Skip to content

Make sure vulnerability id is_cve or is_vulcoid #389

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
sbs2001 merged 3 commits into from
Mar 22, 2021
Merged

Make sure vulnerability id is_cve or is_vulcoid #389

sbs2001 merged 3 commits into from
Mar 22, 2021

Conversation

@Hritik14
Copy link
Collaborator

@Hritik14 Hritik14 commented Mar 18, 2021

This makes sure that vulnerability id supplied in alpine_linux importer
is either a cve, vulcoid or empty so as to stand on the definition of
vulnerability id.
It could be possible to introduce a validator at the model level for the
same as well using these functions.
I would propose that we create a validators class where we would keep some custom validators which could be used inside the models to keep the database protected against invalid input. One such validator for vulnerability id would look like the following

    def vulnerability_id_validator(id: str):
        if id != "" and not (DataSource.is_cve(id) or DataSource.is_vulcoid(id)):
            raise ValidationError("{}: not a valid cve or volcoid".format(id))

Signed-off-by: Hritik Vijay hritikxx8@gmail.com

@Hritik14
Make sure vulnerability id is_cve or is_vulcoid
1b06423 
This makes sure that vulnerability id supplied in alpine_linux importer
is either a cve, vulcoid or empty so as to stand on the definition of
vulnerability id.
It could be possible to introduce a validator at the model level for the
same as well using these functions

Signed-off-by: Hritik Vijay <hritikxx8@gmail.com>
@sbs2001
Copy link
Collaborator

sbs2001 commented Mar 19, 2021

@Hritik14 detecting these when we are at last step, ie during model creation won't be as effective as detection on creation of Advisory instances.

I would rather add the validation to the Advisory dataclass. Doing lot of work then failing is lot worse then failing before doing much in this case ;)

sbs2001
sbs2001 requested changes Mar 19, 2021
View reviewed changes
vulnerabilities/data_source.py Outdated
Comment on lines 231 to 250
@staticmethod
def is_cve(id: str):
c = id.split("-")
if len(c) == 3 and c[0].lower() == "cve" and c[1].isdigit() and c[2].isdigit():
return True
return False

@staticmethod
def is_vulcoid(id: str):
c = id.split("-")
if (
len(c) == 4
and c[0].lower() == "vulcoid"
and c[1].isdigit()
and c[2].isdigit()
and c[3].isdigit()
):
return True
return False

Copy link
Collaborator

@sbs2001 sbs2001 Mar 19, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These are not required. is-cve is duplicated we already a method for doing that validation at https://github.com/nexB/vulnerablecode/blob/3d66b4e82ee31422ab907d3388f739b768ffd2ac/vulnerabilities/helpers.py#L81

is_vulcoid is not needed since vulcoids are not assigned manually. The advisories without vulnerability id are assigned vulcoid, see https://github.com/nexB/vulnerablecode/blob/3d66b4e82ee31422ab907d3388f739b768ffd2ac/vulnerabilities/models.py#L65

vulnerabilities/importers/alpine_linux.py Outdated
references=references,
vulnerability_id=vuln_ids[0] if vuln_ids[0] != "CVE-????-?????" else "",
vulnerability_id=vuln_ids[0]
if self.is_cve(vuln_ids[0]) or self.is_vulcoid(vuln_ids[0])
Copy link
Collaborator

@sbs2001 sbs2001 Mar 19, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As said above, validate for only cve using the helper

Hritik14 and others added 2 commits March 19, 2021 16:15
@Hritik14 Hritik14 requested a review from sbs2001 March 19, 2021 10:53
@Hritik14
Copy link
Collaborator Author

Hritik14 commented Mar 19, 2021

I've applied the requested changes. Please review. Also, I think it would be better to squash and merge the PR to avoid intermediate commits.

@sbs2001
Copy link
Collaborator

sbs2001 commented Mar 22, 2021

LGTM ! could you squash and force push the commits from your side ?

@Hritik14
Copy link
Collaborator Author

Hritik14 commented Mar 22, 2021

I would do it but it would just mess up the git history (I'm not really in favor of --force). If you could squash like it's shown here I guess it would be lot easier https://docs.github.com/en/github/collaborating-with-issues-and-pull-requests/merging-a-pull-request

sbs2001
sbs2001 approved these changes Mar 22, 2021
View reviewed changes
Copy link
Collaborator

@sbs2001 sbs2001 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @Hritik14 merging this

@sbs2001 sbs2001 merged commit c689e9d into aboutcode-org:main Mar 22, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sbs2001 sbs2001 sbs2001 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Hritik14 @sbs2001