Add V2 Importer for Tuxcare

Samk1710 · Samk1710 · commit 0bb18b58d151 · 2026-01-05T02:11:18.000+05:30
Signed-off-by: Sampurna Pyne &lt;sampurnapyne1710@gmail.com&gt;
diff --git a/vulnerabilities/importers/__init__.py b/vulnerabilities/importers/__init__.py
@@ -65,6 +65,7 @@
 from vulnerabilities.pipelines.v2_importers import ruby_importer as ruby_importer_v2
 from vulnerabilities.pipelines.v2_importers import vulnrichment_importer as vulnrichment_importer_v2
 from vulnerabilities.pipelines.v2_importers import xen_importer as xen_importer_v2
+from vulnerabilities.pipelines.v2_importers import tuxcare_importer as tuxcare_importer_v2
 from vulnerabilities.utils import create_registry
 
 IMPORTERS_REGISTRY = create_registry(
@@ -90,6 +91,7 @@
         ruby_importer_v2.RubyImporterPipeline,
         epss_importer_v2.EPSSImporterPipeline,
         mattermost_importer_v2.MattermostImporterPipeline,
+        tuxcare_importer_v2.TuxCareImporterPipeline,
         nvd_importer.NVDImporterPipeline,
         github_importer.GitHubAPIImporterPipeline,
         gitlab_importer.GitLabImporterPipeline,
diff --git a/vulnerabilities/pipelines/v2_importers/tuxcare_importer.py b/vulnerabilities/pipelines/v2_importers/tuxcare_importer.py
@@ -0,0 +1,114 @@
+import json
+import logging
+from typing import Iterable
+
+from dateutil import parser as date_parser
+from django.utils import timezone
+from packageurl import PackageURL
+from univers.version_range import GenericVersionRange
+
+from vulnerabilities.importer import AdvisoryData
+from vulnerabilities.importer import AffectedPackageV2
+from vulnerabilities.importer import ReferenceV2
+from vulnerabilities.importer import VulnerabilitySeverity
+from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipelineV2
+from vulnerabilities.severity_systems import GENERIC
+from vulnerabilities.utils import fetch_response
+
+logger = logging.getLogger(__name__)
+
+
+class TuxCareImporterPipeline(VulnerableCodeBaseImporterPipelineV2):
+    pipeline_id = "tuxcare_importer_v2"
+    spdx_license_expression = "Apache-2.0"
+    license_url = "https://tuxcare.com/legal"
+    url = "https://cve.tuxcare.com/els/download-json?orderBy=updated-desc"
+
+    @classmethod
+    def steps(cls):
+        return (cls.collect_and_store_advisories,)
+
+    def advisories_count(self) -> int:
+        response = fetch_response(self.url)
+        data = response.json() if response else []
+        return len(data)
+
+    def collect_advisories(self) -> Iterable[AdvisoryData]:
+        response = fetch_response(self.url)
+        if not response:
+            return
+
+        data = response.json()
+        if not data:
+            return
+
+        for record in data:
+            cve_id = record.get("cve", "").strip()
+            if not cve_id or not cve_id.startswith("CVE-"):
+                continue
+
+            os_name = record.get("os_name", "").strip()
+            project_name = record.get("project_name", "").strip()
+            version = record.get("version", "").strip()
+            score = record.get("score", "").strip()
+            severity = record.get("severity", "").strip()
+            status = record.get("status", "").strip()
+            last_updated = record.get("last_updated", "").strip()
+
+            safe_os = os_name.replace(" ", "_") if os_name else "unknown"
+            advisory_id = f"TUXCARE-{cve_id}-{safe_os}-{project_name}"
+
+            summary = f"TuxCare advisory for {cve_id}"
+            if project_name:
+                summary += f" in {project_name}"
+            if os_name:
+                summary += f" on {os_name}"
+
+            affected_packages = []
+            if project_name:
+                purl = PackageURL(type="generic", name=project_name)
+                
+                affected_version_range = None
+                if version:
+                    try:
+                        affected_version_range = GenericVersionRange.from_versions([version])
+                    except Exception:
+                        pass
+
+                affected_packages.append(
+                    AffectedPackageV2(
+                        package=purl,
+                        affected_version_range=affected_version_range,
+                    )
+                )
+
+            severities = []
+            if severity and score:
+                severities.append(
+                    VulnerabilitySeverity(
+                        system=GENERIC,
+                        value=f"{severity} ({score})",
+                        scoring_elements=f"score={score},severity={severity}",
+                    )
+                )
+
+            date_published = None
+            if last_updated:
+                try:
+                    date_published = date_parser.parse(last_updated)
+                    if timezone.is_naive(date_published):
+                        date_published = timezone.make_aware(date_published, timezone=timezone.utc)
+                except Exception:
+                    pass
+
+            yield AdvisoryData(
+                advisory_id=advisory_id,
+                aliases=[cve_id],
+                summary=summary,
+                affected_packages=affected_packages,
+                references_v2=[ReferenceV2(url="https://cve.tuxcare.com/")],
+                severities=severities,
+                date_published=date_published,
+                url="https://cve.tuxcare.com/",
+                original_advisory_text=json.dumps(record, indent=2, ensure_ascii=False),
+            )
diff --git a/vulnerabilities/tests/pipelines/v2_importers/test_tuxcare_importer_v2.py b/vulnerabilities/tests/pipelines/v2_importers/test_tuxcare_importer_v2.py
@@ -0,0 +1,48 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+import json
+from pathlib import Path
+from unittest import TestCase
+from unittest.mock import Mock
+from unittest.mock import patch
+
+from vulnerabilities.pipelines.v2_importers.tuxcare_importer import TuxCareImporterPipeline
+from vulnerabilities.tests import util_tests
+
+TEST_DATA = Path(__file__).parent.parent.parent / "test_data" / "tuxcare"
+
+
+class TestTuxCareImporterPipeline(TestCase):
+    @patch("vulnerabilities.pipelines.v2_importers.tuxcare_importer.fetch_response")
+    def test_collect_advisories(self, mock_fetch):
+        """Test collecting and parsing advisories from test data"""
+        sample_path = TEST_DATA / "data.json"
+        sample_data = json.loads(sample_path.read_text(encoding="utf-8"))
+
+        mock_fetch.return_value = Mock(json=lambda: sample_data)
+
+        pipeline = TuxCareImporterPipeline()
+        advisories = [data.to_dict() for data in list(pipeline.collect_advisories())]
+
+        expected_file = TEST_DATA / "expected.json"
+        util_tests.check_results_against_json(advisories, expected_file)
+
+    @patch("vulnerabilities.pipelines.v2_importers.tuxcare_importer.fetch_response")
+    def test_advisories_count(self, mock_fetch):
+        """Test counting advisories"""
+        sample_path = TEST_DATA / "data.json"
+        sample_data = json.loads(sample_path.read_text(encoding="utf-8"))
+
+        mock_fetch.return_value = Mock(json=lambda: sample_data)
+
+        pipeline = TuxCareImporterPipeline()
+        count = pipeline.advisories_count()
+
+        assert count == 5
diff --git a/vulnerabilities/tests/test_data/tuxcare/data.json b/vulnerabilities/tests/test_data/tuxcare/data.json
@@ -0,0 +1,52 @@
+[
+  {
+    "cve": "CVE-2023-52922",
+    "os_name": "CloudLinux 7 ELS",
+    "project_name": "squid",
+    "version": "3.5.20",
+    "score": "7.8",
+    "severity": "HIGH",
+    "status": "In Testing",
+    "last_updated": "2025-12-23 10:08:36.423446"
+  },
+  {
+    "cve": "CVE-2023-52922",
+    "os_name": "Oracle Linux 7 ELS",
+    "project_name": "squid",
+    "version": "3.5.20",
+    "score": "7.8",
+    "severity": "HIGH",
+    "status": "In Testing",
+    "last_updated": "2025-12-23 10:08:35.944749"
+  },
+  {
+    "cve": "CVE-2023-48161",
+    "os_name": "RHEL 7 ELS",
+    "project_name": "java-11-openjdk",
+    "version": "11.0.23",
+    "score": "7.1",
+    "severity": "HIGH",
+    "status": "In Progress",
+    "last_updated": "2025-12-23 08:55:12.096092"
+  },
+  {
+    "cve": "CVE-2024-21147",
+    "os_name": "RHEL 7 ELS",
+    "project_name": "java-11-openjdk",
+    "version": "11.0.23",
+    "score": "7.4",
+    "severity": "HIGH",
+    "status": "In Progress",
+    "last_updated": "2025-12-23 08:55:07.139188"
+  },
+  {
+    "cve": "CVE-2025-21587",
+    "os_name": "RHEL 7 ELS",
+    "project_name": "java-11-openjdk",
+    "version": "11.0.23",
+    "score": "7.4",
+    "severity": "HIGH",
+    "status": "In Progress",
+    "last_updated": "2025-12-23 08:55:06.706873"
+  }
+]
diff --git a/vulnerabilities/tests/test_data/tuxcare/expected.json b/vulnerabilities/tests/test_data/tuxcare/expected.json
@@ -0,0 +1,102 @@
+[
+  {
+    "advisory_id": "TUXCARE-CVE-2023-52922-CloudLinux_7_ELS-squid",
+    "aliases": ["CVE-2023-52922"],
+    "summary": "TuxCare advisory for CVE-2023-52922 in squid on CloudLinux 7 ELS",
+    "affected_packages": [
+      {
+        "package": {"type": "generic", "namespace": "", "name": "squid", "version": "", "qualifiers": "", "subpath": ""},
+        "affected_version_range": "vers:generic/3.5.20",
+        "fixed_version_range": null,
+        "introduced_by_commit_patches": [],
+        "fixed_by_commit_patches": []
+      }
+    ],
+    "references_v2": [{"reference_id": "", "reference_type": "", "url": "https://cve.tuxcare.com/"}],
+    "patches": [],
+    "severities": [{"system": "generic_textual", "value": "HIGH (7.8)", "scoring_elements": "score=7.8,severity=HIGH"}],
+    "date_published": "2025-12-23T10:08:36.423446+00:00",
+    "weaknesses": [],
+    "url": "https://cve.tuxcare.com/"
+  },
+  {
+    "advisory_id": "TUXCARE-CVE-2023-52922-Oracle_Linux_7_ELS-squid",
+    "aliases": ["CVE-2023-52922"],
+    "summary": "TuxCare advisory for CVE-2023-52922 in squid on Oracle Linux 7 ELS",
+    "affected_packages": [
+      {
+        "package": {"type": "generic", "namespace": "", "name": "squid", "version": "", "qualifiers": "", "subpath": ""},
+        "affected_version_range": "vers:generic/3.5.20",
+        "fixed_version_range": null,
+        "introduced_by_commit_patches": [],
+        "fixed_by_commit_patches": []
+      }
+    ],
+    "references_v2": [{"reference_id": "", "reference_type": "", "url": "https://cve.tuxcare.com/"}],
+    "patches": [],
+    "severities": [{"system": "generic_textual", "value": "HIGH (7.8)", "scoring_elements": "score=7.8,severity=HIGH"}],
+    "date_published": "2025-12-23T10:08:35.944749+00:00",
+    "weaknesses": [],
+    "url": "https://cve.tuxcare.com/"
+  },
+  {
+    "advisory_id": "TUXCARE-CVE-2023-48161-RHEL_7_ELS-java-11-openjdk",
+    "aliases": ["CVE-2023-48161"],
+    "summary": "TuxCare advisory for CVE-2023-48161 in java-11-openjdk on RHEL 7 ELS",
+    "affected_packages": [
+      {
+        "package": {"type": "generic", "namespace": "", "name": "java-11-openjdk", "version": "", "qualifiers": "", "subpath": ""},
+        "affected_version_range": "vers:generic/11.0.23",
+        "fixed_version_range": null,
+        "introduced_by_commit_patches": [],
+        "fixed_by_commit_patches": []
+      }
+    ],
+    "references_v2": [{"reference_id": "", "reference_type": "", "url": "https://cve.tuxcare.com/"}],
+    "patches": [],
+    "severities": [{"system": "generic_textual", "value": "HIGH (7.1)", "scoring_elements": "score=7.1,severity=HIGH"}],
+    "date_published": "2025-12-23T08:55:12.096092+00:00",
+    "weaknesses": [],
+    "url": "https://cve.tuxcare.com/"
+  },
+  {
+    "advisory_id": "TUXCARE-CVE-2024-21147-RHEL_7_ELS-java-11-openjdk",
+    "aliases": ["CVE-2024-21147"],
+    "summary": "TuxCare advisory for CVE-2024-21147 in java-11-openjdk on RHEL 7 ELS",
+    "affected_packages": [
+      {
+        "package": {"type": "generic", "namespace": "", "name": "java-11-openjdk", "version": "", "qualifiers": "", "subpath": ""},
+        "affected_version_range": "vers:generic/11.0.23",
+        "fixed_version_range": null,
+        "introduced_by_commit_patches": [],
+        "fixed_by_commit_patches": []
+      }
+    ],
+    "references_v2": [{"reference_id": "", "reference_type": "", "url": "https://cve.tuxcare.com/"}],
+    "patches": [],
+    "severities": [{"system": "generic_textual", "value": "HIGH (7.4)", "scoring_elements": "score=7.4,severity=HIGH"}],
+    "date_published": "2025-12-23T08:55:07.139188+00:00",
+    "weaknesses": [],
+    "url": "https://cve.tuxcare.com/"
+  },
+  {
+    "advisory_id": "TUXCARE-CVE-2025-21587-RHEL_7_ELS-java-11-openjdk",
+    "aliases": ["CVE-2025-21587"],
+    "summary": "TuxCare advisory for CVE-2025-21587 in java-11-openjdk on RHEL 7 ELS",
+    "affected_packages": [
+      {
+        "package": {"type": "generic", "namespace": "", "name": "java-11-openjdk", "version": "", "qualifiers": "", "subpath": ""},
+        "affected_version_range": "vers:generic/11.0.23",
+        "fixed_version_range": null,
+        "introduced_by_commit_patches": [],
+        "fixed_by_commit_patches": []
+      }
+    ],
+    "references_v2": [{"reference_id": "", "reference_type": "", "url": "https://cve.tuxcare.com/"}],
+    "patches": [],
+    "severities": [{"system": "generic_textual", "value": "HIGH (7.4)", "scoring_elements": "score=7.4,severity=HIGH"}],
+    "date_published": "2025-12-23T08:55:06.706873+00:00",
+    "weaknesses": [],
+    "url": "https://cve.tuxcare.com/"
+  }
+]
