Add a "Check Vulnerabilities" pipeline #284

Signed-off-by: Thomas Druez <[email protected]>

Author: tdruez

docs/built-in-pipelines.rst

@@ -15,6 +15,14 @@ Pipeline Base Class
     :members:
     :member-order: bysource
 
+.. _pipeline_check_vulnerabilities:
+
+Check Vulnerabilities
+---------------------
+.. autoclass:: scanpipe.pipelines.check_vulnerabilities.CheckVulnerabilities()
+    :members:
+    :member-order: bysource
+
 .. _pipeline_docker:
 
 Docker Image Analysis

scancodeio/settings.py

@@ -311,3 +311,10 @@
     REST_FRAMEWORK["DEFAULT_PERMISSION_CLASSES"] = (
         "rest_framework.permissions.AllowAny",
     )
+
+# VulnerableCode integration
+
+VULNERABLECODE_URL = env.str("VULNERABLECODE_URL", default="")
+VULNERABLECODE_USER = env.str("VULNERABLECODE_USER", default="")
+VULNERABLECODE_PASSWORD = env.str("VULNERABLECODE_PASSWORD", default="")
+VULNERABLECODE_API_KEY = env.str("VULNERABLECODE_API_KEY", default="")

scanpipe/pipelines/check_vulnerabilities.py

@@ -0,0 +1,61 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# http://nexb.com and https://github.com/nexB/scancode.io
+# The ScanCode.io software is licensed under the Apache License version 2.0.
+# Data generated with ScanCode.io is provided as-is without warranties.
+# ScanCode is a trademark of nexB Inc.
+#
+# You may not use this software except in compliance with the License.
+# You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+# Data Generated with ScanCode.io is provided on an "AS IS" BASIS, WITHOUT WARRANTIES
+# OR CONDITIONS OF ANY KIND, either express or implied. No content created from
+# ScanCode.io should be considered or used as legal advice. Consult an Attorney
+# for any legal advice.
+#
+# ScanCode.io is a free software code scanning tool from nexB Inc. and others.
+# Visit https://github.com/nexB/scancode.io for support and download.
+
+from scanpipe.pipelines import Pipeline
+from scanpipe.pipes import vulnerablecode
+
+
+class CheckVulnerabilities(Pipeline):
+    """
+    A pipeline to check for discovered packages vulnerabilities in the VulnerableCode
+    database.
+
+    Vulnerability data is stored in the extra_data field of each package.
+    """
+
+    @classmethod
+    def steps(cls):
+        return (
+            cls.check_vulnerablecode_service_availability,
+            cls.lookup_vulnerabilities,
+        )
+
+    def check_vulnerablecode_service_availability(self):
+        """
+        Check if the VulnerableCode service if configured and available.
+        """
+        if not vulnerablecode.is_configured():
+            raise Exception("VulnerableCode is not configured.")
+
+        if not vulnerablecode.is_available():
+            raise Exception("VulnerableCode is not available.")
+
+    def lookup_vulnerabilities(self):
+        """
+        Check for vulnerabilities on each of the project's discovered package.
+        """
+        packages = self.project.discoveredpackages.all()
+
+        for package in packages:
+            purl = vulnerablecode.get_base_purl(package.package_url)
+            vulnerabilities = vulnerablecode.get_vulnerabilities_by_purl(purl)
+            package.update_extra_data({"discovered_vulnerabilities": vulnerabilities})

scanpipe/pipes/vulnerablecode.py

@@ -0,0 +1,274 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# http://nexb.com and https://github.com/nexB/scancode.io
+# The ScanCode.io software is licensed under the Apache License version 2.0.
+# Data generated with ScanCode.io is provided as-is without warranties.
+# ScanCode is a trademark of nexB Inc.
+#
+# You may not use this software except in compliance with the License.
+# You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+# Data Generated with ScanCode.io is provided on an "AS IS" BASIS, WITHOUT WARRANTIES
+# OR CONDITIONS OF ANY KIND, either express or implied. No content created from
+# ScanCode.io should be considered or used as legal advice. Consult an Attorney
+# for any legal advice.
+#
+# ScanCode.io is a free software code scanning tool from nexB Inc. and others.
+# Visit https://github.com/nexB/scancode.io for support and download.
+
+import logging
+
+from django.conf import settings
+
+import requests
+
+label = "VulnerableCode"
+logger = logging.getLogger(__name__)
+session = requests.Session()
+
+
+VULNERABLECODE_API_URL = None
+VULNERABLECODE_URL = settings.VULNERABLECODE_URL
+if VULNERABLECODE_URL:
+    VULNERABLECODE_API_URL = f'{VULNERABLECODE_URL.rstrip("/")}/api/'
+
+# Basic Authentication
+VULNERABLECODE_USER = settings.VULNERABLECODE_USER
+VULNERABLECODE_PASSWORD = settings.VULNERABLECODE_PASSWORD
+basic_auth_enabled = VULNERABLECODE_USER and VULNERABLECODE_PASSWORD
+if basic_auth_enabled:
+    session.auth = (VULNERABLECODE_USER, VULNERABLECODE_PASSWORD)
+
+# Authentication with single API key
+VULNERABLECODE_API_KEY = settings.VULNERABLECODE_API_KEY
+if VULNERABLECODE_API_KEY:
+    session.headers.update({"Authorization": f"Token {VULNERABLECODE_API_KEY}"})
+
+
+def is_configured():
+    """
+    Returns True if the required VulnerableCode settings have been set.
+    """
+    if VULNERABLECODE_API_URL:
+        return True
+    return False
+
+
+def is_service_available(label, session, url, raise_exceptions):
+    """
+    Base function that checks if a configured integration service is available.
+    """
+    try:
+        response = session.head(url)
+        response.raise_for_status()
+    except requests.exceptions.RequestException as request_exception:
+        logger.debug(f"{label} is_available() error: {request_exception}")
+        if raise_exceptions:
+            raise
+        return False
+
+    return response.status_code == requests.codes.ok
+
+
+def is_available(raise_exceptions=False):
+    """
+    Returns True if the configured VulnerableCode server is available.
+    """
+    if not is_configured():
+        return False
+
+    return is_service_available(
+        label, session, VULNERABLECODE_API_URL, raise_exceptions
+    )
+
+
+def request_get(
+    url,
+    payload=None,
+    timeout=None,
+):
+    """
+    Wraps the HTTP request calls on the API.
+    """
+    if not url:
+        return
+
+    params = {"format": "json"}
+    if payload:
+        params.update(payload)
+
+    logger.debug(f"VulnerableCode: url={url} params={params}")
+    try:
+        response = session.get(url, params=params, timeout=timeout)
+        response.raise_for_status()
+        return response.json()
+    except (requests.RequestException, ValueError, TypeError) as exception:
+        logger.debug(f"{label} [Exception] {exception}")
+
+
+def request_post(
+    url,
+    data,
+    timeout=None,
+):
+    try:
+        response = session.post(url, json=data, timeout=timeout)
+        response.raise_for_status()
+        return response.json()
+    except (requests.RequestException, ValueError, TypeError) as exception:
+        logger.debug(f"{label} [Exception] {exception}")
+
+
+def get_base_purl(purl):
+    """
+    Returns the `purl` without the qualifiers and the subpath.
+    """
+    return purl.split("?")[0]
+
+
+def _get_vulnerabilities(
+    url,
+    field_name,
+    field_value,
+    timeout=None,
+):
+    """
+    Get the list of vulnerabilities.
+    """
+    payload = {field_name: field_value}
+
+    response = request_get(url=url, payload=payload, timeout=timeout)
+    if response and response.get("count"):
+        results = response["results"]
+        return results
+
+
+def get_vulnerabilities_by_purl(
+    purl,
+    timeout=None,
+    api_url=VULNERABLECODE_API_URL,
+):
+    """
+    Get the list of vulnerabilities providing a package `purl`.
+    """
+    return _get_vulnerabilities(
+        url=f"{api_url}packages/",
+        field_name="purl",
+        field_value=get_base_purl(purl),
+        timeout=timeout,
+    )
+
+
+def get_vulnerabilities_by_cpe(
+    cpe,
+    timeout=None,
+    api_url=VULNERABLECODE_API_URL,
+):
+    """
+    Get the list of vulnerabilities providing a package or component `cpe`.
+    """
+    return _get_vulnerabilities(
+        url=f"{api_url}cpes/",
+        field_name="cpe",
+        field_value=cpe,
+        timeout=timeout,
+    )
+
+
+def bulk_search_by_purl(
+    purls,
+    timeout=None,
+    api_url=VULNERABLECODE_API_URL,
+):
+    """
+    Bulk search of vulnerabilities using the provided list of `purls`.
+    """
+    url = f"{api_url}packages/bulk_search"
+
+    data = {
+        "purls": purls,
+    }
+
+    logger.debug(f"VulnerableCode: url={url} purls_count={len(purls)}")
+    return request_post(url, data, timeout)
+
+
+def bulk_search_by_cpes(
+    cpes,
+    timeout=None,
+    api_url=VULNERABLECODE_API_URL,
+):
+    """
+    Bulk search of vulnerabilities using the provided list of `cpes`.
+    """
+    url = f"{api_url}cpes/bulk_search"
+
+    data = {
+        "cpes": cpes,
+    }
+
+    logger.debug(f"VulnerableCode: url={url} cpes_count={len(cpes)}")
+    return request_post(url, data, timeout)
+
+
+def get_purls(packages):
+    """
+    Returns the PURLs for the given list of `packages`.
+    List comprehension is not used on purpose to avoid crafting each
+    PURL twice.
+    """
+    purls = []
+    for package in packages:
+        package_url = package.package_url
+        if package_url:
+            purls.append(package_url)
+    return purls
+
+
+def get_vulnerable_purls(packages):
+    """
+    Returns a list of PURLs for which at least one `affected_by_vulnerabilities`
+    was found in the VulnerableCodeDB for the given list of `packages`.
+    """
+    purls = get_purls(packages)
+
+    if not purls:
+        return []
+
+    search_results = bulk_search_by_purl(purls, timeout=5)
+    if not search_results:
+        return []
+
+    return [
+        entry.get("purl")
+        for entry in search_results
+        if entry.get("affected_by_vulnerabilities")
+    ]
+
+
+def get_vulnerable_cpes(components):
+    """
+    Returns a list of vulnerable CPEs found in the VulnerableCodeDB for the given list
+    of `components`.
+    """
+    cpes = [component.cpe for component in components if component.cpe]
+
+    if not cpes:
+        return []
+
+    search_results = bulk_search_by_cpes(cpes, timeout=5)
+    if not search_results:
+        return []
+
+    vulnerable_cpes = [
+        reference.get("reference_id")
+        for entry in search_results
+        for reference in entry.get("references")
+        if reference.get("reference_id").startswith("cpe")
+    ]
+
+    return list(set(vulnerable_cpes))

scanpipe/templates/scanpipe/tabset/tab_default.html

@@ -4,7 +4,7 @@
       {{ field_data.label }}
     </dt>
     <dd class="mb-4">
-      <pre class="break-all is-small">{{ field_data.value|default:''|default_if_none:''|urlize }}</pre>
+      <pre class="break-all wrap is-small">{{ field_data.value|default:''|default_if_none:''|urlize }}</pre>
     </dd>
   {% endfor %}
 </dl>

setup.cfg

@@ -104,6 +104,7 @@ console_scripts =
     scanpipe = scancodeio:command_line
 
 scancodeio_pipelines =
+    check_vulnerabilities = scanpipe.pipelines.check_vulnerabilities:CheckVulnerabilities
     docker = scanpipe.pipelines.docker:Docker
     docker_windows = scanpipe.pipelines.docker_windows:DockerWindows
     load_inventory = scanpipe.pipelines.load_inventory:LoadInventory