Update Clamav to work with the new model

Signed-off-by: ziad hany <ziadhany2016@gmail.com>

Author: ziadhany

vulnerabilities/improvers/__init__.py

@@ -19,7 +19,7 @@
 from vulnerabilities.pipelines import flag_ghost_packages
 from vulnerabilities.pipelines import populate_vulnerability_summary_pipeline
 from vulnerabilities.pipelines import remove_duplicate_advisories
-from vulnerabilities.pipelines.v2_improvers import clamv_rules
+from vulnerabilities.pipelines.v2_improvers import clamav_rules
 from vulnerabilities.pipelines.v2_improvers import compute_advisory_todo as compute_advisory_todo_v2
 from vulnerabilities.pipelines.v2_improvers import compute_package_risk as compute_package_risk_v2
 from vulnerabilities.pipelines.v2_improvers import (
@@ -71,6 +71,6 @@
         compute_advisory_todo_v2.ComputeToDo,
         unfurl_version_range_v2.UnfurlVersionRangePipeline,
         compute_advisory_todo.ComputeToDo,
-        clamv_rules.ClamVRulesImproverPipeline,
+        clamav_rules.ClamVRulesImproverPipeline,
     ]
 )

vulnerabilities/models.py

@@ -3416,29 +3416,43 @@ class Meta:
         unique_together = ("commit_hash", "vcs_url")
 
 
-class AdvisoryDetectionRule(models.Model):
-    """"""
+class DetectionRuleTypes(models.TextChoices):
+    """Defines the supported formats for security detection rules."""
 
-    RULE_TYPES = [
-        ("yara", "YARA"),
-        ("sigma", "Sigma Detection Rule"),
-        ("clamav", "ClamAV Signature"),
-    ]
+    YARA = "yara", "Yara"
+    YARA_X = "yara-x", "Yara-X"
+    SIGMA = "sigma", "Sigma"
+    CLAMAV = "clamav", "CLAMAV"
+    SURICATA = "suricata", "Suricata"
 
-    advisory = models.ForeignKey(
-        AdvisoryV2,
-        related_name="detection_rules",
-        on_delete=models.SET_NULL,
+
+class DetectionRule(models.Model):
+    """
+    A Detection Rule is code used to identify malicious activity or security threats.
+    """
+
+    rule_type = models.CharField(
+        max_length=50,
+        choices=DetectionRuleTypes.choices,
+        help_text="The type of the detection rule content (e.g., YARA, Sigma).",
+    )
+
+    source_url = models.URLField(
+        max_length=1024, help_text="URL to the original source or reference for this rule."
+    )
+
+    rule_metadata = models.JSONField(
         null=True,
         blank=True,
+        help_text="Additional structured data such as tags, or author information.",
     )
 
-    rule_text = models.TextField(help_text="Full text of the detection rule, script, or signature.")
-
-    rule_type = models.CharField(max_length=100, choices=RULE_TYPES, blank=True)
+    rule_text = models.TextField(help_text="The content of the detection signature.")
 
-    source_url = models.URLField(
+    advisory = models.ForeignKey(
+        AdvisoryV2,
+        related_name="detection_rules",
+        on_delete=models.SET_NULL,
         null=True,
         blank=True,
-        help_text="URL or reference to the source of the rule (vendor feed, GitHub repo, etc.).",
     )

…es/pipelines/v2_improvers/clamv_rules.py …s/pipelines/v2_improvers/clamav_rules.pyvulnerabilities/pipelines/v2_improvers/clamv_rules.py renamed to vulnerabilities/pipelines/v2_improvers/clamav_rules.py vulnerabilities/pipelines/v2_improvers/clamv_rules.py renamed to vulnerabilities/pipelines/v2_improvers/clamav_rules.py

@@ -19,7 +19,8 @@
 import requests
 
 from vulnerabilities.models import AdvisoryAlias
-from vulnerabilities.models import AdvisoryDetectionRule
+from vulnerabilities.models import DetectionRule
+from vulnerabilities.models import DetectionRuleTypes
 from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipelineV2
 from vulnerabilities.utils import find_all_cve
 
@@ -107,7 +108,7 @@ class ClamVRulesImproverPipeline(VulnerableCodeBaseImporterPipelineV2):
 
     pipeline_id = "clamv_rules"
     MAIN_DATABASE_URL = "https://database.clamav.net/main.cvd"
-    license_url = ""
+    license_url = "https://github.com/Cisco-Talos/clamav/blob/c73755d3fc130b0c60ccf4e8f8d28c62fc58c95b/README.md#licensing"
     license_expression = "GNU GENERAL PUBLIC LICENSE"
 
     @classmethod
@@ -153,37 +154,41 @@ def extract_database(self):
 
     def collect_and_store_advisories(self):
         """Parse .ndb and .hdb files and store rules in the DB."""
-        rules = {}
-        for entry in parse_hdb_file(self.extract_cvd_dir / "main.hdb") + parse_ndb_file(
+
+        for rule_entry in parse_hdb_file(self.extract_cvd_dir / "main.hdb") + parse_ndb_file(
             self.extract_cvd_dir / "main.ndb"
         ):
-            name = entry.get("name", "")
-            cve = extract_cve_id(name)
-            if cve:
-                rules[cve] = entry
-
-        rules_added = 0
-        for cve_id, rule_text in rules.items():
-            advisories = set()
-            try:
-                if alias := AdvisoryAlias.objects.get(alias=cve_id):
-                    for adv in alias.advisories.all():
-                        advisories.add(adv)
-            except AdvisoryAlias.DoesNotExist:
-                self.log(f"Advisory {cve_id} not found.")
-                continue
-
-            for advisory in advisories:
-                AdvisoryDetectionRule.objects.update_or_create(
-                    advisory=advisory,
-                    rule_type="clamav",
+            name = rule_entry.get("name", "")
+            cve_id = extract_cve_id(name)
+            found_advisories = set()
+
+            if cve_id:
+                try:
+                    if alias := AdvisoryAlias.objects.get(alias=cve_id):
+                        for adv in alias.advisories.all():
+                            found_advisories.add(adv)
+                except AdvisoryAlias.DoesNotExist:
+                    self.log(f"Advisory {cve_id} not found.")
+
+            for adv in found_advisories:
+                DetectionRule.objects.update_or_create(
+                    rule_text=str(rule_entry),
+                    rule_type=DetectionRuleTypes.CLAMAV,
+                    advisory=adv,
                     defaults={
-                        "rule_text": str(rule_text),
+                        "source_url": self.MAIN_DATABASE_URL,
                     },
                 )
 
-                rules_added += 1
-        self.log(f"Successfully added/updated {rules_added} rules for advisories.")
+            if not found_advisories:
+                DetectionRule.objects.update_or_create(
+                    rule_text=str(rule_entry),
+                    rule_type=DetectionRuleTypes.CLAMAV,
+                    advisory=None,
+                    defaults={
+                        "source_url": self.MAIN_DATABASE_URL,
+                    },
+                )
 
     def clean_downloads(self):
         """Clean up downloaded files."""

vulnerabilities/tests/pipelines/v2_improvers/test_clamv_rules.py

@@ -15,18 +15,18 @@
 import pytest
 
 from vulnerabilities.models import AdvisoryAlias
-from vulnerabilities.models import AdvisoryDetectionRule
 from vulnerabilities.models import AdvisoryV2
-from vulnerabilities.pipelines.v2_improvers.clamv_rules import ClamVRulesImproverPipeline
+from vulnerabilities.models import DetectionRule
+from vulnerabilities.pipelines.v2_improvers.clamav_rules import ClamVRulesImproverPipeline
 
 BASE_DIR = Path(__file__).resolve().parent
-TEST_REPO_DIR = (BASE_DIR / "../../test_data/clamv").resolve()
+TEST_REPO_DIR = (BASE_DIR / "../../test_data/clamav").resolve()
 
 
 @pytest.mark.django_db
-@mock.patch("vulnerabilities.pipelines.v2_improvers.clamv_rules.extract_cvd")
-@mock.patch("vulnerabilities.pipelines.v2_improvers.clamv_rules.requests.get")
-def test_clamv_rules_db_improver(mock_requests_get, mock_extract_cvd):
+@mock.patch("vulnerabilities.pipelines.v2_improvers.clamav_rules.extract_cvd")
+@mock.patch("vulnerabilities.pipelines.v2_improvers.clamav_rules.requests.get")
+def test_clamav_rules_db_improver(mock_requests_get, mock_extract_cvd):
     mock_resp = MagicMock()
     mock_resp.iter_content.return_value = [b"fake data"]
     mock_resp.raise_for_status.return_value = None
@@ -70,6 +70,82 @@ def test_clamv_rules_db_improver(mock_requests_get, mock_extract_cvd):
     improver = ClamVRulesImproverPipeline()
     improver.execute()
 
-    assert AdvisoryDetectionRule.objects.count() == 3
-    first_rule = AdvisoryDetectionRule.objects.first()
-    assert first_rule.rule_type == "clamav"
+    assert DetectionRule.objects.count() == 14
+    assert DetectionRule.objects.get(advisory=adv1)
+    assert DetectionRule.objects.get(advisory=adv2)
+    assert DetectionRule.objects.get(advisory=adv3)
+    assert [
+        (detection_rule.rule_type, detection_rule.rule_text, detection_rule.source_url)
+        for detection_rule in DetectionRule.objects.all()
+    ] == [
+        (
+            "clamav",
+            "{'hash': 'af9a2ce339b3a314cd8ce31f4e2489a5', 'file_size': '149420', 'name': 'Archive.Malware.Agent-7116646-0', 'line_num': 1}",
+            "https://database.clamav.net/main.cvd",
+        ),
+        (
+            "clamav",
+            "{'hash': 'ab51de8588946f1332d53dd53bac8056', 'file_size': '48580', 'name': 'Html.Malware.Agent-7116647-0', 'line_num': 2}",
+            "https://database.clamav.net/main.cvd",
+        ),
+        (
+            "clamav",
+            "{'hash': '3f70569ac131833698c3d1c20e0123ca', 'file_size': '676', 'name': 'Html.Malware.Agent-7116648-0', 'line_num': 3}",
+            "https://database.clamav.net/main.cvd",
+        ),
+        (
+            "clamav",
+            "{'hash': 'df6634d021a6df4d17f005e507beac88', 'file_size': '6268', 'name': 'Win.Exploit.CVE_2019_1199-7116649-2', 'line_num': 4}",
+            "https://database.clamav.net/main.cvd",
+        ),
+        (
+            "clamav",
+            "{'hash': '27ebcd8c72e6e3c7f4a64dc68b95dd8a', 'file_size': '173248', 'name': 'Html.Malware.Agent-7116650-0', 'line_num': 5}",
+            "https://database.clamav.net/main.cvd",
+        ),
+        (
+            "clamav",
+            "{'hash': '8745d432f7027e65178e92b2239bef25', 'file_size': '384634', 'name': 'Archive.Malware.Agent-7116651-0', 'line_num': 6}",
+            "https://database.clamav.net/main.cvd",
+        ),
+        (
+            "clamav",
+            "{'hash': '63d1a25066c121253febc907850b1852', 'file_size': '50185', 'name': 'Html.Malware.Agent-7116652-0', 'line_num': 7}",
+            "https://database.clamav.net/main.cvd",
+        ),
+        (
+            "clamav",
+            "{'hash': '92233ed6889cd0ba7bf632e3f45fc950', 'file_size': '97134', 'name': 'Html.Malware.Agent-7116653-0', 'line_num': 8}",
+            "https://database.clamav.net/main.cvd",
+        ),
+        (
+            "clamav",
+            "{'name': 'Win.Exploit.CVE_2020_0720-7578647-1', 'target_type': '1', 'offset': '*', 'hex_signature': '240C1400000068E8214000660F1344241C897C2414C744241805000000E80EFEFFFF83C4048D44240C50FF1544204000', 'line_num': 1}",
+            "https://database.clamav.net/main.cvd",
+        ),
+        (
+            "clamav",
+            "{'name': 'Win.Exploit.CVE_2020_0731-7583553-0', 'target_type': '1', 'offset': '*', 'hex_signature': '83C4088B55F0526AF48B45FC50FF15D4C146008945E46A006A006A108B4D', 'line_num': 2}",
+            "https://database.clamav.net/main.cvd",
+        ),
+        (
+            "clamav",
+            "{'name': 'Win.Exploit.CVE_2020_0722-7583689-1', 'target_type': '1', 'offset': '*', 'hex_signature': '488B555033C9FF15A1F100004889057AB10000488B0D73B10000FF1575F10000EB86', 'line_num': 3}",
+            "https://database.clamav.net/main.cvd",
+        ),
+        (
+            "clamav",
+            "{'name': 'Win.Ransomware.MailTo-7586723-0', 'target_type': '1', 'offset': '*', 'hex_signature': '496e746572666163345c7b62313936623238372d626162342d313031612d623639632d3030616130303334316430377d*4c616d616e74696e652e537469636b7950617373776f7264', 'line_num': 4}",
+            "https://database.clamav.net/main.cvd",
+        ),
+        (
+            "clamav",
+            "{'name': 'Win.Trojan.Emotet-7587729-1', 'target_type': '1', 'offset': '*', 'hex_signature': '565053e801000000cc5889c3402d00e016002dacb00b1005a3b00b10803bcc7519c60300bb00100000682ece177a680f9067565350e80a00000083c000894424085b58c35589e5505351568b75088b4d0cc1e9028b45108b5d1485c9740a3106011e83c60449ebf25e595b58c9c21000', 'line_num': 5}",
+            "https://database.clamav.net/main.cvd",
+        ),
+        (
+            "clamav",
+            "{'name': 'Win.Trojan.Hoplight-7587747-0', 'target_type': '1', 'offset': '*', 'hex_signature': '4e6574776f726b20554450205472616365204d616e6167656d656e742053657276696365*6d646e6574757365*554450547263537663', 'line_num': 6}",
+            "https://database.clamav.net/main.cvd",
+        ),
+    ]