From 68c80591e2e210ed9d9f8856bd9d2d8e0e098100 Mon Sep 17 00:00:00 2001 From: prabhu Date: Sat, 26 Aug 2023 03:36:38 +0100 Subject: [PATCH] Support for searching os packages without vendor (#62) Signed-off-by: Prabhu Subramanian --- pyproject.toml | 2 +- test/test_source.py | 2 +- vdb/lib/config.py | 1 + vdb/lib/db.py | 29 ++++++++++++++++++++--------- vdb/lib/osv.py | 14 ++++++++++---- vdb/lib/storage.py | 2 +- vdb/lib/utils.py | 8 +------- 7 files changed, 35 insertions(+), 23 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index abea3b3..1bbaa50 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [project] name = "appthreat-vulnerability-db" -version = "5.2.0" +version = "5.2.1" description = "AppThreat's vulnerability database and package search library with a built-in file based storage. OSV, CVE, GitHub, npm are the primary sources of vulnerabilities." authors = [ {name = "Team AppThreat", email = "cloud@appthreat.com"}, diff --git a/test/test_source.py b/test/test_source.py index 266956d..0025c7d 100644 --- a/test/test_source.py +++ b/test/test_source.py @@ -3,10 +3,10 @@ import pytest +from vdb.lib.aqua import AquaSource from vdb.lib.gha import GitHubSource from vdb.lib.nvd import NvdSource from vdb.lib.osv import OSVSource -from vdb.lib.aqua import AquaSource @pytest.fixture diff --git a/vdb/lib/config.py b/vdb/lib/config.py index b7d45c5..4a88b88 100644 --- a/vdb/lib/config.py +++ b/vdb/lib/config.py @@ -61,6 +61,7 @@ "linux": "https://osv-vulnerabilities.storage.googleapis.com/Linux/all.zip", "debian": "https://osv-vulnerabilities.storage.googleapis.com/Debian/all.zip", "oss-fuzz": "https://osv-vulnerabilities.storage.googleapis.com/OSS-Fuzz/all.zip", + "cran": "https://osv-vulnerabilities.storage.googleapis.com/CRAN/all.zip", } aquasec_vuln_list_url = ( diff --git a/vdb/lib/db.py b/vdb/lib/db.py index 72764f5..d6889bf 100644 --- a/vdb/lib/db.py +++ b/vdb/lib/db.py 
@@ -151,21 +151,32 @@ def _key_func(data, match_list): max_affected_version_excluding, ): return True - # Search by vendor, name and version + # Search by pos or vendor, name and version if len(name_ver) == 3: - # Check if we have a hit - if ( - name_ver[0] == vendor - and name_ver[1] == package - and version_compare( + # Is name_ver[0] pos? + if "_" in name_ver[0]: + if name_ver[1] == package and version_compare( name_ver[2], min_affected_version_including, max_affected_version_including, min_affected_version_excluding, max_affected_version_excluding, - ) - ): - return True + ): + return True + else: + # Check if we have a hit + if ( + name_ver[0] == vendor + and name_ver[1] == package + and version_compare( + name_ver[2], + min_affected_version_including, + max_affected_version_including, + min_affected_version_excluding, + max_affected_version_excluding, + ) + ): + return True # Search by pos, vendor, name and version if len(name_ver) == 4: # Check if we have a hit diff --git a/vdb/lib/osv.py b/vdb/lib/osv.py index 6d4f9e1..dfcd731 100644 --- a/vdb/lib/osv.py +++ b/vdb/lib/osv.py @@ -31,7 +31,12 @@ json_lib = orjson if ORJSON_AVAILABLE else json -vendor_overrides = {"apk": "alpine", "deb": "debian", "go": "golang"} +vendor_overrides = { + "apk": "alpine", + "deb": "debian", + "go": "golang", + "crates.io": "crates", +} class OSVSource(NvdSource): @@ -183,7 +188,8 @@ def to_vuln(self, cve_data): vectorString = dvectorString exploitabilityScore = score ranges = pkg_data.get("ranges", []) - vendor = pkg_data.get("package", {}).get("ecosystem", "").lower() + vendor_ecosystem = pkg_data.get("package", {}).get("ecosystem", "").lower() + vendor = vendor_ecosystem pkg_name = pkg_data.get("package", {}).get("name", "") pkg_name_list = [] purl = parse_purl(pkg_data.get("package", {}).get("purl", "")) 
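Review bot: The new `if "_" in name_ver[0]:` branch decides that the first key field is a storage position purely because it contains an underscore, so a vendor string that happens to contain `_` would silently skip the vendor comparison and match on package name and version alone; if pos keys are always `<start>_<end>` digits (storage.py splits them that way), tighten the guard to `name_ver[0].replace("_", "").isdigit()`. The vendor-less branch also matches a package name from any ecosystem in the store, so a search for an OS package will hit same-named packages elsewhere; a comment such as `# vendor-less (pos) lookup: may match same-named packages from other ecosystems` would warn the next reader, and callers should expect to filter those hits. Both branches repeat the same `version_compare` call and can be folded into one test that evaluates the name/version hit once and then requires either the pos form or a vendor match. `_key_func` starts before this hunk and its `len(name_ver) == 4` branch continues after it.
```python
    # Search by pos or vendor, name and version
    if len(name_ver) == 3:
        # NOTE(review): assumes pos keys are "<start>_<end>" digits; a vendor never is
        is_pos = name_ver[0].replace("_", "").isdigit()
        if (
            (is_pos or name_ver[0] == vendor)
            and name_ver[1] == package
            and version_compare(
                name_ver[2],
                min_affected_version_including,
                max_affected_version_including,
                min_affected_version_excluding,
                max_affected_version_excluding,
            )
        ):
            return True
    # … unchanged: len(name_ver) == 4 branch …
```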
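Review bot: The new `"crates.io": "crates"` entry picks a vendor name that differs from the purl type for Rust crates, which is `cargo`; since this file already derives data from `parse_purl` on the OSV package purl, a stored vendor of `crates` may never match a `pkg:cargo/...` lookup if the search side uses the purl type, so confirm which spelling callers use and either map to `cargo` or accept both. The dict itself carries no comment; `# Maps lowercased OSV ecosystem names to the vendor string stored in the db` would document the contract. The code that applies the override is outside this hunk.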
@@ -200,8 +206,8 @@ def to_vuln(self, cve_data): pkg_name_list.append(pkg_name) # For OS packages, such as alpine OSV appends the os version to the vendor # Let's remove it and add it to package name - if ":" in vendor and ("alpine" in vendor or "debian" in vendor): - tmpV = vendor.split(":") + if ":" in vendor_ecosystem and ("alpine" in vendor or "debian" in vendor): + tmpV = vendor_ecosystem.split(":") vendor = tmpV[0].lower() vdistro = tmpV[1] if vendor == "alpine": diff --git a/vdb/lib/storage.py b/vdb/lib/storage.py index 592979b..9aac4ae 100644 --- a/vdb/lib/storage.py +++ b/vdb/lib/storage.py @@ -81,7 +81,7 @@ def stream_bulk_search(match_list, key_func, db_file=config.vdb_bin_file): with open(db_file, mode="rb") as fp: for amatch in match_list: tmpA = amatch.split("|") - if len(tmpA) == 4: + if len(tmpA) >= 3: tmpB = tmpA[0].split("_") store_pos = tmpB[0] store_end_pos = None diff --git a/vdb/lib/utils.py b/vdb/lib/utils.py index d63da71..305d169 100644 --- a/vdb/lib/utils.py +++ b/vdb/lib/utils.py @@ -484,13 +484,7 @@ def version_compare( # Easy check if compare_ver and mae and compare_ver == mae: return False - ( - tcompare_ver, - tmin_version, - tmax_version, - tmie, - tmae, - ) = trim_epoch( + (tcompare_ver, tmin_version, tmax_version, tmie, tmae,) = trim_epoch( compare_ver, min_version, max_version,
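Review bot: The guard still uses substring tests on `vendor` (`"alpine" in vendor or "debian" in vendor`) while the split is now done on `vendor_ecosystem`, so any ecosystem that merely contains those words is treated as an OS ecosystem, and the pairing silently relies on `vendor` and `vendor_ecosystem` still being equal at this point, which the lines between the two hunks do not show. A prefix test on the string that is actually split is tighter and drops the temporary: `if vendor_ecosystem.startswith(("alpine:", "debian:")):` followed by `vendor, vdistro = vendor_ecosystem.split(":", 1)` (the original keeps only the second colon-separated field; confirm no ecosystem carries more than one colon before relying on the rest). `to_vuln` starts before this hunk and continues after it.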
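Review bot: Relaxing the check to `len(tmpA) >= 3` lets a three-part `vendor|name|version` key into the position branch, where `tmpA[0]` is split on `_` as if it were a `<pos>_<end>` pair; for such keys `store_pos` becomes the vendor string rather than an offset, and if it is later used to seek in `fp` (the rest of the loop body is outside the hunk) that would fail at runtime. The db.py side of this commit tells pos and vendor apart by the shape of the first field, so the same test belongs here, e.g. `if len(tmpA) in (3, 4) and tmpA[0].replace("_", "").isdigit():`, which also stops keys with five or more fields from slipping through. `stream_bulk_search` starts before this hunk and continues after it.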