Add Apache Log4j Advisories#1744

Open

NucleonGodX wants to merge 6 commits intoaboutcode-org:mainfrom

NucleonGodX:apachelog

NucleonGodX commented Jan 15, 2025

This pull request addresses issue #586 by adding an importer for Apache Log4j advisories

NucleonGodX added 2 commits

January 15, 2025 12:23


          initial push, add apachelog4importer

208a9d5

Signed-off-by: NucleonGodX <racerpro41@gmail.com>


          codestyle changes

434f637

Signed-off-by: NucleonGodX <racerpro41@gmail.com>

NucleonGodX marked this pull request as draft

January 15, 2025 06:58


          Merge branch 'main' into apachelog

baac7bd

NucleonGodX marked this pull request as ready for review

January 17, 2025 11:12

Contributor

TG1999 commented Jan 23, 2025

@NucleonGodX thanks for your contributions, can you please use pipeline structure. https://github.com/aboutcode-org/vulnerablecode/blob/main/vulnerabilities/pipelines/nvd_importer.py check this for example

pombredanne requested changes

View reviewed changes

Member

pombredanne left a comment

Thanks! In addition to use the new pipelines, here are a few comments for your consideration. We also need some tests.

vulnerabilities/importers/apache_log4j.py Outdated

		@@ -0,0 +1,252 @@
		import logging

Member

pombredanne Jan 24, 2025

Use the same header as in other files

vulnerabilities/importers/apache_log4j.py Outdated

		@@ -0,0 +1,252 @@
		import logging
		import xml.etree.ElementTree as ET

Member

pombredanne Jan 24, 2025

Consider using the cyclonedx python library to parse this, and not parsing XML yourself

vulnerabilities/importers/apache_log4j.py Outdated

+                      Parse the XML content and create AdvisoryData objects.
+                      """
+                      advisories = []
+                      version_mapping = [

Member

pombredanne Jan 24, 2025

Why use mapping? are you positively sure that these are forever all the known versions of log4j? Also this would not be a mapping, rather just a set of some versions?

Author

NucleonGodX Jan 30, 2025

I added them from https://www.cvedetails.com/version-list/45/37215/1/Apache-Log4j.html?order=0.

vulnerabilities/importers/apache_log4j.py Outdated

+                          "2.17.1",
+                      ]
+                      try:

Member

pombredanne Jan 24, 2025

Why a try/except here?

vulnerabilities/importers/apache_log4j.py Outdated

+                      ]
+                      try:
+                          root = ET.fromstring(xml_content)

Member

pombredanne Jan 24, 2025

Use the cyclonedx parser.

vulnerabilities/improvers/valid_versions.py

+              class Log4jImprover(ValidVersionImprover):
+                  importer = ApacheLog4jImporter
+                  ignorable_versions = []

Member

pombredanne Jan 24, 2025

We likely need some improver to get and expand the list of known versions

NucleonGodX added 3 commits

January 27, 2025 22:49


          suggestions applied, importer converted to pipeline

32c9345

Signed-off-by: NucleonGodX <racerpro41@gmail.com>


          clean-up

79e83d1

Signed-off-by: NucleonGodX <racerpro41@gmail.com>


          severity_systems and weaknesses updated for importer

ee6578a

Signed-off-by: NucleonGodX <racerpro41@gmail.com>

NucleonGodX requested a review from pombredanne

January 30, 2025 17:40

keshav-space reviewed

View reviewed changes

vulnerabilities/pipelines/apache_log4j_importer.py

Comment on lines +231 to +232

		unique_versions = sorted(set(versions), key=lambda x: MavenVersion(x))
		version_range_str = f"vers:maven/{('\|'.join(unique_versions))}"

Member

keshav-space Apr 25, 2025

Why not use MavenVersionRange instead?

Author

NucleonGodX May 12, 2025

oh yeah, I'll try to use that.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet