Add Almalinux advisories #1491
Conversation
Added almalinux advisories and tests for it
Signed-off-by: ambuj <[email protected]>
@ziadhany Since this importer uses the osv.py importer, shall I add AlmaLinux:8 and AlmaLinux:9 to the supported ecosystems in osv.py?
@ambuj-1211 yes, you should add it to this
@ambuj-1211 But you will face another issue: you need to add support for almalinux in univers.
    return dedupe(fixed_versions)


def get_affected_version_range(affected_pkg, raw_id, supported_ecosystem):
@ziadhany unable to figure out how to find affected version range
@ambuj-1211, we don't handle getting the affected version range from "introduced" and "fixed" in OSV. We only obtain this using "versions".
I recommend handling this in a separate issue. Please create one for it.
Additionally, please review the following link:
https://github.com/nexB/vulnerablecode/blob/main/vulnerabilities/tests/test_osv.py#L270
If we don't have an affected versions set, set this as null.
@ziadhany I have done some changes; let me know if it requires anything else, and also tell me whether I need to squash the commits to make the history cleaner. And do I need to select "update with rebase" for this branch?
@ziadhany can this be merged?
I still need to review this code
…tion
- Added a detailed docstring to the `parse_advisory_data` function in the `almalinux-importer` module.
- The docstring includes a clear description of the function's purpose, arguments, return value, and an example usage.
- Improved the readability and structure of the example output in the docstring to ensure clarity and consistency.
This documentation enhancement makes the `parse_advisory_data` function easier to understand and use, aiding future development and maintenance.
Signed-off-by: ambuj <[email protected]>
Why not use the existing OSV script directly or modify it to support Almalinux, instead of rewriting the entire code?
import json
import logging
from pathlib import Path
from typing import Any
from typing import Any
from univers.version_range import RANGE_CLASS_BY_SCHEMES
from univers.version_range import RpmVersionRange
from univers.versions import InvalidVersion
@ambuj-1211 please remove the unused imports.
- from univers.version_range import RANGE_CLASS_BY_SCHEMES
- from univers.version_range import RpmVersionRange
- from univers.versions import InvalidVersion
from vulnerabilities.utils import get_cwe_id

logger = logging.getLogger(__name__)
BASE_URL = "https://github.com/AlmaLinux/osv-database"
Please keep the URL within the importer class.
        try:
            self.clone(repo_url=self.BASE_URL)
            base_path = Path(self.vcs_response.dest_dir)
            advisory_dirs = base_path / "tree/master/advisories"
@ambuj-1211 This path isn't functioning; the importer isn't actually importing any data.
- advisory_dirs = base_path / "tree/master/advisories"
+ advisory_dirs = base_path / "advisories/"
Please ensure you run the importer and verify the data is correctly imported.
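Two points from the review threads above are worth seeing in running code: the OSV-based importer takes fixed versions from the range events but affected versions only from an explicit "versions" list (null when the record has none), and a plain git checkout of the database keeps its records under advisories/, not tree/master/advisories, so a wrong base path silently imports nothing. The following is an added example, not code from this PR or from vulnerablecode; it uses only the standard library rather than univers, and the advisory id, package name, versions, the SUPPORTED_ECOSYSTEMS set and all function names are assumptions made for the example.

```python
import json
import tempfile
from pathlib import Path
from typing import Any, Dict, Iterator, List, Optional

# Constructed sample in OSV shape; the id, package and versions are made up.
SAMPLE_ADVISORY: Dict[str, Any] = {
    "id": "ALSA-EXAMPLE-0001",
    "summary": "Example: moderate foo security update",
    "affected": [
        {
            "package": {"ecosystem": "AlmaLinux:8", "name": "foo"},
            "ranges": [  # the same fix listed twice, to exercise the dedupe step
                {"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "1.2.3-4.el8"}]},
                {"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "1.2.3-4.el8"}]},
            ],
            "versions": ["1.2.0-1.el8", "1.2.3-2.el8", "1.2.0-1.el8"],
        },
        {   # no "versions" list at all: affected versions must come back as None
            "package": {"ecosystem": "AlmaLinux:9", "name": "foo"},
            "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "1.3.0-1.el9"}]}],
        },
        {   # unsupported ecosystem: skipped by the importer
            "package": {"ecosystem": "SomethingElse", "name": "foo"},
            "versions": ["9"],
        },
    ],
}

SUPPORTED_ECOSYSTEMS = {"AlmaLinux:8", "AlmaLinux:9"}  # assumed for the example


def dedupe(items: List[str]) -> List[str]:
    """Drop duplicates while keeping first-seen order (set.add returns None)."""
    seen: set = set()
    return [x for x in items if not (x in seen or seen.add(x))]


def get_fixed_versions(affected_pkg: Dict[str, Any]) -> List[str]:
    """Every 'fixed' event across the package's ranges, deduplicated."""
    fixed = [
        event["fixed"]
        for rng in affected_pkg.get("ranges", [])
        for event in rng.get("events", [])
        if "fixed" in event
    ]
    return dedupe(fixed)


def get_affected_versions(affected_pkg: Dict[str, Any]) -> Optional[List[str]]:
    """Affected versions come only from the explicit 'versions' list, never from
    introduced/fixed events; None when the record carries no such list."""
    versions = affected_pkg.get("versions")
    return dedupe(versions) if versions else None


def parse_advisory_data(raw: Dict[str, Any]) -> Dict[str, Any]:
    """Reduce one OSV record to the fields an importer would store."""
    packages = []
    for affected in raw.get("affected", []):
        pkg = affected.get("package", {})
        if pkg.get("ecosystem") not in SUPPORTED_ECOSYSTEMS:
            continue  # not an AlmaLinux entry
        packages.append({
            "ecosystem": pkg["ecosystem"],
            "name": pkg.get("name"),
            "fixed_versions": get_fixed_versions(affected),
            "affected_versions": get_affected_versions(affected),
        })
    return {"advisory_id": raw.get("id"), "summary": raw.get("summary", ""), "packages": packages}


def iter_advisory_files(base_path: Path) -> Iterator[Path]:
    """A checkout keeps records under advisories/; there is no tree/master/ prefix on
    disk, so report a missing directory instead of silently importing nothing."""
    advisory_dir = base_path / "advisories"
    if not advisory_dir.is_dir():
        raise FileNotFoundError(f"no advisories/ directory under {base_path}")
    yield from sorted(advisory_dir.rglob("*.json"))


def import_from_checkout(base_path: Path) -> List[Dict[str, Any]]:
    return [parse_advisory_data(json.loads(p.read_text(encoding="utf-8")))
            for p in iter_advisory_files(base_path)]


def demo() -> Dict[str, Any]:
    """Write the sample into a temporary checkout-style layout, import it, and show
    that the wrong base path is reported rather than yielding an empty import."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        target = base / "advisories" / "almalinux8" / "ALSA-EXAMPLE-0001.json"
        target.parent.mkdir(parents=True)
        target.write_text(json.dumps(SAMPLE_ADVISORY), encoding="utf-8")
        imported = import_from_checkout(base)
        try:
            import_from_checkout(base / "tree" / "master")
            wrong_path_detected = False
        except FileNotFoundError:
            wrong_path_detected = True
    return {"imported": len(imported), "wrong_path_detected": wrong_path_detected}


if __name__ == "__main__":
    print(json.dumps(parse_advisory_data(SAMPLE_ADVISORY), indent=2))
    print(demo())
```

Running the block prints the parsed sample and then {'imported': 1, 'wrong_path_detected': True}: the AlmaLinux:8 entry keeps one fixed version and two affected versions after deduplication, the AlmaLinux:9 entry gets affected_versions None because it has no "versions" list, and the tree/master path raises instead of returning an empty list, which is the check the reviewer asked for before trusting an importer run.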
    spdx_license_expression = "MIT License"
    license_url = "https://github.com/AlmaLinux/osv-database/blob/master/LICENSE"
    importer_name = "Alma Linux Importer"
    repo_url = "git+https://github.com/AlmaLinux/osv-database"
class AlmaImporter(Importer):
    spdx_license_expression = "MIT License"
Please refer to https://spdx.org/licenses/ before writing the SPDX license expression.
- spdx_license_expression = "MIT License"
+ spdx_license_expression = "MIT"
@ambuj-1211 Update the OSV
Fix #1201
@ziadhany @TG1999 @keshav-space This is the basic nit to add Alma Linux advisories into the vulnerablecode database; please review it so I can make further changes.