Add Apache HTTPD advisory importer #261
Conversation
sbs2001
changed the title
|
Fixes #99 |
Signed-off-by: Shivam Sandbhor <[email protected]>
sbs2001
force-pushed
the
apache_httpd
branch
from
bc94350
to
4b89ef1
Compare
|
|
||
| if info.tag == "fixed": | ||
| resolved_packages.append( | ||
| PackageURL(name="httpd", version=info.attrib["version"], type="generic") |
There was a problem hiding this comment.
that's a nit but I prefer putting args in their original order, e.g. type first.
There was a problem hiding this comment.
Also we may want to have something more distinctive:
- what about a namespace or
apacheorapache.org? - or/and a qualifier for
download_url? - or if there are more than just httpd, we could create an
apachetype for all Apache Foundation projects? after all they (all Apache projects) share many characteristics that would make them Package URL-type worthy
See https://svn.apache.org/repos/asf/comdev/projects.apache.org/trunk/data/projects.xml for instance
There was a problem hiding this comment.
Adding the namespaces, and qualifiers seems fine.
About creating apache type, that I don't think is a good idea because that would end up creating ambiguity in case an apache package is packaged, eg apache-httpd.rpm. What would then be package type of apache-httpd.rpm ?
There was a problem hiding this comment.
What would then be package type of apache-httpd.rpm ?
That's always an rpm type then.
The rationale is the format of packaging and metadata determines the type
There was a problem hiding this comment.
Using type=apache name=httpd, version=x
| # Visit https://github.com/nexB/vulnerablecode/ for support and download. | ||
|
|
||
| from dataclasses import dataclass | ||
| import xml.etree.ElementTree as ET |
There was a problem hiding this comment.
What's the benefit of a shorter ET import?
IMHO for readability and clarity I would use from import xml.etree import ElementTree instead
There was a problem hiding this comment.
What's the benefit of a shorter ET import?
Nothing.
IMHO for readability and clarity I would use from import xml.etree import ElementTree instead
That works.
FWIW using the alias ET is a common practice. The docs used it https://docs.python.org/3/library/xml.etree.elementtree.html .
| return [] | ||
|
|
||
| def create_etag(self, url): | ||
| etag = requests.head(url).headers.get("ETag") |
There was a problem hiding this comment.
Just FYI, at some point of time, we should review together the etag story and why this is used in parallel of https://github.com/nexB/vulnerablecode/pull/261/files#diff-941e9f048d96b3af4998962020f96430R105 and not with it?
I would like to make sure that I grok the caching approach alright.
There was a problem hiding this comment.
Sure thing.
The gist of it is: create_tag uses a HEADER request to just fetch the etag. If this etag matches with old etag we stop the process because the data hasn't changed. Otherwise use https://github.com/nexB/vulnerablecode/pull/261/files#diff-941e9f048d96b3af4998962020f96430R105 which is just normal download.
|
|
||
| if info.tag == "affects" or info.tag == "maybeaffects": | ||
| impacted_packages.append( | ||
| PackageURL(name="httpd", version=info.attrib["version"], type="generic") |
There was a problem hiding this comment.
Same nit as above wrt. args order and Apache.
Signed-off-by: Shivam Sandbhor <[email protected]>
Signed-off-by: Shivam Sandbhor [email protected]