diff --git a/vulnerabilities/importers/__init__.py b/vulnerabilities/importers/__init__.py index 3394dd989..91dc93e76 100644 --- a/vulnerabilities/importers/__init__.py +++ b/vulnerabilities/importers/__init__.py @@ -42,6 +42,7 @@ from vulnerabilities.pipelines import nvd_importer from vulnerabilities.pipelines import pypa_importer from vulnerabilities.pipelines import pysec_importer +from vulnerabilities.pipelines import rockylinux_importer IMPORTERS_REGISTRY = [ alpine_linux.AlpineImporter, @@ -77,6 +78,7 @@ gitlab_importer.GitLabImporterPipeline, github_importer.GitHubAPIImporterPipeline, nvd_importer.NVDImporterPipeline, + rockylinux_importer.RockylinuxImporterPipeline, pysec_importer.PyPIImporterPipeline, ] diff --git a/vulnerabilities/improvers/__init__.py b/vulnerabilities/improvers/__init__.py index d2b4e62ec..0435cf551 100644 --- a/vulnerabilities/improvers/__init__.py +++ b/vulnerabilities/improvers/__init__.py @@ -32,6 +32,7 @@ valid_versions.RubyImprover, valid_versions.GithubOSVImprover, vulnerability_status.VulnerabilityStatusImprover, + valid_versions.RockyLinuxImprover, valid_versions.CurlImprover, flag_ghost_packages.FlagGhostPackagePipeline, enhance_with_kev.VulnerabilityKevPipeline, diff --git a/vulnerabilities/improvers/valid_versions.py b/vulnerabilities/improvers/valid_versions.py index 916f36f59..e61ffde5b 100644 --- a/vulnerabilities/improvers/valid_versions.py +++ b/vulnerabilities/improvers/valid_versions.py @@ -45,6 +45,7 @@ from vulnerabilities.pipelines.gitlab_importer import GitLabImporterPipeline from vulnerabilities.pipelines.nginx_importer import NginxImporterPipeline from vulnerabilities.pipelines.npm_importer import NpmImporterPipeline +from vulnerabilities.pipelines.rockylinux_importer import RockylinuxImporterPipeline from vulnerabilities.utils import AffectedPackage as LegacyAffectedPackage from vulnerabilities.utils import clean_nginx_git_tag from vulnerabilities.utils import get_affected_packages_by_patched_package @@ -478,6 +479,11 @@ class GithubOSVImprover(ValidVersionImprover): ignorable_versions = [] +class RockyLinuxImprover(ValidVersionImprover): + importer = RockylinuxImporterPipeline + ignorable_versions = [] + + class CurlImprover(ValidVersionImprover): importer = CurlImporter ignorable_versions = [] diff --git a/vulnerabilities/pipelines/rockylinux_importer.py b/vulnerabilities/pipelines/rockylinux_importer.py new file mode 100644 index 000000000..f1dc0268a --- /dev/null +++ b/vulnerabilities/pipelines/rockylinux_importer.py @@ -0,0 +1,277 @@ +# +# Copyright (c) nexB Inc. and others. All rights reserved. +# VulnerableCode is a trademark of nexB Inc. +# SPDX-License-Identifier: Apache-2.0 +# See http://www.apache.org/licenses/LICENSE-2.0 for the license text. +# See https://github.com/nexB/vulnerablecode for support or download. +# See https://aboutcode.org for more information about nexB OSS projects. +# + +import logging +import re +from typing import Dict +from typing import Iterable +from typing import List + +import requests +from cwe2.database import Database +from dateutil import parser as dateparser +from packageurl import PackageURL +from univers.version_range import RpmVersionRange + +from vulnerabilities import severity_systems +from vulnerabilities.importer import AdvisoryData +from vulnerabilities.importer import AffectedPackage +from vulnerabilities.importer import Reference +from vulnerabilities.importer import VulnerabilitySeverity +from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipeline +from vulnerabilities.rpm_utils import rpm_to_purl +from vulnerabilities.utils import get_cwe_id +from vulnerabilities.utils import requests_with_5xx_retry + +logger = logging.getLogger(__name__) +requests_session = requests_with_5xx_retry(max_retries=5, backoff_factor=1) + + +class RockylinuxImporterPipeline(VulnerableCodeBaseImporterPipeline): + pipeline_id = "rockylinux_importer" + + spdx_license_expression = "CC-BY-4.0" + license_url = "https://access.redhat.com/security/data" + importer_name = "Rockylinux Importer" + + @classmethod + def steps(cls): + return (cls.fetch, cls.collect_and_store_advisories, cls.import_new_advisories) + + def fetch(self) -> Iterable[List[Dict]]: + page_no = 0 + self.advisory_data = [] + + while True: + current_url = f"https://errata.rockylinux.org/api/v2/advisories?filters.product=&filters.fetchRelated=true&page={page_no}&limit=100" + try: + response = requests_session.get(current_url) + if response.status_code != requests.codes.ok: + logger.error(f"Failed to fetch RedHat CVE results from {current_url}") + break + cve_data = response.json().get("advisories") or [] + self.advisory_data.extend(cve_data) + except Exception as e: + logger.error(f"Failed to fetch rockylinux CVE results from {current_url} {e}") + break + if not cve_data: + break + page_no += 1 + + def advisories_count(self): + return len(self.advisory_data) + + def collect_advisories(self) -> Iterable[AdvisoryData]: + for rl_advisory in self.advisory_data: + yield to_advisory(rl_advisory) + + +class VersionParsingError(Exception): + pass + + +def to_advisory(advisory_data) -> AdvisoryData: + + """ + Convert Rockylinux advisory data into an AdvisoryData object. + + Args: + advisory_data (dict): A dictionary containing advisory information. + + Returns: + AdvisoryData: An instance of AdvisoryData with processed information. + + Example: + >>> advisory_data = { + ... "name": "RLSA-2021:4364", + ... "publishedAt": "2021-11-09T09:11:20Z", + ... "description": "The binutils packages provide a collection of binary utilities for the manipulation", + ... "affectedProducts": ["Rocky Linux 8"], + ... "rpms": { + ... "Rocky Linux 8": { + ... "nvras": [ + ... "gfs2-utils-0:3.2.0-11.el8.aarch64.rpm", + ... "gfs2-utils-0:3.2.0-11.el8.src.rpm", + ... "gfs2-utils-0:3.2.0-11.el8.x86_64.rpm", + ... "gfs2-utils-debuginfo-0:3.2.0-11.el8.aarch64.rpm", + ... "gfs2-utils-debuginfo-0:3.2.0-11.el8.x86_64.rpm", + ... "gfs2-utils-debugsource-0:3.2.0-11.el8.aarch64.rpm", + ... "gfs2-utils-debugsource-0:3.2.0-11.el8.x86_64.rpm" + ... ] + ... } + ... }, + ... "fixes": [ + ... { + ... "ticket": "1942434", + ... "sourceBy": "Red Hat", + ... "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=1942434", + ... "description": "" + ... } + ... ], + ... "cves": [ + ... { + ... "name": "CVE-2021-3487", + ... "sourceBy": "MITRE", + ... "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3487", + ... "cvss3ScoringVector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + ... "cvss3BaseScore": "6.5", + ... "cwe": "CWE-20->CWE-400" + ... } + ... ] + ... } + >>> advisory = to_advisory(advisory_data) + >>> advisory.aliases + 'RLSA-2021:4364' + >>> advisory.date_published.year + 2021 + >>> len(advisory.affected_packages) + 7 + >>> len(advisory.references) + 2 + >>> advisory.weaknesses + [400, 20] + """ + + aliases = advisory_data.get("name") or "" + date_published = dateparser.parse(advisory_data.get("publishedAt", "")) + + summary = advisory_data.get("description") or "" + affected_products = advisory_data.get("affectedProducts") or [] + affected_packages = [] + for products in affected_products: + rpms = advisory_data.get("rpms", {}) + packages = rpms.get(products, {}).get("nvras", []) + affected_packages.extend(packages) + processed_affected_packages: List[AffectedPackage] = [] + for rpm in affected_packages: + purl = rpm_to_purl(rpm_string=rpm.rsplit(".rpm", 1)[0] or "", namespace="rocky-linux") + if purl: + try: + affected_version_range = RpmVersionRange.from_versions(sequence=[purl.version]) + processed_affected_packages.append( + AffectedPackage( + package=PackageURL( + type=purl.type, + name=purl.name, + namespace=purl.namespace, + qualifiers=purl.qualifiers, + subpath=purl.subpath, + ), + affected_version_range=affected_version_range, + fixed_version=None, + ) + ) + except VersionParsingError as e: + logger.error(f"Failed to parse version {purl.version} for {purl} {e}") + + references = [ + Reference( + severities=[], url=fix.get("sourceLink") or "", reference_id=fix.get("ticket") or "" + ) + for fix in advisory_data["fixes"] + ] + + for ref in advisory_data.get("cves", []): + + name = ref.get("name", "") + if not isinstance(name, str): + logger.error(f"Invalid advisory type {name}") + continue + + if ref.get("sourceLink", ""): + name_upper = name.upper() + cvss_vector = ref.get("cvss3ScoringVector", "") + + if "CVE" in name_upper and cvss_vector != "UNKNOWN": + base_score = ref.get("cvss3BaseScore", "") + + if base_score and cvss_vector: + severities = [ + VulnerabilitySeverity( + system=severity_systems.CVSSV31, + value=base_score, + scoring_elements=cvss_vector, + ) + ] + else: + severities = [] + + references.append( + Reference( + severities=severities, url=ref.get("sourceLink", ""), reference_id=name + ) + ) + + return AdvisoryData( + aliases=aliases, + summary=summary, + affected_packages=processed_affected_packages, + references=references, + date_published=date_published, + weaknesses=get_cwes_from_rockylinux_advisory(advisory_data), + url=f"https://errata.rockylinux.org/{aliases}", + ) + + +def get_cwes_from_rockylinux_advisory(advisory_data) -> [int]: + """ + Extract CWE IDs from advisory data and validate them against a database. + + :param advisory_data: Dictionary containing CVE information. + :return: List of valid CWE IDs. + + >>> advisory_data = {"cves": [ + ... { + ... "name": "CVE-2022-24999", + ... "sourceBy": "MITRE", + ... "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24999", + ... "cvss3ScoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + ... "cvss3BaseScore": "7.5", + ... "cwe": "CWE-1321" + ... }, + ... { + ... "name": "CVE-2022-3517", + ... "sourceBy": "MITRE", + ... "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3517", + ... "cvss3ScoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + ... "cvss3BaseScore": "7.5", + ... "cwe": "CWE-400" + ... }, + ... { + ... "name": "CVE-2022-43548", + ... "sourceBy": "MITRE", + ... "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548", + ... "cvss3ScoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + ... "cvss3BaseScore": "7.5", + ... "cwe": "CWE-20 -> CWE-400" + ... } + ... ]} + >>> get_cwes_from_rockylinux_advisory(advisory_data) + [400, 1321, 20] + >>> get_cwes_from_rockylinux_advisory({"cves": [{"name": "CVE-1234-1234","cwe": "None"}]}) + [] + """ + + cwe_ids = [] + for cve in advisory_data.get("cves", []): + cwe_pattern = r"CWE-\d+" + cwe_id_list = re.findall(cwe_pattern, cve.get("cwe", "")) + cwe_ids.extend(cwe_id_list) + weaknesses = [] + db = Database() + for cwe_string in cwe_ids: + if cwe_string: + cwe_id = get_cwe_id(cwe_string) + try: + db.get(cwe_id) + weaknesses.append(cwe_id) + except ValueError: + logger.error("Invalid CWE id") + unique_set = set(weaknesses) + return list(unique_set) diff --git a/vulnerabilities/tests/pipelines/test_rockylinux_importer_pipeline.py b/vulnerabilities/tests/pipelines/test_rockylinux_importer_pipeline.py new file mode 100644 index 000000000..cbaf7ad5a --- /dev/null +++ b/vulnerabilities/tests/pipelines/test_rockylinux_importer_pipeline.py @@ -0,0 +1,64 @@ +# +# Copyright (c) nexB Inc. and others. All rights reserved. +# VulnerableCode is a trademark of nexB Inc. +# SPDX-License-Identifier: Apache-2.0 +# See http://www.apache.org/licenses/LICENSE-2.0 for the license text. +# See https://github.com/nexB/vulnerablecode for support or download. +# See https://aboutcode.org for more information about nexB OSS projects. +# + +import os +from pathlib import Path +from unittest import TestCase +from unittest.mock import patch + +from packageurl import PackageURL + +from vulnerabilities.pipelines.rockylinux_importer import get_cwes_from_rockylinux_advisory +from vulnerabilities.pipelines.rockylinux_importer import to_advisory +from vulnerabilities.rpm_utils import rpm_to_purl +from vulnerabilities.utils import load_json + +TEST_DATA = Path(__file__).parent.parent / "test_data" / "rockylinux" + + +class TestRockylinuxImporterPipeline(TestCase): + def test_to_advisory1(self): + test1 = os.path.join(TEST_DATA, "rockylinux_test1.json") + mock_response = load_json(test1) + expected_result = load_json(os.path.join(TEST_DATA, "rockylinux_expected1.json")) + # print(f"1st is {to_advisory(mock_response).to_dict()}") + assert to_advisory(mock_response).to_dict() == expected_result + + def test_to_advisory2(self): + test2 = os.path.join(TEST_DATA, "rockylinux_test2.json") + mock_response2 = load_json(test2) + expected_result2 = load_json(os.path.join(TEST_DATA, "rockylinux_expected2.json")) + assert to_advisory(mock_response2).to_dict() == expected_result2 + # print(f"2nd is {to_advisory(mock_response2).to_dict()}") + + def test_rpm_to_purl(self): + assert rpm_to_purl("foobar", "rocky-linux") is None + assert rpm_to_purl("foo-bar-devel-0:sys76", "rocky-linux") is None + assert rpm_to_purl("cockpit-0:264.1-1.el8.aarch64", "rocky-linux") == PackageURL( + type="rpm", + namespace="rocky-linux", + name="cockpit", + version="264.1-1.el8", + qualifiers={"arch": "aarch64"}, + ) + + def test_get_cwes_from_rockylinux_advisory(self): + advisory_data = { + "cves": [ + { + "name": "CVE-2022-3140", + "sourceBy": "MITRE", + "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3140", + "cvss3ScoringVector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", + "cvss3BaseScore": "5.3", + "cwe": "CWE-88->CWE-20", + } + ] + } + assert get_cwes_from_rockylinux_advisory(advisory_data=advisory_data) == [88, 20] diff --git a/vulnerabilities/tests/test_data/rockylinux/rockylinux_expected1.json b/vulnerabilities/tests/test_data/rockylinux/rockylinux_expected1.json new file mode 100644 index 000000000..3dcee4ed7 --- /dev/null +++ b/vulnerabilities/tests/test_data/rockylinux/rockylinux_expected1.json @@ -0,0 +1,455 @@ +{ + "aliases": "RLSA-2022:2013", + "summary": "OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server.\n\nSecurity Fix(es):\n\n* openssh: privilege escalation when AuthorizedKeysCommand or AuthorizedPrincipalsCommand are configured (CVE-2021-41617)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Rocky Linux 8.6 Release Notes linked from the References section.", + "affected_packages": [ + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh", + "version": "", + "qualifiers": "arch=src", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-askpass", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-askpass", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-askpass-debuginfo", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-askpass-debuginfo", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-cavs", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-cavs", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-cavs-debuginfo", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-cavs-debuginfo", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-clients", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-clients", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-clients-debuginfo", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-clients-debuginfo", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-debuginfo", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-debuginfo", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-debugsource", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-debugsource", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-keycat", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-keycat", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-keycat-debuginfo", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-keycat-debuginfo", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-ldap", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-ldap", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-ldap-debuginfo", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-ldap-debuginfo", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-server", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-server", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-server-debuginfo", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "openssh-server-debuginfo", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/8.0p1-13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "pam_ssh_agent_auth", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/0.10.3-7.13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "pam_ssh_agent_auth", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/0.10.3-7.13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "pam_ssh_agent_auth-debuginfo", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/0.10.3-7.13.el8", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "pam_ssh_agent_auth-debuginfo", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/0.10.3-7.13.el8", + "fixed_version": null + } + ], + "references": [ + { + "reference_id": "2008291", + "reference_type": "", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2008291", + "severities": [] + }, + { + "reference_id": "2015828", + "reference_type": "", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2015828", + "severities": [] + }, + { + "reference_id": "CVE-2021-41617", + "reference_type": "", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41617", + "severities": [ + { + "system": "cvssv3.1", + "value": "7.0", + "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ] + } + ], + "date_published": "2022-05-10T06:45:24+00:00", + "weaknesses": [273, 546, 123], + "url": "https://errata.rockylinux.org/RLSA-2022:2013" +} diff --git a/vulnerabilities/tests/test_data/rockylinux/rockylinux_expected2.json b/vulnerabilities/tests/test_data/rockylinux/rockylinux_expected2.json new file mode 100644 index 000000000..68c5cca7c --- /dev/null +++ b/vulnerabilities/tests/test_data/rockylinux/rockylinux_expected2.json @@ -0,0 +1,149 @@ +{ + "aliases": "RLSA-2024:1494", + "summary": "Mozilla Thunderbird is a standalone mail and newsgroup client.\n\nThis update upgrades Thunderbird to version 115.9.0.\n\nSecurity Fix(es):\n\n* nss: timing attack against RSA decryption (CVE-2023-5388)\n\n* Mozilla: Crash in NSS TLS method (CVE-2024-0743)\n\n* Mozilla: Leaking of encrypted email subjects to other conversations (CVE-2024-1936)\n\n* Mozilla: JIT code failed to save return registers on Armv7-A (CVE-2024-2607)\n\n* Mozilla: Integer overflow could have led to out of bounds write\n(CVE-2024-2608)\n\n* Mozilla: Improper handling of html and body tags enabled CSP nonce leakage\n(CVE-2024-2610)\n\n* Mozilla: Clickjacking vulnerability could have led to a user accidentally\ngranting permissions (CVE-2024-2611)\n\n* Mozilla: Self referencing object could have potentially led to a\nuse-after-free (CVE-2024-2612)\n\n* Mozilla: Memory safety bugs fixed in Firefox 124, Firefox ESR 115.9, and\nThunderbird 115.9 (CVE-2024-2614)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", + "affected_packages": [ + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "thunderbird", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/115.9.0-1.el8_9", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "thunderbird", + "version": "", + "qualifiers": "arch=src", + "subpath": "" + }, + "affected_version_range": "vers:rpm/115.9.0-1.el8_9", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "thunderbird", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/115.9.0-1.el8_9", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "thunderbird-debuginfo", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/115.9.0-1.el8_9", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "thunderbird-debuginfo", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/115.9.0-1.el8_9", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "thunderbird-debugsource", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/115.9.0-1.el8_9", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "rocky-linux", + "name": "thunderbird-debugsource", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": "vers:rpm/115.9.0-1.el8_9", + "fixed_version": null + } + ], + "references": [ + { + "reference_id": "2243644", + "reference_type": "", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243644", + "severities": [] + }, + { + "reference_id": "2260012", + "reference_type": "", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2260012", + "severities": [] + }, + { + "reference_id": "2268171", + "reference_type": "", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268171", + "severities": [] + }, + { + "reference_id": "2270660", + "reference_type": "", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270660", + "severities": [] + }, + { + "reference_id": "2270661", + "reference_type": "", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270661", + "severities": [] + }, + { + "reference_id": "2270663", + "reference_type": "", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270663", + "severities": [] + }, + { + "reference_id": "2270664", + "reference_type": "", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270664", + "severities": [] + }, + { + "reference_id": "2270665", + "reference_type": "", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270665", + "severities": [] + }, + { + "reference_id": "2270666", + "reference_type": "", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270666", + "severities": [] + } + ], + "date_published": "2024-03-27T04:34:32.999941+00:00", + "weaknesses": [], + "url": "https://errata.rockylinux.org/RLSA-2024:1494" +} diff --git a/vulnerabilities/tests/test_data/rockylinux/rockylinux_test1.json b/vulnerabilities/tests/test_data/rockylinux/rockylinux_test1.json new file mode 100644 index 000000000..1cd1a772c --- /dev/null +++ b/vulnerabilities/tests/test_data/rockylinux/rockylinux_test1.json @@ -0,0 +1,82 @@ +{ + "type": "TYPE_SECURITY", + "shortCode": "RL", + "name": "RLSA-2022:2013", + "synopsis": "Moderate: openssh security, bug fix, and enhancement update", + "severity": "SEVERITY_MODERATE", + "topic": "An update is available for openssh.\nThis update affects Rocky Linux 8.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list", + "description": "OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server.\n\nSecurity Fix(es):\n\n* openssh: privilege escalation when AuthorizedKeysCommand or AuthorizedPrincipalsCommand are configured (CVE-2021-41617)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Rocky Linux 8.6 Release Notes linked from the References section.", + "solution": null, + "affectedProducts": [ + "Rocky Linux 8" + ], + "fixes": [ + { + "ticket": "2008291", + "sourceBy": "Red Hat", + "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2008291", + "description": "" + }, + { + "ticket": "2015828", + "sourceBy": "Red Hat", + "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2015828", + "description": "" + } + ], + "cves": [ + { + "name": "CVE-2021-41617", + "sourceBy": "MITRE", + "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41617", + "cvss3ScoringVector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "cvss3BaseScore": "7.0", + "cwe": "CWE-273, CWE-123, CWE-546" + } + ], + "references": [], + "publishedAt": "2022-05-10T06:45:24Z", + "rpms": { + "Rocky Linux 8": { + "nvras": [ + "openssh-0:8.0p1-13.el8.aarch64.rpm", + "openssh-0:8.0p1-13.el8.src.rpm", + "openssh-0:8.0p1-13.el8.x86_64.rpm", + "openssh-askpass-0:8.0p1-13.el8.aarch64.rpm", + "openssh-askpass-0:8.0p1-13.el8.x86_64.rpm", + "openssh-askpass-debuginfo-0:8.0p1-13.el8.aarch64.rpm", + "openssh-askpass-debuginfo-0:8.0p1-13.el8.x86_64.rpm", + "openssh-cavs-0:8.0p1-13.el8.aarch64.rpm", + "openssh-cavs-0:8.0p1-13.el8.x86_64.rpm", + "openssh-cavs-debuginfo-0:8.0p1-13.el8.aarch64.rpm", + "openssh-cavs-debuginfo-0:8.0p1-13.el8.x86_64.rpm", + "openssh-clients-0:8.0p1-13.el8.aarch64.rpm", + "openssh-clients-0:8.0p1-13.el8.x86_64.rpm", + "openssh-clients-debuginfo-0:8.0p1-13.el8.aarch64.rpm", + "openssh-clients-debuginfo-0:8.0p1-13.el8.x86_64.rpm", + "openssh-debuginfo-0:8.0p1-13.el8.aarch64.rpm", + "openssh-debuginfo-0:8.0p1-13.el8.x86_64.rpm", + "openssh-debugsource-0:8.0p1-13.el8.aarch64.rpm", + "openssh-debugsource-0:8.0p1-13.el8.x86_64.rpm", + "openssh-keycat-0:8.0p1-13.el8.aarch64.rpm", + "openssh-keycat-0:8.0p1-13.el8.x86_64.rpm", + "openssh-keycat-debuginfo-0:8.0p1-13.el8.aarch64.rpm", + "openssh-keycat-debuginfo-0:8.0p1-13.el8.x86_64.rpm", + "openssh-ldap-0:8.0p1-13.el8.aarch64.rpm", + "openssh-ldap-0:8.0p1-13.el8.x86_64.rpm", + "openssh-ldap-debuginfo-0:8.0p1-13.el8.aarch64.rpm", + "openssh-ldap-debuginfo-0:8.0p1-13.el8.x86_64.rpm", + "openssh-server-0:8.0p1-13.el8.aarch64.rpm", + "openssh-server-0:8.0p1-13.el8.x86_64.rpm", + "openssh-server-debuginfo-0:8.0p1-13.el8.aarch64.rpm", + "openssh-server-debuginfo-0:8.0p1-13.el8.x86_64.rpm", + "pam_ssh_agent_auth-0:0.10.3-7.13.el8.aarch64.rpm", + "pam_ssh_agent_auth-0:0.10.3-7.13.el8.x86_64.rpm", + "pam_ssh_agent_auth-debuginfo-0:0.10.3-7.13.el8.aarch64.rpm", + "pam_ssh_agent_auth-debuginfo-0:0.10.3-7.13.el8.x86_64.rpm" + ] + } + }, + "rebootSuggested": false, + "buildReferences": [] +} \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/rockylinux/rockylinux_test2.json b/vulnerabilities/tests/test_data/rockylinux/rockylinux_test2.json new file mode 100644 index 000000000..ae257c772 --- /dev/null +++ b/vulnerabilities/tests/test_data/rockylinux/rockylinux_test2.json @@ -0,0 +1,160 @@ +{ + "type": "TYPE_SECURITY", + "shortCode": "RL", + "name": "RLSA-2024:1494", + "synopsis": "Moderate: thunderbird security update", + "severity": "SEVERITY_MODERATE", + "topic": "An update is available for thunderbird.\nThis update affects Rocky Linux 8.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list", + "description": "Mozilla Thunderbird is a standalone mail and newsgroup client.\n\nThis update upgrades Thunderbird to version 115.9.0.\n\nSecurity Fix(es):\n\n* nss: timing attack against RSA decryption (CVE-2023-5388)\n\n* Mozilla: Crash in NSS TLS method (CVE-2024-0743)\n\n* Mozilla: Leaking of encrypted email subjects to other conversations (CVE-2024-1936)\n\n* Mozilla: JIT code failed to save return registers on Armv7-A (CVE-2024-2607)\n\n* Mozilla: Integer overflow could have led to out of bounds write\n(CVE-2024-2608)\n\n* Mozilla: Improper handling of html and body tags enabled CSP nonce leakage\n(CVE-2024-2610)\n\n* Mozilla: Clickjacking vulnerability could have led to a user accidentally\ngranting permissions (CVE-2024-2611)\n\n* Mozilla: Self referencing object could have potentially led to a\nuse-after-free (CVE-2024-2612)\n\n* Mozilla: Memory safety bugs fixed in Firefox 124, Firefox ESR 115.9, and\nThunderbird 115.9 (CVE-2024-2614)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", + "solution": null, + "affectedProducts": [ + "Rocky Linux 8" + ], + "fixes": [ + { + "ticket": "2243644", + "sourceBy": "Red Hat", + "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2243644", + "description": "" + }, + { + "ticket": "2260012", + "sourceBy": "Red Hat", + "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2260012", + "description": "" + }, + { + "ticket": "2268171", + "sourceBy": "Red Hat", + "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2268171", + "description": "" + }, + { + "ticket": "2270660", + "sourceBy": "Red Hat", + "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2270660", + "description": "" + }, + { + "ticket": "2270661", + "sourceBy": "Red Hat", + "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2270661", + "description": "" + }, + { + "ticket": "2270663", + "sourceBy": "Red Hat", + "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2270663", + "description": "" + }, + { + "ticket": "2270664", + "sourceBy": "Red Hat", + "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2270664", + "description": "" + }, + { + "ticket": "2270665", + "sourceBy": "Red Hat", + "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2270665", + "description": "" + }, + { + "ticket": "2270666", + "sourceBy": "Red Hat", + "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2270666", + "description": "" + } + ], + "cves": [ + { + "name": "CVE-2023-5388", + "sourceBy": "MITRE", + "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5388", + "cvss3ScoringVector": "UNKNOWN", + "cvss3BaseScore": "UNKNOWN", + "cwe": "UNKNOWN" + }, + { + "name": "CVE-2024-0743", + "sourceBy": "MITRE", + "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0743", + "cvss3ScoringVector": "UNKNOWN", + "cvss3BaseScore": "UNKNOWN", + "cwe": "UNKNOWN" + }, + { + "name": "CVE-2024-1936", + "sourceBy": "MITRE", + "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1936", + "cvss3ScoringVector": "UNKNOWN", + "cvss3BaseScore": "UNKNOWN", + "cwe": "UNKNOWN" + }, + { + "name": "CVE-2024-2607", + "sourceBy": "MITRE", + "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2607", + "cvss3ScoringVector": "UNKNOWN", + "cvss3BaseScore": "UNKNOWN", + "cwe": "UNKNOWN" + }, + { + "name": "CVE-2024-2608", + "sourceBy": "MITRE", + "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2608", + "cvss3ScoringVector": "UNKNOWN", + "cvss3BaseScore": "UNKNOWN", + "cwe": "UNKNOWN" + }, + { + "name": "CVE-2024-2610", + "sourceBy": "MITRE", + "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2610", + "cvss3ScoringVector": "UNKNOWN", + "cvss3BaseScore": "UNKNOWN", + "cwe": "UNKNOWN" + }, + { + "name": "CVE-2024-2611", + "sourceBy": "MITRE", + "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2611", + "cvss3ScoringVector": "UNKNOWN", + "cvss3BaseScore": "UNKNOWN", + "cwe": "UNKNOWN" + }, + { + "name": "CVE-2024-2612", + "sourceBy": "MITRE", + "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2612", + "cvss3ScoringVector": "UNKNOWN", + "cvss3BaseScore": "UNKNOWN", + "cwe": "UNKNOWN" + }, + { + "name": "CVE-2024-2614", + "sourceBy": "MITRE", + "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2614", + "cvss3ScoringVector": "UNKNOWN", + "cvss3BaseScore": "UNKNOWN", + "cwe": "UNKNOWN" + } + ], + "references": [], + "publishedAt": "2024-03-27T04:34:32.999941Z", + "rpms": { + "Rocky Linux 8": { + "nvras": [ + "thunderbird-0:115.9.0-1.el8_9.aarch64.rpm", + "thunderbird-0:115.9.0-1.el8_9.src.rpm", + "thunderbird-0:115.9.0-1.el8_9.x86_64.rpm", + "thunderbird-debuginfo-0:115.9.0-1.el8_9.aarch64.rpm", + "thunderbird-debuginfo-0:115.9.0-1.el8_9.x86_64.rpm", + "thunderbird-debugsource-0:115.9.0-1.el8_9.aarch64.rpm", + "thunderbird-debugsource-0:115.9.0-1.el8_9.x86_64.rpm" + ] + } + }, + "rebootSuggested": false, + "buildReferences": [] + } \ No newline at end of file