Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for reference_type #1518

Merged
merged 5 commits into from
Aug 6, 2024
Merged

Add support for reference_type #1518

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
7fc433f
Revert "Revert "Add support for reference_type (#1502)" (#1517)"
TG1999 Jul 22, 2024
5aa2924
Fix cargo test
ziadhany Jul 22, 2024
88f1fd9
Fix test by adding reference_type to ordering list
ziadhany Aug 1, 2024
adb883a
Merge remote-tracking branch 'origin/main' into revert-1517-revert-15…
keshav-space Aug 2, 2024
b5129d8
Regen apache_kafka test fixture
keshav-space Aug 2, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion vulnerabilities/api.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@ class VulnerabilityReferenceSerializer(serializers.ModelSerializer):

class Meta:
model = VulnerabilityReference
fields = ["reference_url", "reference_id", "scores", "url"]
fields = ["reference_url", "reference_id", "reference_type", "scores", "url"]


class BaseResourceSerializer(serializers.HyperlinkedModelSerializer):
Expand Down
10 changes: 9 additions & 1 deletion vulnerabilities/importer.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -76,6 +76,7 @@ def from_dict(cls, severity: dict):
@dataclasses.dataclass(order=True)
class Reference:
reference_id: str = ""
reference_type: str = ""
url: str = ""
severities: List[VulnerabilitySeverity] = dataclasses.field(default_factory=list)

Expand All @@ -85,11 +86,17 @@ def __post_init__(self):

def normalized(self):
severities = sorted(self.severities)
return Reference(reference_id=self.reference_id, url=self.url, severities=severities)
return Reference(
reference_id=self.reference_id,
url=self.url,
severities=severities,
reference_type=self.reference_type,
)

def to_dict(self):
return {
"reference_id": self.reference_id,
"reference_type": self.reference_type,
"url": self.url,
"severities": [severity.to_dict() for severity in self.severities],
}
Expand All @@ -98,6 +105,7 @@ def to_dict(self):
def from_dict(cls, ref: dict):
return cls(
reference_id=ref["reference_id"],
reference_type=ref["reference_type"],
url=ref["url"],
severities=[
VulnerabilitySeverity.from_dict(severity) for severity in ref["severities"]
Expand Down
4 changes: 2 additions & 2 deletions vulnerabilities/importers/fireeye.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -89,9 +89,9 @@ def get_references(references):
"""
Return a list of Reference from a list of URL reference in md format
>>> get_references(["- http://1-4a.com/cgi-bin/alienform/af.cgi"])
[Reference(reference_id='', url='http://1-4a.com/cgi-bin/alienform/af.cgi', severities=[])]
[Reference(reference_id='', reference_type='', url='http://1-4a.com/cgi-bin/alienform/af.cgi', severities=[])]
>>> get_references(["- [Mitre CVE-2021-42712](https://www.cve.org/CVERecord?id=CVE-2021-42712)"])
[Reference(reference_id='', url='https://www.cve.org/CVERecord?id=CVE-2021-42712', severities=[])]
[Reference(reference_id='', reference_type='', url='https://www.cve.org/CVERecord?id=CVE-2021-42712', severities=[])]
"""
urls = []
for ref in references:
Expand Down
5 changes: 4 additions & 1 deletion vulnerabilities/improve_runner.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -98,12 +98,14 @@ def process_inferences(

reference = VulnerabilityReference.objects.get_or_none(
reference_id=ref.reference_id,
reference_type=ref.reference_type,
url=ref.url,
)

if not reference:
reference = create_valid_vulnerability_reference(
reference_id=ref.reference_id,
reference_type=ref.reference_type,
url=ref.url,
)
if not reference:
Expand Down Expand Up @@ -167,14 +169,15 @@ def process_inferences(
return inferences_processed_count


def create_valid_vulnerability_reference(url, reference_id=None):
def create_valid_vulnerability_reference(url, reference_type="", reference_id=None):
"""
Create and return a new validated VulnerabilityReference from a
``url`` and ``reference_id``.
Return None and log a warning if this is not a valid reference.
"""
reference = VulnerabilityReference(
reference_id=reference_id,
reference_type=reference_type,
url=url,
)

Expand Down
32 changes: 32 additions & 0 deletions vulnerabilities/migrations/0058_alter_vulnerabilityreference_options_and_more.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
# Generated by Django 4.1.13 on 2024-08-01 22:03

from django.db import migrations, models


class Migration(migrations.Migration):

dependencies = [
("vulnerabilities", "0057_kev"),
]

operations = [
migrations.AlterModelOptions(
name="vulnerabilityreference",
options={"ordering": ["reference_id", "url", "reference_type"]},
),
migrations.AddField(
model_name="vulnerabilityreference",
name="reference_type",
field=models.CharField(
blank=True,
choices=[
("advisory", "Advisory"),
("exploit", "Exploit"),
("mailing_list", "Mailing List"),
("bug", "Bug"),
("other", "Other"),
],
max_length=20,
),
),
]
18 changes: 17 additions & 1 deletion vulnerabilities/models.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -359,6 +359,22 @@ class VulnerabilityReference(models.Model):
unique=True,
)

ADVISORY = "advisory"
EXPLOIT = "exploit"
MAILING_LIST = "mailing_list"
BUG = "bug"
OTHER = "other"

REFERENCE_TYPES = [
(ADVISORY, "Advisory"),
(EXPLOIT, "Exploit"),
(MAILING_LIST, "Mailing List"),
(BUG, "Bug"),
(OTHER, "Other"),
]

reference_type = models.CharField(max_length=20, choices=REFERENCE_TYPES, blank=True)

reference_id = models.CharField(
max_length=200,
help_text="An optional reference ID, such as DSA-4465-1 when available",
Expand All @@ -368,7 +384,7 @@ class VulnerabilityReference(models.Model):
objects = VulnerabilityReferenceQuerySet.as_manager()

class Meta:
ordering = ["reference_id", "url"]
ordering = ["reference_id", "url", "reference_type"]

def __str__(self):
reference_id = f" {self.reference_id}" if self.reference_id else ""
Expand Down
8 changes: 8 additions & 0 deletions vulnerabilities/templates/vulnerability_details.html
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -244,6 +244,7 @@
<thead>
<tr>
<th style="width: 250px;"> Reference id </th>
<th style="width: 250px;"> Reference type </th>
<th> URL </th>
</tr>
</thead>
Expand All @@ -254,6 +255,13 @@
{% else %}
<td></td>
{% endif %}

{% if ref.reference_type %}
<td class="wrap-strings">{{ ref.get_reference_type_display }}</td>
{% else %}
<td></td>
{% endif %}

<td class="wrap-strings"><a href="{{ ref.url }}" target="_blank">{{ ref.url }}<i
class="fa fa-external-link fa_link_custom"></i></a></td>
</tr>
Expand Down
14 changes: 14 additions & 0 deletions vulnerabilities/tests/test_api.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@

from vulnerabilities.api import MinimalPackageSerializer
from vulnerabilities.api import PackageSerializer
from vulnerabilities.api import VulnerabilityReferenceSerializer
from vulnerabilities.models import Alias
from vulnerabilities.models import ApiUser
from vulnerabilities.models import Package
Expand Down Expand Up @@ -161,6 +162,9 @@ def setUp(self):
namespace="ubuntu",
qualifiers={"distro": "jessie"},
)
self.ref = VulnerabilityReference.objects.create(
reference_type="advisory", reference_id="CVE-xxx-xxx", url="https://example.com"
)
self.user = ApiUser.objects.create_api_user(username="[email protected]")
self.auth = f"Token {self.user.auth_token.key}"
self.client = APIClient(enforce_csrf_checks=True)
Expand All @@ -181,6 +185,16 @@ def test_package_serializer(self):
purls = {r["purl"] for r in response}
self.assertIn("pkg:deb/ubuntu/[email protected]?distro=jessie", purls)

def test_vulnerability_reference_serializer(self):
response = VulnerabilityReferenceSerializer(instance=self.ref).data
assert response == {
"reference_url": "https://example.com",
"reference_id": "CVE-xxx-xxx",
"reference_type": "advisory",
"scores": [],
"url": "https://example.com",
}


class APITestCaseVulnerability(TransactionTestCase):
def setUp(self):
Expand Down
1 change: 1 addition & 0 deletions vulnerabilities/tests/test_data/apache_httpd/CVE-1999-1199-apache-httpd-expected.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@
"references": [
{
"reference_id": "CVE-1999-1199",
"reference_type": "",
"url": "https://httpd.apache.org/security/json/CVE-1999-1199.json",
"severities": [
{
Expand Down
1 change: 1 addition & 0 deletions vulnerabilities/tests/test_data/apache_httpd/CVE-2017-9798-apache-httpd-expected.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@
"references": [
{
"reference_id": "CVE-2017-9798",
"reference_type": "",
"url": "https://httpd.apache.org/security/json/CVE-2017-9798.json",
"severities": [
{
Expand Down
1 change: 1 addition & 0 deletions vulnerabilities/tests/test_data/apache_httpd/CVE-2021-44224-apache-httpd-expected.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@
"references": [
{
"reference_id": "CVE-2021-44224",
"reference_type": "",
"url": "https://httpd.apache.org/security/json/CVE-2021-44224.json",
"severities": [
{
Expand Down
1 change: 1 addition & 0 deletions vulnerabilities/tests/test_data/apache_httpd/CVE-2022-28614-apache-httpd-expected.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@
"references": [
{
"reference_id": "CVE-2022-28614",
"reference_type": "",
"url": "https://httpd.apache.org/security/json/CVE-2022-28614.json",
"severities": [
{
Expand Down
2 changes: 2 additions & 0 deletions vulnerabilities/tests/test_data/apache_httpd/apache-httpd-improver-expected.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,7 @@
"references": [
{
"reference_id": "CVE-2021-44224",
"reference_type": "",
"url": "https://httpd.apache.org/security/json/CVE-2021-44224.json",
"severities": [
{
Expand Down Expand Up @@ -91,6 +92,7 @@
"references": [
{
"reference_id": "CVE-2021-44224",
"reference_type": "",
"url": "https://httpd.apache.org/security/json/CVE-2021-44224.json",
"severities": [
{
Expand Down
Loading
Loading