Merge pull request #1042 from nexB/972-migrate-apache-kafka-importer

Modify apache_kafka.py and related tests for migration

Author: pombredanne

CHANGELOG.rst

@@ -2,6 +2,12 @@ Release notes
 =============
 
 
+Next Release
+------------
+
+- We re-enabled support for the Apache Kafka vulnerabilities advisories importer.
+
+
 Version v32.0.0rc2
 --------------------
 

vulnerabilities/importers/__init__.py

@@ -9,6 +9,7 @@
 
 from vulnerabilities.importers import alpine_linux
 from vulnerabilities.importers import apache_httpd
+from vulnerabilities.importers import apache_kafka
 from vulnerabilities.importers import apache_tomcat
 from vulnerabilities.importers import archlinux
 from vulnerabilities.importers import debian
@@ -63,6 +64,7 @@
     xen.XenImporter,
     ubuntu_usn.UbuntuUSNImporter,
     fireeye.FireyeImporter,
+    apache_kafka.ApacheKafkaImporter,
 ]
 
 IMPORTERS_REGISTRY = {x.qualified_name: x for x in IMPORTERS_REGISTRY}

vulnerabilities/importers/apache_kafka.py

@@ -7,120 +7,179 @@
 # See https://aboutcode.org for more information about nexB OSS projects.
 #
 
-import asyncio
 
+import pytz
 import requests
 from bs4 import BeautifulSoup
+from dateutil.parser import parse
 from packageurl import PackageURL
-from univers.version_range import VersionRange
-from univers.versions import MavenVersion
 
 from vulnerabilities.importer import AdvisoryData
+from vulnerabilities.importer import AffectedPackage
 from vulnerabilities.importer import Importer
 from vulnerabilities.importer import Reference
-from vulnerabilities.package_managers import GitHubTagsAPI
-from vulnerabilities.utils import nearest_patched_package
 
-GH_PAGE_URL = "https://raw.githubusercontent.com/apache/kafka-site/asf-site/cve-list.html"
-ASF_PAGE_URL = "https://kafka.apache.org/cve-list"
+# The entries below with `"action": "omit"` have no useful/reportable fixed or affected version data.
+# See https://kafka.apache.org/cve-list
+affected_version_range_mapping = {
+    "CVE-2022-34917": {
+        "action": "include",
+        "2.8.0 - 2.8.1, 3.0.0 - 3.0.1, 3.1.0 - 3.1.1, 3.2.0 - 3.2.1": "affected",
+        "2.8.2, 3.0.2, 3.1.2, 3.2.3": "fixed",
+        "affected_version_range": "vers:apache/>=2.8.0|<=2.8.1|!=2.8.2|>=3.0.0|<=3.0.1|!=3.0.2|>=3.1.0|<=3.1.1|!=3.1.2|>=3.2.0|<=3.2.1|!=3.2.3",
+        "Issue announced": "19 Sep 2022",
+    },
+    "CVE-2022-23302": {
+        "action": "omit",
+    },
+    "CVE-2022-23305": {
+        "action": "omit",
+    },
+    "CVE-2022-23307": {
+        "action": "omit",
+    },
+    "CVE-2021-45046": {
+        "action": "omit",
+    },
+    "CVE-2021-44228": {
+        "action": "omit",
+    },
+    "CVE-2021-4104": {
+        "action": "omit",
+    },
+    "CVE-2021-38153": {
+        "action": "include",
+        "2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, 2.8.0.": "affected",
+        "2.6.3, 2.7.2, 2.8.1, 3.0.0 and later": "fixed",
+        "affected_version_range": "vers:apache/2.0.0|2.0.1|2.1.0|2.1.1|2.2.0|2.2.1|2.2.2|2.3.0|2.3.1|2.4.0|2.4.1|2.5.0|2.5.1|2.6.0|2.6.1|2.6.2|!=2.6.3|2.7.0|2.7.1|!=2.7.2|2.8.0.|!=2.8.1|<3.0.0",
+        "Issue announced": "21 Sep 2021",
+    },
+    "CVE-2019-12399": {
+        "action": "include",
+        "2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0": "affected",
+        "2.2.2, 2.3.1 and later": "fixed",
+        "affected_version_range": "vers:apache/2.0.0|2.0.1|2.1.0|2.1.1|2.2.0|2.2.1|!=2.2.2|2.3.0|<2.3.1",
+        "Issue announced": "13 Jan 2020",
+    },
+    "CVE-2018-17196": {
+        "action": "include",
+        "0.11.0.0 to 2.1.0": "affected",
+        "2.1.1 and later": "fixed",
+        "affected_version_range": "vers:apache/>=0.11.0.0|<2.1.1",
+        "Issue announced": "10 July 2019",
+    },
+    "CVE-2018-1288": {
+        "action": "include",
+        "0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, 1.0.0": "affected",
+        "0.10.2.2, 0.11.0.3, 1.0.1, 1.1.0": "fixed",
+        "affected_version_range": "vers:apache/>=0.9.0.0|<=0.9.0.1|>=0.10.0.0|<=0.10.2.1|!=0.10.2.2|>=0.11.0.0|<=0.11.0.2|!=0.11.0.3|1.0.0|!=1.0.1|!=1.1.0",
+        "Issue announced": "26 July 2018",
+    },
+    "CVE-2017-12610": {
+        "action": "include",
+        "0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.1": "affected",
+        "0.10.2.2, 0.11.0.2, 1.0.0": "fixed",
+        "affected_version_range": "vers:apache/>=0.10.0.0|<=0.10.2.1|!=0.10.2.2|>=0.11.0.0|<=0.11.0.1|!=0.11.0.2|!=1.0.0",
+        "Issue announced": "26 July 2018",
+    },
+}
 
 
 class ApacheKafkaImporter(Importer):
+
+    GH_PAGE_URL = "https://raw.githubusercontent.com/apache/kafka-site/asf-site/cve-list.html"
+    ASF_PAGE_URL = "https://kafka.apache.org/cve-list"
+    spdx_license_expression = "Apache-2.0"
+    license_url = "https://www.apache.org/licenses/"
+
     @staticmethod
-    def fetch_advisory_page():
-        page = requests.get(GH_PAGE_URL)
+    def fetch_advisory_page(self):
+        page = requests.get(self.GH_PAGE_URL)
         return page.content
 
-    def set_api(self):
-        self.version_api = GitHubTagsAPI()
-        asyncio.run(self.version_api.load_api(["apache/kafka"]))
+    def advisory_data(self):
+        advisory_page = self.fetch_advisory_page(self)
 
-    def updated_advisories(self):
-        advisory_page = self.fetch_advisory_page()
-        self.set_api()
         parsed_data = self.to_advisory(advisory_page)
-        return self.batch_advisories(parsed_data)
+        return parsed_data
 
     def to_advisory(self, advisory_page):
         advisories = []
+
         advisory_page = BeautifulSoup(advisory_page, features="lxml")
         cve_section_beginnings = advisory_page.find_all("h2")
         for cve_section_beginning in cve_section_beginnings:
-            cve_id = cve_section_beginning.text.split("\n")[0]
+            # This sometimes includes text that follows the CVE on the same line -- sometimes there is a carriage return, sometimes there is not
+            # cve_id = cve_section_beginning.text.split("\n")[0]
+            # This is superior, gets only the cve id and no following text.
+            cve_id = cve_section_beginning.get("id")
+
             cve_description_paragraph = cve_section_beginning.find_next_sibling("p")
+
+            description = str(cve_description_paragraph.get_text())
+            description = " ".join(description.split())
+
             cve_data_table = cve_section_beginning.find_next_sibling("table")
             cve_data_table_rows = cve_data_table.find_all("tr")
             affected_versions_row = cve_data_table_rows[0]
             fixed_versions_row = cve_data_table_rows[1]
-            affected_version_ranges = to_version_ranges(
-                affected_versions_row.find_all("td")[1].text
-            )
-            fixed_version_ranges = to_version_ranges(fixed_versions_row.find_all("td")[1].text)
-
-            fixed_packages = [
-                PackageURL(type="apache", name="kafka", version=version)
-                for version in self.version_api.get("apache/kafka").valid_versions
-                if any(
-                    [
-                        MavenVersion(version) in version_range
-                        for version_range in fixed_version_ranges
-                    ]
-                )
-            ]
-
-            affected_packages = [
-                PackageURL(type="apache", name="kafka", version=version)
-                for version in self.version_api.get("apache/kafka").valid_versions
-                if any(
-                    [
-                        MavenVersion(version) in version_range
-                        for version_range in affected_version_ranges
-                    ]
-                )
-            ]
-
-            advisories.append(
-                AdvisoryData(
-                    vulnerability_id=cve_id,
-                    summary=cve_description_paragraph.text,
-                    affected_packages=nearest_patched_package(affected_packages, fixed_packages),
-                    references=[
-                        Reference(url=ASF_PAGE_URL),
-                        Reference(
-                            url=f"https://cve.mitre.org/cgi-bin/cvename.cgi?name={cve_id}",
-                            reference_id=cve_id,
-                        ),
-                    ],
+
+            # Remove leading white space after initial comma
+            affected_versions = affected_versions_row.find_all("td")[1].text
+
+            affected_versions_clean = [v.strip() for v in affected_versions.split(",")]
+            affected_versions_clean = [v for v in affected_versions if v]
+
+            fixed_versions = fixed_versions_row.find_all("td")[1].text
+
+            fixed_versions_clean = [v.strip() for v in fixed_versions.split(",")]
+            fixed_versions_clean = [v for v in fixed_versions if v]
+
+            # This throws a KeyError if the opening h2 tag `id` data changes or is not in the
+            # hard-coded affected_version_range_mapping dictionary.
+            cve_version_mapping = affected_version_range_mapping[cve_id]
+            if cve_version_mapping["action"] == "include":
+                # These 2 variables (not used elsewhere) trigger the KeyError for changed/missing data.
+                check_affected_versions_key = cve_version_mapping[affected_versions]
+                check_fixed_versions_key = cve_version_mapping[fixed_versions]
+
+                references = [
+                    Reference(
+                        url=self.ASF_PAGE_URL,
+                        reference_id=cve_id,
+                    ),
+                    Reference(
+                        url=f"{self.ASF_PAGE_URL}#{cve_id}",
+                        reference_id=cve_id,
+                    ),
+                    Reference(
+                        url=f"https://nvd.nist.gov/vuln/detail/{cve_id}",
+                        reference_id=cve_id,
+                    ),
+                ]
+
+                affected_packages = []
+                affected_package = AffectedPackage(
+                    package=PackageURL(
+                        name="kafka",
+                        type="apache",
+                    ),
+                    affected_version_range=cve_version_mapping["affected_version_range"],
                 )
-            )
-        return advisories
+                affected_packages.append(affected_package)
 
+                date_published = parse(cve_version_mapping["Issue announced"]).replace(
+                    tzinfo=pytz.UTC
+                )
 
-def to_version_ranges(version_range_text):
-    version_ranges = []
-    range_expressions = version_range_text.split(",")
-    for range_expression in range_expressions:
-        if "to" in range_expression:
-            # eg range_expression == "3.2.0 to 3.2.1"
-            lower_bound, upper_bound = range_expression.split("to")
-            lower_bound = f">={lower_bound}"
-            upper_bound = f"<={upper_bound}"
-            version_ranges.append(
-                VersionRange.from_scheme_version_spec_string(
-                    "maven", f"{lower_bound},{upper_bound}"
+                advisories.append(
+                    AdvisoryData(
+                        aliases=[cve_id],
+                        summary=description,
+                        affected_packages=affected_packages,
+                        references=references,
+                        date_published=date_published,
+                    )
                 )
-            )
-
-        elif "and later" in range_expression:
-            # eg range_expression == "2.1.1 and later"
-            range_expression = range_expression.replace("and later", "")
-            version_ranges.append(
-                VersionRange.from_scheme_version_spec_string("maven", f">={range_expression}")
-            )
-
-        else:
-            # eg  range_expression == "3.0.0"
-            version_ranges.append(
-                VersionRange.from_scheme_version_spec_string("maven", range_expression)
-            )
-    return version_ranges
+
+        return advisories

vulnerabilities/tests/conftest.py

@@ -25,7 +25,6 @@ def no_rmtree(monkeypatch):
 # Step 2: Run test for importer only if it is activated (pytestmark = pytest.mark.skipif(...))
 # Step 3: Migrate all the tests
 collect_ignore = [
-    "test_apache_kafka.py",
     "test_models.py",
     "test_package_managers.py",
     "test_ruby.py",