add-amazon-linux-advisories-initial-commit

Signed-off-by: ambuj <kulshreshthaak.12@gmail.com>

Author: ambuj-1211

vulnerabilities/importers/amazon_linux.py

@@ -0,0 +1,219 @@
+#
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/nexB/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+import logging
+from datetime import datetime
+from typing import Any
+from typing import Iterable
+from typing import List
+from typing import Mapping
+from typing import Optional
+from urllib.parse import urljoin
+
+import pytz
+from bs4 import BeautifulSoup
+from packageurl import PackageURL
+from univers.version_range import RpmVersionRange
+
+from vulnerabilities.importer import AdvisoryData
+from vulnerabilities.importer import AffectedPackage
+from vulnerabilities.importer import Importer
+from vulnerabilities.importer import Reference
+from vulnerabilities.importer import VulnerabilitySeverity
+from vulnerabilities.references import WireSharkReference
+from vulnerabilities.references import XsaReference
+from vulnerabilities.references import ZbxReference
+from vulnerabilities.severity_systems import SCORING_SYSTEMS
+from vulnerabilities.utils import fetch_response
+from vulnerabilities.utils import is_cve
+
+LOGGER = logging.getLogger(__name__)
+BASE_URL = "https://alas.aws.amazon.com/"
+other_url = "https://explore.alas.aws.amazon.com/{cve_id.json}"  # use this in the url in code to get details for the specific cve.
+
+
+class AmazonLinuxImporter(Importer):
+    spdx_license_expression = "CC BY 4.0"  # check if this is correct
+    license_url = " "  # todo
+
+    importer_name = "Amazon Linux Importer"
+
+    def advisory_data(self) -> Iterable[AdvisoryData]:
+        amazon_linux_1_url = BASE_URL + "/index.html"
+        amazon_linux_2_url = BASE_URL + "/alas2.html"
+        amazon_linux_2023_url = BASE_URL + "/alas2023.html"
+        amazonlinux_advisories_pages = [
+            amazon_linux_1_url,
+            amazon_linux_2_url,
+            amazon_linux_2023_url,
+        ]
+        alas_dict = {}
+        for amazonlinux_advisories_page in amazonlinux_advisories_pages:
+            alas_dict.update(fetch_alas_id_and_advisory_links(amazonlinux_advisories_page))
+
+        for alas_id, alas_url in alas_dict.items():
+            # It iterates through alas_dict to get alas ids and alas url
+            if alas_id and alas_url:
+                alas_advisory_page_content = fetch_response(alas_url).content
+                yield process_advisory_data(alas_id, alas_advisory_page_content, alas_url)
+
+
+def fetch_alas_id_and_advisory_links(page_url: str) -> dict[str, str]:
+    """
+    Return a dictionary where 'ALAS' entries are the keys and
+    their corresponding advisory page links are the values.
+    """
+
+    page_response_content = fetch_response(page_url).content
+    # Parse the HTML content
+    soup = BeautifulSoup(page_response_content, "html.parser")
+    alas_dict = {}
+
+    if page_url == "https://alas.aws.amazon.com/index.html":
+        # Find all relevant ALAS links and their IDs
+        for row in soup.find_all("tr", id=True):
+            alas_id = row["id"]
+            link_tag = row.find("a", href=True)
+            if link_tag:
+                full_url = "https://alas.aws.amazon.com/" + link_tag["href"]
+                alas_dict[alas_id] = full_url
+
+    elif page_url == "https://alas.aws.amazon.com/alas2.html":
+        # Find all relevant ALAS links and their IDs
+        for row in soup.find_all("tr", id=True):
+            alas_id = row["id"]
+            link_tag = row.find("a", href=True)
+            if link_tag:
+                full_url = "https://alas.aws.amazon.com/AL2" + link_tag["href"]
+                alas_dict[alas_id] = full_url
+
+    else:
+        # Find all relevant ALAS links and their IDs
+        for row in soup.find_all("tr", id=True):
+            alas_id = row["id"]
+            link_tag = row.find("a", href=True)
+            if link_tag:
+                full_url = "https://alas.aws.amazon.com/AL2023/" + link_tag["href"]
+                alas_dict[alas_id] = full_url
+    return alas_dict
+
+
+def process_advisory_data(alas_id, alas_advisory_page_content, alas_url) -> Optional[AdvisoryData]:
+
+    soup = BeautifulSoup(alas_advisory_page_content, "html.parser")
+    aliases = []
+    aliases.append(alas_id)
+
+    # Find the advisory release date
+    release_date_span = next(
+        (
+            span
+            for span in soup.find_all("span", class_="alas-info")
+            if "Advisory Release Date:" in span.get_text(strip=True)
+        ),
+        None,
+    )
+
+    release_date = (
+        release_date_span.get_text(strip=True).split(":", 1)[1].strip()
+        if release_date_span
+        else None
+    )
+    date_published = get_date_published(release_date)
+
+    # Extract Issue Overview (all points of issue overviews texts)
+    issue_overview = []
+    for p in soup.find("div", id="issue_overview").find_all("p"):
+        issue_overview.append(p.text.strip())
+    summary = create_summary(issue_overview)
+
+    # Extract Affected Packages (list of strings)
+    processed_affected_packages = []
+    affected_packages_section = soup.find("div", id="affected_packages")
+    if affected_packages_section:
+        affected_packages = affected_packages_section.find_all("p")
+        affected_packages = [pkg.text.strip() for pkg in affected_packages]
+
+    # getting new packages
+    new_packages_div = soup.find("div", id="new_packages")
+
+    # Extract the text elements between <br /> tags within this div
+    if new_packages_div:
+        new_packages_list = [
+            element.strip() for element in new_packages_div.pre.stripped_strings if element.strip()
+        ]
+    else:
+        new_packages_list = []
+
+    for package in affected_packages:
+        purl = PackageURL(type="rpm", namespace="alas.aws.amazon", name=package)
+        # fixed_version = get_fixed_versions(new_packages_list)
+        processed_affected_packages.append(
+            AffectedPackage(package=purl, affected_version_range=None, fixed_version=None)
+        )
+
+    cve_list = []
+    for link in soup.find("div", id="references").find_all("a", href=True):
+        if "CVE-" in link.text:
+            cve_list.append((link.text.strip(), "https://alas.aws.amazon.com" + link["href"]))
+
+    references: List[Reference] = []
+    for cve_id, cve_url in cve_list:
+        cve_json_url = f"https://explore.alas.aws.amazon.com/{cve_id}"
+        response = fetch_response(cve_json_url)
+
+        # Parse the JSON data
+        cve_info = response.json()
+        severity_scores = cve_info.get("scores", [])
+        severity = []
+        for score in severity_scores:
+            severity.append(
+                VulnerabilitySeverity(
+                    system=SCORING_SYSTEMS[score.get("type", "").lower()],
+                    value=score.get("score", ""),
+                    scoring_elements=score.get("vector", ""),
+                )
+            )
+        references.append(Reference(reference_id=cve_id, url=cve_url, severities=severity))
+
+    url = alas_url
+
+    return AdvisoryData(
+        aliases=aliases,
+        date_published=date_published,
+        summary=summary,
+        references=references,
+        affected_packages=processed_affected_packages,
+        url=url,
+    )
+
+
+def get_date_published(release_date_string):
+
+    # Parse the date and time
+    date_part = release_date_string[:16]
+    time_zone = release_date_string[17:]
+
+    # Convert to datetime object (naive)
+    naive_date = datetime.strptime(date_part, "%Y-%m-%d %H:%M")
+
+    # Convert to aware datetime by adding the Pacific time zone
+    timezone = pytz.timezone("America/Los_Angeles")
+    date_published = timezone.localize(naive_date)
+    return date_published
+
+
+def create_summary(summary_point: List):
+    summary = ". ".join(summary_point)
+
+    # Add a period at the end if the final sentence doesn't end with one
+    if not summary.endswith("."):
+        summary += "."
+    return summary

vulnerabilities/tests/test_amazon_linux.py

@@ -0,0 +1,33 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/nexB/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+import json
+import os
+from unittest import TestCase
+
+from bs4 import BeautifulSoup
+
+from vulnerabilities.importers.amazon_linux import process_advisory_data
+from vulnerabilities.tests import util_tests
+
+BASE_DIR = os.path.dirname(os.path.abspath(__file__))
+TEST_DATA = os.path.join(BASE_DIR, "test_data/amazon_linux")
+
+
+class TestAmazonLinuxImporter(TestCase):
+    def test_process_advisory_data1(self):
+        with open(
+            os.path.join(TEST_DATA, "amazon_linux_advisory_test1.html"), "r", encoding="utf-8"
+        ) as file:
+            html_content = file.read()
+        result = process_advisory_data(
+            "ALAS-2024-1943", html_content, "https://test-url.com/ALAS-2024-1943.html"
+        ).to_dict()
+        # expected_file = os.path.join(TEST_DATA, "github_osv_expected_1.json")
+        print(f"Output is {result}")
+        # util_tests.check_results_against_json(result, expected_file)

vulnerabilities/tests/test_data/amazon_linux/amazon_linux_advisory_test1.html

@@ -0,0 +1,130 @@
+
+<!doctype html>
+<html>
+    <head>
+        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+        <title>ALAS-2024-1943</title>
+        <link rel='icon' type='image/x-icon' href='static/favicon.ico' />
+<link rel="stylesheet" href="static/bootstrap.min.css" type='text/css' media='print, projection, screen' >
+<link rel='stylesheet' href='static/blue_style.css' type='text/css' media='print, projection, screen' />
+<link rel='stylesheet' href='static/fontawesome.css' type='text/css' media='print, projection, screen' />
+<link rel='stylesheet' href='static/style.css' type='text/css' media='print, projection, screen' />
+<script type='text/javascript' src='static/jquery.min.js'></script>
+<script type='text/javascript' src='static/jquery.tablesorter.min.js'></script>
+<script type="text/javascript" src="static/index.js"></script>
+
+<!--Add constant cookie banner on this page-->
+<script type = 'text/javascript'>
+    var shortbread = AWSCShortbread();
+    shortbread.checkForCookieConsent();
+    function customize() {
+        shortbread.customizeCookies();
+    }
+</script>
+
+<style>
+    a{text-decoration: none; color: #0073BB}
+    a:visited{color: #0073BB}
+    .Site {
+        display: flex;
+        display: -webkit-flex; /* Safari */
+        min-height: 100vh;
+        flex-direction: column;
+    }
+    .Site-content {
+        flex: 1;
+    }
+</style>
+    </head>
+    <body class="Site">
+        <main class="Site-content">
+            <div class="container">
+                <nav class="navbar navbar-fixed-top navbar-inverse" style="background-color: #000000" id="bs-navbar">
+    <a style="font-size: 20px; color: #FF9900" class="navbar-brand" href="/"><b>Amazon Linux Security Center</b></a>
+    <ul class="nav navbar-nav navbar-right" style="color: #ff9900">
+    <li style="background-color: #FF9900;"> <a style="color: #000000" href="/index.html">Amazon Linux 1</a> </li><li style="background-color: #333333;"> <a style="color: #FFFFFF" href="/alas2.html">Amazon Linux 2</a> </li><li style="background-color: #333333;"> <a style="color: #FFFFFF" href="/alas2023.html">Amazon Linux 2023</a> </li><li style="background-color: #333333;"> <a style="color: #FFFFFF" href="/announcements.html">Announcements</a> </li><li style="background-color: #333333;"> <a style="color: #FFFFFF" href="/faqs.html">FAQs</a> </li>
+    </ul>
+</nav>
+            </div>
+            <div style='min-height: 523px; margin-top:80px;' class='nine columns content-with-nav' role='main'>
+                <section>
+                    <div class='title'>
+                        <h1 id='ALAS-2024-1943'>ALAS-2024-1943</h1>
+                    </div>
+
+                    <div class='text'>
+                        <hr class='mid-pad'>
+                        <span class='alas-info'>
+                            <b>Amazon Linux 1 Security Advisory:</b> ALAS-2024-1943
+                        </span><br />
+                        <span class='alas-info'><b>Advisory Release Date:</b> 2024-07-03 21:01 Pacific</span><br />
+                        <span class='alas-info'><b>Advisory Updated Date:</b> 2024-07-08 17:04 Pacific</span><br />
+
+                        <div id='severity' class='alas-info'>
+                            <b>Severity:</b>
+                            <span class='date'>
+                                <span class='bulletin-type'>
+                                    <i class='fas fa-exclamation-triangle'></i>
+                                </span>
+                            </span>
+                            Important<br />
+                        </div>
+
+                        <div id='references'>
+                            <b>References:</b>
+                            <a href='/cve/html/CVE-2021-47110.html' target='_blank' rel='noopener noreferrer'>CVE-2021-47110&nbsp;</a>
+                            <br />
+                            <a href="../../faqs.html">FAQs regarding Amazon Linux ALAS/CVE Severity</a>
+                        </div>
+
+                        <hr class='mid-pad'>
+                        <div id='issue_overview'>
+                            <b>Issue Overview:</b>
+                            <p>In the Linux kernel, the following vulnerability has been resolved:</p><p>x86/kvm: Disable kvmclock on all CPUs on shutdown (CVE-2021-47110)</p>
+                        </div>
+
+                        <div id='affected_packages' class='alas-info'>
+                            <br />
+                            <b>Affected Packages:</b>
+                            <br />
+                            <p>kernel</p>
+                        </div>
+
+                        <div id='issue_correction'>
+                            <br />
+                            <b>Issue Correction:</b>
+                            <br />Run <i>yum update kernel</i> to update your system.<br /></div>
+                        <br />
+                        <div id='new_packages'>
+                            <b>New Packages:</b><pre>i686:<br />&nbsp;&nbsp;&nbsp; kernel-debuginfo-4.14.348-187.565.amzn1.i686<br />&nbsp;&nbsp;&nbsp; kernel-devel-4.14.348-187.565.amzn1.i686<br />&nbsp;&nbsp;&nbsp; kernel-tools-devel-4.14.348-187.565.amzn1.i686<br />&nbsp;&nbsp;&nbsp; kernel-headers-4.14.348-187.565.amzn1.i686<br />&nbsp;&nbsp;&nbsp; perf-debuginfo-4.14.348-187.565.amzn1.i686<br />&nbsp;&nbsp;&nbsp; kernel-debuginfo-common-i686-4.14.348-187.565.amzn1.i686<br />&nbsp;&nbsp;&nbsp; kernel-tools-4.14.348-187.565.amzn1.i686<br />&nbsp;&nbsp;&nbsp; perf-4.14.348-187.565.amzn1.i686<br />&nbsp;&nbsp;&nbsp; kernel-4.14.348-187.565.amzn1.i686<br />&nbsp;&nbsp;&nbsp; kernel-tools-debuginfo-4.14.348-187.565.amzn1.i686<br /><br />src:<br />&nbsp;&nbsp;&nbsp; kernel-4.14.348-187.565.amzn1.src<br /><br />x86_64:<br />&nbsp;&nbsp;&nbsp; kernel-devel-4.14.348-187.565.amzn1.x86_64<br />&nbsp;&nbsp;&nbsp; kernel-tools-debuginfo-4.14.348-187.565.amzn1.x86_64<br />&nbsp;&nbsp;&nbsp; kernel-4.14.348-187.565.amzn1.x86_64<br />&nbsp;&nbsp;&nbsp; kernel-headers-4.14.348-187.565.amzn1.x86_64<br />&nbsp;&nbsp;&nbsp; kernel-tools-4.14.348-187.565.amzn1.x86_64<br />&nbsp;&nbsp;&nbsp; kernel-tools-devel-4.14.348-187.565.amzn1.x86_64<br />&nbsp;&nbsp;&nbsp; kernel-debuginfo-common-x86_64-4.14.348-187.565.amzn1.x86_64<br />&nbsp;&nbsp;&nbsp; perf-4.14.348-187.565.amzn1.x86_64<br />&nbsp;&nbsp;&nbsp; kernel-debuginfo-4.14.348-187.565.amzn1.x86_64<br />&nbsp;&nbsp;&nbsp; perf-debuginfo-4.14.348-187.565.amzn1.x86_64<br /><br /></pre></div>
+                    </div>
+                    <div style="flex:1; margin-bottom: 40px;" class="links-container">
+                        <h3 class="section-heading">Additional References</h3>
+                        <p>
+                            Red Hat:&nbsp;<a style="margin-bottom: 40px;" href="https://access.redhat.com/security/cve/CVE-2021-47110" target="_blank" rel="noopener noreferrer">CVE-2021-47110</a></p>
+                        <p>
+                            Mitre:&nbsp;<a style="margin-bottom: 40px;" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-47110" target="_blank" rel="noopener noreferrer">CVE-2021-47110</a></p>
+                    </div>
+                </section>
+            </div>
+        </main>
+        <footer style="padding-left: 30px; padding-right: 30px;"><p style="color: #687078">
+      CVE description copyright &#169 2023
+      <a href="https://cve.mitre.org/about/termsofuse.html" target="_blank" rel="noopener noreferrer">The MITRE Corporation</a>
+    </p>
+    <p style="color: #687078">
+      CVE description copyright &#169 2023 Red Hat, Inc. Per
+      <a href="https://access.redhat.com/security/data" target="_blank" rel="noopener noreferrer">https://access.redhat.com/security/data</a>,
+      RedHat's CVE report is licensed under
+      <a href="https://creativecommons.org/licenses/by/4.0/" target="_blank" rel="noopener noreferrer">CC BY 4.0</a>.
+    </p>
+</footer>
+        <footer style="padding-left: 30px; padding-right: 30px;"><p>
+        <a href="https://aws.amazon.com/privacy/" target="_blank" rel="noopener noreferrer">Privacy</a> |
+        <a href="https://aws.amazon.com/terms/" target="_blank" rel="noopener noreferrer">Site terms apply, and downloading this site or portions of it is permitted</a> |
+        <a href="#" onclick="customize()">Cookie preferences</a> |
+        <span style="color: #687078">&#169 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.</span>
+    </p>
+</footer>
+    </body>
+</html>