#
# Copyright (c) nexB Inc. and others. All rights reserved.
# VulnerableCode is a trademark of nexB Inc.
# SPDX-License-Identifier: Apache-2.0
# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
# See https://github.com/aboutcode-org/vulnerablecode for support or download.
# See https://aboutcode.org for more information about nexB OSS projects.
#
import bz2
import xml.etree.ElementTree as ET
import requests
from vulnerabilities.importer import OvalImporter
from vulnerabilities.utils import get_http_headers
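class DebianOvalImporter(OvalImporter):
    """Import Debian security advisories from the Debian OVAL feeds.

    One bz2-compressed OVAL XML document is downloaded per Debian release
    listed in ``releases``; ``_fetch`` yields each document together with
    the package-URL fields that identify that release.  Parsing of the
    OVAL content itself is left to the ``OvalImporter`` base class.
    """

    spdx_license_expression = "LicenseRef-scancode-other-permissive"
    license_url = "https://www.debian.org/license"
    notice = """
From: Tushar Goel <tgoel@nexb.com>
Date: Thu, May 12, 2022 at 11:42 PM +00:00
Subject: Usage of Debian Security Data in VulnerableCode
To: <team@security.debian.org>
Hey,
We would like to integrate the debian security data in vulnerablecode
[1][2] which is a FOSS db of FOSS vulnerability data. We were not able
to know under which license the debian security data comes. We would
be grateful to have your acknowledgement over usage of the debian
security data in vulnerablecode and have some kind of licensing
declaration from your side.
[1] - https://github.com/nexB/vulnerablecode
[2] - https://github.com/nexB/vulnerablecode/pull/723
Regards,
From: Moritz Mühlenhoff <jmm@inutil.org>
Date: Wed, May 17, 2022, 19:12 PM +00:00
Subject: Re: Usage of Debian Security Data in VulnerableCode
To: Tushar Goel <tgoel@nexb.com>
Cc: <team@security.debian.org>
Am Thu, May 12, 2022 at 05:12:48PM +0530 schrieb Tushar Goel:
> Hey,
>
> We would like to integrate the debian security data in vulnerablecode
> [1][2] which is a FOSS db of FOSS vulnerability data. We were not able
> to know under which license the debian security data comes. We would
> be grateful to have your acknowledgement over usage of the debian
> security data in vulnerablecode and have some kind of licensing
> declaration from your side.
We don't have a specific license, but you have our endorsemen to
reuse the data by all means :-)
Cheers,
Moritz
"""
    importer_name = "Debian Oval Importer"

    # Debian release code names whose OVAL feeds are fetched, in the order
    # they are yielded.  Kept on the class (rather than hard-coded inside
    # ``_fetch``) so a subclass or a test can narrow or extend the set
    # without re-implementing the download loop.
    releases = ["wheezy", "stretch", "jessie", "buster", "bullseye"]

    # Per-request socket timeout in seconds.  Without a timeout a stalled
    # connection blocks the importer indefinitely; the OVAL archives are a
    # few megabytes each, so this value is generous rather than tight.
    request_timeout = 60

    def __init__(self, *args, **kwargs):
        """Initialise the base importer and install Debian's OVAL phrasing.

        Args:
            *args, **kwargs: forwarded unchanged to ``OvalImporter``.
        """
        super().__init__(*args, **kwargs)
        # We could avoid setting translations, and have it set by default
        # in the OvalParser, but we don't yet know whether all OVAL
        # providers use the same format, so the mapping stays per-importer.
        self.translations = {"less than": "<"}

    def _fetch(self):
        """Download and decompress one OVAL document per configured release.

        Yields:
            A ``(purl_fields, tree)`` pair per release, where ``purl_fields``
            is ``{"type": "deb", "namespace": "debian",
            "qualifiers": {"distro": <release>}}`` and ``tree`` is the
            parsed ``xml.etree.ElementTree.ElementTree`` of the feed.

        Raises:
            requests.HTTPError: if the feed download returns an error
                status.  Previously a 4xx/5xx body reached ``bz2`` and
                surfaced as an unrelated ``OSError``; failing on the HTTP
                status makes the cause visible in logs.
            requests.RequestException: on connection failure or timeout.
            OSError: if the downloaded body is not valid bz2 data.
            xml.etree.ElementTree.ParseError: if the XML is malformed.
        """
        for release in self.releases:
            file_url = (
                f"https://www.debian.org/security/oval/oval-definitions-{release}.xml.bz2"
            )
            # ``data_url`` is updated per release; presumably the base
            # class reads it when it builds advisories — confirm in OvalImporter.
            self.data_url = file_url
            resp = requests.get(
                file_url,
                headers=get_http_headers(),
                timeout=self.request_timeout,
            )
            resp.raise_for_status()
            extracted = bz2.decompress(resp.content)
            # NOTE(review): the content is fetched over HTTPS from debian.org
            # but is still external input parsed with the stdlib XML parser;
            # a hardened parser (e.g. defusedxml) is the safer choice if the
            # project is willing to take on the dependency.
            yield (
                {"type": "deb", "namespace": "debian", "qualifiers": {"distro": release}},
                ET.ElementTree(ET.fromstring(extracted.decode("utf-8"))),
            )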