chore: move debian parser from vulnerability dict to dataclass #645

59 changes: 33 additions & 26 deletions src/vunnel/providers/debian/parser.py
Expand Up @@ -12,6 +12,7 @@

from vunnel.result import SQLiteReader
from vunnel.utils import http, vulnerability
from vunnel.utils.vulnerability import FixedIn, Vulnerability

DSAFixedInTuple = namedtuple("DSAFixedInTuple", ["dsa", "link", "distro", "pkg", "ver"])
DSACollection = namedtuple("DSACollection", ["cves", "nocves"])
Expand Down Expand Up @@ -269,7 +270,7 @@ def _normalize_json(self, ns_cve_dsalist=None): # noqa: PLR0912,PLR0915,C901
if ns_cve_dsalist is None:
ns_cve_dsalist = {}

vuln_records = {}
vuln_records: dict[str, dict[str, dict[str, Vulnerability]]] = {}

for pkg in data:
for vid in data[pkg]:
Expand Down Expand Up @@ -310,15 +311,20 @@ def _normalize_json(self, ns_cve_dsalist=None): # noqa: PLR0912,PLR0915,C901
if complete:
if vid not in vuln_records[relno]:
# create a new record
vuln_records[relno][vid] = copy.deepcopy(vulnerability.vulnerability_element)
# and populate the static information about the new vuln record
vuln_records[relno][vid] = {
"Vulnerability": Vulnerability(
Name=str(vid),
NamespaceName="debian:" + str(relno),
Description=vulnerability_data.get("description", ""),
Link="https://security-tracker.debian.org/tracker/" + str(vid),
Severity="Unknown",
CVSS=[],
FixedIn=[],
),
}
vuln_record = vuln_records[relno][vid]

# populate the static information about the new vuln record
vuln_record["Vulnerability"]["Description"] = vulnerability_data.get("description", "")
vuln_record["Vulnerability"]["Name"] = str(vid)
vuln_record["Vulnerability"]["NamespaceName"] = "debian:" + str(relno)
vuln_record["Vulnerability"]["Link"] = "https://security-tracker.debian.org/tracker/" + str(vid)
vuln_record["Vulnerability"]["Severity"] = "Unknown"
else:
vuln_record = vuln_records[relno][vid]

Expand Down Expand Up @@ -349,9 +355,9 @@ def _normalize_json(self, ns_cve_dsalist=None): # noqa: PLR0912,PLR0915,C901
if (
sev
and vulnerability.severity_order[sev]
> vulnerability.severity_order[vuln_record["Vulnerability"]["Severity"]]
> vulnerability.severity_order[vuln_record["Vulnerability"].Severity]
):
vuln_record["Vulnerability"]["Severity"] = sev
vuln_record["Vulnerability"].Severity = sev

# add fixedIn
skip_fixedin = False
Expand All @@ -375,8 +381,8 @@ def _normalize_json(self, ns_cve_dsalist=None): # noqa: PLR0912,PLR0915,C901

if not skip_fixedin:
# collect metrics for vendor advisory
met_ns = vuln_record["Vulnerability"]["NamespaceName"]
met_sev = vuln_record["Vulnerability"]["Severity"]
met_ns = vuln_record["Vulnerability"].NamespaceName
met_sev = vuln_record["Vulnerability"].Severity

if met_ns not in adv_mets:
adv_mets[met_ns] = {
Expand Down Expand Up @@ -422,18 +428,14 @@ def _normalize_json(self, ns_cve_dsalist=None): # noqa: PLR0912,PLR0915,C901
] += 1

# append fixed in record to vulnerability
vuln_record["Vulnerability"]["FixedIn"].append(fixed_el)
if "Module" not in fixed_el:
fixed_el["Module"] = None
vuln_record["Vulnerability"].FixedIn.append(FixedIn(**fixed_el))

# strip out any top level that is not set
final_record = {"Vulnerability": {}}
for k in vuln_record["Vulnerability"]:
if vuln_record["Vulnerability"][k]:
final_record["Vulnerability"][k] = copy.deepcopy(vuln_record["Vulnerability"][k])

# retlists[relno].append(final_record)

except Exception:
self.logger.exception(f"ignoring error parsing vuln: {vid}, pkg: {pkg}, rel: {rel}")
except Exception as e:
self.logger.exception(
f"ignoring error ({e.__class__.__name__}) parsing vuln: {vid}, pkg: {pkg}, rel: {rel}",
)

self.logger.debug(f"metrics for advisory information: {orjson.dumps(adv_mets).decode('utf-8')}")

Expand Down Expand Up @@ -477,7 +479,9 @@ def process_result(file_path: str) -> None:
legacy_records[relno] = {}

records += 1
legacy_records[relno][vid] = envelope.item
envelope.item["Vulnerability"].setdefault("CVSS", [])
envelope.item["Vulnerability"].setdefault("FixedIn", [])
legacy_records[relno][vid] = {"Vulnerability": Vulnerability(**envelope.item["Vulnerability"])}

self.logger.debug(f"legacy dataset {file_path} contains {len(releases)} releases with {records} records")

Expand Down Expand Up @@ -505,8 +509,11 @@ def process_file(contents: list[dict[str, Any]]) -> None:
del cvss_metadata["Vectors"]
record["Vulnerability"]["Metadata"]["NVD"]["CVSSv2"] = cvss_metadata

# default required fields for dataclass
record["Vulnerability"].setdefault("FixedIn", [])
record["Vulnerability"].setdefault("CVSS", [])
# write the record back
legacy_records[relno][vid] = record
legacy_records[relno][vid] = Vulnerability(**record["Vulnerability"])

# read every json file in the legacy directory
for root, _dirs, files in os.walk(self.legacy_records_path):
Expand Down Expand Up @@ -548,7 +555,7 @@ def get(self):
self.logger.info(
f"clearing severity on {vid}, see https://github.com/anchore/grype-db/issues/108#issuecomment-1796301073",
)
vuln_record["Vulnerability"]["Severity"] = "Unknown"
vuln_record["Vulnerability"].Severity = "Unknown"
yield relno, vid, vuln_record
else:
yield from ()
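Review bot: The legacy record written in process_file, `legacy_records[relno][vid] = Vulnerability(**record["Vulnerability"])`, stores a bare dataclass, whereas process_result two hunks earlier and the new-record path in _normalize_json both store `{"Vulnerability": Vulnerability(...)}`, and get() then reads `vuln_record["Vulnerability"].Severity`, which raises TypeError on a dataclass because it is not subscriptable. If records produced by process_file reach get() (that call path is not in the hunks), those entries would fail at the severity-clearing step instead of being yielded, so the line should read `legacy_records[relno][vid] = {"Vulnerability": Vulnerability(**record["Vulnerability"])}` to match the other two paths. The definitions of process_file, process_result and get() all start outside their hunks, so I cannot see whether any of them is wrapped in a try/except that would mask this. Separately, _normalize_json fills a missing `Module` with `None` while the updated snapshot fixtures show `"Module":""`, so presumably FixedIn or its serializer maps None to an empty string; worth confirming so the live and legacy paths produce the same shape.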
@@ -1 +1 @@
{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"debian:10/cve-2005-3111","item":{"Vulnerability":{"Severity":"Medium","NamespaceName":"debian:10","FixedIn":[{"Name":"backupninja","NamespaceName":"debian:10","VersionFormat":"dpkg","Version":"0.8-2","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[]}}],"Link":"https://security-tracker.debian.org/tracker/CVE-2005-3111","Description":"The handler code for backupninja 0.8 and earlier creates temporary files with predictable filenames, which allows local users to modify arbitrary files via a symlink attack.","Metadata":{},"Name":"CVE-2005-3111","CVSS":[]}}}
{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"debian:10/cve-2005-3111","item":{"Vulnerability":{"Name":"CVE-2005-3111","NamespaceName":"debian:10","Description":"The handler code for backupninja 0.8 and earlier creates temporary files with predictable filenames, which allows local users to modify arbitrary files via a symlink attack.","Severity":"Medium","Link":"https://security-tracker.debian.org/tracker/CVE-2005-3111","CVSS":[],"FixedIn":[{"Name":"backupninja","NamespaceName":"debian:10","VersionFormat":"dpkg","Version":"0.8-2","Module":"","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[]},"VulnerableRange":null}],"Metadata":{}}}}
@@ -1 +1 @@
{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"debian:10/cve-2007-2383","item":{"Vulnerability":{"Severity":"Negligible","NamespaceName":"debian:10","FixedIn":[],"Link":"https://security-tracker.debian.org/tracker/CVE-2007-2383","Description":"The Prototype (prototypejs) framework before 1.5.1 RC3 exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka \"JavaScript Hijacking.\"","Metadata":{},"Name":"CVE-2007-2383","CVSS":[]}}}
{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"debian:10/cve-2007-2383","item":{"Vulnerability":{"Name":"CVE-2007-2383","NamespaceName":"debian:10","Description":"The Prototype (prototypejs) framework before 1.5.1 RC3 exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka \"JavaScript Hijacking.\"","Severity":"Negligible","Link":"https://security-tracker.debian.org/tracker/CVE-2007-2383","CVSS":[],"FixedIn":[],"Metadata":{}}}}
@@ -1 +1 @@
{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"debian:10/cve-2008-7220","item":{"Vulnerability":{"Severity":"High","NamespaceName":"debian:10","FixedIn":[{"Name":"prototypejs","NamespaceName":"debian:10","VersionFormat":"dpkg","Version":"1.6.0.2-1","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[]}}],"Link":"https://security-tracker.debian.org/tracker/CVE-2008-7220","Description":"Unspecified vulnerability in Prototype JavaScript framework (prototypejs) before 1.6.0.2 allows attackers to make \"cross-site ajax requests\" via unknown vectors.","Metadata":{},"Name":"CVE-2008-7220","CVSS":[]}}}
{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"debian:10/cve-2008-7220","item":{"Vulnerability":{"Name":"CVE-2008-7220","NamespaceName":"debian:10","Description":"Unspecified vulnerability in Prototype JavaScript framework (prototypejs) before 1.6.0.2 allows attackers to make \"cross-site ajax requests\" via unknown vectors.","Severity":"High","Link":"https://security-tracker.debian.org/tracker/CVE-2008-7220","CVSS":[],"FixedIn":[{"Name":"prototypejs","NamespaceName":"debian:10","VersionFormat":"dpkg","Version":"1.6.0.2-1","Module":"","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[]},"VulnerableRange":null}],"Metadata":{}}}}
@@ -1 +1 @@
{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"debian:10/cve-2013-1444","item":{"Vulnerability":{"Severity":"Low","NamespaceName":"debian:10","FixedIn":[{"Name":"txt2man","NamespaceName":"debian:10","VersionFormat":"dpkg","Version":"1.5.5-4.1","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[]}}],"Link":"https://security-tracker.debian.org/tracker/CVE-2013-1444","Description":"A certain Debian patch for txt2man 1.5.5, as used in txt2man 1.5.5-2, 1.5.5-4, and others, allows local users to overwrite arbitrary files via a symlink attack on /tmp/2222.","Metadata":{},"Name":"CVE-2013-1444","CVSS":[]}}}
{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"debian:10/cve-2013-1444","item":{"Vulnerability":{"Name":"CVE-2013-1444","NamespaceName":"debian:10","Description":"A certain Debian patch for txt2man 1.5.5, as used in txt2man 1.5.5-2, 1.5.5-4, and others, allows local users to overwrite arbitrary files via a symlink attack on /tmp/2222.","Severity":"Low","Link":"https://security-tracker.debian.org/tracker/CVE-2013-1444","CVSS":[],"FixedIn":[{"Name":"txt2man","NamespaceName":"debian:10","VersionFormat":"dpkg","Version":"1.5.5-4.1","Module":"","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[]},"VulnerableRange":null}],"Metadata":{}}}}
@@ -1 +1 @@
{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"debian:10/cve-2022-0456","item":{"Vulnerability":{"Severity":"Negligible","NamespaceName":"debian:10","FixedIn":[{"Name":"chromium","NamespaceName":"debian:10","VersionFormat":"dpkg","Version":"None","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[]}}],"Link":"https://security-tracker.debian.org/tracker/CVE-2022-0456","Description":"","Metadata":{},"Name":"CVE-2022-0456","CVSS":[]}}}
{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"debian:10/cve-2022-0456","item":{"Vulnerability":{"Name":"CVE-2022-0456","NamespaceName":"debian:10","Description":"","Severity":"Negligible","Link":"https://security-tracker.debian.org/tracker/CVE-2022-0456","CVSS":[],"FixedIn":[{"Name":"chromium","NamespaceName":"debian:10","VersionFormat":"dpkg","Version":"None","Module":"","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[]},"VulnerableRange":null}],"Metadata":{}}}}
@@ -1 +1 @@
{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"debian:11/cve-2022-0456","item":{"Vulnerability":{"Severity":"Unknown","NamespaceName":"debian:11","FixedIn":[{"Name":"chromium","NamespaceName":"debian:11","VersionFormat":"dpkg","Version":"98.0.4758.80-1~deb11u1","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[]}}],"Link":"https://security-tracker.debian.org/tracker/CVE-2022-0456","Description":"","Metadata":{},"Name":"CVE-2022-0456","CVSS":[]}}}
{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"debian:11/cve-2022-0456","item":{"Vulnerability":{"Name":"CVE-2022-0456","NamespaceName":"debian:11","Description":"","Severity":"Unknown","Link":"https://security-tracker.debian.org/tracker/CVE-2022-0456","CVSS":[],"FixedIn":[{"Name":"chromium","NamespaceName":"debian:11","VersionFormat":"dpkg","Version":"98.0.4758.80-1~deb11u1","Module":"","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[]},"VulnerableRange":null}],"Metadata":{}}}}
@@ -1 +1 @@
{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"debian:12/cve-2022-0456","item":{"Vulnerability":{"Severity":"Unknown","NamespaceName":"debian:12","FixedIn":[{"Name":"chromium","NamespaceName":"debian:12","VersionFormat":"dpkg","Version":"98.0.4758.80-1","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[]}}],"Link":"https://security-tracker.debian.org/tracker/CVE-2022-0456","Description":"","Metadata":{},"Name":"CVE-2022-0456","CVSS":[]}}}
{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"debian:12/cve-2022-0456","item":{"Vulnerability":{"Name":"CVE-2022-0456","NamespaceName":"debian:12","Description":"","Severity":"Unknown","Link":"https://security-tracker.debian.org/tracker/CVE-2022-0456","CVSS":[],"FixedIn":[{"Name":"chromium","NamespaceName":"debian:12","VersionFormat":"dpkg","Version":"98.0.4758.80-1","Module":"","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[]},"VulnerableRange":null}],"Metadata":{}}}}
@@ -1 +1 @@
{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"debian:8/cve-2005-3111","item":{"Vulnerability":{"Severity":"Medium","NamespaceName":"debian:8","FixedIn":[{"Name":"backupninja","NamespaceName":"debian:8","VersionFormat":"dpkg","Version":"0.8-2","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[]}}],"Link":"https://security-tracker.debian.org/tracker/CVE-2005-3111","Description":"The handler code for backupninja 0.8 and earlier creates temporary files with predictable filenames, which allows local users to modify arbitrary files via a symlink attack.","Metadata":{},"Name":"CVE-2005-3111","CVSS":[]}}}
{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"debian:8/cve-2005-3111","item":{"Vulnerability":{"Name":"CVE-2005-3111","NamespaceName":"debian:8","Description":"The handler code for backupninja 0.8 and earlier creates temporary files with predictable filenames, which allows local users to modify arbitrary files via a symlink attack.","Severity":"Medium","Link":"https://security-tracker.debian.org/tracker/CVE-2005-3111","CVSS":[],"FixedIn":[{"Name":"backupninja","NamespaceName":"debian:8","VersionFormat":"dpkg","Version":"0.8-2","Module":"","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[]},"VulnerableRange":null}],"Metadata":{}}}}
@@ -1 +1 @@
{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"debian:8/cve-2007-2383","item":{"Vulnerability":{"Severity":"Negligible","NamespaceName":"debian:8","FixedIn":[],"Link":"https://security-tracker.debian.org/tracker/CVE-2007-2383","Description":"The Prototype (prototypejs) framework before 1.5.1 RC3 exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka \"JavaScript Hijacking.\"","Metadata":{},"Name":"CVE-2007-2383","CVSS":[]}}}
{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"debian:8/cve-2007-2383","item":{"Vulnerability":{"Name":"CVE-2007-2383","NamespaceName":"debian:8","Description":"The Prototype (prototypejs) framework before 1.5.1 RC3 exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka \"JavaScript Hijacking.\"","Severity":"Negligible","Link":"https://security-tracker.debian.org/tracker/CVE-2007-2383","CVSS":[],"FixedIn":[],"Metadata":{}}}}