yavdb 0.2.1 → 0.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/Gemfile.lock +2 -2
- data/README.md +3 -6
- data/lib/yavdb/database.rb +7 -1
- data/lib/yavdb/dtos/advisory.rb +3 -3
- data/lib/yavdb/sources/friends_of_php.rb +8 -2
- data/lib/yavdb/sources/ossindex.rb +4 -1
- data/lib/yavdb/sources/ruby_advisory.rb +4 -1
- data/lib/yavdb/sources/snyk_io.rb +6 -2
- data/lib/yavdb/sources/victims.rb +4 -1
- data/lib/yavdb/version.rb +1 -1
- metadata +2 -3
- data/lib/yavdb/sources/nodesecurity_io.rb +0 -120
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: f1f0cdfd79936efa10947a4b983c295f7059d930
|
|
4
|
+
data.tar.gz: 2ba6d7e40d9cb9d56249ff767ec5156520a610ae
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: d29009672be459fc5c40701735d46f8460ccb3fad87169ecb1937a0858d6028cb008b8b2c4b1097758a418ea70c93ef959d0391f8e36cd729374b21afbdda3b7
|
|
7
|
+
data.tar.gz: ff5295068f3530f150004146154df3583bcce4a412d083181520b43a9b4e8d7401af7c330f4df6a85d325dc8cf0d47423d121de60949132ee8f9e805eb7c4fa4
|
data/Gemfile.lock
CHANGED
data/README.md
CHANGED
|
@@ -12,8 +12,8 @@ developers identify and fix know vulnerabilities in their apps.
|
|
|
12
12
|
The sources for this database include
|
|
13
13
|
[Rubysec](https://rubysec.com/),
|
|
14
14
|
[snyk](https://snyk.io/),
|
|
15
|
-
[OSSIndex](https://ossindex.net/),
|
|
16
|
-
[NodeSecurity](https://nodesecurity.io/),
|
|
15
|
+
[OSSIndex (deprecated)](https://ossindex.net/),
|
|
16
|
+
[NodeSecurity (deprecated)](https://nodesecurity.io/),
|
|
17
17
|
[Friends of PHP](https://github.com/FriendsOfPHP/security-advisories),
|
|
18
18
|
[Magento Related Security Advisories](https://github.com/victims/victims-cve-db),
|
|
19
19
|
[Victims CVE Database](https://github.com/victims/victims-cve-db)
|
|
@@ -25,11 +25,9 @@ The sources for this database include
|
|
|
25
25
|
## Installation
|
|
26
26
|
|
|
27
27
|
```sh
|
|
28
|
-
gem install yavdb
|
|
28
|
+
gem install yavdb
|
|
29
29
|
```
|
|
30
30
|
|
|
31
|
-
> Notice the `--pre` in the end
|
|
32
|
-
|
|
33
31
|
## TODO:
|
|
34
32
|
|
|
35
33
|
#### Tests
|
|
@@ -38,7 +36,6 @@ gem install yavdb --pre
|
|
|
38
36
|
- [ ] [Rubysec](lib/yavdb/sources/ruby_advisory.rb)
|
|
39
37
|
- [X] [snyk](lib/yavdb/sources/snyk_io.rb)
|
|
40
38
|
- [ ] [OSSIndex](lib/yavdb/sources/ossindex.rb)
|
|
41
|
-
- [X] [NodeSecurity](lib/yavdb/sources/nodesecurity_io.rb)
|
|
42
39
|
- [ ] [Friends of PHP and Magento Related Security Advisories](lib/yavdb/sources/friends_of_php.rb)
|
|
43
40
|
- [ ] [Victims CVE Database](lib/yavdb/sources/victims.rb)
|
|
44
41
|
* Others
|
data/lib/yavdb/database.rb
CHANGED
|
@@ -60,12 +60,18 @@ module YAVDB
|
|
|
60
60
|
def save_to_file(database_path, vulns)
|
|
61
61
|
vulns.map do |package_manager, vunerabilities_by_pm|
|
|
62
62
|
vunerabilities_by_pm.map do |package, vunerabilities_by_p|
|
|
63
|
+
previous_vulnerabilities = search(database_path, package_manager, package)
|
|
64
|
+
|
|
63
65
|
package_path = package_path(database_path, package_manager, package)
|
|
64
66
|
package_path_directory = File.dirname(package_path)
|
|
65
67
|
FileUtils.mkdir_p(package_path_directory) unless File.exist?(package_path_directory)
|
|
66
68
|
|
|
69
|
+
uniq_vunerabilities_by_p = Hash[previous_vulnerabilities.concat(vunerabilities_by_p).map { |vuln| [vuln.id, vuln] }].values
|
|
70
|
+
|
|
71
|
+
next unless uniq_vunerabilities_by_p.any?
|
|
72
|
+
|
|
67
73
|
File.open(package_path, 'wb') do |file|
|
|
68
|
-
package_vulns_yml_str =
|
|
74
|
+
package_vulns_yml_str = uniq_vunerabilities_by_p
|
|
69
75
|
.sort_by(&:id)
|
|
70
76
|
.map(&:to_map)
|
|
71
77
|
.to_yaml(
|
data/lib/yavdb/dtos/advisory.rb
CHANGED
|
@@ -79,9 +79,9 @@ module YAVDB
|
|
|
79
79
|
def to_map
|
|
80
80
|
map = {}
|
|
81
81
|
members.each do |m|
|
|
82
|
-
next
|
|
83
|
-
|
|
84
|
-
|
|
82
|
+
next if !self[m] ||
|
|
83
|
+
(self[m].is_a?(String) && self[m].empty?) ||
|
|
84
|
+
(self[m].is_a?(Array) && self[m].none?)
|
|
85
85
|
|
|
86
86
|
map[m.to_s] = self[m] if self[m]
|
|
87
87
|
end
|
|
@@ -54,9 +54,15 @@ module YAVDB
|
|
|
54
54
|
info['versions'].join(' ')
|
|
55
55
|
end.flatten
|
|
56
56
|
|
|
57
|
+
cves = [advisory_hash['cve']].reject { |cve| cve == '~' }
|
|
58
|
+
|
|
57
59
|
package_name = advisory_hash['reference'].gsub(%r{composer:\/\/(.*)}, '\1')
|
|
60
|
+
|
|
61
|
+
vuln_id_stamp = (cves && cves[0]) || date
|
|
62
|
+
vuln_id = "friendsofphp:packagist:#{package_name}:#{vuln_id_stamp}"
|
|
63
|
+
|
|
58
64
|
YAVDB::Advisory.new(
|
|
59
|
-
|
|
65
|
+
vuln_id,
|
|
60
66
|
advisory_hash['title'],
|
|
61
67
|
nil, #:description
|
|
62
68
|
package_name,
|
|
@@ -65,7 +71,7 @@ module YAVDB
|
|
|
65
71
|
nil, #:patched_versions
|
|
66
72
|
nil, #:severity
|
|
67
73
|
PACKAGE_MANAGER,
|
|
68
|
-
|
|
74
|
+
cves,
|
|
69
75
|
nil, #:cwe
|
|
70
76
|
nil, #:osvdb
|
|
71
77
|
nil, #:cvss_v2_vector
|
|
@@ -95,8 +95,11 @@ module YAVDB
|
|
|
95
95
|
.reject { |v| v == '-' }
|
|
96
96
|
versions = ['*'] unless versions.any?
|
|
97
97
|
|
|
98
|
+
vuln_id_stamp = (cve && cve[0]) || published_date
|
|
99
|
+
vuln_id = "ossindex:#{package_manager}:#{package_name}:#{vuln_id_stamp}"
|
|
100
|
+
|
|
98
101
|
YAVDB::Advisory.new(
|
|
99
|
-
|
|
102
|
+
vuln_id,
|
|
100
103
|
advisory['title'],
|
|
101
104
|
advisory['description'],
|
|
102
105
|
package_name,
|
|
@@ -54,8 +54,11 @@ module YAVDB
|
|
|
54
54
|
['*']
|
|
55
55
|
end
|
|
56
56
|
|
|
57
|
+
vuln_id_stamp = (cve && cve[0]) || date
|
|
58
|
+
vuln_id = "rubyadvisory:rubygems:#{advisory_hash['gem']}:#{vuln_id_stamp}"
|
|
59
|
+
|
|
57
60
|
YAVDB::Advisory.new(
|
|
58
|
-
|
|
61
|
+
vuln_id,
|
|
59
62
|
advisory_hash['title'],
|
|
60
63
|
advisory_hash['description'],
|
|
61
64
|
advisory_hash['gem'],
|
|
@@ -119,8 +119,13 @@ module YAVDB
|
|
|
119
119
|
published_date
|
|
120
120
|
end
|
|
121
121
|
|
|
122
|
+
vuln_id_stamp = (sidebar_data[:cve] && sidebar_data[:cve][0]) ||
|
|
123
|
+
sidebar_data[:id].split(%r{-|:}).last ||
|
|
124
|
+
disclosed_date
|
|
125
|
+
vuln_id = "snykio:#{package_manager}:#{affected_package}:#{vuln_id_stamp}"
|
|
126
|
+
|
|
122
127
|
YAVDB::Advisory.new(
|
|
123
|
-
|
|
128
|
+
vuln_id,
|
|
124
129
|
title,
|
|
125
130
|
body_data[:description],
|
|
126
131
|
affected_package,
|
|
@@ -157,7 +162,6 @@ module YAVDB
|
|
|
157
162
|
last_elem = description_sections.last
|
|
158
163
|
new_body = last_elem[:body].push(field)
|
|
159
164
|
last_elem[:body] = new_body
|
|
160
|
-
description_sections.push(last_elem)
|
|
161
165
|
end
|
|
162
166
|
end
|
|
163
167
|
|
|
@@ -59,8 +59,11 @@ module YAVDB
|
|
|
59
59
|
|
|
60
60
|
def create(advisory_hash, language, url)
|
|
61
61
|
advisory_hash['affected'].map do |affected_package|
|
|
62
|
+
vuln_id_stamp = advisory_hash['cve'] || 'date'
|
|
63
|
+
vuln_id = "victims:#{language.package_manager}:#{language.name_parser[affected_package]}:#{vuln_id_stamp}"
|
|
64
|
+
|
|
62
65
|
YAVDB::Advisory.new(
|
|
63
|
-
|
|
66
|
+
vuln_id,
|
|
64
67
|
advisory_hash['title'],
|
|
65
68
|
advisory_hash['description'],
|
|
66
69
|
language.name_parser[affected_package],
|
data/lib/yavdb/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: yavdb
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.3.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Rodrigo Fernandes
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2018-10-
|
|
11
|
+
date: 2018-10-21 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|
|
@@ -227,7 +227,6 @@ files:
|
|
|
227
227
|
- lib/yavdb/dtos/advisory.rb
|
|
228
228
|
- lib/yavdb/source_types/git_repo.rb
|
|
229
229
|
- lib/yavdb/sources/friends_of_php.rb
|
|
230
|
-
- lib/yavdb/sources/nodesecurity_io.rb
|
|
231
230
|
- lib/yavdb/sources/ossindex.rb
|
|
232
231
|
- lib/yavdb/sources/ruby_advisory.rb
|
|
233
232
|
- lib/yavdb/sources/snyk_io.rb
|
|
@@ -1,120 +0,0 @@
|
|
|
1
|
-
# yavdb - The Free and Open Source vulnerability database
|
|
2
|
-
# Copyright (C) 2017-present Rodrigo Fernandes
|
|
3
|
-
#
|
|
4
|
-
# This program is free software: you can redistribute it and/or modify
|
|
5
|
-
# it under the terms of the GNU Affero General Public License as
|
|
6
|
-
# published by the Free Software Foundation, either version 3 of the
|
|
7
|
-
# License, or (at your option) any later version.
|
|
8
|
-
#
|
|
9
|
-
# This program is distributed in the hope that it will be useful,
|
|
10
|
-
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
11
|
-
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
12
|
-
# GNU Affero General Public License for more details.
|
|
13
|
-
#
|
|
14
|
-
# You should have received a copy of the GNU Affero General Public License
|
|
15
|
-
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
16
|
-
|
|
17
|
-
require 'oga'
|
|
18
|
-
require 'oga/xml/entities'
|
|
19
|
-
require 'date'
|
|
20
|
-
|
|
21
|
-
require_relative '../dtos/advisory'
|
|
22
|
-
require_relative '../utils/http'
|
|
23
|
-
|
|
24
|
-
module YAVDB
|
|
25
|
-
module Sources
|
|
26
|
-
module NodeSecurityIO
|
|
27
|
-
class Client
|
|
28
|
-
|
|
29
|
-
API_URL = 'https://api.nodesecurity.io/advisories'
|
|
30
|
-
WEBSITE_URL = 'https://nodesecurity.io/advisories'
|
|
31
|
-
|
|
32
|
-
def self.advisories
|
|
33
|
-
fetch_advisories.map do |advisory_hash|
|
|
34
|
-
create(advisory_hash)
|
|
35
|
-
end
|
|
36
|
-
end
|
|
37
|
-
|
|
38
|
-
class << self
|
|
39
|
-
|
|
40
|
-
private
|
|
41
|
-
|
|
42
|
-
def fetch_advisories
|
|
43
|
-
offset = 0
|
|
44
|
-
advisories = []
|
|
45
|
-
|
|
46
|
-
loop do
|
|
47
|
-
nodesecurity = YAVDB::Utils::HTTP.get_page_contents("#{API_URL}?offset=#{offset}", false, 'nodesecurity.io/advisories')
|
|
48
|
-
advisories_json = JSON.parse(nodesecurity.join)
|
|
49
|
-
|
|
50
|
-
advisories_json['count'].positive? ? advisories = advisories.concat(advisories_json['results']) : break
|
|
51
|
-
|
|
52
|
-
offset += advisories_json['count']
|
|
53
|
-
end
|
|
54
|
-
|
|
55
|
-
advisories
|
|
56
|
-
end
|
|
57
|
-
|
|
58
|
-
def create(advisory_hash)
|
|
59
|
-
publish_date = Date.parse(advisory_hash['publish_date'])
|
|
60
|
-
created_at = Date.parse(advisory_hash['created_at'])
|
|
61
|
-
updated_at = Date.parse(advisory_hash['updated_at'])
|
|
62
|
-
|
|
63
|
-
vulnerable_versions =
|
|
64
|
-
if advisory_hash['vulnerable_versions'].nil? || advisory_hash['vulnerable_versions'].empty?
|
|
65
|
-
'*'
|
|
66
|
-
else
|
|
67
|
-
advisory_hash['vulnerable_versions']
|
|
68
|
-
end
|
|
69
|
-
|
|
70
|
-
YAVDB::Advisory.new(
|
|
71
|
-
"nodesecurity:npm:#{advisory_hash['module_name']}:#{publish_date}",
|
|
72
|
-
advisory_hash['title'],
|
|
73
|
-
advisory_hash['overview'],
|
|
74
|
-
advisory_hash['module_name'],
|
|
75
|
-
[vulnerable_versions],
|
|
76
|
-
nil, #:unaffected_versions
|
|
77
|
-
advisory_hash['patched_versions'],
|
|
78
|
-
severity(advisory_hash['cvss_score']),
|
|
79
|
-
'npm',
|
|
80
|
-
advisory_hash['cves'],
|
|
81
|
-
nil, #:cwe
|
|
82
|
-
nil, #:osvdb
|
|
83
|
-
nil, #:cvss_v2_vector
|
|
84
|
-
nil, #:cvss_v2_score
|
|
85
|
-
advisory_hash['cvss_vector'],
|
|
86
|
-
advisory_hash['cvss_score'],
|
|
87
|
-
publish_date,
|
|
88
|
-
created_at,
|
|
89
|
-
updated_at,
|
|
90
|
-
[advisory_hash['author']],
|
|
91
|
-
clean_references(advisory_hash['references']),
|
|
92
|
-
"#{WEBSITE_URL}/#{advisory_hash['id']}"
|
|
93
|
-
)
|
|
94
|
-
end
|
|
95
|
-
|
|
96
|
-
def severity(cvss_score)
|
|
97
|
-
case cvss_score
|
|
98
|
-
when 0.0..3.3 then
|
|
99
|
-
'low'
|
|
100
|
-
when 3.3..6.6 then
|
|
101
|
-
'medium'
|
|
102
|
-
else
|
|
103
|
-
'high'
|
|
104
|
-
end
|
|
105
|
-
end
|
|
106
|
-
|
|
107
|
-
def clean_references(references)
|
|
108
|
-
if references
|
|
109
|
-
[references.gsub(%r{.*?(http.+)}, '\1')]
|
|
110
|
-
else
|
|
111
|
-
[]
|
|
112
|
-
end
|
|
113
|
-
end
|
|
114
|
-
|
|
115
|
-
end
|
|
116
|
-
|
|
117
|
-
end
|
|
118
|
-
end
|
|
119
|
-
end
|
|
120
|
-
end
|