Avoid mixing explicit affected packages with last known affected ranges to keep ranges consistent.

Signed-off-by: ziad hany <[email protected]>

Author: ziadhany

vulnerabilities/importers/osv_v2.py

@@ -17,9 +17,11 @@
 from cvss.exceptions import CVSS3MalformedError
 from cvss.exceptions import CVSS4MalformedError
 from packageurl import PackageURL
+from univers.version_constraint import InvalidConstraintsError
 from univers.version_constraint import VersionConstraint
-from univers.version_constraint import simplify_constraints
+from univers.version_constraint import validate_comparators
 from univers.version_range import RANGE_CLASS_BY_SCHEMES
+from univers.version_range import build_range_from_github_advisory_constraint
 from univers.versions import InvalidVersion
 from univers.versions import SemverVersion
 
@@ -83,20 +85,6 @@ def parse_advisory_data_v3(
             continue
 
         affected_constraints = []
-        explicit_affected_constraints = get_explicit_affected_constraints(
-            affected_pkg=affected_pkg,
-            raw_id=advisory_id,
-            supported_ecosystem=purl.type,
-        )
-        affected_constraints.extend(explicit_affected_constraints)
-
-        last_known_affected = get_last_known_affected__constraint(
-            affected_pkg=affected_pkg,
-            raw_id=advisory_id,
-            supported_ecosystem=purl.type,
-        )
-        affected_constraints.extend(last_known_affected)
-
         fixed_constraints = []
         for r in affected_pkg.get("ranges") or []:
             (
@@ -109,9 +97,11 @@ def parse_advisory_data_v3(
                 raw_id=advisory_id,
                 supported_ecosystem=purl.type,
             )
+            if affected_constraint:
+                affected_constraints.extend(affected_constraint)
 
-            affected_constraints.extend(affected_constraint)
-            fixed_constraints.extend(fixed_constraint)
+            if fixed_constraint:
+                fixed_constraints.extend(fixed_constraint)
 
             repo_url = r.get("repo")
             commit_processing_queue = [
@@ -139,22 +129,27 @@ def parse_advisory_data_v3(
                             references.append(patch_obj)
 
         version_range_class = RANGE_CLASS_BY_SCHEMES.get(purl.type)
-
         affected_version_range = None
         if affected_constraints:
             try:
-                affected_version_range = version_range_class(
-                    constraints=simplify_constraints(affected_constraints)
-                )
+                valid_affected_constraints = VersionConstraint.simplify(affected_constraints)
+                if not validate_comparators(valid_affected_constraints):
+                    raise InvalidConstraintsError(
+                        f"Failed to build Affected VersionRange Constraints for {advisory_id}: {valid_affected_constraints}"
+                    )
+                affected_version_range = version_range_class(constraints=valid_affected_constraints)
             except Exception as e:
                 logger.error(f"Failed to build VersionRange for {advisory_id}: {e}")
 
         fixed_version_range = None
         if fixed_constraints:
             try:
-                fixed_version_range = version_range_class(
-                    constraints=simplify_constraints(fixed_constraints)
-                )
+                valid_fixed_constraints = VersionConstraint.simplify(fixed_constraints)
+                if not validate_comparators(valid_fixed_constraints):
+                    raise InvalidConstraintsError(
+                        f"Failed to build Fixed VersionRange Constraints for {advisory_id}: {valid_fixed_constraints}"
+                    )
+                fixed_version_range = version_range_class(constraints=valid_fixed_constraints)
             except Exception as e:
                 logger.error(f"Failed to build VersionRange for {advisory_id}: {e}")
 
@@ -177,6 +172,32 @@ def parse_advisory_data_v3(
             except Exception as e:
                 logger.error(f"Invalid AffectedPackageV2 {e} for {advisory_id}")
 
+        explicit_affected_range = get_explicit_affected_range(
+            affected_pkg=affected_pkg,
+            raw_id=advisory_id,
+            supported_ecosystem=purl.type,
+        )
+        if explicit_affected_range:
+            affected_packages.append(
+                AffectedPackageV2(
+                    package=purl,
+                    affected_version_range=explicit_affected_range,
+                )
+            )
+
+        explicit_last_known_affected_range = get_last_known_affected_range(
+            affected_pkg=affected_pkg,
+            raw_id=advisory_id,
+            supported_ecosystem=purl.type,
+        )
+        if explicit_last_known_affected_range:
+            affected_packages.append(
+                AffectedPackageV2(
+                    package=purl,
+                    affected_version_range=explicit_last_known_affected_range,
+                )
+            )
+
     database_specific = raw_data.get("database_specific") or {}
     cwe_ids = database_specific.get("cwe_ids") or []
     weaknesses = list(map(get_cwe_id, cwe_ids))
@@ -335,17 +356,17 @@ def get_affected_purl(affected_pkg, raw_id):
         return None
 
 
-def get_explicit_affected_constraints(affected_pkg, raw_id, supported_ecosystem):
+def get_explicit_affected_range(affected_pkg, raw_id, supported_ecosystem):
     """
-    Return a list of explicit version constraints for the ``affected_pkg`` data.
+    Return an explicit affected version range for the affected package data.
     """
     affected_versions = affected_pkg.get("versions") or []
     constraints = []
 
     version_range_class = RANGE_CLASS_BY_SCHEMES.get(supported_ecosystem)
     if not version_range_class:
         logger.error(f"unsupported ecosystem {supported_ecosystem}")
-        return []
+        return
 
     for version in affected_versions:
         try:
@@ -356,30 +377,33 @@ def get_explicit_affected_constraints(affected_pkg, raw_id, supported_ecosystem)
             logger.error(
                 f"Invalid VersionConstraint: {version} " f"for OSV id: {raw_id!r}: error:{e!r}"
             )
-    return constraints
+    if not constraints:
+        return
+    return version_range_class(constraints=constraints)
 
 
-def get_last_known_affected__constraint(affected_pkg, raw_id, supported_ecosystem):
+def get_last_known_affected_range(affected_pkg, raw_id, supported_ecosystem):
     """
     Return the last_known_affected_version_range from the database_specific
     """
     database_specific = affected_pkg.get("database_specific") or {}
     last_known_value = database_specific.get("last_known_affected_version_range")
 
     if not last_known_value:
-        return []
+        return
 
     try:
-        version_range_class = RANGE_CLASS_BY_SCHEMES.get(supported_ecosystem)
-        version_range = version_range_class.from_native(last_known_value)
-        return version_range.constraints
+        affected_version_range = build_range_from_github_advisory_constraint(
+            supported_ecosystem, last_known_value
+        )
+        return affected_version_range
 
     except Exception as e:
         logger.error(
             f"Invalid VersionConstraint in last_known_affected_version_range: {last_known_value!r} "
             f"for OSV id: {raw_id!r}: error:{e!r}"
         )
-        return []
+        return
 
 
 def get_version_ranges_constraints(ranges, raw_id, supported_ecosystem):
@@ -419,7 +443,7 @@ def get_version_ranges_constraints(ranges, raw_id, supported_ecosystem):
     for event_type, event_value in extract_events(ranges):
         if range_type == "GIT":
             if event_value == "0":
-                event_value = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"
+                continue
 
             if event_type == "fixed":
                 fixed_commits.append(event_value)

vulnerabilities/pipelines/v2_importers/github_osv_importer.py

@@ -11,7 +11,7 @@
 from pathlib import Path
 from typing import Iterable
 
-from fetchcode.vcs import fetch_via_vcs
+from fetchcode.vcs import fetch_via_vcs, VCSResponse
 
 from vulnerabilities.importer import AdvisoryData
 from vulnerabilities.importers.osv_v2 import parse_advisory_data_v3
@@ -41,7 +41,8 @@ def steps(cls):
 
     def clone(self):
         self.log(f"Cloning `{self.repo_url}`")
-        self.vcs_response = fetch_via_vcs(self.repo_url)
+        # self.vcs_response = fetch_via_vcs(self.repo_url)
+        self.vcs_response = VCSResponse(dest_dir="/home/ziad-hany/PycharmProjects/advisory-database", vcs_type="git", domain="GitHub")
 
     def advisories_count(self):
         advisory_dir = Path(self.vcs_response.dest_dir) / "advisories/github-reviewed"
@@ -79,9 +80,10 @@ def collect_advisories(self) -> Iterable[AdvisoryData]:
             )
 
     def clean_downloads(self):
-        if self.vcs_response:
-            self.log("Removing cloned repository")
-            self.vcs_response.delete()
+        pass
+        # if self.vcs_response:
+        #     self.log("Removing cloned repository")
+        #     self.vcs_response.delete()
 
     def on_failure(self):
         self.clean_downloads()

vulnerabilities/tests/test_data/osv_test/github/github-3.json

@@ -0,0 +1,75 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8hxh-r6f7-jf45",
+  "modified": "2021-10-04T21:26:20Z",
+  "published": "2020-10-16T17:03:43Z",
+  "aliases": [],
+  "summary": "Memory exhaustion in http4s-async-http-client with large or malicious compressed responses",
+  "details": "### Impact\nA server we connect to with http4s-async-http-client could theoretically respond with a large or malicious compressed stream and exhaust memory in the client JVM.  It does not affect http4s servers, other client backends, or clients that speak only to trusted servers.  This is related to a transitive dependency on netty-codec-4.1.45.Final, which is affected by [CVE-2020-11612](https://app.snyk.io/vuln/SNYK-JAVA-IONETTY-564897).\n\n### Patches\nUpgrade to http4s-async-http-client >= 0.21.8.  All 1.0 milestones are also safe.\n\n### Workarounds\nAdd an explicit runtime dependency on async-http-client's netty dependencies that evicts them to an unaffected version:\n\n```scala\nlibraryDependencies ++= Seq(\n  \"io.netty\" %  \"netty-codec\"         % \"4.1.53.Final\" % Runtime,\n  \"io.netty\" %  \"netty-codec-socks\"   % \"4.1.53.Final\" % Runtime,\n  \"io.netty\" %  \"netty-handler-proxy\" % \"4.1.53.Final\" % Runtime,\n  \"io.netty\" %  \"netty-common\"        % \"4.1.53.Final\" % Runtime,\n  \"io.netty\" %  \"netty-transport\"     % \"4.1.53.Final\" % Runtime,\n  \"io.netty\" %  \"netty-handler\"       % \"4.1.53.Final\" % Runtime,\n  \"io.netty\" %  \"netty-resolver-dns\"  % \"4.1.53.Final\" % Runtime\n)\n```\n\n### References\n* https://app.snyk.io/vuln/SNYK-JAVA-IONETTY-564897\n* https://github.com/http4s/http4s/issues/3681\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [http4s](https://github.com/http4s/http4s/issues/new)\n* Contact a maintainer privately per [http4s' security policy](https://github.com/http4s/http4s/blob/master/SECURITY.md#reporting-a-vulnerability)",
+  "severity": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.http4s:http4s-async-http-client_2.13"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.21.8"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 0.21.7"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.http4s:http4s-async-http-client_2.12"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.21.8"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 0.21.7"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/http4s/http4s/security/advisories/GHSA-8hxh-r6f7-jf45"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/http4s/http4s"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-400"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2020-10-16T17:03:18Z",
+    "nvd_published_at": null
+  }
+}

vulnerabilities/tests/test_data/osv_test/github/github-expected-2.json

@@ -18,6 +18,20 @@
       "fixed_version_range": "vers:composer/2.9.5",
       "introduced_by_commit_patches": [],
       "fixed_by_commit_patches": []
+    },
+    {
+      "package": {
+        "type": "composer",
+        "namespace": "devcode-it",
+        "name": "openstamanager",
+        "version": "",
+        "qualifiers": "",
+        "subpath": ""
+      },
+      "affected_version_range": "vers:composer/<=2.9.4",
+      "fixed_version_range": null,
+      "introduced_by_commit_patches": [],
+      "fixed_by_commit_patches": []
     }
   ],
   "references_v2": [