From ff5a842960179f8399434cfd36caeed23bb5c218 Mon Sep 17 00:00:00 2001
From: young <954906362@qq.com>
Date: Wed, 14 Dec 2022 21:36:46 +0800
Subject: [PATCH 1/3] =?UTF-8?q?=E4=BF=AE=E6=94=B9=E4=B8=8A=E4=BC=A0?=
 =?UTF-8?q?=E6=96=87=E4=BB=B6=E5=92=8C=E6=8E=A5=E5=8F=A3=E4=B8=8D=E4=B8=80?=
 =?UTF-8?q?=E8=87=B4=E4=BD=86=E6=B2=A1=E6=8A=A5=E9=94=99=E7=9A=84=E9=97=AE?=
 =?UTF-8?q?=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../cve_handler/manager/parse_advisory.py | 9 ++++++---
 .../cve_handler/manager/parse_unaffected.py | 8 ++++++++
 apollo/handler/cve_handler/view.py | 18 ++++++++++++++----
 3 files changed, 28 insertions(+), 7 deletions(-)
diff --git a/apollo/handler/cve_handler/manager/parse_advisory.py b/apollo/handler/cve_handler/manager/parse_advisory.py
index 773f746..4848ea3 100644
--- a/apollo/handler/cve_handler/manager/parse_advisory.py
+++ b/apollo/handler/cve_handler/manager/parse_advisory.py
@@ -15,12 +15,12 @@
 Time:
 Author:
 Description: parse security advisory xml file, insert into database
 """
+from collections import defaultdict
 from xml.etree import cElementTree as ET
 from xml.etree.ElementTree import ParseError
-from collections import defaultdict
 
-from vulcanus.log.log import LOGGER
 from apollo.function.customize_exception import ParseAdvisoryError
+from vulcanus.log.log import LOGGER
 
 __all__ = ["parse_security_advisory"]
@@ -99,7 +99,10 @@ def parse_cvrf_dict(cvrf_dict):
 ParseXmlError
 """
 # affected package of this security advisory. joined with ',' if have multiple packages
- cvrf_note = cvrf_dict["cvrfdoc"]["DocumentNotes"]["Note"]
+ cve_document_notes = cvrf_dict["cvrfdoc"].get("DocumentNotes", "")
+ if not cve_document_notes:
+ return [], [], []
+ cvrf_note = cve_document_notes["Note"]
 affected_pkgs = ""
 for info in cvrf_note:
 if info["Title"] == "Affected Component":
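Review bot: The new `return [], [], []` at the top of parse_cvrf_dict turns "this file has no DocumentNotes, so it is not a security advisory" into an ordinary success value, and every caller now has to recognise three empty lists as a failure code; the same sentinel is introduced in the first parse_unaffected.py hunk of this patch. ParseAdvisoryError is already imported in this file and already caught by the upload handlers, so raising it carries the diagnosis instead of hiding it: `if not cve_document_notes:` / `raise ParseAdvisoryError("no DocumentNotes: not a security advisory")`. The `.get("DocumentNotes", "")` default is a string that is then indexed with `["Note"]`; `None` would say what is meant. Separately, `for info in cvrf_note:` on the context lines presumably expects a list, and if the XML-to-dict conversion yields a plain dict for a single Note the loop would iterate over its keys — worth confirming against the converter, since the `isinstance(..., dict)` normalisation added to parse_unaffected.py suggests that case exists. parse_cvrf_dict continues past the end of the hunk.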
diff --git a/apollo/handler/cve_handler/manager/parse_unaffected.py b/apollo/handler/cve_handler/manager/parse_unaffected.py
index 9b4ae03..7212a5c 100644
--- a/apollo/handler/cve_handler/manager/parse_unaffected.py
+++ b/apollo/handler/cve_handler/manager/parse_unaffected.py
@@ -76,7 +76,13 @@ def parse_cvrf_dict(cvrf_dict):
 Raises:
 ParseXmlError
 """
+ cvrf_note = cvrf_dict["cvrfdoc"].get("DocumentNotes", "")
+ if cvrf_note:
+ return [], [], []
+
 cve_info_list = cvrf_dict["cvrfdoc"]["Vulnerability"]
+ if isinstance(cve_info_list, dict):
+ cve_info_list = [cve_info_list]
 cve_table_rows = []
 cve_pkg_rows = []
 doc_list = []
@@ -87,6 +93,8 @@ def parse_cvrf_dict(cvrf_dict):
 remediation = cve_info["Remediations"]["Remediation"]
 if isinstance(remediation, list):
 remediation = remediation[0]
+ if remediation["Type"] != "Unaffected":
+ continue
 cvss_score = cve_info["CVSSScoreSets"]["ScoreSet"]["BaseScore"]
 severity = parse_cve_severity(cvss_score)
 cve_row = {
diff --git a/apollo/handler/cve_handler/view.py b/apollo/handler/cve_handler/view.py
index 4bfde0f..f90bd8e 100644
--- a/apollo/handler/cve_handler/view.py
+++ b/apollo/handler/cve_handler/view.py
@@ -229,8 +229,10 @@ class VulUploadAdvisory(BaseResponse):
 def _save_single_advisory(proxy, file_path):
 file_name = os.path.basename(file_path)
 try:
- cve_rows, cve_pkg_rows, cve_pkg_docs = parse_security_advisory(
- file_path)
+ cve_rows, cve_pkg_rows, cve_pkg_docs = parse_security_advisory(file_path)
+ if cve_rows == [] and cve_pkg_rows == [] and cve_pkg_docs == []:
+ os.remove(file_path)
+ return WRONG_FILE_FORMAT
 os.remove(file_path)
 except (KeyError, ParseAdvisoryError) as error:
 os.remove(file_path)
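Review bot: The discriminator added at the top of parse_cvrf_dict — DocumentNotes present means the whole file is rejected — is the mirror image of the check parse_advisory.py gets in this patch, and nothing in the code says why the presence of that element disqualifies an unaffected-CVE file. If the rationale is that only security advisories carry DocumentNotes, a comment on the `if cvrf_note:` line should say so, e.g. `# only security advisories carry DocumentNotes; their presence means the wrong file type was uploaded`. The name `cvrf_note` also suggests a note object, while what is stored is the raw `.get(...)` result used only as a flag; `has_document_notes` would read better, and a `None` default is clearer than `""`. The `isinstance(cve_info_list, dict)` normalisation below is the right fix for a document with a single Vulnerability element. parse_cvrf_dict continues past the end of the hunk.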
@@ -264,8 +266,10 @@ class VulUploadAdvisory(BaseResponse):
 for file_path in file_path_list:
 file_name = os.path.basename(file_path)
 try:
- cve_rows, cve_pkg_rows, cve_pkg_docs = parse_security_advisory(
- file_path)
+ cve_rows, cve_pkg_rows, cve_pkg_docs = parse_security_advisory(file_path)
+ if cve_rows == [] and cve_pkg_rows == [] and cve_pkg_docs == []:
+ shutil.rmtree(folder_path)
+ return WRONG_FILE_FORMAT
 except (KeyError, ParseAdvisoryError) as error:
 fail_list.append(file_name)
 LOGGER.error(
@@ -356,6 +360,9 @@ class VulUploadUnaffected(BaseResponse):
 file_name = os.path.basename(file_path)
 try:
 cve_rows, cve_pkg_rows, doc_list = parse_unaffected_cve(file_path)
+ if cve_rows == [] and cve_pkg_rows == [] and doc_list == []:
+ os.remove(file_path)
+ return WRONG_FILE_FORMAT
 os.remove(file_path)
 except (KeyError, ParseAdvisoryError) as error:
 os.remove(file_path)
@@ -387,6 +394,9 @@ class VulUploadUnaffected(BaseResponse):
 file_name = os.path.basename(file_path)
 try:
 cve_rows, cve_pkg_rows, doc_list = parse_unaffected_cve(file_path)
+ if cve_rows == [] and cve_pkg_rows == [] and doc_list == []:
+ shutil.rmtree(folder_path)
+ return WRONG_FILE_FORMAT
 except (KeyError, ParseAdvisoryError) as error:
 fail_list.append(file_name)
 LOGGER.error("Some error occurred when parsing unaffected cve advisory '%s'." % file_name)
--
Gitee
From 574bbe874c9f87f7e2fff223fb48da047be8b83c Mon Sep 17 00:00:00 2001
From: young <954906362@qq.com>
Date: Thu, 15 Dec 2022 10:03:58 +0800
Subject: [PATCH 2/3] =?UTF-8?q?=E6=96=87=E4=BB=B6=E4=B8=8E=E6=8E=A5?=
 =?UTF-8?q?=E5=8F=A3=E4=B8=8D=E4=B8=80=E8=87=B4=E7=9A=84=E9=94=99=E8=AF=AF?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 apollo/handler/cve_handler/view.py | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/apollo/handler/cve_handler/view.py b/apollo/handler/cve_handler/view.py
index f90bd8e..cea00eb 100644
--- a/apollo/handler/cve_handler/view.py
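Review bot: Inside the per-file loop of the batch upload, an empty parse result now calls `shutil.rmtree(folder_path)` and returns WRONG_FILE_FORMAT for the whole batch, while a KeyError or ParseAdvisoryError on the very next lines only records the file in `fail_list` and moves on; one malformed member of an archive therefore aborts everything, and if earlier members were already saved by code after this hunk (not visible here), that work is kept with no report of it. The hunk at -387 in this file has the same shape, and patch 3 keeps it at -267 and -397. Treating the wrong-format file like the parse failure keeps the two paths consistent: `fail_list.append(file_name)` / `continue`, leaving folder removal to the cleanup after the loop, if the method has one. The enclosing method starts and ends outside the hunk.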
+++ b/apollo/handler/cve_handler/view.py
@@ -265,6 +265,9 @@ class VulUploadAdvisory(BaseResponse):
 fail_list = []
 for file_path in file_path_list:
 file_name = os.path.basename(file_path)
+ suffix = file_name.split('.')[-1]
+ if suffix != "xml":
+ return WRONG_FILE_FORMAT
 try:
 cve_rows, cve_pkg_rows, cve_pkg_docs = parse_security_advisory(file_path)
 if cve_rows == [] and cve_pkg_rows == [] and cve_pkg_docs == []:
@@ -392,6 +395,9 @@ class VulUploadUnaffected(BaseResponse):
 fail_list = []
 for file_path in file_path_list:
 file_name = os.path.basename(file_path)
+ suffix = file_name.split('.')[-1]
+ if suffix != "xml":
+ return WRONG_FILE_FORMAT
 try:
 cve_rows, cve_pkg_rows, doc_list = parse_unaffected_cve(file_path)
 if cve_rows == [] and cve_pkg_rows == [] and doc_list == []:
--
Gitee
From b5e456ab33a323c8156a024c64b5a2193883347d Mon Sep 17 00:00:00 2001
From: young <954906362@qq.com>
Date: Thu, 15 Dec 2022 16:40:08 +0800
Subject: [PATCH 3/3] =?UTF-8?q?=E4=BF=AE=E6=94=B9=E4=BB=A3=E7=A0=81?=
 =?UTF-8?q?=E6=A3=80=E8=A7=86=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../handler/cve_handler/manager/parse_unaffected.py | 2 --
 apollo/handler/cve_handler/view.py | 13 +++++++------
 2 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/apollo/handler/cve_handler/manager/parse_unaffected.py b/apollo/handler/cve_handler/manager/parse_unaffected.py
index 7212a5c..6338cd1 100644
--- a/apollo/handler/cve_handler/manager/parse_unaffected.py
+++ b/apollo/handler/cve_handler/manager/parse_unaffected.py
@@ -93,8 +93,6 @@ def parse_cvrf_dict(cvrf_dict):
 remediation = cve_info["Remediations"]["Remediation"]
 if isinstance(remediation, list):
 remediation = remediation[0]
- if remediation["Type"] != "Unaffected":
- continue
 cvss_score = cve_info["CVSSScoreSets"]["ScoreSet"]["BaseScore"]
 severity = parse_cve_severity(cvss_score)
 cve_row = {
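Review bot: The suffix check `file_name.split('.')[-1] != "xml"` is case-sensitive, so a `report.XML` member is rejected although the parser would read it; `os.path.splitext(file_name)[1].lower() != ".xml"` compares the real extension, and `os` is already in use on the line above. The check runs after the archive has been unpacked and returns without touching `folder_path`, leaving the extracted tree behind (patch 3 adds the `shutil.rmtree`), and, like the empty-result return below it, it aborts the whole batch instead of recording the file in `fail_list`. The same three lines are added at -392 in the second hunk of this patch. An extension test is only a cheap pre-filter; the parse and the DocumentNotes check remain the actual validation of the content, so the check should not be read as making the file trusted. The enclosing loop continues past the end of the hunk.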
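Review bot: Removing `if remediation["Type"] != "Unaffected": continue` leaves no check on the remediation type in this loop, so any Vulnerability whose selected Remediation carries another Type is now written to the unaffected tables. If the intent is that the DocumentNotes check at the top of parse_cvrf_dict (added in patch 1) already guarantees an unaffected-CVE document, a comment on the `remediation = remediation[0]` line should say so, e.g. `# Type is not checked here: documents carrying DocumentNotes were rejected at the top of this function`, otherwise the next reader will put the filter back. `remediation[0]` still keeps only the first entry of a list, which this commit does not touch. parse_cvrf_dict starts and ends outside the hunk.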
diff --git a/apollo/handler/cve_handler/view.py b/apollo/handler/cve_handler/view.py
index cea00eb..8c161a3 100644
--- a/apollo/handler/cve_handler/view.py
+++ b/apollo/handler/cve_handler/view.py
@@ -230,10 +230,9 @@ class VulUploadAdvisory(BaseResponse):
 file_name = os.path.basename(file_path)
 try:
 cve_rows, cve_pkg_rows, cve_pkg_docs = parse_security_advisory(file_path)
- if cve_rows == [] and cve_pkg_rows == [] and cve_pkg_docs == []:
- os.remove(file_path)
- return WRONG_FILE_FORMAT
 os.remove(file_path)
+ if not all([cve_rows, cve_pkg_rows, cve_pkg_docs]):
+ return WRONG_FILE_FORMAT
 except (KeyError, ParseAdvisoryError) as error:
 os.remove(file_path)
 LOGGER.error(
@@ -267,10 +266,11 @@ class VulUploadAdvisory(BaseResponse):
 file_name = os.path.basename(file_path)
 suffix = file_name.split('.')[-1]
 if suffix != "xml":
+ shutil.rmtree(folder_path)
 return WRONG_FILE_FORMAT
 try:
 cve_rows, cve_pkg_rows, cve_pkg_docs = parse_security_advisory(file_path)
- if cve_rows == [] and cve_pkg_rows == [] and cve_pkg_docs == []:
+ if not all([cve_rows, cve_pkg_rows, cve_pkg_docs]):
 shutil.rmtree(folder_path)
 return WRONG_FILE_FORMAT
 except (KeyError, ParseAdvisoryError) as error:
@@ -363,7 +363,7 @@ class VulUploadUnaffected(BaseResponse):
 file_name = os.path.basename(file_path)
 try:
 cve_rows, cve_pkg_rows, doc_list = parse_unaffected_cve(file_path)
- if cve_rows == [] and cve_pkg_rows == [] and doc_list == []:
+ if not all([cve_rows, cve_pkg_rows, doc_list]):
 os.remove(file_path)
 return WRONG_FILE_FORMAT
 os.remove(file_path)
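Review bot: `not all([cve_rows, cve_pkg_rows, cve_pkg_docs])` is wider than the sentinel the parser emits: in the patch 1 hunk the parser returns three empty lists only for a missing DocumentNotes, so if any one of the three lists can legitimately be empty for a well-formed advisory (a CVE with no package rows or docs, say — not determinable from here), that upload is now deleted and answered with WRONG_FILE_FORMAT. The same widening is applied at -267, -363 and -397 in this patch. Either keep the test exactly on the sentinel, `if cve_rows == [] and cve_pkg_rows == [] and cve_pkg_docs == []:`, or better have the parser raise ParseAdvisoryError, which the `except` two lines below already handles and which also puts the reason into the log. Running `os.remove(file_path)` once before the check does remove the duplicated call from patch 1. _save_single_advisory continues past the end of the hunk.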
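Review bot: The -363 hunk changes only the condition and keeps `os.remove(file_path)` both inside the branch and again after it, while the advisory counterpart at -230 in this same patch was reshaped to delete the file once and then test the result, so the two single-file helpers now read differently for no reason. Mirror the -230 shape here: `os.remove(file_path)` / `if not all([cve_rows, cve_pkg_rows, doc_list]):` / `return WRONG_FILE_FORMAT`. The enclosing method starts and ends outside the hunk.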
@@ -397,10 +397,11 @@ class VulUploadUnaffected(BaseResponse):
 file_name = os.path.basename(file_path)
 suffix = file_name.split('.')[-1]
 if suffix != "xml":
+ shutil.rmtree(folder_path)
 return WRONG_FILE_FORMAT
 try:
 cve_rows, cve_pkg_rows, doc_list = parse_unaffected_cve(file_path)
- if cve_rows == [] and cve_pkg_rows == [] and doc_list == []:
+ if not all([cve_rows, cve_pkg_rows, doc_list]):
 shutil.rmtree(folder_path)
 return WRONG_FILE_FORMAT
 except (KeyError, ParseAdvisoryError) as error:
--
Gitee