Adds Samba Advisory #1802
Adds Samba Advisory #1802
Conversation
Signed-off-by: Rishi Garg <rishigarg2503@gmail.com>
Signed-off-by: Rishi Garg <rishigarg2503@gmail.com>
Signed-off-by: Rishi Garg <rishigarg2503@gmail.com>
This comment was marked as duplicate.
This comment was marked as duplicate.
Sorry, something went wrong.
keshav-space
left a comment
keshav-space
left a comment
There was a problem hiding this comment.
Thanks @Rishi-source, see feedback and suggestions below. parse_advisory_row is way too convoluted and is trying to do too many things at once. Affected version parsing is not working correctly. Also, browsing the samba package throws a Server Error (500). Make sure to run the import locally and cross validate the quality of the imported vulnerability against upstream advisory.
| if not hasattr(self, "advisory_data"): | ||
| return 0 |
There was a problem hiding this comment.
This will not be required, if fetch step fails for some reason entire pipeline would be terminated.
| cve_ids = [] | ||
| for link in cells[4].find_all("a"): | ||
| cve_id = link.get_text().strip() | ||
| if re.match(r"CVE-\d{4}-\d{4,}", cve_id): | ||
| cve_ids.append(cve_id) |
There was a problem hiding this comment.
CVE parsing is not clean it leads to 404 Client Error: Not Found for url: https://www.samba.org/samba/security/CVE-2019-19344..html
| if version_match: | ||
| affected_packages.append( | ||
| AffectedPackage( | ||
| package=base_purl, fixed_version=f"{version_match.group(1)}-fixed" | ||
| ) | ||
| ) |
There was a problem hiding this comment.
I honestly do not understand why would you put affected_version in fixed version.
And why are you mutating the original version by appending -fixed to version.
| ) | ||
| else: | ||
| affected_packages.append( | ||
| AffectedPackage(package=base_purl, fixed_version="unknown") |
There was a problem hiding this comment.
Why invent imaginary unknown fixed version?
| detailed_summary = issue_desc | ||
|
|
||
| for cve_id in cve_ids: | ||
| details = self.get_advisory_details(cve_id) |
There was a problem hiding this comment.
This will not work for generated id SAMBA-VULN-
| references=references, | ||
| affected_packages=affected_packages, | ||
| date_published=date_published, | ||
| url="https://www.samba.org/samba/history/security.html", |
There was a problem hiding this comment.
Shouldn't the url be the individual announcement like https://www.samba.org/samba/security/CVE-2023-3961.html?
| if version_match: | ||
| affected_packages.append( | ||
| AffectedPackage( | ||
| package=base_purl, fixed_version=f"{version_match.group(1)}-fixed" | ||
| ) | ||
| ) |
There was a problem hiding this comment.
Again why would you put affected_version in fixed version field.
|
Hi @keshav-space , |
| ubuntu_usn.UbuntuUSNImporter, | ||
| fireeye.FireyeImporter, | ||
| oss_fuzz.OSSFuzzImporter, | ||
| ruby.RubyImporter, |
There was a problem hiding this comment.
These lines should not be there when using pipelines
|
@Rishi-source thanks for your interest. Closing this since there has been no response to the change requested, and it has been inactive for a long time. Feel free to reopen once the PR is ready. |
4 participants
Fixes #102