Migrate Istio importer

Signed-off-by: Tushar Goel <tushar.goel.dav@gmail.com>

Author: TG1999

vulnerabilities/importers/__init__.py

@@ -47,6 +47,7 @@
     elixir_security_importer as elixir_security_importer_v2,
 )
 from vulnerabilities.pipelines.v2_importers import gitlab_importer as gitlab_importer_v2
+from vulnerabilities.pipelines.v2_importers import istio_importer as istio_importer_v2
 from vulnerabilities.pipelines.v2_importers import npm_importer as npm_importer_v2
 from vulnerabilities.pipelines.v2_importers import nvd_importer as nvd_importer_v2
 from vulnerabilities.pipelines.v2_importers import oss_fuzz as oss_fuzz_v2
@@ -69,6 +70,7 @@
         xen_importer_v2.XenImporterPipeline,
         curl_importer_v2.CurlImporterPipeline,
         oss_fuzz_v2.OSSFuzzImporterPipeline,
+        istio_importer_v2.IstioImporterPipeline,
         nvd_importer.NVDImporterPipeline,
         github_importer.GitHubAPIImporterPipeline,
         gitlab_importer.GitLabImporterPipeline,

vulnerabilities/pipelines/v2_importers/curl_importer.py

@@ -37,6 +37,7 @@ class CurlImporterPipeline(VulnerableCodeBaseImporterPipelineV2):
     license_url = "https://curl.se/docs/copyright.html"
     repo_url = "https://github.com/curl/curl-www/"
     url = "https://curl.se/docs/vuln.json"
+    unfurl_version_ranges = True
 
     @classmethod
     def steps(cls):

vulnerabilities/pipelines/v2_importers/istio_importer.py

@@ -0,0 +1,170 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+import re
+from pathlib import Path
+from typing import Iterable
+from typing import List
+
+import pytz
+import saneyaml
+from dateutil import parser
+from fetchcode.vcs import fetch_via_vcs
+from packageurl import PackageURL
+from univers.version_constraint import VersionConstraint
+from univers.version_range import GitHubVersionRange
+from univers.version_range import GolangVersionRange
+from univers.versions import SemverVersion
+
+from vulnerabilities.importer import AdvisoryData
+from vulnerabilities.importer import AffectedPackage
+from vulnerabilities.importer import ReferenceV2
+from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipelineV2
+from vulnerabilities.utils import get_advisory_url
+from vulnerabilities.utils import split_markdown_front_matter
+
+is_release = re.compile(r"^[\d.]+$", re.IGNORECASE).match
+
+
+class IstioImporterPipeline(VulnerableCodeBaseImporterPipelineV2):
+    """
+    Importer for Istio.io security advisories.
+    """
+
+    pipeline_id = "istio_importer_v2"
+    spdx_license_expression = "Apache-2.0"
+    license_url = "https://github.com/istio/istio.io/blob/master/LICENSE"
+    repo_url = "git+https://github.com/istio/istio.io"
+    unfurl_version_ranges = True
+
+    @classmethod
+    def steps(cls):
+        return (
+            cls.clone,
+            cls.collect_and_store_advisories,
+            cls.clean_downloads,
+        )
+
+    def advisories_count(self) -> int:
+        base_path = Path(self.vcs_response.dest_dir)
+        advisories_dir = base_path / "content/en/news/security"
+        return sum(
+            1 for file in advisories_dir.rglob("*.md") if not file.name.endswith("_index.md")
+        )
+
+    def clone(self):
+        self.log(f"Cloning `{self.repo_url}`")
+        self.vcs_response = fetch_via_vcs(self.repo_url)
+
+    def collect_advisories(self) -> Iterable[AdvisoryData]:
+        base_path = Path(self.vcs_response.dest_dir)
+        advisories_dir = base_path / "content/en/news/security"
+
+        for md_file in advisories_dir.rglob("*.md"):
+            if md_file.name.endswith("_index.md"):
+                continue
+
+            data = self.parse_markdown(md_file)
+            advisory_url = get_advisory_url(
+                file=md_file,
+                base_path=base_path,
+                url="https://github.com/istio/istio.io/blob/master/",
+            )
+            published_date = data.get("publishdate")
+            release_date = (
+                parser.parse(published_date).replace(tzinfo=pytz.UTC) if published_date else None
+            )
+            constraints = self.get_version_constraints(data.get("releases", []))
+
+            cves = data.get("cves", [])
+
+            affected_packages = []
+            if constraints:
+                affected_packages.extend(
+                    [
+                        AffectedPackage(
+                            package=PackageURL(type="golang", namespace="istio.io", name="istio"),
+                            affected_version_range=GolangVersionRange(constraints=constraints),
+                        ),
+                        AffectedPackage(
+                            package=PackageURL(type="github", namespace="istio", name="istio"),
+                            affected_version_range=GitHubVersionRange(constraints=constraints),
+                        ),
+                    ]
+                )
+
+            title = data.get("title") or ""
+            summary = data.get("description") or ""
+            references = []
+            if title:
+                references.append(
+                    ReferenceV2(
+                        reference_id=title,
+                        url=f"https://istio.io/latest/news/security/{title}/",
+                    )
+                )
+
+            yield AdvisoryData(
+                advisory_id=title,
+                aliases=cves,
+                summary=summary,
+                affected_packages=affected_packages,
+                references_v2=references,
+                date_published=release_date,
+                url=advisory_url,
+                original_advisory_text=md_file.read_text(encoding="utf-8"),
+            )
+
+    def parse_markdown(self, path: Path) -> dict:
+        """Return a mapping of vulnerability data extracted from an advisory."""
+        text = path.read_text(encoding="utf-8")
+        front_matter, _ = split_markdown_front_matter(text)
+        return saneyaml.load(front_matter)
+
+    def get_version_constraints(self, releases: List[str]) -> List[VersionConstraint]:
+        constraints = []
+        for release in releases:
+            release = release.strip()
+
+            if "All releases prior" in release:
+                _, _, version = release.rpartition(" ")
+                constraints.append(
+                    VersionConstraint(version=SemverVersion(version), comparator="<")
+                )
+
+            elif "All releases" in release and "and later" in release:
+                version = release.replace("All releases", "").replace("and later", "").strip()
+                if is_release(version):
+                    constraints.append(
+                        VersionConstraint(version=SemverVersion(version), comparator=">=")
+                    )
+
+            elif "to" in release:
+                lower, _, upper = release.partition("to")
+                constraints.append(
+                    VersionConstraint(version=SemverVersion(lower.strip()), comparator=">=")
+                )
+                constraints.append(
+                    VersionConstraint(version=SemverVersion(upper.strip()), comparator="<=")
+                )
+
+            elif is_release(release):
+                constraints.append(
+                    VersionConstraint(version=SemverVersion(release), comparator="=")
+                )
+
+        return constraints
+
+    def clean_downloads(self):
+        if self.vcs_response:
+            self.log("Removing cloned repository")
+            self.vcs_response.delete()
+
+    def on_failure(self):
+        self.clean_downloads()

vulnerabilities/tests/pipelines/test_istio_importer_v2.py

@@ -0,0 +1,91 @@
+import tempfile
+from pathlib import Path
+from textwrap import dedent
+
+import pytest
+from packageurl import PackageURL
+from univers.version_constraint import VersionConstraint
+from univers.version_range import GitHubVersionRange
+from univers.version_range import GolangVersionRange
+from univers.versions import SemverVersion
+
+from vulnerabilities.importer import AdvisoryData
+from vulnerabilities.importer import AffectedPackage
+from vulnerabilities.importer import ReferenceV2
+from vulnerabilities.pipelines.v2_importers.istio_importer import IstioImporterPipeline
+
+
+@pytest.mark.django_db
+def test_istio_advisory_parsing():
+    sample_md = dedent(
+        """\
+        ---
+        title: ISTIO-SECURITY-2019-002
+        subtitle: Security Bulletin
+        description: Denial of service affecting JWT access token parsing.
+        cves: [CVE-2019-12995]
+        cvss: "7.5"
+        vector: "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C"
+        cvss_version: "3.0"
+        releases: ["1.0 to 1.0.8", "1.1 to 1.1.9", "1.2 to 1.2.1"]
+        publishdate: 2019-06-28
+        keywords: [CVE]
+        skip_seealso: true
+        aliases:
+            - /blog/2019/cve-2019-12995
+            - /news/2019/cve-2019-12995
+        ---
+
+        A bug in Istio’s JWT validation filter causes Envoy to crash...
+        """
+    )
+
+    with tempfile.TemporaryDirectory() as tmp_dir:
+        base_path = Path(tmp_dir)
+        advisory_dir = base_path / "content/en/news/security"
+        advisory_dir.mkdir(parents=True)
+        advisory_file = advisory_dir / "ISTIO-SECURITY-2019-002.md"
+        advisory_file.write_text(sample_md, encoding="utf-8")
+
+        importer = IstioImporterPipeline()
+        importer.vcs_response = type(
+            "FakeVCS", (), {"dest_dir": tmp_dir, "delete": lambda x: None}
+        )()
+
+        advisories = list(importer.collect_advisories())
+
+        assert len(advisories) == 1
+        advisory = advisories[0]
+
+        assert isinstance(advisory, AdvisoryData)
+        assert advisory.advisory_id == "ISTIO-SECURITY-2019-002"
+        assert advisory.aliases == ["CVE-2019-12995"]
+        assert advisory.summary.startswith("Denial of service affecting JWT access token")
+        assert advisory.date_published.isoformat() == "2019-06-28T00:00:00+00:00"
+        assert advisory.url.endswith("ISTIO-SECURITY-2019-002.md")
+        assert advisory.references_v2[0] == ReferenceV2(
+            reference_id="ISTIO-SECURITY-2019-002",
+            url="https://istio.io/latest/news/security/ISTIO-SECURITY-2019-002/",
+        )
+
+        expected_versions = [
+            VersionConstraint(version=SemverVersion("1.0"), comparator=">="),
+            VersionConstraint(version=SemverVersion("1.0.8"), comparator="<="),
+            VersionConstraint(version=SemverVersion("1.1"), comparator=">="),
+            VersionConstraint(version=SemverVersion("1.1.9"), comparator="<="),
+            VersionConstraint(version=SemverVersion("1.2"), comparator=">="),
+            VersionConstraint(version=SemverVersion("1.2.1"), comparator="<="),
+        ]
+
+        expected_packages = [
+            AffectedPackage(
+                package=PackageURL(type="golang", namespace="istio.io", name="istio"),
+                affected_version_range=GolangVersionRange(constraints=expected_versions),
+            ),
+            AffectedPackage(
+                package=PackageURL(type="github", namespace="istio", name="istio"),
+                affected_version_range=GitHubVersionRange(constraints=expected_versions),
+            ),
+        ]
+
+        assert advisory.affected_packages == expected_packages