-
Notifications
You must be signed in to change notification settings - Fork 198
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Tushar Goel <tushar.goel.dav@gmail.com>
- Loading branch information
Showing
9 changed files
with
148 additions
and
76 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,80 @@ | ||
# | ||
# Copyright (c) nexB Inc. and others. All rights reserved. | ||
# VulnerableCode is a trademark of nexB Inc. | ||
# SPDX-License-Identifier: Apache-2.0 | ||
# See http://www.apache.org/licenses/LICENSE-2.0 for the license text. | ||
# See https://github.com/nexB/vulnerablecode for support or download. | ||
# See https://aboutcode.org for more information about nexB OSS projects. | ||
# | ||
|
||
import urllib.parse | ||
from typing import Iterable | ||
|
||
from django.db.models import Q | ||
from django.db.models.query import QuerySet | ||
|
||
from vulnerabilities.importer import AdvisoryData | ||
from vulnerabilities.importers.nvd import NVDImporter | ||
from vulnerabilities.improver import Improver | ||
from vulnerabilities.improver import Inference | ||
from vulnerabilities.models import Advisory | ||
from vulnerabilities.models import Alias | ||
from vulnerabilities.models import Vulnerability | ||
from vulnerabilities.models import VulnerabilityStatusType | ||
from vulnerabilities.utils import fetch_response | ||
from vulnerabilities.utils import get_item | ||
|
||
NVD_API_URL = "https://cveawg.mitre.org/api/cve/" | ||
|
||
|
||
class VulnerabilityStatusImprover(Improver): | ||
""" | ||
Generate a translation of Advisory data - returned by the importers - into | ||
full confidence inferences. These are basic database relationships for | ||
unstructured data present in the Advisory model without any other | ||
information source. | ||
""" | ||
|
||
@property | ||
def interesting_advisories(self) -> QuerySet: | ||
return Advisory.objects.filter(Q(created_by=NVDImporter.qualified_name)).paginated() | ||
|
||
def get_inferences(self, advisory_data: AdvisoryData) -> Iterable[Inference]: | ||
if not advisory_data: | ||
return [] | ||
aliases = advisory_data.aliases | ||
aliases = Alias.objects.filter(alias__in=aliases) | ||
vulnerabilities = Vulnerability.objects.filter(aliases__in=aliases).distinct() | ||
|
||
cve_id = None | ||
|
||
for alias in aliases: | ||
if alias.startswith("CVE"): | ||
cve_id = alias | ||
|
||
if not cve_id: | ||
return [] | ||
|
||
for vuln in vulnerabilities: | ||
status = get_status_from_api(cve_id=cve_id) | ||
if not status: | ||
status = VulnerabilityStatusType.PUBLISHED | ||
vuln.status = status | ||
vuln.save() | ||
return [] | ||
|
||
|
||
def get_status_from_api(cve_id): | ||
url = urllib.parse.urljoin(NVD_API_URL, cve_id) | ||
try: | ||
response = fetch_response(url=url) | ||
except Exception as e: | ||
return | ||
response = response.json() | ||
cve_state = get_item(response, "cveMetaData", "state") | ||
tags = get_item(response, "containers", "cna", "tags") | ||
if "disputed" in tags: | ||
return VulnerabilityStatusType.DISPUTED | ||
if cve_state == "REJECTED": | ||
return VulnerabilityStatusType.REJECTED | ||
return VulnerabilityStatusType.PUBLISHED |
23 changes: 0 additions & 23 deletions
23
vulnerabilities/migrations/0040_advisory_is_rejected_vulnerability_is_rejected.py
This file was deleted.
Oops, something went wrong.
21 changes: 21 additions & 0 deletions
21
vulnerabilities/migrations/0041_advisory_status_vulnerability_status.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
# Generated by Django 4.1.7 on 2023-09-29 05:26 | ||
|
||
from django.db import migrations, models | ||
|
||
|
||
class Migration(migrations.Migration): | ||
|
||
dependencies = [ | ||
("vulnerabilities", "0040_remove_advisory_date_improved_advisory_date_imported"), | ||
] | ||
|
||
operations = [ | ||
migrations.AddField( | ||
model_name="vulnerability", | ||
name="status", | ||
field=models.IntegerField( | ||
choices=[(1, "published"), (2, "reserved"), (3, "disputed"), (4, "rejected")], | ||
default=1, | ||
), | ||
), | ||
] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
30 changes: 30 additions & 0 deletions
30
vulnerabilities/templates/0040_advisory_status_vulnerability_status.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
# Generated by Django 4.1.7 on 2023-09-21 12:20 | ||
|
||
from django.db import migrations | ||
from django.db import models | ||
|
||
|
||
class Migration(migrations.Migration): | ||
|
||
dependencies = [ | ||
("vulnerabilities", "0039_alter_vulnerabilityseverity_scoring_system"), | ||
] | ||
|
||
operations = [ | ||
migrations.AddField( | ||
model_name="advisory", | ||
name="status", | ||
field=models.IntegerField( | ||
choices=[(1, "published"), (2, "reserved"), (3, "disputed"), (4, "rejected")], | ||
default=1, | ||
), | ||
), | ||
migrations.AddField( | ||
model_name="vulnerability", | ||
name="status", | ||
field=models.IntegerField( | ||
choices=[(1, "published"), (2, "reserved"), (3, "disputed"), (4, "rejected")], | ||
default=1, | ||
), | ||
), | ||
] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters