Skip to content

Commit 81b5338

Browse files
sbs2001sbs2001
committed
✅ Add tests for NVD importer
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
1 parent b80e2ef commit 81b5338

4 files changed

Lines changed: 499 additions & 4 deletions

File tree

vulnerabilities/importer_yielder.py

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -135,6 +135,15 @@
135135
'data_source': 'RedhatDataSource',
136136
'data_source_cfg': {},
137137
},
138+
{
139+
'name': 'nvd',
140+
'license': '',
141+
'last_run': None,
142+
'data_source': 'NVDDataSource',
143+
'data_source_cfg': {
144+
'etags': {},
145+
},
146+
},
138147
{
139148
'name': 'gentoo',
140149
'license': '',

vulnerabilities/importers/nvd.py

Lines changed: 7 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -20,18 +20,18 @@
2020
# VulnerableCode is a free software code scanning tool from nexB Inc. and others.
2121
# Visit https://github.com/nexB/vulnerablecode/ for support and download.
2222

23+
import dataclasses
2324
import gzip
2425
import json
25-
import dataclasses
2626
from dateutil import parser as dateparser
2727
from datetime import date
2828

2929
import requests
3030

31-
from vulnerabilities.data_source import DataSource
32-
from vulnerabilities.data_source import Reference
3331
from vulnerabilities.data_source import Advisory
32+
from vulnerabilities.data_source import DataSource
3433
from vulnerabilities.data_source import DataSourceConfiguration
34+
from vulnerabilities.data_source import Reference
3535

3636

3737
@dataclasses.dataclass
@@ -47,11 +47,14 @@ class NVDDataSource(DataSource):
4747
CONFIG_CLASS = NVDDataSourceConfiguration
4848

4949
def updated_advisories(self):
50-
years = [1]
5150
current_year = date.today().year
5251
# NVD json feeds start from 2002.
5352
for year in range(2002, current_year + 1):
5453
download_url = BASE_URL.format(year)
54+
# Etags are like hashes of web responses. We maintain
55+
# (url, etag) mappings in the DB. `create_etag` creates
56+
# (url, etag) pair. If a (url, etag) already exists then the code
57+
# skips processing the response further to avoid duplicate work
5558
if self.create_etag(download_url):
5659
data = self.fetch(download_url)
5760
yield self.to_advisories(data)

vulnerabilities/tests/test_data/nvd/nvd_test.json

Lines changed: 269 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,269 @@
1+
{
2+
"CVE_data_type": "CVE",
3+
"CVE_data_format": "MITRE",
4+
"CVE_data_version": "4.0",
5+
"CVE_data_numberOfCVEs": "4758",
6+
"CVE_data_timestamp": "2020-07-29T09:05Z",
7+
"CVE_Items": [
8+
{
9+
"cve": {
10+
"data_type": "CVE",
11+
"data_format": "MITRE",
12+
"data_version": "4.0",
13+
"CVE_data_meta": {
14+
"ID": "CVE-2005-4895",
15+
"ASSIGNER": "cve@mitre.org"
16+
},
17+
"problemtype": {
18+
"problemtype_data": [
19+
{
20+
"description": [
21+
{
22+
"lang": "en",
23+
"value": "CWE-189"
24+
}
25+
]
26+
}
27+
]
28+
},
29+
"references": {
30+
"reference_data": [
31+
{
32+
"url": "http://code.google.com/p/gperftools/source/browse/tags/perftools-0.4/ChangeLog",
33+
"name": "http://code.google.com/p/gperftools/source/browse/tags/perftools-0.4/ChangeLog",
34+
"refsource": "CONFIRM",
35+
"tags": []
36+
},
37+
{
38+
"url": "http://kqueue.org/blog/2012/03/05/memory-allocator-security-revisited/",
39+
"name": "http://kqueue.org/blog/2012/03/05/memory-allocator-security-revisited/",
40+
"refsource": "MISC",
41+
"tags": []
42+
}
43+
]
44+
},
45+
"description": {
46+
"description_data": [
47+
{
48+
"lang": "en",
49+
"value": "Multiple integer overflows in TCMalloc (tcmalloc.cc) in gperftools before 0.4 make it easier for context-dependent attackers to perform memory-related attacks such as buffer overflows via a large size value, which causes less memory to be allocated than expected."
50+
}
51+
]
52+
}
53+
},
54+
"configurations": {
55+
"CVE_data_version": "4.0",
56+
"nodes": [
57+
{
58+
"operator": "OR",
59+
"cpe_match": [
60+
{
61+
"vulnerable": true,
62+
"cpe23Uri": "cpe:2.3:a:csilvers:gperftools:0.1:*:*:*:*:*:*:*"
63+
},
64+
{
65+
"vulnerable": true,
66+
"cpe23Uri": "cpe:2.3:a:csilvers:gperftools:0.2:*:*:*:*:*:*:*"
67+
},
68+
{
69+
"vulnerable": true,
70+
"cpe23Uri": "cpe:2.3:a:csilvers:gperftools:*:*:*:*:*:*:*:*",
71+
"versionEndIncluding": "0.3"
72+
}
73+
]
74+
}
75+
]
76+
},
77+
"impact": {
78+
"baseMetricV2": {
79+
"cvssV2": {
80+
"version": "2.0",
81+
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
82+
"accessVector": "NETWORK",
83+
"accessComplexity": "LOW",
84+
"authentication": "NONE",
85+
"confidentialityImpact": "NONE",
86+
"integrityImpact": "NONE",
87+
"availabilityImpact": "PARTIAL",
88+
"baseScore": 5.0
89+
},
90+
"severity": "MEDIUM",
91+
"exploitabilityScore": 10.0,
92+
"impactScore": 2.9,
93+
"obtainAllPrivilege": false,
94+
"obtainUserPrivilege": false,
95+
"obtainOtherPrivilege": false,
96+
"userInteractionRequired": false
97+
}
98+
},
99+
"publishedDate": "2012-07-25T19:55Z",
100+
"lastModifiedDate": "2012-08-09T04:00Z"
101+
},
102+
{
103+
"cve": {
104+
"data_type": "CVE",
105+
"data_format": "MITRE",
106+
"data_version": "4.0",
107+
"CVE_data_meta": {
108+
"ID": "CVE-2005-4900",
109+
"ASSIGNER": "cve@mitre.org"
110+
},
111+
"problemtype": {
112+
"problemtype_data": [
113+
{
114+
"description": [
115+
{
116+
"lang": "en",
117+
"value": "CWE-326"
118+
}
119+
]
120+
}
121+
]
122+
},
123+
"references": {
124+
"reference_data": [
125+
{
126+
"url": "http://ia.cr/2007/474",
127+
"name": "2007",
128+
"refsource": "MISC",
129+
"tags": [
130+
"Third Party Advisory"
131+
]
132+
},
133+
{
134+
"url": "http://shattered.io/",
135+
"name": "http://shattered.io/",
136+
"refsource": "MISC",
137+
"tags": []
138+
},
139+
{
140+
"url": "http://www.cwi.nl/news/2017/cwi-and-google-announce-first-collision-industry-security-standard-sha-1",
141+
"name": "http://www.cwi.nl/news/2017/cwi-and-google-announce-first-collision-industry-security-standard-sha-1",
142+
"refsource": "MISC",
143+
"tags": []
144+
},
145+
{
146+
"url": "http://www.securityfocus.com/bid/12577",
147+
"name": "exceedsDBexceedsDBexceedsDBexceedsDBexceedsDBexceedsDB",
148+
"refsource": "BID",
149+
"tags": []
150+
},
151+
{
152+
"url": "https://arstechnica.com/security/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/",
153+
"name": "https://arstechnica.com/security/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/",
154+
"refsource": "MISC",
155+
"tags": []
156+
},
157+
{
158+
"url": "https://security.googleblog.com/2015/12/an-update-on-sha-1-certificates-in.html",
159+
"name": "https://security.googleblog.com/2015/12/an-update-on-sha-1-certificates-in.html",
160+
"refsource": "MISC",
161+
"tags": [
162+
"Third Party Advisory"
163+
]
164+
},
165+
{
166+
"url": "https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html",
167+
"name": "https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html",
168+
"refsource": "MISC",
169+
"tags": []
170+
},
171+
{
172+
"url": "https://sites.google.com/site/itstheshappening",
173+
"name": "https://sites.google.com/site/itstheshappening",
174+
"refsource": "MISC",
175+
"tags": [
176+
"Third Party Advisory"
177+
]
178+
},
179+
{
180+
"url": "https://www.schneier.com/blog/archives/2005/02/sha1_broken.html",
181+
"name": "https://www.schneier.com/blog/archives/2005/02/sha1_broken.html",
182+
"refsource": "MISC",
183+
"tags": [
184+
"Third Party Advisory"
185+
]
186+
},
187+
{
188+
"url": "https://www.schneier.com/blog/archives/2005/08/new_cryptanalyt.html",
189+
"name": "https://www.schneier.com/blog/archives/2005/08/new_cryptanalyt.html",
190+
"refsource": "MISC",
191+
"tags": [
192+
"Third Party Advisory"
193+
]
194+
}
195+
]
196+
},
197+
"description": {
198+
"description_data": [
199+
{
200+
"lang": "en",
201+
"value": "SHA-1 is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of SHA-1 in TLS 1.2. NOTE: this CVE exists to provide a common identifier for referencing this SHA-1 issue; the existence of an identifier is not, by itself, a technology recommendation."
202+
},
203+
{
204+
"lang": "en",
205+
"value": "SHA-1 is likely present in a large number of products across the entire IT sector. The applicability statement for this CVE will be updated when specific products are identified, as time and resources permit."
206+
}
207+
]
208+
}
209+
},
210+
"configurations": {
211+
"CVE_data_version": "4.0",
212+
"nodes": [
213+
{
214+
"operator": "OR",
215+
"cpe_match": [
216+
{
217+
"vulnerable": true,
218+
"cpe23Uri": "cpe:2.3:h:google:chrome:*:*:*:*:*:*:*:*",
219+
"versionEndIncluding": "47.0.2526.111"
220+
}
221+
]
222+
}
223+
]
224+
},
225+
"impact": {
226+
"baseMetricV3": {
227+
"cvssV3": {
228+
"version": "3.0",
229+
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
230+
"attackVector": "NETWORK",
231+
"attackComplexity": "HIGH",
232+
"privilegesRequired": "NONE",
233+
"userInteraction": "NONE",
234+
"scope": "UNCHANGED",
235+
"confidentialityImpact": "HIGH",
236+
"integrityImpact": "NONE",
237+
"availabilityImpact": "NONE",
238+
"baseScore": 5.9,
239+
"baseSeverity": "MEDIUM"
240+
},
241+
"exploitabilityScore": 2.2,
242+
"impactScore": 3.6
243+
},
244+
"baseMetricV2": {
245+
"cvssV2": {
246+
"version": "2.0",
247+
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
248+
"accessVector": "NETWORK",
249+
"accessComplexity": "MEDIUM",
250+
"authentication": "NONE",
251+
"confidentialityImpact": "PARTIAL",
252+
"integrityImpact": "NONE",
253+
"availabilityImpact": "NONE",
254+
"baseScore": 4.3
255+
},
256+
"severity": "MEDIUM",
257+
"exploitabilityScore": 8.6,
258+
"impactScore": 2.9,
259+
"obtainAllPrivilege": false,
260+
"obtainUserPrivilege": false,
261+
"obtainOtherPrivilege": false,
262+
"userInteractionRequired": false
263+
}
264+
},
265+
"publishedDate": "2016-10-14T16:59Z",
266+
"lastModifiedDate": "2018-05-30T01:29Z"
267+
}
268+
]
269+
}

0 commit comments

Comments
 (0)