aboutcode-org · ambuj-1211 · Jun 22, 2024 · Jun 24, 2024 · Jun 25, 2024 · Jul 2, 2024
diff --git a/vulnerabilities/importers/__init__.py b/vulnerabilities/importers/__init__.py
@@ -7,6 +7,7 @@
 # See https://aboutcode.org for more information about nexB OSS projects.
 #
 
+from vulnerabilities.importers import almalinux
 from vulnerabilities.importers import alpine_linux
 from vulnerabilities.importers import apache_httpd
 from vulnerabilities.importers import apache_kafka
@@ -71,6 +72,7 @@
     oss_fuzz.OSSFuzzImporter,
     ruby.RubyImporter,
     github_osv.GithubOSVImporter,
+    almalinux.AlmaImporter,
 ]
 
 IMPORTERS_REGISTRY = {x.qualified_name: x for x in IMPORTERS_REGISTRY}
diff --git a/vulnerabilities/importers/almalinux.py b/vulnerabilities/importers/almalinux.py
@@ -0,0 +1,183 @@
+#
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/nexB/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+import json
+import logging
+from pathlib import Path
+from typing import Any
+from typing import Iterable
+from typing import List
+from typing import Optional
+
+from packageurl import PackageURL
+from univers.version_range import RANGE_CLASS_BY_SCHEMES
+from univers.version_range import RpmVersionRange
+from univers.versions import InvalidVersion
+from univers.versions import RpmVersion
+from univers.versions import Version
+
+from vulnerabilities.importer import AdvisoryData
+from vulnerabilities.importer import AffectedPackage
+from vulnerabilities.importer import Importer
+from vulnerabilities.importers.osv import extract_fixed_versions
+from vulnerabilities.importers.osv import get_published_date
+from vulnerabilities.importers.osv import get_references
+from vulnerabilities.importers.osv import get_severities
+
+# from vulnerabilities.importers.osv import parse_advisory_data
+from vulnerabilities.utils import build_description
+from vulnerabilities.utils import dedupe
+from vulnerabilities.utils import get_advisory_url
+from vulnerabilities.utils import get_cwe_id
+
+logger = logging.getLogger(__name__)
+BASE_URL = "https://github.com/AlmaLinux/osv-database"
+
+
+class AlmaImporter(Importer):
+    spdx_license_expression = "MIT License"
+    license_url = "https://github.com/AlmaLinux/osv-database/blob/master/LICENSE"
+    importer_name = "Alma Linux Importer"
+
+    # for creating purl type is rpm namespace is almalinux names 1:2324:el8
+
+    def advisory_data(self) -> Iterable[AdvisoryData]:
+        supported_ecosystems = ["almalinux:8", "almalinux:9"]
+        try:
+            self.clone(repo_url=self.BASE_URL)
+            base_path = Path(self.vcs_response.dest_dir)
+            advisory_dirs = base_path / "tree/master/advisories"
+            # Iterate throught the directories in the repo and get the .json files
+            for file in advisory_dirs.glob("**/*.json"):
+                advisory_url = get_advisory_url(
+                    file=file,
+                    base_path=base_path,
+                    url="https://github.com/AlmaLinux/osv-database/blob/master",
+                )
+                with open(file) as f:
+                    raw_data = json.load(f)
+                yield parse_advisory_data(raw_data, supported_ecosystems, advisory_url)
+        finally:
+            if self.vcs_response:
+                self.vcs_response.delete()
+
+
+"""Make follwoing changes:
+    alias- done
+    summary - done
+    affected packages - work
+    references - work
+    date published - done
+    weaknesses - work
+    url - done
+"""
+
+
+def parse_advisory_data(raw_data, supported_ecosystems, advisory_url) -> Optional[AdvisoryData]:
+    raw_id = raw_data.get("id") or ""
+    summary = raw_data.get("summary") or ""
+    details = raw_data.get("details") or ""
+    summary = build_description(summary=summary, description=details)
+    aliases = raw_data.get("aliases") or []
+    if raw_id:
+        aliases.append(raw_id)
+        aliases = dedupe(original=aliases)
+    date_published = get_published_date(raw_data=raw_data)
+    severities = list(get_severities(raw_data=raw_data))
+    references = get_references(raw_data=raw_data, severities=severities)
+
+    affected_packages = []
+
+    for affected_pkg in raw_data.get("affected") or []:
+        purl = get_affected_purl(affected_pkg=affected_pkg, raw_id=raw_id)
+        ranges = affected_packages.get("ranges") or []
+        events = ranges[0].get("events") or []
+        if not purl:
+            logger.error(f"Unsupported package type: {affected_pkg!r} in OSV: {raw_id!r}")
+            continue
+
+        affected_version_range = get_affected_version_range(
+            affected_pkg=affected_pkg,
+            raw_id=raw_id,
+            supported_ecosystem=purl.type,
+        )
+
+        for fixed_range in affected_pkg.get("ranges") or []:
+            fixed_version = get_fixed_versions(
+                fixed_range=fixed_range,
+                raw_id=raw_id,
+                supported_ecosystem=purl.type,  # can use these information in future to update the get_fixed_version function.
+            )
+
+            for version in fixed_version:
+                affected_packages.append(
+                    AffectedPackage(
+                        package=purl,
+                        affected_version_range=affected_version_range,
+                        fixed_version=version,
+                    )
+                )
+
+    database_specific = raw_data.get("database_specific") or {}
+    cwe_ids = database_specific.get("cwe_ids") or []
+    weaknesses = list(map(get_cwe_id, cwe_ids))
+
+    return AdvisoryData(
+        aliases=aliases,
+        summary=summary,
+        references=references,
+        affected_packages=affected_packages,
+        date_published=date_published,
+        weaknesses=weaknesses,
+        url=advisory_url,
+    )
+
+
+def get_affected_purl(affected_pkg, raw_id):
+    package = affected_pkg.get("package") or {}
+    purl = package.get("purl")
+    if purl:
+        try:
+            purl = PackageURL.from_string(purl)
+        except ValueError:
+            logger.error(
+                f"Invalid PackageURL: {purl!r} for OSV "
+                f"affected_pkg {affected_pkg} and id: {raw_id}"
+            )
+
+    else:
+        ecosys = package.get("ecosystem")
+        name = package.get("name")
+        purl = PackageURL(type="rpm", namespace="almalinux", name=name)
+
+    return PackageURL.from_string(str(purl))
+
+
+def get_fixed_versions(fixed_range) -> List[Version]:
+    fixed_versions = []
+    fixed_range_type = fixed_range["type"]
+    for version in extract_fixed_versions(fixed_range):
+        fixed_versions.append(RpmVersion(version))
+    return dedupe(fixed_versions)
+
+
+def get_affected_version_range(affected_pkg, raw_id, supported_ecosystem):
+    """
+    Return a univers VersionRange for the ``affected_pkg`` package data mapping
+    or None. Use a ``raw_id`` OSV id and ``supported_ecosystem``.
+    """
+    fixed_range = affected_pkg.get("ranges") or []
+    fixed_range = fixed_range[0] if len(fixed_range) > 0 else {}
+    fixed_version = get_fixed_versions(fixed_range)[0]
+    introduced = fixed_range.get("events") or []
+    introduced = introduced[0] if len(introduced) > 0 else {}
+    introduced_version = introduced.get("introduced") or ""
+
+    return RpmVersionRange.from_native()
diff --git a/vulnerabilities/importers/osv.py b/vulnerabilities/importers/osv.py
@@ -41,6 +41,8 @@
     "go": "golang",
     "hex": "hex",
     "cargo": "cargo",
+    "almalinux:8": "almalinux:8",
+    "almalinux:9": "almalinux:9",
 }
 
 

diff --git a/vulnerabilities/tests/test_almalinux.py b/vulnerabilities/tests/test_almalinux.py
@@ -0,0 +1,58 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/nexB/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+import json
+import os
+from unittest import TestCase
+
+from vulnerabilities.importers.osv import parse_advisory_data
+from vulnerabilities.tests import util_tests
+
+BASE_DIR = os.path.dirname(os.path.abspath(__file__))
+TEST_DATA = os.path.join(BASE_DIR, "test_data/almalinux")
+
+
+class AlmaImporter(TestCase):
+    def test_almalinux_importer1(self):
+        with open(os.path.join(TEST_DATA, "almalinux_test_1.json")) as f:
+            mock_response = json.load(f)
+        expected_file = os.path.join(TEST_DATA, "almalinux_expected_1.json")
+        imported_data = parse_advisory_data(
+            mock_response,
+            supported_ecosystems=["almalinux:8", "almalinux:9"],
+            advisory_url="https://github.com/AlmaLinux/osv-database"
+            "/blob/master/advisories/almalinux8/almalinux_test_1.json",
+        )
+        result = imported_data.to_dict()
+        util_tests.check_results_against_json(result, expected_file)
+
+    def test_almalinux_importer2(self):
+        with open(os.path.join(TEST_DATA, "almalinux_test_2.json")) as f:
+            mock_response = json.load(f)
+        expected_file = os.path.join(TEST_DATA, "almalinux_expected_2.json")
+        imported_data = parse_advisory_data(
+            mock_response,
+            supported_ecosystems=["almalinux:8", "almalinux:9"],
+            advisory_url="https://github.com/AlmaLinux/osv-database"
+            "/blob/master/advisories/almalinux8/almalinux_test_2.json",
+        )
+        result = imported_data.to_dict()
+        util_tests.check_results_against_json(result, expected_file)
+
+    def test_github_osv_importer3(self):
+        with open(os.path.join(TEST_DATA, "almalinux_test_3.json")) as f:
+            mock_response = json.load(f)
+        expected_file = os.path.join(TEST_DATA, "almalinux_expected_3.json")
+        imported_data = parse_advisory_data(
+            mock_response,
+            supported_ecosystems=["almalinux:8", "almalinux:9"],
+            advisory_url="https://github.com/AlmaLinux/osv-database"
+            "/blob/master/advisories/almalinux8/almalinux_test_3.json",
+        )
+        result = imported_data.to_dict()
+        util_tests.check_results_against_json(result, expected_file)
diff --git a/vulnerabilities/tests/test_data/almalinux/almalinux_expected_1.json b/vulnerabilities/tests/test_data/almalinux/almalinux_expected_1.json
@@ -0,0 +1,21 @@
+{
+  "aliases": ["ALBA-2019:3336"], 
+  "summary": "nss-altfiles bug fix and enhancement update\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.", 
+  "affected_packages": [
+    {
+      "package": {"type": "almalinux:8", "namespace": "", "name": "nss-altfiles", "version": "", "qualifiers": "", "subpath": ""}, 
+    "affected_version_range": null, 
+    "fixed_version": "2.18.1-12.el8"
+  }
+  ], 
+  "references": [
+    {
+      "reference_id": "", 
+    "url": "https://errata.almalinux.org/8/ALBA-2019-3336.html", 
+    "severities": []
+  }
+  ], 
+  "date_published": "2019-11-05T17:32:18+00:00", 
+  "weaknesses": [], 
+  "url": "https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux8/almalinux_test_1.json"
+}
diff --git a/vulnerabilities/tests/test_data/almalinux/almalinux_expected_2.json b/vulnerabilities/tests/test_data/almalinux/almalinux_expected_2.json
@@ -0,0 +1,17 @@
+{
+    "aliases": ["ALEA-2019:3314"], 
+    "summary": "python3-azure-sdk bug fix and enhancement update\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.", 
+    "affected_packages": [
+        {
+            "package": {
+                "type": "almalinux:8", "namespace": "", "name": "python3-azure-sdk", "version": "", "qualifiers": "", "subpath": ""
+                }, 
+                "affected_version_range": null, 
+                "fixed_version": "4.0.0-9.el8"
+        }
+    ], 
+    "references": [], 
+    "date_published": "2019-11-05T17:29:24+00:00", 
+    "weaknesses": [], 
+    "url": "https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux8/almalinux_test_2.json"
+}
diff --git a/vulnerabilities/tests/test_data/almalinux/almalinux_expected_3.json b/vulnerabilities/tests/test_data/almalinux/almalinux_expected_3.json
@@ -0,0 +1,50 @@
+{
+    "aliases": ["ALSA-2022:8221"], 
+    "summary": "Moderate: xorg-x11-server security and bug fix update\nX.Org is an open-source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon.\n\nSecurity Fix(es)n\n* xorg-x11-server: X.Org Server ProcXkbSetGeometry out-of-bounds access (CVE-2022-2319)\n* xorg-x11-server: out-of-bounds access in ProcXkbSetDeviceInfo request handler of the Xkb extension VE-2022-2320)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\nAdditional Changes:\n\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.", 
+    "affected_packages": [
+        {"package": {"type": "almalinux:9", "namespace": "", "name": "xorg-x11-server-Xdmx", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"},
+        {"package": {"type": "almalinux:9", "namespace": "", "name": "xorg-x11-server-Xephyr", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"}, 
+        {"package": {"type": "almalinux:9", "namespace": "", "name": "xorg-x11-server-Xnest", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"}, 
+        {"package": {"type": "almalinux:9", "namespace": "", "name": "xorg-x11-server-Xorg", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"}, 
+        {"package": {"type": "almalinux:9", "namespace": "", "name": "xorg-x11-server-Xvfb", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"}, 
+        {"package": {"type": "almalinux:9", "namespace": "", "name": "xorg-x11-server-common", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"}, 
+        {"package": {"type": "almalinux:9", "namespace": "", "name": "xorg-x11-server-devel", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"}, 
+        {"package": {"type": "almalinux:9", "namespace": "", "name": "xorg-x11-server-source", "version": "", "qualifiers": "", "subpath": ""}, "affected_version_range": null, "fixed_version": "1.20.11-11.el9"}
+
+    ], 
+    "references": [
+        {
+            "reference_id": "", 
+            "url": "https://access.redhat.com/errata/RHSA-2022:8221", 
+            "severities": []
+        }, 
+        {
+            "reference_id": "", 
+            "url": "https://access.redhat.com/security/cve/CVE-2022-2319", 
+            "severities": []
+        }, 
+        {
+            "reference_id": "", 
+            "url": "https://access.redhat.com/security/cve/CVE-2022-2320", 
+            "severities": []
+        }, 
+        {
+            "reference_id": "", 
+            "url": "https://bugzilla.redhat.com/2106671", 
+            "severities": []
+        }, 
+        {
+            "reference_id": "", 
+            "url": "https://bugzilla.redhat.com/2106683", 
+            "severities": []
+        }, 
+        {
+            "reference_id": "", 
+            "url": "https://errata.almalinux.org/9/ALSA-2022-8221.html", 
+            "severities": []
+        }
+    ], 
+    "date_published": "2022-11-15T00:00:00+00:00", 
+    "weaknesses": [], 
+    "url": "https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux8/almalinux_test_3.json"
+}
diff --git a/vulnerabilities/tests/test_data/almalinux/almalinux_test_1.json b/vulnerabilities/tests/test_data/almalinux/almalinux_test_1.json
@@ -0,0 +1,35 @@
+{
+  "id": "ALBA-2019:3336",
+  "summary": "nss-altfiles bug fix and enhancement update",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "AlmaLinux:8",
+        "name": "nss-altfiles"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.18.1-12.el8"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "related": [],
+  "published": "2019-11-05T17:32:18Z",
+  "modified": "2021-11-12T10:20:54Z",
+  "details": "For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.",
+  "references": [
+    {
+      "url": "https://errata.almalinux.org/8/ALBA-2019-3336.html",
+      "type": "ADVISORY"
+    }
+  ]
+}