Merge branch 'main' into debian_importer_v2

Author: TG1999

docs/source/installation.rst

@@ -84,6 +84,10 @@ to run on a different port than 8000.
    are several steps that may be needed to secure such a deployment.
    Currently, this is not recommendend.
 
+.. tip::
+
+    Set ``STAGING`` to ``False`` in production to disable the staging environment warning.
+
 Execute a Command
 ^^^^^^^^^^^^^^^^^
 

vulnerabilities/pipes/osv_v2.py

@@ -17,7 +17,6 @@
 from cvss.exceptions import CVSS3MalformedError
 from cvss.exceptions import CVSS4MalformedError
 from packageurl import PackageURL
-from univers.version_constraint import InvalidConstraintsError
 from univers.version_constraint import VersionConstraint
 from univers.version_constraint import validate_comparators
 from univers.version_range import RANGE_CLASS_BY_SCHEMES
@@ -49,7 +48,7 @@
     "rubygems": "gem",
     "go": "golang",
     "hex": "hex",
-    "cargo": "cargo",
+    "crates.io": "cargo",
 }
 
 

vulnerabilities/templates/footer.html

@@ -1,9 +1,9 @@
 <footer class="footer">
     <div class="content has-text-centered">
         <p>
-            <strong>VulnerableCode</strong> is free software by <a href="https://github.com/nexB/vulnerablecode"> nexB Inc. and others</a> |
-            Source code license: <a href="https://github.com/nexB/vulnerablecode/blob/main/apache-2.0.LICENSE">Apache-2.0</a> |
-            Data license: <a href="https://github.com/nexB/vulnerablecode/blob/main/cc-by-sa-4.0.LICENSE">CC-BY-SA-4.0</a> | <a href="/tos">Terms of Service</a>
+            <strong>VulnerableCode</strong> is free software by <a href="https://github.com/aboutcode-org/vulnerablecode"> nexB Inc. and others</a> |
+            Source code license: <a href="https://github.com/aboutcode-org/vulnerablecode/blob/main/apache-2.0.LICENSE">Apache-2.0</a> |
+            Data license: <a href="https://github.com/aboutcode-org/vulnerablecode/blob/main/cc-by-sa-4.0.LICENSE">CC-BY-SA-4.0</a> | <a href="/tos">Terms of Service</a>
         </p>
     </div>
 </footer>

vulnerabilities/templates/navbar.html

@@ -1,6 +1,18 @@
 {% load utils %}
 
-<nav class="navbar is-dark mb-5 border-bottom-radius" role="navigation" aria-label="main navigation">
+
+{% if STAGING %}
+<div class="notification is-danger has-text-centered is-fixed-top my-0" style="border-radius: 0;">
+    <span class="icon">
+        <i class="fa fa-exclamation-triangle"></i>
+    </span>
+    <strong> Staging Environment:</strong>
+    Content and features may be unstable or change without notice.
+</div>
+{% endif %}
+
+<nav class="navbar is-dark mb-5 border-bottom-radius" role="navigation" aria-label="main navigation"
+    style="border-radius: 0;">
     <div class="navbar-brand ml-3">
         <a class="navbar-item is-size-4 has-text-weight-bold {% active_item 'home' %}" href="{% url 'home' %}">
             VulnerableCode<span class="nexb-orange">.</span>io
@@ -29,26 +41,27 @@
         <div class="navbar-item navbar-item is-cursor-help">
             <div class="dropdown is-right is-hoverable ">
                 <div class="dropdown-trigger has-text-grey-light">About</div>
-                    <div class="dropdown-menu navbar-hover-div" role="menu">
+                <div class="dropdown-menu navbar-hover-div" role="menu">
                     <div class="dropdown-content">
                         <div class="dropdown-item about-hover-div">
 
                             VulnerableCode is a free and open database of software package vulnerabilities.
                             <ul>
                                 <li>
                                     Live chat at <a href="https://gitter.im/aboutcode-org/vulnerablecode">
-                                    https://gitter.im/aboutcode-org/vulnerablecode</a>
+                                        https://gitter.im/aboutcode-org/vulnerablecode</a>
                                 </li>
                                 <li>
-                                    Source code and support at <a href="https://github.com/nexB/vulnerablecode">https://github.com/nexB/vulnerablecode</a>
+                                    Source code and support at <a
+                                        href="https://github.com/nexB/vulnerablecode">https://github.com/nexB/vulnerablecode</a>
                                 </li>
                                 <li>
-                                    Docs at <a href=https://vulnerablecode.readthedocs.org/>
+                                    Docs at <a href=https://vulnerablecode.readthedocs.org />
                                     https://vulnerablecode.readthedocs.org/</a>
                                 </li>
                                 <li>
                                     Sponsored by NLnet <a href="https://nlnet.nl/project/vulnerabilitydatabase/">
-                                    https://nlnet.nl/project/vulnerabilitydatabase/</a> for
+                                        https://nlnet.nl/project/vulnerabilitydatabase/</a> for
                                     <a href="https://www.aboutcode.org/">https://www.aboutcode.org/</a>
                                 </li>
                             </ul>
@@ -59,7 +72,7 @@
         </div>
         <div class="navbar-item navbar-item is-cursor-help">
             <div class="dropdown-trigger has-text-grey-light">
-            v{{ VULNERABLECODE_VERSION }}
+                v{{ VULNERABLECODE_VERSION }}
             </div>
         </div>
     </div>

vulnerabilities/tests/pipes/test_osv_v2.py

@@ -184,6 +184,16 @@ def test_to_advisories_github3(self):
         result = imported_data.to_dict()
         util_tests.check_results_against_json(result, expected_file)
 
+    def test_to_advisories_github4(self):
+        with open(os.path.join(TEST_DATA, "github/github-4.json")) as f:
+            mock_response = json.load(f)
+        expected_file = os.path.join(TEST_DATA, "github/github-expected-4.json")
+        imported_data = parse_advisory_data_v3(
+            mock_response, "cargo", advisory_url="https://test.com", advisory_text=""
+        )
+        result = imported_data.to_dict()
+        util_tests.check_results_against_json(result, expected_file)
+
     def test_to_advisories_oss_fuzz1(self):
         with open(os.path.join(TEST_DATA, "oss-fuzz/oss-fuzz-1.yaml")) as f:
             mock_response = saneyaml.load(f)

vulnerabilities/tests/test_data/osv_test/github/github-4.json

@@ -0,0 +1,47 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-wjxc-pjx9-4wvm",
+  "modified": "2024-02-03T00:18:06Z",
+  "published": "2024-02-03T00:18:06Z",
+  "aliases": [],
+  "summary": "Nervos CKB Panic on malformed input",
+  "details": "### Impact\nCKB process will panic when received malformed p2p message because of snappy, which is used to compress network messages\n\n### References\nhttps://github.com/BurntSushi/rust-snappy/issues/29",
+  "severity": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "crates.io",
+        "name": "ckb"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.34.2"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 0.34.1"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/nervosnetwork/ckb/security/advisories/GHSA-wjxc-pjx9-4wvm"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2024-02-03T00:18:06Z",
+    "nvd_published_at": null
+  }
+}

vulnerabilities/tests/test_data/osv_test/github/github-expected-4.json

@@ -0,0 +1,39 @@
+{
+  "advisory_id": "GHSA-wjxc-pjx9-4wvm",
+  "aliases": [],
+  "summary": "Nervos CKB Panic on malformed input\n### Impact\nCKB process will panic when received malformed p2p message because of snappy, which is used to compress network messages\n\n### References\nhttps://github.com/BurntSushi/rust-snappy/issues/29",
+  "affected_packages": [
+    {
+      "package": {
+        "type": "cargo",
+        "namespace": "",
+        "name": "ckb",
+        "version": "",
+        "qualifiers": "",
+        "subpath": ""
+      },
+      "affected_version_range": "vers:cargo/<=0.34.1",
+      "fixed_version_range": "vers:cargo/0.34.2",
+      "introduced_by_commit_patches": [],
+      "fixed_by_commit_patches": []
+    }
+  ],
+  "references_v2": [
+    {
+      "reference_id": "",
+      "reference_type": "",
+      "url": "https://github.com/nervosnetwork/ckb/security/advisories/GHSA-wjxc-pjx9-4wvm"
+    }
+  ],
+  "patches": [],
+  "severities": [
+    {
+      "system": "generic_textual",
+      "value": "HIGH",
+      "scoring_elements": ""
+    }
+  ],
+  "date_published": "2024-02-03T00:18:06+00:00",
+  "weaknesses": [],
+  "url": "https://test.com"
+}

vulnerablecode/context_processors.py

@@ -7,10 +7,16 @@
 # See https://aboutcode.org for more information about nexB OSS projects.
 #
 
+from django.conf import settings
+
 from vulnerablecode import __version__ as vulnerablecode_version
 
 
 def versions(request):
     return {
         "VULNERABLECODE_VERSION": vulnerablecode_version,
     }
+
+
+def staging(request):
+    return {"STAGING": getattr(settings, "STAGING")}

vulnerablecode/settings.py

@@ -51,6 +51,9 @@
 # SECURITY WARNING: do not  run with debug turned on in production
 DEBUG_UI = env.bool("VULNERABLECODE_DEBUG_UI", default=False)
 
+# WARNING: Set this to False in production
+STAGING = env.bool("STAGING", default=True)
+
 EMAIL_BACKEND = "django.core.mail.backends.smtp.EmailBackend"
 EMAIL_HOST = env.str("EMAIL_HOST", default="")
 EMAIL_USE_TLS = True
@@ -139,6 +142,7 @@
                 "django.template.context_processors.request",
                 "django.template.context_processors.static",
                 "vulnerablecode.context_processors.versions",
+                "vulnerablecode.context_processors.staging",
             ],
         },
     },