Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Apache Log4j Advisories #1744

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Add Apache Log4j Advisories #1744

wants to merge 6 commits into from

Conversation

NucleonGodX
Copy link

This pull request addresses issue #586 by adding an importer for Apache Log4j advisories
image

@NucleonGodX
initial push, add apachelog4importer
208a9d5 
Signed-off-by: NucleonGodX <racerpro41@gmail.com>
@NucleonGodX
codestyle changes
434f637 
Signed-off-by: NucleonGodX <racerpro41@gmail.com>
@NucleonGodX NucleonGodX marked this pull request as draft January 15, 2025 06:58
@NucleonGodX NucleonGodX marked this pull request as ready for review January 17, 2025 11:12
@TG1999
Copy link
Contributor

TG1999 commented Jan 23, 2025

@NucleonGodX thanks for your contributions, can you please use pipeline structure. https://github.com/aboutcode-org/vulnerablecode/blob/main/vulnerabilities/pipelines/nvd_importer.py check this for example

pombredanne
pombredanne requested changes Jan 24, 2025
View reviewed changes
Copy link
Member

@pombredanne pombredanne left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! In addition to use the new pipelines, here are a few comments for your consideration. We also need some tests.

vulnerabilities/importers/apache_log4j.py Outdated
@@ -0,0 +1,252 @@
import logging
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use the same header as in other files

vulnerabilities/importers/apache_log4j.py Outdated
@@ -0,0 +1,252 @@
import logging
import xml.etree.ElementTree as ET
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider using the cyclonedx python library to parse this, and not parsing XML yourself

vulnerabilities/importers/apache_log4j.py Outdated
Parse the XML content and create AdvisoryData objects.
"""
advisories = []
version_mapping = [
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why use mapping? are you positively sure that these are forever all the known versions of log4j? Also this would not be a mapping, rather just a set of some versions?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added them from https://www.cvedetails.com/version-list/45/37215/1/Apache-Log4j.html?order=0.

vulnerabilities/importers/apache_log4j.py Outdated
"2.17.1",
]

try:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why a try/except here?

vulnerabilities/importers/apache_log4j.py Outdated
]

try:
root = ET.fromstring(xml_content)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use the cyclonedx parser.

vulnerabilities/improvers/valid_versions.py

class Log4jImprover(ValidVersionImprover):
importer = ApacheLog4jImporter
ignorable_versions = []
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We likely need some improver to get and expand the list of known versions

@NucleonGodX
suggestions applied, importer converted to pipeline
32c9345 
Signed-off-by: NucleonGodX <racerpro41@gmail.com>
@NucleonGodX
clean-up
79e83d1 
Signed-off-by: NucleonGodX <racerpro41@gmail.com>
@NucleonGodX
severity_systems and weaknesses updated for importer
ee6578a 
Signed-off-by: NucleonGodX <racerpro41@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pombredanne pombredanne Awaiting requested review from pombredanne

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@NucleonGodX @TG1999 @pombredanne