

Use semver in apache httpd importer
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
sbs2001 committed Aug 25, 2021
1 parent 85cb602 commit bd1dfe5
Showing 3 changed files with 79 additions and 9 deletions.
80 changes: 75 additions & 5 deletions vulnerabilities/importers/apache_httpd.py
Expand Up @@ -27,7 +27,7 @@
import requests
from bs4 import BeautifulSoup
from packageurl import PackageURL
from univers.versions import MavenVersion
from univers.versions import SemverVersion
from univers.version_specifier import VersionSpecifier

from vulnerabilities.data_source import Advisory
Expand All @@ -53,6 +53,12 @@ class ApacheHTTPDDataSource(DataSource):
def set_api(self):
self.version_api = GitHubTagsAPI()
asyncio.run(self.version_api.load_api(["apache/httpd"]))
self.version_api.cache["apache/httpd"] = set(
filter(
lambda version: version.value not in ignore_tags,
self.version_api.cache["apache/httpd"],
)
)

def updated_advisories(self):
links = fetch_links(self.base_url)
Expand Down Expand Up @@ -106,7 +112,7 @@ def to_advisory(self, data):
[
PackageURL(type="apache", name="httpd", version=version)
for version in self.version_api.get("apache/httpd").valid_versions
if MavenVersion(version) in version_range
if SemverVersion(version) in version_range
]
)

Expand All @@ -115,7 +121,7 @@ def to_advisory(self, data):
[
PackageURL(type="apache", name="httpd", version=version)
for version in self.version_api.get("apache/httpd").valid_versions
if MavenVersion(version) in version_range
if SemverVersion(version) in version_range
]
)

Expand All @@ -135,13 +141,13 @@ def to_version_ranges(self, versions_data):
if range_expression == "<":
fixed_version_ranges.append(
VersionSpecifier.from_scheme_version_spec_string(
"maven", ">={}".format(version_value)
"semver", ">={}".format(version_value)
)
)
elif range_expression == "=" or range_expression == "?=":
affected_version_ranges.append(
VersionSpecifier.from_scheme_version_spec_string(
"maven", "{}".format(version_value)
"semver", "{}".format(version_value)
)
)

Expand All @@ -158,3 +164,67 @@ def fetch_links(url):
continue
links.append(urllib.parse.urljoin(url, link))
return links


ignore_tags = {
"AGB_BEFORE_AAA_CHANGES",
"APACHE_1_2b1",
"APACHE_1_2b10",
"APACHE_1_2b11",
"APACHE_1_2b2",
"APACHE_1_2b3",
"APACHE_1_2b4",
"APACHE_1_2b5",
"APACHE_1_2b6",
"APACHE_1_2b7",
"APACHE_1_2b8",
"APACHE_1_2b9",
"APACHE_1_3_PRE_NT",
"APACHE_1_3a1",
"APACHE_1_3b1",
"APACHE_1_3b2",
"APACHE_1_3b3",
"APACHE_1_3b5",
"APACHE_1_3b6",
"APACHE_1_3b7",
"APACHE_2_0_2001_02_09",
"APACHE_2_0_52_WROWE_RC1",
"APACHE_2_0_ALPHA",
"APACHE_2_0_ALPHA_2",
"APACHE_2_0_ALPHA_3",
"APACHE_2_0_ALPHA_4",
"APACHE_2_0_ALPHA_5",
"APACHE_2_0_ALPHA_6",
"APACHE_2_0_ALPHA_7",
"APACHE_2_0_ALPHA_8",
"APACHE_2_0_ALPHA_9",
"APACHE_2_0_BETA_CANDIDATE_1",
"APACHE_BIG_SYMBOL_RENAME_POST",
"APACHE_BIG_SYMBOL_RENAME_PRE",
"CHANGES",
"HTTPD_LDAP_1_0_0",
"INITIAL",
"MOD_SSL_2_8_3",
"PCRE_3_9",
"POST_APR_SPLIT",
"PRE_APR_CHANGES",
"STRIKER_2_0_51_RC1",
"STRIKER_2_0_51_RC2",
"STRIKER_2_1_0_RC1",
"WROWE_2_0_43_PRE1",
"apache-1_3-merge-1-post",
"apache-1_3-merge-1-pre",
"apache-1_3-merge-2-post",
"apache-1_3-merge-2-pre",
"apache-apr-merge-3",
"apache-doc-split-01",
"dg_last_1_2_doc_merge",
"djg-apache-nspr-07",
"djg_nspr_split",
"moving_to_httpd_module",
"mpm-3",
"mpm-merge-1",
"mpm-merge-2",
"post_ajp_proxy",
"pre_ajp_proxy",
}
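Review bot: The filter added to set_api (`lambda version: version.value not in ignore_tags`) treats the new module-level `ignore_tags` set as a complete denylist of non-version tags, but the tag list is loaded live from the apache/httpd GitHub repository, so any future tag that is not semver-shaped will pass through and presumably make `SemverVersion(version)` raise in the two to_advisory comprehensions further down, aborting the import. Inverting this into an allowlist — keep a cached tag only if SemverVersion accepts its `.value`, and log the ones dropped — would make the importer robust to upstream tag churn while still letting a reviewer see what was skipped. `ignore_tags` should also state why it exists, e.g. `# Tags in apache/httpd that are not release versions; SemverVersion cannot parse them, so they are removed from the cache.` The bodies of to_advisory and to_version_ranges start outside their hunks.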
2 changes: 1 addition & 1 deletion vulnerabilities/package_managers.py
Expand Up @@ -49,7 +49,7 @@ class VersionResponse:


class VersionAPI:
def __init__(self, cache: Mapping[str, Set[str]] = None):
def __init__(self, cache: Mapping[str, Set[Version]] = None):
self.cache = cache or {}

def get(self, package_name, until=None) -> Set[str]:
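Review bot: The new annotation says the cache holds `Set[Version]`, yet `get` on the next line still declares `-> Set[str]`, so the two hints now disagree about what `VersionAPI` stores; the `get` hint looks stale either way, since the caller in apache_httpd.py reads `.valid_versions` on its result rather than iterating a set of strings. The default should also be declared optional, `cache: Optional[Mapping[str, Set[Version]]] = None`, because `None` is not a `Mapping`. `Version` has to be imported at the top of package_managers.py, which is outside this hunk, and the enclosing class continues past the hunk.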
6 changes: 3 additions & 3 deletions vulnerabilities/tests/test_apache_httpd.py
Expand Up @@ -69,13 +69,13 @@ def test_to_version_ranges(self):

# Check fixed packages
assert [
VersionSpecifier.from_scheme_version_spec_string("maven", ">=1.3.2")
VersionSpecifier.from_scheme_version_spec_string("semver", ">=1.3.2")
] == fixed_version_ranges

# Check vulnerable packages
assert [
VersionSpecifier.from_scheme_version_spec_string("maven", "==1.3.0"),
VersionSpecifier.from_scheme_version_spec_string("maven", "==1.3.1"),
VersionSpecifier.from_scheme_version_spec_string("semver", "==1.3.0"),
VersionSpecifier.from_scheme_version_spec_string("semver", "==1.3.1"),
] == affected_version_ranges

def test_to_advisory(self):
