Skip to content

Commit ca8a6b3

Browse files
authored
Merge branch 'main' into disable_v1_api_ui_pipelines
2 parents d4ac472 + 8523bdf commit ca8a6b3

10 files changed

Lines changed: 194 additions & 5 deletions

File tree

requirements-dev.txt

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,4 @@
1+
aboutcode.federated==1.0.3
12
aboutcode.pipeline==0.1.0
23
alabaster==0.7.16
34
altcha==1.0.0

requirements.txt

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,4 @@
1+
aboutcode.federated==1.0.3
12
aboutcode.pipeline==0.1.0
23
altcha==1.0.0
34
asgiref==3.8.1
Lines changed: 41 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,41 @@
1+
# Generated by Django 5.2.11 on 2026-06-30 08:15
2+
3+
from django.db import migrations
4+
from django.db.models import Value
5+
from django.db.models.functions import Concat
6+
7+
8+
class Migration(migrations.Migration):
9+
10+
dependencies = [
11+
("vulnerabilities", "0137_alter_pipelineschedule_run_interval"),
12+
]
13+
14+
def fix_malformed_cvss_severity(apps, schema_editor):
15+
AdvisorySeverity = apps.get_model("vulnerabilities", "AdvisorySeverity")
16+
17+
AdvisorySeverity.objects.filter(
18+
scoring_system="cvssv3.1",
19+
scoring_elements__startswith="CVSS:3.0/",
20+
).update(scoring_system="cvssv3")
21+
22+
AdvisorySeverity.objects.filter(
23+
scoring_system="cvssv3",
24+
scoring_elements__isnull=False,
25+
).exclude(
26+
scoring_elements="",
27+
).exclude(
28+
scoring_elements__startswith="CVSS:3.0/",
29+
).update(
30+
scoring_elements=Concat(
31+
Value("CVSS:3.0/"),
32+
"scoring_elements",
33+
)
34+
)
35+
36+
operations = [
37+
migrations.RunPython(
38+
fix_malformed_cvss_severity,
39+
reverse_code=migrations.RunPython.noop,
40+
),
41+
]

vulnerabilities/pipelines/v2_importers/mozilla_importer.py

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -46,6 +46,7 @@ class MozillaImporterPipeline(VulnerableCodeBaseImporterPipelineV2):
4646
spdx_license_expression = "MPL-2.0"
4747
license_url = "https://github.com/mozilla/foundation-security-advisories/blob/master/LICENSE"
4848

49+
exclude_from_package_todo = True
4950
precedence = 200
5051

5152
@classmethod

vulnerabilities/pipelines/v2_importers/postgresql_importer.py

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,6 @@
1414
from bs4 import BeautifulSoup
1515
from packageurl import PackageURL
1616
from univers.version_range import GenericVersionRange
17-
from univers.versions import GenericVersion
1817

1918
from vulnerabilities import severity_systems
2019
from vulnerabilities.importer import AdvisoryDataV2
@@ -122,9 +121,13 @@ def to_advisories(self, data, url):
122121
if link.startswith("/"):
123122
link = urlparse.urljoin("https://www.postgresql.org/", link)
124123
if "support/security/CVE" in link and vector_link_tag:
124+
if "v3-calculator" not in vector_link_tag["href"]:
125+
continue
126+
125127
parsed_link = urlparse.urlparse(vector_link_tag["href"])
126128
cvss3_vector = urlparse.parse_qs(parsed_link.query).get("vector", [""])[0]
127129
cvss3_base_score = vector_link_tag.text
130+
cvss3_vector = "CVSS:3.0/" + cvss3_vector.removeprefix("CVSS:3.0/")
128131
severities.append(
129132
VulnerabilitySeverity(
130133
system=severity_systems.CVSSV3,

vulnerabilities/pipes/osv_v2.py

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -269,9 +269,11 @@ def get_severities(raw_data, url) -> Iterable[VulnerabilitySeverity]:
269269
continue
270270

271271
severity_type = OSV_TO_VCIO_SEVERITY_MAP.get(severity_type, severity_type)
272-
system = SCORING_SYSTEMS[severity_type]
272+
if value.lower().startswith("cvss:3.0/"):
273+
severity_type = "cvssv3"
273274

274-
if severity_type in ["cvssv3.1", "cvssv4"]:
275+
system = SCORING_SYSTEMS[severity_type]
276+
if severity_type in ["cvssv3", "cvssv3.1", "cvssv4"]:
275277
scoring_element = value
276278
valid_vector = value[:-1] if value and value.endswith("/") else value
277279
value = system.compute(valid_vector)

vulnerabilities/tests/pipelines/v2_importers/test_postgresql_importer_v2.py

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -38,7 +38,7 @@
3838
</td>
3939
<td>10.0, 10.1</td>
4040
<td>10.2</td>
41-
<td><a href="/vector?vector=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H">9.8</a></td>
41+
<td><a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H">9.8</a></td>
4242
<td>Description of the issue</td>
4343
</tr>
4444
</tbody>
@@ -113,7 +113,7 @@ def test_cvss_parsing(mock_get, importer):
113113
severity = advisories[0].severities[0]
114114
assert severity.system.identifier == "cvssv3"
115115
assert severity.value == "9.8"
116-
assert "AV:N/AC:L/PR:N/UI:N" in severity.scoring_elements
116+
assert "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" == severity.scoring_elements
117117

118118

119119
@patch("vulnerabilities.pipelines.v2_importers.postgresql_importer.requests.get")

vulnerabilities/tests/pipes/test_osv_v2.py

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -293,3 +293,13 @@ def test_to_advisories_pypa7(self):
293293
)
294294
result = imported_data.to_dict()
295295
util_tests.check_results_against_json(result, expected_file)
296+
297+
def test_to_advisories_pypa8_cvss_v3_0_parsing(self):
298+
with open(os.path.join(TEST_DATA, "pypa/pypa-8.yaml")) as f:
299+
mock_response = saneyaml.load(f)
300+
expected_file = os.path.join(TEST_DATA, "pypa/pypa-expected-8.json")
301+
imported_data = parse_advisory_data_v3(
302+
mock_response, "pypi", advisory_url="https://test.com", advisory_text=""
303+
)
304+
result = imported_data.to_dict()
305+
util_tests.check_results_against_json(result, expected_file, regen=True)
Lines changed: 56 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,56 @@
1+
id: PYSEC-2024-26
2+
modified: 2024-02-06T20:20:18.162431Z
3+
published: 2024-01-29T23:15:00Z
4+
aliases:
5+
- CVE-2024-23829
6+
- GHSA-8qpw-xqxj-h4r2
7+
details: aiohttp is an asynchronous HTTP client/server framework for asyncio and Python.
8+
Security-sensitive parts of the Python HTTP parser retained minor differences in
9+
allowable character sets, that must trigger error handling to robustly match frame
10+
boundaries of proxies in order to protect against injection of additional requests.
11+
Additionally, validation could trigger exceptions that were not handled consistently
12+
with processing of other malformed input. Being more lenient than internet standards
13+
require could, depending on deployment environment, assist in request smuggling.
14+
The unhandled exception could cause excessive resource consumption on the application
15+
server and/or its logging facilities. This vulnerability exists due to an incomplete
16+
fix for CVE-2023-47627. Version 3.9.2 fixes this vulnerability.
17+
affected:
18+
- package:
19+
ecosystem: PyPI
20+
name: aiohttp
21+
purl: pkg:pypi/aiohttp
22+
ranges:
23+
- type: GIT
24+
events:
25+
- introduced: "0"
26+
- fixed: 33ccdfb0a12690af5bb49bda2319ec0907fa7827
27+
repo: https://github.com/aio-libs/aiohttp
28+
- type: ECOSYSTEM
29+
events:
30+
- introduced: "0"
31+
- fixed: 3.9.2
32+
versions:
33+
- "0.1"
34+
- 0.10.0
35+
- 0.10.1
36+
- 0.10.2
37+
- 0.11.0
38+
- 0.12.0
39+
- 0.13.0
40+
- 0.13.1
41+
severity:
42+
- type: CVSS_V3
43+
score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
44+
references:
45+
- type: EVIDENCE
46+
url: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8qpw-xqxj-h4r2
47+
- type: FIX
48+
url: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8qpw-xqxj-h4r2
49+
- type: ADVISORY
50+
url: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8qpw-xqxj-h4r2
51+
- type: FIX
52+
url: https://github.com/aio-libs/aiohttp/pull/8074
53+
- type: FIX
54+
url: https://github.com/aio-libs/aiohttp/commit/33ccdfb0a12690af5bb49bda2319ec0907fa7827
55+
- type: ARTICLE
56+
url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7/
Lines changed: 74 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,74 @@
1+
{
2+
"advisory_id": "PYSEC-2024-26",
3+
"aliases": [
4+
"CVE-2024-23829",
5+
"GHSA-8qpw-xqxj-h4r2"
6+
],
7+
"summary": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input. Being more lenient than internet standards require could, depending on deployment environment, assist in request smuggling. The unhandled exception could cause excessive resource consumption on the application server and/or its logging facilities. This vulnerability exists due to an incomplete fix for CVE-2023-47627. Version 3.9.2 fixes this vulnerability.",
8+
"affected_packages": [
9+
{
10+
"package": {
11+
"type": "pypi",
12+
"namespace": "",
13+
"name": "aiohttp",
14+
"version": "",
15+
"qualifiers": "",
16+
"subpath": ""
17+
},
18+
"affected_version_range": "vers:pypi/0.1|0.10.0|0.10.1|0.10.2|0.11.0|0.12.0|0.13.0|0.13.1",
19+
"fixed_version_range": "vers:pypi/3.9.2",
20+
"introduced_by_commit_patches": [],
21+
"fixed_by_commit_patches": [
22+
{
23+
"vcs_url": "https://github.com/aio-libs/aiohttp",
24+
"commit_hash": "33ccdfb0a12690af5bb49bda2319ec0907fa7827",
25+
"patch_text": null,
26+
"patch_checksum": null
27+
}
28+
]
29+
}
30+
],
31+
"references": [
32+
{
33+
"reference_id": "",
34+
"reference_type": "",
35+
"url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8qpw-xqxj-h4r2"
36+
},
37+
{
38+
"reference_id": "",
39+
"reference_type": "",
40+
"url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8qpw-xqxj-h4r2"
41+
},
42+
{
43+
"reference_id": "",
44+
"reference_type": "",
45+
"url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8qpw-xqxj-h4r2"
46+
},
47+
{
48+
"reference_id": "",
49+
"reference_type": "",
50+
"url": "https://github.com/aio-libs/aiohttp/pull/8074"
51+
},
52+
{
53+
"reference_id": "",
54+
"reference_type": "",
55+
"url": "https://github.com/aio-libs/aiohttp/commit/33ccdfb0a12690af5bb49bda2319ec0907fa7827"
56+
},
57+
{
58+
"reference_id": "",
59+
"reference_type": "",
60+
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7/"
61+
}
62+
],
63+
"patches": [],
64+
"severities": [
65+
{
66+
"system": "cvssv3",
67+
"value": "6.5",
68+
"scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
69+
}
70+
],
71+
"date_published": "2024-01-29T23:15:00+00:00",
72+
"weaknesses": [],
73+
"url": "https://test.com"
74+
}

0 commit comments

Comments
 (0)