From c54a7eb3da7677bfc6c878cc1ac77ecb6a557885 Mon Sep 17 00:00:00 2001 From: Tushar Goel Date: Mon, 2 Jan 2023 17:14:34 +0530 Subject: [PATCH 1/4] Migrate istio importer Signed-off-by: Tushar Goel --- vulnerabilities/importers/__init__.py | 2 + vulnerabilities/importers/istio.py | 199 +++++++++++--------------- 2 files changed, 82 insertions(+), 119 deletions(-) diff --git a/vulnerabilities/importers/__init__.py b/vulnerabilities/importers/__init__.py index b8329b9da..29359b922 100644 --- a/vulnerabilities/importers/__init__.py +++ b/vulnerabilities/importers/__init__.py @@ -16,6 +16,7 @@ from vulnerabilities.importers import github from vulnerabilities.importers import gitlab from vulnerabilities.importers import mozilla +from vulnerabilities.importers import istio from vulnerabilities.importers import nginx from vulnerabilities.importers import npm from vulnerabilities.importers import nvd @@ -47,6 +48,7 @@ apache_httpd.ApacheHTTPDImporter, mozilla.MozillaImporter, gentoo.GentooImporter, + istio.IstioImporter, ] IMPORTERS_REGISTRY = {x.qualified_name: x for x in IMPORTERS_REGISTRY} diff --git a/vulnerabilities/importers/istio.py b/vulnerabilities/importers/istio.py index 88ba731f5..9673d291d 100644 --- a/vulnerabilities/importers/istio.py +++ b/vulnerabilities/importers/istio.py 
@@ -6,165 +6,126 @@ # See https://github.com/nexB/vulnerablecode for support or download. # See https://aboutcode.org for more information about nexB OSS projects. # -import asyncio import re +from pathlib import Path from typing import Set import pytz import saneyaml from dateutil import parser from packageurl import PackageURL -from univers.version_range import VersionRange +from univers.version_range import GitHubVersionRange +from univers.version_range import GolangVersionRange from univers.versions import SemverVersion from vulnerabilities.importer import AdvisoryData -from vulnerabilities.importer import GitImporter +from vulnerabilities.importer import AffectedPackage +from vulnerabilities.importer import Importer from vulnerabilities.importer import Reference -from vulnerabilities.package_managers import GitHubTagsAPI -from vulnerabilities.utils import nearest_patched_package from vulnerabilities.utils import split_markdown_front_matter is_release = re.compile(r"^[\d.]+$", re.IGNORECASE).match -class IstioImporter(GitImporter): - def __enter__(self): - super(IstioImporter, self).__enter__() +class IstioImporter(Importer): + spdx_license_expression = "Apache-2.0" + license_url = "https://github.com/istio/istio.io/blob/master/LICENSE" - if not getattr(self, "_added_files", None): - self._added_files, self._updated_files = self.file_changes( - recursive=True, file_ext="md", subdir="./content/en/news/security" - ) - self.version_api = GitHubTagsAPI() - self.set_api() - - def set_api(self): - asyncio.run(self.version_api.load_api(["istio/istio"])) - - def updated_advisories(self) -> Set[AdvisoryData]: - files = self._added_files.union(self._updated_files) - advisories = [] - for f in files: + def advisory_data(self) -> Set[AdvisoryData]: + self.clone(repo_url="git+https://github.com/istio/istio.io/") + path = Path(self.vcs_response.dest_dir) + vuln = path / "content/en/news/security/" + for f in vuln.glob("**/*.md"): # Istio website has files with name starting 
with underscore, these contain metadata # required for rendering the website. We're not interested in these. # See also https://github.com/nexB/vulnerablecode/issues/563 + f = str(f) if f.endswith("_index.md"): continue - processed_data = self.process_file(f) - if processed_data: - advisories.extend(processed_data) - return self.batch_advisories(advisories) - - def get_pkg_versions_from_ranges(self, version_range_list, release_date): - """Takes a list of version ranges(affected) of a package - as parameter and returns a tuple of safe package versions and - vulnerable package versions""" - all_version = self.version_api.get("istio/istio", release_date).valid_versions - safe_pkg_versions = [] - vuln_pkg_versions = [] - version_ranges = [ - VersionRange.from_scheme_version_spec_string("semver", r) for r in version_range_list - ] - for version in all_version: - version_obj = SemverVersion(version) - if any([version_obj in v for v in version_ranges]): - vuln_pkg_versions.append(version) - - safe_pkg_versions = set(all_version) - set(vuln_pkg_versions) - return safe_pkg_versions, vuln_pkg_versions + yield from self.process_file(f) def process_file(self, path): - advisories = [] - data = self.get_data_from_md(path) release_date = parser.parse(data["publishdate"]).replace(tzinfo=pytz.UTC) - releases = [] - if data.get("releases"): - for release in data["releases"]: - # If it is of form "All releases prior to x" - if "All releases prior" in release: - release = release.strip() - release = release.split(" ") - releases.append("<" + release[4]) - - # Eg. 
'All releases 1.5 and later' - elif "All releases" in release and "and later" in release: - release = release.split()[2].strip() - releases.append(f">={release}") - - elif "to" in release: - release = release.strip() - release = release.split(" ") - lbound = ">=" + release[0] - ubound = "<=" + release[2] - releases.append(lbound + "," + ubound) - # If it is a single release - elif is_release(release): - releases.append(release) - - data["release_ranges"] = releases - - if not data.get("cves"): - data["cves"] = [""] - - for cve_id in data["cves"]: + constraints = [] + + for release in data.get("releases") or []: + # If it is of form "All releases prior to x" + if "All releases prior" in release: + release = release.strip() + release = release.split(" ") + constraints.append( + VersionConstraint(version=SemverVersion(release[4]), comparator="<") + ) + + # Eg. 'All releases 1.5 and later' + elif "All releases" in release and "and later" in release: + release = release.split()[2].strip() + constraints.append( + VersionConstraint(version=SemverVersion(release), comparator=">") + ) + + elif "to" in release: + release = release.strip() + release = release.split(" ") + constraints.append( + VersionConstraint(version=SemverVersion(release[0]), comparator=">=") + ) + constraints.append( + VersionConstraint(version=SemverVersion(release[2]), comparator="<=") + ) + + # If it is a single release + elif is_release(release): + constraints.append( + VersionConstraint(version=SemverVersion(release), comparator="=") + ) + + for cve_id in data.get("cves") or []: if not cve_id.startswith("CVE"): cve_id = "" - safe_pkg_versions = [] - vuln_pkg_versions = [] - if not data.get("release_ranges"): data["release_ranges"] = [] - safe_pkg_versions, vuln_pkg_versions = self.get_pkg_versions_from_ranges( - data["release_ranges"], release_date - ) - affected_packages = [] - safe_purls_golang = [ - PackageURL(type="golang", name="istio", version=version) - for version in safe_pkg_versions - ] - - 
vuln_purls_golang = [ - PackageURL(type="golang", name="istio", version=version) - for version in vuln_pkg_versions - ] - - affected_packages.extend(nearest_patched_package(vuln_purls_golang, safe_purls_golang)) - - safe_purls_github = [ - PackageURL(type="github", name="istio", version=version) - for version in safe_pkg_versions - ] - - vuln_purls_github = [ - PackageURL(type="github", name="istio", version=version) - for version in vuln_pkg_versions - ] - - affected_packages.extend(nearest_patched_package(vuln_purls_github, safe_purls_github)) - - advisories.append( - AdvisoryData( - vulnerability_id=cve_id, - summary=data["description"], - affected_packages=affected_packages, - references=[ - Reference( - reference_id=data["title"], - url=f"https://istio.io/latest/news/security/{data['title']}/", - ) - ], + affected_packages.append( + AffectedPackage( + package=PackageURL(type="golang", name="istio"), + affected_version_range=GolangVersionRange(constraints=constraints), + ) + ) + + affected_packages.append( + AffectedPackage( + package=PackageURL(type="github", name="istio"), + affected_version_range=GitHubVersionRange(constraints=constraints), ) ) - return advisories + title = data.get("title") or "" + references = [] + if title: + references.append( + Reference( + reference_id=title, + url=f"https://istio.io/latest/news/security/{title}/", + ) + ) + + summary = data.get("description") or "" + + yield AdvisoryData( + aliases=[cve_id], + summary=summary, + affected_packages=affected_packages, + references=references, + date_published=release_date, + ) def get_data_from_md(self, path): """Return a mapping of vulnerability data extracted from an advisory.""" From e0bd42dacdb19e2ecdeb470824e2d769a1c0a00c Mon Sep 17 00:00:00 2001 From: Tushar Goel Date: Mon, 2 Jan 2023 17:56:54 +0530 Subject: [PATCH 2/4] Add tests for istio importer 
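Review bot: `title` is read from the bulletin's YAML front matter and interpolated verbatim into the reference URL (`url=f"https://istio.io/latest/news/security/{title}/"`), so a stray `/`, `?` or `#` in a title would change where the stored reference points; percent-encode it, e.g. `url=f"https://istio.io/latest/news/security/{quote(title, safe='')}/"` with `from urllib.parse import quote`, or reject titles that do not match the bulletin-id shape seen in the test fixture (`ISTIO-SECURITY-YYYY-NNN`). That f-string is the only place the title is used, so the check is cheap. Separately, `advisory_data` and `process_file` are now generators (they `yield`), yet `advisory_data` is still annotated `-> Set[AdvisoryData]`; `-> Iterable[AdvisoryData]` describes what callers actually get. `get_data_from_md` starts on the last line of the hunk and its body is outside it.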
Signed-off-by: Tushar Goel --- vulnerabilities/importers/istio.py | 1 + vulnerabilities/tests/conftest.py | 1 - .../tests/test_data/istio/istio-expected.json | 42 ++++ vulnerabilities/tests/test_istio.py | 217 +++--------------- 4 files changed, 69 insertions(+), 192 deletions(-) create mode 100644 vulnerabilities/tests/test_data/istio/istio-expected.json diff --git a/vulnerabilities/importers/istio.py b/vulnerabilities/importers/istio.py index 9673d291d..e389e067c 100644 --- a/vulnerabilities/importers/istio.py +++ b/vulnerabilities/importers/istio.py @@ -14,6 +14,7 @@ import saneyaml from dateutil import parser from packageurl import PackageURL +from univers.version_constraint import VersionConstraint from univers.version_range import GitHubVersionRange from univers.version_range import GolangVersionRange from univers.versions import SemverVersion diff --git a/vulnerabilities/tests/conftest.py b/vulnerabilities/tests/conftest.py index 1d0684e9b..73679b26e 100644 --- a/vulnerabilities/tests/conftest.py +++ b/vulnerabilities/tests/conftest.py @@ -29,7 +29,6 @@ def no_rmtree(monkeypatch): "test_apache_tomcat.py", "test_api.py", "test_elixir_security.py", - "test_istio.py", "test_models.py", "test_msr2019.py", "test_package_managers.py", diff --git a/vulnerabilities/tests/test_data/istio/istio-expected.json b/vulnerabilities/tests/test_data/istio/istio-expected.json new file mode 100644 index 000000000..fe97ff34d --- /dev/null +++ b/vulnerabilities/tests/test_data/istio/istio-expected.json 
@@ -0,0 +1,42 @@ +[ + { + "aliases": [ + "CVE-2019-12243" + ], + "summary": "Incorrect access control.", + "affected_packages": [ + { + "package": { + "type": "golang", + "namespace": null, + "name": "istio", + "version": null, + "qualifiers": null, + "subpath": null + }, + "affected_version_range": "vers:golang/>=1.1.0|<=1.1.15|>=1.2.0|<=1.2.6|>=1.3.0|<=1.3.1", + "fixed_version": null + }, + { + "package": { + "type": "github", + "namespace": null, + "name": "istio", + "version": null, + "qualifiers": null, + "subpath": null + }, + "affected_version_range": "vers:github/>=1.1.0|<=1.1.15|>=1.2.0|<=1.2.6|>=1.3.0|<=1.3.1", + "fixed_version": null + } + ], + "references": [ + { + "reference_id": "ISTIO-SECURITY-2019-001", + "url": "https://istio.io/latest/news/security/ISTIO-SECURITY-2019-001/", + "severities": [] + } + ], + "date_published": "2019-05-28T00:00:00+00:00" + } +] \ No newline at end of file diff --git a/vulnerabilities/tests/test_istio.py b/vulnerabilities/tests/test_istio.py index 077e9f28d..750fa1eda 100644 --- a/vulnerabilities/tests/test_istio.py +++ b/vulnerabilities/tests/test_istio.py 
@@ -8,198 +8,33 @@ # import os -from collections import OrderedDict -from unittest import TestCase -from packageurl import PackageURL - -from vulnerabilities.importer import AdvisoryData -from vulnerabilities.importer import Reference from vulnerabilities.importers.istio import IstioImporter -from vulnerabilities.package_managers import GitHubTagsAPI -from vulnerabilities.package_managers import Version -from vulnerabilities.utils import AffectedPackage +from vulnerabilities.tests import util_tests BASE_DIR = os.path.dirname(os.path.abspath(__file__)) - - -class TestIstioImporter(TestCase): - @classmethod - def setUpClass(cls): - data_source_cfg = { - "repository_url": "", - } - cls.data_src = IstioImporter(1, config=data_source_cfg) - cls.data_src.version_api = GitHubTagsAPI( - { - "istio/istio": [ - Version(value="1.0.0"), - Version(value="1.1.0"), - Version(value="1.1.1"), - Version(value="1.1.17"), - Version(value="1.2.1"), - Version(value="1.2.7"), - Version(value="1.3.0"), - Version(value="1.3.1"), - Version(value="1.3.2"), - Version(value="1.9.1"), - ] - } - ) - - def test_get_data_from_md(self): - path = os.path.join(BASE_DIR, "test_data/istio/test_file.md") - actual_data = self.data_src.get_data_from_md(path) - expected_data = { - "title": "ISTIO-SECURITY-2019-001", - "subtitle": "Security Bulletin", - "description": "Incorrect access control.", - "cves": ["CVE-2019-12243"], - "cvss": "8.9", - "vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N/E:H/RL:O/RC:C", - "releases": ["1.1 to 1.1.15", "1.2 to 1.2.6", "1.3 to 1.3.1"], - "publishdate": "2019-05-28", - } - - assert expected_data == actual_data - - def test_process_file(self): - - path = os.path.join(BASE_DIR, "test_data/istio/test_file.md") - expected_data = [ - Advisory( - summary="Incorrect access control.", - vulnerability_id="CVE-2019-12243", - affected_packages=[ - AffectedPackage( - vulnerable_package=PackageURL( - type="golang", - name="istio", - version="1.1.0", - ), - 
patched_package=PackageURL( - type="golang", - name="istio", - version="1.1.17", - ), - ), - AffectedPackage( - vulnerable_package=PackageURL( - type="golang", - name="istio", - version="1.1.1", - ), - patched_package=PackageURL( - type="golang", - name="istio", - version="1.1.17", - ), - ), - AffectedPackage( - vulnerable_package=PackageURL( - type="golang", - name="istio", - version="1.2.1", - ), - patched_package=PackageURL( - type="golang", - name="istio", - version="1.2.7", - ), - ), - AffectedPackage( - vulnerable_package=PackageURL( - type="golang", - name="istio", - version="1.3.0", - ), - patched_package=PackageURL( - type="golang", - name="istio", - version="1.3.2", - ), - ), - AffectedPackage( - vulnerable_package=PackageURL( - type="golang", - name="istio", - version="1.3.1", - ), - patched_package=PackageURL( - type="golang", - name="istio", - version="1.3.2", - ), - ), - AffectedPackage( - vulnerable_package=PackageURL( - type="github", - name="istio", - version="1.1.0", - ), - patched_package=PackageURL( - type="github", - name="istio", - version="1.1.17", - ), - ), - AffectedPackage( - vulnerable_package=PackageURL( - type="github", - name="istio", - version="1.1.1", - ), - patched_package=PackageURL( - type="github", - name="istio", - version="1.1.17", - ), - ), - AffectedPackage( - vulnerable_package=PackageURL( - type="github", - name="istio", - version="1.2.1", - ), - patched_package=PackageURL( - type="github", - name="istio", - version="1.2.7", - ), - ), - AffectedPackage( - vulnerable_package=PackageURL( - type="github", - name="istio", - version="1.3.0", - ), - patched_package=PackageURL( - type="github", - name="istio", - version="1.3.2", - ), - ), - AffectedPackage( - vulnerable_package=PackageURL( - type="github", - name="istio", - version="1.3.1", - ), - patched_package=PackageURL( - type="github", - name="istio", - version="1.3.2", - ), - ), - ], - references=[ - Reference( - reference_id="ISTIO-SECURITY-2019-001", - 
url="https://istio.io/latest/news/security/ISTIO-SECURITY-2019-001/", - ) - ], - ) - ] - - found_data = self.data_src.process_file(path) - assert expected_data == found_data +TEST_DIR = os.path.join(BASE_DIR, "test_data/istio") + + +def test_istio_get_data_from_md(): + path = os.path.join(TEST_DIR, "test_file.md") + actual_data = IstioImporter().get_data_from_md(path) + expected_data = { + "title": "ISTIO-SECURITY-2019-001", + "subtitle": "Security Bulletin", + "description": "Incorrect access control.", + "cves": ["CVE-2019-12243"], + "cvss": "8.9", + "vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N/E:H/RL:O/RC:C", + "releases": ["1.1 to 1.1.15", "1.2 to 1.2.6", "1.3 to 1.3.1"], + "publishdate": "2019-05-28", + } + + assert expected_data == actual_data + + +def test_istio_process_file(): + path = os.path.join(TEST_DIR, "test_file.md") + expected_file = os.path.join(TEST_DIR, f"istio-expected.json") + result = [data.to_dict() for data in list(IstioImporter().process_file(path))] + util_tests.check_results_against_json(result, expected_file) From 704b9a9d97391cd17afd7a59b28e33f7a6652b1e Mon Sep 17 00:00:00 2001 From: Tushar Goel Date: Thu, 5 Jan 2023 12:53:29 +0530 Subject: [PATCH 3/4] Format code Signed-off-by: Tushar Goel --- vulnerabilities/importers/istio.py | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/vulnerabilities/importers/istio.py b/vulnerabilities/importers/istio.py index e389e067c..3c216dcd5 100644 --- a/vulnerabilities/importers/istio.py +++ b/vulnerabilities/importers/istio.py 
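Review bot: In `test_istio_process_file` the expected-file path is built with an f-string that has no placeholders (`f"istio-expected.json"`), and the result comprehension wraps the generator in a redundant `list(...)`; both read like leftovers. `expected_file = os.path.join(TEST_DIR, "istio-expected.json")` and `result = [data.to_dict() for data in IstioImporter().process_file(path)]` are equivalent and clearer.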
@@ -31,24 +31,28 @@ class IstioImporter(Importer): spdx_license_expression = "Apache-2.0" license_url = "https://github.com/istio/istio.io/blob/master/LICENSE" + repo_url = "git+https://github.com/istio/istio.io/" def advisory_data(self) -> Set[AdvisoryData]: - self.clone(repo_url="git+https://github.com/istio/istio.io/") + self.clone(self.repo_url) path = Path(self.vcs_response.dest_dir) vuln = path / "content/en/news/security/" - for f in vuln.glob("**/*.md"): + for file in vuln.glob("**/*.md"): # Istio website has files with name starting with underscore, these contain metadata # required for rendering the website. We're not interested in these. # See also https://github.com/nexB/vulnerablecode/issues/563 - f = str(f) - if f.endswith("_index.md"): + file = str(file) + if file.endswith("_index.md"): continue - yield from self.process_file(f) + yield from self.process_file(file) def process_file(self, path): data = self.get_data_from_md(path) - release_date = parser.parse(data["publishdate"]).replace(tzinfo=pytz.UTC) + published_date = data.get("publishdate") + release_date = None + if published_date: + release_date = parser.parse(published_date).replace(tzinfo=pytz.UTC) constraints = [] @@ -87,10 +91,7 @@ def process_file(self, path): for cve_id in data.get("cves") or []: if not cve_id.startswith("CVE"): - cve_id = "" - - if not data.get("release_ranges"): - data["release_ranges"] = [] + continue affected_packages = [] From a785ed60f086d6090bfd797db1c2acf294782d6f Mon Sep 17 00:00:00 2001 From: Tushar Goel Date: Tue, 10 Jan 2023 17:51:17 +0530 Subject: [PATCH 4/4] Apply suggestions from code review 
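Review bot: `process_file` is called from the loop in `advisory_data` with no error isolation, so a single bulletin whose front matter has an unexpected `releases` phrasing or date (a `SemverVersion` or `parser.parse` failure inside `process_file`) raises out of the generator and, as far as I can see, aborts the whole import. Wrapping the per-file call and logging the path keeps the remaining bulletins flowing; this needs a module-level `logger = logging.getLogger(__name__)`, which the file does not currently show. The comment above the skip says files whose name starts with an underscore hold site metadata, but the check only matches `_index.md`; `if file.name.startswith("_"): continue` placed before the `str()` conversion would match the comment — confirm against the repository layout first.
```python
        for file in vuln.glob("**/*.md"):
            # … unchanged: _index.md skip and str() conversion …
            try:
                yield from self.process_file(file)
            except Exception:
                # one malformed bulletin must not abort the whole import
                logger.exception("Failed to process istio advisory %s", file)
```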
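Review bot: With `continue` replacing the old empty-id fallback, a bulletin whose `cves` list is empty or absent (the loop runs over `data.get("cves") or []`) now produces no `AdvisoryData` at all, since the `yield` sits inside this loop as far as the surrounding hunks show; such bulletins still carry a title, a reference and affected ranges worth importing. One option is to collect the valid ids first, `cve_ids = [c for c in data.get("cves") or [] if c.startswith("CVE")]`, and fall back to the bulletin title as the alias when that list is empty. The enclosing `process_file` starts before and ends after this hunk.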
Signed-off-by: Tushar Goel --- CHANGELOG.rst | 1 + vulnerabilities/importers/__init__.py | 2 +- vulnerabilities/importers/istio.py | 47 ++++++++++--------- vulnerabilities/improvers/default.py | 14 +++++- .../tests/test_data/istio/istio-expected.json | 8 ++-- .../tests/test_data/istio/test_file.md | 2 +- vulnerabilities/tests/test_istio.py | 7 ++- 7 files changed, 49 insertions(+), 32 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 598540f01..1f9e4d7e8 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -7,6 +7,7 @@ Next release - We re-enabled support for the mozilla vulnerabilities advisories importer. - We re-enabled support for the gentoo vulnerabilities advisories importer. +- We re-enabled support for the istio vulnerabilities advisories importer. Version v31.1.1 diff --git a/vulnerabilities/importers/__init__.py b/vulnerabilities/importers/__init__.py index 29359b922..5f4957421 100644 --- a/vulnerabilities/importers/__init__.py +++ b/vulnerabilities/importers/__init__.py @@ -15,8 +15,8 @@ from vulnerabilities.importers import gentoo from vulnerabilities.importers import github from vulnerabilities.importers import gitlab -from vulnerabilities.importers import mozilla from vulnerabilities.importers import istio +from vulnerabilities.importers import mozilla from vulnerabilities.importers import nginx from vulnerabilities.importers import npm from vulnerabilities.importers import nvd diff --git a/vulnerabilities/importers/istio.py b/vulnerabilities/importers/istio.py index 3c216dcd5..c73f5eb31 100644 --- a/vulnerabilities/importers/istio.py +++ b/vulnerabilities/importers/istio.py 
@@ -59,28 +59,28 @@ def process_file(self, path): for release in data.get("releases") or []: # If it is of form "All releases prior to x" if "All releases prior" in release: - release = release.strip() - release = release.split(" ") + _, _, release = release.strip().rpartition(" ") constraints.append( - VersionConstraint(version=SemverVersion(release[4]), comparator="<") + VersionConstraint(version=SemverVersion(release), comparator="<") ) # Eg. 'All releases 1.5 and later' elif "All releases" in release and "and later" in release: - release = release.split()[2].strip() + # remove All releases from string + release = release.replace("All releases", "").strip() + # remove and later from string + release = release.replace("and later", "").strip() + if not is_release(release): + continue constraints.append( - VersionConstraint(version=SemverVersion(release), comparator=">") + VersionConstraint(version=SemverVersion(release), comparator=">=") ) + # Eg. 1.5 to 2.0 elif "to" in release: - release = release.strip() - release = release.split(" ") - constraints.append( - VersionConstraint(version=SemverVersion(release[0]), comparator=">=") - ) - constraints.append( - VersionConstraint(version=SemverVersion(release[2]), comparator="<=") - ) + lower, _, upper = release.strip().partition("to") + constraints.append(VersionConstraint(version=SemverVersion(lower), comparator=">=")) + constraints.append(VersionConstraint(version=SemverVersion(upper), comparator="<=")) # If it is a single release elif is_release(release): 
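Review bot: In the `to` branch `release.strip().partition("to")` leaves the surrounding spaces on `lower` and `upper` (`"1.1 "`, `" 1.1.15"`) and would split inside any token containing `to`, and unlike the `and later` branch above it passes the pieces to `SemverVersion` with no `is_release` guard, so one oddly phrased bulletin raises out of the importer. Partition on the delimiter with its spaces and validate both sides: `lower, _, upper = release.strip().partition(" to ")` followed by `if not (is_release(lower) and is_release(upper)): continue`. The same guard would suit the `All releases prior to` branch, whose `rpartition(" ")` result is also unchecked. Whether `SemverVersion` tolerates the stray whitespace today I cannot tell from here; the expected fixture suggests it does, but the guard removes the dependence on that.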
@@ -95,19 +95,20 @@ def process_file(self, path): affected_packages = [] - affected_packages.append( - AffectedPackage( - package=PackageURL(type="golang", name="istio"), - affected_version_range=GolangVersionRange(constraints=constraints), + if constraints: + affected_packages.append( + AffectedPackage( + package=PackageURL(type="golang", namespace="istio.io", name="istio"), + affected_version_range=GolangVersionRange(constraints=constraints), + ) ) - ) - affected_packages.append( - AffectedPackage( - package=PackageURL(type="github", name="istio"), - affected_version_range=GitHubVersionRange(constraints=constraints), + affected_packages.append( + AffectedPackage( + package=PackageURL(type="github", namespace="istio", name="istio"), + affected_version_range=GitHubVersionRange(constraints=constraints), + ) ) - ) title = data.get("title") or "" references = [] diff --git a/vulnerabilities/improvers/default.py b/vulnerabilities/improvers/default.py index 23dea75aa..5c00a28c5 100644 --- a/vulnerabilities/improvers/default.py +++ b/vulnerabilities/improvers/default.py @@ -46,15 +46,25 @@ def get_inferences(self, advisory_data: AdvisoryData) -> Iterable[Inference]: for affected_package in advisory_data.affected_packages: # To deal with multiple fixed versions in a single affected package affected_purls, fixed_purls = get_exact_purls(affected_package) - for fixed_purl in fixed_purls: + if not fixed_purls: yield Inference( aliases=advisory_data.aliases, confidence=MAX_CONFIDENCE, summary=advisory_data.summary, affected_purls=affected_purls, - fixed_purl=fixed_purl, + fixed_purl=None, references=advisory_data.references, ) + else: + for fixed_purl in fixed_purls or []: + yield Inference( + aliases=advisory_data.aliases, + confidence=MAX_CONFIDENCE, + summary=advisory_data.summary, + affected_purls=affected_purls, + fixed_purl=fixed_purl, + references=advisory_data.references, + ) else: yield Inference.from_advisory_data( 
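Review bot: The new `if not fixed_purls:` / `else:` split in `get_inferences` duplicates the `Inference(...)` construction, and the `or []` in `for fixed_purl in fixed_purls or []:` is dead inside the `else` branch where `fixed_purls` is already truthy. A single loop, `for fixed_purl in fixed_purls or [None]:`, yields exactly the same sequence (one inference with `fixed_purl=None` when there are no fixed purls, one per fixed purl otherwise) with one constructor call. `get_inferences` starts before and continues after this hunk.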
diff --git a/vulnerabilities/tests/test_data/istio/istio-expected.json b/vulnerabilities/tests/test_data/istio/istio-expected.json index fe97ff34d..4f8fc62a9 100644 --- a/vulnerabilities/tests/test_data/istio/istio-expected.json +++ b/vulnerabilities/tests/test_data/istio/istio-expected.json @@ -8,25 +8,25 @@ { "package": { "type": "golang", - "namespace": null, + "namespace": "istio.io", "name": "istio", "version": null, "qualifiers": null, "subpath": null }, - "affected_version_range": "vers:golang/>=1.1.0|<=1.1.15|>=1.2.0|<=1.2.6|>=1.3.0|<=1.3.1", + "affected_version_range": "vers:golang/<0.0.9|>=1.1.0|<=1.1.15|>=1.3.0|<=1.3.1|>=1.5.0", "fixed_version": null }, { "package": { "type": "github", - "namespace": null, + "namespace": "istio", "name": "istio", "version": null, "qualifiers": null, "subpath": null }, - "affected_version_range": "vers:github/>=1.1.0|<=1.1.15|>=1.2.0|<=1.2.6|>=1.3.0|<=1.3.1", + "affected_version_range": "vers:github/<0.0.9|>=1.1.0|<=1.1.15|>=1.3.0|<=1.3.1|>=1.5.0", "fixed_version": null } ], diff --git a/vulnerabilities/tests/test_data/istio/test_file.md b/vulnerabilities/tests/test_data/istio/test_file.md index 530cb0311..e04982b0b 100644 --- a/vulnerabilities/tests/test_data/istio/test_file.md +++ b/vulnerabilities/tests/test_data/istio/test_file.md @@ -5,7 +5,7 @@ description: Incorrect access control. cves: [CVE-2019-12243] cvss: "8.9" vector: "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N/E:H/RL:O/RC:C" -releases: ["1.1 to 1.1.15", "1.2 to 1.2.6", "1.3 to 1.3.1"] +releases: ["All releases prior to 0.0.9","1.1 to 1.1.15","1.3 to 1.3.1", "All releases 1.5.0 and later"] publishdate: 2019-05-28 --- diff --git a/vulnerabilities/tests/test_istio.py b/vulnerabilities/tests/test_istio.py index 750fa1eda..60e222b8c 100644 --- a/vulnerabilities/tests/test_istio.py +++ b/vulnerabilities/tests/test_istio.py 
@@ -26,7 +26,12 @@ def test_istio_get_data_from_md(): "cves": ["CVE-2019-12243"], "cvss": "8.9", "vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N/E:H/RL:O/RC:C", - "releases": ["1.1 to 1.1.15", "1.2 to 1.2.6", "1.3 to 1.3.1"], + "releases": [ + "All releases prior to 0.0.9", + "1.1 to 1.1.15", + "1.3 to 1.3.1", + "All releases 1.5.0 and later", + ], "publishdate": "2019-05-28", }