Merge remote-tracking branch 'keshav-space/oss_index_datasource' into vulntotal-clean

Author: pombredanne

vulntotal/datasources/oss_index.py

@@ -0,0 +1,110 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# http://nexb.com and https://github.com/nexB/vulnerablecode/
+# The VulnTotal software is licensed under the Apache License version 2.0.
+# Data generated with VulnTotal require an acknowledgment.
+#
+# You may not use this software except in compliance with the License.
+# You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+# When you publish or redistribute any data created with VulnTotal or any VulnTotal
+# derivative work, you must accompany this data with the following acknowledgment:
+#
+#  Generated with VulnTotal and provided on an "AS IS" BASIS, WITHOUT WARRANTIES
+#  OR CONDITIONS OF ANY KIND, either express or implied. No content created from
+#  VulnTotal should be considered or used as legal advice. Consult an Attorney
+#  for any legal advice.
+#  VulnTotal is a free software tool from nexB Inc. and others.
+#  Visit https://github.com/nexB/vulnerablecode/ for support and download.
+
+import json
+import logging
+import os
+from typing import Iterable
+
+import requests
+
+from vulntotal.validator import DataSource
+from vulntotal.validator import VendorData
+
+logger = logging.getLogger(__name__)
+
+
+class OSSDataSource(DataSource):
+    spdx_license_expression = "TODO"
+    license_url = "TODO"
+    api_unauthenticated = "https://ossindex.sonatype.org/api/v3/component-report"
+    api_authenticated = "https://ossindex.sonatype.org/api/v3/authorized/component-report"
+
+    def fetch_json_response(self, coordinates):
+        username = os.environ.get("OSS_USERNAME", None)
+        token = os.environ.get("OSS_TOKEN", None)
+        auth = None
+        url = self.api_unauthenticated
+        if username and token:
+            auth = (username, token)
+            url = self.api_authenticated
+        response = requests.post(url, auth=auth, json={"coordinates": coordinates})
+
+        if response.status_code == 200:
+            return response.json()
+        elif response.status_code == 401:
+            logger.error("Invalid credentials")
+        elif response.status_code == 429:
+            msg = (
+                "Too many requests"
+                if auth
+                else "Too many requests: add OSS_USERNAME and OSS_TOKEN in .env file"
+            )
+            logger.error(msg)
+        else:
+            logger.error(f"unknown status code: {response.status_code} while fetching: {url}")
+
+    def datasource_advisory(self, purl) -> Iterable[VendorData]:
+        if purl.type not in self.supported_ecosystem():
+            logger.error("Unsupported PURL")
+            return
+
+        response = self.fetch_json_response([str(purl)])
+        if response:
+            self._raw_dump.append(response)
+            return parse_advisory(response)
+
+    @classmethod
+    def supported_ecosystem(cls):
+        return {
+            "cargo": "cargo",
+            "cocoapods": "cocoapods",
+            "composer": "composer",
+            "conan": "conan",
+            "conda": "conda",
+            "cran": "cran",
+            "golang": "golang",
+            "maven": "maven",
+            "npm": "npm",
+            "nuget": "nuget",
+            "pypi": "pypi",
+            "rpm": "rpm",
+            "gem": "gem",
+            "swift": "swift",
+        }
+
+
+def parse_advisory(component) -> Iterable[VendorData]:
+    response = component[0]
+    if response["vulnerabilities"]:
+        for vuln in response["vulnerabilities"]:
+            aliases = [vuln["id"]]
+            affected_versions = []
+            fixed_versions = []
+            if "versionRanges" in vuln:
+                affected_versions.extend(vuln["versionRanges"])
+            yield VendorData(
+                aliases=aliases,
+                affected_versions=affected_versions,
+                fixed_versions=fixed_versions,
+            )

vulntotal/tests/test_data/oss_index/advisory.json

@@ -0,0 +1,143 @@
+[
+  {
+    "coordinates":"pkg:golang/github.com/cloudflare/[email protected]",
+    "reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/cloudflare/[email protected]?utm_source=python-requests&utm_medium=integration&utm_content=2.27.1",
+    "vulnerabilities":[
+      {
+        "id":"CVE-2021-3907",
+        "displayName":"CVE-2021-3907",
+        "title":"[CVE-2021-3907] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
+        "description":"OctoRPKI does not escape a URI with a filename containing \"..\", this allows a repository to create a file, (ex. rsync://example.org/repo/../../etc/cron.daily/evil.roa), which would then be written to disk outside the base cache folder. This could allow for remote code execution on the host machine OctoRPKI is running on.",
+        "cvssScore":9.8,
+        "cvssVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+        "cwe":"CWE-22",
+        "cve":"CVE-2021-3907",
+        "reference":"https://ossindex.sonatype.org/vulnerability/CVE-2021-3907?component-type=golang&component-name=github.com%2Fcloudflare%2Fcfrpki&utm_source=python-requests&utm_medium=integration&utm_content=2.27.1",
+        "externalReferences":[
+          "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3907",
+          "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-cqh2-vc2f-q4fh"
+        ]
+      },
+      {
+        "id":"CVE-2021-3761",
+        "displayName":"CVE-2021-3761",
+        "title":"[CVE-2021-3761] CWE-787: Out-of-bounds Write",
+        "description":"Any CA issuer in the RPKI can trick OctoRPKI prior to 1.3.0 into emitting an invalid VRP \"MaxLength\" value, causing RTR sessions to terminate. An attacker can use this to disable RPKI Origin Validation in a victim network (for example AS 13335 - Cloudflare) prior to launching a BGP hijack which during normal operations would be rejected as \"RPKI invalid\". Additionally, in certain deployments RTR session flapping in and of itself also could cause BGP routing churn, causing availability issues.",
+        "cvssScore":7.5,
+        "cvssVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+        "cwe":"CWE-787",
+        "cve":"CVE-2021-3761",
+        "reference":"https://ossindex.sonatype.org/vulnerability/CVE-2021-3761?component-type=golang&component-name=github.com%2Fcloudflare%2Fcfrpki&utm_source=python-requests&utm_medium=integration&utm_content=2.27.1",
+        "externalReferences":[
+          "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3761",
+          "https://github.com/cloudflare/cfrpki/pull/90",
+          "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-c8xp-8mf3-62h9",
+          "https://github.com/CVEProject/cvelist/commit/8f3edcdf139aa823e1f17aa15b337ab92436ebf7"
+        ]
+      },
+      {
+        "id":"CVE-2021-3908",
+        "displayName":"CVE-2021-3908",
+        "title":"[CVE-2021-3908] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')",
+        "description":"OctoRPKI does not limit the depth of a certificate chain, allowing for a CA to create children in an ad-hoc fashion, thereby making tree traversal never end.",
+        "cvssScore":7.5,
+        "cvssVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+        "cwe":"CWE-400",
+        "cve":"CVE-2021-3908",
+        "reference":"https://ossindex.sonatype.org/vulnerability/CVE-2021-3908?component-type=golang&component-name=github.com%2Fcloudflare%2Fcfrpki&utm_source=python-requests&utm_medium=integration&utm_content=2.27.1",
+        "externalReferences":[
+          "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3908",
+          "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g5gj-9ggf-9vmq"
+        ]
+      },
+      {
+        "id":"CVE-2021-3909",
+        "displayName":"CVE-2021-3909",
+        "title":"[CVE-2021-3909] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')",
+        "description":"OctoRPKI does not limit the length of a connection, allowing for a slowloris DOS attack to take place which makes OctoRPKI wait forever. Specifically, the repository that OctoRPKI sends HTTP requests to will keep the connection open for a day before a response is returned, but does keep drip feeding new bytes to keep the connection alive.",
+        "cvssScore":7.5,
+        "cvssVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+        "cwe":"CWE-400",
+        "cve":"CVE-2021-3909",
+        "reference":"https://ossindex.sonatype.org/vulnerability/CVE-2021-3909?component-type=golang&component-name=github.com%2Fcloudflare%2Fcfrpki&utm_source=python-requests&utm_medium=integration&utm_content=2.27.1",
+        "externalReferences":[
+          "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3909",
+          "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-8cvr-4rrf-f244"
+        ]
+      },
+      {
+        "id":"CVE-2021-3910",
+        "displayName":"CVE-2021-3910",
+        "title":"[CVE-2021-3910] CWE-20: Improper Input Validation",
+        "description":"OctoRPKI crashes when encountering a repository that returns an invalid ROA (just an encoded NUL (\\0) character).",
+        "cvssScore":7.5,
+        "cvssVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+        "cwe":"CWE-20",
+        "cve":"CVE-2021-3910",
+        "reference":"https://ossindex.sonatype.org/vulnerability/CVE-2021-3910?component-type=golang&component-name=github.com%2Fcloudflare%2Fcfrpki&utm_source=python-requests&utm_medium=integration&utm_content=2.27.1",
+        "externalReferences":[
+          "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3910",
+          "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-5mxh-2qfv-4g7j"
+        ]
+      },
+      {
+        "id":"CVE-2021-3978",
+        "displayName":"CVE-2021-3978",
+        "title":"[CVE-2021-3978] CWE-281: Improper Preservation of Permissions",
+        "description":"github.com/cloudflare/cfrpki - Improper Preservation of Permissions",
+        "cvssScore":7.4,
+        "cvssVector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
+        "cwe":"CWE-281",
+        "cve":"CVE-2021-3978",
+        "reference":"https://ossindex.sonatype.org/vulnerability/CVE-2021-3978?component-type=golang&component-name=github.com%2Fcloudflare%2Fcfrpki&utm_source=python-requests&utm_medium=integration&utm_content=2.27.1",
+        "externalReferences":[
+          "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3978",
+          "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-3pqh-p72c-fj85"
+        ]
+      },
+      {
+        "id":"CVE-2021-3911",
+        "displayName":"CVE-2021-3911",
+        "title":"[CVE-2021-3911] CWE-252: Unchecked Return Value",
+        "description":"If the ROA that a repository returns contains too many bits for the IP address then OctoRPKI will crash.",
+        "cvssScore":6.5,
+        "cvssVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
+        "cwe":"CWE-252",
+        "cve":"CVE-2021-3911",
+        "reference":"https://ossindex.sonatype.org/vulnerability/CVE-2021-3911?component-type=golang&component-name=github.com%2Fcloudflare%2Fcfrpki&utm_source=python-requests&utm_medium=integration&utm_content=2.27.1",
+        "externalReferences":[
+          "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3911",
+          "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-w6ww-fmfx-2x22"
+        ]
+      },
+      {
+        "id":"CVE-2021-3912",
+        "displayName":"CVE-2021-3912",
+        "title":"[CVE-2021-3912] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')",
+        "description":"OctoRPKI tries to load the entire contents of a repository in memory, and in the case of a GZIP bomb, unzip it in memory, making it possible to create a repository that makes OctoRPKI run out of memory (and thus crash).",
+        "cvssScore":6.5,
+        "cvssVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
+        "cwe":"CWE-400",
+        "cve":"CVE-2021-3912",
+        "reference":"https://ossindex.sonatype.org/vulnerability/CVE-2021-3912?component-type=golang&component-name=github.com%2Fcloudflare%2Fcfrpki&utm_source=python-requests&utm_medium=integration&utm_content=2.27.1",
+        "externalReferences":[
+          "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3912",
+          "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g9wh-3vrx-r7hg"
+        ]
+      },
+      {
+        "id":"sonatype-2022-0972",
+        "displayName":"sonatype-2022-0972",
+        "title":"1 vulnerability found",
+        "description":"1 non-CVE vulnerability found. To see more details, please create a free account at https://ossindex.sonatype.org/ and request for this information using your registered account",
+        "cvssScore":6.5,
+        "cvssVector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
+        "cwe":"CWE-699",
+        "reference":"https://ossindex.sonatype.org/vulnerability/sonatype-2022-0972",
+        "externalReferences":[
+          
+        ]
+      }
+    ]
+  }
+]

vulntotal/tests/test_data/oss_index/parse_advisory-expected.json

@@ -0,0 +1,65 @@
+[
+  {
+    "affected_versions": [],
+    "fixed_versions": [],
+    "aliases": [
+      "CVE-2021-3907"
+    ]
+  },
+  {
+    "affected_versions": [],
+    "fixed_versions": [],
+    "aliases": [
+      "CVE-2021-3761"
+    ]
+  },
+  {
+    "affected_versions": [],
+    "fixed_versions": [],
+    "aliases": [
+      "CVE-2021-3908"
+    ]
+  },
+  {
+    "affected_versions": [],
+    "fixed_versions": [],
+    "aliases": [
+      "CVE-2021-3909"
+    ]
+  },
+  {
+    "affected_versions": [],
+    "fixed_versions": [],
+    "aliases": [
+      "CVE-2021-3910"
+    ]
+  },
+  {
+    "affected_versions": [],
+    "fixed_versions": [],
+    "aliases": [
+      "CVE-2021-3978"
+    ]
+  },
+  {
+    "affected_versions": [],
+    "fixed_versions": [],
+    "aliases": [
+      "CVE-2021-3911"
+    ]
+  },
+  {
+    "affected_versions": [],
+    "fixed_versions": [],
+    "aliases": [
+      "CVE-2021-3912"
+    ]
+  },
+  {
+    "affected_versions": [],
+    "fixed_versions": [],
+    "aliases": [
+      "sonatype-2022-0972"
+    ]
+  }
+]

vulntotal/tests/test_oss_index.py

@@ -0,0 +1,43 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# http://nexb.com and https://github.com/nexB/vulnerablecode/
+# The VulnTotal software is licensed under the Apache License version 2.0.
+# Data generated with VulnTotal require an acknowledgment.
+#
+# You may not use this software except in compliance with the License.
+# You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+# When you publish or redistribute any data created with VulnTotal or any VulnTotal
+# derivative work, you must accompany this data with the following acknowledgment:
+#
+#  Generated with VulnTotal and provided on an "AS IS" BASIS, WITHOUT WARRANTIES
+#  OR CONDITIONS OF ANY KIND, either express or implied. No content created from
+#  VulnTotal should be considered or used as legal advice. Consult an Attorney
+#  for any legal advice.
+#  VulnTotal is a free software tool from nexB Inc. and others.
+#  Visit https://github.com/nexB/vulnerablecode/ for support and download.
+
+import json
+from pathlib import Path
+
+from commoncode import testcase
+from packageurl import PackageURL
+
+from vulnerabilities.tests import util_tests
+from vulntotal.datasources import oss_index
+
+
+class TestDeps(testcase.FileBasedTesting):
+    test_data_dir = str(Path(__file__).resolve().parent / "test_data" / "oss_index")
+
+    def test_parse_advisory(self):
+        advisory_file = self.get_test_loc("advisory.json")
+        with open(advisory_file) as f:
+            advisory = json.load(f)
+        results = [adv.to_dict() for adv in oss_index.parse_advisory(advisory)]
+        expected_file = self.get_test_loc("parse_advisory-expected.json", must_exist=False)
+        util_tests.check_results_against_json(results, expected_file)