aboutcode-org
diff --git a/‎.github/workflows/docs.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/docs.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/main.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/main.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎CHANGELOG.rst‎
Lines changed: 8 additions & 0 deletions b/‎CHANGELOG.rst‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎requirements.txt‎
Lines changed: 3 additions & 0 deletions b/‎requirements.txt‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎setup.cfg‎
Lines changed: 4 additions & 1 deletion b/‎setup.cfg‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎vulnerabilities/import_runner.py‎
Lines changed: 0 additions & 1 deletion b/‎vulnerabilities/import_runner.py‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎vulnerabilities/importers/__init__.py‎
Lines changed: 4 additions & 2 deletions b/‎vulnerabilities/importers/__init__.py‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎vulnerabilities/importers/curl.py‎
Lines changed: 169 additions & 0 deletions b/‎vulnerabilities/importers/curl.py‎
Lines changed: 169 additions & 0 deletions
@@ -9,7 +9,7 @@ jobs:
     strategy:
       max-parallel: 4
       matrix:
-        python-version: [3.8]
+        python-version: [3.9]
 
     steps:
       - name: Checkout code
 
@@ -29,7 +29,7 @@ jobs:
     strategy:
       max-parallel: 4
       matrix:
-        python-version: ["3.8", "3.9", "3.10"]
+        python-version: ["3.9", "3.10", "3.11"]
 
     steps:
       - name: Checkout code
 
@@ -1,6 +1,14 @@
 Release notes
 =============
 
+Version (next)
+-------------------
+
+- Add Pipeline to flag ghost packages (#1533)
+- Add logging configuration (#1533)
+- Drop support for python 3.8 (#1533)
+
+
 Version v34.0.0
 -------------------
 
 
@@ -1,3 +1,4 @@
+aboutcode.pipeline==0.1.0
 aiosignal==1.2.0
 alabaster==0.7.12
 asgiref==3.6.0
@@ -10,6 +11,7 @@ bcrypt==3.2.0
 beautifulsoup4==4.10.0
 binaryornot==0.4.4
 black==22.3.0
+bleach==6.1.0
 boolean.py==3.8
 certifi==2024.7.4
 cffi==1.15.0
@@ -49,6 +51,7 @@ jsonschema==3.2.0
 license-expression==21.6.14
 lxml==4.9.1
 Markdown==3.3.4
+markdown-it-py==3.0.0
 MarkupSafe==2.1.1
 matplotlib-inline==0.1.3
 multidict==6.0.2
 
@@ -48,7 +48,7 @@ license_files =
     README.rst
 
 [options]
-python_requires = >=3.8
+python_requires = >=3.9
 
 packages=find:
 include_package_data = true
@@ -92,6 +92,9 @@ install_requires =
     requests>=2.25.1
     fetchcode>=0.3.0
 
+    #pipeline
+    aboutcode.pipeline>=0.1.0
+
     #vulntotal
     python-dotenv
     texttable
 
@@ -18,7 +18,6 @@
 
 from vulnerabilities.importer import AdvisoryData
 from vulnerabilities.importer import Importer
-from vulnerabilities.importers import IMPORTERS_REGISTRY
 from vulnerabilities.improver import Inference
 from vulnerabilities.improvers.default import DefaultImporter
 from vulnerabilities.models import Advisory
 
@@ -12,6 +12,7 @@
 from vulnerabilities.importers import apache_kafka
 from vulnerabilities.importers import apache_tomcat
 from vulnerabilities.importers import archlinux
+from vulnerabilities.importers import curl
 from vulnerabilities.importers import debian
 from vulnerabilities.importers import debian_oval
 from vulnerabilities.importers import elixir_security
@@ -30,7 +31,6 @@
 from vulnerabilities.importers import oss_fuzz
 from vulnerabilities.importers import postgresql
 from vulnerabilities.importers import project_kb_msr2019
-from vulnerabilities.importers import pypa
 from vulnerabilities.importers import pysec
 from vulnerabilities.importers import redhat
 from vulnerabilities.importers import retiredotnet
@@ -40,13 +40,13 @@
 from vulnerabilities.importers import ubuntu_usn
 from vulnerabilities.importers import vulnrichment
 from vulnerabilities.importers import xen
+from vulnerabilities.pipelines import pypa_importer
 
 IMPORTERS_REGISTRY = [
     nvd.NVDImporter,
     github.GitHubAPIImporter,
     gitlab.GitLabAPIImporter,
     npm.NpmImporter,
-    pypa.PyPaImporter,
     nginx.NginxImporter,
     pysec.PyPIImporter,
     alpine_linux.AlpineImporter,
@@ -73,8 +73,10 @@
     oss_fuzz.OSSFuzzImporter,
     ruby.RubyImporter,
     github_osv.GithubOSVImporter,
+    curl.CurlImporter,
     epss.EPSSImporter,
     vulnrichment.VulnrichImporter,
+    pypa_importer.PyPaImporterPipeline,
 ]
 
 IMPORTERS_REGISTRY = {x.qualified_name: x for x in IMPORTERS_REGISTRY}
@@ -0,0 +1,169 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/nexB/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+import logging
+from datetime import datetime
+from datetime import timezone
+from typing import Iterable
+from typing import Mapping
+
+from cwe2.database import Database
+from packageurl import PackageURL
+from univers.version_range import GenericVersionRange
+from univers.versions import SemverVersion
+
+from vulnerabilities.importer import AdvisoryData
+from vulnerabilities.importer import AffectedPackage
+from vulnerabilities.importer import Importer
+from vulnerabilities.importer import Reference
+from vulnerabilities.importer import VulnerabilitySeverity
+from vulnerabilities.severity_systems import SCORING_SYSTEMS
+from vulnerabilities.utils import fetch_response
+from vulnerabilities.utils import get_cwe_id
+from vulnerabilities.utils import get_item
+
+logger = logging.getLogger(__name__)
+
+
+class CurlImporter(Importer):
+
+    spdx_license_expression = "curl"
+    license_url = "https://curl.se/docs/copyright.html"
+    repo_url = "https://github.com/curl/curl-www/"
+    importer_name = "Curl Importer"
+    api_url = "https://curl.se/docs/vuln.json"
+
+    def fetch(self) -> Iterable[Mapping]:
+        response = fetch_response(self.api_url)
+        return response.json()
+
+    def advisory_data(self) -> Iterable[AdvisoryData]:
+        raw_data = self.fetch()
+        for data in raw_data:
+            cve_id = data.get("aliases") or []
+            cve_id = cve_id[0] if len(cve_id) > 0 else None
+            if not cve_id.startswith("CVE"):
+                package = data.get("database_specific").get("package")
+                logger.error(f"Invalid CVE ID: {cve_id} in package {package}")
+                continue
+            yield parse_advisory_data(data)
+
+
+def parse_advisory_data(raw_data) -> AdvisoryData:
+    """
+    Parse advisory data from raw JSON data and return an AdvisoryData object.
+
+    Args:
+        raw_data (dict): Raw JSON data containing advisory information.
+
+    Returns:
+        AdvisoryData: Parsed advisory data as an AdvisoryData object.
+
+    Example:
+        >>> raw_data = {
+        ...     "aliases": ["CVE-2024-2379"],
+        ...     "summary": "QUIC certificate check bypass with wolfSSL",
+        ...     "database_specific": {
+        ...         "package": "curl",
+        ...         "URL": "https://curl.se/docs/CVE-2024-2379.json",
+        ...         "www": "https://curl.se/docs/CVE-2024-2379.html",
+        ...         "issue": "https://hackerone.com/reports/2410774",
+        ...         "severity": "Low",
+        ...         "CWE": {
+        ...             "id": "CWE-297",
+        ...             "desc": "Improper Validation of Certificate with Host Mismatch"
+        ...         },
+        ...     },
+        ...     "published": "2024-03-27T08:00:00.00Z",
+        ...     "affected": [
+        ...         {
+        ...             "ranges": [
+        ...                 {
+        ...                     "type": "SEMVER",
+        ...                     "events": [
+        ...                         {"introduced": "8.6.0"},
+        ...                         {"fixed": "8.7.0"}
+        ...                     ]
+        ...                 }
+        ...             ],
+        ...             "versions": ["8.6.0"]
+        ...         }
+        ...     ]
+        ... }
+        >>> parse_advisory_data(raw_data)
+        AdvisoryData(aliases=['CVE-2024-2379'], summary='QUIC certificate check bypass with wolfSSL', affected_packages=[AffectedPackage(package=PackageURL(type='generic', namespace='curl.se', name='curl', version=None, qualifiers={}, subpath=None), affected_version_range=GenericVersionRange(constraints=(VersionConstraint(comparator='=', version=SemverVersion(string='8.6.0')),)), fixed_version=SemverVersion(string='8.7.0'))], references=[Reference(reference_id='', reference_type='', url='https://curl.se/docs/CVE-2024-2379.html', severities=[VulnerabilitySeverity(system=Cvssv3ScoringSystem(identifier='cvssv3.1', name='CVSSv3.1 Base Score', url='https://www.first.org/cvss/v3-1/', notes='CVSSv3.1 base score and vector'), value='Low', scoring_elements='', published_at=None)]), Reference(reference_id='', reference_type='', url='https://hackerone.com/reports/2410774', severities=[])], date_published=datetime.datetime(2024, 3, 27, 8, 0, tzinfo=datetime.timezone.utc), weaknesses=[297], url='https://curl.se/docs/CVE-2024-2379.json')
+    """
+
+    affected = get_item(raw_data, "affected")[0] if len(get_item(raw_data, "affected")) > 0 else []
+
+    ranges = get_item(affected, "ranges")[0] if len(get_item(affected, "ranges")) > 0 else []
+    events = get_item(ranges, "events")[1] if len(get_item(ranges, "events")) > 1 else {}
+    version_type = get_item(ranges, "type") if get_item(ranges, "type") else ""
+    fixed_version = events.get("fixed")
+    if version_type == "SEMVER" and fixed_version:
+        fixed_version = SemverVersion(fixed_version)
+
+    purl = PackageURL(type="generic", namespace="curl.se", name="curl")
+    versions = affected.get("versions") or []
+    affected_version_range = GenericVersionRange.from_versions(versions)
+
+    affected_package = AffectedPackage(
+        package=purl, affected_version_range=affected_version_range, fixed_version=fixed_version
+    )
+
+    database_specific = raw_data.get("database_specific") or {}
+    severity = VulnerabilitySeverity(
+        system=SCORING_SYSTEMS["cvssv3.1"], value=database_specific.get("severity", "")
+    )
+
+    references = []
+    ref_www = database_specific.get("www") or ""
+    ref_issue = database_specific.get("issue") or ""
+    if ref_www:
+        references.append(Reference(url=ref_www, severities=[severity]))
+    if ref_issue:
+        references.append(Reference(url=ref_issue))
+
+    date_published = datetime.strptime(
+        raw_data.get("published") or "", "%Y-%m-%dT%H:%M:%S.%fZ"
+    ).replace(tzinfo=timezone.utc)
+    weaknesses = get_cwe_from_curl_advisory(raw_data)
+
+    return AdvisoryData(
+        aliases=raw_data.get("aliases") or [],
+        summary=raw_data.get("summary") or "",
+        affected_packages=[affected_package],
+        references=references,
+        date_published=date_published,
+        weaknesses=weaknesses,
+        url=raw_data.get("database_specific", {}).get("URL", ""),
+    )
+
+
+def get_cwe_from_curl_advisory(raw_data):
+    """
+    Extracts CWE IDs from the given raw_data and returns a list of CWE IDs.
+
+        >>> get_cwe_from_curl_advisory({"database_specific": {"CWE": {"id": "CWE-333"}}})
+        [333]
+        >>> get_cwe_from_curl_advisory({"database_specific": {"CWE": {"id": ""}}})
+        []
+    """
+    weaknesses = []
+    db = Database()
+    cwe_string = get_item(raw_data, "database_specific", "CWE", "id") or ""
+
+    if cwe_string:
+        cwe_id = get_cwe_id(cwe_string)
+        try:
+            db.get(cwe_id)
+            weaknesses.append(cwe_id)
+        except Exception:
+            logger.error("Invalid CWE id")
+    return weaknesses