Adds Samba Advisory #1802
Adds Samba Advisory #1802
Conversation
Signed-off-by: Rishi Garg <[email protected]>
Signed-off-by: Rishi Garg <[email protected]>
Signed-off-by: Rishi Garg <[email protected]>
This comment was marked as duplicate.
This comment was marked as duplicate.
Sorry, something went wrong.
There was a problem hiding this comment.
Thanks @Rishi-source, see feedback and suggestions below. parse_advisory_row is way too convoluted and is trying to do too many things at once. Affected version parsing is not working correctly. Also, browsing the samba package throws a Server Error (500). Make sure to run the import locally and cross validate the quality of the imported vulnerability against upstream advisory.
| if not hasattr(self, "advisory_data"): | ||
| return 0 |
There was a problem hiding this comment.
This will not be required, if fetch step fails for some reason entire pipeline would be terminated.
| cve_ids = [] | ||
| for link in cells[4].find_all("a"): | ||
| cve_id = link.get_text().strip() | ||
| if re.match(r"CVE-\d{4}-\d{4,}", cve_id): | ||
| cve_ids.append(cve_id) |
There was a problem hiding this comment.
CVE parsing is not clean it leads to 404 Client Error: Not Found for url: https://www.samba.org/samba/security/CVE-2019-19344..html
| if version_match: | ||
| affected_packages.append( | ||
| AffectedPackage( | ||
| package=base_purl, fixed_version=f"{version_match.group(1)}-fixed" | ||
| ) | ||
| ) |
There was a problem hiding this comment.
I honestly do not understand why would you put affected_version in fixed version.
And why are you mutating the original version by appending -fixed to version.
| ) | ||
| else: | ||
| affected_packages.append( | ||
| AffectedPackage(package=base_purl, fixed_version="unknown") |
There was a problem hiding this comment.
Why invent imaginary unknown fixed version?
| detailed_summary = issue_desc | ||
|
|
||
| for cve_id in cve_ids: | ||
| details = self.get_advisory_details(cve_id) |
There was a problem hiding this comment.
This will not work for generated id SAMBA-VULN-
| references=references, | ||
| affected_packages=affected_packages, | ||
| date_published=date_published, | ||
| url="https://www.samba.org/samba/history/security.html", |
There was a problem hiding this comment.
Shouldn't the url be the individual announcement like https://www.samba.org/samba/security/CVE-2023-3961.html?
| if version_match: | ||
| affected_packages.append( | ||
| AffectedPackage( | ||
| package=base_purl, fixed_version=f"{version_match.group(1)}-fixed" | ||
| ) | ||
| ) |
There was a problem hiding this comment.
Again why would you put affected_version in fixed version field.
|
Hi @keshav-space , |
| @@ -78,6 +79,20 @@ | |||
| ubuntu_usn.UbuntuUSNImporter, | |||
| fireeye.FireyeImporter, | |||
| oss_fuzz.OSSFuzzImporter, | |||
| ruby.RubyImporter, | |||
There was a problem hiding this comment.
These lines should not be there when using pipelines
Fixes #102