Update OpenSSL advisories #1765


Open
wants to merge 10 commits into base: main

Conversation

kunalsz

@kunalsz kunalsz commented Jan 29, 2025

Updated the importers/openssl.py file to scrape data from the new updated data source https://openssl-library.org/news/vulnerabilities/index.html.
Fixes #1747

@kunalsz
Author

kunalsz commented Mar 23, 2025

@TG1999 I have added tests for the pipelines, you can now review it

@kunalsz kunalsz changed the title Updated OpenSSL advisories Update OpenSSL advisories Mar 26, 2025
@TG1999
Contributor

TG1999 commented Apr 3, 2025

@kunalsz please resolve conflicts

@TG1999 TG1999 closed this Apr 3, 2025
@TG1999 TG1999 reopened this Apr 3, 2025


# fetch the content from the html data
def fetch_advisory_data(url):
Contributor


Add docstrings and doctests in all your functions please. Thanks!

kunalsz added 2 commits April 5, 2025 07:21
Member

@keshav-space keshav-space left a comment


Thanks @kunalsz, see nits below; also make sure that the pipeline is collecting the fixed version.
Strange for Yubico you used the legacy Importer #1763, but here you're using VulnerableCodeBaseImporterPipeline.

"""Collect Advisories from Openssl"""

pipeline_id = "openssl_importer"
spdx_license_expression = "OpenSSL-standalone"
Member


Can you paste the link from where you concluded that openssl advisory is under OpenSSL-standalone license?

Author


Looks like I used the wrong license; the correct one should be Apache License v2. I'll update it.

Comment on lines 249 to 259
versions = re.findall(r"(?<=from\s)([^\s]+)|(?<=before\s)([^\s]+)", affected)
versions = [v for group in versions for v in group if v] # ['1.0.1', '1.0.1j']
affected_version_range = OpensslVersionRange.from_versions(versions)
affected_packages.append(
AffectedPackage(
package=PackageURL(type="openssl", name="openssl"),
affected_version_range=affected_version_range,
)
)
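Review bot: the regex on the first line only recognises "from" and "before" as lookbehinds, so an affected string whose separator is anything else (the "from 1.0.1 to 1.0.1j" case raised in review) yields a single token, and `OpensslVersionRange.from_versions(versions)` then turns whatever tokens survive into an enumeration of exact versions rather than a bounded range; even the well-formed "from 1.1.1 before 1.1.1zb" quoted later in this thread comes out as `vers:openssl/1.1.1|1.1.1zb` (two exact versions) instead of a `>=1.1.1|<1.1.1zb` range. Suggest anchoring the pattern to the whole string with named groups for the lower and upper bound, building `>=lower` and `<upper` constraints from them, and raising (or logging and skipping the advisory) when the string does not match, so an unrecognised format never silently produces a range that omits affected releases.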
Member


This is not correct. For OpenSSL from 1.0.1 to 1.0.1j this will produce vers:openssl/1.0.1 which is incorrect affected range.

Author


I'll make the necessary changes.

Author


@keshav-space The versions are getting extracted correctly.

In CVE-2024-13176 one of the affected version strings is from 1.1.1 before 1.1.1zb and it gets processed correctly to 'affected_version_range': 'vers:openssl/1.1.1|1.1.1zb'

As far as OpenSSL from 1.0.1 to 1.0.1j is concerned, all the affected ranges on the advisory page are in the format from VERSION before VERSION, so the regex works correctly
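The "from VERSION before VERSION" parsing discussed in this thread, as an added example that is not part of this PR or of the VulnerableCode project's own code: it shows what the reviewed regex extracts (bare version tokens, which `from_versions()` would treat as exact versions) next to a comparator-based vers range, and it rejects any string in a different shape instead of producing a truncated range. The sample strings are constructed, the `>=`/`<` vers syntax is assumed to be the intended range form, and plain strings stand in for univers' `OpensslVersionRange`.

```python
import re

# Constructed sample inputs (not taken from the advisory page) in the
# "from X before Y" shape the thread says the OpenSSL page uses, plus one
# string in a different shape to exercise the rejection path.
SAMPLE_AFFECTED = [
    "from 1.1.1 before 1.1.1zb",
    "from 3.0.0 before 3.0.16",
    "from 1.0.1 to 1.0.1j",
]

# Anchored pattern: the whole string must read "from <lower> before <upper>".
AFFECTED_RE = re.compile(r"^from\s+(?P<lower>\S+)\s+before\s+(?P<upper>\S+)$")


def parse_affected(affected):
    """Return (lower, upper) bounds of a 'from X before Y' string.

    Raises ValueError for any other shape so that a format change on the
    advisory page surfaces as an error instead of a silently wrong range.
    """
    match = AFFECTED_RE.match(affected.strip())
    if not match:
        raise ValueError(f"unrecognized affected-version string: {affected!r}")
    return match.group("lower"), match.group("upper")


def is_supported(affected):
    """True if parse_affected() would accept the string."""
    return AFFECTED_RE.match(affected.strip()) is not None


def to_vers_range(affected, scheme="openssl"):
    """Build a vers range with comparators: every release >= lower and < upper
    (assumed vers syntax; the scheme name is a parameter, not a fixed value)."""
    lower, upper = parse_affected(affected)
    return f"vers:{scheme}/>={lower}|<{upper}"


def flattened_versions(affected):
    """Reproduce what the reviewed snippet extracts: bare version tokens with
    no comparators. The upper bound is lost whenever the separator is not
    'before', and the tokens carry no range semantics."""
    found = re.findall(r"(?<=from\s)([^\s]+)|(?<=before\s)([^\s]+)", affected)
    return [v for group in found for v in group if v]


def build_affected_ranges(affected_strings, scheme="openssl"):
    """Convert a list of affected strings; return (ranges, rejected).

    Rejected entries carry the offending string and the reason, so the
    pipeline can log them rather than ingest a wrong range.
    """
    ranges, rejected = [], []
    for text in affected_strings:
        try:
            ranges.append(to_vers_range(text, scheme))
        except ValueError as exc:
            rejected.append((text, str(exc)))
    return ranges, rejected


if __name__ == "__main__":
    for text in SAMPLE_AFFECTED:
        print(f"{text!r}: snippet extracts {flattened_versions(text)}")
    ranges, rejected = build_affected_ranges(SAMPLE_AFFECTED)
    print("ranges  :", ranges)
    print("rejected:", rejected)
```

Running the block prints, for the third sample, that the reviewed regex extracts only `['1.0.1']`, while `build_affected_ranges()` lists that string under `rejected` instead of emitting a range; the two well-formed strings come out as `>=lower|<upper` ranges rather than pairs of exact versions.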

@kunalsz kunalsz force-pushed the openssl-advisories branch from e2f03f5 to 3c0854d Compare April 23, 2025 20:35
@kunalsz
Author

kunalsz commented Apr 23, 2025

@keshav-space I have made the necessary changes, please review the PR

Successfully merging this pull request may close these issues.

Error in running openSSL importer
3 participants