Update importer and test files #971

Signed-off-by: John M. Horan <[email protected]>
aboutcode-org · Jan 3, 2023 · 749cc36 · 749cc36
1 parent cea5879
commit 749cc36
Show file tree

Hide file tree

Showing 3 changed files with 165 additions and 56 deletions.
diff --git a/vulnerabilities/importers/apache_httpd.py b/vulnerabilities/importers/apache_httpd.py
@@ -8,8 +8,10 @@
 #
 
 import asyncio
+import datetime
 import urllib
 
+import dateparser
 import requests
 from bs4 import BeautifulSoup
 from packageurl import PackageURL
@@ -71,6 +73,7 @@ def to_advisory(self, data):
                     VulnerabilitySeverity(
                         system=APACHE_HTTPD,
                         value=value,
+                        scoring_elements="",
                     )
                 )
                 break
@@ -82,47 +85,31 @@ def to_advisory(self, data):
             severities=severities,
         )
 
-        # 2022-11-17 Thursday 19:02:16.  This redraft of mine looks wrong and unnecessary -- current approach looks like what we want, since sampling suggests there are no real references in the JSON data and that there's always one value in ["impact"]["other"]
-        # reference_list = []
-        # # reference_data = data["references"]
-        # # if data["references"]["reference_data"]:
-        # if "reference_data" in data.get("references", {}):
-        #     reference = Reference(
-        #         reference_id=data["references"]["reference_data"][0]["refsource"],
-        #         url=data["references"]["reference_data"][0]["refsource"],
-        #         severities=severities,
-        #     )
-        # else:
-        #     reference = Reference(
-        #         reference_id="",
-        #         url="",
-        #         severities=severities,
-        #     )
-
         versions_data = []
         for vendor in data["affects"]["vendor"]["vendor_data"]:
             for products in vendor["product"]["product_data"]:
                 for version_data in products["version"]["version_data"]:
                     versions_data.append(version_data)
 
-        print("\n\n==> versions_data = {}\n".format(versions_data))
+        # print("\n\n==> versions_data = {}\n".format(versions_data))
         for version in versions_data:
-            print("\n\tversion = {}\n".format(version))
+            # print("\n\tversion = {}\n".format(version))
             import json
 
-            # print(json.dumps(version, indent=2))
-            print("\n\tversion = \n{}\n".format(json.dumps(version, indent=2)))
+            # print("\n\tversion = \n{}\n".format(json.dumps(version, indent=2)))
 
-        # fixed_version_ranges, affected_version_ranges = self.to_version_ranges(versions_data)
+        fixed_version_ranges, affected_version_ranges = self.to_version_ranges(versions_data)
 
         fixed_version = []
+        date_published = ""
 
         for entry in data["timeline"]:
             value = entry["value"]
             # if "released" in entry["value"]:
             if "released" in value:
                 # fixed_version.append(entry["value"])
                 fixed_version.append(value.split(" ")[0])
+                date_published = get_published_date(entry["time"])
 
         affected_packages = []
         # fixed_packages = []
@@ -165,28 +152,29 @@ def to_advisory(self, data):
             # affected_packages=nearest_patched_package(affected_packages, fixed_packages),
             affected_packages=affected_packages,
             references=[reference],
+            date_published=date_published,
         )
 
-    # def to_version_ranges(self, versions_data):
-    #     fixed_version_ranges = []
-    #     affected_version_ranges = []
-    #     for version_data in versions_data:
-    #         version_value = version_data["version_value"]
-    #         range_expression = version_data["version_affected"]
-    #         if range_expression == "<":
-    #             fixed_version_ranges.append(
-    #                 VersionRange.from_scheme_version_spec_string(
-    #                     "semver", ">={}".format(version_value)
-    #                 )
-    #             )
-    #         elif range_expression == "=" or range_expression == "?=":
-    #             affected_version_ranges.append(
-    #                 VersionRange.from_scheme_version_spec_string(
-    #                     "semver", "{}".format(version_value)
-    #                 )
-    #             )
-
-    #     return (fixed_version_ranges, affected_version_ranges)
+    def to_version_ranges(self, versions_data):
+        fixed_version_ranges = []
+        affected_version_ranges = []
+        for version_data in versions_data:
+            version_value = version_data["version_value"]
+            range_expression = version_data["version_affected"]
+            if range_expression == "<":
+                fixed_version_ranges.append(
+                    VersionRange.from_scheme_version_spec_string(
+                        "semver", ">={}".format(version_value)
+                    )
+                )
+            elif range_expression == "=" or range_expression == "?=":
+                affected_version_ranges.append(
+                    VersionRange.from_scheme_version_spec_string(
+                        "semver", "{}".format(version_value)
+                    )
+                )
+
+        return (fixed_version_ranges, affected_version_ranges)
 
 
 def fetch_links(url):
@@ -201,6 +189,20 @@ def fetch_links(url):
     return links
 
 
+# From osv.py
+# def get_published_date(raw_data):
+#     published = raw_data.get("published")
+#     return published and dateparser.parse(date_string=published)
+
+
+def get_published_date(published):
+    # return published and dateparser.parse(date_string=published)
+    # above gives result like this: "date_published": "2021-12-20T00:00:00"
+    # so does this:
+    published = datetime.datetime.strptime(published, "%Y-%m-%d")
+    return published
+
+
 ignore_tags = {
     "AGB_BEFORE_AAA_CHANGES",
     "APACHE_1_2b1",

diff --git a/vulnerabilities/tests/test_apache_httpd.py b/vulnerabilities/tests/test_apache_httpd.py
@@ -145,32 +145,33 @@ class TestApacheHTTPDImporter(TestCase):
     base_url = "https://httpd.apache.org/security/json/"
 
     def test_to_advisory_in_class(self):
-        # print("\nHello!\n")
-        with open(os.path.join(TEST_DATA, "CVE-1999-1199.json")) as f:
+        # with open(os.path.join(TEST_DATA, "CVE-1999-1199.json")) as f:
+        with open(os.path.join(TEST_DATA, "CVE-2021-44224.json")) as f:
             raw_data = json.load(f)
 
         # print("\n\nraw_data = \n{}\n".format(raw_data))
-        # print("\npretty raw_data = {}".format(json.dumps(raw_data, indent=2)))
+        print(
+            "\n\nJSON input file CVE-1999-1199.json = \n\n{}".format(json.dumps(raw_data, indent=2))
+        )
 
         advisory = ApacheHTTPDImporter.to_advisory(self, raw_data)
 
-        print("\n\nadvisory = \n{}\n".format(advisory))
+        print("\n\nJSON input file to_advisory() = \n\n{}\n".format(advisory))
 
-        print("advisory.aliases = {}\n".format(advisory.aliases))
+        # print("advisory.aliases = {}\n".format(advisory.aliases))
 
-        print("advisory.summary = {}\n".format(advisory.summary))
+        # print("advisory.summary = {}\n".format(advisory.summary))
 
-        print("advisory.affected_packages = {}\n".format(advisory.affected_packages))
+        # print("advisory.affected_packages = {}\n".format(advisory.affected_packages))
 
-        print("advisory.references = {}\n".format(advisory.references))
-        for ref in advisory.references:
-            print("\treference = {}\n".format(ref))
+        # print("advisory.references = {}\n".format(advisory.references))
+        # for ref in advisory.references:
+        #     print("\treference = {}\n".format(ref))
 
-        print("advisory.date_published = {}\n".format(advisory.date_published))
+        # print("advisory.date_published = {}\n".format(advisory.date_published))
 
-        # result = [data.to_dict() for data in advisories]
         result = advisory.to_dict()
 
-        print("result = {}\n".format(result))
+        # print("result = {}\n".format(result))
 
-        print("\npretty result = \n{}".format(json.dumps(result, indent=2)))
+        print("\nadvisory.to_dict() = \n\n{}\n".format(json.dumps(result, indent=2)))
diff --git a/vulnerabilities/tests/test_data/apache_httpd/CVE-2021-44224.json b/vulnerabilities/tests/test_data/apache_httpd/CVE-2021-44224.json
@@ -0,0 +1,106 @@
+{
+    "CVE_data_meta": {
+        "ASSIGNER": "[email protected]",
+        "ID": "CVE-2021-44224",
+        "STATE": "REVIEW",
+        "TITLE": "Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier"
+    },
+    "affects": {
+        "vendor": {
+            "vendor_data": [
+                {
+                    "product": {
+                        "product_data": [
+                            {
+                                "product_name": "Apache HTTP Server",
+                                "version": {
+                                    "version_data": [
+                                        {
+                                            "version_affected": ">=",
+                                            "version_name": "Apache HTTP Server 2.4",
+                                            "version_value": "2.4.7"
+                                        },
+                                        {
+                                            "version_affected": "<=",
+                                            "version_name": "Apache HTTP Server 2.4",
+                                            "version_value": "2.4.51"
+                                        }
+                                    ]
+                                }
+                            }
+                        ]
+                    },
+                    "vendor_name": "Apache Software Foundation"
+                }
+            ]
+        }
+    },
+    "credit": [
+        {
+            "lang": "eng",
+            "value": "漂亮鼠"
+        },
+        {
+            "lang": "eng",
+            "value": "TengMA(@Te3t123)"
+        }
+    ],
+    "data_format": "MITRE",
+    "data_type": "CVE",
+    "data_version": "4.0",
+    "description": {
+        "description_data": [
+            {
+                "lang": "eng",
+                "value": "A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery).\n\nThis issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included)."
+            }
+        ]
+    },
+    "generator": {
+        "engine": "Vulnogram 0.0.9"
+    },
+    "impact": [
+        {
+            "other": "moderate"
+        }
+    ],
+    "problemtype": {
+        "problemtype_data": [
+            {
+                "description": [
+                    {
+                        "lang": "eng",
+                        "value": "CWE-476 NULL Pointer Dereference"
+                    }
+                ]
+            }
+        ]
+    },
+    "references": {
+        "reference_data": [
+            {
+                "refsource": "CONFIRM"
+            }
+        ]
+    },
+    "source": {
+        "discovery": "UNKNOWN"
+    },
+    "timeline": [
+        {
+            "lang": "eng",
+            "time": "2021-11-18",
+            "value": "Reported to security team"
+        },
+        {
+            "lang": "eng",
+            "time": "2021-12-14",
+            "value": "fixed by r1895955, r1896044 in 2.4.x"
+        },
+        {
+            "lang": "eng",
+            "time": "2021-12-20",
+            "value": "2.4.52 released"
+        }
+    ]
+}