

Begin postgresql.py migration aboutcode-org#969
Reference: aboutcode-org#969

Signed-off-by: John M. Horan <[email protected]>
johnmhoran authored and TG1999 committed Nov 21, 2022
1 parent bf49673 commit b5c94bd
Showing 2 changed files with 261 additions and 24 deletions.
91 changes: 71 additions & 20 deletions vulnerabilities/importers/postgresql.py
Expand Up @@ -13,17 +13,27 @@
from bs4 import BeautifulSoup
from packageurl import PackageURL

# is there a univers versionrange? a version?
from univers.version_range import GenericVersionRange
from univers.versions import GenericVersion

from vulnerabilities import severity_systems

# add AffectedPackage
from vulnerabilities.importer import AdvisoryData
from vulnerabilities.importer import AffectedPackage
from vulnerabilities.importer import Importer
from vulnerabilities.importer import Reference
from vulnerabilities.importer import VulnerabilitySeverity

# we no longer use nearest_patched_package, do we?
from vulnerabilities.utils import nearest_patched_package


class PostgreSQLImporter(Importer):

root_url = "https://www.postgresql.org/support/security/"
# need spdx_license_expression and license_url

def updated_advisories(self):
advisories = []
Expand Down Expand Up @@ -54,26 +64,64 @@ def to_advisories(data):
if "windows" in summary.lower():
pkg_qualifiers = {"os": "windows"}

affected_packages = [
PackageURL(
type="generic",
name="postgresql",
version=version.strip(),
qualifiers=pkg_qualifiers,
# affected_packages = [
# PackageURL(
# type="generic",
# name="postgresql",
# version=version.strip(),
# qualifiers=pkg_qualifiers,
# )
# for version in affected_col.text.split(",")
# ]

# fixed_packages = [
# PackageURL(
# type="generic",
# name="postgresql",
# version=version.strip(),
# qualifiers=pkg_qualifiers,
# )
# for version in fixed_col.text.split(",")
# # why the "if version" here but not in affected_packages?
# # aren't we assuming (can we assume?) there are an equal number of versions in affect_packages and fixed_packages?
# if version
# ]

# This will replace the affected_packages and fixed_packages lists above. ============
affected_packages = []
affected_version_list = affected_col.text.split(",")
fixed_version_list = fixed_col.text.split(",")
package_count = len(affected_version_list)

while package_count > 0:
summary = summary

affected = affected_version_list[0]
affected_version_list.pop(0)
# Do we need "if affected else None"?
affected_version_range = (
GenericVersionRange.from_versions([affected]) if affected else None
)
for version in affected_col.text.split(",")
]

fixed_packages = [
PackageURL(
type="generic",
name="postgresql",
version=version.strip(),
qualifiers=pkg_qualifiers,

fixed = fixed_version_list[0]
fixed_version_list.pop(0)
# Do we need "if affected else None"?
fixed_version = GenericVersion(fixed) if fixed else None

package_count -= 1

affected_package = AffectedPackage(
package=PackageURL(
name="postgresql",
type="generic",
namespace="postgresql",
),
affected_version_range=affected_version_range,
fixed_version=fixed_version,
)
for version in fixed_col.text.split(",")
if version
]
affected_packages.append(affected_package)

# end of initial draft insert ===================================

try:
cve_id = ref_col.select("nobr")[0].text
Expand Down Expand Up @@ -105,10 +153,13 @@ def to_advisories(data):

advisories.append(
AdvisoryData(
vulnerability_id=cve_id,
# 10/26/2022 Wednesday 6:40:01 PM. Throws error (terminal points to test data): TypeError: __init__() got an unexpected keyword argument 'vulnerability_id'
# vulnerability_id=cve_id,
aliases=[cve_id],
summary=summary,
references=references,
affected_packages=nearest_patched_package(affected_packages, fixed_packages),
# affected_packages=nearest_patched_package(affected_packages, fixed_packages),
affected_packages=affected_packages,
)
)

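Review bot: The rebuilt loop at `affected_package = AffectedPackage(` drops `qualifiers=pkg_qualifiers` from the PackageURL, so the `os=windows` qualifier computed just above for Windows-only advisories is no longer attached and those advisories now apply to every PostgreSQL build; it also adds `namespace="postgresql"`, which the expected data in the test file of this commit does not carry. The values taken from `affected_version_list[0]` and `fixed_version_list[0]` are no longer `.strip()`ped as the commented-out comprehensions did, so an entry like ` 10.12` with a leading space goes straight into `GenericVersion` and `GenericVersionRange.from_versions`. The lockstep `pop(0)` reads `fixed_version_list[0]` without checking that the fixed column has as many entries as the affected column (the question raised in your own comment at the top of the hunk), and `summary = summary` is a no-op that should go. Iterating `for affected, fixed in zip(...)` over stripped lists keeps the pairing explicit; if the two columns can legitimately differ in length, decide and document that case rather than letting it raise IndexError. to_advisories starts and ends outside this hunk.
```python
# … unchanged: summary / pkg_qualifiers handling above …
affected_packages = []
affected_versions = [v.strip() for v in affected_col.text.split(",")]
fixed_versions = [v.strip() for v in fixed_col.text.split(",")]
# TODO(review): confirm both columns always have the same length; zip()
# silently truncates where the previous indexing raised IndexError.
for affected, fixed in zip(affected_versions, fixed_versions):
    affected_packages.append(
        AffectedPackage(
            package=PackageURL(
                type="generic",
                name="postgresql",
                qualifiers=pkg_qualifiers,
            ),
            affected_version_range=(
                GenericVersionRange.from_versions([affected]) if affected else None
            ),
            fixed_version=GenericVersion(fixed) if fixed else None,
        )
    )
# … unchanged: cve_id / references / AdvisoryData construction …
```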
194 changes: 190 additions & 4 deletions vulnerabilities/tests/test_postgresql.py
Expand Up @@ -32,7 +32,9 @@ def test_to_advisories(self):
expected_advisories = [
AdvisoryData(
summary="ALTER ... DEPENDS ON EXTENSION is missing authorization checks.more details",
vulnerability_id="CVE-2020-1720",
# 10/26/2022 Wednesday 6:40:01 PM. Throws error: TypeError: __init__() got an unexpected keyword argument 'vulnerability_id'
# vulnerability_id="CVE-2020-1720",
aliases=["CVE-2020-1720"],
affected_packages=[
AffectedPackage(
vulnerable_package=PackageURL(
Expand Down Expand Up @@ -103,7 +105,9 @@ def test_to_advisories(self):
),
AdvisoryData(
summary="Windows installer runs executables from uncontrolled directoriesmore details",
vulnerability_id="CVE-2020-10733",
# 10/26/2022 Wednesday 6:40:01 PM. Throws error: TypeError: __init__() got an unexpected keyword argument 'vulnerability_id'
# vulnerability_id="CVE-2020-10733",
aliases=["CVE-2020-10733"],
affected_packages=[
AffectedPackage(
vulnerable_package=PackageURL(
Expand Down Expand Up @@ -184,6 +188,188 @@ def test_to_advisories(self):

found_advisories = to_advisories(raw_data)

found_advisories = list(map(AdvisoryData.normalized, found_advisories))
expected_advisories = list(map(AdvisoryData.normalized, expected_advisories))
# 10/26/2022 Wednesday 7:07:13 PM. Throws error: AttributeError: type object 'AdvisoryData' has no attribute 'normalized'
# found_advisories = list(map(AdvisoryData.normalized, found_advisories))
found_advisories = list(map(AdvisoryData, found_advisories))
# expected_advisories = list(map(AdvisoryData.normalized, expected_advisories))
expected_advisories = list(map(AdvisoryData, expected_advisories))
assert sorted(found_advisories) == sorted(expected_advisories)

# 10/27/2022 Thursday 6:40:04 PM. This is intended to be an updated test -- but I have barely started to work on it!
# Focusing instead on postgresql.py for now.
def test_to_advisories_updated(self):

with open(TEST_DATA) as f:
raw_data = f.read()

expected_advisories = [
AdvisoryData(
summary="ALTER ... DEPENDS ON EXTENSION is missing authorization checks.more details",
# 10/26/2022 Wednesday 6:40:01 PM. Throws error: TypeError: __init__() got an unexpected keyword argument 'vulnerability_id'
# vulnerability_id="CVE-2020-1720",
aliases=["CVE-2020-1720"],
affected_packages=[
AffectedPackage(
vulnerable_package=PackageURL(
type="generic",
name="postgresql",
version="10",
),
patched_package=PackageURL(
type="generic",
name="postgresql",
version="10.12",
),
),
AffectedPackage(
vulnerable_package=PackageURL(
type="generic",
name="postgresql",
version="11",
),
patched_package=PackageURL(
type="generic",
name="postgresql",
version="11.7",
),
),
AffectedPackage(
vulnerable_package=PackageURL(
type="generic",
name="postgresql",
version="12",
),
patched_package=PackageURL(
type="generic",
name="postgresql",
version="12.2",
),
),
AffectedPackage(
vulnerable_package=PackageURL(
type="generic",
name="postgresql",
version="9.6",
),
patched_package=PackageURL(
type="generic",
name="postgresql",
version="9.6.17",
),
),
],
references=[
Reference(
reference_id="",
url="https://www.postgresql.org/about/news/postgresql-122-117-1012-9617-9521-and-9426-released-2011/",
),
Reference(
reference_id="",
url="https://www.postgresql.org/support/security/CVE-2020-1720/",
severities=[
VulnerabilitySeverity(
system=severity_systems.CVSSV3,
value="3.1",
),
VulnerabilitySeverity(
system=severity_systems.CVSSV3_VECTOR,
value=["AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"],
),
],
),
],
),
AdvisoryData(
summary="Windows installer runs executables from uncontrolled directoriesmore details",
# 10/26/2022 Wednesday 6:40:01 PM. Throws error: TypeError: __init__() got an unexpected keyword argument 'vulnerability_id'
# vulnerability_id="CVE-2020-10733",
aliases=["CVE-2020-10733"],
affected_packages=[
AffectedPackage(
vulnerable_package=PackageURL(
type="generic",
name="postgresql",
version="10",
qualifiers={"os": "windows"},
),
patched_package=PackageURL(
type="generic",
name="postgresql",
version="10.13",
qualifiers={"os": "windows"},
),
),
AffectedPackage(
vulnerable_package=PackageURL(
type="generic",
name="postgresql",
version="11",
qualifiers={"os": "windows"},
),
patched_package=PackageURL(
type="generic",
name="postgresql",
version="11.8",
qualifiers={"os": "windows"},
),
),
AffectedPackage(
vulnerable_package=PackageURL(
type="generic",
name="postgresql",
version="12",
qualifiers={"os": "windows"},
),
patched_package=PackageURL(
type="generic",
name="postgresql",
version="12.3",
qualifiers={"os": "windows"},
),
),
AffectedPackage(
vulnerable_package=PackageURL(
type="generic",
name="postgresql",
version="9.6",
qualifiers={"os": "windows"},
),
patched_package=PackageURL(
type="generic",
name="postgresql",
version="9.6.18",
qualifiers={"os": "windows"},
),
),
],
references=[
Reference(
reference_id="",
url="https://www.postgresql.org/about/news/postgresql-123-118-1013-9618-and-9522-released-2038/",
),
Reference(
reference_id="",
url="https://www.postgresql.org/support/security/CVE-2020-10733/",
severities=[
VulnerabilitySeverity(
system=severity_systems.CVSSV3,
value="6.7",
),
VulnerabilitySeverity(
system=severity_systems.CVSSV3_VECTOR,
value=["AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"],
),
],
),
],
),
]

found_advisories = to_advisories(raw_data)

# 10/26/2022 Wednesday 7:07:13 PM. Throws error: AttributeError: type object 'AdvisoryData' has no attribute 'normalized'
# found_advisories = list(map(AdvisoryData.normalized, found_advisories))
# found_advisories = list(map(AdvisoryData, found_advisories))
# expected_advisories = list(map(AdvisoryData.normalized, expected_advisories))
# expected_advisories = list(map(AdvisoryData, expected_advisories))
assert sorted(found_advisories) == sorted(expected_advisories)
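Review bot: `found_advisories = list(map(AdvisoryData, found_advisories))` and the matching line for `expected_advisories` pass each already-built AdvisoryData instance as the first positional argument of the AdvisoryData constructor; unless that class accepts an instance there, this raises or builds a wrong object, and if the elements are already AdvisoryData the mapping adds nothing, so compare the lists as returned with `assert sorted(found_advisories) == sorted(expected_advisories)`. The new `test_to_advisories_updated` repeats the earlier expected data verbatim, including the `vulnerable_package=`/`patched_package=` AffectedPackage keywords, while the importer change in this commit builds `AffectedPackage(package=..., affected_version_range=..., fixed_version=...)`, so these expectations will need to be rewritten to that shape (and to whatever namespace and qualifier values are settled on) before the test can pass. The timestamped lines such as `# 10/26/2022 Wednesday 6:40:01 PM. Throws error: ...` belong in the PR discussion rather than the committed test; a single `# TODO(aboutcode-org#969): ...` or removing them would be cleaner. `sorted()` on the advisory lists also presumes AdvisoryData defines an ordering, which nothing in this hunk shows.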
