"Check Vulnerabilities" pipeline using VulnerableCodeDB #284 (#551)

Signed-off-by: Thomas Druez <[email protected]>

Author: tdruez

CHANGELOG.rst

@@ -4,6 +4,12 @@ Changelog
 v31.1.0 (unreleased)
 --------------------
 
+- Add a new "check vulnerabilities" pipeline to lookup vulnerabilities in the
+  VulnerableCode database for all project discovered packages.
+  Vulnerability data is stored in the extra_data field of each package.
+  More details about VulnerableCode at https://github.com/nexB/vulnerablecode/
+  https://github.com/nexB/scancode.io/issues/101
+
 - Generate SBOM (Software Bill of Materials) compliant with the SPDX 2.3 specification
   as a new downloadable output.
   https://github.com/nexB/scancode.io/issues/389

docs/built-in-pipelines.rst

@@ -15,6 +15,14 @@ Pipeline Base Class
     :members:
     :member-order: bysource
 
+.. _pipeline_check_vulnerabilities:
+
+Check Vulnerabilities
+---------------------
+.. autoclass:: scanpipe.pipelines.check_vulnerabilities.CheckVulnerabilities()
+    :members:
+    :member-order: bysource
+
 .. _pipeline_docker:
 
 Docker Image Analysis

scancodeio/settings.py

@@ -311,3 +311,10 @@
     REST_FRAMEWORK["DEFAULT_PERMISSION_CLASSES"] = (
         "rest_framework.permissions.AllowAny",
     )
+
+# VulnerableCode integration
+
+VULNERABLECODE_URL = env.str("VULNERABLECODE_URL", default="")
+VULNERABLECODE_USER = env.str("VULNERABLECODE_USER", default="")
+VULNERABLECODE_PASSWORD = env.str("VULNERABLECODE_PASSWORD", default="")
+VULNERABLECODE_API_KEY = env.str("VULNERABLECODE_API_KEY", default="")

scancodeio/static/main.js

@@ -63,17 +63,32 @@ function setupCloseModalButtons() {
 function setupTabs() {
   const $tabLinks = getAll('.tabs a');
 
+  function activateTab($tabLink) {
+    const activeLink = document.querySelector('.tabs .is-active');
+    const activeTabContent = document.querySelector('.tab-content.is-active');
+    const targetId = $tabLink.dataset.target;
+    const targetTabContent = document.getElementById(targetId);
+
+    activeLink.classList.remove('is-active');
+    $tabLink.parentNode.classList.add('is-active');
+    if (activeTabContent) activeTabContent.classList.remove('is-active');
+    if (targetTabContent) targetTabContent.classList.add('is-active');
+
+    // Set the active tab in the URL hash. The "tab-" prefix is removed to avoid
+    // un-wanted scrolling to the related "id" element
+    document.location.hash = targetId.replace('tab-', '');
+  }
+
+  // Activate the related tab if hash is present in URL
+  if (document.location.hash !== "") {
+    let tabName = document.location.hash.slice(1);
+    let tabLink = document.querySelector(`a[data-target="tab-${tabName}"]`);
+    if (tabLink) activateTab(tabLink);
+  }
+
   $tabLinks.forEach(function ($el) {
-    $el.addEventListener('click', function (event) {
-      const activeLink = document.querySelector('.tabs .is-active');
-      const activeTabContent = document.querySelector('.tab-content.is-active');
-      const target_id = $el.dataset.target;
-      const targetTabContent = document.getElementById(target_id);
-
-      activeLink.classList.remove('is-active');
-      $el.parentNode.classList.add('is-active');
-      if (activeTabContent) activeTabContent.classList.remove('is-active');
-      if (targetTabContent) targetTabContent.classList.add('is-active');
+    $el.addEventListener('click', function () {
+      activateTab($el)
     });
   });
 }

scanpipe/pipelines/check_vulnerabilities.py

@@ -0,0 +1,61 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# http://nexb.com and https://github.com/nexB/scancode.io
+# The ScanCode.io software is licensed under the Apache License version 2.0.
+# Data generated with ScanCode.io is provided as-is without warranties.
+# ScanCode is a trademark of nexB Inc.
+#
+# You may not use this software except in compliance with the License.
+# You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+# Data Generated with ScanCode.io is provided on an "AS IS" BASIS, WITHOUT WARRANTIES
+# OR CONDITIONS OF ANY KIND, either express or implied. No content created from
+# ScanCode.io should be considered or used as legal advice. Consult an Attorney
+# for any legal advice.
+#
+# ScanCode.io is a free software code scanning tool from nexB Inc. and others.
+# Visit https://github.com/nexB/scancode.io for support and download.
+
+from scanpipe.pipelines import Pipeline
+from scanpipe.pipes import vulnerablecode
+
+
+class CheckVulnerabilities(Pipeline):
+    """
+    A pipeline to check for discovered packages vulnerabilities in the VulnerableCode
+    database.
+
+    Vulnerability data is stored in the extra_data field of each package.
+    """
+
+    @classmethod
+    def steps(cls):
+        return (
+            cls.check_vulnerablecode_service_availability,
+            cls.lookup_vulnerabilities,
+        )
+
+    def check_vulnerablecode_service_availability(self):
+        """
+        Check if the VulnerableCode service if configured and available.
+        """
+        if not vulnerablecode.is_configured():
+            raise Exception("VulnerableCode is not configured.")
+
+        if not vulnerablecode.is_available():
+            raise Exception("VulnerableCode is not available.")
+
+    def lookup_vulnerabilities(self):
+        """
+        Check for vulnerabilities on each of the project's discovered package.
+        """
+        packages = self.project.discoveredpackages.all()
+
+        for package in packages:
+            purl = vulnerablecode.get_base_purl(package.package_url)
+            vulnerabilities = vulnerablecode.get_vulnerabilities_by_purl(purl)
+            package.update_extra_data({"discovered_vulnerabilities": vulnerabilities})

scanpipe/pipes/vulnerablecode.py

@@ -0,0 +1,216 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# http://nexb.com and https://github.com/nexB/scancode.io
+# The ScanCode.io software is licensed under the Apache License version 2.0.
+# Data generated with ScanCode.io is provided as-is without warranties.
+# ScanCode is a trademark of nexB Inc.
+#
+# You may not use this software except in compliance with the License.
+# You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+# Data Generated with ScanCode.io is provided on an "AS IS" BASIS, WITHOUT WARRANTIES
+# OR CONDITIONS OF ANY KIND, either express or implied. No content created from
+# ScanCode.io should be considered or used as legal advice. Consult an Attorney
+# for any legal advice.
+#
+# ScanCode.io is a free software code scanning tool from nexB Inc. and others.
+# Visit https://github.com/nexB/scancode.io for support and download.
+
+import logging
+
+from django.conf import settings
+
+import requests
+
+label = "VulnerableCode"
+logger = logging.getLogger(__name__)
+session = requests.Session()
+
+
+VULNERABLECODE_API_URL = None
+VULNERABLECODE_URL = settings.VULNERABLECODE_URL
+if VULNERABLECODE_URL:
+    VULNERABLECODE_API_URL = f'{VULNERABLECODE_URL.rstrip("/")}/api/'
+
+# Basic Authentication
+VULNERABLECODE_USER = settings.VULNERABLECODE_USER
+VULNERABLECODE_PASSWORD = settings.VULNERABLECODE_PASSWORD
+basic_auth_enabled = VULNERABLECODE_USER and VULNERABLECODE_PASSWORD
+if basic_auth_enabled:
+    session.auth = (VULNERABLECODE_USER, VULNERABLECODE_PASSWORD)
+
+# Authentication with single API key
+VULNERABLECODE_API_KEY = settings.VULNERABLECODE_API_KEY
+if VULNERABLECODE_API_KEY:
+    session.headers.update({"Authorization": f"Token {VULNERABLECODE_API_KEY}"})
+
+
+def is_configured():
+    """
+    Returns True if the required VulnerableCode settings have been set.
+    """
+    if VULNERABLECODE_API_URL:
+        return True
+    return False
+
+
+def is_available():
+    """
+    Returns True if the configured VulnerableCode server is available.
+    """
+    if not is_configured():
+        return False
+
+    try:
+        response = session.head(VULNERABLECODE_API_URL)
+        response.raise_for_status()
+    except requests.exceptions.RequestException as request_exception:
+        logger.debug(f"{label} is_available() error: {request_exception}")
+        return False
+
+    return response.status_code == requests.codes.ok
+
+
+def get_base_purl(purl):
+    """
+    Returns the `purl` without qualifiers and subpath.
+    """
+    return purl.split("?")[0]
+
+
+def get_purls(packages, base=False):
+    """
+    Returns the PURLs for the given list of `packages`.
+    Do not include qualifiers nor subpath when `base` is provided.
+    """
+    return [
+        get_base_purl(package_url) if base else package_url
+        for package in packages
+        if (package_url := package.package_url)
+    ]
+
+
+def request_get(
+    url,
+    payload=None,
+    timeout=None,
+):
+    """
+    Wraps the HTTP request calls on the API.
+    """
+    if not url:
+        return
+
+    params = {"format": "json"}
+    if payload:
+        params.update(payload)
+
+    logger.debug(f"VulnerableCode: url={url} params={params}")
+    try:
+        response = session.get(url, params=params, timeout=timeout)
+        response.raise_for_status()
+        return response.json()
+    except (requests.RequestException, ValueError, TypeError) as exception:
+        logger.debug(f"{label} [Exception] {exception}")
+
+
+def request_post(
+    url,
+    data,
+    timeout=None,
+):
+    try:
+        response = session.post(url, json=data, timeout=timeout)
+        response.raise_for_status()
+        return response.json()
+    except (requests.RequestException, ValueError, TypeError) as exception:
+        logger.debug(f"{label} [Exception] {exception}")
+
+
+def _get_vulnerabilities(
+    url,
+    field_name,
+    field_value,
+    timeout=None,
+):
+    """
+    Get the list of vulnerabilities.
+    """
+    payload = {field_name: field_value}
+
+    response = request_get(url=url, payload=payload, timeout=timeout)
+    if response and response.get("count"):
+        results = response["results"]
+        return results
+
+
+def get_vulnerabilities_by_purl(
+    purl,
+    timeout=None,
+    api_url=VULNERABLECODE_API_URL,
+):
+    """
+    Get the list of vulnerabilities providing a package `purl`.
+    """
+    return _get_vulnerabilities(
+        url=f"{api_url}packages/",
+        field_name="purl",
+        field_value=get_base_purl(purl),
+        timeout=timeout,
+    )
+
+
+def get_vulnerabilities_by_cpe(
+    cpe,
+    timeout=None,
+    api_url=VULNERABLECODE_API_URL,
+):
+    """
+    Get the list of vulnerabilities providing a package or component `cpe`.
+    """
+    return _get_vulnerabilities(
+        url=f"{api_url}cpes/",
+        field_name="cpe",
+        field_value=cpe,
+        timeout=timeout,
+    )
+
+
+def bulk_search_by_purl(
+    purls,
+    timeout=None,
+    api_url=VULNERABLECODE_API_URL,
+):
+    """
+    Bulk search of vulnerabilities using the provided list of `purls`.
+    """
+    url = f"{api_url}packages/bulk_search"
+
+    data = {
+        "purls": purls,
+    }
+
+    logger.debug(f"VulnerableCode: url={url} purls_count={len(purls)}")
+    return request_post(url, data, timeout)
+
+
+def bulk_search_by_cpes(
+    cpes,
+    timeout=None,
+    api_url=VULNERABLECODE_API_URL,
+):
+    """
+    Bulk search of vulnerabilities using the provided list of `cpes`.
+    """
+    url = f"{api_url}cpes/bulk_search"
+
+    data = {
+        "cpes": cpes,
+    }
+
+    logger.debug(f"VulnerableCode: url={url} cpes_count={len(cpes)}")
+    return request_post(url, data, timeout)

scanpipe/templates/scanpipe/package_list.html

@@ -24,6 +24,11 @@
             <tr class="break-word">
               <td style="min-width: 500px;" title="{{ package.package_uid }}">
                 <a href="{{ package.get_absolute_url }}">{{ package.package_url }}</a>
+                {% if package.extra_data.discovered_vulnerabilities %}
+                  <a href="{{ package.get_absolute_url }}#extra_data">
+                    <i class="fas fa-bug fa-sm has-text-danger" title="Vulnerabilities"></i>
+                  </a>
+                {% endif %}
               </td>
               <td style="min-width: 300px; max-width: 400px;">
                 {{ package.license_expression|linebreaksbr }}

scanpipe/templates/scanpipe/tabset/tab_default.html

@@ -4,7 +4,7 @@
       {{ field_data.label }}
     </dt>
     <dd class="mb-4">
-      <pre class="break-all is-small">{{ field_data.value|default:''|default_if_none:''|urlize }}</pre>
+      <pre class="break-all wrap is-small">{{ field_data.value|default:''|default_if_none:''|urlize }}</pre>
     </dd>
   {% endfor %}
 </dl>

scanpipe/templates/scanpipe/tabset/tabset.html

@@ -6,7 +6,13 @@
           {% if tab_data.icon_class %}
             <span class="icon is-small"><i class="{{ tab_data.icon_class }}"></i></span>
           {% endif %}
-          <span>{{ label|capfirst }}</span>
+          <span>
+            {% if tab_data.verbose_name %}
+              {{ tab_data.verbose_name }}
+            {% else %}
+              {{ label|capfirst }}
+            {% endif %}
+          </span>
         </a>
       </li>
     {% endfor %}