
Commit 8234a9a

committed
Include PURL in VendorData
Signed-off-by: Keshav Priyadarshi <[email protected]>
1 parent dbcf200 commit 8234a9a

21 files changed

+88
-23
lines changed

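--- a/vulntotal/datasources/deps.py
+++ b/vulntotal/datasources/deps.py
@@ -12,6 +12,7 @@
 from urllib.parse import quote
 
 import requests
+from packageurl import PackageURL
 
 from vulntotal.validator import DataSource
 from vulntotal.validator import VendorData
@@ -41,7 +42,7 @@ def datasource_advisory(self, purl) -> Iterable[VendorData]:
 fetched_advisory = self.fetch_json_response(advisory_payload)
 self._raw_dump.append(fetched_advisory)
 if fetched_advisory:
-return parse_advisory(fetched_advisory)
+return parse_advisory(fetched_advisory, purl)
 
 @classmethod
 def supported_ecosystem(cls):
@@ -56,11 +57,12 @@ def supported_ecosystem(cls):
 }
 
 
-def parse_advisory(advisory) -> Iterable[VendorData]:
+def parse_advisory(advisory, purl) -> Iterable[VendorData]:
 package = advisory["packages"][0]
 affected_versions = [event["version"] for event in package["versionsAffected"]]
 fixed_versions = [event["version"] for event in package["versionsUnaffected"]]
 yield VendorData(
+purl=PackageURL(purl.type, purl.namespace, purl.name),
 aliases=sorted(set(advisory["aliases"])),
 affected_versions=sorted(set(affected_versions)),
 fixed_versions=sorted(set(fixed_versions)),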
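Review bot: The purl stored on VendorData is rebuilt as `PackageURL(purl.type, purl.namespace, purl.name)`, which silently drops version, qualifiers and subpath, and the identical three-field construction is repeated in gitlab.py, oss_index.py, osv.py, snyk.py and vulnerablecode.py. Since VendorData is the one type all six datasources share, a single helper beside it, for example `def purl_without_version(purl): return PackageURL(type=purl.type, namespace=purl.namespace, name=purl.name)`, would keep the normalization in one place, make the intent explicit, and avoid relying on PackageURL's positional argument order. parse_advisory also gained a required positional parameter without a docstring; a one-liner such as `"""Yield VendorData for ``advisory``, tagged with the type/namespace/name of ``purl`` (version intentionally dropped)."""` would state the new contract. The enclosing datasource_advisory method starts outside the hunk.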

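--- a/vulntotal/datasources/gitlab.py
+++ b/vulntotal/datasources/gitlab.py
@@ -17,6 +17,7 @@
 import requests
 import saneyaml
 from fetchcode import fetch
+from packageurl import PackageURL
 
 from vulntotal.validator import DataSource
 from vulntotal.validator import VendorData
@@ -39,7 +40,7 @@ def datasource_advisory(self, purl) -> Iterable[VendorData]:
 location = download_subtree(casesensitive_package_slug)
 if location:
 interesting_advisories = parse_interesting_advisories(
-location, purl.version, delete_download=True
+location, purl, delete_download=True
 )
 return interesting_advisories
 clear_download(location)
@@ -151,7 +152,8 @@ def get_casesensitive_slug(path, package_slug):
 hasnext = paginated_tree["pageInfo"]["hasNextPage"]
 
 
-def parse_interesting_advisories(location, version, delete_download=False) -> Iterable[VendorData]:
+def parse_interesting_advisories(location, purl, delete_download=False) -> Iterable[VendorData]:
+version = purl.version
 path = Path(location)
 glob = "**/*.yml"
 files = (p for p in path.glob(glob) if p.is_file())
@@ -161,6 +163,7 @@ def parse_interesting_advisories(location, version, delete_download=False) -> It
 affected_range = gitlab_advisory["affected_range"]
 if gitlab_constraints_satisfied(affected_range, version):
 yield VendorData(
+purl=PackageURL(purl.type, purl.namespace, purl.name),
 aliases=gitlab_advisory["identifiers"],
 affected_versions=[affected_range],
 fixed_versions=gitlab_advisory["fixed_versions"],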
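Review bot: parse_interesting_advisories now takes the whole purl but has no docstring saying how it is used: `version = purl.version` feeds the `gitlab_constraints_satisfied` match, while only type/namespace/name go into VendorData. A docstring such as `"""Yield VendorData for each advisory under ``location`` whose affected range matches ``purl.version``; the yielded purl carries only type, namespace and name."""` would make that split explicit for the next caller. The rename of the second parameter from `version` to `purl` is a keyword-incompatible signature change, which is fine if the datasource_advisory call shown here is the only caller, but worth confirming. Both functions extend beyond the hunks shown.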

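--- a/vulntotal/datasources/oss_index.py
+++ b/vulntotal/datasources/oss_index.py
@@ -12,6 +12,7 @@
 from typing import Iterable
 
 import requests
+from packageurl import PackageURL
 
 from vulntotal.validator import DataSource
 from vulntotal.validator import VendorData
@@ -57,7 +58,7 @@ def datasource_advisory(self, purl) -> Iterable[VendorData]:
 response = self.fetch_json_response([str(purl)])
 if response:
 self._raw_dump.append(response)
-return parse_advisory(response)
+return parse_advisory(response, purl)
 
 @classmethod
 def supported_ecosystem(cls):
@@ -79,7 +80,7 @@ def supported_ecosystem(cls):
 }
 
 
-def parse_advisory(component) -> Iterable[VendorData]:
+def parse_advisory(component, purl) -> Iterable[VendorData]:
 response = component[0]
 vulnerabilities = response.get("vulnerabilities") or []
 for vuln in vulnerabilities:
@@ -89,6 +90,7 @@ def parse_advisory(component) -> Iterable[VendorData]:
 version_ranges = vuln.get("versionRanges") or []
 affected_versions.extend(version_ranges)
 yield VendorData(
+purl=PackageURL(purl.type, purl.namespace, purl.name),
 aliases=aliases,
 affected_versions=affected_versions,
 fixed_versions=fixed_versions,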

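--- a/vulntotal/datasources/osv.py
+++ b/vulntotal/datasources/osv.py
@@ -11,6 +11,7 @@
 from typing import Iterable
 
 import requests
+from packageurl import PackageURL
 
 from vulntotal.ecosystem.nuget import search_closest_nuget_package_name
 from vulntotal.validator import DataSource
@@ -40,7 +41,7 @@ def datasource_advisory(self, purl) -> Iterable[VendorData]:
 return
 advisory = self.fetch_advisory(payload)
 self._raw_dump.append(advisory)
-return parse_advisory(advisory)
+return parse_advisory(advisory, purl)
 
 @classmethod
 def supported_ecosystem(cls):
@@ -62,7 +63,7 @@ def supported_ecosystem(cls):
 }
 
 
-def parse_advisory(response) -> Iterable[VendorData]:
+def parse_advisory(response, purl) -> Iterable[VendorData]:
 """
 Parse response from OSV API and yield VendorData
 """
@@ -91,6 +92,7 @@ def parse_advisory(response) -> Iterable[VendorData]:
 pass
 
 yield VendorData(
+purl=PackageURL(purl.type, purl.namespace, purl.name),
 aliases=sorted(list(set(aliases))),
 affected_versions=sorted(list(set(affected_versions))),
 fixed_versions=sorted(list(set(fixed))),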
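Review bot: The docstring of parse_advisory, `Parse response from OSV API and yield VendorData`, was not updated for the new `purl` parameter; extending it to `Parse response from OSV API and yield VendorData tagged with the type, namespace and name of ``purl``` would keep it accurate. The import of search_closest_nuget_package_name at the top of this file suggests the package name actually queried may differ from `purl.name` for NuGet; if so, the VendorData purl now carries the caller's spelling rather than the matched package, which may be the intended identity but deserves a sentence in the docstring. The payload is built outside the hunk, so this is inferred rather than verified.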

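--- a/vulntotal/datasources/snyk.py
+++ b/vulntotal/datasources/snyk.py
@@ -13,6 +13,7 @@
 
 import requests
 from bs4 import BeautifulSoup
+from packageurl import PackageURL
 
 from vulntotal.validator import DataSource
 from vulntotal.validator import VendorData
@@ -46,7 +47,7 @@ def datasource_advisory(self, purl) -> Iterable[VendorData]:
 advisory_html = self.fetch(advisory_payload)
 self._raw_dump.append(advisory_html)
 if advisory_html:
-yield parse_html_advisory(advisory_html, snyk_id, affected)
+yield parse_html_advisory(advisory_html, snyk_id, affected, purl)
 
 @classmethod
 def supported_ecosystem(cls):
@@ -124,7 +125,7 @@ def extract_html_json_advisories(package_advisories):
 return vulnerablity
 
 
-def parse_html_advisory(advisory_html, snyk_id, affected) -> VendorData:
+def parse_html_advisory(advisory_html, snyk_id, affected, purl) -> VendorData:
 aliases = []
 fixed_versions = []
 
@@ -145,6 +146,7 @@ def parse_html_advisory(advisory_html, snyk_id, affected) -> VendorData:
 fixed_versions = "".join(fixed[lower + 1 : upper]).split(",")
 aliases.append(snyk_id)
 return VendorData(
+purl=PackageURL(purl.type, purl.namespace, purl.name),
 aliases=aliases,
 affected_versions=affected,
 fixed_versions=fixed_versions,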

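--- a/vulntotal/datasources/vulnerablecode.py
+++ b/vulntotal/datasources/vulnerablecode.py
@@ -53,7 +53,7 @@ def datasource_advisory(self, purl) -> Iterable[VendorData]:
 for advisory in metadata_advisories[0]["affected_by_vulnerabilities"]:
 fetched_advisory = self.fetch_get_json(advisory["url"])
 self._raw_dump.append(fetched_advisory)
-yield parse_advisory(fetched_advisory)
+yield parse_advisory(fetched_advisory, purl)
 
 @classmethod
 def supported_ecosystem(cls):
@@ -74,7 +74,7 @@ def supported_ecosystem(cls):
 }
 
 
-def parse_advisory(fetched_advisory) -> VendorData:
+def parse_advisory(fetched_advisory, purl) -> VendorData:
 aliases = [aliase["alias"] for aliase in fetched_advisory["aliases"]]
 affected_versions = []
 fixed_versions = []
@@ -83,7 +83,10 @@ def parse_advisory(fetched_advisory) -> VendorData:
 for instance in fetched_advisory["fixed_packages"]:
 fixed_versions.append(PackageURL.from_string(instance["purl"]).version)
 return VendorData(
-aliases=aliases, affected_versions=affected_versions, fixed_versions=fixed_versions
+purl=PackageURL(purl.type, purl.namespace, purl.name),
+aliases=aliases,
+affected_versions=affected_versions,
+fixed_versions=fixed_versions,
 )
 
 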
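--- a/vulntotal/tests/test_data/deps/parse_advisory-expected.json
+++ b/vulntotal/tests/test_data/deps/parse_advisory-expected.json
@@ -1,5 +1,6 @@
 [
 {
+"purl": "pkg:generic/namespace/test",
 "affected_versions": [
 "2.0",
 "2.0rc1",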

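--- a/vulntotal/tests/test_data/gitlab/parsed_advisory-expected.json
+++ b/vulntotal/tests/test_data/gitlab/parsed_advisory-expected.json
@@ -1,5 +1,6 @@
 [
 {
+"purl": "pkg:generic/namespace/test",
 "affected_versions": [
 "<=2.7.1"
 ],
@@ -11,6 +12,7 @@
 ]
 },
 {
+"purl": "pkg:generic/namespace/test",
 "affected_versions": [
 "<2.8.1"
 ],
@@ -23,6 +25,7 @@
 ]
 },
 {
+"purl": "pkg:generic/namespace/test",
 "affected_versions": [
 "<2.10.1"
 ],
@@ -34,6 +37,7 @@
 ]
 },
 {
+"purl": "pkg:generic/namespace/test",
 "affected_versions": [
 "<2.11.3"
 ],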

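--- a/vulntotal/tests/test_data/oss_index/parse_advisory-expected.json
+++ b/vulntotal/tests/test_data/oss_index/parse_advisory-expected.json
@@ -1,61 +1,70 @@
 [
 {
+"purl": "pkg:generic/namespace/test",
 "affected_versions": [],
 "fixed_versions": [],
 "aliases": [
 "CVE-2021-3907"
 ]
 },
 {
+"purl": "pkg:generic/namespace/test",
 "affected_versions": [],
 "fixed_versions": [],
 "aliases": [
 "CVE-2021-3761"
 ]
 },
 {
+"purl": "pkg:generic/namespace/test",
 "affected_versions": [],
 "fixed_versions": [],
 "aliases": [
 "CVE-2021-3908"
 ]
 },
 {
+"purl": "pkg:generic/namespace/test",
 "affected_versions": [],
 "fixed_versions": [],
 "aliases": [
 "CVE-2021-3909"
 ]
 },
 {
+"purl": "pkg:generic/namespace/test",
 "affected_versions": [],
 "fixed_versions": [],
 "aliases": [
 "CVE-2021-3910"
 ]
 },
 {
+"purl": "pkg:generic/namespace/test",
 "affected_versions": [],
 "fixed_versions": [],
 "aliases": [
 "CVE-2021-3978"
 ]
 },
 {
+"purl": "pkg:generic/namespace/test",
 "affected_versions": [],
 "fixed_versions": [],
 "aliases": [
 "CVE-2021-3911"
 ]
 },
 {
+"purl": "pkg:generic/namespace/test",
 "affected_versions": [],
 "fixed_versions": [],
 "aliases": [
 "CVE-2021-3912"
 ]
 },
 {
+"purl": "pkg:generic/namespace/test",
 "affected_versions": [],
 "fixed_versions": [],
 "aliases": [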

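--- a/vulntotal/tests/test_data/osv/parse_advisory_data-expected.json
+++ b/vulntotal/tests/test_data/osv/parse_advisory_data-expected.json
@@ -1,5 +1,6 @@
 [
 {
+"purl": "pkg:generic/namespace/test",
 "affected_versions": [
 "0",
 "2.0",
@@ -31,6 +32,7 @@
 ]
 },
 {
+"purl": "pkg:generic/namespace/test",
 "affected_versions": [
 "0",
 "2.0",
@@ -63,6 +65,7 @@
 ]
 },
 {
+"purl": "pkg:generic/namespace/test",
 "affected_versions": [
 "0",
 "2.0",
@@ -107,6 +110,7 @@
 ]
 },
 {
+"purl": "pkg:generic/namespace/test",
 "affected_versions": [
 "0",
 "2.0",
@@ -142,6 +146,7 @@
 ]
 },
 {
+"purl": "pkg:generic/namespace/test",
 "affected_versions": [
 "0",
 "2.0",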
