1313from urllib .request import urlopen
1414
1515from packageurl import PackageURL
16+ from univers .version_range import ArchLinuxVersionRange
17+ from univers .versions import ArchLinuxVersion
1618
1719from vulnerabilities import severity_systems
1820from vulnerabilities .importer import AdvisoryData
21+ from vulnerabilities .importer import AffectedPackage
1922from vulnerabilities .importer import Importer
2023from vulnerabilities .importer import Reference
2124from vulnerabilities .importer import VulnerabilitySeverity
2225from vulnerabilities .utils import fetch_response
23- from vulnerabilities .utils import nearest_patched_package
2426
2527
2628class ArchlinuxImporter (Importer ):
@@ -35,37 +37,28 @@ def advisory_data(self) -> Iterable[AdvisoryData]:
3537 for record in self .fetch ():
3638 yield self .parse_advisory (record )
3739
38- # The JSON includes 'status' and 'type' fields do we want to incorporate them into the AdvisoryData objects?
39- # Although not directly reflected in the JSON, the web page for at least some references include an additional reference,
40- # see, e.g., https://security.archlinux.org/AVG-2781 (one of our test inputs, which lists this ref: https://github.com/jpadilla/pyjwt/security/advisories/GHSA-ffqj-6fqr-9h24)
41- # Do we want to incorporate them into the AdvisoryData objects?
4240 def parse_advisory (self , record ) -> List [AdvisoryData ]:
4341 advisories = []
4442 aliases = record ["issues" ]
4543 for alias in record ["issues" ]:
4644 affected_packages = []
4745 for name in record ["packages" ]:
48- impacted_purls , resolved_purls = [], []
49- impacted_purls .append (
46+ summary = record .get ("type" ) or ""
47+ if summary == "unknown" :
48+ summary = ""
49+
50+ affected_packages = AffectedPackage (
5051 PackageURL (
5152 name = name ,
5253 type = "alpm" ,
5354 namespace = "archlinux" ,
54- version = record ["affected" ],
55- )
55+ ),
56+ affected_version_range = ArchLinuxVersionRange .from_versions (
57+ [record .get ("affected" ) or "" ]
58+ ),
59+ fixed_version = ArchLinuxVersion (record .get ("fixed" ) or "" ),
5660 )
5761
58- if record ["fixed" ]:
59- resolved_purls .append (
60- PackageURL (
61- name = name ,
62- type = "alpm" ,
63- namespace = "archlinux" ,
64- version = record ["fixed" ],
65- )
66- )
67- affected_packages .extend (nearest_patched_package (impacted_purls , resolved_purls ))
68-
6962 references = []
7063 references .append (
7164 Reference (
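Review bot: `affected_packages = AffectedPackage(` (new line 50) rebinds the name on every pass of the `for name in record["packages"]` loop, so only the last package survives, the `affected_packages = []` at line 44 is dead, and the `AdvisoryData(affected_packages=affected_packages)` in the next hunk receives a single object where the removed code passed a list. It should be `affected_packages.append(AffectedPackage(` with the closing `)` matched, and the debug block in the last hunk should iterate that list instead of reading `advisory.affected_packages.package`. The `or ""` fallbacks mean a record without `affected` or `fixed` (the removed code guarded `fixed` with `if record["fixed"]:`) now calls `ArchLinuxVersionRange.from_versions([""])` and `ArchLinuxVersion("")`, which presumably fails on an empty version string; leave the range and `fixed_version` unset when the field is missing rather than constructing them from `""`. The `summary` computation at lines 46–48 does not depend on `name` and belongs before the package loop. parse_advisory continues outside the hunk.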
@@ -89,11 +82,8 @@ def parse_advisory(self, record) -> List[AdvisoryData]:
8982
9083 advisories .append (
9184 AdvisoryData (
92- # Do we want/need to keep this inside a list? "aliases" is plural but I understand we want to break out each alias individually.
93- # However, it looks like alpine_linux.py and nginx.py, for example, return a list of aliases.
94- aliases = [alias ],
95- # aliases=alias,
96- summary = "" ,
85+ aliases = [alias , record ["name" ]],
86+ summary = summary ,
9787 affected_packages = affected_packages ,
9888 references = references ,
9989 )
@@ -106,23 +96,50 @@ def parse_advisory(self, record) -> List[AdvisoryData]:
10696 print ("\n \r =================================\n \r " )
10797
10898 for advisory in advisories :
109- print (f"1. aliases: { advisory .aliases } \r " )
110- print ("" )
111- print (f"2. summary: { advisory .summary } \r " )
112- print ("" )
113- print (f"3. affected_packages: { advisory .affected_packages } \r " )
114- for pkg in advisory .affected_packages :
115- print ("" )
116- print ("vulnerable_package: {}\r " .format (pkg .vulnerable_package ))
117- print ("" )
118- print ("patched_package: {}\r " .format (pkg .patched_package ))
119- print ("" )
99+ print (f"1. aliases: { advisory .aliases } \r \n " )
100+ for alias in advisory .aliases :
101+
102+ print ("\t alias: {}\r \n " .format (alias ))
103+
104+ print (f"2. summary: { advisory .summary } \r \n " )
105+
106+ print (f"3. affected_packages: { advisory .affected_packages } \r \n " )
107+
108+ print ("\t package: {}\r \n " .format (advisory .affected_packages .package ))
109+
110+ print ("\t \t type: {}\r " .format (advisory .affected_packages .package .type ))
111+
112+ print ("\t \t namespace: {}\r " .format (advisory .affected_packages .package .namespace ))
113+
114+ print ("\t \t name: {}\r " .format (advisory .affected_packages .package .name ))
115+
116+ print ("\t \t version: {}\r " .format (advisory .affected_packages .package .version ))
117+
118+ print ("\t \t qualifiers: {}\r " .format (advisory .affected_packages .package .qualifiers ))
119+
120+ print ("\t \t subpath: {}\r \n " .format (advisory .affected_packages .package .subpath ))
121+
122+ print (
123+ "\t affected_version_range: {}\r \n " .format (
124+ advisory .affected_packages .affected_version_range
125+ )
126+ )
127+
128+ print ("\t fixed_version: {}\r \n " .format (advisory .affected_packages .fixed_version ))
129+
120130 print (f"4. references: { advisory .references } \r " )
121131 for ref in advisory .references :
122- print ("" )
123- print ("ref: {}\r " .format (ref ))
124- print ("" )
132+
133+ print ("\r \n ref: {}\r \n " .format (ref ))
134+
135+ print ("\t reference_id: {}\r \n " .format (ref .reference_id ))
136+
137+ print ("\t url: {}\r \n " .format (ref .url ))
138+
139+ print ("\t severities: {}\r \n " .format (ref .severities ))
140+
125141 print (f"5. date_published: { advisory .date_published } \r " )
142+
126143 print ("\n \r =================================\n \r " )
127144
128145 return advisories