yavdb 0.4.6 → 0.5.0
- checksums.yaml +4 -4
- data/.circleci/config.yml +8 -11
- data/Gemfile.lock +10 -6
- data/README.md +2 -2
- data/lib/yavdb/constants.rb +1 -1
- data/lib/yavdb/sources/rustsec.rb +89 -0
- data/lib/yavdb/version.rb +1 -1
- data/yavdb.gemspec +1 -0
- metadata +17 -3
- data/lib/yavdb/sources/ossindex.rb +0 -140
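--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: '098100217162c420c325d890510998f31dd80f1f'
+data.tar.gz: cb80e815cc5360812cfe708990fe49e739799828
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: '06800098df9eed75b94e2b6206e598c19b177194a2cdffc6a7c2aeaab3f1848ece390afeb6c93c168f3b789d5eb4ccaea4ed9731f4d85192d80c34b8957724d7'
+data.tar.gz: f38a8088c2b9832b4fb8fe5b616318a0e4b3111f000fd046627657441f7495a7a75ef14b7e9c525a82dac437368fae8953bc9df75dc8e41161e3d19d2338b00c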
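--- a/data/.circleci/config.yml
+++ b/data/.circleci/config.yml
@@ -8,10 +8,6 @@ jobs:
 steps:
 - checkout
 
-- name: Install Bundler Version
-type: shell
-command: gem install bundler -v 1.16
-
 - name: Prepare yavdb cache
 type: shell
 command: echo "$(date)" > /tmp/yavdb.cache.log
@@ -19,22 +15,23 @@ jobs:
 - name: Restore gem cache
 type: cache-restore
 keys:
--
-- 2-gem-yavdb-
+- gem-cache-1-{{ checksum "Gemfile.lock" }}
 
 - name: Restore yavdb cache
 type: cache-restore
 keys:
--
--
+- 2-crawler-yavdb-cache-{{ checksum "/tmp/yavdb.cache.log" }}
+- 2-crawler-yavdb-cache
 
 - name: Bundle Install
 type: shell
-command:
+command: |
+sudo gem update --system
+bundle install --path /tmp/vendor/bundle
 
 - name: Save bundler cache
 type: cache-save
-key:
+key: gem-cache-1-{{ checksum "Gemfile.lock" }}
 paths:
 - /tmp/vendor/bundle
 
@@ -48,7 +45,7 @@ jobs:
 
 - name: Save yavdb cache
 type: cache-save
-key:
+key: 2-crawler-yavdb-cache-{{ checksum "/tmp/yavdb.cache.log" }}
 paths:
 - ~/.yavdb/cache
 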
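Review bot: `sudo gem update --system` in the new multi-line Bundle Install command is unpinned, so every CI run upgrades RubyGems to whatever rubygems.org serves at that moment, which makes builds non-reproducible and adds an uncontrolled supply-chain input right before `bundle install --path /tmp/vendor/bundle` runs. Pin it to a known release, `sudo gem update --system <RUBYGEMS_VERSION>` (placeholder for the version the project has tested), and add a comment saying why a system-wide RubyGems upgrade is needed at all now that the `gem install bundler -v 1.16` step was removed. The fallback restore key `2-crawler-yavdb-cache` without the checksum suffix will reuse whichever crawler cache was saved most recently regardless of date; that is presumably intended as a warm start, but a one-line comment on the key would make it explicit.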
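--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -1,7 +1,7 @@
 PATH
 remote: .
 specs:
-yavdb (0.
+yavdb (0.5.0)
 execjs (~> 2.7.0)
 json (~> 2.1)
 kramdown (~> 1.17)
@@ -9,12 +9,14 @@ PATH
 semantic_interval (~> 0.1)
 therubyracer (~> 0.12)
 thor (~> 0.20)
+toml-rb (~> 1.1)
 
 GEM
 remote: https://rubygems.org/
 specs:
 ansi (1.5.0)
 ast (2.4.0)
+citrus (3.0.2)
 codacy-coverage (2.1.0)
 simplecov
 diff-lcs (1.3)
@@ -27,8 +29,8 @@ GEM
 oga (2.15)
 ast
 ruby-ll (~> 2.1)
-parallel (1.
-parser (2.
+parallel (1.13.0)
+parser (2.6.0.0)
 ast (~> 2.4.0)
 powerpack (0.1.2)
 rainbow (3.0.0)
@@ -49,7 +51,7 @@ GEM
 rspec-support (3.8.0)
 rspec_junit_formatter (0.4.1)
 rspec-core (>= 2, < 4, != 2.12.0)
-rubocop (0.
+rubocop (0.64.0)
 jaro_winkler (~> 1.5.1)
 parallel (~> 1.10)
 parser (>= 2.5, != 2.5.1.1)
@@ -57,7 +59,7 @@ GEM
 rainbow (>= 2.2.2, < 4.0)
 ruby-progressbar (~> 1.7)
 unicode-display_width (~> 1.4.0)
-rubocop-rspec (1.
+rubocop-rspec (1.32.0)
 rubocop (>= 0.60.0)
 ruby-ll (2.1.2)
 ansi
@@ -73,6 +75,8 @@ GEM
 libv8 (~> 3.16.14.15)
 ref
 thor (0.20.3)
+toml-rb (1.1.2)
+citrus (~> 3.0, > 3.0)
 unicode-display_width (1.4.1)
 
 PLATFORMS
@@ -89,4 +93,4 @@ DEPENDENCIES
 yavdb!
 
 BUNDLED WITH
-1.
+1.17.3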
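--- a/data/README.md
+++ b/data/README.md
@@ -12,10 +12,10 @@ developers identify and fix know vulnerabilities in their apps.
 The sources for this database include
 [Rubysec](https://rubysec.com/),
 [snyk](https://snyk.io/),
-[OSSIndex (deprecated)](https://ossindex.net/),
 [Friends of PHP](https://github.com/FriendsOfPHP/security-advisories),
 [Magento Related Security Advisories](https://github.com/victims/victims-cve-db),
-[Victims CVE Database](https://github.com/victims/victims-cve-db)
+[Victims CVE Database](https://github.com/victims/victims-cve-db),
+[RustSec](https://github.com/RustSec/advisory-db)
 
 ## Prerequisites
 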
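--- a/data/lib/yavdb/constants.rb
+++ b/data/lib/yavdb/constants.rb
@@ -28,7 +28,7 @@ module YAVDB
 DEFAULT_YAVDB_DATABASE_PATH = File.expand_path(File.join(DEFAULT_YAVDB_PATH, 'database')).freeze
 DEFAULT_CACHE_PATH = File.expand_path(File.join(ENV['HOME'], '.yavdb', 'cache')).freeze
 
-POSSIBLE_PACKAGE_MANAGERS = ['npm', 'rubygems', 'maven', 'nuget', 'packagist', 'pypi', 'go'].freeze
+POSSIBLE_PACKAGE_MANAGERS = ['npm', 'rubygems', 'maven', 'nuget', 'packagist', 'pypi', 'go', 'cargo'].freeze
 
 SEVERITIES = ['low', 'medium', 'high'].freeze
 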
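--- /dev/null
+++ b/data/lib/yavdb/sources/rustsec.rb
@@ -0,0 +1,89 @@
+# yavdb - The Free and Open Source vulnerability database
+# Copyright (C) 2017-present Rodrigo Fernandes
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+require 'date'
+require 'toml-rb'
+
+require_relative '../dtos/advisory'
+require_relative '../source_types/git_repo'
+
+module YAVDB
+module Sources
+module RustSec
+class Client
+
+REPOSITORY_URL = 'https://github.com/RustSec/advisory-db'.freeze
+PACKAGE_MANAGER = 'cargo'.freeze
+
+def self.advisories
+YAVDB::SourceTypes::GitRepo.search('crates/**/*.toml', REPOSITORY_URL).map do |repo_path, file_paths|
+Dir.chdir(repo_path) do
+file_paths.map do |file_path|
+advisory_hash = TomlRB.load_file(file_path)
+create(advisory_hash['advisory'])
+end
+end
+end.flatten
+end
+
+class << self
+
+private
+
+def create(advisory_hash)
+date = Date.strptime(advisory_hash['date'].to_s, '%Y-%m-%d')
+severity = 'high' # since no value is provided will use highest
+cve = advisory_hash['aliases']&.select { |a| a.start_with?('CVE') }
+references = advisory_hash['url'] && [advisory_hash['url']]
+
+vuln_id = "rustsec:cargo:#{advisory_hash['package']}:#{advisory_hash['id']}"
+
+YAVDB::Advisory.new(
+vuln_id,
+advisory_hash['title'],
+advisory_hash['description'],
+advisory_hash['package'],
+nil,
+advisory_hash['unaffected_versions'],
+advisory_hash['patched_versions'],
+severity,
+PACKAGE_MANAGER,
+cve,
+nil, #:cwe
+nil,
+nil, #:cvss_v2_vector
+nil,
+nil, #:cvss_v3_vector
+nil,
+date,
+date,
+date,
+['RustSec'],
+references,
+generate_url(advisory_hash)
+)
+end
+
+def generate_url(advisory_hash)
+"#{REPOSITORY_URL}/blob/master/crates/#{advisory_hash['package']}/#{advisory_hash['id']}.toml"
+end
+
+end
+
+end
+end
+end
+end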
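Review bot: One malformed advisory file aborts the whole RustSec import, because `create(advisory_hash['advisory'])` in `self.advisories` and `Date.strptime(advisory_hash['date'].to_s, '%Y-%m-%d')` in `create` assume the `[advisory]` table and a well-formed `date` are always present; a file without that table raises NoMethodError on nil, a bad date raises ArgumentError, and nothing rescues either, so every other cargo advisory is dropped from the database along with the bad one. Skip such files explicitly, `advisory = TomlRB.load_file(file_path)['advisory']` / `advisory ? create(advisory) : nil` with `end.flatten.compact`, or at least rescue per file and log the path. Separately, `cve` is nil whenever `aliases` is absent, whereas the removed OSSIndex source always passed an array, so `cve = Array(advisory_hash['aliases']).select { |a| a.start_with?('CVE') }` keeps the DTO shape consistent across sources for whatever consumes it. The hard-coded `severity = 'high'` deserves a fuller comment, e.g. `# RustSec advisories carry no severity; report the maximum so nothing is silently filtered out as low`, since anything ranking by SEVERITIES will treat every cargo advisory as high.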
data/lib/yavdb/version.rb
CHANGED
data/yavdb.gemspec
CHANGED
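--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: yavdb
 version: !ruby/object:Gem::Version
-version: 0.
+version: 0.5.0
 platform: ruby
 authors:
 - Rodrigo Fernandes
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-
+date: 2019-02-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: codacy-coverage
@@ -206,6 +206,20 @@ dependencies:
 - - "~>"
 - !ruby/object:Gem::Version
 version: '0.20'
+- !ruby/object:Gem::Dependency
+name: toml-rb
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.1'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.1'
 description: "\n Yet Another Vulnerability Database\n The Free and Open Source
 vulnerability database.\n "
 email:
@@ -242,8 +256,8 @@ files:
 - lib/yavdb/source_types/git_repo.rb
 - lib/yavdb/sources/friends_of_php.rb
 - lib/yavdb/sources/npmjs.rb
-- lib/yavdb/sources/ossindex.rb
 - lib/yavdb/sources/ruby_advisory.rb
+- lib/yavdb/sources/rustsec.rb
 - lib/yavdb/sources/snyk_io.rb
 - lib/yavdb/sources/victims.rb
 - lib/yavdb/utils/cache.rb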
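--- a/data/lib/yavdb/sources/ossindex.rb
+++ /dev/null
@@ -1,140 +0,0 @@
-# yavdb - The Free and Open Source vulnerability database
-# Copyright (C) 2017-present Rodrigo Fernandes
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as
-# published by the Free Software Foundation, either version 3 of the
-# License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU Affero General Public License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-require 'oga'
-require 'oga/xml/entities'
-
-require_relative '../dtos/advisory'
-require_relative '../utils/http'
-
-module YAVDB
-module Sources
-module OSSIndex
-class Client
-
-API_URL = 'https://ossindex.net'
-PACKAGE_MANAGERS = ['npm', 'maven', 'composer', 'nuget', 'rubygems', 'pypi']
-PACKAGE_MANAGER_ALIAS = Hash['composer' => 'packagist']
-
-def self.advisories
-PACKAGE_MANAGERS.map do |package_manager|
-packages = fetch_packages(package_manager)
-parse_vulnerabilities(package_manager, packages)
-end.flatten
-end
-
-class << self
-
-private
-
-def fetch_packages(package_manager)
-next_url = start_url(package_manager)
-packages = []
-
-while next_url
-ossindex = YAVDB::Utils::HTTP.get_page_contents(next_url, true, 'ossindex/advisories')
-ossindex_json = JSON.parse(ossindex.join)
-page_packages = ossindex_json['packages']
-
-packages.concat(page_packages)
-
-next_url = ossindex_json['next']
-end
-
-packages
-end
-
-def parse_vulnerabilities(package_manager, packages)
-packages
-.map do |package|
-package['vulnerabilities'].map do |advisory|
-create(package_manager, package, advisory)
-end
-end.flatten
-end
-
-def create(package_manager, package, advisory)
-published_date = Date.strptime((advisory['published'] / 1000).to_s, '%s')
-updated_date = Date.strptime((advisory['updated'] / 1000).to_s, '%s')
-
-cve = if advisory['cve']
-[advisory['cve']].map(&:strip).reject(&:empty?)
-else
-[]
-end
-
-package_manager = PACKAGE_MANAGER_ALIAS[package_manager] || package_manager
-
-package_name =
-if package_manager == 'maven'
-"#{package['group']}:#{package['name']}"
-elsif package_manager == 'packagist'
-"#{package['group']}/#{package['name']}"
-else
-package['name']
-end
-
-versions = advisory['versions']
-.map { |v| v.split('||') }
-.flatten
-.map(&:strip)
-.reject(&:empty?)
-.reject { |v| v == '-' }
-.map { |version| version.gsub("''", '') }
-versions = ['*'] unless versions.any?
-
-vuln_id = "ossindex:#{package_manager}:#{package_name}:#{advisory['id']}"
-
-YAVDB::Advisory.new(
-vuln_id,
-advisory['title'],
-advisory['description'],
-package_name,
-versions,
-nil, #:unaffected_versions
-nil, #:patched_versions
-nil, #:severity
-package_manager,
-cve,
-nil, #:cwe
-nil, #:osvdb
-nil, #:cvss_v2_vector
-nil, #:cvss_v2_score
-nil, #:cvss_v3_vector
-nil, #:cvss_v3_score
-published_date,
-published_date,
-updated_date,
-['OSSIndex'],
-advisory['references'],
-website_url(package['id'])
-)
-end
-
-def start_url(package_manager)
-"#{API_URL}/v2.0/vulnerability/pm/#{package_manager}/fromtill/0/-1"
-end
-
-def website_url(id)
-"#{API_URL}/resource/package/#{id}/vulnerabilities"
-end
-
-end
-
-end
-end
-end
-end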