redhatproductsecurity / advisory-parser
A library for parsing security advisories
License: GNU Lesser General Public License v3.0
CVE-2022-1292 in MySQL Oracle CPU Jul 2022 (https://www.oracle.com/security-alerts/cpujul2022verbose.html#MSQL) has no CVSS score. As a result, the parser is failing here:
https://github.com/mprpic/advisory-parser/blob/master/advisory_parser/parsers/mysql.py#L135
ValueError: not enough values to unpack (expected 2, got 1)
Proposed patch:
--- advisory_parser/parsers/mysql.py.orig 2022-08-04 14:35:50.421965529 +0200
+++ advisory_parser/parsers/mysql.py 2022-08-04 14:36:10.956021469 +0200
@@ -134,7 +134,15 @@
description = "\n".join(description)
# Take the text part only, i.e. anything before the CVSS string
- description, cvss_text = re.split(r"\n\s*CVSS v?3\.[0-9] (?=Base Score)", description)
+ desc_cvss = re.split(r"\n\s*CVSS v?3\.[0-9] (?=Base Score)", description)
+ if len(desc_cvss) != 2:
+ warnings.append(
+ "ERROR: Could not identify CVSS score in {}; skipping:\n\n{}\n---".format(
+ cve, description
+ )
+ )
+ continue
+ description, cvss_text = desc_cvss
# Filter out some whitespace
description = description.replace("\n", " ").replace(" ", " ").strip()
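Review bot: the `len(desc_cvss) != 2` guard in this hunk also fires when the regex matches more than once (the double "CVSS v3.0" case reported for CVE-2018-0732 in the Jan 2019 CPU), yet the warning always reads "Could not identify CVSS score", which sends the reader looking for a missing score rather than a duplicated one; either include `len(desc_cvss)` in the message or branch it on `== 1` versus `> 2`. Note also that `continue` drops the CVE from the returned flaws entirely, so a caller that never inspects `warnings` silently loses a real CVE such as CVE-2022-1292; if such entries should still be filed, yield the flaw with an empty CVSS instead of skipping, and state whichever choice is made in the commit message.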
URL: https://www.oracle.com/security-alerts/cpujul2020.html
Traceback (most recent call last):
File "/usr/bin/sfm2", line 11, in
load_entry_point('sfm2client==2.22.1', 'console_scripts', 'sfm2')()
File "/usr/lib/python3.7/site-packages/sfm2client/cli/main.py", line 32, in main
app.run()
File "/usr/lib/python3.7/site-packages/sfm2client/cli/app.py", line 94, in run
self.invoke(sys.argv[1:])
File "/usr/lib/python3.7/site-packages/smclip/commands.py", line 330, in invoke
rv = command.invoke(sub_args) # Subcommand invocation
File "/usr/lib/python3.7/site-packages/smclip/commands.py", line 330, in invoke
rv = command.invoke(sub_args) # Subcommand invocation
File "/usr/lib/python3.7/site-packages/smclip/commands.py", line 140, in invoke
return self.invoke_callbacks(parsed_args)
File "/usr/lib/python3.7/site-packages/smclip/commands.py", line 155, in invoke_callbacks
rv = self.this_action(**action_args)
File "/usr/lib/python3.7/site-packages/sfm2client/cli/flaw.py", line 833, in this_action
flaws, warnings = AdvisoryParser.parse_from_url(advisory_url)
File "/usr/lib/python3.7/site-packages/advisory_parser/parser.py", line 33, in parse_from_url
return parse_mysql_advisory(url)
File "/usr/lib/python3.7/site-packages/advisory_parser/parsers/mysql.py", line 118, in parse_mysql_advisory
description, cvss_text = re.split(r'\n\s*CVSS v3', description)
ValueError: not enough values to unpack (expected 2, got 1)
The hardcoded CVSS scores in CVSS3_MAP should be bumped to CVSS v3.1.
(venv) ap $ python
>>> from advisory_parser import Parser
>>> f, w = Parser.parse_from_url("https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop.html")
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/home/testuser/temp/ap/venv/lib64/python3.7/site-packages/advisory_parser/parser.py", line 24, in parse_from_url
return parse_chrome_advisory(url)
File "/home/testuser/temp/ap/venv/lib64/python3.7/site-packages/advisory_parser/parsers/chrome.py", line 112, in parse_chrome_advisory
cvss3 = CVSS3_MAP[impact]
KeyError: 'cve-2019-19880,'
>>>
(venv) ap $ pip list | grep advisory-parser
advisory-parser 1.9
URL: https://chromereleases.googleblog.com/2020/08/stable-channel-update-for-desktop_25.html
... AdvisoryParser.parse_from_url(advisory_url)
File "/usr/lib/python3.7/site-packages/advisory_parser/parser.py", line 24, in parse_from_url
return parse_chrome_advisory(url)
File "/usr/lib/python3.7/site-packages/advisory_parser/parsers/chrome.py", line 62, in parse_chrome_advisory
metadata, text = line.split(':')
ValueError: too many values to unpack (expected 2)
MySQL advisory parser does not pull the full URL from the advisory for the external reference. It pulls "/security-alerts/cpujan2020.html" while it should be the full "https://www.oracle.com/security-alerts/cpujan2020.html".
Description of problem:
While trying to parse Oracle October critical patch advisory: https://www.oracle.com/security-alerts/cpuoct2019verbose.html
Traceback (most recent call last):
...
File "/usr/lib/python3.7/site-packages/advisory_parser/parser.py", line 35, in parse_from_url
return parse_mysql_advisory(url)
File "/usr/lib/python3.7/site-packages/advisory_parser/parsers/mysql.py", line 116, in parse_mysql_advisory
description, cvss_text = re.split('\n *CVSS v3\.0', description)
ValueError: not enough values to unpack (expected 2, got 1)
Parsing of the Jan 2019 CPU fails with:
File "advisory_parser/parsers/mysql.py", line 116, in parse_mysql_advisory
description, cvss_text = description.split('CVSS v3.0')
ValueError: too many values to unpack (expected 2)
The problem is triggered by the CVE-2018-0732 description, which includes:
...
Note: MySQL Enterprise Monitor is not vulnerable to this CVE because it does not use the TLS functionality included in OpenSSL. The CVSS v3.0 Base Score for this CVE in the National Vulnerability Database (NVD) is 7.5.
CVSS v3.0 Base Score 0.0 (). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N).
This seems to work as hotfix, I've not investigated if it's proper long-term solution.
description, cvss_text = description.split('\nCVSS v3.0')
Hopefully, the wording triggering the problem is not common, so this may not affect future CPUs.
Local patch you provided that worked.
local_patch.txt
Wireshark advisories often come in large numbers and take a lot of time to file. I would really like if we had an option to parse these advisories similarly to what we already do with mysql/chrome/flash.
They are written in a way which allows nice parsing, and we already used to do that with upstream-advisory-manager.
Sample advisory:
https://www.wireshark.org/security/wnpa-sec-2018-38.html
Please add a parser for Jenkins advisories. Data that can be retrieved:
References:
Google Releases blog recently changed its layout and therefore cannot be parsed by advisory-parser any more. It fails with an error such as:
Could not parse public date (Beta Channel Update for Desktop) from https://chromereleases.googleblog.com/...
The following archive.org links can be used to compare how formatting of the same post changed between Oct22 and Oct25:
https://web.archive.org/web/20191022191950/https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_22.html
https://web.archive.org/web/20191025133128/https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_22.html
The above error seems to be the direct consequence of having the post date moved before the post title (Stable Channel Update for Desktop).
Additional concern is that the end of blog post is no longer detected correctly. Text 'Labels:\nStable updates' used to serve as separator, but the text that appears now is 'Labels: Desktop Update, Stable updates'.
MySQL advisory parser fails on Oct 2019 CPU with the following error for all CVEs:
ERROR: Could not identify product in CVE-...
The reason for that is change in the wording of Oracle description from:
Vulnerability in the ... component of Oracle MySQL (subcomponent: ...).
to
Vulnerability in the ... product of Oracle MySQL (component: ...).
Worked around the problem by changing regular expressions for extracting product and component names to the following, which should handle both old and new formats:
product = re.search(r'^Vulnerability in the (.+) (component|product) of ', description)
component = re.search(r'\((sub)?component: ([^\)]+\)?)\)', description).group(2)
There's a different output of the parser probably based on different versions of python used: python-3.7 vs python-3.6
For some flaws, subcomponent indicated in Oracle CPU has format as "Server: Packaging (OpenSSL)" or "InnoDB (zlib)". The regex to extract this value searches for string "subcomponent: " followed by arbitrary number of any characters other than closing bracket ')':
https://github.com/mprpic/advisory-parser/blob/v1.7/advisory_parser/parsers/mysql.py#L150
So the above component names are extracted as "Server: Packaging (OpenSSL" or "InnoDB (zlib", missing the closing bracket.
Alternative to fixing the regex is to skip components with '(' in name, as the "(foo)" syntax only seems to be when flaw is in a third-party library bundled with MySQL.
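The separate fixes proposed in the MySQL reports above (anchor the CVSS split to a line start so a "CVSS v3.0" mention inside the description does not produce a third part, accept both the "component/subcomponent" wordings, keep the closing bracket in names like "Server: Packaging (OpenSSL)", and warn instead of raising ValueError when an entry has no CVSS block) can be combined in one parsing routine. The following is an added example written for this page, not code from advisory-parser: the sample entries are constructed in the style of an Oracle CPU verbose page (only the CVE-2018-0732 note quoted above is real wording), and the regex and function names are the example's own.

```python
import re
from typing import Optional

# Anchored to a line start so that a prose mention such as "The CVSS v3.0 Base
# Score for this CVE in the NVD is 7.5." inside a description is not split on.
CVSS_SPLIT_RE = re.compile(r"\n\s*CVSS v?3\.[01] (?=Base Score)")

# Accepts both the pre-Oct-2019 wording "... component of Oracle MySQL
# (subcomponent: ...)" and the newer "... product of Oracle MySQL (component: ...)".
PRODUCT_RE = re.compile(
    r"^Vulnerability in the (?P<product>.+?) (?:component|product) of "
    r"Oracle MySQL \((?:sub)?component: "
)

CVSS_BLOCK_RE = re.compile(
    r"Base Score (?P<score>\d{1,2}\.\d) \((?P<impacts>[^)]*)\)\.\s*"
    r"CVSS Vector:\s*\((?P<vector>CVSS:3\.[01]/[A-Z:/]+)\)"
)

# Constructed sample entries in the style of an Oracle CPU verbose page (not
# copied from a real page, apart from the CVE-2018-0732 note quoted above).
SAMPLES = {
    # Newer wording, nested parentheses in the component name, CVSS v3.1.
    "CVE-0000-0001": (
        "Vulnerability in the MySQL Server product of Oracle MySQL "
        "(component: Server: Packaging (OpenSSL)). Supported versions that are "
        "affected are 8.0.28 and prior.\n"
        "CVSS v3.1 Base Score 7.5 (Availability impacts). CVSS Vector: "
        "(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)."
    ),
    # Older wording; "CVSS v3.0" occurs twice but only once at a line start.
    "CVE-0000-0002": (
        "Vulnerability in the MySQL Server component of Oracle MySQL "
        "(subcomponent: Server: Security: Encryption).\n"
        "Note: MySQL Enterprise Monitor is not vulnerable to this CVE because it "
        "does not use the TLS functionality included in OpenSSL. The CVSS v3.0 "
        "Base Score for this CVE in the National Vulnerability Database (NVD) is 7.5.\n"
        "CVSS v3.0 Base Score 0.0 (). CVSS Vector: "
        "(CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N)."
    ),
    # No CVSS block at all, as with CVE-2022-1292 in the July 2022 CPU.
    "CVE-0000-0003": (
        "Vulnerability in the MySQL Server product of Oracle MySQL "
        "(component: Server: Packaging (OpenSSL)). Supported versions that are "
        "affected are 8.0.29 and prior."
    ),
}


def _balanced_parens(text: str, start: int) -> Optional[str]:
    """Text from `start` up to the ')' closing the parenthesis opened just before
    it, honouring nested parentheses. None if that parenthesis is never closed."""
    depth = 1
    for i in range(start, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return text[start:i]
    return None


def parse_mysql_cve(cve: str, text: str, warnings: list) -> Optional[dict]:
    """Parse one CVE entry; on anything ambiguous append a warning and return
    None rather than letting a tuple unpacking raise ValueError."""
    parts = CVSS_SPLIT_RE.split(text)
    if len(parts) != 2:
        reason = "no CVSS block" if len(parts) == 1 else "more than one CVSS block"
        warnings.append(f"ERROR: {reason} in {cve}; skipping")
        return None
    description, cvss_text = parts

    m = PRODUCT_RE.match(description)
    component = _balanced_parens(description, m.end()) if m else None
    if component is None:
        warnings.append(f"ERROR: Could not identify product in {cve}; skipping")
        return None

    c = CVSS_BLOCK_RE.search(cvss_text)
    if c is None:
        warnings.append(f"ERROR: Could not parse CVSS block in {cve}; skipping")
        return None

    return {
        "cve": cve,
        "product": m.group("product"),
        "component": component,
        "description": " ".join(description.split()),  # collapse newlines and double spaces
        "cvss3_version": c.group("vector")[5:8],  # "3.0" or "3.1" from "CVSS:3.x/..."
        "cvss3_score": float(c.group("score")),
        "cvss3_vector": c.group("vector"),
    }


def parse_all(samples=SAMPLES):
    """Parse every entry; unparseable ones end up in warnings, not as exceptions."""
    warnings = []
    flaws = [f for f in (parse_mysql_cve(c, t, warnings) for c, t in samples.items()) if f]
    return flaws, warnings
```

Running `parse_all()` on the samples yields two flaws and one warning: the third entry is reported as having no CVSS block instead of aborting the whole advisory, the second entry splits into exactly two parts even though a naive `text.split("CVSS v3.0")` would give three, and the component of the first entry comes back with its closing bracket intact because the parenthesis is matched by depth rather than by a `[^)]+` character class.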