redhatproductsecurity / advisory-parser Goto Github PK

CVE-2022-1292 in MySQL Oracle CPU Jul 2022 (https://www.oracle.com/security-alerts/cpujul2022verbose.html#MSQL) has no CVSS score. As a result, the parser is failing here:

https://github.com/mprpic/advisory-parser/blob/master/advisory_parser/parsers/mysql.py#L135

ValueError: not enough values to unpack (expected 2, got 1).

Proposed patch:

--- advisory_parser/parsers/mysql.py.orig	2022-08-04 14:35:50.421965529 +0200
+++ advisory_parser/parsers/mysql.py	2022-08-04 14:36:10.956021469 +0200
@@ -134,7 +134,15 @@
         description = "\n".join(description)
 
         # Take the text part only, i.e. anything before the CVSS string
-        description, cvss_text = re.split(r"\n\s*CVSS v?3\.[0-9] (?=Base Score)", description)
+        desc_cvss = re.split(r"\n\s*CVSS v?3\.[0-9] (?=Base Score)", description)
+        if len(desc_cvss) != 2:
+            warnings.append(
+                "ERROR: Could not identify CVSS score in {}; skipping:\n\n{}\n---".format(
+                    cve, description
+                )
+            )
+            continue
+        description, cvss_text = desc_cvss
 
         # Filter out some whitespace
         description = description.replace("\n", " ").replace("  ", " ").strip()

URL: https://www.oracle.com/security-alerts/cpujul2020.html

Traceback (most recent call last):
File "/usr/bin/sfm2", line 11, in
load_entry_point('sfm2client==2.22.1', 'console_scripts', 'sfm2')()
File "/usr/lib/python3.7/site-packages/sfm2client/cli/main.py", line 32, in main
app.run()
File "/usr/lib/python3.7/site-packages/sfm2client/cli/app.py", line 94, in run
self.invoke(sys.argv[1:])
File "/usr/lib/python3.7/site-packages/smclip/commands.py", line 330, in invoke
rv = command.invoke(sub_args) # Subcommand invocation
File "/usr/lib/python3.7/site-packages/smclip/commands.py", line 330, in invoke
rv = command.invoke(sub_args) # Subcommand invocation
File "/usr/lib/python3.7/site-packages/smclip/commands.py", line 140, in invoke
return self.invoke_callbacks(parsed_args)
File "/usr/lib/python3.7/site-packages/smclip/commands.py", line 155, in invoke_callbacks
rv = self.this_action(**action_args)
File "/usr/lib/python3.7/site-packages/sfm2client/cli/flaw.py", line 833, in this_action
flaws, warnings = AdvisoryParser.parse_from_url(advisory_url)
File "/usr/lib/python3.7/site-packages/advisory_parser/parser.py", line 33, in parse_from_url
return parse_mysql_advisory(url)
File "/usr/lib/python3.7/site-packages/advisory_parser/parsers/mysql.py", line 118, in parse_mysql_advisory
description, cvss_text = re.split(r'\n\s*CVSS v3', description)
ValueError: not enough values to unpack (expected 2, got 1)

The hardcoded CVSS scores in CVSS3_MAP should be bumped to CVSS v3.1.

URL: https://chromereleases.googleblog.com/2020/08/stable-channel-update-for-desktop_25.html

... AdvisoryParser.parse_from_url(advisory_url)
  File "/usr/lib/python3.7/site-packages/advisory_parser/parser.py", line 24, in parse_from_url
    return parse_chrome_advisory(url)
  File "/usr/lib/python3.7/site-packages/advisory_parser/parsers/chrome.py", line 62, in parse_chrome_advisory
    metadata, text = line.split(':')
ValueError: too many values to unpack (expected 2)

MySQL advisory parser does not pull the full URL from the advisory for external reference. It pulls "/security-alerts/cpujan2020.html" while it should be full "https://www.oracle.com/security-alerts/cpujan2020.html"

Description of problem:

While trying to parse Oracle October critical patch advisory: https://www.oracle.com/security-alerts/cpuoct2019verbose.html

Traceback (most recent call last):
...
  File "/usr/lib/python3.7/site-packages/advisory_parser/parser.py", line 35, in parse_from_url
    return parse_mysql_advisory(url)
  File "/usr/lib/python3.7/site-packages/advisory_parser/parsers/mysql.py", line 116, in parse_mysql_advisory
    description, cvss_text = re.split('\n *CVSS v3\.0', description)
ValueError: not enough values to unpack (expected 2, got 1)

Parsing of the Jan 2019 CPU fails with:

  File "advisory_parser/parsers/mysql.py", line 116, in parse_mysql_advisory
    description, cvss_text = description.split('CVSS v3.0')
ValueError: too many values to unpack (expected 2)

The problem is triggered by the CVE-2018-0732 description, which includes:

...

Note: MySQL Enterprise Monitor is not vulnerable to this CVE because it does not use the TLS functionality included in OpenSSL. The CVSS v3.0 Base Score for this CVE in the National Vulnerability Database (NVD) is 7.5.

CVSS v3.0 Base Score 0.0 (). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N).

This seems to work as hotfix, I've not investigated if it's proper long-term solution.

description, cvss_text = description.split('\nCVSS v3.0')

Hopefully, the wording triggering the problem is not common, so this may not affected future CPUs.

Local patch you provided that worked.
local_patch.txt

Wireshark advisories often come in large numbers and take a lot of time to file. I would really like if we had an option to parse these advisories similarly to what we already do with mysql/chrome/flash.

They are written in a way which allows nice parsing, and we already used to do that with upstream-advisory-manager.

Sample advisory:
https://www.wireshark.org/security/wnpa-sec-2018-38.html

Please add a parser for Jenkins advisories. Data that can be retrieved:

• CVE ID
• Flaw summary
• Flaw description
• CVSS 3.0 score
• Fixed in version
• Public date
• References link Ex.: https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1498

References:

https://jenkins.io/security/advisory/2019-09-25/

Google Releases blog recently changed its layout and therefore can not be parsed by advisory-parser any more. It fails with error as:

Could not parse public date (Beta Channel Update for Desktop) from https://chromereleases.googleblog.com/...

The following archive.org links can be used to compare how formatting of the same post changed between Oct22 and Oct25:

https://web.archive.org/web/20191022191950/https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_22.html
https://web.archive.org/web/20191025133128/https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_22.html

The above error seems to be the direct consequence of having the post date moved before the post title (Stable Channel Update for Desktop).

Additional concern is that the end of blog post is no longer detected correctly. Text 'Labels:\nStable updates' used to serve as separator, but the text that appears now is 'Labels: Desktop Update, Stable updates'.

MySQL advisory parser fails on Oct 2019 CPU with the following error for all CVEs:

ERROR: Could not identify product in CVE-...

The reason for that is change in the wording of Oracle description from:

Vulnerability in the ... component of Oracle MySQL (subcomponent: ...).

to

Vulnerability in the ... product of Oracle MySQL (component: ...).

Worked around the problem by changing regular expressions for extracting product and component names to the following, which should handle both old and new formats:

product = re.search(r'^Vulnerability in the (.+) (component|product) of ', description)

component = re.search(r'\((sub)?component: ([^\)]+\)?)\)', description).group(2)

There's a different output of the parser probably based on different versions of python used: python-3.7 vs python-3.6

For some flaws, subcomponent indicated in Oracle CPU has format as "Server: Packaging (OpenSSL)" or "InnoDB (zlib)". The regex to extract this value searches for string "subcomponent: " followed by arbitrary number of any characters other than closing bracket ')':

https://github.com/mprpic/advisory-parser/blob/v1.7/advisory_parser/parsers/mysql.py#L150

So the above component names are extracted as "Server: Packaging (OpenSSL" or "InnoDB (zlib", missing the closing bracket.

Alternative to fixing the regex is to skip components with '(' in name, as the "(foo)" syntax only seems to be when flaw is in a third-party library bundled with MySQL.