Skip to content

#1 Query cve-search' database for package vulnerabilities #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
tdruez merged 12 commits into from
Jun 27, 2017
Merged

#1 Query cve-search' database for package vulnerabilities #2

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
a973fb7
#1 Query cve-search' db
kartiksibal Jun 9, 2017
1f3bf76
#1 Use args instead of user-input
kartiksibal Jun 9, 2017
115933b
#1 Use format
kartiksibal Jun 9, 2017
4e5d290
#1 general fixes
kartiksibal Jun 16, 2017
d2dad49
#1 Changes in testdata
kartiksibal Jun 17, 2017
892a28c
#1 Minor fixes
kartiksibal Jun 18, 2017
2c542bd
#2 Return cvss,summary and cve-ids
kartiksibal Jun 20, 2017
50e094b
#2 Remove boilerplate code
kartiksibal Jun 21, 2017
fe1441d
#2 Remove dict comprehension
kartiksibal Jun 22, 2017
240ec00
#2 Use dict comprehension & added test cases
kartiksibal Jun 27, 2017
2ad3a9c
#2 Added test cases
kartiksibal Jun 27, 2017
09413f9
#2 Fixes unit tests
kartiksibal Jun 27, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
55 changes: 55 additions & 0 deletions api_data.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,55 @@
#!/usr/bin/env python
Copy link
Member

@pombredanne pombredanne Jun 17, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You are missing a license header ;)

Copy link
Contributor Author

@kartiksibal kartiksibal Jun 22, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done!

#
# Copyright (c) 2017 nexB Inc. and others. All rights reserved.
# http://nexb.com and https://github.com/nexB/vulnerablecode/
# The VulnerableCode software is licensed under the Apache License version 2.0.
# Data generated with VulnerableCode requires an acknowledgment.
#
# You may not use this software except in compliance with the License.
# You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
# When you publish or redistribute any data created with VulnerableCode or any VulnerableCode
# derivative work, you must accompany this data with the following acknowledgment:
#
# Generated with VulnerableCode and provided on an "AS IS" BASIS, WITHOUT WARRANTIES
# OR CONDITIONS OF ANY KIND, either express or implied. No content created from
# VulnerableCode should be considered or used as legal advice. Consult an Attorney
# for any legal advice.
# VulnerableCode is a free software code scanning tool from nexB Inc. and others.
# Visit https://github.com/nexB/vulnerablecode/ for support and download.

import json
from urllib.request import urlopen


def data_cve_circl(name, version=None):
"""
Output cve-ids, if any, related to a package.
Take as input, a package name, type, package version and
query cve-search' dataset for any reported vulnerabilities
"""
url = f'https://cve.circl.lu/api/search/{name}'

if version:
url += f'/{version}'
Copy link
Member

@pombredanne pombredanne Jun 23, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This f is Python 3-only, right? I guess this is OK as we said we would only support Python3, right?

Copy link
Contributor Author

@kartiksibal kartiksibal Jun 23, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, that was an update in 3.6 and yes as you said earlier to support 3.6+. So, this can stay.


raw_data = urlopen(url).read()
data = json.loads(raw_data)

if version:
return data

return data['data']


def extract_fields(data, fields_names):
"""
Return requested data fields using data generated by
cve-search' api. Takes as input data, fields requested
"""
return [{name: item.get(name) for name in fields_names}
for item in data]
84 changes: 84 additions & 0 deletions test_api_data.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,84 @@
#
# Copyright (c) 2017 nexB Inc. and others. All rights reserved.
# http://nexb.com and https://github.com/nexB/vulnerablecode/
# The VulnerableCode software is licensed under the Apache License version 2.0.
# Data generated with VulnerableCode requires an acknowledgment.
#
# You may not use this software except in compliance with the License.
# You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
# When you publish or redistribute any data created with VulnerableCode or any VulnerableCode
# derivative work, you must accompany this data with the following acknowledgment:
#
# Generated with VulnerableCode and provided on an "AS IS" BASIS, WITHOUT WARRANTIES
# OR CONDITIONS OF ANY KIND, either express or implied. No content created from
# VulnerableCode should be considered or used as legal advice. Consult an Attorney
# for any legal advice.
# VulnerableCode is a free software code scanning tool from nexB Inc. and others.
# Visit https://github.com/nexB/vulnerablecode/ for support and download.

import api_data as api
import json

test_data = """
[{
"Modified": "2008-11-15T00:00:00",
"Published": "2007-02-19T21:28:00",
"access": {
"authentication": "NONE",
"complexity": "MEDIUM",
"vector": "NETWORK"
},
"cvss": 4.3,
"cvss-time": "2007-02-20T14:55:00",
"id": "CVE-2007-1004",
"impact": {
"availability": "NONE",
"confidentiality": "NONE",
"integrity": "PARTIAL"
},
"reason": "Link",
"references": [
"http://securityreason.com/securityalert/2264",
"http://www.securityfocus.com/archive/1/archive/1/460369/100/0/threaded",
"http://www.securityfocus.com/archive/1/archive/1/460412/100/0/threaded",
"http://www.securityfocus.com/archive/1/archive/1/460617/100/0/threaded",
"http://www.securityfocus.com/bid/22601",
"http://xforce.iss.net/xforce/xfdb/32580"
],
"summary": "Mozilla Firefox might allow remote",
"vulnerable_configuration": [
"cpe:2.3:a:mozilla:firefox:2.0:rc3"
],
"vulnerable_configuration_cpe_2_2": [
"cpe:/a:mozilla:firefox:2.0:rc3"
]}]
"""


def test_extract_fields_data():
fields_names = ['id', 'cvss', 'summary']
data = json.loads(test_data)
extracted_data = api.extract_fields(data=data, fields_names=fields_names)

assert extracted_data == [{'cvss': 4.3, 'id': 'CVE-2007-1004',
'summary': 'Mozilla Firefox might allow remote'}]


def test_extract_fields():
fields_names = []
data = json.loads(test_data)
extracted_data = api.extract_fields(data=data, fields_names=fields_names)
assert extracted_data == [{}]

fields_names = ['']
extracted_data = api.extract_fields(data=data, fields_names=fields_names)
assert extracted_data == [{'': None}]

fields_names = ['invalid_field']
extracted_data = api.extract_fields(data=data, fields_names=fields_names)
assert extracted_data == [{'invalid_field': None}]