Merge pull request aboutcode-org#1989 from ziadhany/linux-kernel

ziadhany · web-flow · commit 8b90a516e36e · 2026-05-15T10:31:38.000+03:00
Collect existing fix commits for Linux Kernel
diff --git a/vulnerabilities/importers/__init__.py b/vulnerabilities/importers/__init__.py
@@ -58,6 +58,7 @@
 from vulnerabilities.pipelines.v2_importers import gitlab_importer as gitlab_importer_v2
 from vulnerabilities.pipelines.v2_importers import glibc_importer as glibc_importer_v2
 from vulnerabilities.pipelines.v2_importers import istio_importer as istio_importer_v2
+from vulnerabilities.pipelines.v2_importers import linux_kernel_importer as linux_kernel_importer_v2
 from vulnerabilities.pipelines.v2_importers import mattermost_importer as mattermost_importer_v2
 from vulnerabilities.pipelines.v2_importers import mozilla_importer as mozilla_importer_v2
 from vulnerabilities.pipelines.v2_importers import nginx_importer as nginx_importer_v2
@@ -118,6 +119,7 @@
         retiredotnet_importer_v2.RetireDotnetImporterPipeline,
         ubuntu_osv_importer_v2.UbuntuOSVImporterPipeline,
         alpine_linux_importer_v2.AlpineLinuxImporterPipeline,
+        linux_kernel_importer_v2.LinuxKernelPipeline,
         github_importer.GitHubAPIImporterPipeline,
         gitlab_importer.GitLabImporterPipeline,
         github_osv.GithubOSVImporter,
diff --git a/vulnerabilities/pipelines/v2_importers/linux_kernel_importer.py b/vulnerabilities/pipelines/v2_importers/linux_kernel_importer.py
@@ -0,0 +1,154 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+from collections import defaultdict
+from pathlib import Path
+
+from fetchcode.vcs import fetch_via_vcs
+from univers.version_range import GenericVersionRange
+
+from vulnerabilities.importer import AdvisoryDataV2
+from vulnerabilities.importer import AffectedPackageV2
+from vulnerabilities.importer import PackageCommitPatchData
+from vulnerabilities.importer import PatchData
+from vulnerabilities.importer import ReferenceV2
+from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipelineV2
+from vulnerabilities.pipes.advisory import classify_patch_source
+from vulnerabilities.utils import commit_regex
+from vulnerabilities.utils import cve_regex
+from vulnerabilities.utils import is_commit
+
+
+class LinuxKernelPipeline(VulnerableCodeBaseImporterPipelineV2):
+    """
+    Pipeline to collect Linux Kernel Pipeline:
+    """
+
+    pipeline_id = "linux_kernel_cves_fix_commits"
+    spdx_license_expression = "Apache-2.0"
+    license_url = "https://github.com/nluedtke/linux_kernel_cves/blob/master/LICENSE"
+    run_once = True
+
+    @classmethod
+    def steps(cls):
+        return (
+            cls.clone,
+            cls.extract_kernel_cve_fix_commits,
+            cls.collect_and_store_advisories,
+            cls.clean_downloads,
+        )
+
+    def advisories_count(self):
+        root = Path(self.vcs_response.dest_dir)
+        return sum(1 for _ in root.rglob("data/*.txt"))
+
+    def clone(self):
+        self.repo_url = "git+https://github.com/nluedtke/linux_kernel_cves"
+        self.log(f"Cloning `{self.repo_url}`")
+        self.vcs_response = fetch_via_vcs(self.repo_url)
+
+    def extract_kernel_cve_fix_commits(self):
+        self.log(f"Processing linux kernel fix commits.")
+        base_path = Path(self.vcs_response.dest_dir) / "data"
+
+        for file_path in base_path.rglob("*.txt"):
+            if "_CVEs.txt" in file_path.name:
+                continue
+
+            if "_security.txt" in file_path.name:
+                self.parse_commits_file(file_path)
+
+    def collect_advisories(self):
+        for (
+            vulnerability_id,
+            fixed_versions_commits,
+        ) in self.cve_to_fixed_versions_and_commits.items():
+            references = []
+            patches = []
+            affected_packages = []
+
+            for fixed_version, commit_hash in fixed_versions_commits:
+                patch_url = f"https://github.com/torvalds/linux/commit/{commit_hash}"
+                if not commit_hash:
+                    continue
+
+                base_purl, patch_objs = classify_patch_source(
+                    url=patch_url,
+                    commit_hash=commit_hash,
+                    patch_text=None,
+                )
+
+                for patch_obj in patch_objs:
+                    fixed_version_range = GenericVersionRange.from_versions([fixed_version])
+                    if isinstance(patch_obj, PackageCommitPatchData):
+                        fixed_commit = patch_obj
+                        affected_package = AffectedPackageV2(
+                            package=base_purl,
+                            fixed_by_commit_patches=[fixed_commit],
+                            fixed_version_range=fixed_version_range,
+                        )
+                        affected_packages.append(affected_package)
+                    elif isinstance(patch_obj, PatchData):
+                        patches.append(patch_obj)
+                    elif isinstance(patch_obj, ReferenceV2):
+                        references.append(patch_obj)
+
+            yield AdvisoryDataV2(
+                advisory_id=vulnerability_id,
+                references=references,
+                affected_packages=affected_packages,
+                patches=patches,
+                url="https://github.com/nluedtke/linux_kernel_cves",
+            )
+
+    def parse_commits_file(self, file_path):
+        """Extract CVE-ID and commit hashes from a text file"""
+        self.cve_to_fixed_versions_and_commits = defaultdict(set)
+        fixed_version = None
+        with open(file_path, "r", encoding="utf-8") as f:
+            for line in f:
+                line = line.strip()
+
+                if not line:
+                    continue
+
+                if line.startswith("CVEs fixed in"):
+                    fixed_version = line.replace("CVEs fixed in", "").strip().rstrip(":")
+                    continue
+
+                parts = line.split(":", 2)
+
+                if len(parts) < 2:
+                    continue
+
+                cve_part = parts[0]
+                commit_part = parts[1]
+
+                cve_match = cve_regex.search(cve_part)
+                if not cve_match:
+                    continue
+
+                cve = cve_match.group(0)
+
+                sha1_match = commit_regex.search(commit_part)
+                commit_hash = sha1_match.group(0) if sha1_match else None
+
+                if not commit_hash or not is_commit(commit_hash):
+                    continue
+
+                self.cve_to_fixed_versions_and_commits[cve].add((fixed_version, commit_hash))
+
+    def clean_downloads(self):
+        """Cleanup any temporary repository data."""
+        if self.vcs_response:
+            self.log("Removing cloned repository")
+            self.vcs_response.delete()
+
+    def on_failure(self):
+        """Ensure cleanup is always performed on failure."""
+        self.clean_downloads()
diff --git a/vulnerabilities/tests/pipelines/v2_importers/test_linux_pipelines_v2.py b/vulnerabilities/tests/pipelines/v2_importers/test_linux_pipelines_v2.py
@@ -0,0 +1,29 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+import os
+from pathlib import Path
+from unittest.mock import Mock
+
+import pytest
+
+from vulnerabilities.pipelines.v2_importers.linux_kernel_importer import LinuxKernelPipeline
+from vulnerabilities.tests import util_tests
+
+TEST_DATA = Path(__file__).parent.parent.parent / "test_data" / "linux_kernel"
+
+
+@pytest.mark.django_db
+def test_linux_kernel_advisories():
+    expected_file = os.path.join(TEST_DATA, "expected-linux-kernel-advisory.json")
+    pipeline = LinuxKernelPipeline()
+    pipeline.vcs_response = Mock(dest_dir=TEST_DATA)
+    pipeline.extract_kernel_cve_fix_commits()
+    result = [adv.to_dict() for adv in pipeline.collect_advisories()]
+    util_tests.check_results_against_json(result, expected_file)
diff --git a/vulnerabilities/tests/test_data/linux_kernel/data/3.12/3.12_security.txt b/vulnerabilities/tests/test_data/linux_kernel/data/3.12/3.12_security.txt
@@ -0,0 +1,31 @@
+
+CVEs fixed in 3.12:
+  CVE-2013-4511: 201f99f170df14ba52ea4c52847779042b7a623b uml: check length in exitcode_proc_write()
+  CVE-2013-4512: 201f99f170df14ba52ea4c52847779042b7a623b uml: check length in exitcode_proc_write()
+  CVE-2013-4513: c2c65cd2e14ada6de44cb527e7f1990bede24e15 staging: ozwpan: prevent overflow in oz_cdev_write()
+  CVE-2013-4514: b5e2f339865fb443107e5b10603e53bbc92dc054 staging: wlags49_h2: buffer overflow setting station name
+  CVE-2013-4515: 8d1e72250c847fa96498ec029891de4dc638a5ba Staging: bcm: info leak in ioctl
+  CVE-2013-4516: a8b33654b1e3b0c74d4a1fed041c9aae50b3c427 Staging: sb105x: info leak in mp_get_count()
+  CVE-2013-6383: f856567b930dfcdbc3323261bf77240ccdde01f5 aacraid: missing capable() check in compat ioctl
+
+CVEs fixed in 3.12.1:
+  CVE-2013-4348: cec64fecff2eff7dd701b883ed3f5f6faf1aab92 net: flow_dissector: fail on evil iph->ihl
+
+CVEs fixed in 3.12.2:
+  CVE-2013-2929: 9d4dd888b4b5799ecadfb0d8c9adda7a76779806 exec/ptrace: fix get_dumpable() incorrect tests
+  CVE-2013-2930: 539ddb09c46389cc22d35543e40ccde2c2e20244 perf/ftrace: Fix paranoid level for enabling function tracer
+  CVE-2013-4345: 8ea7fffd97835f4e3ffd5f757df152a79835f65f crypto: ansi_cprng - Fix off by one error in non-block size request
+  CVE-2013-6378: 0f6ff65ed8d3630118c3149a4fbc493dd3b8fdc4 libertas: potential oops in debugfs
+  CVE-2013-6380: 12cc2209deeda65c963c84a5e6aaf0c39aca8e6d aacraid: prevent invalid pointer dereference
+  CVE-2013-7026: dd272212175ad47ee84cf38e9d5f99502df2d930 ipc,shm: fix shm_file deletion races
+
+CVE-2024-26791: (unk) btrfs: dev-replace: properly validate device names
+CVE-2024-26793: (unk) gtp: fix use-after-free and null-ptr-deref in gtp_newlink()
+CVE-2024-26797: (unk) drm/amd/display: Prevent potential buffer overflow in map_hw_resources
+CVE-2024-26798: (unk) fbcon: always restore the old font data in fbcon_do_set_font()
+CVE-2024-26802: (unk) stmmac: Clear variable when destroying workqueue
+CVE-2024-26803: (unk) net: veth: clear GRO when clearing XDP even when down
+CVE-2024-26804: (unk) net: ip_tunnel: prevent perpetual headroom growth
+CVE-2024-26806: (unk) spi: cadence-qspi: remove system-wide suspend helper calls from runtime PM hooks
+CVE-2024-26808: (unk) netfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain
+CVE-2024-26809: (unk) netfilter: nft_set_pipapo: release elements in clone only from destroy path
diff --git a/vulnerabilities/tests/test_data/linux_kernel/expected-linux-kernel-advisory.json b/vulnerabilities/tests/test_data/linux_kernel/expected-linux-kernel-advisory.json
