Add support for reference_type (#1518)
* Revert "Revert "Add support for reference_type (#1502)" (#1517)"

This reverts commit 6727786.

Signed-off-by: ziadhany <[email protected]>

* Fix cargo test

Signed-off-by: ziadhany <[email protected]>

* Fix test by adding reference_type to ordering list

Signed-off-by: ziadhany <[email protected]>

* Regen apache_kafka test fixture

Signed-off-by: Keshav Priyadarshi <[email protected]>

---------

Signed-off-by: ziadhany <[email protected]>
Signed-off-by: Keshav Priyadarshi <[email protected]>
Co-authored-by: ziadhany <[email protected]>
Co-authored-by: Keshav Priyadarshi <[email protected]>
3 people authored Aug 6, 2024
1 parent 574d06e commit 84a35db
Showing 98 changed files with 5,707 additions and 1,458 deletions.
2 changes: 1 addition & 1 deletion vulnerabilities/api.py
Expand Up @@ -47,7 +47,7 @@ class VulnerabilityReferenceSerializer(serializers.ModelSerializer):

class Meta:
model = VulnerabilityReference
fields = ["reference_url", "reference_id", "scores", "url"]
fields = ["reference_url", "reference_id", "reference_type", "scores", "url"]


class BaseResourceSerializer(serializers.HyperlinkedModelSerializer):
10 changes: 9 additions & 1 deletion vulnerabilities/importer.py
Expand Up @@ -76,6 +76,7 @@ def from_dict(cls, severity: dict):
@dataclasses.dataclass(order=True)
class Reference:
reference_id: str = ""
reference_type: str = ""
url: str = ""
severities: List[VulnerabilitySeverity] = dataclasses.field(default_factory=list)

Expand All @@ -85,11 +86,17 @@ def __post_init__(self):

def normalized(self):
severities = sorted(self.severities)
return Reference(reference_id=self.reference_id, url=self.url, severities=severities)
return Reference(
reference_id=self.reference_id,
url=self.url,
severities=severities,
reference_type=self.reference_type,
)

def to_dict(self):
return {
"reference_id": self.reference_id,
"reference_type": self.reference_type,
"url": self.url,
"severities": [severity.to_dict() for severity in self.severities],
}
Expand All @@ -98,6 +105,7 @@ def to_dict(self):
def from_dict(cls, ref: dict):
return cls(
reference_id=ref["reference_id"],
reference_type=ref["reference_type"],
url=ref["url"],
severities=[
VulnerabilitySeverity.from_dict(severity) for severity in ref["severities"]
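Review bot: `Reference.from_dict` reads `ref["reference_type"]` unconditionally, so any reference dict serialized before this field existed (cached or stored importer output) now fails with KeyError, even though the dataclass itself defaults the field to `""`; use `reference_type=ref.get("reference_type", "")` so older data keeps loading. Because `Reference` is declared `@dataclass(order=True)`, inserting the new field between `reference_id` and `url` also changes comparison order — references with equal ids now sort by type before URL — which affects every `sorted(...)` over references; if that ordering change is not intended, declare the field with `dataclasses.field(default="", compare=False)` or place it after `url`. The dataclass accepts any string here, and the permitted values appear to be enforced only when the model is validated later, so a one-line comment such as `# expected to be one of VulnerabilityReference.REFERENCE_TYPES or ""` would help importer authors pick a valid value.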
4 changes: 2 additions & 2 deletions vulnerabilities/importers/fireeye.py
Expand Up @@ -89,9 +89,9 @@ def get_references(references):
"""
Return a list of Reference from a list of URL reference in md format
>>> get_references(["- http://1-4a.com/cgi-bin/alienform/af.cgi"])
[Reference(reference_id='', url='http://1-4a.com/cgi-bin/alienform/af.cgi', severities=[])]
[Reference(reference_id='', reference_type='', url='http://1-4a.com/cgi-bin/alienform/af.cgi', severities=[])]
>>> get_references(["- [Mitre CVE-2021-42712](https://www.cve.org/CVERecord?id=CVE-2021-42712)"])
[Reference(reference_id='', url='https://www.cve.org/CVERecord?id=CVE-2021-42712', severities=[])]
[Reference(reference_id='', reference_type='', url='https://www.cve.org/CVERecord?id=CVE-2021-42712', severities=[])]
"""
urls = []
for ref in references:
5 changes: 4 additions & 1 deletion vulnerabilities/improve_runner.py
Expand Up @@ -98,12 +98,14 @@ def process_inferences(

reference = VulnerabilityReference.objects.get_or_none(
reference_id=ref.reference_id,
reference_type=ref.reference_type,
url=ref.url,
)

if not reference:
reference = create_valid_vulnerability_reference(
reference_id=ref.reference_id,
reference_type=ref.reference_type,
url=ref.url,
)
if not reference:
Expand Down Expand Up @@ -167,14 +169,15 @@ def process_inferences(
return inferences_processed_count


def create_valid_vulnerability_reference(url, reference_id=None):
def create_valid_vulnerability_reference(url, reference_type="", reference_id=None):
"""
Create and return a new validated VulnerabilityReference from a
``url`` and ``reference_id``.
Return None and log a warning if this is not a valid reference.
"""
reference = VulnerabilityReference(
reference_id=reference_id,
reference_type=reference_type,
url=url,
)

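Review bot: Adding `reference_type` to the `get_or_none` lookup means an existing reference with the same URL but a blank type — every row after the migration, since the new column is not backfilled — is no longer matched, and the following `create_valid_vulnerability_reference` call then tries to insert a second row for the same URL; if `url` is the field carrying the `unique=True` visible in models.py (it appears to be), that create fails validation and the reference is silently dropped with only a warning. Look up by the unique key and fill the type in instead: `reference = VulnerabilityReference.objects.get_or_none(url=ref.url)` followed by `if reference and ref.reference_type and not reference.reference_type: reference.reference_type = ref.reference_type; reference.save()`. Inserting `reference_type` as the second positional parameter of `create_valid_vulnerability_reference` also changes the meaning of any call that passes `reference_id` positionally; ordering it last (`def create_valid_vulnerability_reference(url, reference_id=None, reference_type=""):`) avoids that, and the docstring should be extended to mention the new parameter and that its value must be one of the model's choices. `process_inferences` begins and ends outside this hunk.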
@@ -0,0 +1,32 @@
# Generated by Django 4.1.13 on 2024-08-01 22:03

from django.db import migrations, models


class Migration(migrations.Migration):

dependencies = [
("vulnerabilities", "0057_kev"),
]

operations = [
migrations.AlterModelOptions(
name="vulnerabilityreference",
options={"ordering": ["reference_id", "url", "reference_type"]},
),
migrations.AddField(
model_name="vulnerabilityreference",
name="reference_type",
field=models.CharField(
blank=True,
choices=[
("advisory", "Advisory"),
("exploit", "Exploit"),
("mailing_list", "Mailing List"),
("bug", "Bug"),
("other", "Other"),
],
max_length=20,
),
),
]
18 changes: 17 additions & 1 deletion vulnerabilities/models.py
Expand Up @@ -359,6 +359,22 @@ class VulnerabilityReference(models.Model):
unique=True,
)

ADVISORY = "advisory"
EXPLOIT = "exploit"
MAILING_LIST = "mailing_list"
BUG = "bug"
OTHER = "other"

REFERENCE_TYPES = [
(ADVISORY, "Advisory"),
(EXPLOIT, "Exploit"),
(MAILING_LIST, "Mailing List"),
(BUG, "Bug"),
(OTHER, "Other"),
]

reference_type = models.CharField(max_length=20, choices=REFERENCE_TYPES, blank=True)

reference_id = models.CharField(
max_length=200,
help_text="An optional reference ID, such as DSA-4465-1 when available",
Expand All @@ -368,7 +384,7 @@ class VulnerabilityReference(models.Model):
objects = VulnerabilityReferenceQuerySet.as_manager()

class Meta:
ordering = ["reference_id", "url"]
ordering = ["reference_id", "url", "reference_type"]

def __str__(self):
reference_id = f" {self.reference_id}" if self.reference_id else ""
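Review bot: The new `reference_type` field has no `help_text`, unlike the neighbouring `reference_id` field (`help_text="An optional reference ID, such as DSA-4465-1 when available"`), so the API schema and admin give no hint of what the category means; add `help_text="Optional category of this reference: advisory, exploit, mailing_list, bug or other."`. A short comment above `REFERENCE_TYPES` should also state that `blank=True` makes the empty string the stored value for untyped references — which is what all pre-existing rows hold after the migration — so code comparing against these constants must treat `""` as "unknown" rather than as an error. Since the project is on Django 4.1 per the migration header, `models.TextChoices` would let the constants and their labels live in one definition, but that is a style preference.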
8 changes: 8 additions & 0 deletions vulnerabilities/templates/vulnerability_details.html
Expand Up @@ -244,6 +244,7 @@
<thead>
<tr>
<th style="width: 250px;"> Reference id </th>
<th style="width: 250px;"> Reference type </th>
<th> URL </th>
</tr>
</thead>
Expand All @@ -254,6 +255,13 @@
{% else %}
<td></td>
{% endif %}

{% if ref.reference_type %}
<td class="wrap-strings">{{ ref.get_reference_type_display }}</td>
{% else %}
<td></td>
{% endif %}

<td class="wrap-strings"><a href="{{ ref.url }}" target="_blank">{{ ref.url }}<i
class="fa fa-external-link fa_link_custom"></i></a></td>
</tr>
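Review bot: The `{% if ref.reference_type %}` / `{% else %}` wrapper around the new cell is redundant: Django's `get_FOO_display` returns the stored value itself when it is not among the choices, so for the blank default it yields an empty string and the single line `<td class="wrap-strings">{{ ref.get_reference_type_display }}</td>` renders the same markup. Dropping the branch keeps this row consistent with the URL cell below it, which is emitted unconditionally. The display label is auto-escaped by the template engine, so no additional escaping is needed here.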
14 changes: 14 additions & 0 deletions vulnerabilities/tests/test_api.py
Expand Up @@ -21,6 +21,7 @@

from vulnerabilities.api import MinimalPackageSerializer
from vulnerabilities.api import PackageSerializer
from vulnerabilities.api import VulnerabilityReferenceSerializer
from vulnerabilities.models import Alias
from vulnerabilities.models import ApiUser
from vulnerabilities.models import Package
Expand Down Expand Up @@ -161,6 +162,9 @@ def setUp(self):
namespace="ubuntu",
qualifiers={"distro": "jessie"},
)
self.ref = VulnerabilityReference.objects.create(
reference_type="advisory", reference_id="CVE-xxx-xxx", url="https://example.com"
)
self.user = ApiUser.objects.create_api_user(username="[email protected]")
self.auth = f"Token {self.user.auth_token.key}"
self.client = APIClient(enforce_csrf_checks=True)
Expand All @@ -181,6 +185,16 @@ def test_package_serializer(self):
purls = {r["purl"] for r in response}
self.assertIn("pkg:deb/ubuntu/[email protected]?distro=jessie", purls)

def test_vulnerability_reference_serializer(self):
response = VulnerabilityReferenceSerializer(instance=self.ref).data
assert response == {
"reference_url": "https://example.com",
"reference_id": "CVE-xxx-xxx",
"reference_type": "advisory",
"scores": [],
"url": "https://example.com",
}


class APITestCaseVulnerability(TransactionTestCase):
def setUp(self):
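Review bot: `test_vulnerability_reference_serializer` only covers a valid `reference_type`; nothing in the commit pins the behaviour for the blank default that every pre-existing row carries, nor for a value outside `REFERENCE_TYPES`, so a regression in either would pass CI. Add a case that serializes a reference created with `reference_type=""` and asserts `"reference_type": ""` in the output, and — if `create_valid_vulnerability_reference` is meant to reject unknown categories — one asserting it returns `None` for `reference_type="blog"`. The test also calls the serializer directly rather than the HTTP API view, so the field's presence in an actual API response is not exercised.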
Expand Up @@ -20,6 +20,7 @@
"references": [
{
"reference_id": "CVE-1999-1199",
"reference_type": "",
"url": "https://httpd.apache.org/security/json/CVE-1999-1199.json",
"severities": [
{
Expand Up @@ -20,6 +20,7 @@
"references": [
{
"reference_id": "CVE-2017-9798",
"reference_type": "",
"url": "https://httpd.apache.org/security/json/CVE-2017-9798.json",
"severities": [
{
Expand Up @@ -20,6 +20,7 @@
"references": [
{
"reference_id": "CVE-2021-44224",
"reference_type": "",
"url": "https://httpd.apache.org/security/json/CVE-2021-44224.json",
"severities": [
{
Expand Up @@ -20,6 +20,7 @@
"references": [
{
"reference_id": "CVE-2022-28614",
"reference_type": "",
"url": "https://httpd.apache.org/security/json/CVE-2022-28614.json",
"severities": [
{
Expand Up @@ -43,6 +43,7 @@
"references": [
{
"reference_id": "CVE-2021-44224",
"reference_type": "",
"url": "https://httpd.apache.org/security/json/CVE-2021-44224.json",
"severities": [
{
Expand Down Expand Up @@ -91,6 +92,7 @@
"references": [
{
"reference_id": "CVE-2021-44224",
"reference_type": "",
"url": "https://httpd.apache.org/security/json/CVE-2021-44224.json",
"severities": [
{
