signed-off-by: John M. Horan <johnmhoran@gmail.com>

vulnerabilities/importers/suse_oval.py

@@ -0,0 +1,70 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/nexB/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+
+import gzip
+import xml.etree.ElementTree as ET
+
+import requests
+from bs4 import BeautifulSoup
+
+from vulnerabilities.importer import OvalImporter
+
+
+class SuseOvalImporter(OvalImporter):
+
+    spdx_license_expression = "CC-BY-4.0"
+    license_url = "https://ftp.suse.com/pub/projects/security/oval/LICENSE"
+    base_url = "https://ftp.suse.com/pub/projects/security/oval/"
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.translations = {"less than": "<", "equals": "=", "greater than or equal": ">="}
+
+    def _fetch(self):
+        # base_url = "https://ftp.suse.com/pub/projects/security/oval/"
+        page = requests.get(self.base_url).text
+        soup = BeautifulSoup(page, "lxml")
+
+        # print(
+        #     [
+        #         self.base_url + node.get("href")
+        #         for node in soup.find_all("a")
+        #         if node.get("href").endswith(".gz")
+        #     ]
+        # )
+
+        suse_oval_files = [
+            self.base_url + node.get("href")
+            for node in soup.find_all("a")
+            if node.get("href").endswith(".gz")
+        ]
+
+        # for testfile in suse_oval_files:
+        #     print(testfile)
+
+        # Temporary test of .gz version of one of the .xml files we test in test_suse_oval.py:
+        # suse_oval_files = [
+        #     "https://ftp.suse.com/pub/projects/security/oval/opensuse.leap.micro.5.3.xml.gz"
+        # ]
+
+        # TODO: 2023-01-18 Wednesday 18:49:06.  For some reason, if I un-comment the code below, my print above stops working.  Why?
+
+        # for suse_file in suse_oval_files:
+        #     # print("suse_file = {}".format(suse_file))
+        #     # Do we want to log as ubuntu.py does?  If so, why does debian_oval.py not log?
+        #     response = requests.get(suse_file)
+        #     # print("\nresponse = {}\n".format(response))
+
+        #     extracted = gzip.decompress(response.content)
+        #     # print("\nextracted = {}\n".format(extracted))
+        #     yield (
+        #         {"type": "rpm", "namespace": "opensuse"},
+        #         ET.ElementTree(ET.fromstring(extracted.decode("utf-8"))),
+        #     )

vulnerabilities/oval_parser.py

@@ -180,7 +180,11 @@ def get_severity_from_definition(definition: OvalDefinition) -> Set[str]:
     def get_vuln_id_from_definition(definition):
         # SUSE and Ubuntu OVAL files will get cves via this loop
         for child in definition.element.iter():
-            if child.get("ref_id"):
-                return child.get("ref_id")
+            # Must also check whether 'source' field exists and value is 'CVE'
+            # TODO: what if there are multiple elements that satisfy the condition?
+            # Add to list and report as separate AdvisoryData() objects?
+            if child.get("ref_id") and child.get("source"):
+                if child.get("source") == "CVE":
+                    return child.get("ref_id")
         # Debian OVAL files will get cves via this
         return definition.getMetadata().getTitle()

vulnerabilities/tests/test_data/suse_oval/org.opensuse.CVE-2008-5679.xml

@@ -0,0 +1,81 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<oval_definitions
+	xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd"
+	xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
+	xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+  <generator>
+      <oval:product_name>Marcus OVAL Generator</oval:product_name>
+      <oval:schema_version>5.5</oval:schema_version>
+      <oval:timestamp>2009-01-14T09:08:29.480-05:00</oval:timestamp>
+  </generator>
+  <definitions>
+
+<definition id="oval:org.opensuse.security:def:2009030400" version="1" class="patch">
+ <metadata>
+ <title>CVE-2008-5679</title>
+	<affected family="unix">
+	</affected>
+	<reference ref_id="CVE-2008-5679" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5679" source="CVE"/>
+	<description>
+	The HTML parsing engine in Opera before 9.63 allows remote attackers to execute arbitrary code via crafted web pages that trigger an invalid pointer calculation and heap corruption.
+	</description>
+ </metadata>
+	<criteria operator="OR">
+		<criteria operator="AND">
+			<criteria operator="OR">
+			<criterion test_ref="oval:org.opensuse.security:tst:2009030401" comment="suse103 is installed"/>
+			<criterion test_ref="oval:org.opensuse.security:tst:2009030402" comment="suse110 is installed"/>
+			<criterion test_ref="oval:org.opensuse.security:tst:2009030403" comment="suse111 is installed"/>
+			</criteria>
+			<criterion test_ref="oval:org.opensuse.security:tst:2009030400" comment="oval:org.opensuse.security:tst:2009030400 is installed"/>
+		</criteria>
+		<criteria operator="AND">
+			<criterion test_ref="oval:org.opensuse.security:tst:2009030403" comment="suse111-debug is installed"/>
+			<criterion test_ref="oval:org.opensuse.security:tst:2009030400" comment="oval:org.opensuse.security:tst:2009030400 is installed"/>
+		</criteria>
+	</criteria>
+</definition>
+ </definitions>
+ <tests>
+	<rpminfo_test id="oval:org.opensuse.security:tst:2009030400" version="1" comment="oval:org.opensuse.security:obj:2009030400 is version oval:org.opensuse.security:ste:2009030400" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+		<object object_ref="oval:org.opensuse.security:obj:2009030400"/>
+		<state state_ref="oval:org.opensuse.security:ste:2009030400"/>
+	</rpminfo_test>
+	<rpminfo_test id="oval:org.opensuse.security:tst:2009030401" version="1" comment="oval:org.opensuse.security:obj:2009030401 is version oval:org.opensuse.security:ste:2009030401" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+		<object object_ref="oval:org.opensuse.security:obj:2009030401"/>
+		<state state_ref="oval:org.opensuse.security:ste:2009030401"/>
+	</rpminfo_test>
+	<rpminfo_test id="oval:org.opensuse.security:tst:2009030402" version="1" comment="oval:org.opensuse.security:obj:2009030401 is version oval:org.opensuse.security:ste:2009030402" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+		<object object_ref="oval:org.opensuse.security:obj:2009030401"/>
+		<state state_ref="oval:org.opensuse.security:ste:2009030402"/>
+	</rpminfo_test>
+	<rpminfo_test id="oval:org.opensuse.security:tst:2009030403" version="1" comment="oval:org.opensuse.security:obj:2009030401 is version oval:org.opensuse.security:ste:2009030403" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+		<object object_ref="oval:org.opensuse.security:obj:2009030401"/>
+		<state state_ref="oval:org.opensuse.security:ste:2009030403"/>
+	</rpminfo_test>
+ </tests>
+ <objects>
+	<rpminfo_object id="oval:org.opensuse.security:obj:2009030400" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+		<name>opera</name>
+	</rpminfo_object>
+	<rpminfo_object id="oval:org.opensuse.security:obj:2009030401" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+		<name>openSUSE-release</name>
+	</rpminfo_object>
+ </objects>
+ <states>
+  <rpminfo_state id="oval:org.opensuse.security:ste:2009030400" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+   <evr datatype="evr_string" operation="less than">0:9.63-1.1</evr>
+  </rpminfo_state>
+  <rpminfo_state id="oval:org.opensuse.security:ste:2009030401" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+   <version operation="pattern match">^10.3$</version>
+  </rpminfo_state>
+  <rpminfo_state id="oval:org.opensuse.security:ste:2009030402" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+   <version operation="pattern match">^11.0$</version>
+  </rpminfo_state>
+  <rpminfo_state id="oval:org.opensuse.security:ste:2009030403" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+   <version operation="pattern match">^11.1$</version>
+  </rpminfo_state>
+ </states>
+</oval_definitions>

vulnerabilities/tests/test_data/suse_oval/suse-oval-CVE-2008-5679-expected.json

@@ -0,0 +1,42 @@
+[
+  {
+    "aliases": [
+      "CVE-2008-5679"
+    ],
+    "summary": "\n\tThe HTML parsing engine in Opera before 9.63 allows remote attackers to execute arbitrary code via crafted web pages that trigger an invalid pointer calculation and heap corruption.\n\t",
+    "affected_packages": [
+      {
+        "package": {
+          "type": "rpm",
+          "namespace": "opensuse",
+          "name": "opera",
+          "version": null,
+          "qualifiers": null,
+          "subpath": null
+        },
+        "affected_version_range": "vers:rpm/<9.63-1.1",
+        "fixed_version": null
+      },
+      {
+        "package": {
+          "type": "rpm",
+          "namespace": "opensuse",
+          "name": "opera",
+          "version": null,
+          "qualifiers": null,
+          "subpath": null
+        },
+        "affected_version_range": "vers:rpm/<9.63-1.1",
+        "fixed_version": null
+      }
+    ],
+    "references": [
+      {
+        "reference_id": "",
+        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5679",
+        "severities": []
+      }
+    ],
+    "date_published": "2009-01-14T09:08:29.480000-05:00"
+  }
+]