Merge pull request #1155 from TG1999/add_conan

Add support for conan advisories
nexB · Mar 29, 2023 · 20a88ef · 20a88ef
2 parents e4849ff + 45f1fe2
commit 20a88ef
Show file tree

Hide file tree

Showing 7 changed files with 172 additions and 142 deletions.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -2,8 +2,21 @@ Release notes
 =============
 
 
+Next Release
+--------------
+
+- We added loading of env for GitHub datasource in vulntotal.
+- We fixed import process in github importer in vulnerablecode reported here 
+  https://github.com/nexB/vulnerablecode/issues/1142.
+- We added an improver to get all package versions 
+  of all ecosystems for a range of affected packages.
+- We added documentation for configuring throttling rate for API endpoints.
+- We fixed kbmsr2019 importer.
+- We added support for conan advisories through gitlab importer.
+
+
 Version v32.0.0rc3
-------------
+-------------------
 
 - Add aliases to package endpoint.
 - We added Apache HTTPD improver.

diff --git a/requirements.txt b/requirements.txt
@@ -107,7 +107,7 @@ toml==0.10.2
 tomli==2.0.1
 traitlets==5.1.1
 typing_extensions==4.1.1
-univers==30.9.1
+univers==30.10.0
 urllib3==1.26.9
 wcwidth==0.2.5
 websocket-client==0.59.0

diff --git a/setup.cfg b/setup.cfg
@@ -70,7 +70,7 @@ install_requires =
 
     #essentials
     packageurl-python>=0.10.5rc1
-    univers>=30.9.1
+    univers>=30.10.0
     license-expression>=21.6.14
 
     # file and data formats

diff --git a/vulnerabilities/importers/gitlab.py b/vulnerabilities/importers/gitlab.py
@@ -33,7 +33,7 @@
 
 
 PURL_TYPE_BY_GITLAB_SCHEME = {
-    # "conan": "conan",
+    "conan": "conan",
     "gem": "gem",
     # Entering issue to parse go package names https://github.com/nexB/vulnerablecode/issues/742
     # "go": "golang",
@@ -203,7 +203,7 @@ def parse_gitlab_advisory(file):
     affected_version_range = None
     fixed_versions = gitlab_advisory.get("fixed_versions") or []
     affected_range = gitlab_advisory.get("affected_range")
-    gitlab_native_schemes = set(["pypi", "gem", "npm", "go", "packagist"])
+    gitlab_native_schemes = set(["pypi", "gem", "npm", "go", "packagist", "conan"])
     vrc: VersionRange = RANGE_CLASS_BY_SCHEMES[purl.type]
     gitlab_scheme = GITLAB_SCHEME_BY_PURL_TYPE[purl.type]
     try:

diff --git a/vulnerabilities/package_managers.py b/vulnerabilities/package_managers.py
@@ -556,6 +556,22 @@ def fetch(self, pkg: str) -> Iterable[PackageVersion]:
             )
 
 
+class ConanVersionAPI(VersionAPI):
+    """
+    Fetch versions of ``conan`` packages from the Conan API
+    """
+
+    package_type = "conan"
+
+    def fetch(self, pkg: str) -> Iterable[PackageVersion]:
+        response = get_response(
+            url=f"https://conan.io/center/api/ui/details?name={pkg}&user=_&channel=_",
+            content_type="json",
+        )
+        for release in response["versions"]:
+            yield PackageVersion(value=release["version"])
+
+
 class GoproxyVersionAPI(VersionAPI):
     """
     Fetch versions of Go "golang" packages from the Go proxy API
@@ -688,6 +704,7 @@ def fetch(self, pkg: str) -> Iterable[PackageVersion]:
     CratesVersionAPI,
     DebianVersionAPI,
     GitHubTagsAPI,
+    ConanVersionAPI,
 }
 
 VERSION_API_CLASSES_BY_PACKAGE_TYPE = {cls.package_type: cls for cls in VERSION_API_CLASSES}

diff --git a/vulnerabilities/tests/test_data/openssl/security_advisories-advisory_data-expected.json b/vulnerabilities/tests/test_data/openssl/security_advisories-advisory_data-expected.json