Merge branch 'main' into 1079-create-suse-oval-importer #1079

Reference: #1079

Signed-off-by: John M. Horan johnmhoran@gmail.com

.gitignore

@@ -46,8 +46,14 @@ coverage.xml
 *.log
 local_settings.py
 
-# Sphinx documentation
-docs/_build/
+# Sphinx
+docs/_build
+docs/bin
+docs/build
+docs/include
+docs/Lib
+doc/pyvenv.cfg
+pyvenv.cfg
 
 # PyBuilder
 target/
@@ -103,3 +109,13 @@ Pipfile
 *.bak
 /.cache/
 /tmp/
+
+# pyenv
+/.python-version
+/man/
+/.pytest_cache/
+lib64
+tcl
+
+# Ignore Jupyter Notebook related temp files
+.ipynb_checkpoints/

.readthedocs.yml

@@ -5,12 +5,25 @@
 # Required
 version: 2
 
+# Build in latest ubuntu/python
+build:
+  os: ubuntu-22.04
+  tools:
+    python: "3.11"
+
+# Build PDF & ePub
+formats:
+  - epub
+  - pdf
+
 # Where the Sphinx conf.py file is located
 sphinx:
    configuration: docs/source/conf.py
 
-# Setting the doc build requirements
+# Setting the python version and doc build requirements
 python:
-  version: "3.7"
   install:
-    - requirements: docs/requirements.txt
+    - method: pip
+      path: .
+      extra_requirements:
+        - dev

CHANGELOG.rst

@@ -2,8 +2,108 @@ Release notes
 =============
 
 
+Version v33.6.3
+----------------
+
+- We updated RTD build configuration.
+- We added importer for OSS-Fuzz.
+- We removed vulnerabilities with empty aliases.
+- We fixed search encoding issue https://github.com/nexB/vulnerablecode/issues/1336.
+- We added middleware to ban "bytedance" user-agent.
+
+
+Version v33.6.2
+----------------
+
+- We added note about CSRF_TRUSTED_ORIGINS.
+- We added proper acknowledgements for NGI projects.
+- We added throttling for anonymous users.
+
+Version v33.6.1
+----------------
+
+- We added pagination to valid versions improver.
+
+
+Version v33.6.0
+----------------
+
+- We added support to write packages and vulnerabilities at the time of import.
+
+
+Version v33.5.0
+----------------
+
+- We fixed a text-overflow issue in the Essentials tab of the Vulnerability details template.
+- We added clickable links to the Essentials tab of the Vulnerability details template that enable
+  the user to navigate to the Fixed by packages tab and the Affected packages tab.
+- We fixed severity range issue for handling unknown scores.
+
+Version v33.4.0
+----------------
+
+- We added importer specific improvers and removed default improver
+  additionally improve recent advisories first.
+
+
+Version v33.3.0
+----------------
+
+- We filtered out the weakness that are not presented in the
+  cwe2.database before passing them into the vulnerability details view.
+
+
+Version v33.2.0
+-----------------
+
+- We fixed NVD importer to import the latest data by adding weakness
+  in unique content ID for advisories.
+
+
+Version v33.1.0
+-----------------
+
+- We have paginated the default improver and added keyboard interrupt support for import and improve processes.
+- We bumped PyYaml to 6.0.1 and saneyaml to 0.6.0 and dropped docker-compose.
+
+
+Version v33.0.0
+-----------------
+
+- We have dropped ``unresolved_vulnerabilities`` from /api/package endpoint API response.
+- We have added missing quotes for href values in template.
+- We have fixed merge functionality of AffectedPackage.
+
+
+Version v32.0.1
+-----------------
+
+- Clean imported data after import process.
+
+
+Version v32.0.0
+-----------------
+
+- We fixed Apache HTTPD and Apache Kafka importer.
+- We removed excessive network calls from Redhat importer.
+- Add documentation for version 32.0.0.
+
+
+Version v32.0.0rc4
+-------------------
+
+- We added loading of env for GitHub datasource in vulntotal.
+- We fixed import process in github importer in vulnerablecode reported here
+  https://github.com/nexB/vulnerablecode/issues/1142.
+- We added an improver to get all package versions
+  of all ecosystems for a range of affected packages.
+- We added documentation for configuring throttling rate for API endpoints.
+- We fixed kbmsr2019 importer.
+- We added support for conan advisories through gitlab importer.
+
+
 Version v32.0.0rc3
-------------
+-------------------
 
 - Add aliases to package endpoint.
 - We added Apache HTTPD improver.

README.rst

@@ -105,6 +105,7 @@ On a Debian system, use this::
     git clone https://github.com/nexB/vulnerablecode.git && cd vulnerablecode
     make dev envfile postgres
     make test
+    source venv/bin/activate
     ./manage.py import vulnerabilities.importers.nginx.NginxImporter
     ./manage.py improve --all
     make run
@@ -145,3 +146,20 @@ See https://creativecommons.org/licenses/by-sa/4.0/legalcode for the license tex
 See https://github.com/nexB/vulnerablecode for support or download. 
 
 See https://aboutcode.org for more information about nexB OSS projects.
+
+Acknowledgements
+^^^^^^^^^^^^^^^^
+
+This project was funded through the NGI0 PET Fund, a fund established by
+NLnet with financial support from the European Commission's Next Generation
+Internet programme, under the aegis of DG Communications Networks, Content
+and Technology under grant agreement No 825310.
+
+https://nlnet.nl/project/VulnerableCode/
+
+This project was funded through the NGI0 Discovery Fund, a fund established
+by NLnet with financial support from the European Commission's Next Generation
+Internet programme, under the aegis of DG Communications Networks, Content
+and Technology under grant agreement No 825322.
+
+https://nlnet.nl/project/vulnerabilitydatabase/

SOURCES.rst

@@ -13,7 +13,7 @@
 +----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+
 |ruby            | https://github.com/rubysec/ruby-advisory-db.git                                                      |ruby gems                                           |
 +----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+
-|ubuntu          | https://people.canonical.com/~ubuntu-security/oval/                                                  |ubuntu packages                                     |
+|ubuntu          |                                                                                                      |ubuntu packages                                     |
 +----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+
 |retiredotnet    | https://github.com/RetireNet/Packages.git                                                            |.NET packages                                       |
 +----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+

apache-2.0.LICENSE

@@ -174,3 +174,28 @@
       of your accepting any such warranty or additional liability.
 
    END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

docs/requirements.txt

@@ -1,3 +1,3 @@
 Sphinx>=3.3.1
 sphinx-rtd-theme>=0.5.0
-doc8>=0.8.1
+doc8>=0.8.1

docs/source/_static/theme_overrides.css

@@ -0,0 +1,31 @@
+/* this is the container for the pages */
+.wy-nav-content {
+    max-width: 100%;
+    padding: 0px 40px 0px 0px;
+    margin-top: 0px;
+    background-color: #fcfcfc;
+}
+
+.wy-nav-content-wrap {
+    background-color: #fcfcfc;
+    border-right: solid 1px #e8e8e8;
+}
+
+div.rst-content {
+    max-width: 1300px;
+    background-color: #fcfcfc;
+    border: 0;
+    padding: 0px 80px 10px 80px;
+    margin-left: 50px;
+}
+
+
+@media (max-width: 768px) {
+    div.rst-content {
+            max-width: 1300px;
+            background-color: #fcfcfc;
+            border: 0;
+            padding: 0px 10px 10px 10px;
+            margin-left: 0px;
+        }
+}

docs/source/api-admin.rst

@@ -0,0 +1,21 @@
+.. _api_admin:
+
+API usage administration for on-premise deployments
+====================================================
+
+Enable the API key authentication
+------------------------------------
+
+There is a setting VULNERABLECODEIO_REQUIRE_AUTHENTICATION for this. Use it this
+way::
+
+    $ VULNERABLECODEIO_REQUIRE_AUTHENTICATION=1 make run
+
+
+Create an API key-only user
+------------------------------------
+
+This can be done in the admin and from the command line::
+
+    $ ./manage.py create_api_user --email "p4@nexb.com" --first-name="Phil" --last-name "Goel"
+    User p4@nexb.com created with API key: ce8616b929d2adsddd6146346c2f26536423423491