|
7 | 7 | # See https://aboutcode.org for more information about nexB OSS projects. |
8 | 8 | # |
9 | 9 |
|
10 | | -import json |
11 | | - |
12 | | -import requests |
13 | | - |
14 | 10 | from vulnerabilities.importer import AdvisoryData |
15 | 11 | from vulnerabilities.importer import Importer |
16 | | -from vulnerabilities.importer import Reference |
17 | | -from vulnerabilities.utils import create_etag |
| 12 | +from vulnerabilities.references import XsaReference |
| 13 | +from vulnerabilities.utils import fetch_response |
18 | 14 | from vulnerabilities.utils import is_cve |
19 | 15 |
|
20 | 16 |
|
21 | 17 | class XenImporter(Importer): |
22 | | - # CONFIG_CLASS = XenDBConfiguration |
23 | | - |
24 | | - def updated_advisories(self): |
25 | | - advisories = [] |
26 | | - if create_etag(data_src=self, url=self.config.db_url, etag_key="etag"): |
27 | | - advisories.extend(self.to_advisories(fetch(self.config.db_url))) |
28 | | - |
29 | | - return self.batch_advisories(advisories) |
30 | | - |
31 | | - def create_etag(self, url): |
32 | | - etag = requests.head(url).headers.get("etag") |
33 | | - if not etag: |
34 | | - return True |
35 | | - |
36 | | - elif url in self.config.etags: |
37 | | - if self.config.etags[url] == etag: |
38 | | - return False |
39 | | - |
40 | | - self.config.etags[url] = etag |
41 | | - return True |
42 | | - |
43 | | - @staticmethod |
44 | | - def to_advisories(xen_db): |
45 | | - advisories = [] |
46 | | - for xsa in xen_db[0]["xsas"]: |
47 | | - reference = get_xen_references(xsa["xsa"]) |
48 | | - title = xsa.get("title", [""]) |
49 | | - for cve in xsa.get("cve", [""]): |
50 | | - if not is_cve(cve): |
51 | | - cve = "" |
52 | | - |
53 | | - advisories.append( |
54 | | - AdvisoryData( |
55 | | - vulnerability_id=cve, |
56 | | - summary=title, |
57 | | - references=[reference], |
58 | | - ) |
59 | | - ) |
60 | | - return advisories |
61 | | - |
62 | | - |
63 | | -def get_xen_references(xsa_id): |
64 | | - return Reference( |
65 | | - reference_id="XSA-" + xsa_id, |
66 | | - url="https://xenbits.xen.org/xsa/advisory-{}.html".format(xsa_id), |
67 | | - ) |
68 | | - |
69 | 18 |
|
70 | | -def fetch(url): |
71 | | - response = requests.get(url).content |
72 | | - return json.loads(response) |
| 19 | + url = "https://xenbits.xen.org/xsa/xsa.json" |
| 20 | + spdx_license_expression = "LicenseRef-scancode-other-permissive" |
| 21 | + notice = """ |
| 22 | + From: George Dunlap <[email protected]> |
| 23 | + Date: Wed, Jan 25, 2023 at 4:57 PM |
| 24 | + Subject: Re: Usage of Xen Security Data in VulnerableCode |
| 25 | + To: Tushar Goel <[email protected]> |
| 26 | + |
| 27 | +
|
| 28 | + On Thu, Jan 19, 2023 at 1:10 PM Tushar Goel <[email protected]> wrote: |
| 29 | + > |
| 30 | + > Hi Andrew, |
| 31 | + > |
| 32 | + > > Maybe we want to make it CC-BY-4 to require people to reference back to |
| 33 | + > > the canonical upstream ? |
| 34 | + > Thanks for your response, can we have a more declarative statement on |
| 35 | + > the license from your end |
| 36 | + > and also can you please provide your acknowledgement over the usage of |
| 37 | + > Xen security data in vulnerablecode. |
| 38 | +
|
| 39 | +
|
| 40 | + Hey Tushar, |
| 41 | + Informally, the Xen Project Security Team is happy for you to include the data from xsa.json in your open-source vulnerability database. As a courtesy we'd request that it be documented where the information came from. (I think if the data includes links to then advisories on our website, that will suffice.) |
| 42 | + Formally, we're not copyright lawyers; but we don't think there's anything copyright-able in the xsa.json: There is no editorial or creative control in the generation of that file; it's just a collection of facts which you could re-generate by scanning all the advisories. (In fact that's exactly how the file is created; i.e., the collection of advisory texts is our "source of truth".) |
| 43 | + We do have "Officially license all advisory text as CC-BY-4" on our to-do list; if you'd be more comfortable with an official license for xsa.json as well, we can add that to the list. |
| 44 | +
|
| 45 | + -George |
| 46 | + """ |
| 47 | + |
| 48 | + def advisory_data(self): |
| 49 | + data = fetch_response(self.url).json() |
| 50 | + # The data looks like this |
| 51 | + # [ |
| 52 | + # { |
| 53 | + # "xsas": [ |
| 54 | + # { |
| 55 | + # "cve": [ |
| 56 | + # "CVE-2012-5510" |
| 57 | + # ], |
| 58 | + # "title": "XSA-1: Xen security advisory", |
| 59 | + # } |
| 60 | + # ] |
| 61 | + # } |
| 62 | + # ] |
| 63 | + if not data: |
| 64 | + return [] |
| 65 | + xsas = data[0]["xsas"] |
| 66 | + for xsa in xsas: |
| 67 | + yield from self.to_advisories(xsa) |
| 68 | + |
| 69 | + def to_advisories(self, xsa): |
| 70 | + xsa_id = xsa.get("xsa") |
| 71 | + references = [] |
| 72 | + if xsa_id: |
| 73 | + references.append(XsaReference.from_number(number=xsa_id)) |
| 74 | + title = xsa.get("title") |
| 75 | + for cve in xsa.get("cve") or []: |
| 76 | + # TODO: https://github.com/nexB/vulnerablecode/issues/981 |
| 77 | + if not is_cve(cve): |
| 78 | + continue |
| 79 | + yield AdvisoryData( |
| 80 | + aliases=[cve], |
| 81 | + summary=title, |
| 82 | + references=references, |
| 83 | + ) |
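Review bot: `advisory_data` indexes the fetched JSON as `data[0]["xsas"]` with no check that the payload is a non-empty list whose first element is a mapping carrying an `xsas` key, so a changed or truncated upstream document raises an unhandled KeyError/TypeError from the importer instead of yielding nothing; the comment block documents the expected shape but nothing enforces it. Because the method is a generator (it uses `yield from`), the `return []` on the empty-payload branch is also misleading: the `[]` is discarded and only the bare `return` ends iteration. I would fold both into `if not data: return` followed by `xsas = data[0].get("xsas") or []`, which still assumes `data[0]` is a mapping as the comment shows. Separately, in `to_advisories` the same `references` list object is handed to every `AdvisoryData` yielded for an XSA that lists several CVEs, so any downstream in-place mutation of one record's references would alter its siblings; yielding `references=list(references)` removes that aliasing.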