From 20a750a80ec83c3c2f4311046aa287fa03145a2a Mon Sep 17 00:00:00 2001 From: ambuj Date: Tue, 27 Aug 2024 06:22:12 +0530 Subject: [PATCH 1/3] add-amazon-linux-advisories-initial-commit Signed-off-by: ambuj --- vulnerabilities/importers/amazon_linux.py | 219 ++++++++++++++++++ vulnerabilities/tests/test_amazon_linux.py | 33 +++ .../amazon_linux_advisory_test1.html | 130 +++++++++++ .../amazon_linux/amazon_linux_expected1.json | 0 4 files changed, 382 insertions(+) create mode 100644 vulnerabilities/importers/amazon_linux.py create mode 100644 vulnerabilities/tests/test_amazon_linux.py create mode 100644 vulnerabilities/tests/test_data/amazon_linux/amazon_linux_advisory_test1.html create mode 100644 vulnerabilities/tests/test_data/amazon_linux/amazon_linux_expected1.json diff --git a/vulnerabilities/importers/amazon_linux.py b/vulnerabilities/importers/amazon_linux.py new file mode 100644 index 000000000..94e58afa5 --- /dev/null +++ b/vulnerabilities/importers/amazon_linux.py 
@@ -0,0 +1,219 @@ +# +# +# Copyright (c) nexB Inc. and others. All rights reserved. +# VulnerableCode is a trademark of nexB Inc. +# SPDX-License-Identifier: Apache-2.0 +# See http://www.apache.org/licenses/LICENSE-2.0 for the license text. +# See https://github.com/nexB/vulnerablecode for support or download. +# See https://aboutcode.org for more information about nexB OSS projects. +# + +import logging +from datetime import datetime +from typing import Any +from typing import Iterable +from typing import List +from typing import Mapping +from typing import Optional +from urllib.parse import urljoin + +import pytz +from bs4 import BeautifulSoup +from packageurl import PackageURL +from univers.version_range import RpmVersionRange + +from vulnerabilities.importer import AdvisoryData +from vulnerabilities.importer import AffectedPackage +from vulnerabilities.importer import Importer +from vulnerabilities.importer import Reference +from vulnerabilities.importer import VulnerabilitySeverity +from vulnerabilities.references import WireSharkReference +from vulnerabilities.references import XsaReference +from vulnerabilities.references import ZbxReference +from vulnerabilities.severity_systems import SCORING_SYSTEMS +from vulnerabilities.utils import fetch_response +from vulnerabilities.utils import is_cve + +LOGGER = logging.getLogger(__name__) +BASE_URL = "https://alas.aws.amazon.com/" +other_url = "https://explore.alas.aws.amazon.com/{cve_id.json}" # use this in the url in code to get details for the specific cve. 
+ + +class AmazonLinuxImporter(Importer): + spdx_license_expression = "CC BY 4.0" # check if this is correct + license_url = " " # todo + + importer_name = "Amazon Linux Importer" + + def advisory_data(self) -> Iterable[AdvisoryData]: + amazon_linux_1_url = BASE_URL + "/index.html" + amazon_linux_2_url = BASE_URL + "/alas2.html" + amazon_linux_2023_url = BASE_URL + "/alas2023.html" + amazonlinux_advisories_pages = [ + amazon_linux_1_url, + amazon_linux_2_url, + amazon_linux_2023_url, + ] + alas_dict = {} + for amazonlinux_advisories_page in amazonlinux_advisories_pages: + alas_dict.update(fetch_alas_id_and_advisory_links(amazonlinux_advisories_page)) + + for alas_id, alas_url in alas_dict.items(): + # It iterates through alas_dict to get alas ids and alas url + if alas_id and alas_url: + alas_advisory_page_content = fetch_response(alas_url).content + yield process_advisory_data(alas_id, alas_advisory_page_content, alas_url) + + +def fetch_alas_id_and_advisory_links(page_url: str) -> dict[str, str]: + """ + Return a dictionary where 'ALAS' entries are the keys and + their corresponding advisory page links are the values. 
+ """ + + page_response_content = fetch_response(page_url).content + # Parse the HTML content + soup = BeautifulSoup(page_response_content, "html.parser") + alas_dict = {} + + if page_url == "https://alas.aws.amazon.com/index.html": + # Find all relevant ALAS links and their IDs + for row in soup.find_all("tr", id=True): + alas_id = row["id"] + link_tag = row.find("a", href=True) + if link_tag: + full_url = "https://alas.aws.amazon.com/" + link_tag["href"] + alas_dict[alas_id] = full_url + + elif page_url == "https://alas.aws.amazon.com/alas2.html": + # Find all relevant ALAS links and their IDs + for row in soup.find_all("tr", id=True): + alas_id = row["id"] + link_tag = row.find("a", href=True) + if link_tag: + full_url = "https://alas.aws.amazon.com/AL2" + link_tag["href"] + alas_dict[alas_id] = full_url + + else: + # Find all relevant ALAS links and their IDs + for row in soup.find_all("tr", id=True): + alas_id = row["id"] + link_tag = row.find("a", href=True) + if link_tag: + full_url = "https://alas.aws.amazon.com/AL2023/" + link_tag["href"] + alas_dict[alas_id] = full_url + return alas_dict + + +def process_advisory_data(alas_id, alas_advisory_page_content, alas_url) -> Optional[AdvisoryData]: + + soup = BeautifulSoup(alas_advisory_page_content, "html.parser") + aliases = [] + aliases.append(alas_id) + + # Find the advisory release date + release_date_span = next( + ( + span + for span in soup.find_all("span", class_="alas-info") + if "Advisory Release Date:" in span.get_text(strip=True) + ), + None, + ) + + release_date = ( + release_date_span.get_text(strip=True).split(":", 1)[1].strip() + if release_date_span + else None + ) + date_published = get_date_published(release_date) + + # Extract Issue Overview (all points of issue overviews texts) + issue_overview = [] + for p in soup.find("div", id="issue_overview").find_all("p"): + issue_overview.append(p.text.strip()) + summary = create_summary(issue_overview) + + # Extract Affected Packages (list of 
strings) + processed_affected_packages = [] + affected_packages_section = soup.find("div", id="affected_packages") + if affected_packages_section: + affected_packages = affected_packages_section.find_all("p") + affected_packages = [pkg.text.strip() for pkg in affected_packages] + + # getting new packages + new_packages_div = soup.find("div", id="new_packages") + + # Extract the text elements between
tags within this div + if new_packages_div: + new_packages_list = [ + element.strip() for element in new_packages_div.pre.stripped_strings if element.strip() + ] + else: + new_packages_list = [] + + for package in affected_packages: + purl = PackageURL(type="rpm", namespace="alas.aws.amazon", name=package) + # fixed_version = get_fixed_versions(new_packages_list) + processed_affected_packages.append( + AffectedPackage(package=purl, affected_version_range=None, fixed_version=None) + ) + + cve_list = [] + for link in soup.find("div", id="references").find_all("a", href=True): + if "CVE-" in link.text: + cve_list.append((link.text.strip(), "https://alas.aws.amazon.com" + link["href"])) + + references: List[Reference] = [] + for cve_id, cve_url in cve_list: + cve_json_url = f"https://explore.alas.aws.amazon.com/{cve_id}" + response = fetch_response(cve_json_url) + + # Parse the JSON data + cve_info = response.json() + severity_scores = cve_info.get("scores", []) + severity = [] + for score in severity_scores: + severity.append( + VulnerabilitySeverity( + system=SCORING_SYSTEMS[score.get("type", "").lower()], + value=score.get("score", ""), + scoring_elements=score.get("vector", ""), + ) + ) + references.append(Reference(reference_id=cve_id, url=cve_url, severities=severity)) + + url = alas_url + + return AdvisoryData( + aliases=aliases, + date_published=date_published, + summary=summary, + references=references, + affected_packages=processed_affected_packages, + url=url, + ) + + +def get_date_published(release_date_string): + + # Parse the date and time + date_part = release_date_string[:16] + time_zone = release_date_string[17:] + + # Convert to datetime object (naive) + naive_date = datetime.strptime(date_part, "%Y-%m-%d %H:%M") + + # Convert to aware datetime by adding the Pacific time zone + timezone = pytz.timezone("America/Los_Angeles") + date_published = timezone.localize(naive_date) + return date_published + + +def create_summary(summary_point: List): + summary 
= ". ".join(summary_point) + + # Add a period at the end if the final sentence doesn't end with one + if not summary.endswith("."): + summary += "." + return summary diff --git a/vulnerabilities/tests/test_amazon_linux.py b/vulnerabilities/tests/test_amazon_linux.py new file mode 100644 index 000000000..c5707b0e6 --- /dev/null +++ b/vulnerabilities/tests/test_amazon_linux.py @@ -0,0 +1,33 @@ +# +# Copyright (c) nexB Inc. and others. All rights reserved. +# VulnerableCode is a trademark of nexB Inc. +# SPDX-License-Identifier: Apache-2.0 +# See http://www.apache.org/licenses/LICENSE-2.0 for the license text. +# See https://github.com/nexB/vulnerablecode for support or download. +# See https://aboutcode.org for more information about nexB OSS projects. +# +import json +import os +from unittest import TestCase + +from bs4 import BeautifulSoup + +from vulnerabilities.importers.amazon_linux import process_advisory_data +from vulnerabilities.tests import util_tests + +BASE_DIR = os.path.dirname(os.path.abspath(__file__)) +TEST_DATA = os.path.join(BASE_DIR, "test_data/amazon_linux") + + +class TestAmazonLinuxImporter(TestCase): + def test_process_advisory_data1(self): + with open( + os.path.join(TEST_DATA, "amazon_linux_advisory_test1.html"), "r", encoding="utf-8" + ) as file: + html_content = file.read() + result = process_advisory_data( + "ALAS-2024-1943", html_content, "https://test-url.com/ALAS-2024-1943.html" + ).to_dict() + # expected_file = os.path.join(TEST_DATA, "github_osv_expected_1.json") + print(f"Output is {result}") + # util_tests.check_results_against_json(result, expected_file) diff --git a/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_advisory_test1.html b/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_advisory_test1.html new file mode 100644 index 000000000..682dd3cf8 --- /dev/null +++ b/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_advisory_test1.html 
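Review bot: In `advisory_data`, `BASE_URL + "/index.html"` yields `https://alas.aws.amazon.com//index.html` because `BASE_URL` already ends with a slash, and `fetch_alas_id_and_advisory_links` then compares the page URL against the single-slash literals, so neither the `index.html` nor the `alas2.html` branch ever matches and every listing falls into the `else` branch that prefixes `AL2023/`. Build the page URLs without the extra slash, e.g. `amazon_linux_1_url = BASE_URL + "index.html"`, and compare against those same constants instead of duplicated literals. The `href` values taken from the listing rows are concatenated into fetch URLs without checking that they are relative paths; a guard such as `if link_tag["href"].startswith(("http://", "https://", "//")): continue` keeps the importer from following off-host links should the page ever contain them. `process_advisory_data` is annotated `Optional[AdvisoryData]`, but `soup.find("div", id="issue_overview").find_all("p")` raises `AttributeError` when the div is absent rather than returning `None`.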
@@ -0,0 +1,130 @@ + + + + + + ALAS-2024-1943 + + + + + + + + + + + + + + + +
+ +
+
+
+

ALAS-2024-1943

+
+ +
+
+ + Amazon Linux 1 Security Advisory: ALAS-2024-1943 +
+ Advisory Release Date: 2024-07-03 21:01 Pacific
+ Advisory Updated Date: 2024-07-08 17:04 Pacific
+ +
+ Severity: + + + + + + Important
+
+ + + +
+
+ Issue Overview: +

In the Linux kernel, the following vulnerability has been resolved:

x86/kvm: Disable kvmclock on all CPUs on shutdown (CVE-2021-47110)

+
+ +
+
+ Affected Packages: +
+

kernel

+
+ +
+
+ Issue Correction: +
Run yum update kernel to update your system.
+
+
+ New Packages:
i686:
    kernel-debuginfo-4.14.348-187.565.amzn1.i686
    kernel-devel-4.14.348-187.565.amzn1.i686
    kernel-tools-devel-4.14.348-187.565.amzn1.i686
    kernel-headers-4.14.348-187.565.amzn1.i686
    perf-debuginfo-4.14.348-187.565.amzn1.i686
    kernel-debuginfo-common-i686-4.14.348-187.565.amzn1.i686
    kernel-tools-4.14.348-187.565.amzn1.i686
    perf-4.14.348-187.565.amzn1.i686
    kernel-4.14.348-187.565.amzn1.i686
    kernel-tools-debuginfo-4.14.348-187.565.amzn1.i686

src:
    kernel-4.14.348-187.565.amzn1.src

x86_64:
    kernel-devel-4.14.348-187.565.amzn1.x86_64
    kernel-tools-debuginfo-4.14.348-187.565.amzn1.x86_64
    kernel-4.14.348-187.565.amzn1.x86_64
    kernel-headers-4.14.348-187.565.amzn1.x86_64
    kernel-tools-4.14.348-187.565.amzn1.x86_64
    kernel-tools-devel-4.14.348-187.565.amzn1.x86_64
    kernel-debuginfo-common-x86_64-4.14.348-187.565.amzn1.x86_64
    perf-4.14.348-187.565.amzn1.x86_64
    kernel-debuginfo-4.14.348-187.565.amzn1.x86_64
    perf-debuginfo-4.14.348-187.565.amzn1.x86_64

+
+ +
+
+
+ + + + \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_expected1.json b/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_expected1.json new file mode 100644 index 000000000..e69de29bb From d148c12edde9d9fc17fc4b7a1b081b1882fb722b Mon Sep 17 00:00:00 2001 From: ambuj Date: Sun, 1 Sep 2024 04:40:32 +0530 Subject: [PATCH 2/3] add tests for amazon-linux Signed-off-by: ambuj --- vulnerabilities/importers/__init__.py | 2 + vulnerabilities/importers/amazon_linux.py | 97 ++++-- vulnerabilities/improvers/__init__.py | 1 + vulnerabilities/improvers/valid_versions.py | 6 + vulnerabilities/tests/test_amazon_linux.py | 30 +- .../amazon_linux_advisory_test2.html | 137 ++++++++ .../amazon_linux_advisory_test3.html | 130 +++++++ .../amazon_linux/amazon_linux_expected1.json | 290 ++++++++++++++++ .../amazon_linux/amazon_linux_expected2.json | 324 ++++++++++++++++++ .../amazon_linux/amazon_linux_expected3.json | 79 +++++ 10 files changed, 1071 insertions(+), 25 deletions(-) create mode 100644 vulnerabilities/tests/test_data/amazon_linux/amazon_linux_advisory_test2.html create mode 100644 vulnerabilities/tests/test_data/amazon_linux/amazon_linux_advisory_test3.html create mode 100644 vulnerabilities/tests/test_data/amazon_linux/amazon_linux_expected2.json create mode 100644 vulnerabilities/tests/test_data/amazon_linux/amazon_linux_expected3.json diff --git a/vulnerabilities/importers/__init__.py b/vulnerabilities/importers/__init__.py index a1475b715..e8ef3bebb 100644 --- a/vulnerabilities/importers/__init__.py +++ b/vulnerabilities/importers/__init__.py @@ -8,6 +8,7 @@ # from vulnerabilities.importers import alpine_linux +from vulnerabilities.importers import amazon_linux from vulnerabilities.importers import apache_httpd from vulnerabilities.importers import apache_kafka from vulnerabilities.importers import apache_tomcat 
@@ -75,6 +76,7 @@ github_osv.GithubOSVImporter, epss.EPSSImporter, vulnrichment.VulnrichImporter, + amazon_linux.AmazonLinuxImporter, ] IMPORTERS_REGISTRY = {x.qualified_name: x for x in IMPORTERS_REGISTRY} diff --git a/vulnerabilities/importers/amazon_linux.py b/vulnerabilities/importers/amazon_linux.py index 94e58afa5..310c92f99 100644 --- a/vulnerabilities/importers/amazon_linux.py +++ b/vulnerabilities/importers/amazon_linux.py @@ -13,35 +13,30 @@ from typing import Any from typing import Iterable from typing import List -from typing import Mapping from typing import Optional -from urllib.parse import urljoin import pytz from bs4 import BeautifulSoup from packageurl import PackageURL -from univers.version_range import RpmVersionRange +from univers.versions import RpmVersion from vulnerabilities.importer import AdvisoryData from vulnerabilities.importer import AffectedPackage from vulnerabilities.importer import Importer from vulnerabilities.importer import Reference from vulnerabilities.importer import VulnerabilitySeverity -from vulnerabilities.references import WireSharkReference -from vulnerabilities.references import XsaReference -from vulnerabilities.references import ZbxReference +from vulnerabilities.rpm_utils import rpm_to_purl from vulnerabilities.severity_systems import SCORING_SYSTEMS from vulnerabilities.utils import fetch_response from vulnerabilities.utils import is_cve LOGGER = logging.getLogger(__name__) BASE_URL = "https://alas.aws.amazon.com/" -other_url = "https://explore.alas.aws.amazon.com/{cve_id.json}" # use this in the url in code to get details for the specific cve. class AmazonLinuxImporter(Importer): - spdx_license_expression = "CC BY 4.0" # check if this is correct - license_url = " " # todo + spdx_license_expression = "CC BY 4.0" + license_url = " " # TODO importer_name = "Amazon Linux Importer" 
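Review bot: `license_url = " "` is still a single-space placeholder carrying a `# TODO`, so records produced by this importer will cite a blank license URL even though `spdx_license_expression` is now presented as final; point it at the page that states the CC BY 4.0 terms for ALAS content, or leave the attribute unset until that is known. The same hunk keeps `from typing import Any` and `from vulnerabilities.utils import is_cve`, neither of which is referenced anywhere in the module as shown on this page; either drop them or put `is_cve` to use validating the CVE ids collected later in `process_advisory_data`.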
@@ -107,6 +102,18 @@ def fetch_alas_id_and_advisory_links(page_url: str) -> dict[str, str]: def process_advisory_data(alas_id, alas_advisory_page_content, alas_url) -> Optional[AdvisoryData]: + """ + Processes an Amazon Linux Security Advisory HTML page to extract relevant data and return it in a structured format. + + Args: + alas_id (str): The unique identifier for the Amazon Linux Security Advisory (e.g., "ALAS-2024-2628"). + alas_advisory_page_content (str): The HTML content of the advisory page. + alas_url (str): The URL of the advisory page. + + Returns: + Optional[AdvisoryData]: An object containing the processed advisory data, or None if the necessary data couldn't be extracted. + """ + soup = BeautifulSoup(alas_advisory_page_content, "html.parser") aliases = [] aliases.append(alas_id) @@ -131,8 +138,18 @@ def process_advisory_data(alas_id, alas_advisory_page_content, alas_url) -> Opti # Extract Issue Overview (all points of issue overviews texts) issue_overview = [] for p in soup.find("div", id="issue_overview").find_all("p"): - issue_overview.append(p.text.strip()) - summary = create_summary(issue_overview) + # Replace
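Review bot: The new docstring promises `None` "if the necessary data couldn't be extracted", but nothing in `process_advisory_data` returns `None`: a page lacking an `issue_overview` or `references` div makes `soup.find(...)` return `None` and the chained `.find_all` raise `AttributeError`, which aborts the whole import run instead of skipping one advisory. Either make the body honour the contract (`overview = soup.find("div", id="issue_overview")` followed by `if overview is None: return None`, and the same for the references div) or rewrite the Returns section to say the function raises on malformed pages. The Args section could also note that `alas_advisory_page_content` may be `bytes` as well as `str`, since `advisory_data` passes `fetch_response(alas_url).content` while the tests pass a decoded string.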
tags with a newline, then split the text + text_parts = p.decode_contents().split("
") + + # Clean and append each part + for part in text_parts: + clean_text = part.strip() + if clean_text: # Avoid adding empty strings + issue_overview.append(clean_text) + # Filter out any blank entries from the list + issue_overview_filtered = [item for item in issue_overview if item] + + summary = create_summary(issue_overview_filtered) # Extract Affected Packages (list of strings) processed_affected_packages = [] @@ -152,12 +169,33 @@ def process_advisory_data(alas_id, alas_advisory_page_content, alas_url) -> Opti else: new_packages_list = [] - for package in affected_packages: - purl = PackageURL(type="rpm", namespace="alas.aws.amazon", name=package) - # fixed_version = get_fixed_versions(new_packages_list) - processed_affected_packages.append( - AffectedPackage(package=purl, affected_version_range=None, fixed_version=None) - ) + exclude_items = ["i686:", "noarch:", "src:", "x86_64:", "aarch64:"] + filtered_new_packages_list = [ + package for package in new_packages_list if package not in exclude_items + ] + + # new packages are the fixed packages + for new_package in filtered_new_packages_list: + new_package_purl = rpm_to_purl(new_package, "alas.aws.amazon") + if new_package_purl: + try: + processed_affected_packages.append( + AffectedPackage( + package=PackageURL( + type="rpm", + namespace="alas.aws.amazon", + name=new_package_purl.name, + qualifiers=new_package_purl.qualifiers, + subpath=new_package_purl.subpath, + ), + affected_version_range=None, + fixed_version=RpmVersion(new_package_purl.version), + ) + ) + except ValueError as e: + logging.error( + f"Invalid RPM version '{new_package_purl.version}' for package '{new_package_purl.name}': {e}" + ) cve_list = [] for link in soup.find("div", id="references").find_all("a", href=True): 
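Review bot: `p.decode_contents()` returns the paragraph's raw inner HTML, so the split parts still carry any nested markup and entities (`&amp;`, `<a ...>` links) and those land verbatim in the summary; iterating `p.stripped_strings`, or splitting `p.get_text("\n")` on newlines, yields clean text and makes the trailing `issue_overview_filtered` comprehension redundant, since empty parts are already skipped by `if clean_text`. The split token itself is not visible on this page (it appears to be a tag that the rendering stripped), so I cannot confirm it matches both the `<br>` and `<br/>` spellings an advisory page may use. Separately, `create_summary` joins the fragments with `". "`, which is what produces the `resolved:. x86/kvm` artefact visible in `amazon_linux_expected1.json`; joining with `"\n"`, or appending a period only to fragments that lack terminal punctuation, would avoid it.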
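Review bot: The error path in the `for new_package in filtered_new_packages_list` loop logs through the root logger (`logging.error(...)`) instead of the module's `LOGGER`, and `exclude_items` only knows five architecture headings, so any other `<arch>:` heading in the New Packages block is handed to `rpm_to_purl` as if it were a package name. Filtering on the trailing colon, `if not package.endswith(":")`, covers every heading, and `LOGGER.error("Invalid RPM version %r for package %r: %s", new_package_purl.version, new_package_purl.name, e)` keeps the message lazy and routed with the rest of the module. A `None` from `rpm_to_purl` is currently dropped without a trace; a `LOGGER.debug` there would make missing fixed versions diagnosable. With the old loop removed, the `affected_packages` list built from the Affected Packages section above this hunk is no longer read anywhere on this page, so either use it (for instance to keep a package-level record when no fixed version parses) or delete the dead computation.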
@@ -166,7 +204,8 @@ def process_advisory_data(alas_id, alas_advisory_page_content, alas_url) -> Opti references: List[Reference] = [] for cve_id, cve_url in cve_list: - cve_json_url = f"https://explore.alas.aws.amazon.com/{cve_id}" + aliases.append(cve_id) + cve_json_url = f"https://explore.alas.aws.amazon.com/{cve_id}.json" response = fetch_response(cve_json_url) # Parse the JSON data @@ -183,6 +222,20 @@ def process_advisory_data(alas_id, alas_advisory_page_content, alas_url) -> Opti ) references.append(Reference(reference_id=cve_id, url=cve_url, severities=severity)) + additional_references = [] + # Find all
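Review bot: `aliases.append(cve_id)` records whatever anchor text passed the `"CVE-" in link.text` substring filter a few lines above, so a link labelled, say, `See CVE-...` becomes an advisory alias and is also interpolated into the `https://explore.alas.aws.amazon.com/{cve_id}.json` fetch URL. `is_cve` is already imported by this module; gate both uses with `if not is_cve(cve_id): continue` so only well-formed ids are stored as aliases and used as URL path components. The `SCORING_SYSTEMS[score.get("type", "").lower()]` lookup further down the loop raises `KeyError` for any scoring type the registry does not know, aborting the whole advisory over one unexpected score entry; `SCORING_SYSTEMS.get(...)` with a skip-and-log is the safer shape. The enclosing `for cve_id, cve_url in cve_list` loop continues outside the hunk.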

tags within the links-container div + links_container = soup.find("div", class_="links-container") + if links_container: + p_tags = links_container.find_all("p") + for p_tag in p_tags: + a_tag = p_tag.find("a") + if a_tag: + cve_id = a_tag.get_text(strip=True) # Extract the CVE ID text + url = a_tag["href"] # Extract the URL from href attribute + additional_references.append((cve_id, url)) + for cve_id, ref_link in additional_references: + references.append(Reference(reference_id=cve_id, url=ref_link, severities=[])) + url = alas_url return AdvisoryData( @@ -198,8 +251,11 @@ def process_advisory_data(alas_id, alas_advisory_page_content, alas_url) -> Opti def get_date_published(release_date_string): # Parse the date and time - date_part = release_date_string[:16] - time_zone = release_date_string[17:] + if release_date_string: + date_part = release_date_string[:16] + time_zone = release_date_string[17:] + else: + return None # Convert to datetime object (naive) naive_date = datetime.strptime(date_part, "%Y-%m-%d %H:%M") @@ -212,7 +268,6 @@ def get_date_published(release_date_string): def create_summary(summary_point: List): summary = ". ".join(summary_point) - # Add a period at the end if the final sentence doesn't end with one if not summary.endswith("."): summary += "." diff --git a/vulnerabilities/improvers/__init__.py b/vulnerabilities/improvers/__init__.py index b84cbdbb1..2578d8c51 100644 --- a/vulnerabilities/improvers/__init__.py +++ b/vulnerabilities/improvers/__init__.py @@ -31,6 +31,7 @@ vulnerability_status.VulnerabilityStatusImprover, vulnerability_kev.VulnerabilityKevImprover, flag_ghost_packages.FlagGhostPackagePipeline, + valid_versions.AmazonLinuxImprover, ] IMPROVERS_REGISTRY = {x.qualified_name: x for x in IMPROVERS_REGISTRY} diff --git a/vulnerabilities/improvers/valid_versions.py b/vulnerabilities/improvers/valid_versions.py index d23508bea..ca82b5ec1 100644 --- a/vulnerabilities/improvers/valid_versions.py 
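Review bot: In the `links-container` loop the `href` is stored as-is (`url = a_tag["href"]`), whereas the references collected from the `references` div are prefixed with the advisory host; if the container holds relative links the resulting `Reference` URLs will not be absolute, and absolute links are stored with no check at all. `urljoin(alas_url, a_tag["href"])` handles both forms (this commit removed the `urllib.parse.urljoin` import, so it would need to come back). The variable called `cve_id` here is just the anchor text, which need not be a CVE id, and the loop runs after the `div id="references"` loop without de-duplicating, so the same CVE could appear twice in `references` if the container overlaps that div — the fixtures on this page do not let me confirm whether it does. Reusing `url` as the loop-local name and then reassigning `url = alas_url` immediately after is also easy to misread; `ref_url` would be clearer.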
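Review bot: `get_date_published` still slices a `time_zone` value that is never used and always localizes to `America/Los_Angeles`, while the `datetime.strptime(date_part, "%Y-%m-%d %H:%M")` call just below the hunk raises `ValueError` on any page whose date format differs, aborting the advisory instead of yielding a record without a date. Wrap the parse, e.g. `try: naive_date = datetime.strptime(date_part, "%Y-%m-%d %H:%M")` / `except ValueError: LOGGER.error("Unparsable release date %r", release_date_string); return None`, and either drop `time_zone` or check it against the `Pacific` suffix the fixtures show so the time-zone assumption is explicit. The function's body continues outside the hunk.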
+++ b/vulnerabilities/improvers/valid_versions.py @@ -25,6 +25,7 @@ from vulnerabilities.importer import AffectedPackage from vulnerabilities.importer import Importer from vulnerabilities.importer import UnMergeablePackageError +from vulnerabilities.importers.amazon_linux import AmazonLinuxImporter from vulnerabilities.importers.apache_httpd import ApacheHTTPDImporter from vulnerabilities.importers.apache_kafka import ApacheKafkaImporter from vulnerabilities.importers.apache_tomcat import ApacheTomcatImporter @@ -472,3 +473,8 @@ class RubyImprover(ValidVersionImprover): class GithubOSVImprover(ValidVersionImprover): importer = GithubOSVImporter ignorable_versions = [] + + +class AmazonLinuxImprover(ValidVersionImprover): + importer = AmazonLinuxImporter + ignorable_versions = [] diff --git a/vulnerabilities/tests/test_amazon_linux.py b/vulnerabilities/tests/test_amazon_linux.py index c5707b0e6..ce179d5ff 100644 --- a/vulnerabilities/tests/test_amazon_linux.py +++ b/vulnerabilities/tests/test_amazon_linux.py @@ -6,6 +6,7 @@ # See https://github.com/nexB/vulnerablecode for support or download. # See https://aboutcode.org for more information about nexB OSS projects. # + import json import os from unittest import TestCase 
@@ -26,8 +27,29 @@ def test_process_advisory_data1(self): ) as file: html_content = file.read() result = process_advisory_data( - "ALAS-2024-1943", html_content, "https://test-url.com/ALAS-2024-1943.html" + "ALAS-2024-1943", html_content, "https://alas.aws.amazon.com/ALAS-2024-1943.html" + ).to_dict() + expected_file = os.path.join(TEST_DATA, "amazon_linux_expected1.json") + util_tests.check_results_against_json(result, expected_file) + + def test_process_advisory_data2(self): + with open( + os.path.join(TEST_DATA, "amazon_linux_advisory_test2.html"), "r", encoding="utf-8" + ) as file: + html_content = file.read() + result = process_advisory_data( + "ALAS-2024-2628", html_content, "https://alas.aws.amazon.com/AL2/ALAS-2024-2628.html" + ).to_dict() + expected_file = os.path.join(TEST_DATA, "amazon_linux_expected2.json") + util_tests.check_results_against_json(result, expected_file) + + def test_process_advisory_data3(self): + with open( + os.path.join(TEST_DATA, "amazon_linux_advisory_test3.html"), "r", encoding="utf-8" + ) as file: + html_content = file.read() + result = process_advisory_data( + "ALAS-2024-676", html_content, "https://alas.aws.amazon.com/AL2023/ALAS-2024-676.html" ).to_dict() - # expected_file = os.path.join(TEST_DATA, "github_osv_expected_1.json") - print(f"Output is {result}") - # util_tests.check_results_against_json(result, expected_file) + expected_file = os.path.join(TEST_DATA, "amazon_linux_expected3.json") + util_tests.check_results_against_json(result, expected_file) diff --git a/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_advisory_test2.html b/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_advisory_test2.html new file mode 100644 index 000000000..55c2cd50d --- /dev/null +++ b/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_advisory_test2.html @@ -0,0 +1,137 @@ + + + + + + ALAS-2024-2628 + + + + + + + + + + + + + + + +
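Review bot: The three new tests run `process_advisory_data` on fixtures whose Issue Overview cites CVE ids, and `amazon_linux_expected1.json` on this page lists `CVE-2021-47110` as an alias, which is only produced by the loop that calls `fetch_response("https://explore.alas.aws.amazon.com/{cve_id}.json")`; unless `fetch_response` is patched, these tests issue live network requests and will fail or drift offline. Patch it with `unittest.mock.patch("vulnerabilities.importers.amazon_linux.fetch_response")` returning a stub whose `.json()` gives a fixed `scores` list, and keep that stub under `test_data/amazon_linux` next to the HTML so the expected JSON is fully reproducible. The three methods are identical apart from fixture names, so a helper taking `(alas_id, html_name, url, expected_name)` would remove the duplication. As far as this page shows, `json` and `BeautifulSoup` are imported by the test module but never used.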

+ +
+
+
+

ALAS-2024-2628

+
+ +
+
+ + Amazon Linux 2 Security Advisory: ALAS-2024-2628 +
+ Advisory Release Date: 2024-08-14 19:06 Pacific
+ Advisory Updated Date: 2024-08-20 16:40 Pacific
+ +
+ Severity: + + + + + + Low
+
+ + + +
+
+ Issue Overview: +

A Incorrect Default Permissions vulnerability in the packaging of cups of SUSE Linux Enterprise Server 11-SP4-LTSS, SUSE Manager Server 4.0, SUSE OpenStack Cloud Crowbar 9; openSUSE Leap 15.2, Factory allows local attackers with control of the lp users to create files as root with 0644 permissions without the ability to set the content. This issue affects: SUSE Linux Enterprise Server 11-SP4-LTSS cups versions prior to 1.3.9. SUSE Manager Server 4.0 cups versions prior to 2.2.7. SUSE OpenStack Cloud Crowbar 9 cups versions prior to 1.7.5. openSUSE Leap 15.2 cups versions prior to 2.2.7. openSUSE Factory cups version 2.3.3op2-2.1 and prior versions. (CVE-2021-25317)

+
+ +
+
+ Affected Packages: +
+

cups

+
+
+ Note: +

+ This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section + for the difference between AL2 Core and AL2 Extras advisories. +

+
+ +
+
+ Issue Correction: +
Run yum update cups to update your system.
+
+
+ New Packages:
aarch64:
    cups-1.6.3-51.amzn2.0.5.aarch64
    cups-client-1.6.3-51.amzn2.0.5.aarch64
    cups-devel-1.6.3-51.amzn2.0.5.aarch64
    cups-libs-1.6.3-51.amzn2.0.5.aarch64
    cups-lpd-1.6.3-51.amzn2.0.5.aarch64
    cups-ipptool-1.6.3-51.amzn2.0.5.aarch64
    cups-debuginfo-1.6.3-51.amzn2.0.5.aarch64

i686:
    cups-1.6.3-51.amzn2.0.5.i686
    cups-client-1.6.3-51.amzn2.0.5.i686
    cups-devel-1.6.3-51.amzn2.0.5.i686
    cups-libs-1.6.3-51.amzn2.0.5.i686
    cups-lpd-1.6.3-51.amzn2.0.5.i686
    cups-ipptool-1.6.3-51.amzn2.0.5.i686
    cups-debuginfo-1.6.3-51.amzn2.0.5.i686

noarch:
    cups-filesystem-1.6.3-51.amzn2.0.5.noarch

src:
    cups-1.6.3-51.amzn2.0.5.src

x86_64:
    cups-1.6.3-51.amzn2.0.5.x86_64
    cups-client-1.6.3-51.amzn2.0.5.x86_64
    cups-devel-1.6.3-51.amzn2.0.5.x86_64
    cups-libs-1.6.3-51.amzn2.0.5.x86_64
    cups-lpd-1.6.3-51.amzn2.0.5.x86_64
    cups-ipptool-1.6.3-51.amzn2.0.5.x86_64
    cups-debuginfo-1.6.3-51.amzn2.0.5.x86_64

+
+ +
+
+
+ + + + \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_advisory_test3.html b/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_advisory_test3.html new file mode 100644 index 000000000..37055d13c --- /dev/null +++ b/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_advisory_test3.html @@ -0,0 +1,130 @@ + + + + + + ALAS-2024-676 + + + + + + + + + + + + + + + +
+ +
+
+
+

ALAS-2024-676

+
+ +
+
+ + Amazon Linux 2023 Security Advisory: ALAS-2024-676 +
+ Advisory Release Date: 2024-08-01 04:06 Pacific
+ Advisory Updated Date: 2024-08-06 15:00 Pacific
+ +
+ Severity: + + + + + + Important
+
+ + + +
+
+ Issue Overview: +

A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0. (CVE-2024-6345)

+
+ +
+
+ Affected Packages: +
+

python-setuptools

+
+ +
+
+ Issue Correction: +
Run dnf update python-setuptools --releasever 2023.5.20240805 to update your system.
+
+
+ New Packages:
noarch:
    python3-setuptools-wheel-59.6.0-2.amzn2023.0.5.noarch
    python3-setuptools-59.6.0-2.amzn2023.0.5.noarch

src:
    python-setuptools-59.6.0-2.amzn2023.0.5.src

+
+ +
+
+
+ + + + \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_expected1.json b/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_expected1.json index e69de29bb..2e09284aa 100644 --- a/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_expected1.json +++ b/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_expected1.json 
@@ -0,0 +1,290 @@ +{ + "aliases": [ + "ALAS-2024-1943", + "CVE-2021-47110" + ], + "summary": "In the Linux kernel, the following vulnerability has been resolved:. x86/kvm: Disable kvmclock on all CPUs on shutdown (CVE-2021-47110).", + "affected_packages": [ + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "kernel-debuginfo", + "version": "", + "qualifiers": "arch=i686", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.14.348-187.565.amzn1" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "kernel-devel", + "version": "", + "qualifiers": "arch=i686", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.14.348-187.565.amzn1" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "kernel-tools-devel", + "version": "", + "qualifiers": "arch=i686", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.14.348-187.565.amzn1" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "kernel-headers", + "version": "", + "qualifiers": "arch=i686", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.14.348-187.565.amzn1" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "perf-debuginfo", + "version": "", + "qualifiers": "arch=i686", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.14.348-187.565.amzn1" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "kernel-debuginfo-common-i686", + "version": "", + "qualifiers": "arch=i686", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.14.348-187.565.amzn1" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "kernel-tools", + "version": "", + "qualifiers": "arch=i686", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": 
"4.14.348-187.565.amzn1" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "perf", + "version": "", + "qualifiers": "arch=i686", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.14.348-187.565.amzn1" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "kernel", + "version": "", + "qualifiers": "arch=i686", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.14.348-187.565.amzn1" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "kernel-tools-debuginfo", + "version": "", + "qualifiers": "arch=i686", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.14.348-187.565.amzn1" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "kernel", + "version": "", + "qualifiers": "arch=src", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.14.348-187.565.amzn1" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "kernel-devel", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.14.348-187.565.amzn1" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "kernel-tools-debuginfo", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.14.348-187.565.amzn1" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "kernel", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.14.348-187.565.amzn1" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "kernel-headers", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.14.348-187.565.amzn1" + 
}, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "kernel-tools", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.14.348-187.565.amzn1" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "kernel-tools-devel", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.14.348-187.565.amzn1" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "kernel-debuginfo-common-x86_64", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.14.348-187.565.amzn1" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "perf", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.14.348-187.565.amzn1" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "kernel-debuginfo", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.14.348-187.565.amzn1" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "perf-debuginfo", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.14.348-187.565.amzn1" + } + ], + "references": [ + { + "reference_id": "CVE-2021-47110", + "reference_type": "", + "url": "https://alas.aws.amazon.com/cve/html/CVE-2021-47110.html", + "severities": [ + { + "system": "cvssv3", + "value": "7.1", + "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H" + } + ] + }, + { + "reference_id": "CVE-2021-47110", + "reference_type": "", + "url": "https://access.redhat.com/security/cve/CVE-2021-47110", + "severities": [] + }, + { + "reference_id": 
"CVE-2021-47110", + "reference_type": "", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-47110", + "severities": [] + } + ], + "date_published": "2024-07-03T21:01:00-07:00", + "weaknesses": [], + "url": "https://alas.aws.amazon.com/ALAS-2024-1943.html" +} \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_expected2.json b/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_expected2.json new file mode 100644 index 000000000..49d284360 --- /dev/null +++ b/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_expected2.json 
@@ -0,0 +1,324 @@ +{ + "aliases": [ + "ALAS-2024-2628", + "CVE-2021-25317" + ], + "summary": "A Incorrect Default Permissions vulnerability in the packaging of cups of SUSE Linux Enterprise Server 11-SP4-LTSS, SUSE Manager Server 4.0, SUSE OpenStack Cloud Crowbar 9; openSUSE Leap 15.2, Factory allows local attackers with control of the lp users to create files as root with 0644 permissions without the ability to set the content. This issue affects: SUSE Linux Enterprise Server 11-SP4-LTSS cups versions prior to 1.3.9. SUSE Manager Server 4.0 cups versions prior to 2.2.7. SUSE OpenStack Cloud Crowbar 9 cups versions prior to 1.7.5. openSUSE Leap 15.2 cups versions prior to 2.2.7. openSUSE Factory cups version 2.3.3op2-2.1 and prior versions. (CVE-2021-25317).", + "affected_packages": [ + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups-client", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups-devel", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups-libs", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups-lpd", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + 
}, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups-ipptool", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups-debuginfo", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups", + "version": "", + "qualifiers": "arch=i686", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups-client", + "version": "", + "qualifiers": "arch=i686", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups-devel", + "version": "", + "qualifiers": "arch=i686", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups-libs", + "version": "", + "qualifiers": "arch=i686", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups-lpd", + "version": "", + "qualifiers": "arch=i686", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups-ipptool", + "version": "", + "qualifiers": "arch=i686", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", 
+ "name": "cups-debuginfo", + "version": "", + "qualifiers": "arch=i686", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups-filesystem", + "version": "", + "qualifiers": "arch=noarch", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups", + "version": "", + "qualifiers": "arch=src", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups-client", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups-devel", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups-libs", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups-lpd", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups-ipptool", + "version": "", + "qualifiers": "arch=x86_64", 
+ "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups-debuginfo", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + } + ], + "references": [ + { + "reference_id": "CVE-2021-25317", + "reference_type": "", + "url": "https://alas.aws.amazon.com/cve/html/CVE-2021-25317.html", + "severities": [ + { + "system": "cvssv3", + "value": "3.3", + "scoring_elements": "NVD: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" + }, + { + "system": "cvssv3", + "value": "3.3", + "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" + }, + { + "system": "cvssv2", + "value": "2.1", + "scoring_elements": "AV:L/AC:L/Au:N/C:N/I:P/A:N" + } + ] + }, + { + "reference_id": "CVE-2021-25317", + "reference_type": "", + "url": "https://access.redhat.com/security/cve/CVE-2021-25317", + "severities": [] + }, + { + "reference_id": "CVE-2021-25317", + "reference_type": "", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25317", + "severities": [] + } + ], + "date_published": "2024-08-14T19:06:00-07:00", + "weaknesses": [], + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2628.html" +} \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_expected3.json b/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_expected3.json new file mode 100644 index 000000000..3750acfb8 --- /dev/null +++ b/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_expected3.json 
@@ -0,0 +1,79 @@ +{ + "aliases": [ + "ALAS-2024-676", + "CVE-2024-6345" + ], + "summary": "A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0. (CVE-2024-6345).", + "affected_packages": [ + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "python3-setuptools-wheel", + "version": "", + "qualifiers": "arch=noarch", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "59.6.0-2.amzn2023.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "python3-setuptools", + "version": "", + "qualifiers": "arch=noarch", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "59.6.0-2.amzn2023.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "python-setuptools", + "version": "", + "qualifiers": "arch=src", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "59.6.0-2.amzn2023.0.5" + } + ], + "references": [ + { + "reference_id": "CVE-2024-6345", + "reference_type": "", + "url": "https://alas.aws.amazon.com/cve/html/CVE-2024-6345.html", + "severities": [ + { + "system": "cvssv3", + "value": "8.8", + "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + }, + { + "system": "cvssv3", + "value": "8.8", + "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } + ] + }, + { + "reference_id": "CVE-2024-6345", + "reference_type": "", + "url": "https://access.redhat.com/security/cve/CVE-2024-6345", + "severities": [] + }, + { + "reference_id": "CVE-2024-6345", + "reference_type": "", + 
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6345", + "severities": [] + } + ], + "date_published": "2024-08-01T04:06:00-07:00", + "weaknesses": [], + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-676.html" +} \ No newline at end of file From 77b77568498b2757fe7b0b48e076624cc83d8898 Mon Sep 17 00:00:00 2001 From: ambuj Date: Thu, 8 May 2025 00:33:55 +0530 Subject: [PATCH 3/3] Create amazon linux importer pipeline Signed-off-by: ambuj --- vulnerabilities/importers/__init__.py | 5 +- vulnerabilities/improvers/valid_versions.py | 5 +- .../amazon_linux_importer.py} | 62 +- .../test_amazon_linux_importer_pipeline.py} | 10 +- .../amazon_linux/amazon_linux_expected1.json | 572 ++++++++-------- .../amazon_linux/amazon_linux_expected2.json | 631 +++++++++--------- .../amazon_linux/amazon_linux_expected3.json | 145 ++-- 7 files changed, 729 insertions(+), 701 deletions(-) rename vulnerabilities/{importers/amazon_linux.py => pipelines/amazon_linux_importer.py} (84%) rename vulnerabilities/tests/{test_amazon_linux.py => pipelines/test_amazon_linux_importer_pipeline.py} (89%) diff --git a/vulnerabilities/importers/__init__.py b/vulnerabilities/importers/__init__.py index 71b8f5e24..ce32a3a08 100644 --- a/vulnerabilities/importers/__init__.py +++ b/vulnerabilities/importers/__init__.py @@ -7,8 +7,6 @@ # See https://aboutcode.org for more information about nexB OSS projects. # -from vulnerabilities.importers import alpine_linux -from vulnerabilities.importers import amazon_linux from vulnerabilities.importers import apache_httpd from vulnerabilities.importers import apache_kafka from vulnerabilities.importers import apache_tomcat 
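Review bot: The first `__init__.py` hunk also drops `from vulnerabilities.importers import alpine_linux`, which is outside the scope stated in the commit title ("Create amazon linux importer pipeline"); confirm it is intentional rather than a rebase artefact. If any `alpine_linux.` entry is still present in the importer list later in the file (the `@@ -72,7 +71,7 @@` hunk shows only a slice of it), the module will fail with a NameError at import time, which would take every importer down, not just this one. Either mention the removal in the commit message or move it to its own commit.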
@@ -37,6 +35,7 @@ from vulnerabilities.importers import xen from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipeline from vulnerabilities.pipelines import alpine_linux_importer +from vulnerabilities.pipelines import amazon_linux_importer from vulnerabilities.pipelines import github_importer from vulnerabilities.pipelines import gitlab_importer from vulnerabilities.pipelines import nginx_importer @@ -72,7 +71,7 @@ curl.CurlImporter, epss.EPSSImporter, vulnrichment.VulnrichImporter, - amazon_linux.AmazonLinuxImporter, + amazon_linux_importer.AmazonLinuxImporterPipeline, pypa_importer.PyPaImporterPipeline, npm_importer.NpmImporterPipeline, nginx_importer.NginxImporterPipeline, diff --git a/vulnerabilities/improvers/valid_versions.py b/vulnerabilities/improvers/valid_versions.py index 0e9a705ea..57d2ee89c 100644 --- a/vulnerabilities/improvers/valid_versions.py +++ b/vulnerabilities/improvers/valid_versions.py @@ -24,7 +24,6 @@ from vulnerabilities.importer import AffectedPackage from vulnerabilities.importer import Importer from vulnerabilities.importer import UnMergeablePackageError -from vulnerabilities.importers.amazon_linux import AmazonLinuxImporter from vulnerabilities.importers.apache_httpd import ApacheHTTPDImporter from vulnerabilities.importers.apache_kafka import ApacheKafkaImporter from vulnerabilities.importers.apache_tomcat import ApacheTomcatImporter @@ -42,6 +41,7 @@ from vulnerabilities.improver import Inference from vulnerabilities.models import Advisory from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipeline +from vulnerabilities.pipelines.amazon_linux_importer import AmazonLinuxImporterPipeline from vulnerabilities.pipelines.github_importer import GitHubAPIImporterPipeline from vulnerabilities.pipelines.gitlab_importer import GitLabImporterPipeline from vulnerabilities.pipelines.nginx_importer import NginxImporterPipeline 
@@ -480,9 +480,10 @@ class GithubOSVImprover(ValidVersionImprover): class AmazonLinuxImprover(ValidVersionImprover): - importer = AmazonLinuxImporter + importer = AmazonLinuxImporterPipeline ignorable_versions = [] + class CurlImprover(ValidVersionImprover): importer = CurlImporter ignorable_versions = [] diff --git a/vulnerabilities/importers/amazon_linux.py b/vulnerabilities/pipelines/amazon_linux_importer.py similarity index 84% rename from vulnerabilities/importers/amazon_linux.py rename to vulnerabilities/pipelines/amazon_linux_importer.py index 310c92f99..ef8dd9434 100644 --- a/vulnerabilities/importers/amazon_linux.py +++ b/vulnerabilities/pipelines/amazon_linux_importer.py @@ -16,6 +16,7 @@ from typing import Optional import pytz +import requests from bs4 import BeautifulSoup from packageurl import PackageURL from univers.versions import RpmVersion 
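Review bot: `import requests` is added to the importer module, but in the hunks visible here its only reference is the commented-out `# self.advisory_data = requests.get(self.url).text` in the later `@@ -52,18 +65,40 @@` hunk, and that line also names a `self.url` the class never defines. The pipeline already fetches through `fetch_response`, so both the import and the dead line should be dropped unless a real call is planned; an unused network-client import is exactly the kind of thing a later refactor turns into an unvetted second fetch path.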
@@ -25,25 +26,37 @@ from vulnerabilities.importer import Importer from vulnerabilities.importer import Reference from vulnerabilities.importer import VulnerabilitySeverity +from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipeline from vulnerabilities.rpm_utils import rpm_to_purl from vulnerabilities.severity_systems import SCORING_SYSTEMS from vulnerabilities.utils import fetch_response from vulnerabilities.utils import is_cve LOGGER = logging.getLogger(__name__) -BASE_URL = "https://alas.aws.amazon.com/" -class AmazonLinuxImporter(Importer): - spdx_license_expression = "CC BY 4.0" - license_url = " " # TODO +class AmazonLinuxImporterPipeline(VulnerableCodeBaseImporterPipeline): + """Imports Amazon Linux security advisories""" + pipeline_id = "amazon_linux_importer" + BASE_URL = "https://alas.aws.amazon.com/" + spdx_license_expression = "CC BY 4.0" + license_url = "Unknown" importer_name = "Amazon Linux Importer" - def advisory_data(self) -> Iterable[AdvisoryData]: - amazon_linux_1_url = BASE_URL + "/index.html" - amazon_linux_2_url = BASE_URL + "/alas2.html" - amazon_linux_2023_url = BASE_URL + "/alas2023.html" + @classmethod + def steps(cls): + return ( + cls.fetch, + cls.collect_and_store_advisories, + cls.import_new_advisories, + ) + + def fetch(self): + self.log(f"Fetch `{self.BASE_URL}`") + amazon_linux_1_url = self.BASE_URL + "/index.html" + amazon_linux_2_url = self.BASE_URL + "/alas2.html" + amazon_linux_2023_url = self.BASE_URL + "/alas2023.html" amazonlinux_advisories_pages = [ amazon_linux_1_url, amazon_linux_2_url, 
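Review bot: The index URLs in `fetch` are built as `self.BASE_URL + "/index.html"` while the new `BASE_URL` class attribute already ends with a slash, so the pipeline requests `https://alas.aws.amazon.com//index.html` (and `//alas2.html`, `//alas2023.html`); most servers tolerate the double slash, but it is a needless deviation from the documented advisory URLs and shows up in every log line. Drop the leading slash in the three literals, e.g. `amazon_linux_1_url = self.BASE_URL + "index.html"`, or join them with `urljoin` if it is still imported in this module. `license_url = "Unknown"` is not a URL either; if the licence link is genuinely unknown, keep a `# TODO` as the removed line had rather than a string that will render as a broken link. `fetch` continues past the end of this hunk.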
@@ -52,18 +65,40 @@ def advisory_data(self) -> Iterable[AdvisoryData]: alas_dict = {} for amazonlinux_advisories_page in amazonlinux_advisories_pages: alas_dict.update(fetch_alas_id_and_advisory_links(amazonlinux_advisories_page)) + self.advisory_data = alas_dict + # self.advisory_data = requests.get(self.url).text + + def advisories_count(self): + return len(self.advisory_data) + + def collect_advisories(self) -> Iterable[AdvisoryData]: + """ + Yield AdvisoryData from nginx security advisories HTML + web page. + """ - for alas_id, alas_url in alas_dict.items(): + for alas_id, alas_url in self.advisory_data.items(): # It iterates through alas_dict to get alas ids and alas url - if alas_id and alas_url: - alas_advisory_page_content = fetch_response(alas_url).content - yield process_advisory_data(alas_id, alas_advisory_page_content, alas_url) + if not (alas_id and alas_url): + continue + try: + # Fetch the advisory page content + response = fetch_response(alas_url) + alas_advisory_page_content = response.content + + except Exception as e: + # Log the error and continue to the next item + LOGGER.error(f"Failed to fetch advisory {alas_id} from {alas_url}: {str(e)}") + continue + + # Process and yield data if successful + yield process_advisory_data(alas_id, alas_advisory_page_content, alas_url) def fetch_alas_id_and_advisory_links(page_url: str) -> dict[str, str]: """ Return a dictionary where 'ALAS' entries are the keys and - their corresponding advisory page links are the values. + their corresponding advisory page link strings are the values. """ page_response_content = fetch_response(page_url).content @@ -253,7 +288,6 @@ def get_date_published(release_date_string): # Parse the date and time if release_date_string: date_part = release_date_string[:16] - time_zone = release_date_string[17:] else: return None 
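Review bot: The new docstring on `collect_advisories` says it yields AdvisoryData "from nginx security advisories HTML web page", which is a copy-paste leftover from another pipeline; replace it with `"""Yield AdvisoryData parsed from each Amazon Linux ALAS advisory page collected by fetch()."""`. In the fetch-failure branch, `LOGGER.error(f"Failed to fetch advisory {alas_id} from {alas_url}: {str(e)}")` discards the traceback and bypasses the pipeline's own logger; `LOGGER.exception(f"Failed to fetch advisory {alas_id} from {alas_url}")` keeps the stack trace (or `self.log(..., level=logging.ERROR)` if the base pipeline's `log` accepts a level, as `fetch` already uses `self.log`), and `str(e)` inside an f-string is redundant. `advisories_count` dereferences `self.advisory_data` unconditionally, so it raises AttributeError if `steps()` is ever reordered to call it before `fetch`; a short comment stating that dependency, or `return len(getattr(self, "advisory_data", {}))`, would make the contract explicit. `fetch` starts before this hunk.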
diff --git a/vulnerabilities/tests/test_amazon_linux.py b/vulnerabilities/tests/pipelines/test_amazon_linux_importer_pipeline.py similarity index 89% rename from vulnerabilities/tests/test_amazon_linux.py rename to vulnerabilities/tests/pipelines/test_amazon_linux_importer_pipeline.py index ce179d5ff..5caaae68a 100644 --- a/vulnerabilities/tests/test_amazon_linux.py +++ b/vulnerabilities/tests/pipelines/test_amazon_linux_importer_pipeline.py @@ -7,17 +7,14 @@ # See https://aboutcode.org for more information about nexB OSS projects. # -import json import os +from pathlib import Path from unittest import TestCase -from bs4 import BeautifulSoup - -from vulnerabilities.importers.amazon_linux import process_advisory_data +from vulnerabilities.pipelines.amazon_linux_importer import process_advisory_data from vulnerabilities.tests import util_tests -BASE_DIR = os.path.dirname(os.path.abspath(__file__)) -TEST_DATA = os.path.join(BASE_DIR, "test_data/amazon_linux") +TEST_DATA = Path(__file__).parent.parent / "test_data" / "amazon_linux" class TestAmazonLinuxImporter(TestCase): @@ -30,6 +27,7 @@ def test_process_advisory_data1(self): "ALAS-2024-1943", html_content, "https://alas.aws.amazon.com/ALAS-2024-1943.html" ).to_dict() expected_file = os.path.join(TEST_DATA, "amazon_linux_expected1.json") + # print(f"The result is {result}") util_tests.check_results_against_json(result, expected_file) def test_process_advisory_data2(self): diff --git a/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_expected1.json b/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_expected1.json index 2e09284aa..c4db15b1c 100644 --- a/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_expected1.json +++ b/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_expected1.json 
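Review bot: `# print(f"The result is {result}")` in `test_process_advisory_data1` is a debugging leftover and should be removed rather than committed as a comment. Since `TEST_DATA` is now a `Path`, the `os.path.join(TEST_DATA, "amazon_linux_expected1.json")` on the adjacent context line still works but mixes the two APIs; `expected_file = TEST_DATA / "amazon_linux_expected1.json"` reads cleaner and would let the remaining `import os` go, assuming the other test methods outside this hunk are updated the same way.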
@@ -1,290 +1,292 @@ { - "aliases": [ - "ALAS-2024-1943", - "CVE-2021-47110" - ], - "summary": "In the Linux kernel, the following vulnerability has been resolved:. x86/kvm: Disable kvmclock on all CPUs on shutdown (CVE-2021-47110).", - "affected_packages": [ + "aliases": ["ALAS-2024-1943", "CVE-2021-47110"], + "summary": "In the Linux kernel, the following vulnerability has been resolved:. x86/kvm: Disable kvmclock on all CPUs on shutdown (CVE-2021-47110).", + "affected_packages": [ + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "kernel-debuginfo", + "version": "", + "qualifiers": "arch=i686", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.14.348-187.565.amzn1" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "kernel-devel", + "version": "", + "qualifiers": "arch=i686", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.14.348-187.565.amzn1" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "kernel-tools-devel", + "version": "", + "qualifiers": "arch=i686", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.14.348-187.565.amzn1" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "kernel-headers", + "version": "", + "qualifiers": "arch=i686", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.14.348-187.565.amzn1" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "perf-debuginfo", + "version": "", + "qualifiers": "arch=i686", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.14.348-187.565.amzn1" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "kernel-debuginfo-common-i686", + "version": "", + "qualifiers": "arch=i686", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.14.348-187.565.amzn1" + }, + { + 
"package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "kernel-tools", + "version": "", + "qualifiers": "arch=i686", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.14.348-187.565.amzn1" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "perf", + "version": "", + "qualifiers": "arch=i686", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.14.348-187.565.amzn1" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "kernel", + "version": "", + "qualifiers": "arch=i686", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.14.348-187.565.amzn1" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "kernel-tools-debuginfo", + "version": "", + "qualifiers": "arch=i686", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.14.348-187.565.amzn1" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "kernel", + "version": "", + "qualifiers": "arch=src", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.14.348-187.565.amzn1" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "kernel-devel", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.14.348-187.565.amzn1" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "kernel-tools-debuginfo", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.14.348-187.565.amzn1" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "kernel", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.14.348-187.565.amzn1" + }, + { + "package": { + "type": "rpm", + 
"namespace": "alas.aws.amazon", + "name": "kernel-headers", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.14.348-187.565.amzn1" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "kernel-tools", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.14.348-187.565.amzn1" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "kernel-tools-devel", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.14.348-187.565.amzn1" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "kernel-debuginfo-common-x86_64", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.14.348-187.565.amzn1" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "perf", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.14.348-187.565.amzn1" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "kernel-debuginfo", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.14.348-187.565.amzn1" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "perf-debuginfo", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "4.14.348-187.565.amzn1" + } + ], + "references": [ + { + "reference_id": "CVE-2021-47110", + "reference_type": "", + "url": "https://alas.aws.amazon.com/cve/html/CVE-2021-47110.html", + "severities": [ { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "kernel-debuginfo", - 
"version": "", - "qualifiers": "arch=i686", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "4.14.348-187.565.amzn1" + "system": "cvssv3", + "value": "7.1", + "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H" }, { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "kernel-devel", - "version": "", - "qualifiers": "arch=i686", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "4.14.348-187.565.amzn1" - }, - { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "kernel-tools-devel", - "version": "", - "qualifiers": "arch=i686", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "4.14.348-187.565.amzn1" - }, - { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "kernel-headers", - "version": "", - "qualifiers": "arch=i686", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "4.14.348-187.565.amzn1" - }, - { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "perf-debuginfo", - "version": "", - "qualifiers": "arch=i686", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "4.14.348-187.565.amzn1" - }, - { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "kernel-debuginfo-common-i686", - "version": "", - "qualifiers": "arch=i686", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "4.14.348-187.565.amzn1" - }, - { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "kernel-tools", - "version": "", - "qualifiers": "arch=i686", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "4.14.348-187.565.amzn1" - }, - { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "perf", - "version": "", - "qualifiers": "arch=i686", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "4.14.348-187.565.amzn1" - }, - { - 
"package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "kernel", - "version": "", - "qualifiers": "arch=i686", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "4.14.348-187.565.amzn1" - }, - { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "kernel-tools-debuginfo", - "version": "", - "qualifiers": "arch=i686", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "4.14.348-187.565.amzn1" - }, - { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "kernel", - "version": "", - "qualifiers": "arch=src", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "4.14.348-187.565.amzn1" - }, - { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "kernel-devel", - "version": "", - "qualifiers": "arch=x86_64", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "4.14.348-187.565.amzn1" - }, - { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "kernel-tools-debuginfo", - "version": "", - "qualifiers": "arch=x86_64", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "4.14.348-187.565.amzn1" - }, - { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "kernel", - "version": "", - "qualifiers": "arch=x86_64", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "4.14.348-187.565.amzn1" - }, - { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "kernel-headers", - "version": "", - "qualifiers": "arch=x86_64", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "4.14.348-187.565.amzn1" - }, - { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "kernel-tools", - "version": "", - "qualifiers": "arch=x86_64", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "4.14.348-187.565.amzn1" - }, - { - "package": { - 
"type": "rpm", - "namespace": "alas.aws.amazon", - "name": "kernel-tools-devel", - "version": "", - "qualifiers": "arch=x86_64", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "4.14.348-187.565.amzn1" - }, - { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "kernel-debuginfo-common-x86_64", - "version": "", - "qualifiers": "arch=x86_64", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "4.14.348-187.565.amzn1" - }, - { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "perf", - "version": "", - "qualifiers": "arch=x86_64", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "4.14.348-187.565.amzn1" - }, - { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "kernel-debuginfo", - "version": "", - "qualifiers": "arch=x86_64", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "4.14.348-187.565.amzn1" - }, - { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "perf-debuginfo", - "version": "", - "qualifiers": "arch=x86_64", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "4.14.348-187.565.amzn1" - } - ], - "references": [ - { - "reference_id": "CVE-2021-47110", - "reference_type": "", - "url": "https://alas.aws.amazon.com/cve/html/CVE-2021-47110.html", - "severities": [ - { - "system": "cvssv3", - "value": "7.1", - "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H" - } - ] - }, - { - "reference_id": "CVE-2021-47110", - "reference_type": "", - "url": "https://access.redhat.com/security/cve/CVE-2021-47110", - "severities": [] - }, - { - "reference_id": "CVE-2021-47110", - "reference_type": "", - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-47110", - "severities": [] + "system": "cvssv3", + "value": "7.1", + "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H" } - ], - "date_published": 
"2024-07-03T21:01:00-07:00", - "weaknesses": [], - "url": "https://alas.aws.amazon.com/ALAS-2024-1943.html" -} \ No newline at end of file + ] + }, + { + "reference_id": "CVE-2021-47110", + "reference_type": "", + "url": "https://access.redhat.com/security/cve/CVE-2021-47110", + "severities": [] + }, + { + "reference_id": "CVE-2021-47110", + "reference_type": "", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-47110", + "severities": [] + } + ], + "date_published": "2024-07-03T21:01:00-07:00", + "weaknesses": [], + "url": "https://alas.aws.amazon.com/ALAS-2024-1943.html" +} diff --git a/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_expected2.json b/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_expected2.json index 49d284360..e25848c0c 100644 --- a/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_expected2.json +++ b/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_expected2.json 
@@ -1,324 +1,321 @@ { - "aliases": [ - "ALAS-2024-2628", - "CVE-2021-25317" - ], - "summary": "A Incorrect Default Permissions vulnerability in the packaging of cups of SUSE Linux Enterprise Server 11-SP4-LTSS, SUSE Manager Server 4.0, SUSE OpenStack Cloud Crowbar 9; openSUSE Leap 15.2, Factory allows local attackers with control of the lp users to create files as root with 0644 permissions without the ability to set the content. This issue affects: SUSE Linux Enterprise Server 11-SP4-LTSS cups versions prior to 1.3.9. SUSE Manager Server 4.0 cups versions prior to 2.2.7. SUSE OpenStack Cloud Crowbar 9 cups versions prior to 1.7.5. openSUSE Leap 15.2 cups versions prior to 2.2.7. openSUSE Factory cups version 2.3.3op2-2.1 and prior versions. (CVE-2021-25317).", - "affected_packages": [ + "aliases": ["ALAS-2024-2628", "CVE-2021-25317"], + "summary": "A Incorrect Default Permissions vulnerability in the packaging of cups of SUSE Linux Enterprise Server 11-SP4-LTSS, SUSE Manager Server 4.0, SUSE OpenStack Cloud Crowbar 9; openSUSE Leap 15.2, Factory allows local attackers with control of the lp users to create files as root with 0644 permissions without the ability to set the content. This issue affects: SUSE Linux Enterprise Server 11-SP4-LTSS cups versions prior to 1.3.9. SUSE Manager Server 4.0 cups versions prior to 2.2.7. SUSE OpenStack Cloud Crowbar 9 cups versions prior to 1.7.5. openSUSE Leap 15.2 cups versions prior to 2.2.7. openSUSE Factory cups version 2.3.3op2-2.1 and prior versions. 
(CVE-2021-25317).", + "affected_packages": [ + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups-client", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups-devel", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups-libs", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups-lpd", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups-ipptool", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups-debuginfo", + "version": "", + "qualifiers": "arch=aarch64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups", + "version": "", + "qualifiers": "arch=i686", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + 
"type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups-client", + "version": "", + "qualifiers": "arch=i686", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups-devel", + "version": "", + "qualifiers": "arch=i686", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups-libs", + "version": "", + "qualifiers": "arch=i686", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups-lpd", + "version": "", + "qualifiers": "arch=i686", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups-ipptool", + "version": "", + "qualifiers": "arch=i686", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups-debuginfo", + "version": "", + "qualifiers": "arch=i686", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups-filesystem", + "version": "", + "qualifiers": "arch=noarch", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups", + "version": "", + "qualifiers": "arch=src", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups", + 
"version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups-client", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups-devel", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups-libs", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups-lpd", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups-ipptool", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "cups-debuginfo", + "version": "", + "qualifiers": "arch=x86_64", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "1.6.3-51.amzn2.0.5" + } + ], + "references": [ + { + "reference_id": "CVE-2021-25317", + "reference_type": "", + "url": "https://alas.aws.amazon.com/cve/html/CVE-2021-25317.html", + "severities": [ { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "cups", - "version": "", - "qualifiers": "arch=aarch64", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": 
"1.6.3-51.amzn2.0.5" + "system": "cvssv2", + "value": "2.1", + "scoring_elements": "AV:L/AC:L/Au:N/C:N/I:P/A:N" }, { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "cups-client", - "version": "", - "qualifiers": "arch=aarch64", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "1.6.3-51.amzn2.0.5" + "system": "cvssv3", + "value": "3.3", + "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "cups-devel", - "version": "", - "qualifiers": "arch=aarch64", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "1.6.3-51.amzn2.0.5" - }, - { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "cups-libs", - "version": "", - "qualifiers": "arch=aarch64", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "1.6.3-51.amzn2.0.5" - }, - { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "cups-lpd", - "version": "", - "qualifiers": "arch=aarch64", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "1.6.3-51.amzn2.0.5" - }, - { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "cups-ipptool", - "version": "", - "qualifiers": "arch=aarch64", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "1.6.3-51.amzn2.0.5" - }, - { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "cups-debuginfo", - "version": "", - "qualifiers": "arch=aarch64", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "1.6.3-51.amzn2.0.5" - }, - { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "cups", - "version": "", - "qualifiers": "arch=i686", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "1.6.3-51.amzn2.0.5" - }, - { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": 
"cups-client", - "version": "", - "qualifiers": "arch=i686", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "1.6.3-51.amzn2.0.5" - }, - { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "cups-devel", - "version": "", - "qualifiers": "arch=i686", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "1.6.3-51.amzn2.0.5" - }, - { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "cups-libs", - "version": "", - "qualifiers": "arch=i686", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "1.6.3-51.amzn2.0.5" - }, - { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "cups-lpd", - "version": "", - "qualifiers": "arch=i686", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "1.6.3-51.amzn2.0.5" - }, - { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "cups-ipptool", - "version": "", - "qualifiers": "arch=i686", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "1.6.3-51.amzn2.0.5" - }, - { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "cups-debuginfo", - "version": "", - "qualifiers": "arch=i686", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "1.6.3-51.amzn2.0.5" - }, - { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "cups-filesystem", - "version": "", - "qualifiers": "arch=noarch", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "1.6.3-51.amzn2.0.5" - }, - { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "cups", - "version": "", - "qualifiers": "arch=src", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "1.6.3-51.amzn2.0.5" - }, - { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "cups", - "version": "", - "qualifiers": "arch=x86_64", - "subpath": "" - 
}, - "affected_version_range": null, - "fixed_version": "1.6.3-51.amzn2.0.5" - }, - { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "cups-client", - "version": "", - "qualifiers": "arch=x86_64", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "1.6.3-51.amzn2.0.5" - }, - { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "cups-devel", - "version": "", - "qualifiers": "arch=x86_64", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "1.6.3-51.amzn2.0.5" - }, - { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "cups-libs", - "version": "", - "qualifiers": "arch=x86_64", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "1.6.3-51.amzn2.0.5" - }, - { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "cups-lpd", - "version": "", - "qualifiers": "arch=x86_64", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "1.6.3-51.amzn2.0.5" - }, - { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "cups-ipptool", - "version": "", - "qualifiers": "arch=x86_64", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "1.6.3-51.amzn2.0.5" - }, - { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "cups-debuginfo", - "version": "", - "qualifiers": "arch=x86_64", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "1.6.3-51.amzn2.0.5" - } - ], - "references": [ - { - "reference_id": "CVE-2021-25317", - "reference_type": "", - "url": "https://alas.aws.amazon.com/cve/html/CVE-2021-25317.html", - "severities": [ - { - "system": "cvssv3", - "value": "3.3", - "scoring_elements": "NVD: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" - }, - { - "system": "cvssv3", - "value": "3.3", - "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" - }, - { - "system": "cvssv2", - "value": "2.1", - 
"scoring_elements": "AV:L/AC:L/Au:N/C:N/I:P/A:N" - } - ] - }, - { - "reference_id": "CVE-2021-25317", - "reference_type": "", - "url": "https://access.redhat.com/security/cve/CVE-2021-25317", - "severities": [] - }, - { - "reference_id": "CVE-2021-25317", - "reference_type": "", - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25317", - "severities": [] + "system": "cvssv3", + "value": "3.3", + "scoring_elements": "NVD: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" } - ], - "date_published": "2024-08-14T19:06:00-07:00", - "weaknesses": [], - "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2628.html" -} \ No newline at end of file + ] + }, + { + "reference_id": "CVE-2021-25317", + "reference_type": "", + "url": "https://access.redhat.com/security/cve/CVE-2021-25317", + "severities": [] + }, + { + "reference_id": "CVE-2021-25317", + "reference_type": "", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25317", + "severities": [] + } + ], + "date_published": "2024-08-14T19:06:00-07:00", + "weaknesses": [], + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2628.html" +} diff --git a/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_expected3.json b/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_expected3.json index 3750acfb8..48bcbfdff 100644 --- a/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_expected3.json +++ b/vulnerabilities/tests/test_data/amazon_linux/amazon_linux_expected3.json 
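Review bot: The last cvssv3 severity pinned for the `https://alas.aws.amazon.com/cve/html/CVE-2021-25317.html` reference still carries the page label inside the vector string, `"scoring_elements": "NVD: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"`, so the fixture asserts a scoring string that a CVSS vector parser will most likely reject, and it duplicates the clean cvssv3 3.3 entry directly above it. The `NVD: ` prefix was already present in the removed lines, so this looks like an importer issue the fixture is preserving rather than one the commit introduces; the importer should strip that prefix (and drop the resulting duplicate), after which the expected line becomes `"scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"`. Separately, the only non-whitespace change in this hunk and in the amazon_linux_expected3.json hunk is the order of the severities list, which suggests the test compares scraped severities positionally; sorting severities in the importer, or comparing them order-insensitively in the test, would stop these fixtures churning whenever the scraping order shifts.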
@@ -1,79 +1,76 @@ { - "aliases": [ - "ALAS-2024-676", - "CVE-2024-6345" - ], - "summary": "A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0. (CVE-2024-6345).", - "affected_packages": [ + "aliases": ["ALAS-2024-676", "CVE-2024-6345"], + "summary": "A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0. 
(CVE-2024-6345).", + "affected_packages": [ + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "python3-setuptools-wheel", + "version": "", + "qualifiers": "arch=noarch", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "59.6.0-2.amzn2023.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "python3-setuptools", + "version": "", + "qualifiers": "arch=noarch", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "59.6.0-2.amzn2023.0.5" + }, + { + "package": { + "type": "rpm", + "namespace": "alas.aws.amazon", + "name": "python-setuptools", + "version": "", + "qualifiers": "arch=src", + "subpath": "" + }, + "affected_version_range": null, + "fixed_version": "59.6.0-2.amzn2023.0.5" + } + ], + "references": [ + { + "reference_id": "CVE-2024-6345", + "reference_type": "", + "url": "https://alas.aws.amazon.com/cve/html/CVE-2024-6345.html", + "severities": [ { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "python3-setuptools-wheel", - "version": "", - "qualifiers": "arch=noarch", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "59.6.0-2.amzn2023.0.5" + "system": "cvssv3", + "value": "8.8", + "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "python3-setuptools", - "version": "", - "qualifiers": "arch=noarch", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "59.6.0-2.amzn2023.0.5" - }, - { - "package": { - "type": "rpm", - "namespace": "alas.aws.amazon", - "name": "python-setuptools", - "version": "", - "qualifiers": "arch=src", - "subpath": "" - }, - "affected_version_range": null, - "fixed_version": "59.6.0-2.amzn2023.0.5" - } - ], - "references": [ - { - "reference_id": "CVE-2024-6345", - "reference_type": "", - "url": "https://alas.aws.amazon.com/cve/html/CVE-2024-6345.html", - 
"severities": [ - { - "system": "cvssv3", - "value": "8.8", - "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" - }, - { - "system": "cvssv3", - "value": "8.8", - "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" - } - ] - }, - { - "reference_id": "CVE-2024-6345", - "reference_type": "", - "url": "https://access.redhat.com/security/cve/CVE-2024-6345", - "severities": [] - }, - { - "reference_id": "CVE-2024-6345", - "reference_type": "", - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6345", - "severities": [] + "system": "cvssv3", + "value": "8.8", + "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" } - ], - "date_published": "2024-08-01T04:06:00-07:00", - "weaknesses": [], - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-676.html" -} \ No newline at end of file + ] + }, + { + "reference_id": "CVE-2024-6345", + "reference_type": "", + "url": "https://access.redhat.com/security/cve/CVE-2024-6345", + "severities": [] + }, + { + "reference_id": "CVE-2024-6345", + "reference_type": "", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6345", + "severities": [] + } + ], + "date_published": "2024-08-01T04:06:00-07:00", + "weaknesses": [], + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-676.html" +}