Skip to content

Commit

Permalink
Merge remote-tracking branch 'keshav-space/oss_index_datasource' into…
Browse files Browse the repository at this point in the history 
… vulntotal-clean
  • Loading branch information
@pombredanne
pombredanne committed Nov 19, 2022
2 parents 97c2f79 + e639b5e commit b18b2ed
Show file tree
Hide file tree
Showing 4 changed files with 361 additions and 0 deletions.
110 changes: 110 additions & 0 deletions vulntotal/datasources/oss_index.py
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,110 @@
#
# Copyright (c) nexB Inc. and others. All rights reserved.
# http://nexb.com and https://github.com/nexB/vulnerablecode/
# The VulnTotal software is licensed under the Apache License version 2.0.
# Data generated with VulnTotal require an acknowledgment.
#
# You may not use this software except in compliance with the License.
# You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
# When you publish or redistribute any data created with VulnTotal or any VulnTotal
# derivative work, you must accompany this data with the following acknowledgment:
#
# Generated with VulnTotal and provided on an "AS IS" BASIS, WITHOUT WARRANTIES
# OR CONDITIONS OF ANY KIND, either express or implied. No content created from
# VulnTotal should be considered or used as legal advice. Consult an Attorney
# for any legal advice.
# VulnTotal is a free software tool from nexB Inc. and others.
# Visit https://github.com/nexB/vulnerablecode/ for support and download.

import json
import logging
import os
from typing import Iterable

import requests

from vulntotal.validator import DataSource
from vulntotal.validator import VendorData

logger = logging.getLogger(__name__)


class OSSDataSource(DataSource):
spdx_license_expression = "TODO"
license_url = "TODO"
api_unauthenticated = "https://ossindex.sonatype.org/api/v3/component-report"
api_authenticated = "https://ossindex.sonatype.org/api/v3/authorized/component-report"

def fetch_json_response(self, coordinates):
username = os.environ.get("OSS_USERNAME", None)
token = os.environ.get("OSS_TOKEN", None)
auth = None
url = self.api_unauthenticated
if username and token:
auth = (username, token)
url = self.api_authenticated
response = requests.post(url, auth=auth, json={"coordinates": coordinates})

if response.status_code == 200:
return response.json()
elif response.status_code == 401:
logger.error("Invalid credentials")
elif response.status_code == 429:
msg = (
"Too many requests"
if auth
else "Too many requests: add OSS_USERNAME and OSS_TOKEN in .env file"
)
logger.error(msg)
else:
logger.error(f"unknown status code: {response.status_code} while fetching: {url}")

def datasource_advisory(self, purl) -> Iterable[VendorData]:
if purl.type not in self.supported_ecosystem():
logger.error("Unsupported PURL")
return

response = self.fetch_json_response([str(purl)])
if response:
self._raw_dump.append(response)
return parse_advisory(response)

@classmethod
def supported_ecosystem(cls):
return {
"cargo": "cargo",
"cocoapods": "cocoapods",
"composer": "composer",
"conan": "conan",
"conda": "conda",
"cran": "cran",
"golang": "golang",
"maven": "maven",
"npm": "npm",
"nuget": "nuget",
"pypi": "pypi",
"rpm": "rpm",
"gem": "gem",
"swift": "swift",
}


def parse_advisory(component) -> Iterable[VendorData]:
response = component[0]
if response["vulnerabilities"]:
for vuln in response["vulnerabilities"]:
aliases = [vuln["id"]]
affected_versions = []
fixed_versions = []
if "versionRanges" in vuln:
affected_versions.extend(vuln["versionRanges"])
yield VendorData(
aliases=aliases,
affected_versions=affected_versions,
fixed_versions=fixed_versions,
)
143 changes: 143 additions & 0 deletions vulntotal/tests/test_data/oss_index/advisory.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,143 @@
[
{
"coordinates":"pkg:golang/github.com/cloudflare/[email protected]",
"reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/cloudflare/[email protected]?utm_source=python-requests&utm_medium=integration&utm_content=2.27.1",
"vulnerabilities":[
{
"id":"CVE-2021-3907",
"displayName":"CVE-2021-3907",
"title":"[CVE-2021-3907] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
"description":"OctoRPKI does not escape a URI with a filename containing \"..\", this allows a repository to create a file, (ex. rsync://example.org/repo/../../etc/cron.daily/evil.roa), which would then be written to disk outside the base cache folder. This could allow for remote code execution on the host machine OctoRPKI is running on.",
"cvssScore":9.8,
"cvssVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cwe":"CWE-22",
"cve":"CVE-2021-3907",
"reference":"https://ossindex.sonatype.org/vulnerability/CVE-2021-3907?component-type=golang&component-name=github.com%2Fcloudflare%2Fcfrpki&utm_source=python-requests&utm_medium=integration&utm_content=2.27.1",
"externalReferences":[
"http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3907",
"https://github.com/cloudflare/cfrpki/security/advisories/GHSA-cqh2-vc2f-q4fh"
]
},
{
"id":"CVE-2021-3761",
"displayName":"CVE-2021-3761",
"title":"[CVE-2021-3761] CWE-787: Out-of-bounds Write",
"description":"Any CA issuer in the RPKI can trick OctoRPKI prior to 1.3.0 into emitting an invalid VRP \"MaxLength\" value, causing RTR sessions to terminate. An attacker can use this to disable RPKI Origin Validation in a victim network (for example AS 13335 - Cloudflare) prior to launching a BGP hijack which during normal operations would be rejected as \"RPKI invalid\". Additionally, in certain deployments RTR session flapping in and of itself also could cause BGP routing churn, causing availability issues.",
"cvssScore":7.5,
"cvssVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"cwe":"CWE-787",
"cve":"CVE-2021-3761",
"reference":"https://ossindex.sonatype.org/vulnerability/CVE-2021-3761?component-type=golang&component-name=github.com%2Fcloudflare%2Fcfrpki&utm_source=python-requests&utm_medium=integration&utm_content=2.27.1",
"externalReferences":[
"http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3761",
"https://github.com/cloudflare/cfrpki/pull/90",
"https://github.com/cloudflare/cfrpki/security/advisories/GHSA-c8xp-8mf3-62h9",
"https://github.com/CVEProject/cvelist/commit/8f3edcdf139aa823e1f17aa15b337ab92436ebf7"
]
},
{
"id":"CVE-2021-3908",
"displayName":"CVE-2021-3908",
"title":"[CVE-2021-3908] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')",
"description":"OctoRPKI does not limit the depth of a certificate chain, allowing for a CA to create children in an ad-hoc fashion, thereby making tree traversal never end.",
"cvssScore":7.5,
"cvssVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"cwe":"CWE-400",
"cve":"CVE-2021-3908",
"reference":"https://ossindex.sonatype.org/vulnerability/CVE-2021-3908?component-type=golang&component-name=github.com%2Fcloudflare%2Fcfrpki&utm_source=python-requests&utm_medium=integration&utm_content=2.27.1",
"externalReferences":[
"http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3908",
"https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g5gj-9ggf-9vmq"
]
},
{
"id":"CVE-2021-3909",
"displayName":"CVE-2021-3909",
"title":"[CVE-2021-3909] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')",
"description":"OctoRPKI does not limit the length of a connection, allowing for a slowloris DOS attack to take place which makes OctoRPKI wait forever. Specifically, the repository that OctoRPKI sends HTTP requests to will keep the connection open for a day before a response is returned, but does keep drip feeding new bytes to keep the connection alive.",
"cvssScore":7.5,
"cvssVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"cwe":"CWE-400",
"cve":"CVE-2021-3909",
"reference":"https://ossindex.sonatype.org/vulnerability/CVE-2021-3909?component-type=golang&component-name=github.com%2Fcloudflare%2Fcfrpki&utm_source=python-requests&utm_medium=integration&utm_content=2.27.1",
"externalReferences":[
"http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3909",
"https://github.com/cloudflare/cfrpki/security/advisories/GHSA-8cvr-4rrf-f244"
]
},
{
"id":"CVE-2021-3910",
"displayName":"CVE-2021-3910",
"title":"[CVE-2021-3910] CWE-20: Improper Input Validation",
"description":"OctoRPKI crashes when encountering a repository that returns an invalid ROA (just an encoded NUL (\\0) character).",
"cvssScore":7.5,
"cvssVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"cwe":"CWE-20",
"cve":"CVE-2021-3910",
"reference":"https://ossindex.sonatype.org/vulnerability/CVE-2021-3910?component-type=golang&component-name=github.com%2Fcloudflare%2Fcfrpki&utm_source=python-requests&utm_medium=integration&utm_content=2.27.1",
"externalReferences":[
"http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3910",
"https://github.com/cloudflare/cfrpki/security/advisories/GHSA-5mxh-2qfv-4g7j"
]
},
{
"id":"CVE-2021-3978",
"displayName":"CVE-2021-3978",
"title":"[CVE-2021-3978] CWE-281: Improper Preservation of Permissions",
"description":"github.com/cloudflare/cfrpki - Improper Preservation of Permissions",
"cvssScore":7.4,
"cvssVector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"cwe":"CWE-281",
"cve":"CVE-2021-3978",
"reference":"https://ossindex.sonatype.org/vulnerability/CVE-2021-3978?component-type=golang&component-name=github.com%2Fcloudflare%2Fcfrpki&utm_source=python-requests&utm_medium=integration&utm_content=2.27.1",
"externalReferences":[
"http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3978",
"https://github.com/cloudflare/cfrpki/security/advisories/GHSA-3pqh-p72c-fj85"
]
},
{
"id":"CVE-2021-3911",
"displayName":"CVE-2021-3911",
"title":"[CVE-2021-3911] CWE-252: Unchecked Return Value",
"description":"If the ROA that a repository returns contains too many bits for the IP address then OctoRPKI will crash.",
"cvssScore":6.5,
"cvssVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"cwe":"CWE-252",
"cve":"CVE-2021-3911",
"reference":"https://ossindex.sonatype.org/vulnerability/CVE-2021-3911?component-type=golang&component-name=github.com%2Fcloudflare%2Fcfrpki&utm_source=python-requests&utm_medium=integration&utm_content=2.27.1",
"externalReferences":[
"http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3911",
"https://github.com/cloudflare/cfrpki/security/advisories/GHSA-w6ww-fmfx-2x22"
]
},
{
"id":"CVE-2021-3912",
"displayName":"CVE-2021-3912",
"title":"[CVE-2021-3912] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')",
"description":"OctoRPKI tries to load the entire contents of a repository in memory, and in the case of a GZIP bomb, unzip it in memory, making it possible to create a repository that makes OctoRPKI run out of memory (and thus crash).",
"cvssScore":6.5,
"cvssVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"cwe":"CWE-400",
"cve":"CVE-2021-3912",
"reference":"https://ossindex.sonatype.org/vulnerability/CVE-2021-3912?component-type=golang&component-name=github.com%2Fcloudflare%2Fcfrpki&utm_source=python-requests&utm_medium=integration&utm_content=2.27.1",
"externalReferences":[
"http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3912",
"https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g9wh-3vrx-r7hg"
]
},
{
"id":"sonatype-2022-0972",
"displayName":"sonatype-2022-0972",
"title":"1 vulnerability found",
"description":"1 non-CVE vulnerability found. To see more details, please create a free account at https://ossindex.sonatype.org/ and request for this information using your registered account",
"cvssScore":6.5,
"cvssVector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"cwe":"CWE-699",
"reference":"https://ossindex.sonatype.org/vulnerability/sonatype-2022-0972",
"externalReferences":[

]
}
]
}
]
65 changes: 65 additions & 0 deletions vulntotal/tests/test_data/oss_index/parse_advisory-expected.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,65 @@
[
{
"affected_versions": [],
"fixed_versions": [],
"aliases": [
"CVE-2021-3907"
]
},
{
"affected_versions": [],
"fixed_versions": [],
"aliases": [
"CVE-2021-3761"
]
},
{
"affected_versions": [],
"fixed_versions": [],
"aliases": [
"CVE-2021-3908"
]
},
{
"affected_versions": [],
"fixed_versions": [],
"aliases": [
"CVE-2021-3909"
]
},
{
"affected_versions": [],
"fixed_versions": [],
"aliases": [
"CVE-2021-3910"
]
},
{
"affected_versions": [],
"fixed_versions": [],
"aliases": [
"CVE-2021-3978"
]
},
{
"affected_versions": [],
"fixed_versions": [],
"aliases": [
"CVE-2021-3911"
]
},
{
"affected_versions": [],
"fixed_versions": [],
"aliases": [
"CVE-2021-3912"
]
},
{
"affected_versions": [],
"fixed_versions": [],
"aliases": [
"sonatype-2022-0972"
]
}
]
43 changes: 43 additions & 0 deletions vulntotal/tests/test_oss_index.py
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
#
# Copyright (c) nexB Inc. and others. All rights reserved.
# http://nexb.com and https://github.com/nexB/vulnerablecode/
# The VulnTotal software is licensed under the Apache License version 2.0.
# Data generated with VulnTotal require an acknowledgment.
#
# You may not use this software except in compliance with the License.
# You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
# When you publish or redistribute any data created with VulnTotal or any VulnTotal
# derivative work, you must accompany this data with the following acknowledgment:
#
# Generated with VulnTotal and provided on an "AS IS" BASIS, WITHOUT WARRANTIES
# OR CONDITIONS OF ANY KIND, either express or implied. No content created from
# VulnTotal should be considered or used as legal advice. Consult an Attorney
# for any legal advice.
# VulnTotal is a free software tool from nexB Inc. and others.
# Visit https://github.com/nexB/vulnerablecode/ for support and download.

import json
from pathlib import Path

from commoncode import testcase
from packageurl import PackageURL

from vulnerabilities.tests import util_tests
from vulntotal.datasources import oss_index


class TestDeps(testcase.FileBasedTesting):
test_data_dir = str(Path(__file__).resolve().parent / "test_data" / "oss_index")

def test_parse_advisory(self):
advisory_file = self.get_test_loc("advisory.json")
with open(advisory_file) as f:
advisory = json.load(f)
results = [adv.to_dict() for adv in oss_index.parse_advisory(advisory)]
expected_file = self.get_test_loc("parse_advisory-expected.json", must_exist=False)
util_tests.check_results_against_json(results, expected_file)

0 comments on commit b18b2ed

Please sign in to comment.