From 23181798f818dc9fbba6b71795f15605bb8ad3a6 Mon Sep 17 00:00:00 2001
From: ambuj
Date: Sun, 21 Jul 2024 13:59:05 +0530
Subject: [PATCH 1/6] add-rockylinux-advisories-initial-commit

Signed-off-by: ambuj
---
vulnerabilities/importers/rockylinux.py | 162 ++++++++++++++++++++++++
1 file changed, 162 insertions(+)
create mode 100644 vulnerabilities/importers/rockylinux.py

diff --git a/vulnerabilities/importers/rockylinux.py b/vulnerabilities/importers/rockylinux.py
new file mode 100644
index 000000000..a2cc1940b
--- /dev/null
+++ b/vulnerabilities/importers/rockylinux.py
@@ -0,0 +1,162 @@ +# +# Copyright (c) nexB Inc. and others. All rights reserved. +# VulnerableCode is a trademark of nexB Inc. +# SPDX-License-Identifier: Apache-2.0 +# See http://www.apache.org/licenses/LICENSE-2.0 for the license text. +# See https://github.com/nexB/vulnerablecode for support or download. +# See https://aboutcode.org for more information about nexB OSS projects. +# + +import logging +import re +from typing import Dict +from typing import Iterable +from typing import List + +import requests +from packageurl import PackageURL +from univers.version_range import RpmVersionRange + +from vulnerabilities import severity_systems +from vulnerabilities.importer import AdvisoryData +from vulnerabilities.importer import AffectedPackage +from vulnerabilities.importer import Importer +from vulnerabilities.importer import Reference +from vulnerabilities.importer import VulnerabilitySeverity +from vulnerabilities.rpm_utils import rpm_to_purl +from vulnerabilities.utils import get_cwe_id +from vulnerabilities.utils import get_item +from vulnerabilities.utils import requests_with_5xx_retry + +logger = logging.getLogger(__name__) + +# FIXME: we should use a centralized retry +requests_session = requests_with_5xx_retry(max_retries=5, backoff_factor=1) + + +def fetch_cves() -> Iterable[List[Dict]]: + page_no = 1 + cve_data = None + while True: + current_url = f"https://access.redhat.com/hydra/rest/securitydata/cve.json?per_page=1000&page={page_no}" # nopep8 + try: + response = requests_session.get(current_url) + if response.status_code != requests.codes.ok: + logger.error(f"Failed to fetch RedHat CVE results from {current_url}") + break + cve_data = response.json() + except Exception as e: + logger.error(f"Failed to fetch RedHat CVE results from {current_url} {e}") + break + if not cve_data: + break + page_no += 1 + yield cve_data + + +def get_data_from_url(url): + try: + return requests_session.get(url).json() + except Exception as e: + logger.error(f"Failed to 
fetch results from {url} {e!r}") + return {} + + +class RedhatImporter(Importer): + spdx_license_expression = "CC-BY-4.0" + license_url = "https://access.redhat.com/documentation/en-us/red_hat_security_data_api/1.0/html/red_hat_security_data_api/legal-notice" + importer_name = "RedHat Importer" + + def advisory_data(self) -> Iterable[AdvisoryData]: + for redhat_cves in fetch_cves(): + for redhat_cve in redhat_cves: + yield to_advisory(redhat_cve) + + +def to_advisory(advisory_data): + affected_packages: List[AffectedPackage] = [] + for rpm in advisory_data.get("affected_packages") or []: + purl = rpm_to_purl(rpm_string=rpm, namespace="redhat") + if purl: + try: + affected_version_range = RpmVersionRange.from_versions(sequence=[purl.version]) + affected_packages.append( + AffectedPackage( + package=PackageURL( + type=purl.type, + name=purl.name, + namespace=purl.namespace, + qualifiers=purl.qualifiers, + subpath=purl.subpath, + ), + affected_version_range=affected_version_range, + fixed_version=None, + ) + ) + except Exception as e: + logger.error(f"Failed to parse version range {purl.version} for {purl} {e}") + + references = [] + bugzilla = advisory_data.get("bugzilla") + if bugzilla: + url = "https://bugzilla.redhat.com/show_bug.cgi?id={}".format(bugzilla) + references.append( + Reference( + url=url, + reference_id=bugzilla, + ) + ) + + for rh_adv in advisory_data.get("advisories") or []: + # RH provides 3 types of advisories RHSA, RHBA, RHEA. Only RHSA's contain severity score. + # See https://access.redhat.com/articles/2130961 for more details. 
+ + if not isinstance(rh_adv, str): + logger.error(f"Invalid advisory type {rh_adv}") + continue + + if "RHSA" in rh_adv.upper(): + references.append( + Reference( + url="https://access.redhat.com/errata/{}".format(rh_adv), + reference_id=rh_adv, + ) + ) + + else: + references.append(Reference(severities=[], url=url, reference_id=rh_adv)) + + redhat_scores = [] + cvssv3_score = advisory_data.get("cvss3_score") + cvssv3_vector = advisory_data.get("cvss3_scoring_vector", "") + if cvssv3_score: + redhat_scores.append( + VulnerabilitySeverity( + system=severity_systems.CVSSV3, + value=cvssv3_score, + scoring_elements=cvssv3_vector, + ) + ) + cwe_list = [] + # cwe_string : CWE-409","CWE-121->CWE-787","(CWE-401|CWE-404)","(CWE-190|CWE-911)->CWE-416" + cwe_string = advisory_data.get("CWE") + if cwe_string: + cwe_list = list(map(get_cwe_id, re.findall("CWE-[0-9]+", cwe_string))) + + aliases = [] + alias = advisory_data.get("CVE") + if alias: + aliases.append(alias) + resource_url = advisory_data.get("resource_url") + if resource_url: + references.append(Reference(severities=redhat_scores, url=resource_url)) + return AdvisoryData( + aliases=aliases, + summary=advisory_data.get("bugzilla_description") or "", + affected_packages=affected_packages, + references=references, + weaknesses=cwe_list, + url=resource_url + if resource_url + else "https://access.redhat.com/hydra/rest/securitydata/cve.json", + ) From 2e0939fc8e7a69e4bd8b1ca8a08dc303229578f1 Mon Sep 17 00:00:00 2001 From: ambuj Date: Mon, 5 Aug 2024 19:02:04 +0530 Subject: [PATCH 2/6] add-rockylinux-advisories and tests 
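Review bot: The non-RHSA branch at the end of the advisories loop, `references.append(Reference(severities=[], url=url, reference_id=rh_adv))`, reads `url`, which is only bound inside the preceding `if bugzilla:` block, so an advisory that lists an RHBA/RHEA entry but has no bugzilla id raises UnboundLocalError, and when a bugzilla id is present the errata reference is given the Bugzilla URL instead of its own. The branch should build its own link, e.g. `url="https://access.redhat.com/errata/{}".format(rh_adv)`, or omit the url when there is none. As committed the file is a copy of the Red Hat importer (`RedhatImporter`, Red Hat endpoints and log text) under the rockylinux module name, so the same branch presumably exists in the importer it was copied from and is worth fixing there too.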
Signed-off-by: ambuj --- vulnerabilities/importers/__init__.py | 2 + vulnerabilities/importers/rockylinux.py | 185 ++++--- vulnerabilities/improvers/__init__.py | 1 + vulnerabilities/improvers/valid_versions.py | 6 + .../rockylinux/rockylinux_expected1.json | 458 ++++++++++++++++++ .../rockylinux/rockylinux_expected2.json | 239 +++++++++ .../rockylinux/rockylinux_test1.json | 82 ++++ .../rockylinux/rockylinux_test2.json | 160 ++++++ vulnerabilities/tests/test_rockylinux.py | 64 +++ 9 files changed, 1123 insertions(+), 74 deletions(-) create mode 100644 vulnerabilities/tests/test_data/rockylinux/rockylinux_expected1.json create mode 100644 vulnerabilities/tests/test_data/rockylinux/rockylinux_expected2.json create mode 100644 vulnerabilities/tests/test_data/rockylinux/rockylinux_test1.json create mode 100644 vulnerabilities/tests/test_data/rockylinux/rockylinux_test2.json create mode 100644 vulnerabilities/tests/test_rockylinux.py diff --git a/vulnerabilities/importers/__init__.py b/vulnerabilities/importers/__init__.py index cedd8902b..7a2cd52ca 100644 --- a/vulnerabilities/importers/__init__.py +++ b/vulnerabilities/importers/__init__.py @@ -33,6 +33,7 @@ from vulnerabilities.importers import pysec from vulnerabilities.importers import redhat from vulnerabilities.importers import retiredotnet +from vulnerabilities.importers import rockylinux from vulnerabilities.importers import ruby from vulnerabilities.importers import suse_scores from vulnerabilities.importers import ubuntu @@ -71,6 +72,7 @@ oss_fuzz.OSSFuzzImporter, ruby.RubyImporter, github_osv.GithubOSVImporter, + rockylinux.RockyLinuxImporter, ] IMPORTERS_REGISTRY = {x.qualified_name: x for x in IMPORTERS_REGISTRY} diff --git a/vulnerabilities/importers/rockylinux.py b/vulnerabilities/importers/rockylinux.py index a2cc1940b..4f9b98923 100644 --- a/vulnerabilities/importers/rockylinux.py +++ b/vulnerabilities/importers/rockylinux.py 
@@ -13,7 +13,9 @@ from typing import Iterable from typing import List +import dateparser import requests +from cwe2.database import Database from packageurl import PackageURL from univers.version_range import RpmVersionRange 
@@ -35,52 +37,54 @@ def fetch_cves() -> Iterable[List[Dict]]: - page_no = 1 - cve_data = None + page_no = 0 + cve_data_list = [] while True: - current_url = f"https://access.redhat.com/hydra/rest/securitydata/cve.json?per_page=1000&page={page_no}" # nopep8 + current_url = f"https://errata.rockylinux.org/api/v2/advisories?filters.product=&filters.fetchRelated=true&page={page_no}&limit=100" try: response = requests_session.get(current_url) if response.status_code != requests.codes.ok: logger.error(f"Failed to fetch RedHat CVE results from {current_url}") break - cve_data = response.json() + cve_data = response.json().get("advisories") or [] + cve_data_list.extend(cve_data) except Exception as e: - logger.error(f"Failed to fetch RedHat CVE results from {current_url} {e}") + logger.error(f"Failed to fetch rockylinux CVE results from {current_url} {e}") break if not cve_data: break page_no += 1 - yield cve_data + return cve_data_list -def get_data_from_url(url): - try: - return requests_session.get(url).json() - except Exception as e: - logger.error(f"Failed to fetch results from {url} {e!r}") - return {} - - -class RedhatImporter(Importer): +class RockyLinuxImporter(Importer): spdx_license_expression = "CC-BY-4.0" - license_url = "https://access.redhat.com/documentation/en-us/red_hat_security_data_api/1.0/html/red_hat_security_data_api/legal-notice" - importer_name = "RedHat Importer" + license_url = "https://access.redhat.com/security/data" + importer_name = "Rocky Importer" def advisory_data(self) -> Iterable[AdvisoryData]: - for redhat_cves in fetch_cves(): - for redhat_cve in redhat_cves: - yield to_advisory(redhat_cve) + + for rockylinux_cve in fetch_cves(): + yield to_advisory(rockylinux_cve) def to_advisory(advisory_data): - affected_packages: List[AffectedPackage] = [] - for rpm in advisory_data.get("affected_packages") or []: - purl = rpm_to_purl(rpm_string=rpm, namespace="redhat") + aliases = advisory_data.get("name") or "" + date_published = 
dateparser.parse(advisory_data.get("publishedAt", "")) + + summary = advisory_data.get("description") or "" + affected_products = advisory_data.get("affectedProducts") or [] + affected_packages = [] + for products in affected_products: + packages = advisory_data["rpms"][products]["nvras"] + affected_packages.extend(packages) + processed_affected_packages: List[AffectedPackage] = [] + for rpm in affected_packages: + purl = rpm_to_purl(rpm_string=rpm.rsplit(".rpm", 1)[0] or "", namespace="rocky-linux") if purl: try: affected_version_range = RpmVersionRange.from_versions(sequence=[purl.version]) - affected_packages.append( + processed_affected_packages.append( AffectedPackage( package=PackageURL( type=purl.type, 
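Review bot: `aliases = advisory_data.get("name") or ""` hands a bare string to `AdvisoryData(aliases=...)` in the next hunk, where the code it replaces built a list; the expected fixture pins this as `"aliases": "RLSA-2022:2013"`, and any consumer that iterates aliases will see single characters. Use `advisory_id = advisory_data.get("name") or ""` followed by `aliases = [advisory_id] if advisory_id else []`, and build the errata URL from `advisory_id`. The `fetch_cves` signature still reads `-> Iterable[List[Dict]]` while the body now returns one flat `List[Dict]` after loading every page into memory, and its first error log still says "Failed to fetch RedHat CVE results". `advisory_data["rpms"][products]["nvras"]` raises KeyError for a product absent from `rpms`, unlike the `.get()` used for the other fields. to_advisory continues past the end of this hunk.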
@@ -96,67 +100,100 @@ def to_advisory(advisory_data): except Exception as e: logger.error(f"Failed to parse version range {purl.version} for {purl} {e}") - references = [] - bugzilla = advisory_data.get("bugzilla") - if bugzilla: - url = "https://bugzilla.redhat.com/show_bug.cgi?id={}".format(bugzilla) - references.append( - Reference( - url=url, - reference_id=bugzilla, - ) + references = [ + Reference( + severities=[], url=fix.get("sourceLink") or "", reference_id=fix.get("ticket") or "" ) + for fix in advisory_data["fixes"] + ] - for rh_adv in advisory_data.get("advisories") or []: - # RH provides 3 types of advisories RHSA, RHBA, RHEA. Only RHSA's contain severity score. - # See https://access.redhat.com/articles/2130961 for more details. + for ref in advisory_data.get("cves") or []: - if not isinstance(rh_adv, str): - logger.error(f"Invalid advisory type {rh_adv}") + name = ref.get("name", "") + if not isinstance(name, str): + logger.error(f"Invalid advisory type {name}") continue - if "RHSA" in rh_adv.upper(): + if "CVE" in name.upper(): + severity_vector_pattern = r"CVSS:3\.1/([A-Z:/]+)" + severities = VulnerabilitySeverity( + system=severity_systems.CVSSV31, + value=ref.get("cvss3BaseScore", ""), + scoring_elements=re.findall( + severity_vector_pattern, ref.get("cvss3ScoringVector", "") + ), + ) references.append( Reference( - url="https://access.redhat.com/errata/{}".format(rh_adv), - reference_id=rh_adv, + severities=[severities], + url=ref.get("sourceLink", ""), + reference_id=name, ) ) - else: - references.append(Reference(severities=[], url=url, reference_id=rh_adv)) - - redhat_scores = [] - cvssv3_score = advisory_data.get("cvss3_score") - cvssv3_vector = advisory_data.get("cvss3_scoring_vector", "") - if cvssv3_score: - redhat_scores.append( - VulnerabilitySeverity( - system=severity_systems.CVSSV3, - value=cvssv3_score, - scoring_elements=cvssv3_vector, - ) - ) - cwe_list = [] - # cwe_string : 
CWE-409","CWE-121->CWE-787","(CWE-401|CWE-404)","(CWE-190|CWE-911)->CWE-416" - cwe_string = advisory_data.get("CWE") - if cwe_string: - cwe_list = list(map(get_cwe_id, re.findall("CWE-[0-9]+", cwe_string))) - - aliases = [] - alias = advisory_data.get("CVE") - if alias: - aliases.append(alias) - resource_url = advisory_data.get("resource_url") - if resource_url: - references.append(Reference(severities=redhat_scores, url=resource_url)) return AdvisoryData( aliases=aliases, - summary=advisory_data.get("bugzilla_description") or "", - affected_packages=affected_packages, + summary=summary, + affected_packages=processed_affected_packages, references=references, - weaknesses=cwe_list, - url=resource_url - if resource_url - else "https://access.redhat.com/hydra/rest/securitydata/cve.json", + date_published=date_published, + weaknesses=get_cwes_from_rockylinux_advisory(advisory_data), + url=f"https://errata.rockylinux.org/{aliases}", ) + + +def get_cwes_from_rockylinux_advisory(advisory_data) -> [int]: + """ + Extract CWE IDs from advisory data and validate them against a database. + + :param advisory_data: Dictionary containing CVE information. + :return: List of valid CWE IDs. + + >>> advisory_data = {"cves": [ + ... { + ... "name": "CVE-2022-24999", + ... "sourceBy": "MITRE", + ... "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24999", + ... "cvss3ScoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + ... "cvss3BaseScore": "7.5", + ... "cwe": "CWE-1321" + ... }, + ... { + ... "name": "CVE-2022-3517", + ... "sourceBy": "MITRE", + ... "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517", + ... "cvss3ScoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + ... "cvss3BaseScore": "7.5", + ... "cwe": "CWE-400" + ... }, + ... { + ... "name": "CVE-2022-43548", + ... "sourceBy": "MITRE", + ... "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548", + ... 
"cvss3ScoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + ... "cvss3BaseScore": "7.5", + ... "cwe": "CWE-350" + ... } + ... ]} + >>> get_cwes_from_rockylinux_advisory(advisory_data) + [1321, 400, 350] + >>> get_cwes_from_rockylinux_advisory({"cves": [{"name": "CVE-1234-1234","cwe": "None"}]}) + [] + """ + + cwe_ids = [] + for cve in advisory_data.get("cves", []): + cwe_pattern = r"CWE-\d+" + cwe_id_list = re.findall(cwe_pattern, cve.get("cwe", "")) + cwe_ids.extend(cwe_id_list) + weaknesses = [] + db = Database() + for cwe_string in cwe_ids: + if cwe_string: + cwe_id = get_cwe_id(cwe_string) + try: + db.get(cwe_id) + weaknesses.append(cwe_id) + except Exception: + logger.error("Invalid CWE id") + return weaknesses diff --git a/vulnerabilities/improvers/__init__.py b/vulnerabilities/improvers/__init__.py index 8cc68b9a6..2a68bdea9 100644 --- a/vulnerabilities/improvers/__init__.py +++ b/vulnerabilities/improvers/__init__.py @@ -27,6 +27,7 @@ valid_versions.RubyImprover, valid_versions.GithubOSVImprover, vulnerability_status.VulnerabilityStatusImprover, + valid_versions.RockyLinuxImprover, ] IMPROVERS_REGISTRY = {x.qualified_name: x for x in IMPROVERS_REGISTRY} diff --git a/vulnerabilities/improvers/valid_versions.py b/vulnerabilities/improvers/valid_versions.py index d23508bea..13ee15408 100644 --- a/vulnerabilities/improvers/valid_versions.py +++ b/vulnerabilities/improvers/valid_versions.py @@ -38,6 +38,7 @@ from vulnerabilities.importers.nginx import NginxImporter from vulnerabilities.importers.npm import NpmImporter from vulnerabilities.importers.oss_fuzz import OSSFuzzImporter +from vulnerabilities.importers.rockylinux import RockyLinuxImporter from vulnerabilities.importers.ruby import RubyImporter from vulnerabilities.importers.ubuntu import UbuntuImporter from vulnerabilities.improver import MAX_CONFIDENCE 
@@ -472,3 +473,8 @@ class RubyImprover(ValidVersionImprover): class GithubOSVImprover(ValidVersionImprover): importer = GithubOSVImporter ignorable_versions = [] + + +class RockyLinuxImprover(ValidVersionImprover): + importer = RockyLinuxImporter + ignorable_versions = [] diff --git a/vulnerabilities/tests/test_data/rockylinux/rockylinux_expected1.json b/vulnerabilities/tests/test_data/rockylinux/rockylinux_expected1.json new file mode 100644 index 000000000..8b74547e3 --- /dev/null +++ b/vulnerabilities/tests/test_data/rockylinux/rockylinux_expected1.json 
@@ -0,0 +1,458 @@ +{ + "aliases": "RLSA-2022:2013", + "summary": "OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server.\n\nSecurity Fix(es):\n\n* openssh: privilege escalation when AuthorizedKeysCommand or AuthorizedPrincipalsCommand are configured (CVE-2021-41617)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Rocky Linux 8.6 Release Notes linked from the References section.", + "affected_packages": [ + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh", + "version": "", + "qualifiers": "arch=src", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-askpass", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-askpass", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + 
"type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-askpass-debuginfo", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-askpass-debuginfo", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-cavs", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-cavs", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-cavs-debuginfo", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-cavs-debuginfo", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-clients", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-clients", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + 
"type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-clients-debuginfo", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-clients-debuginfo", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-debuginfo", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-debuginfo", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-debugsource", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-debugsource", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-keycat", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-keycat", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { 
+ "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-keycat-debuginfo", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-keycat-debuginfo", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-ldap", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-ldap", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-ldap-debuginfo", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-ldap-debuginfo", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-server", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-server", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + 
"type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-server-debuginfo", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-server-debuginfo", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "pam_ssh_agent_auth", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/0.10.3-7.13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "pam_ssh_agent_auth", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/0.10.3-7.13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "pam_ssh_agent_auth-debuginfo", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/0.10.3-7.13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "pam_ssh_agent_auth-debuginfo", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/0.10.3-7.13.el8", + "fixed_version": null + } + ], + "references": [ + { + "reference_id": "2008291", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2008291", + "severities": [] + }, + { + "reference_id": "2015828", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2015828", + "severities": [] + }, + { + "reference_id": "CVE-2021-41617", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41617", + "severities": [ + { + "system": "cvssv3.1", + "value": "7.0", + "scoring_elements": [ + 
"AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" + ] + } + ] + } + ], + "date_published": "2022-05-10T06:45:24+00:00", + "weaknesses": [ + 273, + 123, + 546 + ], + "url": "https://errata.rockylinux.org/RLSA-2022:2013" +} \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/rockylinux/rockylinux_expected2.json b/vulnerabilities/tests/test_data/rockylinux/rockylinux_expected2.json new file mode 100644 index 000000000..c52bb354b --- /dev/null +++ b/vulnerabilities/tests/test_data/rockylinux/rockylinux_expected2.json 
@@ -0,0 +1,239 @@ +{ + "aliases": "RLSA-2024:1494", + "summary": "Mozilla Thunderbird is a standalone mail and newsgroup client.\n\nThis update upgrades Thunderbird to version 115.9.0.\n\nSecurity Fix(es):\n\n* nss: timing attack against RSA decryption (CVE-2023-5388)\n\n* Mozilla: Crash in NSS TLS method (CVE-2024-0743)\n\n* Mozilla: Leaking of encrypted email subjects to other conversations (CVE-2024-1936)\n\n* Mozilla: JIT code failed to save return registers on Armv7-A (CVE-2024-2607)\n\n* Mozilla: Integer overflow could have led to out of bounds write\n(CVE-2024-2608)\n\n* Mozilla: Improper handling of html and body tags enabled CSP nonce leakage\n(CVE-2024-2610)\n\n* Mozilla: Clickjacking vulnerability could have led to a user accidentally\ngranting permissions (CVE-2024-2611)\n\n* Mozilla: Self referencing object could have potentially led to a\nuse-after-free (CVE-2024-2612)\n\n* Mozilla: Memory safety bugs fixed in Firefox 124, Firefox ESR 115.9, and\nThunderbird 115.9 (CVE-2024-2614)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", + "affected_packages": [ + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "thunderbird", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/115.9.0-1.el8_9", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "thunderbird", + "version": "", + "qualifiers": "arch=src", + "subpath": "" + }, + "affected_version_range": "vers:rpm/115.9.0-1.el8_9", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "thunderbird", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/115.9.0-1.el8_9", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + 
"namespace": "rocky-linux", + "name": "thunderbird-debuginfo", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/115.9.0-1.el8_9", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "thunderbird-debuginfo", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/115.9.0-1.el8_9", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "thunderbird-debugsource", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/115.9.0-1.el8_9", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "thunderbird-debugsource", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/115.9.0-1.el8_9", + "fixed_version": null + } + ], + "references": [ + { + "reference_id": "2243644", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243644", + "severities": [] + }, + { + "reference_id": "2260012", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2260012", + "severities": [] + }, + { + "reference_id": "2268171", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268171", + "severities": [] + }, + { + "reference_id": "2270660", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270660", + "severities": [] + }, + { + "reference_id": "2270661", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270661", + "severities": [] + }, + { + "reference_id": "2270663", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270663", + "severities": [] + }, + { + "reference_id": "2270664", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270664", + "severities": [] + }, + { + "reference_id": "2270665", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270665", + "severities": [] + }, + { + "reference_id": 
"2270666", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270666", + "severities": [] + }, + { + "reference_id": "CVE-2023-5388", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5388", + "severities": [ + { + "system": "cvssv3.1", + "value": "UNKNOWN", + "scoring_elements": [] + } + ] + }, + { + "reference_id": "CVE-2024-0743", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0743", + "severities": [ + { + "system": "cvssv3.1", + "value": "UNKNOWN", + "scoring_elements": [] + } + ] + }, + { + "reference_id": "CVE-2024-1936", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1936", + "severities": [ + { + "system": "cvssv3.1", + "value": "UNKNOWN", + "scoring_elements": [] + } + ] + }, + { + "reference_id": "CVE-2024-2607", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2607", + "severities": [ + { + "system": "cvssv3.1", + "value": "UNKNOWN", + "scoring_elements": [] + } + ] + }, + { + "reference_id": "CVE-2024-2608", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2608", + "severities": [ + { + "system": "cvssv3.1", + "value": "UNKNOWN", + "scoring_elements": [] + } + ] + }, + { + "reference_id": "CVE-2024-2610", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2610", + "severities": [ + { + "system": "cvssv3.1", + "value": "UNKNOWN", + "scoring_elements": [] + } + ] + }, + { + "reference_id": "CVE-2024-2611", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2611", + "severities": [ + { + "system": "cvssv3.1", + "value": "UNKNOWN", + "scoring_elements": [] + } + ] + }, + { + "reference_id": "CVE-2024-2612", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2612", + "severities": [ + { + "system": "cvssv3.1", + "value": "UNKNOWN", + "scoring_elements": [] + } + ] + }, + { + "reference_id": "CVE-2024-2614", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2614", + "severities": [ + { + "system": 
"cvssv3.1", + "value": "UNKNOWN", + "scoring_elements": [] + } + ] + } + ], + "date_published": "2024-03-27T04:34:32.999941+00:00", + "weaknesses": [], + "url": "https://errata.rockylinux.org/RLSA-2024:1494" +} \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/rockylinux/rockylinux_test1.json b/vulnerabilities/tests/test_data/rockylinux/rockylinux_test1.json new file mode 100644 index 000000000..1cd1a772c --- /dev/null +++ b/vulnerabilities/tests/test_data/rockylinux/rockylinux_test1.json 
@@ -0,0 +1,82 @@ +{ + "type": "TYPE_SECURITY", + "shortCode": "RL", + "name": "RLSA-2022:2013", + "synopsis": "Moderate: openssh security, bug fix, and enhancement update", + "severity": "SEVERITY_MODERATE", + "topic": "An update is available for openssh.\nThis update affects Rocky Linux 8.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list", + "description": "OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server.\n\nSecurity Fix(es):\n\n* openssh: privilege escalation when AuthorizedKeysCommand or AuthorizedPrincipalsCommand are configured (CVE-2021-41617)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Rocky Linux 8.6 Release Notes linked from the References section.", + "solution": null, + "affectedProducts": [ + "Rocky Linux 8" + ], + "fixes": [ + { + "ticket": "2008291", + "sourceBy": "Red Hat", + "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2008291", + "description": "" + }, + { + "ticket": "2015828", + "sourceBy": "Red Hat", + "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2015828", + "description": "" + } + ], + "cves": [ + { + "name": "CVE-2021-41617", + "sourceBy": "MITRE", + "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41617", + "cvss3ScoringVector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "cvss3BaseScore": "7.0", + "cwe": "CWE-273, CWE-123, CWE-546" + } + ], + "references": [], + "publishedAt": "2022-05-10T06:45:24Z", + "rpms": { + "Rocky Linux 8": { + "nvras": [ + "openssh-0:8.0p1-13.el8.aarch64.rpm", + 
"openssh-0:8.0p1-13.el8.src.rpm", + "openssh-0:8.0p1-13.el8.x86_64.rpm", + "openssh-askpass-0:8.0p1-13.el8.aarch64.rpm", + "openssh-askpass-0:8.0p1-13.el8.x86_64.rpm", + "openssh-askpass-debuginfo-0:8.0p1-13.el8.aarch64.rpm", + "openssh-askpass-debuginfo-0:8.0p1-13.el8.x86_64.rpm", + "openssh-cavs-0:8.0p1-13.el8.aarch64.rpm", + "openssh-cavs-0:8.0p1-13.el8.x86_64.rpm", + "openssh-cavs-debuginfo-0:8.0p1-13.el8.aarch64.rpm", + "openssh-cavs-debuginfo-0:8.0p1-13.el8.x86_64.rpm", + "openssh-clients-0:8.0p1-13.el8.aarch64.rpm", + "openssh-clients-0:8.0p1-13.el8.x86_64.rpm", + "openssh-clients-debuginfo-0:8.0p1-13.el8.aarch64.rpm", + "openssh-clients-debuginfo-0:8.0p1-13.el8.x86_64.rpm", + "openssh-debuginfo-0:8.0p1-13.el8.aarch64.rpm", + "openssh-debuginfo-0:8.0p1-13.el8.x86_64.rpm", + "openssh-debugsource-0:8.0p1-13.el8.aarch64.rpm", + "openssh-debugsource-0:8.0p1-13.el8.x86_64.rpm", + "openssh-keycat-0:8.0p1-13.el8.aarch64.rpm", + "openssh-keycat-0:8.0p1-13.el8.x86_64.rpm", + "openssh-keycat-debuginfo-0:8.0p1-13.el8.aarch64.rpm", + "openssh-keycat-debuginfo-0:8.0p1-13.el8.x86_64.rpm", + "openssh-ldap-0:8.0p1-13.el8.aarch64.rpm", + "openssh-ldap-0:8.0p1-13.el8.x86_64.rpm", + "openssh-ldap-debuginfo-0:8.0p1-13.el8.aarch64.rpm", + "openssh-ldap-debuginfo-0:8.0p1-13.el8.x86_64.rpm", + "openssh-server-0:8.0p1-13.el8.aarch64.rpm", + "openssh-server-0:8.0p1-13.el8.x86_64.rpm", + "openssh-server-debuginfo-0:8.0p1-13.el8.aarch64.rpm", + "openssh-server-debuginfo-0:8.0p1-13.el8.x86_64.rpm", + "pam_ssh_agent_auth-0:0.10.3-7.13.el8.aarch64.rpm", + "pam_ssh_agent_auth-0:0.10.3-7.13.el8.x86_64.rpm", + "pam_ssh_agent_auth-debuginfo-0:0.10.3-7.13.el8.aarch64.rpm", + "pam_ssh_agent_auth-debuginfo-0:0.10.3-7.13.el8.x86_64.rpm" + ] + } + }, + "rebootSuggested": false, + "buildReferences": [] +} \ No newline at end of file 
diff --git a/vulnerabilities/tests/test_data/rockylinux/rockylinux_test2.json b/vulnerabilities/tests/test_data/rockylinux/rockylinux_test2.json
new file mode 100644
index 000000000..ae257c772
--- /dev/null
+++ b/vulnerabilities/tests/test_data/rockylinux/rockylinux_test2.json
@@ -0,0 +1,160 @@ +{ + "type": "TYPE_SECURITY", + "shortCode": "RL", + "name": "RLSA-2024:1494", + "synopsis": "Moderate: thunderbird security update", + "severity": "SEVERITY_MODERATE", + "topic": "An update is available for thunderbird.\nThis update affects Rocky Linux 8.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list", + "description": "Mozilla Thunderbird is a standalone mail and newsgroup client.\n\nThis update upgrades Thunderbird to version 115.9.0.\n\nSecurity Fix(es):\n\n* nss: timing attack against RSA decryption (CVE-2023-5388)\n\n* Mozilla: Crash in NSS TLS method (CVE-2024-0743)\n\n* Mozilla: Leaking of encrypted email subjects to other conversations (CVE-2024-1936)\n\n* Mozilla: JIT code failed to save return registers on Armv7-A (CVE-2024-2607)\n\n* Mozilla: Integer overflow could have led to out of bounds write\n(CVE-2024-2608)\n\n* Mozilla: Improper handling of html and body tags enabled CSP nonce leakage\n(CVE-2024-2610)\n\n* Mozilla: Clickjacking vulnerability could have led to a user accidentally\ngranting permissions (CVE-2024-2611)\n\n* Mozilla: Self referencing object could have potentially led to a\nuse-after-free (CVE-2024-2612)\n\n* Mozilla: Memory safety bugs fixed in Firefox 124, Firefox ESR 115.9, and\nThunderbird 115.9 (CVE-2024-2614)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", + "solution": null, + "affectedProducts": [ + "Rocky Linux 8" + ], + "fixes": [ + { + "ticket": "2243644", + "sourceBy": "Red Hat", + "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2243644", + "description": "" + }, + { + "ticket": "2260012", + "sourceBy": "Red Hat", + "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2260012", + "description": "" + }, + { + "ticket": "2268171", + 
"sourceBy": "Red Hat", + "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2268171", + "description": "" + }, + { + "ticket": "2270660", + "sourceBy": "Red Hat", + "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2270660", + "description": "" + }, + { + "ticket": "2270661", + "sourceBy": "Red Hat", + "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2270661", + "description": "" + }, + { + "ticket": "2270663", + "sourceBy": "Red Hat", + "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2270663", + "description": "" + }, + { + "ticket": "2270664", + "sourceBy": "Red Hat", + "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2270664", + "description": "" + }, + { + "ticket": "2270665", + "sourceBy": "Red Hat", + "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2270665", + "description": "" + }, + { + "ticket": "2270666", + "sourceBy": "Red Hat", + "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2270666", + "description": "" + } + ], + "cves": [ + { + "name": "CVE-2023-5388", + "sourceBy": "MITRE", + "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5388", + "cvss3ScoringVector": "UNKNOWN", + "cvss3BaseScore": "UNKNOWN", + "cwe": "UNKNOWN" + }, + { + "name": "CVE-2024-0743", + "sourceBy": "MITRE", + "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0743", + "cvss3ScoringVector": "UNKNOWN", + "cvss3BaseScore": "UNKNOWN", + "cwe": "UNKNOWN" + }, + { + "name": "CVE-2024-1936", + "sourceBy": "MITRE", + "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1936", + "cvss3ScoringVector": "UNKNOWN", + "cvss3BaseScore": "UNKNOWN", + "cwe": "UNKNOWN" + }, + { + "name": "CVE-2024-2607", + "sourceBy": "MITRE", + "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2607", + "cvss3ScoringVector": "UNKNOWN", + "cvss3BaseScore": "UNKNOWN", + "cwe": "UNKNOWN" + }, + { + "name": "CVE-2024-2608", + "sourceBy": "MITRE", + "sourceLink": 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2608", + "cvss3ScoringVector": "UNKNOWN", + "cvss3BaseScore": "UNKNOWN", + "cwe": "UNKNOWN" + }, + { + "name": "CVE-2024-2610", + "sourceBy": "MITRE", + "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2610", + "cvss3ScoringVector": "UNKNOWN", + "cvss3BaseScore": "UNKNOWN", + "cwe": "UNKNOWN" + }, + { + "name": "CVE-2024-2611", + "sourceBy": "MITRE", + "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2611", + "cvss3ScoringVector": "UNKNOWN", + "cvss3BaseScore": "UNKNOWN", + "cwe": "UNKNOWN" + }, + { + "name": "CVE-2024-2612", + "sourceBy": "MITRE", + "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2612", + "cvss3ScoringVector": "UNKNOWN", + "cvss3BaseScore": "UNKNOWN", + "cwe": "UNKNOWN" + }, + { + "name": "CVE-2024-2614", + "sourceBy": "MITRE", + "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2614", + "cvss3ScoringVector": "UNKNOWN", + "cvss3BaseScore": "UNKNOWN", + "cwe": "UNKNOWN" + } + ], + "references": [], + "publishedAt": "2024-03-27T04:34:32.999941Z", + "rpms": { + "Rocky Linux 8": { + "nvras": [ + "thunderbird-0:115.9.0-1.el8_9.aarch64.rpm", + "thunderbird-0:115.9.0-1.el8_9.src.rpm", + "thunderbird-0:115.9.0-1.el8_9.x86_64.rpm", + "thunderbird-debuginfo-0:115.9.0-1.el8_9.aarch64.rpm", + "thunderbird-debuginfo-0:115.9.0-1.el8_9.x86_64.rpm", + "thunderbird-debugsource-0:115.9.0-1.el8_9.aarch64.rpm", + "thunderbird-debugsource-0:115.9.0-1.el8_9.x86_64.rpm" + ] + } + }, + "rebootSuggested": false, + "buildReferences": [] + } \ No newline at end of file diff --git a/vulnerabilities/tests/test_rockylinux.py b/vulnerabilities/tests/test_rockylinux.py new file mode 100644 index 000000000..07d678ed8 --- /dev/null +++ b/vulnerabilities/tests/test_rockylinux.py 
@@ -0,0 +1,64 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/nexB/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+import json
+import os
+from unittest import TestCase
+from unittest.mock import patch
+
+from packageurl import PackageURL
+
+from vulnerabilities.importers import rockylinux
+from vulnerabilities.importers.rockylinux import get_cwes_from_rockylinux_advisory
+from vulnerabilities.importers.rockylinux import to_advisory
+from vulnerabilities.rpm_utils import rpm_to_purl
+from vulnerabilities.utils import load_json
+
+BASE_DIR = os.path.dirname(os.path.abspath(__file__))
+TEST_DATA = os.path.join(BASE_DIR, "test_data", "rockylinux")
+
+
+class TestRockyLinuxImporter(TestCase):
+ def test_to_advisory1(self):
+ test1 = os.path.join(TEST_DATA, "rockylinux_test1.json")
+ mock_response = load_json(test1)
+ expected_result = load_json(os.path.join(TEST_DATA, "rockylinux_expected1.json"))
+ assert to_advisory(mock_response).to_dict() == expected_result
+
+ def test_to_advisory2(self):
+ test2 = os.path.join(TEST_DATA, "rockylinux_test2.json")
+ mock_response2 = load_json(test2)
+ expected_result2 = load_json(os.path.join(TEST_DATA, "rockylinux_expected2.json"))
+ assert to_advisory(mock_response2).to_dict() == expected_result2
+
+ def test_rpm_to_purl(self):
+ assert rockylinux.rpm_to_purl("foobar", "rocky-linux") is None
+ assert rockylinux.rpm_to_purl("foo-bar-devel-0:sys76", "rocky-linux") is None
+ assert rockylinux.rpm_to_purl("cockpit-0:264.1-1.el8.aarch64", "rocky-linux") == PackageURL(
+ type="rpm",
+ namespace="rocky-linux",
+ name="cockpit",
+ version="264.1-1.el8",
+ qualifiers={"arch": "aarch64"},
+ )
+
+ def test_get_cwes_from_rockylinux_advisory(self):
+ advisory_data = {
+ "cves": [
+ {
+ "name": "CVE-2022-3140",
+ "sourceBy": "MITRE",
+ "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3140",
+ "cvss3ScoringVector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
+ "cvss3BaseScore": "5.3",
+ "cwe": "CWE-88->CWE-20",
+ }
+ ]
+ }
+ assert get_cwes_from_rockylinux_advisory(advisory_data=advisory_data) == [88, 20]
From bccfb5a8320f1f474574f3ab42a6aaa5ff7e1513 Mon Sep 17 00:00:00 2001
From: ambuj
Date: Tue, 20 Aug 2024 18:35:42 +0530
Subject: [PATCH 3/6] add doctest and optimize code in rockylinux importer
Signed-off-by: ambuj
---
 vulnerabilities/importers/rockylinux.py | 59 +++++++++++++++++++++++--
 1 file changed, 55 insertions(+), 4 deletions(-)
diff --git a/vulnerabilities/importers/rockylinux.py b/vulnerabilities/importers/rockylinux.py
index 4f9b98923..d7573cad4 100644
--- a/vulnerabilities/importers/rockylinux.py
+++ b/vulnerabilities/importers/rockylinux.py
@@ -69,6 +69,52 @@ def advisory_data(self) -> Iterable[AdvisoryData]:
 def to_advisory(advisory_data):
+
+ """
+ Convert Rockylinux advisory data into an AdvisoryData object.
+
+ Args:
+ advisory_data (dict): A dictionary containing advisory information.
+
+ Returns:
+ AdvisoryData: An instance of AdvisoryData with processed information.
+
+ Example:
+ >>> advisory_data = {
+ ... "name": "CVE-2023-1234",
+ ... "publishedAt": "2023-08-20T12:34:56Z",
+ ... "description": "A vulnerability in the system.",
+ ... "affectedProducts": ["product1"],
+ ... "rpms": {
+ ... "product1": {
+ ... "nvras": [
+ ... "package-1.0-1.el8.x86_64.rpm",
+ ... "package-2.0-1.el8.noarch.rpm"
+ ... ]
+ ... }
+ ... },
+ ... "fixes": [
+ ... {"sourceLink": "http://example.com/fix", "ticket": "12345"}
+ ... ],
+ ... "cves": [
+ ... {
+ ... "name": "CVE-2023-1234",
+ ... "cvss3BaseScore": "7.5",
+ ... "cvss3ScoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ ... "sourceLink": "http://example.com/cve"
+ ... }
+ ... ]
+ ... }
+ >>> advisory = to_advisory(advisory_data)
+ >>> advisory.aliases
+ 'CVE-2023-1234'
+ >>> advisory.date_published.year
+ 2023
+ >>> len(advisory.affected_packages)
+ 2
+ >>> len(advisory.references)
+ 2
+ """
 aliases = advisory_data.get("name") or ""
 date_published = dateparser.parse(advisory_data.get("publishedAt", ""))
@@ -76,7 +122,8 @@ def to_advisory(advisory_data):
 affected_products = advisory_data.get("affectedProducts") or []
 affected_packages = []
 for products in affected_products:
- packages = advisory_data["rpms"][products]["nvras"]
+ rpms = advisory_data.get("rpms", {})
+ packages = rpms.get(products, {}).get("nvras", [])
 affected_packages.extend(packages)
 processed_affected_packages: List[AffectedPackage] = []
 for rpm in affected_packages:
@@ -97,8 +144,8 @@ def to_advisory(advisory_data):
 fixed_version=None,
 )
 )
- except Exception as e:
- logger.error(f"Failed to parse version range {purl.version} for {purl} {e}")
+ except VersionParsingError as e:
+ logger.error(f"Failed to parse version {purl.version} for {purl} {e}")
 references = [
 Reference(
@@ -142,6 +189,10 @@ def to_advisory(advisory_data):
 )
+class VersionParsingError(Exception):
+ pass
+
+
 def get_cwes_from_rockylinux_advisory(advisory_data) -> [int]:
 """
 Extract CWE IDs from advisory data and validate them against a database.
@@ -194,6 +245,6 @@ def get_cwes_from_rockylinux_advisory(advisory_data) -> [int]:
 try:
 db.get(cwe_id)
 weaknesses.append(cwe_id)
- except Exception:
+ except ValueError:
 logger.error("Invalid CWE id")
 return weaknesses
From 445b29cf9c9df844a73272290fe7abc334291ee3 Mon Sep 17 00:00:00 2001
From: ambuj
Date: Tue, 20 Aug 2024 18:46:11 +0530
Subject: [PATCH 4/6] correct unit test for rockylinux importer
Signed-off-by: ambuj
---
 .../rockylinux/rockylinux_expected1.json | 3 +++
 .../rockylinux/rockylinux_expected2.json | 18 ++++++++++++++++++
 2 files changed, 21 insertions(+)
diff --git a/vulnerabilities/tests/test_data/rockylinux/rockylinux_expected1.json b/vulnerabilities/tests/test_data/rockylinux/rockylinux_expected1.json
index 8b74547e3..bc1ba6fb2 100644
--- a/vulnerabilities/tests/test_data/rockylinux/rockylinux_expected1.json
+++ b/vulnerabilities/tests/test_data/rockylinux/rockylinux_expected1.json
@@ -426,16 +426,19 @@
 "references": [
 {
 "reference_id": "2008291",
+ "reference_type": "",
 "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2008291",
 "severities": []
 },
 {
 "reference_id": "2015828",
+ "reference_type": "",
 "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2015828",
 "severities": []
 },
 {
 "reference_id": "CVE-2021-41617",
+ "reference_type": "",
 "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41617",
 "severities": [
 {
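Review bot: The doctest's `nvras` entries (`package-1.0-1.el8.x86_64.rpm`, `package-2.0-1.el8.noarch.rpm`) carry no epoch, while every real NVRA in this series has the `name-0:version-release.arch.rpm` shape and the unit tests expect `rpm_to_purl` to return None for an entry whose version part does not parse, so whether `len(advisory.affected_packages)` really is `2` depends on how the loop below the hunk treats these names — the example should use a realistic NVRA such as `gfs2-utils-0:3.2.0-11.el8.x86_64.rpm`. The doctest also documents `advisory.aliases` as the bare string `'CVE-2023-1234'`; if `AdvisoryData.aliases` is a list of strings in the importer base class, `aliases = advisory_data.get("name") or ""` should become `aliases = [advisory_data["name"]] if advisory_data.get("name") else []` and the doctest updated accordingly. The added blank `+` line between `def to_advisory(advisory_data):` and the opening `"""` should go, since a docstring is conventionally the first line of the body. to_advisory continues past the end of this hunk.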
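Review bot: `packages = rpms.get(products, {}).get("nvras", [])` turns a product that is listed in `affectedProducts` but missing from `rpms` into an advisory with no affected packages, and nothing records that the data was incomplete; a KeyError that previously aborted the advisory now yields an AdvisoryData whose `affected_packages` is empty, which a consumer cannot tell apart from "nothing affected". Keep the lenient lookup but make the gap visible, e.g. `if not packages:` / `logger.warning(f"No rpms listed for {products} in {advisory_data.get('name')}")` before `affected_packages.extend(packages)`. The loop body continues past the end of the hunk.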
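Review bot: `except VersionParsingError as e:` narrows the handler to a class that this patch defines but never raises — nothing in the diff raises `VersionParsingError`, and the `try` body above the hunk presumably calls the univers `RpmVersionRange` imported in the initial commit, whose parse failures are its own exception types. Unless the parsing code is also changed to raise `VersionParsingError`, one unparsable NVRA now propagates out of `to_advisory` and aborts the whole import instead of being logged and skipped as before; either `raise VersionParsingError(...) from e` inside the parsing code or catch the exception type the parser actually raises. The `@@ -194,6 +245,6 @@` hunk has the same shape: `except ValueError:` around `db.get(cwe_id)` only keeps the log-and-continue behaviour if `db.get` raises `ValueError` for an unknown CWE id, which is worth confirming against whatever `db` is (it is defined above the hunk). The enclosing `try` of the first hunk starts outside the visible lines.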
diff --git a/vulnerabilities/tests/test_data/rockylinux/rockylinux_expected2.json b/vulnerabilities/tests/test_data/rockylinux/rockylinux_expected2.json index c52bb354b..51b710681 100644 --- a/vulnerabilities/tests/test_data/rockylinux/rockylinux_expected2.json +++ b/vulnerabilities/tests/test_data/rockylinux/rockylinux_expected2.json @@ -90,51 +90,61 @@ "references": [ { "reference_id": "2243644", + "reference_type": "", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243644", "severities": [] }, { "reference_id": "2260012", + "reference_type": "", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2260012", "severities": [] }, { "reference_id": "2268171", + "reference_type": "", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268171", "severities": [] }, { "reference_id": "2270660", + "reference_type": "", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270660", "severities": [] }, { "reference_id": "2270661", + "reference_type": "", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270661", "severities": [] }, { "reference_id": "2270663", + "reference_type": "", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270663", "severities": [] }, { "reference_id": "2270664", + "reference_type": "", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270664", "severities": [] }, { "reference_id": "2270665", + "reference_type": "", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270665", "severities": [] }, { "reference_id": "2270666", + "reference_type": "", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270666", "severities": [] }, { "reference_id": "CVE-2023-5388", + "reference_type": "", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5388", "severities": [ { @@ -146,6 +156,7 @@ }, { "reference_id": "CVE-2024-0743", + "reference_type": "", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0743", "severities": [ { 
@@ -157,6 +168,7 @@ }, { "reference_id": "CVE-2024-1936", + "reference_type": "", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1936", "severities": [ { @@ -168,6 +180,7 @@ }, { "reference_id": "CVE-2024-2607", + "reference_type": "", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2607", "severities": [ { @@ -179,6 +192,7 @@ }, { "reference_id": "CVE-2024-2608", + "reference_type": "", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2608", "severities": [ { @@ -190,6 +204,7 @@ }, { "reference_id": "CVE-2024-2610", + "reference_type": "", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2610", "severities": [ { @@ -201,6 +216,7 @@ }, { "reference_id": "CVE-2024-2611", + "reference_type": "", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2611", "severities": [ { @@ -212,6 +228,7 @@ }, { "reference_id": "CVE-2024-2612", + "reference_type": "", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2612", "severities": [ { @@ -223,6 +240,7 @@ }, { "reference_id": "CVE-2024-2614", + "reference_type": "", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2614", "severities": [ { From 20fd784c33d81ec8cdfcd7b6088d1e4fb939d458 Mon Sep 17 00:00:00 2001 From: ambuj Date: Thu, 10 Oct 2024 19:59:07 +0530 Subject: [PATCH 5/6] Refactor rockylinux importer - Modified the severity score collection. - Refined docstrings Signed-off-by: ambuj --- vulnerabilities/importers/rockylinux.py | 65 +- .../rockylinux/rockylinux_expected1.json | 912 +++++++++--------- .../rockylinux/rockylinux_expected2.json | 476 +++++---- 3 files changed, 711 insertions(+), 742 deletions(-) diff --git a/vulnerabilities/importers/rockylinux.py b/vulnerabilities/importers/rockylinux.py index d7573cad4..ce9ef4a99 100644 --- a/vulnerabilities/importers/rockylinux.py +++ b/vulnerabilities/importers/rockylinux.py 
@@ -81,40 +81,55 @@ def to_advisory(advisory_data):
 Example:
 >>> advisory_data = {
- ... "name": "CVE-2023-1234",
- ... "publishedAt": "2023-08-20T12:34:56Z",
- ... "description": "A vulnerability in the system.",
- ... "affectedProducts": ["product1"],
+ ... "name": "RLSA-2021:4364",
+ ... "publishedAt": "2021-11-09T09:11:20Z",
+ ... "description": "The binutils packages provide a collection of binary utilities for the manipulation",
+ ... "affectedProducts": ["Rocky Linux 8"],
 ... "rpms": {
- ... "product1": {
+ ... "Rocky Linux 8": {
 ... "nvras": [
- ... "package-1.0-1.el8.x86_64.rpm",
- ... "package-2.0-1.el8.noarch.rpm"
+ ... "gfs2-utils-0:3.2.0-11.el8.aarch64.rpm",
+ ... "gfs2-utils-0:3.2.0-11.el8.src.rpm",
+ ... "gfs2-utils-0:3.2.0-11.el8.x86_64.rpm",
+ ... "gfs2-utils-debuginfo-0:3.2.0-11.el8.aarch64.rpm",
+ ... "gfs2-utils-debuginfo-0:3.2.0-11.el8.x86_64.rpm",
+ ... "gfs2-utils-debugsource-0:3.2.0-11.el8.aarch64.rpm",
+ ... "gfs2-utils-debugsource-0:3.2.0-11.el8.x86_64.rpm"
 ... ]
 ... }
 ... },
 ... "fixes": [
- ... {"sourceLink": "http://example.com/fix", "ticket": "12345"}
+ ... {
+ ... "ticket": "1942434",
+ ... "sourceBy": "Red Hat",
+ ... "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=1942434",
+ ... "description": ""
+ ... }
 ... ],
 ... "cves": [
 ... {
- ... "name": "CVE-2023-1234",
- ... "cvss3BaseScore": "7.5",
- ... "cvss3ScoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
- ... "sourceLink": "http://example.com/cve"
+ ... "name": "CVE-2021-3487",
+ ... "sourceBy": "MITRE",
+ ... "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3487",
+ ... "cvss3ScoringVector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
+ ... "cvss3BaseScore": "6.5",
+ ... "cwe": "CWE-20->CWE-400"
+ ... }
 ... ]
 ... }
 >>> advisory = to_advisory(advisory_data)
 >>> advisory.aliases
- 'CVE-2023-1234'
+ 'RLSA-2021:4364'
 >>> advisory.date_published.year
- 2023
+ 2021
 >>> len(advisory.affected_packages)
- 2
+ 7
 >>> len(advisory.references)
 2
+ >>> advisory.weaknesses
+ [400, 20]
 """
+
 aliases = advisory_data.get("name") or ""
 date_published = dateparser.parse(advisory_data.get("publishedAt", ""))
@@ -162,20 +177,15 @@ def to_advisory(advisory_data):
 continue
 if "CVE" in name.upper():
- severity_vector_pattern = r"CVSS:3\.1/([A-Z:/]+)"
 severities = VulnerabilitySeverity(
 system=severity_systems.CVSSV31,
 value=ref.get("cvss3BaseScore", ""),
- scoring_elements=re.findall(
- severity_vector_pattern, ref.get("cvss3ScoringVector", "")
- ),
+ scoring_elements=ref.get("cvss3ScoringVector", "")
+ if ref.get("cvss3ScoringVector", "") != "UNKNOWN"
+ else "",
 )
 references.append(
- Reference(
- severities=[severities],
- url=ref.get("sourceLink", ""),
- reference_id=name,
- )
+ Reference(severities=[severities], url=ref.get("sourceLink", ""), reference_id=name)
 )
 return AdvisoryData(
@@ -223,11 +233,11 @@ def get_cwes_from_rockylinux_advisory(advisory_data) -> [int]:
 ... "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548",
 ... "cvss3ScoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
 ... "cvss3BaseScore": "7.5",
- ... "cwe": "CWE-350"
+ ... "cwe": "CWE-20 -> CWE-400"
 ... }
 ... ]}
 >>> get_cwes_from_rockylinux_advisory(advisory_data)
- [1321, 400, 350]
+ [400, 1321, 20]
 >>> get_cwes_from_rockylinux_advisory({"cves": [{"name": "CVE-1234-1234","cwe": "None"}]})
 []
 """
@@ -247,4 +257,5 @@ def get_cwes_from_rockylinux_advisory(advisory_data) -> [int]:
 weaknesses.append(cwe_id)
 except ValueError:
 logger.error("Invalid CWE id")
- return weaknesses
+ unique_set = set(weaknesses)
+ return list(unique_set)
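Review bot: The `"UNKNOWN"` sentinel is filtered out of `scoring_elements` but not out of `value`, so a CVE with no published score is still emitted as `VulnerabilitySeverity(value="UNKNOWN", ...)` — the `"value": "UNKNOWN"` entries in the expected fixture for RLSA-2024:1494 at the top of this page show exactly that. Bind both fields once before the constructor (`vector = ref.get("cvss3ScoringVector", "")` and a matching `score`), then pass `value=score if score != "UNKNOWN" else ""` and `scoring_elements=vector if vector != "UNKNOWN" else ""`; this also removes the duplicated `ref.get(...)` inside the conditional expression. Dropping the regex changes what is stored, not just its type: the element string now keeps its `CVSS:3.1/` prefix where the old code kept only the metric part, so confirm that is the form `severity_systems.CVSSV31` consumers expect. The `if "CVE" in name.upper():` block and its loop start above the hunk.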
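Review bot: `return list(unique_set)` makes the return order depend on set iteration, so the doctest's `[400, 1321, 20]`, the new `advisory.weaknesses` doctest `[400, 20]` and the unit test's `[88, 20]` hold only under CPython's small-int hashing, and the source order of a `CWE-20->CWE-400` chain is lost. `return list(dict.fromkeys(weaknesses))` deduplicates while preserving first-seen order, which keeps the doctests deterministic and the expected values matching the order the advisory lists them. The `for` loop and `try` that build `weaknesses` start above the hunk.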
diff --git a/vulnerabilities/tests/test_data/rockylinux/rockylinux_expected1.json b/vulnerabilities/tests/test_data/rockylinux/rockylinux_expected1.json
index bc1ba6fb2..3dcee4ed7 100644
--- a/vulnerabilities/tests/test_data/rockylinux/rockylinux_expected1.json
+++ b/vulnerabilities/tests/test_data/rockylinux/rockylinux_expected1.json
@@ -1,461 +1,455 @@ { - "aliases": "RLSA-2022:2013", - "summary": "OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server.\n\nSecurity Fix(es):\n\n* openssh: privilege escalation when AuthorizedKeysCommand or AuthorizedPrincipalsCommand are configured (CVE-2021-41617)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Rocky Linux 8.6 Release Notes linked from the References section.", - "affected_packages": [ - { - "package": { - "type": "rpm", - "namespace": "rocky-linux", - "name": "openssh", - "version": "", - "qualifiers": "arch=aarch64", - "subpath": "" - }, - "affected_version_range": "vers:rpm/8.0p1-13.el8", - "fixed_version": null - }, - { - "package": { - "type": "rpm", - "namespace": "rocky-linux", - "name": "openssh", - "version": "", - "qualifiers": "arch=src", - "subpath": "" - }, - "affected_version_range": "vers:rpm/8.0p1-13.el8", - "fixed_version": null - }, - { - "package": { - "type": "rpm", - "namespace": "rocky-linux", - "name": "openssh", - "version": "", - "qualifiers": "arch=x86_64", - "subpath": "" - }, - "affected_version_range": "vers:rpm/8.0p1-13.el8", - "fixed_version": null - }, - { - "package": { - "type": "rpm", - "namespace": "rocky-linux", - "name": "openssh-askpass", - "version": "", - "qualifiers": "arch=aarch64", - "subpath": "" - }, - "affected_version_range": "vers:rpm/8.0p1-13.el8", - "fixed_version": null - }, - { - "package": { - "type": "rpm", - "namespace": "rocky-linux", - "name": "openssh-askpass", - "version": "", - "qualifiers": "arch=x86_64", - "subpath": "" - }, - "affected_version_range": "vers:rpm/8.0p1-13.el8", - "fixed_version": null - }, - { - "package": { - 
"type": "rpm", - "namespace": "rocky-linux", - "name": "openssh-askpass-debuginfo", - "version": "", - "qualifiers": "arch=aarch64", - "subpath": "" - }, - "affected_version_range": "vers:rpm/8.0p1-13.el8", - "fixed_version": null - }, - { - "package": { - "type": "rpm", - "namespace": "rocky-linux", - "name": "openssh-askpass-debuginfo", - "version": "", - "qualifiers": "arch=x86_64", - "subpath": "" - }, - "affected_version_range": "vers:rpm/8.0p1-13.el8", - "fixed_version": null - }, - { - "package": { - "type": "rpm", - "namespace": "rocky-linux", - "name": "openssh-cavs", - "version": "", - "qualifiers": "arch=aarch64", - "subpath": "" - }, - "affected_version_range": "vers:rpm/8.0p1-13.el8", - "fixed_version": null - }, - { - "package": { - "type": "rpm", - "namespace": "rocky-linux", - "name": "openssh-cavs", - "version": "", - "qualifiers": "arch=x86_64", - "subpath": "" - }, - "affected_version_range": "vers:rpm/8.0p1-13.el8", - "fixed_version": null - }, - { - "package": { - "type": "rpm", - "namespace": "rocky-linux", - "name": "openssh-cavs-debuginfo", - "version": "", - "qualifiers": "arch=aarch64", - "subpath": "" - }, - "affected_version_range": "vers:rpm/8.0p1-13.el8", - "fixed_version": null - }, - { - "package": { - "type": "rpm", - "namespace": "rocky-linux", - "name": "openssh-cavs-debuginfo", - "version": "", - "qualifiers": "arch=x86_64", - "subpath": "" - }, - "affected_version_range": "vers:rpm/8.0p1-13.el8", - "fixed_version": null - }, - { - "package": { - "type": "rpm", - "namespace": "rocky-linux", - "name": "openssh-clients", - "version": "", - "qualifiers": "arch=aarch64", - "subpath": "" - }, - "affected_version_range": "vers:rpm/8.0p1-13.el8", - "fixed_version": null - }, - { - "package": { - "type": "rpm", - "namespace": "rocky-linux", - "name": "openssh-clients", - "version": "", - "qualifiers": "arch=x86_64", - "subpath": "" - }, - "affected_version_range": "vers:rpm/8.0p1-13.el8", - "fixed_version": null - }, - { - "package": { - 
"type": "rpm", - "namespace": "rocky-linux", - "name": "openssh-clients-debuginfo", - "version": "", - "qualifiers": "arch=aarch64", - "subpath": "" - }, - "affected_version_range": "vers:rpm/8.0p1-13.el8", - "fixed_version": null - }, - { - "package": { - "type": "rpm", - "namespace": "rocky-linux", - "name": "openssh-clients-debuginfo", - "version": "", - "qualifiers": "arch=x86_64", - "subpath": "" - }, - "affected_version_range": "vers:rpm/8.0p1-13.el8", - "fixed_version": null - }, - { - "package": { - "type": "rpm", - "namespace": "rocky-linux", - "name": "openssh-debuginfo", - "version": "", - "qualifiers": "arch=aarch64", - "subpath": "" - }, - "affected_version_range": "vers:rpm/8.0p1-13.el8", - "fixed_version": null - }, - { - "package": { - "type": "rpm", - "namespace": "rocky-linux", - "name": "openssh-debuginfo", - "version": "", - "qualifiers": "arch=x86_64", - "subpath": "" - }, - "affected_version_range": "vers:rpm/8.0p1-13.el8", - "fixed_version": null - }, - { - "package": { - "type": "rpm", - "namespace": "rocky-linux", - "name": "openssh-debugsource", - "version": "", - "qualifiers": "arch=aarch64", - "subpath": "" - }, - "affected_version_range": "vers:rpm/8.0p1-13.el8", - "fixed_version": null - }, - { - "package": { - "type": "rpm", - "namespace": "rocky-linux", - "name": "openssh-debugsource", - "version": "", - "qualifiers": "arch=x86_64", - "subpath": "" - }, - "affected_version_range": "vers:rpm/8.0p1-13.el8", - "fixed_version": null - }, - { - "package": { - "type": "rpm", - "namespace": "rocky-linux", - "name": "openssh-keycat", - "version": "", - "qualifiers": "arch=aarch64", - "subpath": "" - }, - "affected_version_range": "vers:rpm/8.0p1-13.el8", - "fixed_version": null - }, - { - "package": { - "type": "rpm", - "namespace": "rocky-linux", - "name": "openssh-keycat", - "version": "", - "qualifiers": "arch=x86_64", - "subpath": "" - }, - "affected_version_range": "vers:rpm/8.0p1-13.el8", - "fixed_version": null - }, - { - "package": { 
- "type": "rpm", - "namespace": "rocky-linux", - "name": "openssh-keycat-debuginfo", - "version": "", - "qualifiers": "arch=aarch64", - "subpath": "" - }, - "affected_version_range": "vers:rpm/8.0p1-13.el8", - "fixed_version": null - }, - { - "package": { - "type": "rpm", - "namespace": "rocky-linux", - "name": "openssh-keycat-debuginfo", - "version": "", - "qualifiers": "arch=x86_64", - "subpath": "" - }, - "affected_version_range": "vers:rpm/8.0p1-13.el8", - "fixed_version": null - }, - { - "package": { - "type": "rpm", - "namespace": "rocky-linux", - "name": "openssh-ldap", - "version": "", - "qualifiers": "arch=aarch64", - "subpath": "" - }, - "affected_version_range": "vers:rpm/8.0p1-13.el8", - "fixed_version": null - }, - { - "package": { - "type": "rpm", - "namespace": "rocky-linux", - "name": "openssh-ldap", - "version": "", - "qualifiers": "arch=x86_64", - "subpath": "" - }, - "affected_version_range": "vers:rpm/8.0p1-13.el8", - "fixed_version": null - }, - { - "package": { - "type": "rpm", - "namespace": "rocky-linux", - "name": "openssh-ldap-debuginfo", - "version": "", - "qualifiers": "arch=aarch64", - "subpath": "" - }, - "affected_version_range": "vers:rpm/8.0p1-13.el8", - "fixed_version": null - }, - { - "package": { - "type": "rpm", - "namespace": "rocky-linux", - "name": "openssh-ldap-debuginfo", - "version": "", - "qualifiers": "arch=x86_64", - "subpath": "" - }, - "affected_version_range": "vers:rpm/8.0p1-13.el8", - "fixed_version": null - }, - { - "package": { - "type": "rpm", - "namespace": "rocky-linux", - "name": "openssh-server", - "version": "", - "qualifiers": "arch=aarch64", - "subpath": "" - }, - "affected_version_range": "vers:rpm/8.0p1-13.el8", - "fixed_version": null - }, - { - "package": { - "type": "rpm", - "namespace": "rocky-linux", - "name": "openssh-server", - "version": "", - "qualifiers": "arch=x86_64", - "subpath": "" - }, - "affected_version_range": "vers:rpm/8.0p1-13.el8", - "fixed_version": null - }, - { - "package": { - 
"type": "rpm", - "namespace": "rocky-linux", - "name": "openssh-server-debuginfo", - "version": "", - "qualifiers": "arch=aarch64", - "subpath": "" - }, - "affected_version_range": "vers:rpm/8.0p1-13.el8", - "fixed_version": null - }, - { - "package": { - "type": "rpm", - "namespace": "rocky-linux", - "name": "openssh-server-debuginfo", - "version": "", - "qualifiers": "arch=x86_64", - "subpath": "" - }, - "affected_version_range": "vers:rpm/8.0p1-13.el8", - "fixed_version": null - }, - { - "package": { - "type": "rpm", - "namespace": "rocky-linux", - "name": "pam_ssh_agent_auth", - "version": "", - "qualifiers": "arch=aarch64", - "subpath": "" - }, - "affected_version_range": "vers:rpm/0.10.3-7.13.el8", - "fixed_version": null - }, - { - "package": { - "type": "rpm", - "namespace": "rocky-linux", - "name": "pam_ssh_agent_auth", - "version": "", - "qualifiers": "arch=x86_64", - "subpath": "" - }, - "affected_version_range": "vers:rpm/0.10.3-7.13.el8", - "fixed_version": null - }, - { - "package": { - "type": "rpm", - "namespace": "rocky-linux", - "name": "pam_ssh_agent_auth-debuginfo", - "version": "", - "qualifiers": "arch=aarch64", - "subpath": "" - }, - "affected_version_range": "vers:rpm/0.10.3-7.13.el8", - "fixed_version": null - }, - { - "package": { - "type": "rpm", - "namespace": "rocky-linux", - "name": "pam_ssh_agent_auth-debuginfo", - "version": "", - "qualifiers": "arch=x86_64", - "subpath": "" - }, - "affected_version_range": "vers:rpm/0.10.3-7.13.el8", - "fixed_version": null - } - ], - "references": [ - { - "reference_id": "2008291", - "reference_type": "", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2008291", - "severities": [] - }, - { - "reference_id": "2015828", - "reference_type": "", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2015828", - "severities": [] - }, - { - "reference_id": "CVE-2021-41617", - "reference_type": "", - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41617", - "severities": [ - { - 
"system": "cvssv3.1", - "value": "7.0", - "scoring_elements": [ - "AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" - ] - } - ] + "aliases": "RLSA-2022:2013", + "summary": "OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server.\n\nSecurity Fix(es):\n\n* openssh: privilege escalation when AuthorizedKeysCommand or AuthorizedPrincipalsCommand are configured (CVE-2021-41617)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Rocky Linux 8.6 Release Notes linked from the References section.", + "affected_packages": [ + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh", + "version": "", + "qualifiers": "arch=src", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-askpass", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-askpass", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + 
"affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-askpass-debuginfo", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-askpass-debuginfo", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-cavs", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-cavs", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-cavs-debuginfo", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-cavs-debuginfo", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-clients", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-clients", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + 
"affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-clients-debuginfo", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-clients-debuginfo", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-debuginfo", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-debuginfo", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-debugsource", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-debugsource", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-keycat", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-keycat", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, 
+ "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-keycat-debuginfo", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-keycat-debuginfo", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-ldap", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-ldap", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-ldap-debuginfo", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-ldap-debuginfo", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-server", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-server", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + 
"affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-server-debuginfo", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-server-debuginfo", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "pam_ssh_agent_auth", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/0.10.3-7.13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "pam_ssh_agent_auth", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/0.10.3-7.13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "pam_ssh_agent_auth-debuginfo", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/0.10.3-7.13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "pam_ssh_agent_auth-debuginfo", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/0.10.3-7.13.el8", + "fixed_version": null + } + ], + "references": [ + { + "reference_id": "2008291", + "reference_type": "", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2008291", + "severities": [] + }, + { + "reference_id": "2015828", + "reference_type": "", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2015828", + "severities": [] + }, + { + "reference_id": "CVE-2021-41617", + "reference_type": "", + 
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41617", + "severities": [ + { + "system": "cvssv3.1", + "value": "7.0", + "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" } - ], - "date_published": "2022-05-10T06:45:24+00:00", - "weaknesses": [ - 273, - 123, - 546 - ], - "url": "https://errata.rockylinux.org/RLSA-2022:2013" -} \ No newline at end of file + ] + } + ], + "date_published": "2022-05-10T06:45:24+00:00", + "weaknesses": [273, 546, 123], + "url": "https://errata.rockylinux.org/RLSA-2022:2013" +} diff --git a/vulnerabilities/tests/test_data/rockylinux/rockylinux_expected2.json b/vulnerabilities/tests/test_data/rockylinux/rockylinux_expected2.json index 51b710681..308bda6d8 100644 --- a/vulnerabilities/tests/test_data/rockylinux/rockylinux_expected2.json +++ b/vulnerabilities/tests/test_data/rockylinux/rockylinux_expected2.json 
@@ -1,257 +1,221 @@ { - "aliases": "RLSA-2024:1494", - "summary": "Mozilla Thunderbird is a standalone mail and newsgroup client.\n\nThis update upgrades Thunderbird to version 115.9.0.\n\nSecurity Fix(es):\n\n* nss: timing attack against RSA decryption (CVE-2023-5388)\n\n* Mozilla: Crash in NSS TLS method (CVE-2024-0743)\n\n* Mozilla: Leaking of encrypted email subjects to other conversations (CVE-2024-1936)\n\n* Mozilla: JIT code failed to save return registers on Armv7-A (CVE-2024-2607)\n\n* Mozilla: Integer overflow could have led to out of bounds write\n(CVE-2024-2608)\n\n* Mozilla: Improper handling of html and body tags enabled CSP nonce leakage\n(CVE-2024-2610)\n\n* Mozilla: Clickjacking vulnerability could have led to a user accidentally\ngranting permissions (CVE-2024-2611)\n\n* Mozilla: Self referencing object could have potentially led to a\nuse-after-free (CVE-2024-2612)\n\n* Mozilla: Memory safety bugs fixed in Firefox 124, Firefox ESR 115.9, and\nThunderbird 115.9 (CVE-2024-2614)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", - "affected_packages": [ - { - "package": { - "type": "rpm", - "namespace": "rocky-linux", - "name": "thunderbird", - "version": "", - "qualifiers": "arch=aarch64", - "subpath": "" - }, - "affected_version_range": "vers:rpm/115.9.0-1.el8_9", - "fixed_version": null - }, - { - "package": { - "type": "rpm", - "namespace": "rocky-linux", - "name": "thunderbird", - "version": "", - "qualifiers": "arch=src", - "subpath": "" - }, - "affected_version_range": "vers:rpm/115.9.0-1.el8_9", - "fixed_version": null - }, - { - "package": { - "type": "rpm", - "namespace": "rocky-linux", - "name": "thunderbird", - "version": "", - "qualifiers": "arch=x86_64", - "subpath": "" - }, - "affected_version_range": "vers:rpm/115.9.0-1.el8_9", - "fixed_version": null - }, - { - "package": { - "type": "rpm", 
- "namespace": "rocky-linux", - "name": "thunderbird-debuginfo", - "version": "", - "qualifiers": "arch=aarch64", - "subpath": "" - }, - "affected_version_range": "vers:rpm/115.9.0-1.el8_9", - "fixed_version": null - }, - { - "package": { - "type": "rpm", - "namespace": "rocky-linux", - "name": "thunderbird-debuginfo", - "version": "", - "qualifiers": "arch=x86_64", - "subpath": "" - }, - "affected_version_range": "vers:rpm/115.9.0-1.el8_9", - "fixed_version": null - }, - { - "package": { - "type": "rpm", - "namespace": "rocky-linux", - "name": "thunderbird-debugsource", - "version": "", - "qualifiers": "arch=aarch64", - "subpath": "" - }, - "affected_version_range": "vers:rpm/115.9.0-1.el8_9", - "fixed_version": null - }, - { - "package": { - "type": "rpm", - "namespace": "rocky-linux", - "name": "thunderbird-debugsource", - "version": "", - "qualifiers": "arch=x86_64", - "subpath": "" - }, - "affected_version_range": "vers:rpm/115.9.0-1.el8_9", - "fixed_version": null - } - ], - "references": [ - { - "reference_id": "2243644", - "reference_type": "", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243644", - "severities": [] - }, - { - "reference_id": "2260012", - "reference_type": "", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2260012", - "severities": [] - }, - { - "reference_id": "2268171", - "reference_type": "", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268171", - "severities": [] - }, - { - "reference_id": "2270660", - "reference_type": "", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270660", - "severities": [] - }, - { - "reference_id": "2270661", - "reference_type": "", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270661", - "severities": [] - }, - { - "reference_id": "2270663", - "reference_type": "", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270663", - "severities": [] - }, - { - "reference_id": "2270664", - "reference_type": "", - "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=2270664", - "severities": [] - }, - { - "reference_id": "2270665", - "reference_type": "", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270665", - "severities": [] - }, - { - "reference_id": "2270666", - "reference_type": "", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270666", - "severities": [] - }, - { - "reference_id": "CVE-2023-5388", - "reference_type": "", - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5388", - "severities": [ - { - "system": "cvssv3.1", - "value": "UNKNOWN", - "scoring_elements": [] - } - ] - }, - { - "reference_id": "CVE-2024-0743", - "reference_type": "", - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0743", - "severities": [ - { - "system": "cvssv3.1", - "value": "UNKNOWN", - "scoring_elements": [] - } - ] - }, - { - "reference_id": "CVE-2024-1936", - "reference_type": "", - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1936", - "severities": [ - { - "system": "cvssv3.1", - "value": "UNKNOWN", - "scoring_elements": [] - } - ] - }, - { - "reference_id": "CVE-2024-2607", - "reference_type": "", - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2607", - "severities": [ - { - "system": "cvssv3.1", - "value": "UNKNOWN", - "scoring_elements": [] - } - ] - }, - { - "reference_id": "CVE-2024-2608", - "reference_type": "", - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2608", - "severities": [ - { - "system": "cvssv3.1", - "value": "UNKNOWN", - "scoring_elements": [] - } - ] - }, - { - "reference_id": "CVE-2024-2610", - "reference_type": "", - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2610", - "severities": [ - { - "system": "cvssv3.1", - "value": "UNKNOWN", - "scoring_elements": [] - } - ] - }, - { - "reference_id": "CVE-2024-2611", - "reference_type": "", - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2611", - "severities": [ - { - "system": 
"cvssv3.1", - "value": "UNKNOWN", - "scoring_elements": [] - } - ] - }, - { - "reference_id": "CVE-2024-2612", - "reference_type": "", - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2612", - "severities": [ - { - "system": "cvssv3.1", - "value": "UNKNOWN", - "scoring_elements": [] - } - ] - }, - { - "reference_id": "CVE-2024-2614", - "reference_type": "", - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2614", - "severities": [ - { - "system": "cvssv3.1", - "value": "UNKNOWN", - "scoring_elements": [] - } - ] - } - ], - "date_published": "2024-03-27T04:34:32.999941+00:00", - "weaknesses": [], - "url": "https://errata.rockylinux.org/RLSA-2024:1494" -} \ No newline at end of file + "aliases": "RLSA-2024:1494", + "summary": "Mozilla Thunderbird is a standalone mail and newsgroup client.\n\nThis update upgrades Thunderbird to version 115.9.0.\n\nSecurity Fix(es):\n\n* nss: timing attack against RSA decryption (CVE-2023-5388)\n\n* Mozilla: Crash in NSS TLS method (CVE-2024-0743)\n\n* Mozilla: Leaking of encrypted email subjects to other conversations (CVE-2024-1936)\n\n* Mozilla: JIT code failed to save return registers on Armv7-A (CVE-2024-2607)\n\n* Mozilla: Integer overflow could have led to out of bounds write\n(CVE-2024-2608)\n\n* Mozilla: Improper handling of html and body tags enabled CSP nonce leakage\n(CVE-2024-2610)\n\n* Mozilla: Clickjacking vulnerability could have led to a user accidentally\ngranting permissions (CVE-2024-2611)\n\n* Mozilla: Self referencing object could have potentially led to a\nuse-after-free (CVE-2024-2612)\n\n* Mozilla: Memory safety bugs fixed in Firefox 124, Firefox ESR 115.9, and\nThunderbird 115.9 (CVE-2024-2614)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", + "affected_packages": [ + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + 
"name": "thunderbird", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/115.9.0-1.el8_9", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "thunderbird", + "version": "", + "qualifiers": "arch=src", + "subpath": "" + }, + "affected_version_range": "vers:rpm/115.9.0-1.el8_9", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "thunderbird", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/115.9.0-1.el8_9", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "thunderbird-debuginfo", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/115.9.0-1.el8_9", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "thunderbird-debuginfo", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/115.9.0-1.el8_9", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "thunderbird-debugsource", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/115.9.0-1.el8_9", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "thunderbird-debugsource", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/115.9.0-1.el8_9", + "fixed_version": null + } + ], + "references": [ + { + "reference_id": "2243644", + "reference_type": "", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243644", + "severities": [] + }, + { + "reference_id": "2260012", + "reference_type": "", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2260012", + "severities": [] + 
}, + { + "reference_id": "2268171", + "reference_type": "", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268171", + "severities": [] + }, + { + "reference_id": "2270660", + "reference_type": "", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270660", + "severities": [] + }, + { + "reference_id": "2270661", + "reference_type": "", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270661", + "severities": [] + }, + { + "reference_id": "2270663", + "reference_type": "", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270663", + "severities": [] + }, + { + "reference_id": "2270664", + "reference_type": "", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270664", + "severities": [] + }, + { + "reference_id": "2270665", + "reference_type": "", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270665", + "severities": [] + }, + { + "reference_id": "2270666", + "reference_type": "", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270666", + "severities": [] + }, + { + "reference_id": "CVE-2023-5388", + "reference_type": "", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5388", + "severities": [ + { "system": "cvssv3.1", "value": "UNKNOWN", "scoring_elements": "" } + ] + }, + { + "reference_id": "CVE-2024-0743", + "reference_type": "", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0743", + "severities": [ + { "system": "cvssv3.1", "value": "UNKNOWN", "scoring_elements": "" } + ] + }, + { + "reference_id": "CVE-2024-1936", + "reference_type": "", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1936", + "severities": [ + { "system": "cvssv3.1", "value": "UNKNOWN", "scoring_elements": "" } + ] + }, + { + "reference_id": "CVE-2024-2607", + "reference_type": "", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2607", + "severities": [ + { "system": "cvssv3.1", "value": "UNKNOWN", "scoring_elements": "" } + ] + }, + { + "reference_id": "CVE-2024-2608", + 
"reference_type": "", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2608", + "severities": [ + { "system": "cvssv3.1", "value": "UNKNOWN", "scoring_elements": "" } + ] + }, + { + "reference_id": "CVE-2024-2610", + "reference_type": "", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2610", + "severities": [ + { "system": "cvssv3.1", "value": "UNKNOWN", "scoring_elements": "" } + ] + }, + { + "reference_id": "CVE-2024-2611", + "reference_type": "", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2611", + "severities": [ + { "system": "cvssv3.1", "value": "UNKNOWN", "scoring_elements": "" } + ] + }, + { + "reference_id": "CVE-2024-2612", + "reference_type": "", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2612", + "severities": [ + { "system": "cvssv3.1", "value": "UNKNOWN", "scoring_elements": "" } + ] + }, + { + "reference_id": "CVE-2024-2614", + "reference_type": "", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2614", + "severities": [ + { "system": "cvssv3.1", "value": "UNKNOWN", "scoring_elements": "" } + ] + } + ], + "date_published": "2024-03-27T04:34:32.999941+00:00", + "weaknesses": [], + "url": "https://errata.rockylinux.org/RLSA-2024:1494" +} From b0ca192659653a5dee268194004eb70544b8c183 Mon Sep 17 00:00:00 2001 From: ambuj Date: Fri, 11 Oct 2024 01:48:25 +0530 Subject: [PATCH 6/6] Apply black code formatter Signed-off-by: ambuj --- vulnerabilities/improvers/valid_versions.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/vulnerabilities/improvers/valid_versions.py b/vulnerabilities/improvers/valid_versions.py index cb2f4726e..02dcb9043 100644 --- a/vulnerabilities/improvers/valid_versions.py +++ b/vulnerabilities/improvers/valid_versions.py 
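Review bot: Every CVE reference in this expected fixture now pins a severity record of `{ "system": "cvssv3.1", "value": "UNKNOWN", "scoring_elements": "" }`, which asserts that a cvssv3.1 entry is emitted even when no score was resolved. A consumer that filters or sorts on `cvssv3.1` values would then receive the non-numeric string `UNKNOWN` for all nine CVEs here, whereas the first fixture in this patch shows the same system carrying a real score and vector (`"value": "7.0"`, `"scoring_elements": "CVSS:3.1/..."`). If the importer is meant to look up CVSS data for CVE references, this fixture would be locking in the fallback path rather than a resolved score, so it is worth confirming that the test data intentionally exercises the no-score case; if not, emitting no severity entry at all (an empty `severities` list, as the bugzilla references already do) would be the cleaner contract to pin. Either way a one-line comment in the test that loads this fixture, stating that the `UNKNOWN` records are expected, would save the next reader from reading them as a regression.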
@@ -482,7 +482,8 @@ class GithubOSVImprover(ValidVersionImprover):
 class RockyLinuxImprover(ValidVersionImprover):
     importer = RockyLinuxImporter
     ignorable_versions = []
-
+
+
 class CurlImprover(ValidVersionImprover):
     importer = CurlImporter
     ignorable_versions = []