From 4a5f3206663e16c0686739fa83fca2978e6818b6 Mon Sep 17 00:00:00 2001
From: Tushar Goel
Date: Fri, 13 May 2022 23:35:24 +0530
Subject: [PATCH] Migrate redhat importer Fix severities in UI
Signed-off-by: Tushar Goel
---
 vulnerabilities/importers/__init__.py | 2 +
 vulnerabilities/importers/redhat.py | 146 +++++----
 vulnerabilities/rpm_utils.py | 117 +++++++
 vulnerabilities/templates/vulnerability.html | 2 +-
 vulnerabilities/tests/conftest.py | 1 -
 .../test_data/redhat/RHSA-2022:1437.json | 300 ++++++++++++++++++
 .../test_data/redhat/RHSA-2022:1439.json | 256 +++++++++++++++
 .../test_data/redhat/bugzilla-2075788.json | 176 ++++++++++
 .../test_data/redhat/bugzilla-2077736.json | 201 ++++++++++++
 .../test_data/redhat/redhat-expected.json | 245 ++++++++++++++
 .../tests/test_data/redhat/redhat-input.json | 49 +++
 vulnerabilities/tests/test_redhat_importer.py | 153 +++------
 12 files changed, 1464 insertions(+), 184 deletions(-)
 create mode 100644 vulnerabilities/rpm_utils.py
 create mode 100644 vulnerabilities/tests/test_data/redhat/RHSA-2022:1437.json
 create mode 100644 vulnerabilities/tests/test_data/redhat/RHSA-2022:1439.json
 create mode 100644 vulnerabilities/tests/test_data/redhat/bugzilla-2075788.json
 create mode 100644 vulnerabilities/tests/test_data/redhat/bugzilla-2077736.json
 create mode 100644 vulnerabilities/tests/test_data/redhat/redhat-expected.json
 create mode 100644 vulnerabilities/tests/test_data/redhat/redhat-input.json
diff --git a/vulnerabilities/importers/__init__.py b/vulnerabilities/importers/__init__.py
index b9c6d184b..4c4d9924f 100644
--- a/vulnerabilities/importers/__init__.py
+++ b/vulnerabilities/importers/__init__.py
@@ -24,6 +24,7 @@ from vulnerabilities.importers import nginx
 from vulnerabilities.importers import nvd
 from vulnerabilities.importers import openssl
+from vulnerabilities.importers import redhat
 IMPORTERS_REGISTRY = [
 nginx.NginxImporter,
@@ -31,6 +32,7 @@ github.GitHubAPIImporter,
 nvd.NVDImporter,
 openssl.OpensslImporter,
+ redhat.RedhatImporter,
 ]
 IMPORTERS_REGISTRY = {x.qualified_name: x for x in IMPORTERS_REGISTRY}
diff --git a/vulnerabilities/importers/redhat.py b/vulnerabilities/importers/redhat.py
index bba7d28c2..c2bc52844 100644
--- a/vulnerabilities/importers/redhat.py
+++ b/vulnerabilities/importers/redhat.py
@@ -20,81 +20,99 @@ # VulnerableCode is a free software code from nexB Inc. and others. # Visit https://github.com/nexB/vulnerablecode/ for support and download. +import logging +from typing import Dict +from typing import Iterable +from typing import List + import requests from packageurl import PackageURL +from univers.version_range import RpmVersionRange from vulnerabilities import severity_systems -from vulnerabilities.helpers import nearest_patched_package +from vulnerabilities.helpers import get_item from vulnerabilities.helpers import requests_with_5xx_retry from vulnerabilities.importer import AdvisoryData +from vulnerabilities.importer import AffectedPackage from vulnerabilities.importer import Importer from vulnerabilities.importer import Reference from vulnerabilities.importer import VulnerabilitySeverity +from vulnerabilities.rpm_utils import rpm_to_purl - -class RedhatImporter(Importer): - def __enter__(self): - - self.redhat_cves = fetch() - - def updated_advisories(self): - processed_advisories = list(map(to_advisory, self.redhat_cves)) - return self.batch_advisories(processed_advisories) - +logger = logging.getLogger(__name__) requests_session = requests_with_5xx_retry(max_retries=5, backoff_factor=1) -def fetch(): - """ - Return a list of CVE data mappings fetched from the RedHat API. 
- See: - https://access.redhat.com/documentation/en-us/red_hat_security_data_api/1.0/html/red_hat_security_data_api/index - """ - cves = [] +def fetch_list_of_cves() -> Iterable[List[Dict]]: page_no = 1 - url_template = "https://access.redhat.com/hydra/rest/securitydata/cve.json?per_page=10000&page={}" # nopep8 - cve_data = None while True: - current_url = url_template.format(page_no) + current_url = f"https://access.redhat.com/hydra/rest/securitydata/cve.json?per_page=10000&page={page_no}" # nopep8 try: - print(f"Fetching: {current_url}") response = requests_session.get(current_url) if response.status_code != requests.codes.ok: - # TODO: log me - print(f"Failed to fetch results from {current_url}") + logger.error(f"Failed to fetch results from {current_url}") break cve_data = response.json() except Exception as e: - # TODO: log me - msg = f"Failed to fetch results from {current_url}:\n{e}" - print(msg) + logger.error(f"Failed to fetch results from {current_url} {e}") break - if not cve_data: break - cves.extend(cve_data) page_no += 1 + yield cve_data + + +def get_bugzilla_data(bugzilla): + return requests_session.get(f"https://bugzilla.redhat.com/rest/bug/{bugzilla}").json() - return cves + +def get_rhsa_data(rh_adv): + return requests_session.get( + f"https://access.redhat.com/hydra/rest/securitydata/cvrf/{rh_adv}.json" + ).json() + + +class RedhatImporter(Importer): + + spdx_license_expression = "CC-BY-4.0" + license_url = "https://access.redhat.com/documentation/en-us/red_hat_security_data_api/1.0/html/red_hat_security_data_api/legal-notice" + + def advisory_data(self) -> Iterable[AdvisoryData]: + for list_of_redhat_cves in fetch_list_of_cves(): + for redhat_cve in list_of_redhat_cves: + yield to_advisory(redhat_cve) def to_advisory(advisory_data): - affected_purls = [] - if advisory_data.get("affected_packages"): - for rpm in advisory_data["affected_packages"]: - purl = rpm_to_purl(rpm) - if purl: - affected_purls.append(purl) + affected_packages: 
List[AffectedPackage] = [] + for rpm in advisory_data.get("affected_packages") or []: + purl = rpm_to_purl(rpm_string=rpm, namespace="redhat") + if purl: + try: + affected_version_range = RpmVersionRange.from_versions(sequence=[purl.version]) + affected_packages.append( + AffectedPackage( + package=PackageURL( + type=purl.type, + name=purl.name, + namespace=purl.namespace, + qualifiers=purl.qualifiers, + subpath=purl.subpath, + ), + affected_version_range=affected_version_range, + fixed_version=None, + ) + ) + except Exception as e: + logger.error(f"Failed to parse version range {purl.version} for {purl} {e}") references = [] bugzilla = advisory_data.get("bugzilla") if bugzilla: url = "https://bugzilla.redhat.com/show_bug.cgi?id={}".format(bugzilla) - bugzilla_data = requests_session.get( - f"https://bugzilla.redhat.com/rest/bug/{bugzilla}" - ).json() + bugzilla_data = get_bugzilla_data(bugzilla) if ( bugzilla_data.get("bugs") and len(bugzilla_data["bugs"]) 
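Review bot: `get_bugzilla_data` and `get_rhsa_data` call `.json()` on the response with no status check and no timeout, so a non-200 or non-JSON reply from Bugzilla or the CVRF endpoint raises out of `to_advisory` and ends the whole `advisory_data()` generator, and a stalled connection blocks the importer indefinitely — unlike `fetch_list_of_cves` just above them, which checks `status_code` and logs. Returning `{}` on failure keeps the callers' `bugzilla_data.get("bugs")` and `rhsa_data.get("cvrfdoc")` checks working, and a decode error from `.json()` (a `ValueError`) can be caught the same way. Neither helper, nor `fetch_list_of_cves` or `RedhatImporter.advisory_data`, has a docstring. The rewrite below shows `get_bugzilla_data`; `get_rhsa_data` needs the identical treatment with the CVRF URL (the 30-second timeout is an illustrative value). `to_advisory` continues past the end of this hunk.

```python
def get_bugzilla_data(bugzilla):
    """Return the Bugzilla REST JSON for bug id ``bugzilla``, or {} if the request fails."""
    url = f"https://bugzilla.redhat.com/rest/bug/{bugzilla}"
    try:
        response = requests_session.get(url, timeout=30)
        if response.status_code != requests.codes.ok:
            logger.error(f"Failed to fetch results from {url}")
            return {}
        return response.json()
    except (requests.RequestException, ValueError) as e:
        logger.error(f"Failed to fetch results from {url} {e}")
        return {}

# … get_rhsa_data: same shape, with the CVRF URL …
```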
@@ -114,25 +132,28 @@ def to_advisory(advisory_data): ) ) - for rh_adv in advisory_data["advisories"]: + for rh_adv in advisory_data.get("advisories") or []: # RH provides 3 types of advisories RHSA, RHBA, RHEA. Only RHSA's contain severity score. # See https://access.redhat.com/articles/2130961 for more details. + if not isinstance(rh_adv, str): + logger.error(f"Invalid advisory type {rh_adv}") + continue + if "RHSA" in rh_adv.upper(): - rhsa_data = requests_session.get( - f"https://access.redhat.com/hydra/rest/securitydata/cvrf/{rh_adv}.json" - ).json() # nopep8 + rhsa_data = get_rhsa_data(rh_adv) rhsa_aggregate_severities = [] if rhsa_data.get("cvrfdoc"): # not all RHSA errata have a corresponding CVRF document - value = rhsa_data["cvrfdoc"]["aggregate_severity"] - rhsa_aggregate_severities.append( - VulnerabilitySeverity( - system=severity_systems.REDHAT_AGGREGATE, - value=value, + value = get_item(rhsa_data, "cvrfdoc", "aggregate_severity") + if value: + rhsa_aggregate_severities.append( + VulnerabilitySeverity( + system=severity_systems.REDHAT_AGGREGATE, + value=value, + ) ) - ) references.append( Reference( 
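Review bot: The new `isinstance(rh_adv, str)` guard rejects non-strings, but the string is still interpolated unescaped into the CVRF URL path by `get_rhsa_data` (`.../cvrf/{rh_adv}.json`, defined in the previous hunk), so an id containing `/`, `?` or `..` changes the path that is requested rather than being skipped. The fixtures in this commit show ids of the form `RHSA-2022:1437`; if every real id follows that shape, replacing the substring test with `if re.fullmatch(r"RHSA-\d{4}:\d+", rh_adv):` (with `import re` at the top of the file, outside this hunk) both narrows the match and rejects malformed ids — verify against real data before narrowing, and otherwise pass `quote(rh_adv, safe=":")` from `urllib.parse` into `get_rhsa_data`. The `bugzilla` id passed to `get_bugzilla_data` in the previous hunk deserves the same treatment. With `get_item(rhsa_data, "cvrfdoc", "aggregate_severity")` in place, the enclosing `if rhsa_data.get("cvrfdoc"):` is redundant and its comment about missing CVRF documents belongs on the `if value:` branch instead.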
@@ -164,27 +185,14 @@ def to_advisory(advisory_data): ) ) + aliases = [] + alias = advisory_data.get("CVE") + if alias: + aliases.append(alias) references.append(Reference(severities=redhat_scores, url=advisory_data["resource_url"])) return AdvisoryData( - vulnerability_id=advisory_data["CVE"], - summary=advisory_data["bugzilla_description"], - affected_packages=nearest_patched_package(affected_purls, []), + aliases=aliases, + summary=advisory_data.get("bugzilla_description") or "", + affected_packages=affected_packages, references=references, ) - - -def rpm_to_purl(rpm_string): - # FIXME: there is code in scancode to handle RPM conversion AND this should - # be all be part of the packageurl library - - # FIXME: the comment below is not correct, this is the Epoch in the RPM version and not redhat specific - # Red Hat uses `-:0` instead of just `-` to separate - # package name and version - components = rpm_string.split("-0:") - if len(components) != 2: - return - - name, version = components - - if version[0].isdigit(): - return PackageURL(namespace="redhat", name=name, type="rpm", version=version) diff --git a/vulnerabilities/rpm_utils.py b/vulnerabilities/rpm_utils.py new file mode 100644 index 000000000..c77ea7c1a --- /dev/null +++ b/vulnerabilities/rpm_utils.py 
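Review bot: `advisory_data["resource_url"]` on the `references.append(Reference(severities=redhat_scores, ...))` line is still a bare subscript while the other fields in this hunk (`CVE`, `bugzilla_description`) moved to `.get()`, so one record without `resource_url` raises `KeyError` out of `to_advisory` and ends the `advisory_data()` generator. Read it the same way, `resource_url = advisory_data.get("resource_url")`, and append the reference only `if resource_url:` with a `logger.error` for the skipped record; that also drops `redhat_scores` for such a record, so if `Reference` accepts an empty url, keeping the reference and only logging is the alternative — verify against `Reference`. `to_advisory` has no docstring; one sentence saying it converts one record of the Red Hat CVE list API into an `AdvisoryData` whose `aliases` carry the `CVE` id, fetching Bugzilla and CVRF data over the network on the way, would help the next reader. `to_advisory` starts outside this hunk, and `redhat_scores` is built above it.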
@@ -0,0 +1,117 @@ +# Copyright (c) nexB Inc. and others. All rights reserved. +# http://nexb.com and https://github.com/nexB/vulnerablecode/ +# The VulnerableCode software is licensed under the Apache License version 2.0. +# Data generated with VulnerableCode require an acknowledgment. +# +# You may not use this software except in compliance with the License. +# You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0 +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. +# +# When you publish or redistribute any data created with VulnerableCode or any VulnerableCode +# derivative work, you must accompany this data with the following acknowledgment: +# +# Generated with VulnerableCode and provided on an "AS IS" BASIS, WITHOUT WARRANTIES +# OR CONDITIONS OF ANY KIND, either express or implied. No content created from +# VulnerableCode should be considered or used as legal advice. Consult an Attorney +# for any legal advice. +# VulnerableCode is a free software code from nexB Inc. and others. +# Visit https://github.com/nexB/vulnerablecode/ for support and download. + +import logging +import re +from collections import namedtuple + +from packageurl import PackageURL + +logger = logging.getLogger(__name__) + +# This code has been vendored from scancode. + +# https://github.com/nexB/scancode-toolkit/blob/16ae20a343c5332114edac34c7b6fcf2fb6bca74/src/packagedcode/rpm.py#L91 +class EVR(namedtuple("EVR", "epoch version release")): + """ + The RPM Epoch, Version, Release tuple. + """ + + def __new__(self, version, release=None, epoch=None): + """ + note: the sort order of the named tuple is the sort order. + But for creation we put the rarely used epoch last with a default to None. 
+ """ + if not isinstance(epoch, int): + if epoch and epoch.strip(): + logger.error("Invalid epoch: must be a number or empty.") + return None + if not version: + logger.error("Version is required: {}".format(repr(version))) + return None + + return super().__new__(EVR, epoch, version, release) + + def __str__(self, *args, **kwargs): + return self.to_string() + + def to_string(self): + if self.release: + vr = f"{self.version}-{self.release}" + else: + vr = self.version + + if self.epoch: + vr = ":".join([str(self.epoch), vr]) + return vr + + +# https://github.com/nexB/scancode-toolkit/blob/16ae20a343c5332114edac34c7b6fcf2fb6bca74/src/packagedcode/nevra.py#L36 +def from_name(rpm_string): + """ + Return an (E, N, V, R, A) tuple given a file name, by splitting + [e:]name-version-release.arch into the four possible subcomponents. + Default epoch, version, release and arch to None if not specified. + Accepts RPM names with and without extensions + """ + parse_nevra = re.compile("^" "(.*)" "-" "([^-]*)" "-" "([^-]*)" "\\." 
"([^.]*)" "$").match + m = parse_nevra(rpm_string) + if not m: + return None + n, v, r, a = m.groups() + if ":" not in v: + return None, n, v, r, a + e, v = v.split(":", 1) + if e.isdigit(): + e = int(e) + return (e, n, v, r, a) + + +def rpm_to_purl(rpm_string, namespace): + # FIXME: there is code in scancode to handle RPM conversion AND this should + # be all be part of the packageurl library + + # FIXME: the comment below is not correct, this is the Epoch in the RPM version and not redhat specific + # Red Hat uses `-:0` instead of just `-` to separate + # package name and version + + # https://github.com/nexB/scancode-toolkit/blob/16ae20a343c5332114edac34c7b6fcf2fb6bca74/src/packagedcode/rpm.py#L310 + + envra = from_name(rpm_string) + + if not envra: + logger.error(f"Invalid RPM name can't get envra: {rpm_string}") + return None + sepoch, sname, sversion, srel, sarch = envra + + evr = EVR(sversion, srel, sepoch) + if not evr: + logger.error(f"Invalid RPM name can't get evr: {rpm_string}") + return None + src_evr = evr.to_string() + src_qualifiers = {} + if sarch: + src_qualifiers["arch"] = sarch + + return PackageURL( + type="rpm", namespace=namespace, name=sname, version=src_evr, qualifiers=src_qualifiers + ) diff --git a/vulnerabilities/templates/vulnerability.html b/vulnerabilities/templates/vulnerability.html index 2b197278d..a8930bcc2 100644 --- a/vulnerabilities/templates/vulnerability.html +++ b/vulnerabilities/templates/vulnerability.html @@ -66,7 +66,7 @@

Severity

Found At {% for ref in object_list %} - {% for obj in ref.scores %} + {% for obj in ref.severities %} {{obj.scoring_system}} diff --git a/vulnerabilities/tests/conftest.py b/vulnerabilities/tests/conftest.py index 2d0830978..e46767723 100644 --- a/vulnerabilities/tests/conftest.py +++ b/vulnerabilities/tests/conftest.py @@ -57,7 +57,6 @@ def no_rmtree(monkeypatch): "test_npm.py", "test_package_managers.py", "test_postgresql.py", - "test_redhat_importer.py", "test_retiredotnet.py", "test_ruby.py", "test_rust.py", diff --git a/vulnerabilities/tests/test_data/redhat/RHSA-2022:1437.json b/vulnerabilities/tests/test_data/redhat/RHSA-2022:1437.json new file mode 100644 index 000000000..7d2f90515 --- /dev/null +++ b/vulnerabilities/tests/test_data/redhat/RHSA-2022:1437.json 
@@ -0,0 +1,300 @@ +{ + "cvrfdoc": { + "document_title": "Red Hat Security Advisory: OpenJDK 17.0.3 security update for Windows Builds", + "document_distribution": "Copyright © 2022 Red Hat, Inc. All rights reserved.", + "document_references": { + "reference": [ + { + "description": "https://access.redhat.com/errata/RHSA-2022:1437", + "type": "Self", + "url": "https://access.redhat.com/errata/RHSA-2022:1437" + }, + { + "description": "https://access.redhat.com/security/updates/classification/#important", + "type": "External", + "url": "https://access.redhat.com/security/updates/classification/#important" + } + ] + }, + "aggregate_severity": "Important", + "document_tracking": { + "initial_release_date": "2022-04-28T19:03:00Z", + "identification": { + "id": "RHSA-2022:1437" + }, + "revision_history": { + "revision": { + "date": "2022-04-28T19:03:00Z", + "number": 1, + "description": "Current version" + } + }, + "generator": { + "date": "2022-04-28T22:41:00Z", + "engine": "Red Hat SDEngine 3.4.5" + }, + "current_release_date": "2022-04-28T19:03:00Z", + "version": 1, + "status": "Final" + }, + "document_publisher": { + "issuing_authority": "Red Hat Product Security", + "contact_details": "secalert@redhat.com", + "type": "Vendor" + }, + "vulnerability": [ + { + "notes": { + "note": "OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)" + }, + "cve": "CVE-2022-21426", + "references": { + "reference": [ + { + "description": "CVE-2022-21426", + "url": "https://access.redhat.com/security/cve/CVE-2022-21426" + }, + { + "description": "bz#2075788: CVE-2022-21426 OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2075788" + } + ] + }, + "release_date": "2022-04-19T20:00:00Z", + "involvements": { + "involvement": { + "party": "Vendor", + "status": "Completed" + } + }, + "remediations": { + "remediation": { + "description": "Before applying 
this update, make sure all previously-released errata relevant to your system have been applied.\nFor details on how to apply this update, refer to:\nhttps://access.redhat.com/documentation/en-us/openjdk/17/html/installing_and_using_openjdk_17_for_windows/index", + "type": "Vendor Fix", + "url": "https://access.redhat.com/errata/RHSA-2022:1437" + } + }, + "threats": { + "threat": { + "description": "Moderate", + "type": "Impact" + } + }, + "discovery_date": "2022-04-08T00:00:00Z", + "ordinal": 1 + }, + { + "notes": { + "note": "OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)" + }, + "cve": "CVE-2022-21434", + "references": { + "reference": [ + { + "description": "CVE-2022-21434", + "url": "https://access.redhat.com/security/cve/CVE-2022-21434" + }, + { + "description": "bz#2075836: CVE-2022-21434 OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2075836" + } + ] + }, + "release_date": "2022-04-19T20:00:00Z", + "involvements": { + "involvement": { + "party": "Vendor", + "status": "Completed" + } + }, + "remediations": { + "remediation": { + "description": "Before applying this update, make sure all previously-released errata relevant to your system have been applied.\nFor details on how to apply this update, refer to:\nhttps://access.redhat.com/documentation/en-us/openjdk/17/html/installing_and_using_openjdk_17_for_windows/index", + "type": "Vendor Fix", + "url": "https://access.redhat.com/errata/RHSA-2022:1437" + } + }, + "threats": { + "threat": { + "description": "Moderate", + "type": "Impact" + } + }, + "discovery_date": "2022-04-08T00:00:00Z", + "ordinal": 2 + }, + { + "notes": { + "note": "OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)" + }, + "cve": "CVE-2022-21443", + "references": { + "reference": [ + { + "description": "CVE-2022-21443", + "url": 
"https://access.redhat.com/security/cve/CVE-2022-21443" + }, + { + "description": "bz#2075793: CVE-2022-21443 OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2075793" + } + ] + }, + "release_date": "2022-04-19T20:00:00Z", + "involvements": { + "involvement": { + "party": "Vendor", + "status": "Completed" + } + }, + "remediations": { + "remediation": { + "description": "Before applying this update, make sure all previously-released errata relevant to your system have been applied.\nFor details on how to apply this update, refer to:\nhttps://access.redhat.com/documentation/en-us/openjdk/17/html/installing_and_using_openjdk_17_for_windows/index", + "type": "Vendor Fix", + "url": "https://access.redhat.com/errata/RHSA-2022:1437" + } + }, + "threats": { + "threat": { + "description": "Moderate", + "type": "Impact" + } + }, + "discovery_date": "2022-04-08T00:00:00Z", + "ordinal": 3 + }, + { + "notes": { + "note": "OpenJDK: Improper ECDSA signature verification (Libraries, 8277233)" + }, + "cve": "CVE-2022-21449", + "references": { + "reference": [ + { + "description": "https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/", + "url": "https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/" + }, + { + "description": "CVE-2022-21449", + "url": "https://access.redhat.com/security/cve/CVE-2022-21449" + }, + { + "description": "bz#2075821: CVE-2022-21449 OpenJDK: Improper ECDSA signature verification (Libraries, 8277233)", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2075821" + } + ] + }, + "release_date": "2022-04-19T20:00:00Z", + "involvements": { + "involvement": { + "party": "Vendor", + "status": "Completed" + } + }, + "remediations": { + "remediation": { + "description": "Before applying this update, make sure all previously-released errata relevant to your system have been applied.\nFor details on how to apply this update, refer 
to:\nhttps://access.redhat.com/documentation/en-us/openjdk/17/html/installing_and_using_openjdk_17_for_windows/index", + "type": "Vendor Fix", + "url": "https://access.redhat.com/errata/RHSA-2022:1437" + } + }, + "threats": { + "threat": { + "description": "Important", + "type": "Impact" + } + }, + "discovery_date": "2022-04-08T00:00:00Z", + "ordinal": 4 + }, + { + "notes": { + "note": "OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008)" + }, + "cve": "CVE-2022-21476", + "references": { + "reference": [ + { + "description": "CVE-2022-21476", + "url": "https://access.redhat.com/security/cve/CVE-2022-21476" + }, + { + "description": "bz#2075842: CVE-2022-21476 OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008)", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2075842" + } + ] + }, + "release_date": "2022-04-19T20:00:00Z", + "involvements": { + "involvement": { + "party": "Vendor", + "status": "Completed" + } + }, + "remediations": { + "remediation": { + "description": "Before applying this update, make sure all previously-released errata relevant to your system have been applied.\nFor details on how to apply this update, refer to:\nhttps://access.redhat.com/documentation/en-us/openjdk/17/html/installing_and_using_openjdk_17_for_windows/index", + "type": "Vendor Fix", + "url": "https://access.redhat.com/errata/RHSA-2022:1437" + } + }, + "threats": { + "threat": { + "description": "Important", + "type": "Impact" + } + }, + "discovery_date": "2022-04-08T00:00:00Z", + "ordinal": 5 + }, + { + "notes": { + "note": "OpenJDK: URI parsing inconsistencies (JNDI, 8278972)" + }, + "cve": "CVE-2022-21496", + "references": { + "reference": [ + { + "description": "CVE-2022-21496", + "url": "https://access.redhat.com/security/cve/CVE-2022-21496" + }, + { + "description": "bz#2075849: CVE-2022-21496 OpenJDK: URI parsing inconsistencies (JNDI, 8278972)", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2075849" + } + ] + 
}, + "release_date": "2022-04-19T20:00:00Z", + "involvements": { + "involvement": { + "party": "Vendor", + "status": "Completed" + } + }, + "remediations": { + "remediation": { + "description": "Before applying this update, make sure all previously-released errata relevant to your system have been applied.\nFor details on how to apply this update, refer to:\nhttps://access.redhat.com/documentation/en-us/openjdk/17/html/installing_and_using_openjdk_17_for_windows/index", + "type": "Vendor Fix", + "url": "https://access.redhat.com/errata/RHSA-2022:1437" + } + }, + "threats": { + "threat": { + "description": "Moderate", + "type": "Impact" + } + }, + "discovery_date": "2022-04-08T00:00:00Z", + "ordinal": 6 + } + ], + "document_notes": { + "note": [ + "The Red Hat build of OpenJDK 17 (java-17-openjdk) is now available for Windows.\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", + "The OpenJDK 17 packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit.\nThis release of the Red Hat build of OpenJDK 17 (17.0.3) for portable Linux\nserves as a replacement for the Red Hat build of OpenJDK 17 (17.0.2) and\nincludes security and bug fixes, and enhancements. 
For further information,\nrefer to the release notes linked to in the References section.\nSecurity Fix(es):\n* OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) (CVE-2022-21426)\n* OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n* OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)\n* OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n* OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\n* OpenJDK: Improper ECDSA signature verification (Libraries, 8277233) (CVE-2022-21449)\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", + "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original." + ] + }, + "document_type": "Security Advisory" + } +} \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/redhat/RHSA-2022:1439.json b/vulnerabilities/tests/test_data/redhat/RHSA-2022:1439.json new file mode 100644 index 000000000..337780185 --- /dev/null +++ b/vulnerabilities/tests/test_data/redhat/RHSA-2022:1439.json 
@@ -0,0 +1,256 @@ +{ + "cvrfdoc": { + "document_title": "Red Hat Security Advisory: OpenJDK 11.0.15 security update for Windows Builds", + "document_distribution": "Copyright © 2022 Red Hat, Inc. All rights reserved.", + "document_references": { + "reference": [ + { + "description": "https://access.redhat.com/errata/RHSA-2022:1439", + "type": "Self", + "url": "https://access.redhat.com/errata/RHSA-2022:1439" + }, + { + "description": "https://access.redhat.com/security/updates/classification/#important", + "type": "External", + "url": "https://access.redhat.com/security/updates/classification/#important" + } + ] + }, + "aggregate_severity": "Important", + "document_tracking": { + "initial_release_date": "2022-04-28T18:59:00Z", + "identification": { + "id": "RHSA-2022:1439" + }, + "revision_history": { + "revision": { + "date": "2022-04-28T18:59:00Z", + "number": 1, + "description": "Current version" + } + }, + "generator": { + "date": "2022-04-28T22:41:00Z", + "engine": "Red Hat SDEngine 3.4.5" + }, + "current_release_date": "2022-04-28T18:59:00Z", + "version": 1, + "status": "Final" + }, + "document_publisher": { + "issuing_authority": "Red Hat Product Security", + "contact_details": "secalert@redhat.com", + "type": "Vendor" + }, + "vulnerability": [ + { + "notes": { + "note": "OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)" + }, + "cve": "CVE-2022-21426", + "references": { + "reference": [ + { + "description": "CVE-2022-21426", + "url": "https://access.redhat.com/security/cve/CVE-2022-21426" + }, + { + "description": "bz#2075788: CVE-2022-21426 OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2075788" + } + ] + }, + "release_date": "2022-04-19T20:00:00Z", + "involvements": { + "involvement": { + "party": "Vendor", + "status": "Completed" + } + }, + "remediations": { + "remediation": { + "description": "Before applying 
this update, make sure all previously released errata relevant to your system have been applied.\nFor details on how to apply this update, refer to:\nhttps://access.redhat.com/documentation/en-us/openjdk/11/html/installing_and_using_openjdk_11_for_windows/index", + "type": "Vendor Fix", + "url": "https://access.redhat.com/errata/RHSA-2022:1439" + } + }, + "threats": { + "threat": { + "description": "Moderate", + "type": "Impact" + } + }, + "discovery_date": "2022-04-08T00:00:00Z", + "ordinal": 1 + }, + { + "notes": { + "note": "OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)" + }, + "cve": "CVE-2022-21434", + "references": { + "reference": [ + { + "description": "CVE-2022-21434", + "url": "https://access.redhat.com/security/cve/CVE-2022-21434" + }, + { + "description": "bz#2075836: CVE-2022-21434 OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2075836" + } + ] + }, + "release_date": "2022-04-19T20:00:00Z", + "involvements": { + "involvement": { + "party": "Vendor", + "status": "Completed" + } + }, + "remediations": { + "remediation": { + "description": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\nFor details on how to apply this update, refer to:\nhttps://access.redhat.com/documentation/en-us/openjdk/11/html/installing_and_using_openjdk_11_for_windows/index", + "type": "Vendor Fix", + "url": "https://access.redhat.com/errata/RHSA-2022:1439" + } + }, + "threats": { + "threat": { + "description": "Moderate", + "type": "Impact" + } + }, + "discovery_date": "2022-04-08T00:00:00Z", + "ordinal": 2 + }, + { + "notes": { + "note": "OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)" + }, + "cve": "CVE-2022-21443", + "references": { + "reference": [ + { + "description": "CVE-2022-21443", + "url": 
"https://access.redhat.com/security/cve/CVE-2022-21443" + }, + { + "description": "bz#2075793: CVE-2022-21443 OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2075793" + } + ] + }, + "release_date": "2022-04-19T20:00:00Z", + "involvements": { + "involvement": { + "party": "Vendor", + "status": "Completed" + } + }, + "remediations": { + "remediation": { + "description": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\nFor details on how to apply this update, refer to:\nhttps://access.redhat.com/documentation/en-us/openjdk/11/html/installing_and_using_openjdk_11_for_windows/index", + "type": "Vendor Fix", + "url": "https://access.redhat.com/errata/RHSA-2022:1439" + } + }, + "threats": { + "threat": { + "description": "Moderate", + "type": "Impact" + } + }, + "discovery_date": "2022-04-08T00:00:00Z", + "ordinal": 3 + }, + { + "notes": { + "note": "OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008)" + }, + "cve": "CVE-2022-21476", + "references": { + "reference": [ + { + "description": "CVE-2022-21476", + "url": "https://access.redhat.com/security/cve/CVE-2022-21476" + }, + { + "description": "bz#2075842: CVE-2022-21476 OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008)", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2075842" + } + ] + }, + "release_date": "2022-04-19T20:00:00Z", + "involvements": { + "involvement": { + "party": "Vendor", + "status": "Completed" + } + }, + "remediations": { + "remediation": { + "description": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\nFor details on how to apply this update, refer to:\nhttps://access.redhat.com/documentation/en-us/openjdk/11/html/installing_and_using_openjdk_11_for_windows/index", + "type": "Vendor Fix", + "url": 
"https://access.redhat.com/errata/RHSA-2022:1439" + } + }, + "threats": { + "threat": { + "description": "Important", + "type": "Impact" + } + }, + "discovery_date": "2022-04-08T00:00:00Z", + "ordinal": 4 + }, + { + "notes": { + "note": "OpenJDK: URI parsing inconsistencies (JNDI, 8278972)" + }, + "cve": "CVE-2022-21496", + "references": { + "reference": [ + { + "description": "CVE-2022-21496", + "url": "https://access.redhat.com/security/cve/CVE-2022-21496" + }, + { + "description": "bz#2075849: CVE-2022-21496 OpenJDK: URI parsing inconsistencies (JNDI, 8278972)", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2075849" + } + ] + }, + "release_date": "2022-04-19T20:00:00Z", + "involvements": { + "involvement": { + "party": "Vendor", + "status": "Completed" + } + }, + "remediations": { + "remediation": { + "description": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\nFor details on how to apply this update, refer to:\nhttps://access.redhat.com/documentation/en-us/openjdk/11/html/installing_and_using_openjdk_11_for_windows/index", + "type": "Vendor Fix", + "url": "https://access.redhat.com/errata/RHSA-2022:1439" + } + }, + "threats": { + "threat": { + "description": "Moderate", + "type": "Impact" + } + }, + "discovery_date": "2022-04-08T00:00:00Z", + "ordinal": 5 + } + ], + "document_notes": { + "note": [ + "The Red Hat Build of OpenJDK 11 (java-11-openjdk) is now available for Windows.\nRed Hat Product Security has rated this update as having a security impact of Important. 
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", + "The OpenJDK 11 packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit.\nThis release of the Red Hat build of OpenJDK 11 (11.0.15) for Windows serves as a replacement for the Red Hat build of OpenJDK 11 (11.0.14) and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.\nSecurity Fix(es):\n* OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) (CVE-2022-21426)\n* OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) (CVE-2022-21443)\n* OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)\n* OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008) (CVE-2022-21476)\n* OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", + "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original." + ] + }, + "document_type": "Security Advisory" + } +} \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/redhat/bugzilla-2075788.json b/vulnerabilities/tests/test_data/redhat/bugzilla-2075788.json new file mode 100644 index 000000000..82247d0a2 --- /dev/null +++ b/vulnerabilities/tests/test_data/redhat/bugzilla-2075788.json 
@@ -0,0 +1,176 @@ +{ + "bugs" : [ + { + "alias" : [ + "CVE-2022-21426" + ], + "assigned_to" : "Red Hat Product Security", + "assigned_to_detail" : { + "email" : "security-response-team", + "id" : 164808, + "name" : "security-response-team", + "real_name" : "Red Hat Product Security" + }, + "blocks" : [ + 2073424 + ], + "cc" : [ + "Andrew John Hughes", + "Chess Hazlett", + "dfitzmau", + "Jonathan Dowland", + "Jonathan Christison", + "jiri vanek", + "Nicole Baratta", + "Mario Torre", + "Paramvir jindal", + "Red Hat Product Security", + "Sangeeta Raghu Punnadi" + ], + "cc_detail" : [ + { + "email" : "ahughes", + "id" : 271596, + "name" : "ahughes", + "real_name" : "Andrew John Hughes" + }, + { + "email" : "chazlett", + "id" : 353328, + "name" : "chazlett", + "real_name" : "Chess Hazlett" + }, + { + "email" : "dfitzmau", + "id" : 443232, + "name" : "dfitzmau", + "real_name" : "" + }, + { + "email" : "jdowland", + "id" : 378860, + "name" : "jdowland", + "real_name" : "Jonathan Dowland" + }, + { + "email" : "jochrist", + "id" : 378104, + "name" : "jochrist", + "real_name" : "Jonathan Christison" + }, + { + "email" : "jvanek", + "id" : 301543, + "name" : "jvanek", + "real_name" : "jiri vanek" + }, + { + "email" : "nengard", + "id" : 399494, + "name" : "nengard", + "real_name" : "Nicole Baratta" + }, + { + "email" : "neugens", + "id" : 327997, + "name" : "neugens", + "real_name" : "Mario Torre" + }, + { + "email" : "pjindal", + "id" : 360071, + "name" : "pjindal", + "real_name" : "Paramvir jindal" + }, + { + "email" : "security-response-team", + "id" : 164808, + "name" : "security-response-team", + "real_name" : "Red Hat Product Security" + }, + { + "email" : "sraghupu", + "id" : 442010, + "name" : "sraghupu", + "real_name" : "Sangeeta Raghu Punnadi" + } + ], + "cf_clone_of" : null, + "cf_doc_type" : "If docs needed, set a value", + "cf_environment" : "", + "cf_fixed_in" : "", + "cf_last_closed" : "2022-04-28T23:15:16Z", + "cf_release_notes" : "", + "classification" : 
"Other", + "component" : [ + "vulnerability" + ], + "creation_time" : "2022-04-15T10:50:05Z", + "creator" : "Mauro Matteo Cascella", + "creator_detail" : { + "email" : "mcascell", + "id" : 441861, + "name" : "mcascell", + "real_name" : "Mauro Matteo Cascella" + }, + "deadline" : null, + "depends_on" : [ + 2073577, + 2073578, + 2073579, + 2073593, + 2073594, + 2073595, + 2074646, + 2074649, + 2074650, + 2073575, + 2073576, + 2073587, + 2073589, + 2073590, + 2073591, + 2073592, + 2073601, + 2074639, + 2074641, + 2074642, + 2074643, + 2074644, + 2074645 + ], + "docs_contact" : "", + "dupe_of" : null, + "groups" : [], + "id" : 2075788, + "is_cc_accessible" : true, + "is_confirmed" : true, + "is_creator_accessible" : true, + "is_open" : false, + "keywords" : [ + "Security" + ], + "last_change_time" : "2022-05-09T14:02:55Z", + "op_sys" : "Linux", + "platform" : "All", + "priority" : "medium", + "product" : "Security Response", + "qa_contact" : "", + "resolution" : "ERRATA", + "see_also" : [], + "severity" : "medium", + "status" : "CLOSED", + "summary" : "CVE-2022-21426 OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)", + "target_milestone" : "---", + "target_release" : [ + "---" + ], + "url" : "", + "version" : [ + "unspecified" + ], + "whiteboard" : "" + } + ], + "faults" : [] +} \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/redhat/bugzilla-2077736.json b/vulnerabilities/tests/test_data/redhat/bugzilla-2077736.json new file mode 100644 index 000000000..136a5fe10 --- /dev/null +++ b/vulnerabilities/tests/test_data/redhat/bugzilla-2077736.json 
@@ -0,0 +1,201 @@ +{ + "bugs" : [ + { + "alias" : [ + "CVE-2022-24272" + ], + "assigned_to" : "Red Hat Product Security", + "assigned_to_detail" : { + "email" : "security-response-team", + "id" : 164808, + "name" : "security-response-team", + "real_name" : "Red Hat Product Security" + }, + "blocks" : [ + 2077737 + ], + "cc" : [ + "amctagga", + "Brad Buckingham", + "Barnaby Court", + "Bryan Kearney", + "Bryan Totty", + "Eric Helms", + "Eran Tamir", + "Justin Sherrill", + "Lukas Zapletal", + "Marek Hulan", + "Mike McCune", + "mark yarborough", + "Nimrod Becker", + "Nikos Moumoulidis", + "OpenShift Container Storage bugs", + "orabin", + "Patrick Creech", + "Robin Chan" + ], + "cc_detail" : [ + { + "email" : "amctagga", + "id" : 449751, + "name" : "amctagga", + "real_name" : "" + }, + { + "email" : "bbuckingham", + "id" : 261736, + "name" : "bbuckingham", + "real_name" : "Brad Buckingham" + }, + { + "email" : "bcourt", + "id" : 355916, + "name" : "bcourt", + "real_name" : "Barnaby Court" + }, + { + "email" : "bkearney", + "id" : 196330, + "name" : "bkearney", + "real_name" : "Bryan Kearney" + }, + { + "email" : "btotty", + "id" : 335894, + "name" : "btotty", + "real_name" : "Bryan Totty" + }, + { + "email" : "ehelms", + "id" : 314605, + "name" : "ehelms", + "real_name" : "Eric Helms" + }, + { + "email" : "etamir", + "id" : 433931, + "name" : "etamir", + "real_name" : "Eran Tamir" + }, + { + "email" : "jsherril", + "id" : 179073, + "name" : "jsherril", + "real_name" : "Justin Sherrill" + }, + { + "email" : "lzap", + "id" : 303294, + "name" : "lzap", + "real_name" : "Lukas Zapletal" + }, + { + "email" : "mhulan", + "id" : 342559, + "name" : "mhulan", + "real_name" : "Marek Hulan" + }, + { + "email" : "mmccune", + "id" : 161152, + "name" : "mmccune", + "real_name" : "Mike McCune" + }, + { + "email" : "myarboro", + "id" : 209117, + "name" : "myarboro", + "real_name" : "mark yarborough" + }, + { + "email" : "nbecker", + "id" : 434785, + "name" : "nbecker", + "real_name" : 
"Nimrod Becker" + }, + { + "email" : "nmoumoul", + "id" : 414156, + "name" : "nmoumoul", + "real_name" : "Nikos Moumoulidis" + }, + { + "email" : "ocs-bugs", + "id" : 436653, + "name" : "ocs-bugs", + "real_name" : "OpenShift Container Storage bugs" + }, + { + "email" : "orabin", + "id" : 368399, + "name" : "orabin", + "real_name" : "" + }, + { + "email" : "pcreech", + "id" : 390536, + "name" : "pcreech", + "real_name" : "Patrick Creech" + }, + { + "email" : "rchan", + "id" : 412819, + "name" : "rchan", + "real_name" : "Robin Chan" + } + ], + "cf_clone_of" : null, + "cf_doc_type" : "If docs needed, set a value", + "cf_environment" : "", + "cf_fixed_in" : "", + "cf_last_closed" : "2022-05-09T20:15:38Z", + "cf_release_notes" : "", + "classification" : "Other", + "component" : [ + "vulnerability" + ], + "creation_time" : "2022-04-22T04:42:53Z", + "creator" : "Sandipan Roy", + "creator_detail" : { + "email" : "saroy", + "id" : 464724, + "name" : "saroy", + "real_name" : "Sandipan Roy" + }, + "deadline" : null, + "depends_on" : [], + "docs_contact" : "", + "dupe_of" : null, + "groups" : [], + "id" : 2077736, + "is_cc_accessible" : true, + "is_confirmed" : true, + "is_creator_accessible" : true, + "is_open" : false, + "keywords" : [ + "Security" + ], + "last_change_time" : "2022-05-09T20:15:38Z", + "op_sys" : "Linux", + "platform" : "All", + "priority" : "medium", + "product" : "Security Response", + "qa_contact" : "", + "resolution" : "WONTFIX", + "see_also" : [], + "severity" : "medium", + "status" : "CLOSED", + "summary" : "CVE-2022-24272 mongodb: authenticated user may trigger an invariant assertion during command dispatch due to incorrect validation on the $external database", + "target_milestone" : "---", + "target_release" : [ + "---" + ], + "url" : "", + "version" : [ + "unspecified" + ], + "whiteboard" : "" + } + ], + "faults" : [] + } \ No newline at end of file 
diff --git a/vulnerabilities/tests/test_data/redhat/redhat-expected.json b/vulnerabilities/tests/test_data/redhat/redhat-expected.json new file mode 100644 index 000000000..34ffbffcb --- /dev/null +++ b/vulnerabilities/tests/test_data/redhat/redhat-expected.json 
@@ -0,0 +1,245 @@ +[ + { + "aliases": [ + "CVE-2022-24272" + ], + "summary": "CVE-2022-24272 mongodb: authenticated user may trigger an invariant assertion during command dispatch due to incorrect validation on the $external database", + "affected_packages": [], + "references": [ + { + "reference_id": 2077736, + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2077736", + "severities": [ + { + "system": "rhbs", + "value": "medium" + } + ] + }, + { + "reference_id": "", + "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-24272.json", + "severities": [ + { + "system": "cvssv3", + "value": 6.3 + }, + { + "system": "cvssv3_vector", + "value": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N" + } + ] + } + ], + "date_published": null + }, + { + "aliases": [ + "CVE-2022-21426" + ], + "summary": "CVE-2022-21426 OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)", + "affected_packages": [ + { + "package": { + "type": "rpm", + "namespace": "redhat", + "name": "java-11-openjdk", + "version": null, + "qualifiers": { + "arch": "el8_1" + }, + "subpath": null + }, + "affected_version_range": "vers:rpm/1:11.0.15.0.9-2", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "redhat", + "name": "java-11-openjdk", + "version": null, + "qualifiers": { + "arch": "el8_2" + }, + "subpath": null + }, + "affected_version_range": "vers:rpm/1:11.0.15.0.9-2", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "redhat", + "name": "java-11-openjdk", + "version": null, + "qualifiers": { + "arch": "el7_9" + }, + "subpath": null + }, + "affected_version_range": "vers:rpm/1:11.0.15.0.9-2", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "redhat", + "name": "java-11-openjdk", + "version": null, + "qualifiers": { + "arch": "el8_5" + }, + "subpath": null + }, + "affected_version_range": "vers:rpm/1:11.0.15.0.9-2", + "fixed_version": null + }, + { + 
"package": { + "type": "rpm", + "namespace": "redhat", + "name": "java-1.8.0-openjdk", + "version": null, + "qualifiers": { + "arch": "el8_5" + }, + "subpath": null + }, + "affected_version_range": "vers:rpm/1:1.8.0.332.b09-1", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "redhat", + "name": "java-11-openjdk", + "version": null, + "qualifiers": { + "arch": "el8_4" + }, + "subpath": null + }, + "affected_version_range": "vers:rpm/1:11.0.15.0.9-2", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "redhat", + "name": "java-1.8.0-openjdk", + "version": null, + "qualifiers": { + "arch": "el7_9" + }, + "subpath": null + }, + "affected_version_range": "vers:rpm/1:1.8.0.332.b09-1", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "redhat", + "name": "java-1.8.0-openjdk", + "version": null, + "qualifiers": { + "arch": "el8_1" + }, + "subpath": null + }, + "affected_version_range": "vers:rpm/1:1.8.0.332.b09-1", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "redhat", + "name": "java-1.8.0-openjdk", + "version": null, + "qualifiers": { + "arch": "el8_2" + }, + "subpath": null + }, + "affected_version_range": "vers:rpm/1:1.8.0.332.b09-1", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "redhat", + "name": "java-17-openjdk", + "version": null, + "qualifiers": { + "arch": "el8_5" + }, + "subpath": null + }, + "affected_version_range": "vers:rpm/1:17.0.3.0.6-2", + "fixed_version": null + }, + { + "package": { + "type": "rpm", + "namespace": "redhat", + "name": "java-1.8.0-openjdk", + "version": null, + "qualifiers": { + "arch": "el8_4" + }, + "subpath": null + }, + "affected_version_range": "vers:rpm/1:1.8.0.332.b09-1", + "fixed_version": null + } + ], + "references": [ + { + "reference_id": 2075788, + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2075788", + "severities": [ + { + "system": "rhbs", + "value": 
"medium" + } + ] + }, + { + "reference_id": "RHSA-2022:1439", + "url": "https://access.redhat.com/errata/RHSA-2022:1439", + "severities": [ + { + "system": "rhas", + "value": "Important" + } + ] + }, + { + "reference_id": "RHSA-2022:1437", + "url": "https://access.redhat.com/errata/RHSA-2022:1437", + "severities": [ + { + "system": "rhas", + "value": "Important" + } + ] + }, + { + "reference_id": "", + "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-21426.json", + "severities": [ + { + "system": "cvssv3", + "value": 5.3 + }, + { + "system": "cvssv3_vector", + "value": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ] + } + ], + "date_published": null + } +] \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/redhat/redhat-input.json b/vulnerabilities/tests/test_data/redhat/redhat-input.json new file mode 100644 index 000000000..7e85278d9 --- /dev/null +++ b/vulnerabilities/tests/test_data/redhat/redhat-input.json 
@@ -0,0 +1,49 @@ +[ + { + "CVE": "CVE-2022-24272", + "severity": "moderate", + "public_date": "2022-04-21T00:00:00Z", + "advisories": [], + "bugzilla": 2077736, + "bugzilla_description": "CVE-2022-24272 mongodb: authenticated user may trigger an invariant assertion during command dispatch due to incorrect validation on the $external database", + "cvss_score": null, + "cvss_scoring_vector": null, + "CWE": null, + "affected_packages": [], + "resource_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-24272.json", + "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N", + "cvss3_score": 6.3 + }, + { + "CVE": "CVE-2022-21426", + "severity": "moderate", + "public_date": "2022-04-19T20:00:00Z", + "advisories": [ + "RHSA-2022:1439", + "RHSA-2022:1437" + ], + "bugzilla": 2075788, + "bugzilla_description": "CVE-2022-21426 OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)", + "cvss_score": null, + "cvss_scoring_vector": null, + "CWE": "CWE-400", + "affected_packages": [ + "java-11-openjdk-1:11.0.15.0.9-2.el8_1", + "java-11-openjdk-1:11.0.15.0.9-2.el8_2", + "java-11-openjdk-1:11.0.15.0.9-2.el7_9", + "Windows", + "java-11-openjdk-1:11.0.15.0.9-2.el8_5", + "java-1.8.0-openjdk-1:1.8.0.332.b09-1.el8_5", + "java-11-openjdk-1:11.0.15.0.9-2.el8_4", + "java-1.8.0-openjdk-1:1.8.0.332.b09-1.el7_9", + "java-1.8.0-openjdk-1:1.8.0.332.b09-1.el8_1", + "java-1.8.0-openjdk-1:1.8.0.332.b09-1.el8_2", + "Linux", + "java-17-openjdk-1:17.0.3.0.6-2.el8_5", + "java-1.8.0-openjdk-1:1.8.0.332.b09-1.el8_4" + ], + "resource_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-21426.json", + "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cvss3_score": 5.3 + } +] \ No newline at end of file diff --git a/vulnerabilities/tests/test_redhat_importer.py b/vulnerabilities/tests/test_redhat_importer.py index caff9b3d6..005214fed 100644 --- a/vulnerabilities/tests/test_redhat_importer.py 
+++ b/vulnerabilities/tests/test_redhat_importer.py 
@@ -17,130 +17,57 @@ # OR CONDITIONS OF ANY KIND, either express or implied. No content created from # VulnerableCode should be considered or used as legal advice. Consult an Attorney # for any legal advice. -# VulnerableCode is a free software code scanning tool from nexB Inc. and others. +# VulnerableCode is a free software code from nexB Inc. and others. # Visit https://github.com/nexB/vulnerablecode/ for support and download. import json import os -import unittest +from unittest.mock import patch from packageurl import PackageURL -import vulnerabilities.importers.redhat as redhat -from vulnerabilities import severity_systems -from vulnerabilities.helpers import AffectedPackage -from vulnerabilities.importer import AdvisoryData -from vulnerabilities.importer import Reference -from vulnerabilities.importer import VulnerabilitySeverity +from vulnerabilities.importers import redhat +from vulnerabilities.tests import util_tests BASE_DIR = os.path.dirname(os.path.abspath(__file__)) -TEST_DATA = os.path.join(BASE_DIR, "test_data/", "redhat.json") +TEST_DATA = os.path.join(BASE_DIR, "test_data", "redhat") -def load_test_data(): - with open(TEST_DATA) as f: - return json.load(f) +def test_rpm_to_purl(): + assert redhat.rpm_to_purl("foobar", "redhat") is None + assert redhat.rpm_to_purl("foo-bar-devel-0:sys76", "redhat") is None + assert redhat.rpm_to_purl("kernel-0:2.6.32-754.el6", "redhat") == PackageURL( + type="rpm", + namespace="redhat", + name="kernel", + version="2.6.32-754", + qualifiers={"arch": "el6"}, + ) -class TestRedhat(unittest.TestCase): - def test_rpm_to_purl(self): +@patch("vulnerabilities.importers.redhat.fetch_list_of_cves") +@patch("vulnerabilities.importers.redhat.get_rhsa_data") +@patch("vulnerabilities.importers.redhat.get_bugzilla_data") +def test_redhat_importer(bugzilla, rhsa, fetcher): + redhat_importer = redhat.RedhatImporter() + response_file = os.path.join(TEST_DATA, f"redhat-input.json") - assert redhat.rpm_to_purl("foobar") is None - 
assert redhat.rpm_to_purl("foo-bar-devel-0:sys76") is None - assert redhat.rpm_to_purl("kernel-0:2.6.32-754.el6") == PackageURL( - type="rpm", - namespace="redhat", - name="kernel", - version="2.6.32-754.el6", - ) - - def test_to_advisory(self): - data = load_test_data() - expected_advisories = [ - AdvisoryData( - summary="CVE-2016-9401 bash: popd controlled free", - vulnerability_id="CVE-2016-9401", - affected_packages=[ - AffectedPackage( - vulnerable_package=PackageURL( - type="rpm", - namespace="redhat", - name="bash", - version="4.1.2-48.el6", - ), - patched_package=None, - ), - AffectedPackage( - vulnerable_package=PackageURL( - type="rpm", - namespace="redhat", - name="bash", - version="4.2.46-28.el7", - ), - patched_package=None, - ), - ], - references=[ - Reference( - reference_id="", - url="https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-9401.json", - severities=[ - VulnerabilitySeverity( - system=severity_systems.CVSSV3, - value="3.3", - ), - VulnerabilitySeverity( - system=severity_systems.CVSSV3_VECTOR, - value="CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", - ), - ], - ), - Reference( - reference_id="1396383", - url="https://bugzilla.redhat.com/show_bug.cgi?id=1396383", - severities=[ - VulnerabilitySeverity( - system=severity_systems.REDHAT_BUGZILLA, - value=2.0, - ) - ], - ), - Reference( - reference_id="RHSA-2017:0725", - url="https://access.redhat.com/errata/RHSA-2017:0725", - severities=[ - VulnerabilitySeverity( - system=severity_systems.REDHAT_AGGREGATE, - value=2.2, - ) - ], - ), - Reference( - reference_id="RHSA-2017:1931", - url="https://access.redhat.com/errata/RHSA-2017:1931", - severities=[ - VulnerabilitySeverity( - system=severity_systems.REDHAT_AGGREGATE, - value=2.2, - ) - ], - ), - ], - ) - ] - found_advisories = [] - mock_resp = unittest.mock.MagicMock() - mock_resp.json = lambda: { - "bugs": [{"severity": 2.0}], - "cvrfdoc": {"aggregate_severity": 2.2}, - } - for adv in data: - with unittest.mock.patch( - 
"vulnerabilities.importers.redhat.requests_session.get", return_value=mock_resp - ): - adv = redhat.to_advisory(adv) - found_advisories.append(adv) - - found_advisories = list(map(AdvisoryData.normalized, found_advisories)) - expected_advisories = list(map(AdvisoryData.normalized, expected_advisories)) - assert sorted(found_advisories) == sorted(expected_advisories) + with open(response_file) as f: + fetcher.return_value = [json.load(f)] + bugzilla_2075788_response_file = os.path.join(TEST_DATA, f"bugzilla-2075788.json") + bugzilla_2077736_response_file = os.path.join(TEST_DATA, f"bugzilla-2077736.json") + bugzilla.side_effect = [ + json.load(open(bugzilla_2075788_response_file)), + json.load(open(bugzilla_2077736_response_file)), + ] + rhsa_1437 = os.path.join(TEST_DATA, f"RHSA-2022:1437.json") + rhsa_1439 = os.path.join(TEST_DATA, f"RHSA-2022:1439.json") + rhsa.side_effect = [ + json.load(open(rhsa_1437)), + json.load(open(rhsa_1439)), + ] + print(fetcher.return_value) + expected_file = os.path.join(TEST_DATA, f"redhat-expected.json") + imported_data = list(redhat_importer.advisory_data()) + result = [data.to_dict() for data in imported_data] + util_tests.check_results_against_json(result, expected_file)
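Review bot: The four `json.load(open(...))` calls in test_redhat_importer leave their file handles open for the garbage collector (pytest reports these as ResourceWarning), and `print(fetcher.return_value)` reads as leftover debugging output; a small `load_json` helper that opens with `with` removes both and also drops the placeholder-free f-strings such as `f"redhat-input.json"`. Separately, the list given to `bugzilla.side_effect` serves bugzilla-2075788 first although the first entry of redhat-input.json refers to bugzilla 2077736, and `rhsa.side_effect` serves RHSA-2022:1437 first although the advisories list reads `["RHSA-2022:1439", "RHSA-2022:1437"]`; if the importer calls `get_bugzilla_data` and `get_rhsa_data` in input order, the fixtures are swapped, and the test cannot notice because both bugzilla fixtures carry severity `"medium"` and both RHSA fixtures carry `"Important"`. Keying each side effect on the requested id (or giving the paired fixtures distinct severities) would make the mapping verifiable; the exact keyword to dispatch on depends on the signatures of those two helpers, which are outside this hunk.
```python
def load_json(name):
    """Return the parsed fixture TEST_DATA/<name>, closing the file handle."""
    with open(os.path.join(TEST_DATA, name)) as f:
        return json.load(f)


# … unchanged: @patch decorators and test_redhat_importer signature …
    redhat_importer = redhat.RedhatImporter()
    fetcher.return_value = [load_json("redhat-input.json")]
    # Order must follow the order in which the importer requests the ids;
    # both fixtures currently have the same severity, so a swap is not detected.
    bugzilla.side_effect = [
        load_json("bugzilla-2075788.json"),
        load_json("bugzilla-2077736.json"),
    ]
    rhsa.side_effect = [
        load_json("RHSA-2022:1437.json"),
        load_json("RHSA-2022:1439.json"),
    ]
    expected_file = os.path.join(TEST_DATA, "redhat-expected.json")
    # … unchanged: advisory_data() call and check_results_against_json …
```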