
Huawei Pipeline Added with Tests #1770


Open. Wants to merge 5 commits into base: main

Conversation

Rishi-source

The following pull request fixes issue #1750 and adds a pipeline importer with tests.

Signed-off-by: Rishi Garg [email protected]

@Rishi-source
Author

Hi @TG1999, can you please review this pipeline importer?

@kunalsz

kunalsz commented Feb 11, 2025

@Rishi-source I am also a contributor to vulnerablecode. You recently pushed code for the Huawei pipelines. I was working on some other advisories and wanted to create tests for them; how should I create the JSON files for the tests? The output of my advisory data looks like this. Your help will be really appreciated.

AdvisoryData(aliases='CVE-2024-13176', summary='A timing side-channel which could potentially allow recovering\nthe private key exists in the ECDSA signature computation.', affected_packages=[AffectedPackage(package=PackageURL(type='openssl', namespace=None, name='openssl', version=None, qualifiers={}, subpath=None), affected_version_range=OpensslVersionRange(constraints=(VersionConstraint(comparator='=', version=OpensslVersion(string='3.4.0')), VersionConstraint(comparator='=', version=OpensslVersion(string='3.4.1')))), fixed_version=None), AffectedPackage(package=PackageURL(type='openssl', namespace=None, name='openssl', version=None, qualifiers={}, subpath=None), affected_version_range=OpensslVersionRange(constraints=(VersionConstraint(comparator='=', version=OpensslVersion(string='3.3.0')), VersionConstraint(comparator='=', version=OpensslVersion(string='3.3.3')))), fixed_version=None), AffectedPackage(package=PackageURL(type='openssl', namespace=None, name='openssl', version=None, qualifiers={}, subpath=None), affected_version_range=OpensslVersionRange(constraints=(VersionConstraint(comparator='=', version=OpensslVersion(string='3.2.0')), VersionConstraint(comparator='=', version=OpensslVersion(string='3.2.4')))), fixed_version=None), AffectedPackage(package=PackageURL(type='openssl', namespace=None, name='openssl', version=None, qualifiers={}, subpath=None), affected_version_range=OpensslVersionRange(constraints=(VersionConstraint(comparator='=', version=OpensslVersion(string='3.1.0')), VersionConstraint(comparator='=', version=OpensslVersion(string='3.1.8')))), fixed_version=None), AffectedPackage(package=PackageURL(type='openssl', namespace=None, name='openssl', version=None, qualifiers={}, subpath=None), affected_version_range=OpensslVersionRange(constraints=(VersionConstraint(comparator='=', version=OpensslVersion(string='3.0.0')), VersionConstraint(comparator='=', version=OpensslVersion(string='3.0.16')))), fixed_version=None), 
AffectedPackage(package=PackageURL(type='openssl', namespace=None, name='openssl', version=None, qualifiers={}, subpath=None), affected_version_range=OpensslVersionRange(constraints=(VersionConstraint(comparator='=', version=OpensslVersion(string='1.1.1')), VersionConstraint(comparator='=', version=OpensslVersion(string='1.1.1zb')))), fixed_version=None), AffectedPackage(package=PackageURL(type='openssl', namespace=None, name='openssl', version=None, qualifiers={}, subpath=None), affected_version_range=OpensslVersionRange(constraints=(VersionConstraint(comparator='=', version=OpensslVersion(string='1.0.2')), VersionConstraint(comparator='=', version=OpensslVersion(string='1.0.2zl')))), fixed_version=None)], references=[Reference(reference_id='CVE-2024-13176', reference_type='', url='https://www.cve.org/CVERecord?id=CVE-2024-13176', severities=[VulnerabilitySeverity(system=ScoringSystem(identifier='generic_textual', name='Generic textual severity rating', url='', notes='Severity for generic scoring systems. Contains generic textual values like High, Low etc'), value='Low', scoring_elements='', published_at=None)]), Reference(reference_id='CVE-2024-13176', reference_type='', url='https://openssl-library.org/news/secadv/20250120.txt', severities=[VulnerabilitySeverity(system=ScoringSystem(identifier='generic_textual', name='Generic textual severity rating', url='', notes='Severity for generic scoring systems. Contains generic textual values like High, Low etc'), value='Low', scoring_elements='', published_at=None)]), Reference(reference_id='CVE-2024-13176', reference_type='', url='https://github.com/openssl/openssl/commit/77c608f4c8857e63e98e66444e2e761c9627916f', severities=[VulnerabilitySeverity(system=ScoringSystem(identifier='generic_textual', name='Generic textual severity rating', url='', notes='Severity for generic scoring systems. 
Contains generic textual values like High, Low etc'), value='Low', scoring_elements='', published_at=None)]), Reference(reference_id='CVE-2024-13176', reference_type='', url='https://github.com/openssl/openssl/commit/392dcb336405a0c94486aa6655057f59fd3a0902', severities=[VulnerabilitySeverity(system=ScoringSystem(identifier='generic_textual', name='Generic textual severity rating', url='', notes='Severity for generic scoring systems. Contains generic textual values like High, Low etc'), value='Low', scoring_elements='', published_at=None)]), Reference(reference_id='CVE-2024-13176', reference_type='', url='https://github.com/openssl/openssl/commit/4b1cb94a734a7d4ec363ac0a215a25c181e11f65', severities=[VulnerabilitySeverity(system=ScoringSystem(identifier='generic_textual', name='Generic textual severity rating', url='', notes='Severity for generic scoring systems. Contains generic textual values like High, Low etc'), value='Low', scoring_elements='', published_at=None)]), Reference(reference_id='CVE-2024-13176', reference_type='', url='https://github.com/openssl/openssl/commit/2af62e74fb59bc469506bc37eb2990ea408d9467', severities=[VulnerabilitySeverity(system=ScoringSystem(identifier='generic_textual', name='Generic textual severity rating', url='', notes='Severity for generic scoring systems. Contains generic textual values like High, Low etc'), value='Low', scoring_elements='', published_at=None)]), Reference(reference_id='CVE-2024-13176', reference_type='', url='https://github.com/openssl/openssl/commit/07272b05b04836a762b4baa874958af51d513844', severities=[VulnerabilitySeverity(system=ScoringSystem(identifier='generic_textual', name='Generic textual severity rating', url='', notes='Severity for generic scoring systems. 
Contains generic textual values like High, Low etc'), value='Low', scoring_elements='', published_at=None)]), Reference(reference_id='CVE-2024-13176', reference_type='', url='https://github.openssl.org/openssl/extended-releases/commit/a2639000db19878d5d89586ae7b725080592ae86', severities=[VulnerabilitySeverity(system=ScoringSystem(identifier='generic_textual', name='Generic textual severity rating', url='', notes='Severity for generic scoring systems. Contains generic textual values like High, Low etc'), value='Low', scoring_elements='', published_at=None)]), Reference(reference_id='CVE-2024-13176', reference_type='', url='https://github.openssl.org/openssl/extended-releases/commit/0d5fd1ab987f7571e2c955d8d8b638fc0fb54ded', severities=[VulnerabilitySeverity(system=ScoringSystem(identifier='generic_textual', name='Generic textual severity rating', url='', notes='Severity for generic scoring systems. Contains generic textual values like High, Low etc'), value='Low', scoring_elements='', published_at=None)])], date_published=datetime.datetime(2025, 1, 20, 0, 0, tzinfo=datetime.timezone.utc), weaknesses=[], url='https://openssl-library.org/news/vulnerabilities/index.html#CVE-2024-13176')

@Rishi-source
Author

Hi @kunalsz, in order to convert the advisory data to JSON you first have to convert your AdvisoryData object to a dictionary:

advisory_dict = advisory_data.to_dict()

then import json and convert the dictionary to a JSON-formatted string:

import json
json_string = json.dumps(advisory_dict)

You can add indent=2; it enhances the readability of the JSON output.
After this, print the JSON string on your CLI or save it to a file.
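A fixture helper built on the steps in the answer above, added here as an example rather than code from this PR or from vulnerablecode: it assumes to_dict() has already been called, handles a raw datetime that json.dumps would otherwise reject, and compares (or regenerates) the stored JSON fixture the way a test would. The sample dict and its field layout are constructed, not vulnerablecode's exact schema.

```python
import json
from datetime import datetime, timezone
from pathlib import Path


def json_default(obj):
    """Serialize what json.dumps cannot: a raw datetime (e.g. date_published) becomes ISO 8601."""
    if isinstance(obj, datetime):
        return obj.isoformat()
    raise TypeError(f"Object of type {type(obj).__name__} is not JSON serializable")


def advisory_to_json(advisory_dict):
    """Canonical fixture text: indent=2 as suggested above, plus sorted keys for stable diffs."""
    return json.dumps(advisory_dict, indent=2, sort_keys=True, default=json_default) + "\n"


def check_against_fixture(advisory_dict, fixture_path, regen=False):
    """Compare advisory data with a stored JSON fixture; regen=True (re)writes the
    fixture first, which is how the expected file is created, otherwise a mismatch
    raises AssertionError naming the differing top-level keys."""
    fixture_path = Path(fixture_path)
    if regen:
        fixture_path.parent.mkdir(parents=True, exist_ok=True)
        fixture_path.write_text(advisory_to_json(advisory_dict), encoding="utf-8")
    expected = json.loads(fixture_path.read_text(encoding="utf-8"))
    # Round-trip through JSON so datetimes are normalized exactly as in the file.
    actual = json.loads(advisory_to_json(advisory_dict))
    if actual != expected:
        keys = sorted(k for k in set(actual) | set(expected) if actual.get(k) != expected.get(k))
        raise AssertionError(f"advisory differs from {fixture_path} in keys: {keys}")
    return True


# Constructed sample shaped like to_dict() output for the OpenSSL advisory quoted above;
# field names and value formats are an assumption, not vulnerablecode's exact schema.
SAMPLE_ADVISORY = {
    "aliases": ["CVE-2024-13176"],
    "summary": "A timing side-channel which could potentially allow recovering\n"
    "the private key exists in the ECDSA signature computation.",
    "affected_packages": [
        {"package": "pkg:openssl/openssl", "affected_version_range": "vers:openssl/3.4.0|3.4.1"},
    ],
    "references": [
        {"reference_id": "CVE-2024-13176", "url": "https://openssl-library.org/news/secadv/20250120.txt",
         "severities": [{"system": "generic_textual", "value": "Low"}]},
    ],
    "date_published": datetime(2025, 1, 20, tzinfo=timezone.utc),
    "url": "https://openssl-library.org/news/vulnerabilities/index.html#CVE-2024-13176",
}
```

Run once with regen=True to write the expected file, then keep the call without regen in the test so later pipeline changes are caught as a key-level diff.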

Member

@keshav-space keshav-space left a comment


Thanks @Rishi-source, see the suggestions and feedback. Again, browsing the vulnerability package details throws a 500 error. Make sure to test the pipeline on your local machine and also cross-validate the imported vulnerability against the upstream advisory.

Comment on lines +51 to +52
spdx_license_expression = "LicenseRef-Terms-Of-Use"
license_url = "https://consumer.huawei.com/en/legal/terms-of-use/"

This is not the license for the security bulletin. We should leave this empty for now and reach out to them later to clarify the license for the security advisory.

Comment on lines +56 to +58
def __init__(self):
    super().__init__()
    self.raw_data = None

This is unnecessary.

"""
self.log(f"Fetching {self.url}")
try:
response = requests.get(f"{self.url}2024/9/")

It does not make sense to collect advisories only from Sep-2024; we should collect all the security bulletins from https://consumer.huawei.com/en/support/bulletin/.

AffectedPackage(
    package=PackageURL(type="huawei", name=system_type),
    affected_version_range=VersionRange.from_string(
        f"vers:generic/={version_number}"

Instead, we should add the huawei VersionRange in univers and use that here.

Reference(
    reference_id=data["cve_id"],
    url=f"https://nvd.nist.gov/vuln/detail/{data['cve_id']}",
    severities=[severity],

@keshav-space keshav-space Apr 17, 2025


This is completely wrong. This severity score is coming from Huawei. Why would you add an NVD URL to it?


Successfully merging this pull request may close these issues.

Collect from https://consumer.huawei.com/en/support/bulletin/2024/9/
4 participants