Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Import data from GSD #706 #787

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

Import data from GSD #706 #787

wants to merge 1 commit into from

Conversation

ziadhany
Copy link
Collaborator

@ziadhany ziadhany commented Jul 2, 2022
edited by pombredanne

This PR adds a new importer for the GSD #706
Signed-off-by: Ziad ziadhany2016@gmail.com

@ziadhany ziadhany marked this pull request as ready for review July 5, 2022 14:11
@ziadhany ziadhany self-assigned this Jul 5, 2022
@ziadhany ziadhany added this to In progress in GSoC 2022 @ziadhany via automation Jul 5, 2022
@pombredanne pombredanne changed the title GSD importer Import data from GSD #706 Jul 12, 2022
TG1999
TG1999 requested changes Jul 14, 2022
View reviewed changes
vulnerabilities/importers/gsd.py Show resolved Hide resolved
vulnerabilities/importers/gsd.py Show resolved Hide resolved
vulnerabilities/importers/gsd.py Outdated Show resolved Hide resolved
vulnerabilities/importers/gsd.py Show resolved Hide resolved
vulnerabilities/importers/gsd.py Show resolved Hide resolved
vulnerabilities/tests/test_gsd.py
"references": {
"reference_data": [
{
"name": "https://kc.mcafee.com/corporate/index?page=content&id=SB10198",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Try to extract a reference ID from the reference url, I think a valid id for this example can be SB10198

vulnerabilities/importers/gsd.py Show resolved Hide resolved
vulnerabilities/importers/gsd.py Show resolved Hide resolved
@TG1999
Copy link
Member

TG1999 commented Jul 14, 2022

@ziadhany please run this importer and add logs for that here, and also run the improve command over this imported data and provide the logs for that

@ziadhany
Copy link
Collaborator Author

ziadhany commented Sep 6, 2022

Importing data using vulnerabilities.importers.gsd.GSDImporter
JSONDecodeError('Expecting value: line 1 column 2 (char 1)')
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
JSONDecodeError('Extra data: line 1 column 2 (char 1)')
JSONDecodeError('Extra data: line 1 column 2 (char 1)')
JSONDecodeError('Extra data: line 1 column 2 (char 1)')
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
JSONDecodeError('Extra data: line 1 column 2 (char 1)')
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
Successfully imported data using vulnerabilities.importers.gsd.GSDImporter

Process finished with exit code 0

@ziadhany
Copy link
Collaborator Author

ziadhany commented Sep 6, 2022 

` in SQL comments. Only the formatting feature that removes comments from SQL statements is affected by this regular expression., provided: sqlparse is a non-validating SQL parser module for Python. In sqlparse versions 0.4.0 and 0.4.1 there is a regular Expression Denial of Service in sqlparse vulnerability. The regular expression may cause exponential backtracking on strings containing many repetitions of '\r\n' in SQL comments. Only the formatting feature that removes comments from SQL statements is affected by this regular expression. As a workaround don't use the sqlformat.format function with keyword strip_comments=True or the --strip-comments command line flag when using the sqlformat command line tool. The issues has been fixed in sqlparse 0.4.2.
Inconsistent summary for <Vulnerability: VULCOID-20V>. Existing: Path Traversal in SharpZipLib, provided: SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Prior to version 1.3.3, a TAR file entry `../evil.txt` may be extracted in the parent directory of `destFolder`. This leads to arbitrary file write that may lead to code execution. The vulnerability was patched in version 1.3.3.
Inconsistent summary for <Vulnerability: VULCOID-20U>. Existing: Path Traversal in SharpZipLib, provided: SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Starting version 1.3.0 and prior to version 1.3.3, a check was added if the destination file is under destination directory. However, it is not enforced that `destDir` ends with slash. If the `destDir` is not slash terminated like `/home/user/dir` it is possible to create a file with a name thats begins with the destination directory, i.e. `/home/user/dir.sh`. Because of the file name and destination directory constraints, the arbitrary file creation impact is limited and depends on the use case. Version 1.3.3 contains a patch for this vulnerability.
Traceback (most recent call last):
  File "/home/ziad/PycharmProjects/vulnerablecode/vulnerabilities/management/commands/improve.py", line 59, in improve_data
    ImproveRunner(improver).run()
  File "/home/ziad/PycharmProjects/vulnerablecode/vulnerabilities/improve_runner.py", line 40, in run
    inferences = improver.get_inferences(advisory_data=advisory.to_advisory_data())
  File "/home/ziad/PycharmProjects/vulnerablecode/vulnerabilities/models.py", line 403, in to_advisory_data
    affected_packages=[AffectedPackage.from_dict(pkg) for pkg in self.affected_packages],
  File "/home/ziad/PycharmProjects/vulnerablecode/vulnerabilities/models.py", line 403, in <listcomp>
    affected_packages=[AffectedPackage.from_dict(pkg) for pkg in self.affected_packages],
  File "/home/ziad/PycharmProjects/vulnerablecode/vulnerabilities/importer.py", line 208, in from_dict
    affected_version_range = VersionRange.from_string(
  File "/home/ziad/PycharmProjects/univers/venv/lib/python3.10/site-packages/univers/version_range.py", line 118, in from_string
    raise ValueError(f"{vers!r} specifies no version range constraints.")
ValueError: 'vers:gem/' specifies no version range constraints.
Failed to run improver vulnerabilities.improvers.default.DefaultImprover. Continuing...
CommandError: 1 failed!: vulnerabilities.improvers.default.DefaultImprover

@ziadhany ziadhany mentioned this pull request Sep 22, 2022
Open
9 tasks
@TG1999 TG1999 added this to the v31.0 milestone Oct 11, 2022
@TG1999
Copy link
Member

TG1999 commented Nov 18, 2022

@ziadhany according to your logs the improver has some errors, were you able to investigate or identify the underlying issues.

@ziadhany
Copy link
Collaborator Author

ziadhany commented Dec 6, 2022

@ziadhany according to your logs the improver has some errors, were you able to investigate or identify the underlying issues.

I am trying to reduce the size of GSD by downloading the zip file so I can easily debug the importer and improve.

@pombredanne pombredanne modified the milestones: v31.0, v32.0.0 Dec 8, 2022
@TG1999 TG1999 marked this pull request as draft January 3, 2023 16:50
@TG1999 TG1999 modified the milestones: v32.0.0, v33.0.0 Jan 13, 2023
@ziadhany
Add logs and fix encode
fc5623c 
Add a doctest

Fix gsd aliases , add gsd test

Add gsd importer initial config
Signed-off-by: Ziad <ziadhany2016@gmail.com>
@TG1999 TG1999 modified the milestones: v33.0.0, v34.0.0 Sep 12, 2023
@pombredanne
Copy link
Member

Based on discussions it seems that GSD has unique vulnerabilities for the Linux kernel that are not available elsewhere and we need to reconsider what to do with these.

@ziadhany
Copy link
Collaborator Author

Based on discussions it seems that GSD has unique vulnerabilities for the Linux kernel that are not available elsewhere and we need to reconsider what to do with these.

ok, I'll work on that this week

@TG1999
Copy link
Member

TG1999 commented Dec 6, 2023

@pombredanne @ziadhany what have we decided on this PR, is it ready for review ?

@ziadhany ziadhany mentioned this pull request Dec 8, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@TG1999 TG1999 TG1999 requested changes

Requested changes must be addressed to merge this pull request.

Assignees

@ziadhany ziadhany

Labels
Data collection Priority: low
Projects
GSoC 2022 @ziadhany
In progress
Milestone
v35.0.0
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@ziadhany @TG1999 @pombredanne