Merge branch 'main' into dependabot/pip/gitpython-3.1.30

Author: TG1999

vulnerabilities/importers/__init__.py

@@ -31,6 +31,8 @@
 from vulnerabilities.importers import retiredotnet
 from vulnerabilities.importers import suse_scores
 from vulnerabilities.importers import ubuntu
+from vulnerabilities.importers import ubuntu_usn
+from vulnerabilities.importers import xen
 
 IMPORTERS_REGISTRY = [
     nginx.NginxImporter,
@@ -57,6 +59,8 @@
     suse_scores.SUSESeverityScoreImporter,
     elixir_security.ElixirSecurityImporter,
     apache_tomcat.ApacheTomcatImporter,
+    xen.XenImporter,
+    ubuntu_usn.UbuntuUSNImporter,
 ]
 
 IMPORTERS_REGISTRY = {x.qualified_name: x for x in IMPORTERS_REGISTRY}

vulnerabilities/importers/istio.py

@@ -6,13 +6,20 @@
 # See https://github.com/nexB/vulnerablecode for support or download.
 # See https://aboutcode.org for more information about nexB OSS projects.
 #
+import logging
 import re
+from datetime import datetime
 from pathlib import Path
+from typing import Iterable
+from typing import List
+from typing import Mapping
+from typing import Optional
 from typing import Set
 
 import pytz
 import saneyaml
 from dateutil import parser
+from django.db.models.query import QuerySet
 from packageurl import PackageURL
 from univers.version_constraint import VersionConstraint
 from univers.version_range import GitHubVersionRange
@@ -23,10 +30,22 @@
 from vulnerabilities.importer import AffectedPackage
 from vulnerabilities.importer import Importer
 from vulnerabilities.importer import Reference
+from vulnerabilities.importer import UnMergeablePackageError
+from vulnerabilities.improver import Improver
+from vulnerabilities.improver import Inference
+from vulnerabilities.models import Advisory
+from vulnerabilities.package_managers import GitHubTagsAPI
+from vulnerabilities.package_managers import VersionAPI
+from vulnerabilities.utils import AffectedPackage as LegacyAffectedPackage
+from vulnerabilities.utils import get_affected_packages_by_patched_package
+from vulnerabilities.utils import nearest_patched_package
+from vulnerabilities.utils import resolve_version_range
 from vulnerabilities.utils import split_markdown_front_matter
 
 is_release = re.compile(r"^[\d.]+$", re.IGNORECASE).match
 
+logger = logging.getLogger(__name__)
+
 
 class IstioImporter(Importer):
     spdx_license_expression = "Apache-2.0"
@@ -136,3 +155,70 @@ def get_data_from_md(self, path):
         with open(path) as f:
             front_matter, _ = split_markdown_front_matter(f.read())
             return saneyaml.load(front_matter)
+
+
+class IstioImprover(Improver):
+    def __init__(self) -> None:
+        self.versions_fetcher_by_purl: Mapping[str, VersionAPI] = {}
+        self.vesions_by_purl = {}
+
+    @property
+    def interesting_advisories(self) -> QuerySet:
+        return Advisory.objects.filter(created_by=IstioImporter.qualified_name)
+
+    def get_package_versions(
+        self, package_url: PackageURL, until: Optional[datetime] = None
+    ) -> List[str]:
+        """
+        Return a list of `valid_versions` for the `package_url`
+        """
+        api_name = "istio/istio"
+        versions_fetcher = GitHubTagsAPI()
+        return versions_fetcher.get_until(package_name=api_name, until=until).valid_versions
+
+    def get_inferences(self, advisory_data: AdvisoryData) -> Iterable[Inference]:
+        """
+        Yield Inferences for the given advisory data
+        """
+        if not advisory_data.affected_packages:
+            return
+        for affected_package in advisory_data.affected_packages:
+            purl = affected_package.package
+            affected_version_range = affected_package.affected_version_range
+            pkg_type = purl.type
+            pkg_namespace = purl.namespace
+            pkg_name = purl.name
+            if not self.vesions_by_purl.get("istio/istio"):
+                valid_versions = self.get_package_versions(
+                    package_url=purl, until=advisory_data.date_published
+                )
+                self.vesions_by_purl["istio/istio"] = valid_versions
+            valid_versions = self.vesions_by_purl["istio/istio"]
+            aff_vers, unaff_vers = resolve_version_range(
+                affected_version_range=affected_version_range,
+                package_versions=valid_versions,
+            )
+            affected_purls = [
+                PackageURL(type=pkg_type, namespace=pkg_namespace, name=pkg_name, version=version)
+                for version in aff_vers
+            ]
+
+            unaffected_purls = [
+                PackageURL(type=pkg_type, namespace=pkg_namespace, name=pkg_name, version=version)
+                for version in unaff_vers
+            ]
+
+            affected_packages: List[LegacyAffectedPackage] = nearest_patched_package(
+                vulnerable_packages=affected_purls, resolved_packages=unaffected_purls
+            )
+
+            for (
+                fixed_package,
+                affected_packages,
+            ) in get_affected_packages_by_patched_package(affected_packages).items():
+                yield Inference.from_advisory_data(
+                    advisory_data,
+                    confidence=100,  # We are getting all valid versions to get this inference
+                    affected_purls=affected_packages,
+                    fixed_purl=fixed_package,
+                )

vulnerabilities/importers/safety_db.py

@@ -19,8 +19,48 @@
 
 
 class UbuntuImporter(OvalImporter):
-    spdx_license_expression = "GPL"
-    license_url = "https://ubuntu.com/legal/terms"
+    spdx_license_expression = "LicenseRef-scancode-other-permissive"
+    notice = """
+    From: Seth Arnold <seth.arnold@canonical.com>
+    Date: Wed, Jan 25, 2023 at 2:02 AM
+    Subject: Re: [ubuntu-hardened] Usage of Ubuntu Security Data in VulnerableCode
+    To: Tushar Goel <tushar.goel.dav@gmail.com>
+    Cc: <ubuntu-hardened@lists.ubuntu.com>, Philippe Ombredanne <pombredanne@nexb.com>, jmhoran@nexb.com <jmhoran@nexb.com>
+    
+    
+    On Wed, Jan 11, 2023 at 06:27:38PM +0530, Tushar Goel wrote:
+    > We would like to integrate the Ubuntu usn data[1][2] and
+    > Ubuntu security data (OVAL format)[3] in vulnerablecode[4]
+    > which is a FOSS db of FOSS vulnerability data. We were not
+    > able to know under which license this security data comes.
+    > We would be grateful to have your acknowledgement over usage of
+    > the ubuntu security data in vulnerablecode and have
+    > some kind of licensing declaration from your side.
+    
+    Hello Tushar, we do not have an explicit license on this data.
+    
+    We share our data with the intention that others will use it. Please
+    feel free to use it for the general furtherance of security.
+    
+    Much of the data that's contained within our databases is sourced from
+    third parties, who also shared their data with the intention that others
+    will use it. I'm not sure what it would look like to try to put a license
+    on data that is crowd-sourced from thousands of contributors. (If you were
+    to start such a project today, it'd probably be one of the first things to
+    formalize. But when CVE was started two decades ago, the primary goal was
+    sharing knowledge and simplifying the vulnerability remediation process,
+    and licensing the data was, as far as I can remember, not considered.
+    Sharing was the goal.)
+    
+    I will ask that vulnerablecode 'be nice' to our infrastructure that
+    hosts the databases -- some automated uses of our infrastructure by
+    vulnerability scanner tools has lead to significant load and engineering
+    effort. In general, please prefer a small handful of systems updating
+    mirrors roughly twice a day rather than thousands of hosts pulling
+    data hourly.
+    
+    Thanks
+    """
 
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)