Merge branch 'main' into alpine-migrate

Author: ziadhany

README.rst

@@ -1,7 +1,37 @@
-===============
+==============
 VulnerableCode
+==============
+
+VulnerableCode is a database of software package vulnerabilities with Web UI and API.
+
+Why Use VulnerableCode?
+=======================
+
+VulnerableCode provides a Web UI and API to access a database of known software package 
+vulnerabilities with comprehensive information from upstream and downstream public 
+sources including packages affected by a vulnerability and packages that fix a 
+vulnerability. 
+
+There is a `public VulnerableCode database <https://public.vulnerablecode.io/>`_ 
+and the project also provides the tools to build your own instance of the database.
+
+Getting Started
 ===============
 
+Instructions to get you up and running on your local machine are at `Getting Started <https://vulnerablecode.readthedocs.io/en/stable/>`_
+
+The VulnerableCode documentation also provides:
+
+- prerequisites for installing the software.
+- an introduction to the user interface.
+- how to use the API.
+- tutorials for adding new pipelines to import and improve advisories.
+- extensive reference information about VulnerableCode data.
+- guidelines for contributing to code development.
+
+Build and tests status
+======================
+
 |Build Status| |Code License| |Data License| |Python 3.8+| |stability-wip| |Gitter chat|
 
 
@@ -18,11 +48,12 @@ VulnerableCode
    :target: https://gitter.im/aboutcode-org/vulnerablecode
 
 
+Benefits of VulnerableCode
+==========================
+
 VulnerableCode is a free and open database of open source software package
 vulnerabilities **because open source software vulnerability data and tools
-should be free and open source themselves**:
-
-We are trying to change this and evolve the status quo in a few other areas!
+should be free and open source themselves**.
 
 - Vulnerability databases have been **traditionally proprietary** even though they
   are mostly about free and open source software. 
@@ -37,110 +68,29 @@ We are trying to change this and evolve the status quo in a few other areas!
   easier to find a package and whether it is vulnerable.
 
 PURLs were designed initially for ScanCode and VulnerableCode. PURL is
-now a de-facto standard for vulnerability management and package references.
-See https://github.com/package-url/purl-spec
-
-The VulnerableCode project is a FOSS community resource to help improve the
-security of the open source software ecosystem and its users at large.
-
-VulnerableCode consists of a database and the tools to collect, refine and keep
-the database current. 
-
-
-.. pull-quote::
-   **Warning**
-   VulnerableCode is under active development and may not be ready for production
-use depending on your use cases.
-
-Read more about VulnerableCode at https://vulnerablecode.readthedocs.org/
+now a `standard <https://github.com/package-url/purl-spec>`_ for vulnerability management 
+and package references.
 
 The VulnerableCode tech stack is Python, Django, PostgreSQL, nginx and Docker and
 several libraries.
 
-Getting started
-===============
-
-Run with Docker
----------------
-
-First install docker, then run
-
-.. code:: bash
-
-    git clone https://github.com/nexB/vulnerablecode.git && cd vulnerablecode
-    make envfile
-    docker compose build
-    docker compose up -d
-    docker compose run vulnerablecode ./manage.py import --list
-
-Then run an importer for nginx advisories (which is small)
+Support
+=======
 
-.. code:: bash
+If you have a specific problem, suggestion or bug, please submit a
+`GitHub issue <https://github.com/aboutcode-org/vulnerablecode/issues>`_.
 
-    docker compose exec vulnerablecode ./manage.py import nginx_importer
-    docker compose exec vulnerablecode ./manage.py improve --all
-
-At this point, the VulnerableCode app and API should be up and running with
-some data at http://localhost
-
-
-Populate VulnerableCode database
---------------------------------
-
-VulnerableCode data collection works in two steps: importing data from multiple
-sources and then refining and improving how package and software vulnerabilities
-are related.
-
-To run all importers and improvers use this
-
-.. code:: bash
-
-   ./manage.py import --all
-
-.. code:: bash
-
-   ./manage.py improve --all
-
-
-Local development installation
-------------------------------
-
-On a Debian system, use this
-
-.. code:: bash
-
-    sudo apt-get install  python3-venv python3-dev postgresql libpq-dev build-essential
-    git clone https://github.com/nexB/vulnerablecode.git && cd vulnerablecode
-    make dev envfile postgres
-    make test
-    source venv/bin/activate
-    ./manage.py import nginx_importer
-    ./manage.py improve --all
-    make run
-
-At this point, the VulnerableCode app and API is up at http://127.0.0.1:8001/
+For quick questions or socializing, join the AboutCode community discussions on `Slack <https://join.slack.com/t/aboutcode-org/shared_invite/zt-3li3bfs78-mmtKG0Qhv~G2dSlNCZW2pA>`_.
 
+Interested in commercial suppport? Contact the `AboutCode team <mailto:hello@aboutcode.org>`_.
 
 License
-========
-
-Copyright (c) nexB Inc. and others. All rights reserved.
-
-VulnerableCode is a trademark of nexB Inc.
-
-SPDX-License-Identifier: Apache-2.0 AND CC-BY-SA-4.0
-
-VulnerableCode software is licensed under the Apache License version 2.0.
-
-VulnerableCode data is licensed collectively under CC-BY-SA-4.0.
-
-See https://www.apache.org/licenses/LICENSE-2.0 for the license text.
-
-See https://creativecommons.org/licenses/by-sa/4.0/legalcode for the license text.
-
-See https://github.com/nexB/vulnerablecode for support or download. 
+=======
 
-See https://aboutcode.org for more information about nexB OSS projects.
+* `Apache-2.0 <apache-2.0.LICENSE>`_ is the overall license.
+* `CC-BY-SA-4.0 <cc-by-sa-4.0.LICENSE>`_ applies to reference datasets.
+* There are multiple secondary permissive or copyleft licenses (LGPL, MIT,
+  BSD, GPL 2/3, etc.) for third-party components and test suite code and data.
 
 
 Acknowledgements, Funding, Support and Sponsoring

vulnerabilities/importers/__init__.py

@@ -48,6 +48,7 @@
 from vulnerabilities.pipelines.v2_importers import apache_tomcat_importer as apache_tomcat_v2
 from vulnerabilities.pipelines.v2_importers import archlinux_importer as archlinux_importer_v2
 from vulnerabilities.pipelines.v2_importers import curl_importer as curl_importer_v2
+from vulnerabilities.pipelines.v2_importers import debian_importer as debian_importer_v2
 from vulnerabilities.pipelines.v2_importers import (
     elixir_security_importer as elixir_security_importer_v2,
 )
@@ -104,6 +105,7 @@
         ruby_importer_v2.RubyImporterPipeline,
         epss_importer_v2.EPSSImporterPipeline,
         nginx_importer_v2.NginxImporterPipeline,
+        debian_importer_v2.DebianImporterPipeline,
         mattermost_importer_v2.MattermostImporterPipeline,
         apache_tomcat_v2.ApacheTomcatImporterPipeline,
         alpine_linux_importer_v2.AlpineLinuxImporterPipeline,

vulnerabilities/pipelines/v2_importers/debian_importer.py

@@ -0,0 +1,187 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+import re
+from typing import Any
+from typing import Iterable
+from typing import Mapping
+
+from packageurl import PackageURL
+from univers.version_range import DebianVersionRange
+
+from vulnerabilities.importer import AdvisoryData
+from vulnerabilities.importer import AffectedPackageV2
+from vulnerabilities.importer import ReferenceV2
+from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipelineV2
+from vulnerabilities.utils import create_weaknesses_list
+from vulnerabilities.utils import dedupe
+from vulnerabilities.utils import fetch_response
+from vulnerabilities.utils import get_item
+
+
+class DebianImporterPipeline(VulnerableCodeBaseImporterPipelineV2):
+    """Debian Importer Pipeline"""
+
+    pipeline_id = "debian_importer_v2"
+    spdx_license_expression = "LicenseRef-scancode-other-permissive"
+    license_url = "https://www.debian.org/license"
+    notice = """
+    From: Tushar Goel <tgoel@nexb.com>
+    Date: Thu, May 12, 2022 at 11:42 PM +00:00
+    Subject: Usage of Debian Security Data in VulnerableCode
+    To: <team@security.debian.org>
+
+    Hey,
+
+    We would like to integrate the debian security data in vulnerablecode
+    [1][2] which is a FOSS db of FOSS vulnerability data. We were not able
+    to know under which license the debian security data comes. We would
+    be grateful to have your acknowledgement over usage of the debian
+    security data in vulnerablecode and have some kind of licensing
+    declaration from your side.
+
+    [1] - https://github.com/nexB/vulnerablecode
+    [2] - https://github.com/nexB/vulnerablecode/pull/723
+
+    Regards,
+
+    From: Moritz Mühlenhoff <jmm@inutil.org>
+    Date: Wed, May 17, 2022, 19:12 PM +00:00
+    Subject: Re: Usage of Debian Security Data in VulnerableCode
+    To: Tushar Goel <tgoel@nexb.com>
+    Cc: <team@security.debian.org>
+
+
+    Am Thu, May 12, 2022 at 05:12:48PM +0530 schrieb Tushar Goel:
+    > Hey,
+    >
+    > We would like to integrate the debian security data in vulnerablecode
+    > [1][2] which is a FOSS db of FOSS vulnerability data. We were not able
+    > to know under which license the debian security data comes. We would
+    > be grateful to have your acknowledgement over usage of the debian
+    > security data in vulnerablecode and have some kind of licensing
+    > declaration from your side.
+
+    We don't have a specific license, but you have our endorsemen to
+    reuse the data by all means :-)
+
+    Cheers,
+        Moritz
+    """
+
+    api_url = "https://security-tracker.debian.org/tracker/data/json"
+    response = None
+
+    @classmethod
+    def steps(cls):
+        return (cls.collect_and_store_advisories,)
+
+    def get_response(self):
+        try:
+            response = fetch_response(self.api_url)
+            if response:
+                return response.json()
+            return {}
+        except Exception as e:
+            self.log(f"Error fetching data from {self.api_url!r}: {e}")
+            return {}
+
+    def advisories_count(self) -> int:
+        adv_count = 0
+        if not self.response:
+            self.response = self.get_response()
+        for pkg in self.response:
+            recs = len(self.response[pkg])
+            adv_count += recs
+        return adv_count
+
+    def collect_advisories(self) -> Iterable[AdvisoryData]:
+        if not self.response:
+            self.response = self.get_response()
+        for pkg_name, records in self.response.items():
+            yield from self.parse(pkg_name, records)
+
+    def parse(self, pkg_name: str, records: Mapping[str, Any]) -> Iterable[AdvisoryData]:
+
+        for record_identifier, record in records.items():
+            affected_versions = []
+            fixed_versions = []
+
+            releases = record["releases"].items()
+            for release_name, release_record in releases:
+                version = get_item(release_record, "repositories", release_name)
+
+                if not version:
+                    self.log(
+                        f"Version not found for {release_name} in {record} in package {pkg_name}"
+                    )
+                    continue
+
+                purl = PackageURL(
+                    name=pkg_name,
+                    type="deb",
+                    namespace="debian",
+                    qualifiers={"distro": release_name},
+                )
+
+                if release_record.get("status", "") == "resolved":
+                    fixed_versions.append(version)
+                else:
+                    affected_versions.append(version)
+
+                if release_record.get("fixed_version"):
+                    fixed_versions.append(release_record["fixed_version"])
+
+            references = []
+            debianbug = record.get("debianbug")
+            if debianbug:
+                bug_url = f"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug={debianbug}"
+                references.append(ReferenceV2(url=bug_url, reference_id=str(debianbug)))
+            affected_versions = dedupe(affected_versions)
+            fixed_versions = dedupe(fixed_versions)
+            if affected_versions:
+                affected_version_range = DebianVersionRange.from_versions(affected_versions)
+            else:
+                affected_version_range = None
+            affected_packages = []
+            for fixed_version in fixed_versions:
+                affected_packages.append(
+                    AffectedPackageV2(
+                        package=purl,
+                        affected_version_range=affected_version_range,
+                        fixed_version_range=DebianVersionRange.from_versions([fixed_version]),
+                    )
+                )
+            weaknesses = get_cwe_from_debian_advisory(record)
+
+            yield AdvisoryData(
+                advisory_id=f"{pkg_name}/{record_identifier}",
+                aliases=[record_identifier],
+                summary=record.get("description", ""),
+                affected_packages=affected_packages,
+                references=references,
+                weaknesses=weaknesses,
+                url=f"https://security-tracker.debian.org/tracker/{record_identifier}",
+            )
+
+
+def get_cwe_from_debian_advisory(record):
+    """
+    Extracts CWE ID strings from the given raw_data and returns a list of CWE IDs.
+
+        >>> get_cwe_from_debian_advisory({"description":"PEAR HTML_QuickForm version 3.2.14 contains an eval injection (CWE-95) vulnerability in HTML_QuickForm's getSubmitValue method, HTML_QuickForm's validate method, HTML_QuickForm_hierselect's _setOptions method, HTML_QuickForm_element's _findValue method, HTML_QuickForm_element's _prepareValue method. that can result in Possible information disclosure, possible impact on data integrity and execution of arbitrary code. This attack appear to be exploitable via A specially crafted query string could be utilised, e.g. http://www.example.com/admin/add_practice_type_id[1]=fubar%27])%20OR%20die(%27OOK!%27);%20//&mode=live. This vulnerability appears to have been fixed in 3.2.15."})
+        [95]
+        >>> get_cwe_from_debian_advisory({"description":"There is no WEAKNESS DATA"})
+        []
+    """
+    description = record.get("description") or ""
+    pattern = r"CWE-\d+"
+    cwe_strings = re.findall(pattern, description)
+    weaknesses = create_weaknesses_list(cwe_strings)
+    return weaknesses

vulnerabilities/pipes/osv_v2.py

@@ -17,7 +17,6 @@
 from cvss.exceptions import CVSS3MalformedError
 from cvss.exceptions import CVSS4MalformedError
 from packageurl import PackageURL
-from univers.version_constraint import InvalidConstraintsError
 from univers.version_constraint import VersionConstraint
 from univers.version_constraint import validate_comparators
 from univers.version_range import RANGE_CLASS_BY_SCHEMES
@@ -49,7 +48,7 @@
     "rubygems": "gem",
     "go": "golang",
     "hex": "hex",
-    "cargo": "cargo",
+    "crates.io": "cargo",
 }