Add apache_httpd improver

TG1999 · TG1999 · commit 522ab6a63681 · 2023-01-27T18:59:14.000+05:30
Signed-off-by: Tushar Goel &lt;tushar.goel.dav@gmail.com&gt;
diff --git a/vulnerabilities/importers/apache_httpd.py b/vulnerabilities/importers/apache_httpd.py
@@ -7,11 +7,17 @@
 # See https://aboutcode.org for more information about nexB OSS projects.
 #
 
-import asyncio
+import logging
 import urllib
+from datetime import datetime
+from typing import Iterable
+from typing import List
+from typing import Mapping
+from typing import Optional
 
 import requests
 from bs4 import BeautifulSoup
+from django.db.models.query import QuerySet
 from packageurl import PackageURL
 from univers.version_constraint import VersionConstraint
 from univers.version_range import ApacheVersionRange
@@ -21,8 +27,20 @@
 from vulnerabilities.importer import AffectedPackage
 from vulnerabilities.importer import Importer
 from vulnerabilities.importer import Reference
+from vulnerabilities.importer import UnMergeablePackageError
 from vulnerabilities.importer import VulnerabilitySeverity
+from vulnerabilities.improver import Improver
+from vulnerabilities.improver import Inference
+from vulnerabilities.models import Advisory
+from vulnerabilities.package_managers import GitHubTagsAPI
+from vulnerabilities.package_managers import VersionAPI
 from vulnerabilities.severity_systems import APACHE_HTTPD
+from vulnerabilities.utils import AffectedPackage as LegacyAffectedPackage
+from vulnerabilities.utils import get_affected_packages_by_patched_package
+from vulnerabilities.utils import nearest_patched_package
+from vulnerabilities.utils import resolve_version_range
+
+logger = logging.getLogger(__name__)
 
 
 class ApacheHTTPDImporter(Importer):
@@ -147,7 +165,7 @@ def fetch_links(url):
     return links
 
 
-ignore_tags = {
+IGNORE_TAGS = {
     "AGB_BEFORE_AAA_CHANGES",
     "APACHE_1_2b1",
     "APACHE_1_2b10",
@@ -209,3 +227,80 @@ def fetch_links(url):
     "post_ajp_proxy",
     "pre_ajp_proxy",
 }
+
+
+class ApacheHTTPDImprover(Improver):
+    def __init__(self) -> None:
+        self.versions_fetcher_by_purl: Mapping[str, VersionAPI] = {}
+        self.vesions_by_purl = {}
+
+    @property
+    def interesting_advisories(self) -> QuerySet:
+        return Advisory.objects.filter(created_by=ApacheHTTPDImporter.qualified_name)
+
+    def get_package_versions(
+        self, package_url: PackageURL, until: Optional[datetime] = None
+    ) -> List[str]:
+        """
+        Return a list of `valid_versions` for the `package_url`
+        """
+        api_name = "apache/httpd"
+        versions_fetcher = GitHubTagsAPI()
+        return versions_fetcher.get_until(package_name=api_name, until=until).valid_versions
+
+    def get_inferences(self, advisory_data: AdvisoryData) -> Iterable[Inference]:
+        """
+        Yield Inferences for the given advisory data
+        """
+        if not advisory_data.affected_packages:
+            return
+        try:
+            purl, affected_version_ranges, _ = AffectedPackage.merge(
+                advisory_data.affected_packages
+            )
+        except UnMergeablePackageError:
+            logger.error(f"Cannot merge with different purls {advisory_data.affected_packages!r}")
+            return iter([])
+
+        pkg_type = purl.type
+        pkg_namespace = purl.namespace
+        pkg_name = purl.name
+
+        if not self.vesions_by_purl.get(str(purl)):
+            valid_versions = self.get_package_versions(
+                package_url=purl, until=advisory_data.date_published
+            )
+            self.vesions_by_purl[str(purl)] = valid_versions
+
+        valid_versions = self.vesions_by_purl[str(purl)]
+
+        for affected_version_range in affected_version_ranges:
+            aff_vers, unaff_vers = resolve_version_range(
+                affected_version_range=affected_version_range,
+                package_versions=valid_versions,
+                ignorable_versions=IGNORE_TAGS,
+            )
+            affected_purls = [
+                PackageURL(type=pkg_type, namespace=pkg_namespace, name=pkg_name, version=version)
+                for version in aff_vers
+            ]
+
+            unaffected_purls = [
+                PackageURL(type=pkg_type, namespace=pkg_namespace, name=pkg_name, version=version)
+                for version in unaff_vers
+            ]
+
+            affected_packages: List[LegacyAffectedPackage] = nearest_patched_package(
+                vulnerable_packages=affected_purls, resolved_packages=unaffected_purls
+            )
+
+            for (
+                fixed_package,
+                affected_packages,
+            ) in get_affected_packages_by_patched_package(affected_packages).items():
+                yield Inference.from_advisory_data(
+                    advisory_data,
+                    confidence=100,  # We are getting all valid versions to get this inference
+                    affected_purls=affected_packages,
+                    fixed_purl=fixed_package,
+                )
diff --git a/vulnerabilities/improvers/__init__.py b/vulnerabilities/improvers/__init__.py
@@ -20,6 +20,7 @@
     importers.istio.IstioImprover,
     oval.DebianOvalBasicImprover,
     oval.UbuntuOvalBasicImprover,
+    importers.apache_httpd.ApacheHTTPDImprover,
 ]
 
 IMPROVERS_REGISTRY = {x.qualified_name: x for x in IMPROVERS_REGISTRY}

Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,7 @@`
`20`	`20`	`importers.istio.IstioImprover,`
`21`	`21`	`oval.DebianOvalBasicImprover,`
`22`	`22`	`oval.UbuntuOvalBasicImprover,`
	`23`	`+ importers.apache_httpd.ApacheHTTPDImprover,`
`23`	`24`	`]`
`24`	`25`
`25`	`26`	`IMPROVERS_REGISTRY = {x.qualified_name: x for x in IMPROVERS_REGISTRY}`