Collect suse scores

SOURCES.rst

@@ -45,3 +45,5 @@
 +----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+
 |elixir_security | https://github.com/dependabot/elixir-security-advisories                                             |hex packages                                        |
 +----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+
+|suse_scores     | https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml                                |vulnerability severity scores by SUSE               |
++----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+

vulnerabilities/helpers.py

@@ -27,6 +27,8 @@
 import requests
 import toml
 
+# TODO add logging here
+
 
 def load_yaml(path):
     with open(path) as f:
@@ -43,6 +45,11 @@ def load_toml(path):
         return toml.load(f)
 
 
+def fetch_yaml(url):
+    response = requests.get(url)
+    return yaml.safe_load(response.content)
+
+
 def create_etag(data_src, url, etag_key):
     """
     Etags are like hashes of web responses. For a data source `data_src`,

vulnerabilities/importer_yielder.py

@@ -115,6 +115,13 @@
             'etags': {},
         },
     },
+    {
+        'name': 'suse_scores',
+        'license': '',
+        'last_run': None,
+        'data_source': 'SUSESeverityScoreDataSource',
+        'data_source_cfg': {}
+    },
     {
         'name': 'debian_oval',
         'license': '',

vulnerabilities/importers/__init__.py

@@ -23,6 +23,8 @@
 
 from vulnerabilities.importers.alpine_linux import AlpineDataSource
 from vulnerabilities.importers.apache_httpd import ApacheHTTPDDataSource
+from vulnerabilities.importers.apache_kafka import ApacheKafkaDataSource
+from vulnerabilities.importers.apache_tomcat import ApacheTomcatDataSource
 from vulnerabilities.importers.archlinux import ArchlinuxDataSource
 from vulnerabilities.importers.debian import DebianDataSource
 from vulnerabilities.importers.debian_oval import DebianOvalDataSource
@@ -42,7 +44,6 @@
 from vulnerabilities.importers.rust import RustDataSource
 from vulnerabilities.importers.safety_db import SafetyDbDataSource
 from vulnerabilities.importers.suse_backports import SUSEBackportsDataSource
+from vulnerabilities.importers.suse_scores import SUSESeverityScoreDataSource
 from vulnerabilities.importers.ubuntu import UbuntuDataSource
 from vulnerabilities.importers.ubuntu_usn import UbuntuUSNDataSource
-from vulnerabilities.importers.apache_tomcat import ApacheTomcatDataSource
-from vulnerabilities.importers.apache_kafka import ApacheKafkaDataSource

vulnerabilities/importers/suse_scores.py

@@ -0,0 +1,94 @@
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# http://nexb.com and https://github.com/nexB/vulnerablecode/
+# The VulnerableCode software is licensed under the Apache License version 2.0.
+# Data generated with VulnerableCode require an acknowledgment.
+#
+# You may not use this software except in compliance with the License.
+# You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+# When you publish or redistribute any data created with VulnerableCode or any VulnerableCode
+# derivative work, you must accompany this data with the following acknowledgment:
+#
+#  Generated with VulnerableCode and provided on an "AS IS" BASIS, WITHOUT WARRANTIES
+#  OR CONDITIONS OF ANY KIND, either express or implied. No content created from
+#  VulnerableCode should be considered or used as legal advice. Consult an Attorney
+#  for any legal advice.
+#  VulnerableCode is a free software tool from nexB Inc. and others.
+#  Visit https://github.com/nexB/vulnerablecode/ for support and download.
+
+from vulnerabilities.data_source import Advisory
+from vulnerabilities.data_source import DataSource
+from vulnerabilities.data_source import Reference
+from vulnerabilities.data_source import VulnerabilitySeverity
+from vulnerabilities.helpers import fetch_yaml
+from vulnerabilities.severity_systems import scoring_systems
+
+URL = "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"
+
+
+class SUSESeverityScoreDataSource(DataSource):
+
+    def updated_advisories(self):
+        advisories = []
+        score_data = fetch_yaml(URL)
+        advisories.append(self.to_advisory(score_data))
+        return advisories
+
+    @staticmethod
+    def to_advisory(score_data):
+        advisories = []
+        for cve_id in score_data:
+            severities = []
+            for cvss_score in score_data[cve_id]["cvss"]:
+                score = None
+                vector = None
+                if cvss_score["version"] == 2.0:
+                    score = VulnerabilitySeverity(
+                        system=scoring_systems["cvssv2"],
+                        value=str(cvss_score["score"])
+                    )
+                    vector = VulnerabilitySeverity(
+                        system=scoring_systems["cvssv2_vector"],
+                        value=str(cvss_score["vector"])
+                    )
+
+                elif cvss_score["version"] == 3:
+                    score = VulnerabilitySeverity(
+                        system=scoring_systems["cvssv3"],
+                        value=str(cvss_score["score"])
+                    )
+                    vector = VulnerabilitySeverity(
+                        system=scoring_systems["cvssv3_vector"],
+                        value=str(cvss_score["vector"])
+                    )
+
+                elif cvss_score["version"] == 3.1:
+                    score = VulnerabilitySeverity(
+                        system=scoring_systems["cvssv3.1"],
+                        value=str(cvss_score["score"])
+                    )
+                    vector = VulnerabilitySeverity(
+                        system=scoring_systems["cvssv3.1_vector"],
+                        value=str(cvss_score["vector"])
+                    )
+
+                severities.extend([score, vector])
+
+            advisories.append(
+                Advisory(
+                    cve_id=cve_id,
+                    summary="",
+                    impacted_package_urls=[],
+                    vuln_references=[
+                        Reference(
+                            url=URL,
+                            severities=severities
+                        )
+                    ]
+                )
+            )
+        return advisories

vulnerabilities/severity_systems.py

@@ -48,6 +48,18 @@ def as_score(self, value):
         url="https://www.first.org/cvss/v3-0/",
         notes="cvssv3 vector, used to get additional info about nature and severity of vulnerability",  # nopep8
     ),
+    "cvssv3.1": ScoringSystem(
+        identifier="cvssv3.1",
+        name="CVSSv3.1 Base Score",
+        url="https://www.first.org/cvss/v3-1/",
+        notes="cvssv3.1 base score",
+    ),
+    "cvssv3.1_vector": ScoringSystem(
+        identifier="cvssv3.1_vector",
+        name="CVSSv3.1 Vector",
+        url="https://www.first.org/cvss/v3-1/",
+        notes="cvssv3.1 vector, used to get additional info about nature and severity of vulnerability",  # nopep8
+    ),
     "rhbs": ScoringSystem(
         identifier="rhbs",
         name="RedHat Bugzilla severity",

vulnerabilities/tests/test_data/suse_scores/suse-cvss-scores.yaml

@@ -0,0 +1,14 @@
+---
+CVE-2004-0230:
+  cvss:
+    - version: 2.0
+      score: 4.3
+      vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
+    - version: 3.1
+      score: 3.7
+      vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
+CVE-2003-1605:
+  cvss:
+    - version: 3
+      score: 8.6
+      vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

vulnerabilities/tests/test_suse_scores.py

@@ -0,0 +1,126 @@
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# http://nexb.com and https://github.com/nexB/vulnerablecode/
+# The VulnerableCode software is licensed under the Apache License version 2.0.
+# Data generated with VulnerableCode require an acknowledgment.
+#
+# You may not use this software except in compliance with the License.
+# You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+# When you publish or redistribute any data created with VulnerableCode or any VulnerableCode
+# derivative work, you must accompany this data with the following acknowledgment:
+#
+#  Generated with VulnerableCode and provided on an 'AS IS' BASIS, WITHOUT WARRANTIES
+#  OR CONDITIONS OF ANY KIND, either express or implied. No content created from
+#  VulnerableCode should be considered or used as legal advice. Consult an Attorney
+#  for any legal advice.
+#  VulnerableCode is a free software from nexB Inc. and others.
+#  Visit https://github.com/nexB/vulnerablecode/ for support and download.
+
+import os
+from unittest import TestCase
+
+from vulnerabilities.data_source import Advisory
+from vulnerabilities.data_source import Reference
+from vulnerabilities.data_source import VulnerabilitySeverity
+from vulnerabilities.importers.suse_scores import SUSESeverityScoreDataSource
+from vulnerabilities.helpers import load_yaml
+from vulnerabilities.severity_systems import ScoringSystem
+
+BASE_DIR = os.path.dirname(os.path.abspath(__file__))
+TEST_DATA = os.path.join(BASE_DIR, "test_data/suse_scores", "suse-cvss-scores.yaml")
+
+
+class TestSUSESeverityScoreDataSource(TestCase):
+    def test_to_advisory(self):
+        raw_data = load_yaml(TEST_DATA)
+        expected_data = [
+            Advisory(
+                summary="",
+                impacted_package_urls=[],
+                resolved_package_urls=[],
+                vuln_references=[
+                    Reference(
+                        reference_id="",
+                        url="https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml",
+                        severities=[
+                            VulnerabilitySeverity(
+                                system=ScoringSystem(
+                                    identifier="cvssv2",
+                                    name="CVSSv2 Base Score",
+                                    url="https://www.first.org/cvss/v2/",
+                                    notes="cvssv2 base score",
+                                ),
+                                value="4.3",
+                            ),
+                            VulnerabilitySeverity(
+                                system=ScoringSystem(
+                                    identifier="cvssv2_vector",
+                                    name="CVSSv2 Vector",
+                                    url="https://www.first.org/cvss/v2/",
+                                    notes="cvssv2 vector, used to get additional info about nature and severity of vulnerability",  # nopep8
+                                ),
+                                value="AV:N/AC:M/Au:N/C:N/I:N/A:P",
+                            ),
+                            VulnerabilitySeverity(
+                                system=ScoringSystem(
+                                    identifier="cvssv3.1",
+                                    name="CVSSv3.1 Base Score",
+                                    url="https://www.first.org/cvss/v3-1/",
+                                    notes="cvssv3.1 base score",
+                                ),
+                                value="3.7",
+                            ),
+                            VulnerabilitySeverity(
+                                system=ScoringSystem(
+                                    identifier="cvssv3.1_vector",
+                                    name="CVSSv3.1 Vector",
+                                    url="https://www.first.org/cvss/v3-1/",
+                                    notes="cvssv3.1 vector, used to get additional info about nature and severity of vulnerability",  # nopep8
+                                ),
+                                value="CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
+                            ),
+                        ],
+                    )
+                ],
+                cve_id="CVE-2004-0230",
+            ),
+            Advisory(
+                summary="",
+                impacted_package_urls=[],
+                resolved_package_urls=[],
+                vuln_references=[
+                    Reference(
+                        reference_id="",
+                        url="https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml",
+                        severities=[
+                            VulnerabilitySeverity(
+                                system=ScoringSystem(
+                                    identifier="cvssv3",
+                                    name="CVSSv3 Base Score",
+                                    url="https://www.first.org/cvss/v3-0/",
+                                    notes="cvssv3 base score",
+                                ),
+                                value="8.6",
+                            ),
+                            VulnerabilitySeverity(
+                                system=ScoringSystem(
+                                    identifier="cvssv3_vector",
+                                    name="CVSSv3 Vector",
+                                    url="https://www.first.org/cvss/v3-0/",
+                                    notes="cvssv3 vector, used to get additional info about nature and severity of vulnerability",  # nopep8
+                                ),
+                                value="CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
+                            ),
+                        ],
+                    )
+                ],
+                cve_id="CVE-2003-1605",
+            ),
+        ]
+
+        found_data = SUSESeverityScoreDataSource.to_advisory(raw_data)
+        assert expected_data == found_data