
Commit a5e8b61

Address Ziad review: reference_type, cpeUri refs, specific exceptions
Signed-off-by: Anmol Vats <anmolvats2003@gmail.com>
1 parent f99e00d commit a5e8b61


6 files changed

+494
-19
lines changed


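--- a/vulnerabilities/pipelines/v2_importers/alpine_security_importer.py
+++ b/vulnerabilities/pipelines/v2_importers/alpine_security_importer.py
@@ -48,7 +48,7 @@ def get_branches() -> list:
             data = resp.json()
             # Branch entries have dict values; scalar values indicate non-branch keys.
             active = [k for k, v in data.items() if isinstance(v, dict)]
-        except Exception as e:
+        except (requests.RequestException, ValueError) as e:
             logger.error("Failed to discover branches from root API: %s", e)
             active = []
 
@@ -76,7 +76,7 @@ def advisories_count(self) -> int:
                 resp = requests.get(url, headers=ADVISORY_HEADERS, timeout=30)
                 resp.raise_for_status()
                 data = resp.json()
-            except Exception as e:
+            except (requests.RequestException, ValueError) as e:
                 logger.error("Failed to fetch branch %s: %s", branch, e)
                 continue
             count += len(data.get("items") or [])
@@ -89,7 +89,7 @@ def collect_advisories(self) -> Iterable[AdvisoryDataV2]:
                 resp = requests.get(url, headers=ADVISORY_HEADERS, timeout=30)
                 resp.raise_for_status()
                 data = resp.json()
-            except Exception as e:
+            except (requests.RequestException, ValueError) as e:
                 logger.error("Failed to fetch branch %s: %s", branch, e)
                 continue
             for item in data.get("items") or []:
@@ -111,7 +111,17 @@ def parse_advisory(data: dict):
         for ref in data.get("ref") or []:
             ref_url = ref.get("rel") or ""
             if ref_url:
-                references.append(ReferenceV2(url=ref_url))
+                references.append(
+                    ReferenceV2(
+                        url=ref_url,
+                        reference_type=ref.get("referenceType") or "",
+                    )
+                )
+        for cpe_match in data.get("cpeMatch") or []:
+            cpe_uri = cpe_match.get("cpeUri") or ""
+            cpe_id = cpe_match.get("id") or ""
+            if cpe_uri and cpe_id:
+                references.append(ReferenceV2(url=cpe_id, reference_id=cpe_uri))
 
         severities = []
         cvss3 = data.get("cvss3") or {}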
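Review bot: The cpeMatch loop added at the end of parse_advisory (new lines 120–124) builds a reference with the match's `id` as `url` and the CPE URI as `reference_id` but sets no `reference_type`, whereas the `ref` loop just above now fills it from `referenceType`; nothing in the code says why a CPE match is modelled as a reference, so the branch needs a comment such as `# Each cpeMatch becomes a reference: reference_id holds the CPE URI and url the Alpine-side anchor for that match.` The fixture reformatted in this commit has `cpeUri` empty, so if it is the one driving the parse tests the `if cpe_uri and cpe_id` branch is never exercised; a fixture with a non-empty cpeUri would pin it. `reference_type=ref.get("referenceType") or ""` forwards whatever string the upstream feed supplies (the fixture shows a UUID-like value next to MISC and CONFIRM), so if ReferenceV2 constrains reference_type one odd entry would raise and drop the whole advisory — either normalize the value or confirm ReferenceV2 accepts free text. parse_advisory continues outside the hunk.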

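--- a/vulnerabilities/tests/test_alpine_security_importer.py
+++ b/vulnerabilities/tests/test_alpine_security_importer.py
@@ -12,6 +12,8 @@
 from unittest.mock import MagicMock
 from unittest.mock import patch
 
+import requests
+
 from vulnerabilities.pipelines.v2_importers.alpine_security_importer import (
     AlpineSecurityImporterPipeline,
 )
@@ -107,7 +109,7 @@ def test_collect_advisories_yields_advisory(self, mock_get, mock_branches):
     @patch("vulnerabilities.pipelines.v2_importers.alpine_security_importer.requests.get")
     def test_collect_advisories_http_error_logs_and_continues(self, mock_get, mock_branches):
         mock_branches.return_value = ["3.19-main"]
-        mock_get.side_effect = Exception("timeout")
+        mock_get.side_effect = requests.RequestException("timeout")
         logger_name = "vulnerabilities.pipelines.v2_importers.alpine_security_importer"
         with self.assertLogs(logger_name, level="ERROR") as cm:
             advisories = list(AlpineSecurityImporterPipeline().collect_advisories())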
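Review bot: The test in the second hunk now exercises only the `requests.RequestException` arm of the narrowed `except (requests.RequestException, ValueError)` in collect_advisories; the ValueError arm, which is what a malformed JSON body from `resp.json()` produces, has no counterpart. A second case with `mock_get.return_value.json.side_effect = ValueError("bad json")` and the same assertLogs check would pin both branches, and the same gap applies to get_branches and advisories_count, whose handlers were narrowed identically. Nothing in this section covers the new reference_type and cpeMatch handling in parse_advisory; if that is tested in one of the changed files not shown here, disregard. The test method continues outside the hunk.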
Lines changed: 103 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1 +1,103 @@
1-
{"@context":"https://security.alpinelinux.org/static/context.jsonld","cpeMatch":[{"@context":"https://security.alpinelinux.org/static/context.jsonld","cpeUri":"","id":"https://security.alpinelinux.org/vuln/CVE-2025-46836#cpeMatch/940449","maximumVersion":"2.10","maximumVersionOp":"<=","minimumVersion":"0","minimumVersionOp":">=","package":"https://security.alpinelinux.org/srcpkg/net-tools","type":"CPEMatch","vuln":"https://security.alpinelinux.org/vuln/CVE-2025-46836"}],"cvss3":{"score":6.6,"vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H"},"description":"net-tools is a collection of programs that form the base set of the NET-3 networking distribution for the Linux operating system. Inn versions up to and including 2.10, the Linux network utilities (like ifconfig) from the net-tools package do not properly validate the structure of /proc files when showing interfaces. `get_name()` in `interface.c` copies interface labels from `/proc/net/dev` into a fixed 16-byte stack buffer without bounds checking, leading to possible arbitrary code execution or crash. The known attack path does not require privilege but also does not provide privilege escalation in this scenario. 
A patch is available and expected to be part of version 2.20.","id":"https://security.alpinelinux.org/vuln/CVE-2025-46836","ref":[{"@context":"https://security.alpinelinux.org/static/context.jsonld","id":"https://security.alpinelinux.org/vuln/CVE-2025-46836#ref/588613","referenceType":"MISC","rel":"https://github.com/ecki/net-tools/commit/7a8f42fb20013a1493d8cae1c43436f85e656f2d","type":"Reference"},{"@context":"https://security.alpinelinux.org/static/context.jsonld","id":"https://security.alpinelinux.org/vuln/CVE-2025-46836#ref/588614","referenceType":"CONFIRM","rel":"https://github.com/ecki/net-tools/security/advisories/GHSA-pfwf-h6m3-63wf","type":"Reference"},{"@context":"https://security.alpinelinux.org/static/context.jsonld","id":"https://security.alpinelinux.org/vuln/CVE-2025-46836#ref/593944","referenceType":"af854a3a-2127-422b-91ae-364da2661108","rel":"https://lists.debian.org/debian-lts-announce/2025/05/msg00053.html","type":"Reference"}],"state":[{"@context":"https://security.alpinelinux.org/static/context.jsonld","fixed":false,"id":"https://security.alpinelinux.org/vuln/CVE-2025-46836#state/108203","packageVersion":"https://security.alpinelinux.org/srcpkg/net-tools/2.10-r3","repo":"edge-main","type":"VulnerabilityState","vuln":"https://security.alpinelinux.org/vuln/CVE-2025-46836"},{"@context":"https://security.alpinelinux.org/static/context.jsonld","fixed":false,"id":"https://security.alpinelinux.org/vuln/CVE-2025-46836#state/415014","packageVersion":"https://security.alpinelinux.org/srcpkg/net-tools/2.10-r3","repo":"3.23-main","type":"VulnerabilityState","vuln":"https://security.alpinelinux.org/vuln/CVE-2025-46836"},{"@context":"https://security.alpinelinux.org/static/context.jsonld","fixed":false,"id":"https://security.alpinelinux.org/vuln/CVE-2025-46836#state/125956","packageVersion":"https://security.alpinelinux.org/srcpkg/net-tools/2.10-r3","repo":"3.22-main","type":"VulnerabilityState","vuln":"https://security.alpinelinux.org/vuln/CVE-2025-46836"},
{"@context":"https://security.alpinelinux.org/static/context.jsonld","fixed":false,"id":"https://security.alpinelinux.org/vuln/CVE-2025-46836#state/127510","packageVersion":"https://security.alpinelinux.org/srcpkg/net-tools/2.10-r3","repo":"3.21-main","type":"VulnerabilityState","vuln":"https://security.alpinelinux.org/vuln/CVE-2025-46836"},{"@context":"https://security.alpinelinux.org/static/context.jsonld","fixed":false,"id":"https://security.alpinelinux.org/vuln/CVE-2025-46836#state/127996","packageVersion":"https://security.alpinelinux.org/srcpkg/net-tools/2.10-r3","repo":"3.20-main","type":"VulnerabilityState","vuln":"https://security.alpinelinux.org/vuln/CVE-2025-46836"},{"@context":"https://security.alpinelinux.org/static/context.jsonld","fixed":false,"id":"https://security.alpinelinux.org/vuln/CVE-2025-46836#state/128449","packageVersion":"https://security.alpinelinux.org/srcpkg/net-tools/2.10-r3","repo":"3.19-main","type":"VulnerabilityState","vuln":"https://security.alpinelinux.org/vuln/CVE-2025-46836"}],"type":"Vulnerability"}
1+
{
2+
"@context": "https://security.alpinelinux.org/static/context.jsonld",
3+
"cpeMatch": [
4+
{
5+
"@context": "https://security.alpinelinux.org/static/context.jsonld",
6+
"cpeUri": "",
7+
"id": "https://security.alpinelinux.org/vuln/CVE-2025-46836#cpeMatch/940449",
8+
"maximumVersion": "2.10",
9+
"maximumVersionOp": "<=",
10+
"minimumVersion": "0",
11+
"minimumVersionOp": ">=",
12+
"package": "https://security.alpinelinux.org/srcpkg/net-tools",
13+
"type": "CPEMatch",
14+
"vuln": "https://security.alpinelinux.org/vuln/CVE-2025-46836"
15+
}
16+
],
17+
"cvss3": {
18+
"score": 6.6,
19+
"vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H"
20+
},
21+
"description": "net-tools is a collection of programs that form the base set of the NET-3 networking distribution for the Linux operating system. Inn versions up to and including 2.10, the Linux network utilities (like ifconfig) from the net-tools package do not properly validate the structure of /proc files when showing interfaces. `get_name()` in `interface.c` copies interface labels from `/proc/net/dev` into a fixed 16-byte stack buffer without bounds checking, leading to possible arbitrary code execution or crash. The known attack path does not require privilege but also does not provide privilege escalation in this scenario. A patch is available and expected to be part of version 2.20.",
22+
"id": "https://security.alpinelinux.org/vuln/CVE-2025-46836",
23+
"ref": [
24+
{
25+
"@context": "https://security.alpinelinux.org/static/context.jsonld",
26+
"id": "https://security.alpinelinux.org/vuln/CVE-2025-46836#ref/588613",
27+
"referenceType": "MISC",
28+
"rel": "https://github.com/ecki/net-tools/commit/7a8f42fb20013a1493d8cae1c43436f85e656f2d",
29+
"type": "Reference"
30+
},
31+
{
32+
"@context": "https://security.alpinelinux.org/static/context.jsonld",
33+
"id": "https://security.alpinelinux.org/vuln/CVE-2025-46836#ref/588614",
34+
"referenceType": "CONFIRM",
35+
"rel": "https://github.com/ecki/net-tools/security/advisories/GHSA-pfwf-h6m3-63wf",
36+
"type": "Reference"
37+
},
38+
{
39+
"@context": "https://security.alpinelinux.org/static/context.jsonld",
40+
"id": "https://security.alpinelinux.org/vuln/CVE-2025-46836#ref/593944",
41+
"referenceType": "af854a3a-2127-422b-91ae-364da2661108",
42+
"rel": "https://lists.debian.org/debian-lts-announce/2025/05/msg00053.html",
43+
"type": "Reference"
44+
}
45+
],
46+
"state": [
47+
{
48+
"@context": "https://security.alpinelinux.org/static/context.jsonld",
49+
"fixed": false,
50+
"id": "https://security.alpinelinux.org/vuln/CVE-2025-46836#state/108203",
51+
"packageVersion": "https://security.alpinelinux.org/srcpkg/net-tools/2.10-r3",
52+
"repo": "edge-main",
53+
"type": "VulnerabilityState",
54+
"vuln": "https://security.alpinelinux.org/vuln/CVE-2025-46836"
55+
},
56+
{
57+
"@context": "https://security.alpinelinux.org/static/context.jsonld",
58+
"fixed": false,
59+
"id": "https://security.alpinelinux.org/vuln/CVE-2025-46836#state/415014",
60+
"packageVersion": "https://security.alpinelinux.org/srcpkg/net-tools/2.10-r3",
61+
"repo": "3.23-main",
62+
"type": "VulnerabilityState",
63+
"vuln": "https://security.alpinelinux.org/vuln/CVE-2025-46836"
64+
},
65+
{
66+
"@context": "https://security.alpinelinux.org/static/context.jsonld",
67+
"fixed": false,
68+
"id": "https://security.alpinelinux.org/vuln/CVE-2025-46836#state/125956",
69+
"packageVersion": "https://security.alpinelinux.org/srcpkg/net-tools/2.10-r3",
70+
"repo": "3.22-main",
71+
"type": "VulnerabilityState",
72+
"vuln": "https://security.alpinelinux.org/vuln/CVE-2025-46836"
73+
},
74+
{
75+
"@context": "https://security.alpinelinux.org/static/context.jsonld",
76+
"fixed": false,
77+
"id": "https://security.alpinelinux.org/vuln/CVE-2025-46836#state/127510",
78+
"packageVersion": "https://security.alpinelinux.org/srcpkg/net-tools/2.10-r3",
79+
"repo": "3.21-main",
80+
"type": "VulnerabilityState",
81+
"vuln": "https://security.alpinelinux.org/vuln/CVE-2025-46836"
82+
},
83+
{
84+
"@context": "https://security.alpinelinux.org/static/context.jsonld",
85+
"fixed": false,
86+
"id": "https://security.alpinelinux.org/vuln/CVE-2025-46836#state/127996",
87+
"packageVersion": "https://security.alpinelinux.org/srcpkg/net-tools/2.10-r3",
88+
"repo": "3.20-main",
89+
"type": "VulnerabilityState",
90+
"vuln": "https://security.alpinelinux.org/vuln/CVE-2025-46836"
91+
},
92+
{
93+
"@context": "https://security.alpinelinux.org/static/context.jsonld",
94+
"fixed": false,
95+
"id": "https://security.alpinelinux.org/vuln/CVE-2025-46836#state/128449",
96+
"packageVersion": "https://security.alpinelinux.org/srcpkg/net-tools/2.10-r3",
97+
"repo": "3.19-main",
98+
"type": "VulnerabilityState",
99+
"vuln": "https://security.alpinelinux.org/vuln/CVE-2025-46836"
100+
}
101+
],
102+
"type": "Vulnerability"
103+
}
