-
Notifications
You must be signed in to change notification settings - Fork 203
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* Create suse_oval.py and related test files #1079 Reference: #1079 Signed-off-by: John M. Horan <johnmhoran@gmail.com> * Explore OvalParser() parsing process #1079 Reference: #1079 Signed-off-by: John M. Horan <johnmhoran@gmail.com> * Commit latest parsing changes #1079 Reference: #1079 Signed-off-by: John M. Horan <johnmhoran@gmail.com> * Update tests #1079 Reference: #1079 Signed-off-by: John M. Horan <johnmhoran@gmail.com> * Add note re loop through list of aliases #1079 Reference: #1079 Signed-off-by: John M. Horan <johnmhoran@gmail.com> * Work on alias/CVE loop #1079 Reference: #1079 Signed-off-by: John M. Horan <johnmhoran@gmail.com> * Add OVAL parsing test #1079 Reference: #1079 Signed-off-by: John M. Horan <johnmhoran@gmail.com> * Refactor OVAL-relared code, fix failing tests #1079 Reference: #1079 Signed-off-by: John M. Horan <johnmhoran@gmail.com> * Delete unneeded large XML files #1079 Reference: #1079 Signed-off-by: John M. Horan <johnmhoran@gmail.com> * Filter for name-affected.xml files, check CVE prefixes #1079 Reference: #1079 Signed-off-by: John M. Horan <johnmhoran@gmail.com> * Refactor OvalParser(), add and update tests #1079 Reference: #1079 Signed-off-by: John M. Horan <johnmhoran@gmail.com> * Refactor tests and test files, freeze Black version #1079 Reference: #1079 Signed-off-by: John M. Horan <johnmhoran@gmail.com> * Create suse_oval.py and related test files #1079 Reference: #1079 Signed-off-by: John M. Horan <johnmhoran@gmail.com> * Explore OvalParser() parsing process #1079 Reference: #1079 Signed-off-by: John M. Horan <johnmhoran@gmail.com> * Commit latest parsing changes #1079 Reference: #1079 Signed-off-by: John M. Horan <johnmhoran@gmail.com> * Update tests #1079 Reference: #1079 Signed-off-by: John M. Horan <johnmhoran@gmail.com> * Add note re loop through list of aliases #1079 Reference: #1079 Signed-off-by: John M. Horan <johnmhoran@gmail.com> * Work on alias/CVE loop #1079 Reference: #1079 Signed-off-by: John M. Horan <johnmhoran@gmail.com> * Add OVAL parsing test #1079 Reference: #1079 Signed-off-by: John M. Horan <johnmhoran@gmail.com> * Refactor OVAL-relared code, fix failing tests #1079 Reference: #1079 Signed-off-by: John M. Horan <johnmhoran@gmail.com> * Delete unneeded large XML files #1079 Reference: #1079 Signed-off-by: John M. Horan <johnmhoran@gmail.com> * Filter for name-affected.xml files, check CVE prefixes #1079 Reference: #1079 Signed-off-by: John M. Horan <johnmhoran@gmail.com> * Refactor OvalParser(), add and update tests #1079 Reference: #1079 Signed-off-by: John M. Horan <johnmhoran@gmail.com> * Refactor tests and test files, freeze Black version #1079 Reference: #1079 Signed-off-by: John M. Horan <johnmhoran@gmail.com> * Update setup.cfg * Replace 'list()' with 'sorted()' #1079 Reference: #1079 Signed-off-by: John M. Horan <johnmhoran@gmail.com> * Modify OvalElement class __lt__ method and create test #1079 Reference: #1079 Signed-off-by: John M. Horan <johnmhoran@gmail.com> * Add 'url' field to expected JSON test output #1079 Reference: #1079 Signed-off-by: John M. Horan <johnmhoran@gmail.com> * Update __lt__ method and related test #1079 Reference: #1079 Signed-off-by: John M. Horan <johnmhoran@gmail.com> --------- Signed-off-by: John M. Horan <johnmhoran@gmail.com> Signed-off-by: John M. Horan johnmhoran@gmail.com Co-authored-by: Tushar Goel <34160672+TG1999@users.noreply.github.com>
- Loading branch information
1 parent
5932722
commit 02e3fae
Showing
10 changed files
with
587 additions
and
68 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,69 @@ | ||
# | ||
# Copyright (c) nexB Inc. and others. All rights reserved. | ||
# VulnerableCode is a trademark of nexB Inc. | ||
# SPDX-License-Identifier: Apache-2.0 | ||
# See http://www.apache.org/licenses/LICENSE-2.0 for the license text. | ||
# See https://github.com/nexB/vulnerablecode for support or download. | ||
# See https://aboutcode.org for more information about nexB OSS projects. | ||
# | ||
|
||
|
||
import gzip | ||
import xml.etree.ElementTree as ET | ||
|
||
import requests | ||
from bs4 import BeautifulSoup | ||
|
||
from vulnerabilities.importer import OvalImporter | ||
|
||
|
||
class SuseOvalImporter(OvalImporter): | ||
spdx_license_expression = "CC-BY-4.0" | ||
license_url = "https://ftp.suse.com/pub/projects/security/oval/LICENSE" | ||
base_url = "https://ftp.suse.com/pub/projects/security/oval/" | ||
|
||
def __init__(self, *args, **kwargs): | ||
super().__init__(*args, **kwargs) | ||
self.translations = {"less than": "<", "equals": "=", "greater than or equal": ">="} | ||
|
||
def _fetch(self): | ||
page = requests.get(self.base_url).text | ||
soup = BeautifulSoup(page, "lxml") | ||
|
||
suse_oval_files = [ | ||
self.base_url + node.get("href") | ||
for node in soup.find_all("a") | ||
if node.get("href").endswith(".gz") | ||
] | ||
|
||
for suse_file in filter(suse_oval_files): | ||
response = requests.get(suse_file) | ||
|
||
extracted = gzip.decompress(response.content) | ||
yield ( | ||
{"type": "rpm", "namespace": "opensuse"}, | ||
ET.ElementTree(ET.fromstring(extracted.decode("utf-8"))), | ||
) | ||
|
||
|
||
def filter(suse_oval_files): | ||
""" | ||
Filter to exclude "name.xml" when we also have "name-affected.xml", e.g., | ||
"opensuse.leap.15.3.xml.gz" vs. "opensuse.leap.15.3-affected.xml.gz". See | ||
https://ftp.suse.com/pub/projects/security/oval/README: "name-affected.xml" includes | ||
"fixed security issues and the analyzed issues both affecting and NOT affecting SUSE" and | ||
"name.xml" includes "fixed security issues and the analyzed issues NOT affecting SUSE." | ||
""" | ||
affected_files = [ | ||
affected_file for affected_file in suse_oval_files if "-affected" in affected_file | ||
] | ||
|
||
trimmed_affected_files = [ | ||
affected_file.replace("-affected", "") for affected_file in affected_files | ||
] | ||
|
||
filtered_suse_oval_files = [ | ||
gz_file for gz_file in suse_oval_files if gz_file not in trimmed_affected_files | ||
] | ||
|
||
return filtered_suse_oval_files |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
42 changes: 42 additions & 0 deletions
42
vulnerabilities/tests/test_data/suse_oval/mock-definitions-only.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,42 @@ | ||
<?xml version="1.0" encoding="UTF-8"?> | ||
<oval_definitions xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd" | ||
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" | ||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | ||
xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" | ||
xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | ||
<definitions> | ||
<definition id="oval:org.opensuse.security:def:2009030400" version="1" class="patch"> | ||
<metadata> | ||
<title>CVE-2008-5679</title> | ||
<affected family="unix"> | ||
</affected> | ||
<reference ref_id="CVE-2008-5679" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5679" source="CVE"/> | ||
<description> | ||
The HTML parsing engine in Opera before 9.63 allows remote attackers to execute arbitrary code via crafted web pages that trigger an invalid pointer calculation and heap corruption. | ||
</description> | ||
</metadata> | ||
</definition> | ||
<definition id="oval:org.opensuse.security:def:2009030400" version="1" class="patch"> | ||
<metadata> | ||
<title>foobar-CVE-1234-5678</title> | ||
<affected family="unix"> | ||
</affected> | ||
<reference ref_id="foobar-CVE-1234-5678" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=foobar-CVE-1234-5678" source="CVE"/> | ||
<description> | ||
Blah blah blah. | ||
</description> | ||
</metadata> | ||
</definition> | ||
<definition id="oval:org.opensuse.security:def:2009030400" version="1" class="patch"> | ||
<metadata> | ||
<title>nonesuchCVE-1111-2222</title> | ||
<affected family="unix"> | ||
</affected> | ||
<reference ref_id="nonesuchCVE-1111-2222" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=nonesuchCVE-1111-2222" source="CVE"/> | ||
<description> | ||
Blah blah blah. | ||
</description> | ||
</metadata> | ||
</definition> | ||
</definitions> | ||
</oval_definitions> |
Oops, something went wrong.