yavdb 0.2.1 → 0.3.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 9cb5bd2ebaf5e3a0511328aa22b474bb22b9ce22
4
- data.tar.gz: dea395b8c916a9b8d83560df597b03bcbb92bf8b
3
+ metadata.gz: f1f0cdfd79936efa10947a4b983c295f7059d930
4
+ data.tar.gz: 2ba6d7e40d9cb9d56249ff767ec5156520a610ae
5
5
  SHA512:
6
- metadata.gz: 28e19a9021b471964697a9b2e4a9733c6dc05d2301e3fb0380fcd88853568568cdfde0395cf8f896b1e57f54b6bc040c2059a64dd1965bf64d84609a66caffc0
7
- data.tar.gz: ff70031ab40e5492833fe28eb6dc72b03a69ef5aa0dc0ddab4c474d45750b693c3a821e523938a8d6b3ad8ab604e291353f7a4e6e88e8266fc61506dfcbaff51
6
+ metadata.gz: d29009672be459fc5c40701735d46f8460ccb3fad87169ecb1937a0858d6028cb008b8b2c4b1097758a418ea70c93ef959d0391f8e36cd729374b21afbdda3b7
7
+ data.tar.gz: ff5295068f3530f150004146154df3583bcce4a412d083181520b43a9b4e8d7401af7c330f4df6a85d325dc8cf0d47423d121de60949132ee8f9e805eb7c4fa4
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- yavdb (0.2.1)
4
+ yavdb (0.3.0)
5
5
  json (~> 2.1)
6
6
  kramdown (~> 1.17)
7
7
  oga (~> 2.15)
@@ -82,4 +82,4 @@ DEPENDENCIES
82
82
  yavdb!
83
83
 
84
84
  BUNDLED WITH
85
- 1.16.3
85
+ 1.16.6
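--- a/data/README.md
+++ b/data/README.md
@@ -12,8 +12,8 @@ developers identify and fix know vulnerabilities in their apps.
 The sources for this database include
 [Rubysec](https://rubysec.com/),
 [snyk](https://snyk.io/),
-[OSSIndex](https://ossindex.net/),
-[NodeSecurity](https://nodesecurity.io/),
+[OSSIndex (deprecated)](https://ossindex.net/),
+[NodeSecurity (deprecated)](https://nodesecurity.io/),
 [Friends of PHP](https://github.com/FriendsOfPHP/security-advisories),
 [Magento Related Security Advisories](https://github.com/victims/victims-cve-db),
 [Victims CVE Database](https://github.com/victims/victims-cve-db)
@@ -25,11 +25,9 @@ The sources for this database include
 ## Installation
 
 ```sh
-gem install yavdb --pre
+gem install yavdb
 ```
 
-> Notice the `--pre` in the end
-
 ## TODO:
 
 #### Tests
@@ -38,7 +36,6 @@ gem install yavdb --pre
 - [ ] [Rubysec](lib/yavdb/sources/ruby_advisory.rb)
 - [X] [snyk](lib/yavdb/sources/snyk_io.rb)
 - [ ] [OSSIndex](lib/yavdb/sources/ossindex.rb)
-- [X] [NodeSecurity](lib/yavdb/sources/nodesecurity_io.rb)
 - [ ] [Friends of PHP and Magento Related Security Advisories](lib/yavdb/sources/friends_of_php.rb)
 - [ ] [Victims CVE Database](lib/yavdb/sources/victims.rb)
 * Others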
@@ -60,12 +60,18 @@ module YAVDB
60
60
  def save_to_file(database_path, vulns)
61
61
  vulns.map do |package_manager, vunerabilities_by_pm|
62
62
  vunerabilities_by_pm.map do |package, vunerabilities_by_p|
63
+ previous_vulnerabilities = search(database_path, package_manager, package)
64
+
63
65
  package_path = package_path(database_path, package_manager, package)
64
66
  package_path_directory = File.dirname(package_path)
65
67
  FileUtils.mkdir_p(package_path_directory) unless File.exist?(package_path_directory)
66
68
 
69
+ uniq_vunerabilities_by_p = Hash[previous_vulnerabilities.concat(vunerabilities_by_p).map { |vuln| [vuln.id, vuln] }].values
70
+
71
+ next unless uniq_vunerabilities_by_p.any?
72
+
67
73
  File.open(package_path, 'wb') do |file|
68
- package_vulns_yml_str = vunerabilities_by_p
74
+ package_vulns_yml_str = uniq_vunerabilities_by_p
69
75
  .sort_by(&:id)
70
76
  .map(&:to_map)
71
77
  .to_yaml(
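Review bot: The merge on the new side keys on `vuln.id`, and this same release changes the id suffix of every source from a date to the CVE (the friendsofphp, ossindex, rubyadvisory, snykio and victims hunks below), so a record written by 0.2.1 under the old id will not match its re-keyed counterpart returned by `search` and both will be kept — the per-package files will carry duplicates after upgrade unless something outside this hunk migrates the old ids. The same merge also means an advisory withdrawn upstream is never dropped from the file, which may be intended but deserves a comment on the `previous_vulnerabilities` line. Separately, `previous_vulnerabilities.concat(...)` mutates whatever array `search` returns (its definition is outside the hunk), and `Hash[...]` is the legacy spelling; `uniq_vunerabilities_by_p = (previous_vulnerabilities + vunerabilities_by_p).map { |vuln| [vuln.id, vuln] }.to_h.values` keeps the last-wins semantics without the mutation. save_to_file continues past the end of the hunk.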
@@ -79,9 +79,9 @@ module YAVDB
79
79
  def to_map
80
80
  map = {}
81
81
  members.each do |m|
82
- next unless self[m] && (
83
- (self[m].is_a?(String) && !self[m].empty?) ||
84
- (self[m].is_a?(Array) && self[m].any?))
82
+ next if !self[m] ||
83
+ (self[m].is_a?(String) && self[m].empty?) ||
84
+ (self[m].is_a?(Array) && self[m].none?)
85
85
 
86
86
  map[m.to_s] = self[m] if self[m]
87
87
  end
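Review bot: The rewritten guard changes which members are emitted: the old condition kept only non-empty Strings and Arrays, while the new one also lets any other truthy value (dates, numeric scores) through, which looks like the intent but is a behaviour change worth a one-line comment above the `next if`, e.g. `# skip nil/false, empty strings and empty arrays; every other value is emitted`. The trailing `if self[m]` on the `map[m.to_s] = ...` line is now redundant, since the `next if !self[m]` clause already handles that case. `self[m]` is also evaluated five times per member; binding `value = self[m]` at the top of the block, testing `value` in the guard and writing `map[m.to_s] = value` reads better and does the same work once. The enclosing `to_map` ends outside the hunk.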
@@ -54,9 +54,15 @@ module YAVDB
54
54
  info['versions'].join(' ')
55
55
  end.flatten
56
56
 
57
+ cves = [advisory_hash['cve']].reject { |cve| cve == '~' }
58
+
57
59
  package_name = advisory_hash['reference'].gsub(%r{composer:\/\/(.*)}, '\1')
60
+
61
+ vuln_id_stamp = (cves && cves[0]) || date
62
+ vuln_id = "friendsofphp:packagist:#{package_name}:#{vuln_id_stamp}"
63
+
58
64
  YAVDB::Advisory.new(
59
- "friendsofphp:packagist:#{package_name}:#{date}",
65
+ vuln_id,
60
66
  advisory_hash['title'],
61
67
  nil, #:description
62
68
  package_name,
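Review bot: `cves` is always an Array here, so the `cves &&` in `vuln_id_stamp = (cves && cves[0]) || date` is dead; `cves.first || date` says the same thing. When `advisory_hash['cve']` is absent the array is `[nil]`, which the `'~'` reject does not remove, so a nil element is still handed to `Advisory.new` as the CVE list in the next hunk; `cves = [advisory_hash['cve']].compact.reject { |cve| cve == '~' }` fixes both. Keying the id on the CVE instead of the date also means two advisories for the same package that cite the same CVE now share an id, and the id-keyed merge in save_to_file will keep only one of them — the same applies to the ossindex, rubyadvisory, snykio and victims hunks; whether the upstream feeds ever do that is not visible here. The enclosing method starts before this hunk.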
@@ -65,7 +71,7 @@ module YAVDB
65
71
  nil, #:patched_versions
66
72
  nil, #:severity
67
73
  PACKAGE_MANAGER,
68
- [advisory_hash['cve']].reject { |cve| cve == '~' },
74
+ cves,
69
75
  nil, #:cwe
70
76
  nil, #:osvdb
71
77
  nil, #:cvss_v2_vector
@@ -95,8 +95,11 @@ module YAVDB
95
95
  .reject { |v| v == '-' }
96
96
  versions = ['*'] unless versions.any?
97
97
 
98
+ vuln_id_stamp = (cve && cve[0]) || published_date
99
+ vuln_id = "ossindex:#{package_manager}:#{package_name}:#{vuln_id_stamp}"
100
+
98
101
  YAVDB::Advisory.new(
99
- "ossindex:#{package_manager}:#{package_name}:#{published_date}",
102
+ vuln_id,
100
103
  advisory['title'],
101
104
  advisory['description'],
102
105
  package_name,
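Review bot: `cve` is defined above this hunk, so whether it can be nil is not visible; if it is always an Array the `cve &&` guard in `vuln_id_stamp = (cve && cve[0]) || published_date` is dead, and if it can be nil the safe-navigation form `cve&.first || published_date` states that intent directly. The same applies to the `(cve && cve[0]) || date` line in the rubyadvisory hunk. The enclosing method starts before this hunk.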
@@ -54,8 +54,11 @@ module YAVDB
54
54
  ['*']
55
55
  end
56
56
 
57
+ vuln_id_stamp = (cve && cve[0]) || date
58
+ vuln_id = "rubyadvisory:rubygems:#{advisory_hash['gem']}:#{vuln_id_stamp}"
59
+
57
60
  YAVDB::Advisory.new(
58
- "rubyadvisory:rubygems:#{advisory_hash['gem']}:#{date}",
61
+ vuln_id,
59
62
  advisory_hash['title'],
60
63
  advisory_hash['description'],
61
64
  advisory_hash['gem'],
@@ -119,8 +119,13 @@ module YAVDB
119
119
  published_date
120
120
  end
121
121
 
122
+ vuln_id_stamp = (sidebar_data[:cve] && sidebar_data[:cve][0]) ||
123
+ sidebar_data[:id].split(%r{-|:}).last ||
124
+ disclosed_date
125
+ vuln_id = "snykio:#{package_manager}:#{affected_package}:#{vuln_id_stamp}"
126
+
122
127
  YAVDB::Advisory.new(
123
- "snykio:#{package_manager}:#{affected_package}:#{disclosed_date}",
128
+ vuln_id,
124
129
  title,
125
130
  body_data[:description],
126
131
  affected_package,
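Review bot: `sidebar_data[:id].split(%r{-|:}).last` raises NoMethodError when `sidebar_data[:id]` is nil, and when it is a String the `.last` is nil only for an empty or delimiter-only string, so the `disclosed_date` fallback on the next line is effectively unreachable; `sidebar_data[:id]&.split(/[-:]/)&.last ||` makes the nil case fall through as the chain suggests. The id tail is presumably the numeric part of the Snyk identifier, which would be stable across re-crawls — a short comment saying so above `vuln_id_stamp` would help, since a reader sees three different kinds of value feeding one id. The enclosing method starts before this hunk.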
@@ -157,7 +162,6 @@ module YAVDB
157
162
  last_elem = description_sections.last
158
163
  new_body = last_elem[:body].push(field)
159
164
  last_elem[:body] = new_body
160
- description_sections.push(last_elem)
161
165
  end
162
166
  end
163
167
 
@@ -59,8 +59,11 @@ module YAVDB
59
59
 
60
60
  def create(advisory_hash, language, url)
61
61
  advisory_hash['affected'].map do |affected_package|
62
+ vuln_id_stamp = advisory_hash['cve'] || 'date'
63
+ vuln_id = "victims:#{language.package_manager}:#{language.name_parser[affected_package]}:#{vuln_id_stamp}"
64
+
62
65
  YAVDB::Advisory.new(
63
- "victims:#{language.package_manager}:#{language.name_parser[affected_package]}:date",
66
+ vuln_id,
64
67
  advisory_hash['title'],
65
68
  advisory_hash['description'],
66
69
  language.name_parser[affected_package],
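Review bot: The fallback in `vuln_id_stamp = advisory_hash['cve'] || 'date'` is the literal string `'date'`, not a date, so every advisory for a package that lacks a `cve` field gets the identical id `victims:<pm>:<package>:date`, and the id-keyed merge in save_to_file will keep only one of them; the old code had the same literal, but now that the id is the dedupe key this silently drops records. If a published date is available in `advisory_hash` (the method is cut at the bottom of the hunk, so I cannot see), it belongs here instead of the literal. Unlike the other sources this hunk interpolates `advisory_hash['cve']` directly rather than taking a first element; if that field can be an Array, the id would contain its inspect form, so `Array(advisory_hash['cve']).first` would be the safer spelling. `language.name_parser[affected_package]` is also computed twice in the block; bind it once.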
@@ -16,6 +16,6 @@
16
16
 
17
17
  module YAVDB
18
18
 
19
- VERSION = '0.2.1'
19
+ VERSION = '0.3.0'
20
20
 
21
21
  end
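--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: yavdb
 version: !ruby/object:Gem::Version
-version: 0.2.1
+version: 0.3.0
 platform: ruby
 authors:
 - Rodrigo Fernandes
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-10-17 00:00:00.000000000 Z
+date: 2018-10-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bundler
@@ -227,7 +227,6 @@ files:
 - lib/yavdb/dtos/advisory.rb
 - lib/yavdb/source_types/git_repo.rb
 - lib/yavdb/sources/friends_of_php.rb
-- lib/yavdb/sources/nodesecurity_io.rb
 - lib/yavdb/sources/ossindex.rb
 - lib/yavdb/sources/ruby_advisory.rb
 - lib/yavdb/sources/snyk_io.rb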
@@ -1,120 +0,0 @@
1
- # yavdb - The Free and Open Source vulnerability database
2
- # Copyright (C) 2017-present Rodrigo Fernandes
3
- #
4
- # This program is free software: you can redistribute it and/or modify
5
- # it under the terms of the GNU Affero General Public License as
6
- # published by the Free Software Foundation, either version 3 of the
7
- # License, or (at your option) any later version.
8
- #
9
- # This program is distributed in the hope that it will be useful,
10
- # but WITHOUT ANY WARRANTY; without even the implied warranty of
11
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12
- # GNU Affero General Public License for more details.
13
- #
14
- # You should have received a copy of the GNU Affero General Public License
15
- # along with this program. If not, see <http://www.gnu.org/licenses/>.
16
-
17
- require 'oga'
18
- require 'oga/xml/entities'
19
- require 'date'
20
-
21
- require_relative '../dtos/advisory'
22
- require_relative '../utils/http'
23
-
24
- module YAVDB
25
- module Sources
26
- module NodeSecurityIO
27
- class Client
28
-
29
- API_URL = 'https://api.nodesecurity.io/advisories'
30
- WEBSITE_URL = 'https://nodesecurity.io/advisories'
31
-
32
- def self.advisories
33
- fetch_advisories.map do |advisory_hash|
34
- create(advisory_hash)
35
- end
36
- end
37
-
38
- class << self
39
-
40
- private
41
-
42
- def fetch_advisories
43
- offset = 0
44
- advisories = []
45
-
46
- loop do
47
- nodesecurity = YAVDB::Utils::HTTP.get_page_contents("#{API_URL}?offset=#{offset}", false, 'nodesecurity.io/advisories')
48
- advisories_json = JSON.parse(nodesecurity.join)
49
-
50
- advisories_json['count'].positive? ? advisories = advisories.concat(advisories_json['results']) : break
51
-
52
- offset += advisories_json['count']
53
- end
54
-
55
- advisories
56
- end
57
-
58
- def create(advisory_hash)
59
- publish_date = Date.parse(advisory_hash['publish_date'])
60
- created_at = Date.parse(advisory_hash['created_at'])
61
- updated_at = Date.parse(advisory_hash['updated_at'])
62
-
63
- vulnerable_versions =
64
- if advisory_hash['vulnerable_versions'].nil? || advisory_hash['vulnerable_versions'].empty?
65
- '*'
66
- else
67
- advisory_hash['vulnerable_versions']
68
- end
69
-
70
- YAVDB::Advisory.new(
71
- "nodesecurity:npm:#{advisory_hash['module_name']}:#{publish_date}",
72
- advisory_hash['title'],
73
- advisory_hash['overview'],
74
- advisory_hash['module_name'],
75
- [vulnerable_versions],
76
- nil, #:unaffected_versions
77
- advisory_hash['patched_versions'],
78
- severity(advisory_hash['cvss_score']),
79
- 'npm',
80
- advisory_hash['cves'],
81
- nil, #:cwe
82
- nil, #:osvdb
83
- nil, #:cvss_v2_vector
84
- nil, #:cvss_v2_score
85
- advisory_hash['cvss_vector'],
86
- advisory_hash['cvss_score'],
87
- publish_date,
88
- created_at,
89
- updated_at,
90
- [advisory_hash['author']],
91
- clean_references(advisory_hash['references']),
92
- "#{WEBSITE_URL}/#{advisory_hash['id']}"
93
- )
94
- end
95
-
96
- def severity(cvss_score)
97
- case cvss_score
98
- when 0.0..3.3 then
99
- 'low'
100
- when 3.3..6.6 then
101
- 'medium'
102
- else
103
- 'high'
104
- end
105
- end
106
-
107
- def clean_references(references)
108
- if references
109
- [references.gsub(%r{.*?(http.+)}, '\1')]
110
- else
111
- []
112
- end
113
- end
114
-
115
- end
116
-
117
- end
118
- end
119
- end
120
- end