Address review comments
Signed-off-by: Tushar Goel <tushar.goel.dav@gmail.com>
TG1999 committed Jan 9, 2023
1 parent 3b29651 commit d5c07d0
Showing 2 changed files with 64 additions and 79 deletions.
119 changes: 64 additions & 55 deletions vulnerabilities/importers/gentoo.py
Expand Up @@ -27,7 +27,10 @@
class GentooImporter(Importer):
repo_url = "git+https://anongit.gentoo.org/git/data/glsa.git"
spdx_license_expression = "CC-BY-SA-4.0"
license_url = "https://anongit.gentoo.org/"
# the license notice is at this url https://anongit.gentoo.org/ says:
# The contents of this document, unless otherwise expressly stated, are licensed
# under the [CC-BY-SA-4.0](https://creativecommons.org/licenses/by-sa/4.0/) license.
license_url = "https://creativecommons.org/licenses/by-sa/4.0/"

def advisory_data(self) -> Iterable[AdvisoryData]:
try:
Expand All @@ -42,12 +45,12 @@ def advisory_data(self) -> Iterable[AdvisoryData]:
def process_file(self, file):
cves = []
summary = ""
vuln_reference = []
vuln_references = []
xml_root = ET.parse(file).getroot()
id = xml_root.attrib.get("id")
if id:
glsa = "GLSA-" + id
vuln_reference = [
vuln_references = [
Reference(
reference_id=glsa,
url=f"https://security.gentoo.org/glsa/{id}",
Expand All @@ -70,7 +73,7 @@ def process_file(self, file):
yield AdvisoryData(
aliases=[cve],
summary=summary,
references=vuln_reference,
references=vuln_references,
affected_packages=affected_packages,
)

Expand All @@ -87,57 +90,63 @@ def cves_from_reference(reference):

@staticmethod
def affected_and_safe_purls(affected_elem):
constraints = []
for pkg in affected_elem:
name = pkg.attrib.get("name")
if not name:
continue
pkg_ns, _, pkg_name = name.rpartition("/")
purl = PackageURL(type="ebuild", name=pkg_name, namespace=pkg_ns)
safe_versions, affected_versions = GentooImporter.get_safe_and_affected_versions(pkg)

for version in safe_versions:
constraints.append(
VersionConstraint(version=GentooVersion(version), comparator="=").invert()
)

for version in affected_versions:
constraints.append(
VersionConstraint(version=GentooVersion(version), comparator="=")
)

if not constraints:
continue

yield AffectedPackage(
package=purl, affected_version_range=EbuildVersionRange(constraints=constraints)
)

@staticmethod
def get_safe_and_affected_versions(pkg):
# TODO : Revisit why we are skipping some versions in gentoo importer
skip_versions = {"1.3*", "7.3*", "7.4*"}
safe_versions = set()
affected_versions = set()
skip_versions = {"1.3*", "7.3*", "7.4*"}
for pkg in affected_elem:
for info in pkg:
if info.text in skip_versions:
for info in pkg:
if info.text in skip_versions:
continue

if info.attrib.get("range"):
if len(info.attrib.get("range")) > 2:
continue
name = pkg.attrib.get("name")
if name:
(
pkg_ns,
pkg_name,
) = name.split("/")
purl = PackageURL(type="ebuild", name=pkg_name, namespace=pkg_ns)

if info.attrib.get("range"):
if len(info.attrib.get("range")) > 2:
continue

if info.tag == "unaffected":
# quick hack, to know whether this
# version lies in this range, 'e' stands for
# equal, which is paired with 'greater' or 'less'.
# All possible values of info.attrib['range'] =
# {'gt', 'lt', 'rle', 'rge', 'rgt', 'le', 'ge', 'eq'}, out of
# which ('rle', 'rge', 'rgt') are ignored, because they compare
# 'release' not the 'version'.

if "e" in info.attrib["range"]:
safe_versions.add(info.text)
else:
affected_versions.add(info.text)

elif info.tag == "vulnerable":
if "e" in info.attrib["range"]:
affected_versions.add(info.text)
else:
safe_versions.add(info.text)

constraints = []

for version in safe_versions:
constraints.append(
VersionConstraint(version=GentooVersion(version), comparator="=").invert()
)

for version in affected_versions:
constraints.append(
VersionConstraint(version=GentooVersion(version), comparator="=")
)

yield AffectedPackage(
package=purl, affected_version_range=EbuildVersionRange(constraints=constraints)
)

if info.tag == "unaffected":
# quick hack, to know whether this
# version lies in this range, 'e' stands for
# equal, which is paired with 'greater' or 'less'.
# All possible values of info.attrib['range'] =
# {'gt', 'lt', 'rle', 'rge', 'rgt', 'le', 'ge', 'eq'}, out of
# which ('rle', 'rge', 'rgt') are ignored, because they compare
# 'release' not the 'version'.
if "e" in info.attrib["range"]:
safe_versions.add(info.text)
else:
affected_versions.add(info.text)

elif info.tag == "vulnerable":
if "e" in info.attrib["range"]:
affected_versions.add(info.text)
else:
safe_versions.add(info.text)

return safe_versions, affected_versions
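Review bot: In get_safe_and_affected_versions the `if info.attrib.get("range"):` guard only filters ranges longer than two characters; an `<unaffected>`/`<vulnerable>` element with no `range` attribute falls through to `info.attrib["range"]` and raises KeyError, aborting the whole advisory rather than skipping the one element. The old code at the removed lines had the same shape, so this is carried over rather than introduced, but it is worth closing while the method is being rewritten. A single guard does it: `range_ = info.attrib.get("range")` / `if not range_ or len(range_) > 2:` / `continue`, with the two later `info.attrib["range"]` reads replaced by `range_`. It also looks like an element with empty text would reach `GentooVersion(None)` in affected_and_safe_purls, which may be worth a `if not info.text: continue` in the same place; I have not confirmed how GentooVersion handles None. The TODO on skip_versions would also read better with a one-line note of which GLSA entries motivated it, if that is known.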
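--- a/vulnerabilities/tests/test_data/gentoo/gentoo-expected.json
+++ b/vulnerabilities/tests/test_data/gentoo/gentoo-expected.json
@@ -5,30 +5,6 @@
 ],
 "summary": "A command injection vulnerability in Subversion may allow remote\n attackers to execute arbitrary code.\n ",
 "affected_packages": [
-{
-"package": {
-"type": "ebuild",
-"namespace": "dev-vcs",
-"name": "subversion",
-"version": null,
-"qualifiers": null,
-"subpath": null
-},
-"affected_version_range": "vers:ebuild/!=1.9.7",
-"fixed_version": null
-},
-{
-"package": {
-"type": "ebuild",
-"namespace": "dev-vcs",
-"name": "subversion",
-"version": null,
-"qualifiers": null,
-"subpath": null
-},
-"affected_version_range": "vers:ebuild/!=1.9.7",
-"fixed_version": null
-},
 {
 "package": {
 "type": "ebuild",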
