yavdb 0.2.1 → 0.3.0
- checksums.yaml +4 -4
- data/Gemfile.lock +2 -2
- data/README.md +3 -6
- data/lib/yavdb/database.rb +7 -1
- data/lib/yavdb/dtos/advisory.rb +3 -3
- data/lib/yavdb/sources/friends_of_php.rb +8 -2
- data/lib/yavdb/sources/ossindex.rb +4 -1
- data/lib/yavdb/sources/ruby_advisory.rb +4 -1
- data/lib/yavdb/sources/snyk_io.rb +6 -2
- data/lib/yavdb/sources/victims.rb +4 -1
- data/lib/yavdb/version.rb +1 -1
- metadata +2 -3
- data/lib/yavdb/sources/nodesecurity_io.rb +0 -120
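--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: f1f0cdfd79936efa10947a4b983c295f7059d930
+data.tar.gz: 2ba6d7e40d9cb9d56249ff767ec5156520a610ae
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: d29009672be459fc5c40701735d46f8460ccb3fad87169ecb1937a0858d6028cb008b8b2c4b1097758a418ea70c93ef959d0391f8e36cd729374b21afbdda3b7
+data.tar.gz: ff5295068f3530f150004146154df3583bcce4a412d083181520b43a9b4e8d7401af7c330f4df6a85d325dc8cf0d47423d121de60949132ee8f9e805eb7c4fa4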
data/Gemfile.lock
CHANGED
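--- a/data/README.md
+++ b/data/README.md
@@ -12,8 +12,8 @@ developers identify and fix know vulnerabilities in their apps.
 The sources for this database include
 [Rubysec](https://rubysec.com/),
 [snyk](https://snyk.io/),
-[OSSIndex](https://ossindex.net/),
-[NodeSecurity](https://nodesecurity.io/),
+[OSSIndex (deprecated)](https://ossindex.net/),
+[NodeSecurity (deprecated)](https://nodesecurity.io/),
 [Friends of PHP](https://github.com/FriendsOfPHP/security-advisories),
 [Magento Related Security Advisories](https://github.com/victims/victims-cve-db),
 [Victims CVE Database](https://github.com/victims/victims-cve-db)
@@ -25,11 +25,9 @@ The sources for this database include
 ## Installation
 
 ```sh
-gem install yavdb
+gem install yavdb
 ```
 
-> Notice the `--pre` in the end
-
 ## TODO:
 
 #### Tests
@@ -38,7 +36,6 @@ gem install yavdb --pre
 - [ ] [Rubysec](lib/yavdb/sources/ruby_advisory.rb)
 - [X] [snyk](lib/yavdb/sources/snyk_io.rb)
 - [ ] [OSSIndex](lib/yavdb/sources/ossindex.rb)
-- [X] [NodeSecurity](lib/yavdb/sources/nodesecurity_io.rb)
 - [ ] [Friends of PHP and Magento Related Security Advisories](lib/yavdb/sources/friends_of_php.rb)
 - [ ] [Victims CVE Database](lib/yavdb/sources/victims.rb)
 * Others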
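--- a/data/lib/yavdb/database.rb
+++ b/data/lib/yavdb/database.rb
@@ -60,12 +60,18 @@ module YAVDB
 def save_to_file(database_path, vulns)
 vulns.map do |package_manager, vunerabilities_by_pm|
 vunerabilities_by_pm.map do |package, vunerabilities_by_p|
+previous_vulnerabilities = search(database_path, package_manager, package)
+
 package_path = package_path(database_path, package_manager, package)
 package_path_directory = File.dirname(package_path)
 FileUtils.mkdir_p(package_path_directory) unless File.exist?(package_path_directory)
 
+uniq_vunerabilities_by_p = Hash[previous_vulnerabilities.concat(vunerabilities_by_p).map { |vuln| [vuln.id, vuln] }].values
+
+next unless uniq_vunerabilities_by_p.any?
+
 File.open(package_path, 'wb') do |file|
-package_vulns_yml_str =
+package_vulns_yml_str = uniq_vunerabilities_by_p
 .sort_by(&:id)
 .map(&:to_map)
 .to_yaml(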
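Review bot: The `uniq_vunerabilities_by_p` line resolves two advisories with the same id in favour of the freshly fetched one, because `Hash[...]` keeps the last value for a repeated key, and nothing in the hunk says that precedence is intended; a comment such as `# later entries win: a freshly fetched advisory replaces the stored copy with the same id` would pin it down. `concat` also mutates the array returned by `search` in place, which is harmless only if `search` builds a fresh array on every call, and if `search` can return nil for a package with no file on disk the merge raises `NoMethodError` — both worth confirming against `search`, which is outside the hunk. `.to_h.values` reads more naturally than `Hash[...].values`, and `Array(previous_vulnerabilities).concat(...)` would cover the nil case. `save_to_file` continues past the end of the hunk.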
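--- a/data/lib/yavdb/dtos/advisory.rb
+++ b/data/lib/yavdb/dtos/advisory.rb
@@ -79,9 +79,9 @@ module YAVDB
 def to_map
 map = {}
 members.each do |m|
-next
-
-
+next if !self[m] ||
+(self[m].is_a?(String) && self[m].empty?) ||
+(self[m].is_a?(Array) && self[m].none?)
 
 map[m.to_s] = self[m] if self[m]
 end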
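Review bot: The trailing `if self[m]` on the `map[m.to_s] =` line is now redundant, because the new `next if !self[m] || …` guard has already skipped every nil or false member, and the member is read through `self[m]` up to six times per iteration. Binding it once keeps the filter in one place: `value = self[m]`, `next if !value || (value.is_a?(String) && value.empty?) || (value.is_a?(Array) && value.none?)`, `map[m.to_s] = value`. Note that `none?` without a block also treats `[nil]` and `[false]` as empty, which is broader than `empty?`; if that is deliberate (the friends_of_php change on this page can produce a `[nil]` cves array), a comment saying so would help the next reader. `to_map` ends after the hunk.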
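--- a/data/lib/yavdb/sources/friends_of_php.rb
+++ b/data/lib/yavdb/sources/friends_of_php.rb
@@ -54,9 +54,15 @@ module YAVDB
 info['versions'].join(' ')
 end.flatten
 
+cves = [advisory_hash['cve']].reject { |cve| cve == '~' }
+
 package_name = advisory_hash['reference'].gsub(%r{composer:\/\/(.*)}, '\1')
+
+vuln_id_stamp = (cves && cves[0]) || date
+vuln_id = "friendsofphp:packagist:#{package_name}:#{vuln_id_stamp}"
+
 YAVDB::Advisory.new(
-
+vuln_id,
 advisory_hash['title'],
 nil, #:description
 package_name,
@@ -65,7 +71,7 @@ module YAVDB
 nil, #:patched_versions
 nil, #:severity
 PACKAGE_MANAGER,
-
+cves,
 nil, #:cwe
 nil, #:osvdb
 nil, #:cvss_v2_vector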
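Review bot: `[advisory_hash['cve']].reject { |cve| cve == '~' }` still yields `[nil]` when the advisory has no `cve` key, so `cves` reaches `Advisory.new` holding a nil entry and `cves[0]` is nil; `cves = [advisory_hash['cve']].compact.reject { |cve| cve == '~' }` avoids both, and since `cves` is always an Array the `cves &&` test is redundant (`cves.first || date`). More importantly, the new ids are also the dedup key in `save_to_file` (database.rb on this page), so two CVE-less advisories for the same package on the same `date` collapse into one id and one of them is silently dropped; the same fallback shape appears in the ossindex.rb, ruby_advisory.rb, snyk_io.rb and victims.rb hunks. A short comment on the `vuln_id` line documenting the id format and the uniqueness assumption (`# id = source:pm:package:stamp; stamp is the first CVE, else the advisory date — must be unique per package`) would make that trade-off explicit. `date` is not defined inside the hunk, presumably earlier in the method.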
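--- a/data/lib/yavdb/sources/ossindex.rb
+++ b/data/lib/yavdb/sources/ossindex.rb
@@ -95,8 +95,11 @@ module YAVDB
 .reject { |v| v == '-' }
 versions = ['*'] unless versions.any?
 
+vuln_id_stamp = (cve && cve[0]) || published_date
+vuln_id = "ossindex:#{package_manager}:#{package_name}:#{vuln_id_stamp}"
+
 YAVDB::Advisory.new(
-
+vuln_id,
 advisory['title'],
 advisory['description'],
 package_name,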
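Review bot: `(cve && cve[0]) || published_date` is the nil-safe first-element idiom spelled out by hand; `cve&.first || published_date` says the same thing, and the identical form appears in the ruby_advisory.rb hunk. The id embeds `published_date` via string interpolation, so its text depends on the object's class — a `Date` renders as an ISO day (e.g. `2018-10-21`) while a `Time` adds the clock time and zone — and neither `cve` nor `published_date` is derived inside the hunk, so this is worth confirming against the earlier part of the method. A comment on the `vuln_id` line stating the expected stamp format (`# stamp: first CVE id, else ISO date of publication`) would keep the format stable across refactors.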
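--- a/data/lib/yavdb/sources/ruby_advisory.rb
+++ b/data/lib/yavdb/sources/ruby_advisory.rb
@@ -54,8 +54,11 @@ module YAVDB
 ['*']
 end
 
+vuln_id_stamp = (cve && cve[0]) || date
+vuln_id = "rubyadvisory:rubygems:#{advisory_hash['gem']}:#{vuln_id_stamp}"
+
 YAVDB::Advisory.new(
-
+vuln_id,
 advisory_hash['title'],
 advisory_hash['description'],
 advisory_hash['gem'],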
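Review bot: The `vuln_id` line interpolates `advisory_hash['gem']` straight into the id, so an entry without that key yields `rubyadvisory:rubygems::<stamp>` and every such entry with the same stamp collides instead of failing; `advisory_hash.fetch('gem')` would raise on the malformed record. The same value is passed as the package name a few lines later in the `Advisory.new` call, so binding it once (`gem_name = advisory_hash.fetch('gem')`) also removes the duplicate lookup. Whether advisories without a `gem` key can reach this method depends on how the files are selected earlier in the class, which is outside the hunk.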
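--- a/data/lib/yavdb/sources/snyk_io.rb
+++ b/data/lib/yavdb/sources/snyk_io.rb
@@ -119,8 +119,13 @@ module YAVDB
 published_date
 end
 
+vuln_id_stamp = (sidebar_data[:cve] && sidebar_data[:cve][0]) ||
+sidebar_data[:id].split(%r{-|:}).last ||
+disclosed_date
+vuln_id = "snykio:#{package_manager}:#{affected_package}:#{vuln_id_stamp}"
+
 YAVDB::Advisory.new(
-
+vuln_id,
 title,
 body_data[:description],
 affected_package,
@@ -157,7 +162,6 @@ module YAVDB
 last_elem = description_sections.last
 new_body = last_elem[:body].push(field)
 last_elem[:body] = new_body
-description_sections.push(last_elem)
 end
 end
 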
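Review bot: In the `vuln_id_stamp` expression the `disclosed_date` fallback is only reachable when `sidebar_data[:id]` is empty or consists solely of separators, because `sidebar_data[:id].split(%r{-|:}).last` raises `NoMethodError` on a nil id and otherwise returns a non-nil segment, so the third alternative does not give the protection it appears to. `sidebar_data[:id]&.split(/[-:]/)&.last || disclosed_date` makes the chain nil-safe, and the character class is the idiomatic form of `%r{-|:}`. Using the last `-`/`:`-separated segment of the id as a uniqueness stamp also deserves a comment, since two ids that share a trailing segment for the same package would collide in the dedup done by `save_to_file` in database.rb. The surrounding method starts before the hunk.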
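--- a/data/lib/yavdb/sources/victims.rb
+++ b/data/lib/yavdb/sources/victims.rb
@@ -59,8 +59,11 @@ module YAVDB
 
 def create(advisory_hash, language, url)
 advisory_hash['affected'].map do |affected_package|
+vuln_id_stamp = advisory_hash['cve'] || 'date'
+vuln_id = "victims:#{language.package_manager}:#{language.name_parser[affected_package]}:#{vuln_id_stamp}"
+
 YAVDB::Advisory.new(
-
+vuln_id,
 advisory_hash['title'],
 advisory_hash['description'],
 language.name_parser[affected_package],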
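Review bot: `advisory_hash['cve'] || 'date'` falls back to the literal string `date`, not to a date value, so every CVE-less advisory for a package gets the identical id `victims:<pm>:<name>:date`; the other sources on this page fall back to a parsed date, and since the id is the dedup key in `save_to_file` these collisions drop records silently. If the method has a parsed publication date in scope, use it as the fallback; otherwise `advisory_hash.fetch('cve')` at least fails loudly on the record that lacks one. `language.name_parser[affected_package]` is also evaluated twice in the block; binding it once (`package_name = language.name_parser[affected_package]`) keeps the id and the `Advisory.new` argument in step. `create` continues past the end of the hunk.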
data/lib/yavdb/version.rb
CHANGED
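--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: yavdb
 version: !ruby/object:Gem::Version
-version: 0.
+version: 0.3.0
 platform: ruby
 authors:
 - Rodrigo Fernandes
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-10-
+date: 2018-10-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bundler
@@ -227,7 +227,6 @@ files:
 - lib/yavdb/dtos/advisory.rb
 - lib/yavdb/source_types/git_repo.rb
 - lib/yavdb/sources/friends_of_php.rb
-- lib/yavdb/sources/nodesecurity_io.rb
 - lib/yavdb/sources/ossindex.rb
 - lib/yavdb/sources/ruby_advisory.rb
 - lib/yavdb/sources/snyk_io.rb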
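--- a/data/lib/yavdb/sources/nodesecurity_io.rb
+++ b/data/lib/yavdb/sources/nodesecurity_io.rb
@@ -1,120 +0,0 @@
-# yavdb - The Free and Open Source vulnerability database
-# Copyright (C) 2017-present Rodrigo Fernandes
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as
-# published by the Free Software Foundation, either version 3 of the
-# License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU Affero General Public License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-require 'oga'
-require 'oga/xml/entities'
-require 'date'
-
-require_relative '../dtos/advisory'
-require_relative '../utils/http'
-
-module YAVDB
-module Sources
-module NodeSecurityIO
-class Client
-
-API_URL = 'https://api.nodesecurity.io/advisories'
-WEBSITE_URL = 'https://nodesecurity.io/advisories'
-
-def self.advisories
-fetch_advisories.map do |advisory_hash|
-create(advisory_hash)
-end
-end
-
-class << self
-
-private
-
-def fetch_advisories
-offset = 0
-advisories = []
-
-loop do
-nodesecurity = YAVDB::Utils::HTTP.get_page_contents("#{API_URL}?offset=#{offset}", false, 'nodesecurity.io/advisories')
-advisories_json = JSON.parse(nodesecurity.join)
-
-advisories_json['count'].positive? ? advisories = advisories.concat(advisories_json['results']) : break
-
-offset += advisories_json['count']
-end
-
-advisories
-end
-
-def create(advisory_hash)
-publish_date = Date.parse(advisory_hash['publish_date'])
-created_at = Date.parse(advisory_hash['created_at'])
-updated_at = Date.parse(advisory_hash['updated_at'])
-
-vulnerable_versions =
-if advisory_hash['vulnerable_versions'].nil? || advisory_hash['vulnerable_versions'].empty?
-'*'
-else
-advisory_hash['vulnerable_versions']
-end
-
-YAVDB::Advisory.new(
-"nodesecurity:npm:#{advisory_hash['module_name']}:#{publish_date}",
-advisory_hash['title'],
-advisory_hash['overview'],
-advisory_hash['module_name'],
-[vulnerable_versions],
-nil, #:unaffected_versions
-advisory_hash['patched_versions'],
-severity(advisory_hash['cvss_score']),
-'npm',
-advisory_hash['cves'],
-nil, #:cwe
-nil, #:osvdb
-nil, #:cvss_v2_vector
-nil, #:cvss_v2_score
-advisory_hash['cvss_vector'],
-advisory_hash['cvss_score'],
-publish_date,
-created_at,
-updated_at,
-[advisory_hash['author']],
-clean_references(advisory_hash['references']),
-"#{WEBSITE_URL}/#{advisory_hash['id']}"
-)
-end
-
-def severity(cvss_score)
-case cvss_score
-when 0.0..3.3 then
-'low'
-when 3.3..6.6 then
-'medium'
-else
-'high'
-end
-end
-
-def clean_references(references)
-if references
-[references.gsub(%r{.*?(http.+)}, '\1')]
-else
-[]
-end
-end
-
-end
-
-end
-end
-end
-end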