
Migrate Xen, Curl, Istio and OSS-Fuzz importer #1946


Merged: 13 commits, Jul 17, 2025

Conversation

@TG1999 (Contributor) commented Jul 16, 2025

Closes: #1878

@TG1999 TG1999 changed the title Migrate Xen importer Migrate Xen, Curl, Istio and OSS-Fuzz importer Jul 16, 2025
TG1999 added 13 commits July 17, 2025 17:25
Signed-off-by: Tushar Goel <[email protected]>
@TG1999 TG1999 force-pushed the migrate_xen_importer branch from 6d6626e to 3479b49 Compare July 17, 2025 11:59
@TG1999 TG1999 merged commit f423cb7 into main Jul 17, 2025
10 checks passed
@TG1999 TG1999 deleted the migrate_xen_importer branch July 17, 2025 12:03
@keshav-space (Member) left a comment


Thanks @TG1999, see some feedback.

@@ -307,6 +312,8 @@ def to_advisory(self, data):
weaknesses=weaknesses,
url=reference.url,
severities=severities,
original_advisory_text=json.dumps(data, indent=2, ensure_ascii=False),
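Review bot: the serialization in `original_advisory_text=json.dumps(data, indent=2, ensure_ascii=False)` is not canonical, so two equivalent payloads with different key order produce different stored text; if this field is ever compared or hashed to detect changed advisories, pass `sort_keys=True` (and drop `indent`, as the comment below asks) so the text is stable across runs.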
Member

I don't think we need indent.

weaknesses = get_cwe_from_curl_advisory(raw_data)

aliases = raw_data.get("aliases", [])
advisory_id = raw_data.get("id") or ""
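Review bot: `aliases = raw_data.get("aliases", [])` still yields `None` when the key is present with a null value, which will break later iteration over aliases; use `raw_data.get("aliases") or []`. The `or ""` fallback on the next line has the same shape of problem: an advisory with an empty `advisory_id` is silently created instead of the record being skipped with a logged error that names the offending input.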
Member

Instead of returning advisory data with no advisory_id, we should log an error and continue.

@@ -129,4 +136,5 @@ def process_file(self, file, base_path) -> Iterable[AdvisoryData]:
affected_packages=affected_packages,
url=advisory_url,
date_published=date_published,
original_advisory_text=advisory_text or str(yaml_file),
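Review bot: `str(yaml_file)` in `original_advisory_text=advisory_text or str(yaml_file)` gives the Python `repr` of the parsed object (`{'id': ...}`), not YAML, so the stored fallback is neither the original document nor re-parseable; since `process_file` receives `file`, read the raw file contents for the fallback, or at minimum use `yaml.safe_dump(yaml_file)` so the stored text is a faithful copy of the advisory.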
Member
@keshav-space keshav-space Jul 17, 2025

Wouldn't it be more appropriate to do yaml dump instead of str(yaml_file)?

]
)

title = data.get("title") or ""
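Review bot: `title = data.get("title") or ""` hides both a missing key and an empty title behind an empty string, and the value is used as the advisory id; check it explicitly, log the file being skipped, and `strip()` surrounding whitespace before using it as an identifier so the same advisory cannot yield two different ids.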
Member

Since we are using it as an advisory_id, if there is no title we should log an error and continue, instead of returning an AdvisoryData with an empty advisory_id.

@@ -130,6 +134,7 @@ def to_advisory_data(self, file: Path) -> Iterable[AdvisoryData]:
references_v2=references,
severities=severities,
url=f"https://github.com/nodejs/security-wg/blob/main/vuln/npm/{id}.json",
original_advisory_text=advisory_text or json.dumps(data, indent=2, ensure_ascii=False),
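Review bot: the f-string in `url=f"https://github.com/nodejs/security-wg/blob/main/vuln/npm/{id}.json"` uses a variable named `id`, which shadows the Python builtin; rename it (e.g. `advisory_id`), and since `to_advisory_data` receives `file: Path`, build the URL from `file.name` so the link always matches the source file being parsed.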
Member

Isn't advisory_text already a JSON dump?

advisory_text or json.dumps(data, indent=2, ensure_ascii=False)

This seems redundant; if we don't have an advisory_text, how can we have data?

if not self.links:
self.collect_links()
return len(self.links)
return 30
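Review bot: `return 30` is a hard-coded count that is either unreachable (when `len(self.links)` is returned after collection) or returned whenever `collect_links()` silently produces nothing; return `len(self.links)` unconditionally after collecting, and let a failed collection raise or log rather than report a fixed number that will drift from the real advisory count.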
Member
@keshav-space keshav-space Jul 17, 2025

This is not fixed; postgres will have more advisories here in future, right?

Successfully merging this pull request may close these issues.

VCIO-next: Advisory model migration Batch 2