severity_systems and weaknesses updated for importer

Signed-off-by: NucleonGodX <[email protected]>
aboutcode-org · Jan 30, 2025 · ee6578a · ee6578a
1 parent 79e83d1
commit ee6578a
Show file tree

Hide file tree

Showing 2 changed files with 117 additions and 6 deletions.
diff --git a/vulnerabilities/pipelines/apache_log4j_importer.py b/vulnerabilities/pipelines/apache_log4j_importer.py
@@ -19,11 +19,14 @@
 from packageurl import PackageURL
 from univers.versions import MavenVersion
 
+from vulnerabilities import severity_systems
 from vulnerabilities.importer import AdvisoryData
 from vulnerabilities.importer import AffectedPackage
 from vulnerabilities.importer import Reference
+from vulnerabilities.importer import VulnerabilitySeverity
 from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipeline
 from vulnerabilities.utils import fetch_response
+from vulnerabilities.utils import get_cwe_id
 
 logger = logging.getLogger(__name__)
 
@@ -157,12 +160,30 @@ def _process_vulnerability(self, vulnerability) -> Iterable[AdvisoryData]:
         if vulnerability.published:
             published_str = str(vulnerability.published)
             date_published = parse(published_str).replace(tzinfo=pytz.UTC)
+        severities = []
+        weaknesses = []
+        for cwe in vulnerability.cwes:
+            cwe_id = cwe
+            weaknesses.append(get_cwe_id(f"CWE-{cwe_id}"))
 
         references = [
             Reference(url=f"https://nvd.nist.gov/vuln/detail/{cve_id}", reference_id=cve_id),
             Reference(url=f"{self.ASF_PAGE_URL}#{cve_id}", reference_id=cve_id),
         ]
 
+        for rating in vulnerability.ratings:
+            cvssv3_score = str(rating.score)
+            cvssv3_vector = rating.vector
+            cvssv3_url = str(rating.source.url)
+            severities.append(
+                VulnerabilitySeverity(
+                    system=severity_systems.CVSSV3,
+                    value=cvssv3_score,
+                    scoring_elements=cvssv3_vector,
+                )
+            )
+            references.append(Reference(url=cvssv3_url, severities=severities))
+
         fixed_versions = self._extract_fixed_versions(vulnerability.recommendation)
         affected_packages = self._get_affected_packages(vulnerability, fixed_versions)
 
@@ -173,6 +194,7 @@ def _process_vulnerability(self, vulnerability) -> Iterable[AdvisoryData]:
                 affected_packages=affected_packages,
                 references=references,
                 date_published=date_published,
+                weaknesses=weaknesses,
                 url=f"{self.ASF_PAGE_URL}#{cve_id}",
             )
 

diff --git a/vulnerabilities/tests/test_data/apache_log4j/parse-advisory-apache-log4j-expected.json b/vulnerabilities/tests/test_data/apache_log4j/parse-advisory-apache-log4j-expected.json
@@ -30,10 +30,24 @@
         "reference_type": "",
         "url": "https://logging.apache.org/security.html#CVE-2017-5645",
         "severities": []
+      },
+      {
+        "reference_id": "",
+        "reference_type": "",
+        "url": "https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:P)&version=2.0",
+        "severities": [
+          {
+            "system": "cvssv3",
+            "value": "7.5",
+            "scoring_elements": "AV:N/AC:L/Au:N/C:P/I:P/A:P"
+          }
+        ]
       }
     ],
     "date_published": "2017-04-17T00:00:00+00:00",
-    "weaknesses": [],
+    "weaknesses": [
+      502
+    ],
     "url": "https://logging.apache.org/security.html#CVE-2017-5645"
   },
   {
@@ -79,10 +93,24 @@
         "reference_type": "",
         "url": "https://logging.apache.org/security.html#CVE-2020-9488",
         "severities": []
+      },
+      {
+        "reference_id": "",
+        "reference_type": "",
+        "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N&version=3.1",
+        "severities": [
+          {
+            "system": "cvssv3",
+            "value": "3.7",
+            "scoring_elements": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
+          }
+        ]
       }
     ],
     "date_published": "2017-04-27T00:00:00+00:00",
-    "weaknesses": [],
+    "weaknesses": [
+      295
+    ],
     "url": "https://logging.apache.org/security.html#CVE-2020-9488"
   },
   {
@@ -140,10 +168,27 @@
         "reference_type": "",
         "url": "https://logging.apache.org/security.html#CVE-2021-44228",
         "severities": []
+      },
+      {
+        "reference_id": "",
+        "reference_type": "",
+        "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H&version=3.1",
+        "severities": [
+          {
+            "system": "cvssv3",
+            "value": "10.0",
+            "scoring_elements": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
+          }
+        ]
       }
     ],
     "date_published": "2021-12-10T00:00:00+00:00",
-    "weaknesses": [],
+    "weaknesses": [
+      20,
+      400,
+      502,
+      917
+    ],
     "url": "https://logging.apache.org/security.html#CVE-2021-44228"
   },
   {
@@ -201,10 +246,25 @@
         "reference_type": "",
         "url": "https://logging.apache.org/security.html#CVE-2021-44832",
         "severities": []
+      },
+      {
+        "reference_id": "",
+        "reference_type": "",
+        "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H&version=3.1",
+        "severities": [
+          {
+            "system": "cvssv3",
+            "value": "6.6",
+            "scoring_elements": "AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"
+          }
+        ]
       }
     ],
     "date_published": "2021-12-28T00:00:00+00:00",
-    "weaknesses": [],
+    "weaknesses": [
+      20,
+      74
+    ],
     "url": "https://logging.apache.org/security.html#CVE-2021-44832"
   },
   {
@@ -262,10 +322,24 @@
         "reference_type": "",
         "url": "https://logging.apache.org/security.html#CVE-2021-45046",
         "severities": []
+      },
+      {
+        "reference_id": "",
+        "reference_type": "",
+        "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H&version=3.1",
+        "severities": [
+          {
+            "system": "cvssv3",
+            "value": "9.0",
+            "scoring_elements": "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"
+          }
+        ]
       }
     ],
     "date_published": "2021-12-14T00:00:00+00:00",
-    "weaknesses": [],
+    "weaknesses": [
+      917
+    ],
     "url": "https://logging.apache.org/security.html#CVE-2021-45046"
   },
   {
@@ -323,10 +397,25 @@
         "reference_type": "",
         "url": "https://logging.apache.org/security.html#CVE-2021-45105",
         "severities": []
+      },
+      {
+        "reference_id": "",
+        "reference_type": "",
+        "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1",
+        "severities": [
+          {
+            "system": "cvssv3",
+            "value": "5.9",
+            "scoring_elements": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
+          }
+        ]
       }
     ],
     "date_published": "2021-12-18T00:00:00+00:00",
-    "weaknesses": [],
+    "weaknesses": [
+      20,
+      674
+    ],
     "url": "https://logging.apache.org/security.html#CVE-2021-45105"
   }
 ]