Create almalinux importer pipeline

Signed-off-by: ambuj <kulshreshthaak.12@gmail.com>

Author: ambuj-1211

vulnerabilities/importers/__init__.py

@@ -7,7 +7,6 @@
 # See https://aboutcode.org for more information about nexB OSS projects.
 #
 
-from vulnerabilities.importers import almalinux
 from vulnerabilities.importers import alpine_linux
 from vulnerabilities.importers import apache_httpd
 from vulnerabilities.importers import apache_kafka
@@ -36,6 +35,7 @@
 from vulnerabilities.importers import vulnrichment
 from vulnerabilities.importers import xen
 from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipeline
+from vulnerabilities.pipelines import almalinux_importer
 from vulnerabilities.pipelines import github_importer
 from vulnerabilities.pipelines import gitlab_importer
 from vulnerabilities.pipelines import nginx_importer
@@ -69,7 +69,6 @@
     oss_fuzz.OSSFuzzImporter,
     ruby.RubyImporter,
     github_osv.GithubOSVImporter,
-    almalinux.AlmaImporter,
     curl.CurlImporter,
     epss.EPSSImporter,
     vulnrichment.VulnrichImporter,
@@ -80,6 +79,7 @@
     github_importer.GitHubAPIImporterPipeline,
     nvd_importer.NVDImporterPipeline,
     pysec_importer.PyPIImporterPipeline,
+    almalinux_importer.AlmalinuxImporterPipeline,
 ]
 
 IMPORTERS_REGISTRY = {

vulnerabilities/importers/almalinux.py

@@ -41,6 +41,8 @@
     "go": "golang",
     "hex": "hex",
     "cargo": "cargo",
+    "almalinux:8": "rpm",
+    "almalinux:9": "rpm",
 }
 
 
@@ -213,6 +215,8 @@ def get_affected_purl(affected_pkg, raw_id):
             namespace = ""
             if purl_type == "maven":
                 namespace, _, name = name.partition(":")
+            if ecosys == "almalinux:8" or ecosys == "almalinux:9":
+                namespace = "almalinux"
 
             purl = PackageURL(type=purl_type, namespace=namespace, name=name)
         else:

vulnerabilities/importers/osv.py

@@ -24,7 +24,6 @@
 from vulnerabilities.importer import AffectedPackage
 from vulnerabilities.importer import Importer
 from vulnerabilities.importer import UnMergeablePackageError
-from vulnerabilities.importers.almalinux import AlmaImporter
 from vulnerabilities.importers.apache_httpd import ApacheHTTPDImporter
 from vulnerabilities.importers.apache_kafka import ApacheKafkaImporter
 from vulnerabilities.importers.apache_tomcat import ApacheTomcatImporter
@@ -42,6 +41,7 @@
 from vulnerabilities.improver import Inference
 from vulnerabilities.models import Advisory
 from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipeline
+from vulnerabilities.pipelines.almalinux_importer import AlmalinuxImporterPipeline
 from vulnerabilities.pipelines.github_importer import GitHubAPIImporterPipeline
 from vulnerabilities.pipelines.gitlab_importer import GitLabImporterPipeline
 from vulnerabilities.pipelines.nginx_importer import NginxImporterPipeline
@@ -477,10 +477,13 @@ class RubyImprover(ValidVersionImprover):
 class GithubOSVImprover(ValidVersionImprover):
     importer = GithubOSVImporter
     ignorable_versions = []
-    
+
+
 class AlmaImprover(ValidVersionImprover):
-    importer = AlmaImporter
-    
+    importer = AlmalinuxImporterPipeline
+    ignorable_versions = []
+
+
 class CurlImprover(ValidVersionImprover):
     importer = CurlImporter
     ignorable_versions = []

vulnerabilities/improvers/valid_versions.py

@@ -0,0 +1,68 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+import json
+import logging
+from pathlib import Path
+from typing import Iterable
+
+from fetchcode.vcs import fetch_via_vcs
+
+from vulnerabilities.importer import AdvisoryData
+from vulnerabilities.importers.osv import parse_advisory_data
+from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipeline
+from vulnerabilities.utils import get_advisory_url
+
+logger = logging.getLogger(__name__)
+
+
+class AlmalinuxImporterPipeline(VulnerableCodeBaseImporterPipeline):
+    """Collect Almalinux advisories."""
+
+    pipeline_id = "almalinux_importer"
+    spdx_license_expression = "MIT"
+    license_url = "https://github.com/AlmaLinux/osv-database/blob/master/LICENSE"
+    importer_name = "Almalinux Importer"
+    repo_url = "https://github.com/AlmaLinux/osv-database"
+
+    @classmethod
+    def steps(cls):
+        return (
+            cls.clone,
+            cls.collect_and_store_advisories,
+            cls.import_new_advisories,
+            cls.clean_downloads,
+        )
+
+    def clone(self):
+        self.log(f"Cloning `{self.repo_url}")
+        self.vcs_response = fetch_via_vcs(self.repo_url)
+
+    def advisories_count(self):
+        vuln_directory = Path(self.vcs_response.dest_dir) / "tree" / "master" / "advisories"
+        return sum(1 for _ in vuln_directory.rglob("*.json"))
+
+    def collect_advisories(self) -> Iterable[AdvisoryData]:
+        base_path = Path(self.vcs_response.dest_dir)
+        vuln_directory = base_path / "tree" / "master" / "advisories"
+        for file in vuln_directory.rglob("*.json"):
+            advisory_url = get_advisory_url(
+                file=file,
+                base_path=base_path,
+                url="https://github.com/AlmaLinux/osv-database/blob/master",
+            )
+            with open(file) as f:
+                raw_data = json.load(f)
+            yield parse_advisory_data(
+                raw_data=raw_data, supported_ecosystems="rpm", advisory_url=advisory_url
+            )
+
+    def clean_downloads(self):
+        if self.vcs_response:
+            self.log(f"Removing cloned repository")
+            self.vcs_response.delete()