diff --git a/vulnerabilities/importers/nginx.py b/vulnerabilities/importers/nginx.py
index 0cc1cb7ed..0907b8854 100644
--- a/vulnerabilities/importers/nginx.py
+++ b/vulnerabilities/importers/nginx.py
@@ -51,7 +51,7 @@ def set_api(self):
 self.version_api = GitHubTagsAPI()
 asyncio.run(self.version_api.load_api(["nginx/nginx"]))
- # For some reason nginx tags it's releases in the form of `release-1.2.3`
+ # For some reason nginx tags it's releases are in the form of `release-1.2.3`
 # Chop off the `release-` part here.
 for index, version in enumerate(self.version_api.cache["nginx/nginx"]):
 self.version_api.cache["nginx/nginx"][index] = version.replace("release-", "")
diff --git a/vulnerabilities/tests/test_data/nginx/security_advisories.html b/vulnerabilities/tests/test_data/nginx/security_advisories.html
new file mode 100644
index 000000000..58f76f064
--- /dev/null
+++ b/vulnerabilities/tests/test_data/nginx/security_advisories.html
@@ -0,0 +1,28 @@
+ + +
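Review bot: The reworded comment on the `+` line is still ungrammatical ("nginx tags it's releases are in the form of") and keeps the `it's`/`its` slip; I would write `# nginx tags its releases as `release-1.2.3`; chop off the `release-` prefix so the cache holds bare versions.` While here, `version.replace("release-", "")` on the context line below removes that substring wherever it occurs in the tag rather than only as a prefix, and silently passes through any tag that does not carry it, so the cleaned cache can hold non-version strings that are later compared against advisory versions; a `startswith("release-")` guard (or `removeprefix("release-")` if the project targets 3.9+) would be stricter and would make it obvious which tags are being ignored. `set_api` begins before this hunk.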

+Patches are signed using one of the +PGP public keys. +

diff --git a/vulnerabilities/tests/test_data/postgresql/advisories.html b/vulnerabilities/tests/test_data/postgresql/advisories.html new file mode 100644 index 000000000..3c2a109cc --- /dev/null +++ b/vulnerabilities/tests/test_data/postgresql/advisories.html @@ -0,0 +1,231 @@ + + + + PostgreSQL: Security Information + + + +
+
+ +
+
+ +
+
+
+
+ +
+

Quick Links

+ + + +
+ +
+
+
+
+ + +

Security Information

+ +

+If you wish to report a new security vulnerability in PostgreSQL, please +send an email to +security@postgresql.org. +For reporting non-security bugs, please see the Report a Bug page. +

+ + +

Known security issues in all supported versions

+

+You can filter the view of patches to show just patches for version:
+ +13 - + +12 - + +11 - + +10 - + +9.6 - + +9.5 + +- all +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ReferenceAffectedFixedComponent & CVSS v3 Base ScoreDescription
+ CVE-2020-10733
+ Announcement
+
9.59.5.22packaging
+ 6.7
AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H +
Windows installer runs executables from uncontrolled directories
+ CVE-2020-1720
+ Announcement
+
11, 12core server
+ 3.1
AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N +
ALTER ... DEPENDS ON EXTENSION is missing authorization checks.
+ +

Unsupported versions

+

+ You can also view archived security patches for unsupported versions. Note that no further + security patches are made available for these versions as they are end of life.
+ +9.4 - + +9.3 - + +9.2 - + +9.1 - + +9.0 - + +8.4 - + +8.3 - + +8.2 - + +8.1 - + +8.0 - + +7.4 - + +7.3 + +

+ + + +

Components

+

+The following component references are used in the above table: +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ComponentDescription
core serverThis vulnerability exists in the core server product.
clientThis vulnerability exists in a client library or client application only.
contrib moduleThis vulnerability exists in a contrib module. Contrib modules are not installed by default when PostgreSQL is installed from source. They may be installed by binary packages.
client contrib moduleThis vulnerability exists in a contrib module used on the client only.
packagingThis vulnerability exists in PostgreSQL binary packaging, e.g. an installer or RPM.
+ + + +
+
+
+
+ + + + + diff --git a/vulnerabilities/tests/test_nginx.py b/vulnerabilities/tests/test_nginx.py new file mode 100644 index 000000000..91efb9f2f --- /dev/null +++ b/vulnerabilities/tests/test_nginx.py 
@@ -0,0 +1,187 @@ +# Copyright (c) nexB Inc. and others. All rights reserved. +# http://nexb.com and https://github.com/nexB/vulnerablecode/ +# The VulnerableCode software is licensed under the Apache License version 2.0. +# Data generated with VulnerableCode require an acknowledgment. +# +# You may not use this software except in compliance with the License. +# You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0 +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. +# +# When you publish or redistribute any data created with VulnerableCode or any VulnerableCode +# derivative work, you must accompany this data with the following acknowledgment: +# +# Generated with VulnerableCode and provided on an "AS IS" BASIS, WITHOUT WARRANTIES +# OR CONDITIONS OF ANY KIND, either express or implied. No content created from +# VulnerableCode should be considered or used as legal advice. Consult an Attorney +# for any legal advice. +# VulnerableCode is a free software tool from nexB Inc. and others. +# Visit https://github.com/nexB/vulnerablecode/ for support and download. 
+ +import os +from unittest import TestCase +from unittest.mock import patch + +from packageurl import PackageURL + +from vulnerabilities.data_source import Advisory +from vulnerabilities.data_source import Reference +from vulnerabilities.importers.nginx import NginxDataSource +from vulnerabilities.package_managers import GitHubTagsAPI + +BASE_DIR = os.path.dirname(os.path.abspath(__file__)) +TEST_DATA = os.path.join(BASE_DIR, "test_data/nginx", "security_advisories.html") + + +class TestNginxDataSource(TestCase): + @classmethod + def setUpClass(cls): + with open(TEST_DATA) as f: + cls.data = f.read() + data_source_cfg = {"etags": {}} + cls.data_src = NginxDataSource(1, config=data_source_cfg) + cls.data_src.version_api = GitHubTagsAPI( + cache={"nginx/nginx": {"1.2.3", "1.7.0", "1.3.9", "0.7.52"}} + ) + + def test_to_advisories(self): + expected_data = sorted( + [ + Advisory( + summary="Stack-based buffer overflow with specially crafted request", + impacted_package_urls={ + PackageURL( + type="generic", + namespace=None, + name="nginx", + version="1.3.9", + qualifiers={}, + subpath=None, + ) + }, + resolved_package_urls={ + PackageURL( + type="generic", + namespace=None, + name="nginx", + version="1.7.0", + qualifiers={}, + subpath=None, + ) + }, + vuln_references=[], + cve_id="CVE-2013-2028", + ), + Advisory( + summary="Vulnerabilities with Windows directory aliases", + impacted_package_urls={ + PackageURL( + type="generic", + namespace=None, + name="nginx", + version="0.7.52", + qualifiers={"os": "windows"}, + subpath=None, + ), + PackageURL( + type="generic", + namespace=None, + name="nginx", + version="1.2.3", + qualifiers={"os": "windows"}, + subpath=None, + ), + }, + resolved_package_urls={ + PackageURL( + type="generic", + namespace=None, + name="nginx", + version="1.2.3", + qualifiers={}, + subpath=None, + ), + PackageURL( + type="generic", + namespace=None, + name="nginx", + version="1.3.9", + qualifiers={}, + subpath=None, + ), + PackageURL( + 
type="generic", + namespace=None, + name="nginx", + version="1.7.0", + qualifiers={}, + subpath=None, + ), + }, + vuln_references=[], + cve_id="CVE-2011-4963", + ), + Advisory( + summary="Vulnerabilities with invalid UTF-8 sequence on Windows", + impacted_package_urls={ + PackageURL( + type="generic", + namespace=None, + name="nginx", + version="0.7.52", + qualifiers={"os": "windows"}, + subpath=None, + ) + }, + resolved_package_urls=set(), + vuln_references=[], + cve_id="CVE-2010-2266", + ), + Advisory( + summary="An error log data are not sanitized", + impacted_package_urls=set(), + resolved_package_urls={}, + vuln_references=[], + cve_id="CVE-2009-4487", + ), + Advisory( + summary="The renegotiation vulnerability in SSL protocol", + impacted_package_urls={ + PackageURL( + type="generic", + namespace=None, + name="nginx", + version="0.7.52", + qualifiers={}, + subpath=None, + ) + }, + resolved_package_urls=set(), + vuln_references=[], + cve_id="CVE-2009-3555", + ), + Advisory( + summary="Directory traversal vulnerability", + impacted_package_urls={ + PackageURL( + type="generic", + namespace=None, + name="nginx", + version="0.7.52", + qualifiers={}, + subpath=None, + ) + }, + resolved_package_urls=set(), + vuln_references=[], + cve_id="CVE-2009-3898", + ), + ], + key=lambda adv: adv.cve_id, + ) + + found_data = sorted(self.data_src.to_advisories(self.data), key=lambda adv: adv.cve_id) + + assert expected_data == found_data diff --git a/vulnerabilities/tests/test_postgresql.py b/vulnerabilities/tests/test_postgresql.py new file mode 100644 index 000000000..b8df2aca0 --- /dev/null +++ b/vulnerabilities/tests/test_postgresql.py 
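Review bot: In the CVE-2009-4487 expectation `resolved_package_urls={}` is an empty dict while every other advisory in this file uses `set()`; since `{} == set()` is False in Python, this entry only compares equal if `to_advisories` happens to emit a dict there, and otherwise the assertion fails for a reason unrelated to the parser, so it should read `resolved_package_urls=set()`. The `patch` and `Reference` imports at the top of the file are unused and can be dropped, and `open(TEST_DATA)` should pass `encoding="utf-8"` so the HTML fixture decodes identically on every platform. The final bare `assert expected_data == found_data` on two long lists also gives no hint of which advisory diverged; `self.assertEqual(expected_data, found_data)` or a per-CVE comparison would make a failure actionable.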
@@ -0,0 +1,124 @@ +# Copyright (c) nexB Inc. and others. All rights reserved. +# http://nexb.com and https://github.com/nexB/vulnerablecode/ +# The VulnerableCode software is licensed under the Apache License version 2.0. +# Data generated with VulnerableCode require an acknowledgment. +# +# You may not use this software except in compliance with the License. +# You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0 +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. +# +# When you publish or redistribute any data created with VulnerableCode or any VulnerableCode +# derivative work, you must accompany this data with the following acknowledgment: +# +# Generated with VulnerableCode and provided on an "AS IS" BASIS, WITHOUT WARRANTIES +# OR CONDITIONS OF ANY KIND, either express or implied. No content created from +# VulnerableCode should be considered or used as legal advice. Consult an Attorney +# for any legal advice. +# VulnerableCode is a free software tool from nexB Inc. and others. +# Visit https://github.com/nexB/vulnerablecode/ for support and download. 
+ +import os +from unittest import TestCase +from unittest.mock import patch + +from packageurl import PackageURL + +from vulnerabilities.data_source import Advisory +from vulnerabilities.data_source import Reference +from vulnerabilities.importers.postgresql import to_advisories + + +BASE_DIR = os.path.dirname(os.path.abspath(__file__)) +TEST_DATA = os.path.join(BASE_DIR, "test_data/postgresql", "advisories.html") + + +class TestPostgreSQLDataSource(TestCase): + def test_to_advisories(self): + + with open(TEST_DATA) as f: + raw_data = f.read() + + expected_data = sorted( + [ + Advisory( + summary="Windows installer runs executables from uncontrolled directories", + impacted_package_urls=[ + PackageURL( + type="generic", + namespace=None, + name="postgresql", + version="9.5", + qualifiers={"os": "windows"}, + subpath=None, + ) + ], + resolved_package_urls=[ + PackageURL( + type="generic", + namespace=None, + name="postgresql", + version="9.5.22", + qualifiers={"os": "windows"}, + subpath=None, + ) + ], + vuln_references=[ + Reference( + url="https://www.postgresql.org/about/news/postgresql-123-118-1013-9618-and-9522-released-2038/", # nopep8 + reference_id="", + ) + ], + cve_id="CVE-2020-10733", + ), + Advisory( + summary="ALTER ... 
DEPENDS ON EXTENSION is missing authorization checks.", + impacted_package_urls=[ + PackageURL( + type="generic", + namespace=None, + name="postgresql", + version="11", + qualifiers={}, + subpath=None, + ), + PackageURL( + type="generic", + namespace=None, + name="postgresql", + version="12", + qualifiers={}, + subpath=None, + ), + ], + resolved_package_urls=[ + PackageURL( + type="generic", + namespace=None, + name="postgresql", + version=None, + qualifiers={}, + subpath=None, + ) + ], + vuln_references=[ + Reference( + url="https://access.redhat.com/security/cve/CVE-2020-1720", + reference_id="", + ), + Reference( + url="https://www.postgresql.org/about/news/postgresql-122-117-1012-9617-9521-and-9426-released-2011/", # nopep8 + reference_id="", + ), + ], + cve_id="CVE-2020-1720", + ), + ], + key=lambda adv: adv.cve_id, + ) + + found_data = sorted(to_advisories(raw_data), key=lambda adv: adv.cve_id) + + assert expected_data == found_data
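Review bot: The expected `resolved_package_urls` for CVE-2020-1720 is a single `PackageURL(..., version=None)`, which pins the importer to emitting a version-less purl when the advisory's "Fixed" cell is empty (the fixture row for this CVE earlier in this diff shows no fixed version). A purl with no version does not identify a patched release, and if downstream consumers treat resolved purls as "fixed in", it makes every unversioned `pkg:generic/postgresql` look patched; I would expect `resolved_package_urls=[]` here and have the importer skip empty fixed cells, which is a change outside this hunk. Separately, this file uses lists for `impacted_package_urls`/`resolved_package_urls` while `test_nginx.py` in the same commit uses sets, so this comparison is order-sensitive and the two importers appear to return different container types; aligning them would avoid a brittle test. The unused `patch` import and the `open()` call without `encoding="utf-8"` repeat the same issues as the nginx test.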