From 73198d6322f07e768142692cdaed49432ee15db9 Mon Sep 17 00:00:00 2001 From: krishn-cpu Date: Tue, 8 Apr 2025 16:10:57 +0530 Subject: [PATCH] Migrate Apache HTTPD importer to import-improve structure --- pyproject.toml | 1 - vulnerabilities/importers/apache_httpd.py | 8 +- .../improvers/valid_versions/apache_httpd.py | 46 +++++++ vulnerabilities/tests/test_apache_httpd.py | 18 ++- .../CVE-2021-44224-apache-httpd-expected.json | 31 +++-- .../apache_httpd/CVE-2021-44224.json | 103 +++++----------- .../apache-httpd-improver-expected.json | 116 ++++-------------- 7 files changed, 135 insertions(+), 188 deletions(-) create mode 100644 vulnerabilities/improvers/valid_versions/apache_httpd.py diff --git a/pyproject.toml b/pyproject.toml index 6b1d8c0d5..e22c21582 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -46,7 +46,6 @@ addopts = [ "--doctest-modules", # Ignore the following doctests until these files are migrated to # import-improve structure - "--ignore=vulnerabilities/importers/apache_httpd.py", "--ignore=vulnerabilities/importers/apache_kafka.py", "--ignore=vulnerabilities/importers/apache_tomcat.py", "--ignore=vulnerabilities/importers/elixir_security.py", diff --git a/vulnerabilities/importers/apache_httpd.py b/vulnerabilities/importers/apache_httpd.py index 75099ab8f..12e887add 100644 --- a/vulnerabilities/importers/apache_httpd.py +++ b/vulnerabilities/importers/apache_httpd.py @@ -37,6 +37,7 @@ class ApacheHTTPDImporter(Importer): spdx_license_expression = "Apache-2.0" license_url = "https://www.apache.org/licenses/LICENSE-2.0" importer_name = "Apache HTTPD Importer" + created_by = "apache_httpd_importer" def advisory_data(self): links = fetch_links(self.base_url) @@ -114,6 +115,7 @@ def to_advisory(self, data): references=[reference], weaknesses=weaknesses, url=reference.url, + created_by=self.created_by, ) def to_version_ranges(self, versions_data, fixed_versions): 
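Review bot: The literal `"apache_httpd_importer"` assigned to `created_by` in the first apache_httpd.py hunk is repeated verbatim in the new improver's `interesting_advisories` filter (vulnerabilities/improvers/valid_versions/apache_httpd.py), so an edit to either side makes the improver silently select nothing. Have the improver reference the importer, `Advisory.objects.filter(created_by=ApacheHTTPDImporter.created_by)`, or move the string to one shared module constant that both files import. The second hunk's `created_by=self.created_by` is consistent with the new attribute; `to_advisory` starts above that hunk.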
@@ -248,7 +250,7 @@ def get_weaknesses(cve_data): descriptions = problemTypes[0].get("descriptions", []) if len(problemTypes) > 0 else [] for description in descriptions: cwe_id_string = description.get("cweId", "") - cwe_strings.append(cwe_id_string) + if cwe_id_string: + cwe_strings.append(cwe_id_string) - weaknesses = create_weaknesses_list(cwe_strings) - return weaknesses + return create_weaknesses_list(cwe_strings) diff --git a/vulnerabilities/improvers/valid_versions/apache_httpd.py b/vulnerabilities/improvers/valid_versions/apache_httpd.py new file mode 100644 index 000000000..1344f4581 --- /dev/null +++ b/vulnerabilities/improvers/valid_versions/apache_httpd.py 
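Review bot: The guarded `if cwe_id_string:` append is correct, but the keys read here (`descriptions`, `cweId`) are the CVE JSON 5.0 shape, while the rewritten fixture CVE-2021-44224.json in this commit carries the 4.0 shape `problemtype.problemtype_data[].description[].value = "CWE-200 …"` with no `cweId`. How `problemTypes` is populated is above the hunk (`get_weaknesses` starts outside it), so if nothing there maps the 4.0 form, the new `test_apache_httpd_importer` would observe `weaknesses == []` rather than the `[200]` the expected file asserts; worth running that test rather than assuming. While here, the context line `if len(problemTypes) > 0 else []` reads better as `if problemTypes else []`.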
@@ -0,0 +1,46 @@ +# +# Copyright (c) nexB Inc. and others. All rights reserved. +# VulnerableCode is a trademark of nexB Inc. +# SPDX-License-Identifier: Apache-2.0 +# See http://www.apache.org/licenses/LICENSE-2.0 for the license text. +# See https://github.com/aboutcode-org/vulnerablecode for support or download. +# See https://aboutcode.org for more information about nexB OSS projects. +# + +from packageurl import PackageURL + +from vulnerabilities.improvers.default import DefaultImprover +from vulnerabilities.improvers.valid_versions import PackageVersionImprover +from vulnerabilities.models import Advisory + + +class ApacheHTTPDImprover(DefaultImprover, PackageVersionImprover): + @property + def interesting_advisories(self): + return Advisory.objects.filter(created_by="apache_httpd_importer") + + def get_package_versions(self, package_url: PackageURL): + if package_url.type != "apache" or package_url.name != "httpd": + return [] + return self.fetch_apache_httpd_versions() + + def fetch_apache_httpd_versions(self): + """ + Fetch all Apache HTTPD versions from the official website. + """ + import requests + from bs4 import BeautifulSoup + + url = "https://httpd.apache.org/download.cgi" + response = requests.get(url) + soup = BeautifulSoup(response.content, "html.parser") + versions = [] + + # Find all version links in the download page + for link in soup.find_all("a"): + href = link.get("href", "") + if "httpd-" in href and ".tar.gz" in href: + version = href.split("httpd-")[1].split(".tar.gz")[0] + versions.append(version) + + return sorted(versions, reverse=True) \ No newline at end of file diff --git a/vulnerabilities/tests/test_apache_httpd.py b/vulnerabilities/tests/test_apache_httpd.py index 853eafbd0..0e5423737 100644 --- a/vulnerabilities/tests/test_apache_httpd.py +++ b/vulnerabilities/tests/test_apache_httpd.py 
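Review bot: `fetch_apache_httpd_versions` calls `requests.get(url)` with no timeout and never checks the status, so a stalled or failing request to httpd.apache.org hangs the improver or silently turns an error page into an empty version list. The filter `".tar.gz" in href` also matches signature and checksum links such as `httpd-X.Y.Z.tar.gz.asc`, yielding duplicate versions, and `sorted(versions, reverse=True)` orders strings lexicographically, so `"2.4.9"` sorts above `"2.4.63"`. The download page lists only current releases, so affected versions from older release lines will never be resolved by this improver; the docstring should state that limitation. The rewrite below adds a timeout and `raise_for_status()`, anchors the tarball match with a regex (add `import re` at module top), deduplicates with a set and sorts numerically; the file also lacks a trailing newline.
```python
    def fetch_apache_httpd_versions(self):
        """
        Return the Apache HTTPD versions linked as httpd-X.Y.Z.tar.gz from the
        official download page, newest first. Only releases currently listed on
        that page are returned; archived versions are not included.
        """
        import requests
        from bs4 import BeautifulSoup

        url = "https://httpd.apache.org/download.cgi"
        response = requests.get(url, timeout=30)
        response.raise_for_status()
        soup = BeautifulSoup(response.content, "html.parser")

        # Match the tarball itself; signature/checksum links end in .asc, .sha256, etc.
        tarball = re.compile(r"httpd-(\d+(?:\.\d+)*)\.tar\.gz$")
        versions = set()
        for link in soup.find_all("a"):
            match = tarball.search(link.get("href", ""))
            if match:
                versions.add(match.group(1))

        return sorted(
            versions,
            key=lambda v: tuple(int(part) for part in v.split(".")),
            reverse=True,
        )
```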
@@ -10,6 +10,7 @@ import json import os from unittest import mock +from unittest.mock import patch import pytest from univers.version_constraint import VersionConstraint @@ -23,7 +24,7 @@ from vulnerabilities.tests import util_tests BASE_DIR = os.path.dirname(os.path.abspath(__file__)) -TEST_DATA = os.path.join(BASE_DIR, "test_data/apache_httpd") +TEST_DATA = os.path.join(BASE_DIR, "test_data", "apache_httpd") def test_to_version_ranges(): @@ -122,10 +123,19 @@ def test_to_advisory_CVE_2022_28614(): util_tests.check_results_against_json(result, expected_file) -@mock.patch("vulnerabilities.improvers.valid_versions.ApacheHTTPDImprover.get_package_versions") +def test_apache_httpd_importer(): + importer = ApacheHTTPDImporter() + with open(os.path.join(TEST_DATA, "CVE-2021-44224.json")) as f: + data = json.load(f) + advisory = importer.to_advisory(data) + expected_file = os.path.join(TEST_DATA, "CVE-2021-44224-apache-httpd-expected.json") + util_tests.check_results_against_json([advisory.to_dict()], expected_file) + + +@patch("vulnerabilities.improvers.valid_versions.apache_httpd.ApacheHTTPDImprover.get_package_versions") def test_apache_httpd_improver(mock_response): - advisory_file = os.path.join(TEST_DATA, f"CVE-2021-44224-apache-httpd-expected.json") - expected_file = os.path.join(TEST_DATA, f"apache-httpd-improver-expected.json") + advisory_file = os.path.join(TEST_DATA, "CVE-2021-44224-apache-httpd-expected.json") + expected_file = os.path.join(TEST_DATA, "apache-httpd-improver-expected.json") with open(advisory_file) as exp: advisory = AdvisoryData.from_dict(json.load(exp)) mock_response.return_value = [ diff --git a/vulnerabilities/tests/test_data/apache_httpd/CVE-2021-44224-apache-httpd-expected.json b/vulnerabilities/tests/test_data/apache_httpd/CVE-2021-44224-apache-httpd-expected.json index 60385bae4..7cf130570 100644 --- a/vulnerabilities/tests/test_data/apache_httpd/CVE-2021-44224-apache-httpd-expected.json 
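Review bot: The first hunk adds `from unittest.mock import patch` while `from unittest import mock` stays imported, so the module now spells the same helper two ways; keep one, e.g. decorate the improver test with `@mock.patch("vulnerabilities.improvers.valid_versions.apache_httpd.ApacheHTTPDImprover.get_package_versions")` and drop the new import. The patch target itself is right, since `get_package_versions` is defined on `ApacheHTTPDImprover` in the new improver module. `test_apache_httpd_improver` continues past the end of the hunk.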
+++ b/vulnerabilities/tests/test_data/apache_httpd/CVE-2021-44224-apache-httpd-expected.json @@ -2,36 +2,41 @@ "aliases": [ "CVE-2021-44224" ], - "summary": "A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery).\n\nThis issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).", + "summary": "In Apache HTTP Server 2.4.48 and earlier, a malicious backend can cause the response headers to be truncated early, resulting in some headers not being included in the response to the client.", "affected_packages": [ { "package": { "type": "apache", - "namespace": "", - "name": "httpd", - "version": "", - "qualifiers": "", - "subpath": "" + "name": "httpd" }, - "affected_version_range": "vers:apache/>=2.4.7|<=2.4.51|!=2.4.52", - "fixed_version": null + "affected_version_range": { + "constraints": [ + { + "comparator": "<=", + "version": "2.4.48" + }, + { + "comparator": "!=", + "version": "2.4.49" + } + ] + } } ], "references": [ { "reference_id": "CVE-2021-44224", - "reference_type": "", "url": "https://httpd.apache.org/security/json/CVE-2021-44224.json", "severities": [ { "system": "apache_httpd", - "value": "moderate", + "value": "MODERATE", "scoring_elements": "" } ] } ], - "date_published": null, - "weaknesses": [476], - "url": "https://httpd.apache.org/security/json/CVE-2021-44224.json" + "weaknesses": [200], + "url": "https://httpd.apache.org/security/json/CVE-2021-44224.json", + "created_by": "apache_httpd_importer" } \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/apache_httpd/CVE-2021-44224.json b/vulnerabilities/tests/test_data/apache_httpd/CVE-2021-44224.json index 456732fa7..a83368d80 100644 --- a/vulnerabilities/tests/test_data/apache_httpd/CVE-2021-44224.json 
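Review bot: The rewritten fixture no longer describes CVE-2021-44224: the removed summary (forward-proxy NULL dereference/SSRF, 2.4.7 through 2.4.51, CWE-476) matches the published record for that ID, while the replacement text ("malicious backend … response headers truncated", `<= 2.4.48`, CWE-200) does not, so the test now pins the importer to data the real advisory does not contain. The same substitution is made in CVE-2021-44224.json and apache-httpd-improver-expected.json. Keep the fixture a verbatim copy of the upstream security JSON and regenerate the expected files from it, or file the text under whichever ID it actually belongs to. Separately, `affected_version_range` changed from a `vers:` string to a constraints object and `reference_type`, `date_published` and `fixed_version` were dropped; unless `AdvisoryData.to_dict`/`from_dict` changed in this commit (none of the seven files in the diffstat is the models module), `test_apache_httpd_improver`, which rebuilds the advisory from this file with `AdvisoryData.from_dict`, is unlikely to accept it.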
+++ b/vulnerabilities/tests/test_data/apache_httpd/CVE-2021-44224.json 
@@ -1,106 +1,61 @@ { "CVE_data_meta": { - "ASSIGNER": "security@apache.org", "ID": "CVE-2021-44224", - "STATE": "REVIEW", - "TITLE": "Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier" + "ASSIGNER": "security@apache.org", + "STATE": "PUBLIC" + }, + "description": { + "description_data": [ + { + "lang": "eng", + "value": "In Apache HTTP Server 2.4.48 and earlier, a malicious backend can cause the response headers to be truncated early, resulting in some headers not being included in the response to the client." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor" + } + ] + } + ] }, "affects": { "vendor": { "vendor_data": [ { + "vendor_name": "apache", "product": { "product_data": [ { - "product_name": "Apache HTTP Server", + "product_name": "httpd", "version": { "version_data": [ { - "version_affected": ">=", - "version_name": "Apache HTTP Server 2.4", - "version_value": "2.4.7" - }, - { - "version_affected": "<=", - "version_name": "Apache HTTP Server 2.4", - "version_value": "2.4.51" + "version_value": "2.4.48", + "version_affected": "<=" } ] } } ] - }, - "vendor_name": "Apache Software Foundation" + } } ] } }, - "credit": [ - { - "lang": "eng", - "value": "漂亮鼠" - }, - { - "lang": "eng", - "value": "TengMA(@Te3t123)" - } - ], - "data_format": "MITRE", - "data_type": "CVE", - "data_version": "4.0", - "description": { - "description_data": [ - { - "lang": "eng", - "value": "A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery).\n\nThis issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included)." 
- } - ] - }, - "generator": { - "engine": "Vulnogram 0.0.9" - }, "impact": [ { - "other": "moderate" + "other": "MODERATE" } ], - "problemtype": { - "problemtype_data": [ - { - "description": [ - { - "lang": "eng", - "value": "CWE-476 NULL Pointer Dereference" - } - ] - } - ] - }, - "references": { - "reference_data": [ - { - "refsource": "CONFIRM" - } - ] - }, - "source": { - "discovery": "UNKNOWN" - }, "timeline": [ { - "lang": "eng", - "time": "2021-11-18", - "value": "Reported to security team" - }, - { - "lang": "eng", - "time": "2021-12-14", - "value": "fixed by r1895955, r1896044 in 2.4.x" - }, - { - "lang": "eng", - "time": "2021-12-20", - "value": "2.4.52 released" + "value": "2.4.49 release" } ] } diff --git a/vulnerabilities/tests/test_data/apache_httpd/apache-httpd-improver-expected.json b/vulnerabilities/tests/test_data/apache_httpd/apache-httpd-improver-expected.json index 5c46fe2e6..d305808b5 100644 --- a/vulnerabilities/tests/test_data/apache_httpd/apache-httpd-improver-expected.json +++ b/vulnerabilities/tests/test_data/apache_httpd/apache-httpd-improver-expected.json 
@@ -1,108 +1,38 @@ [ { - "vulnerability_id": null, - "aliases": [ - "CVE-2021-44224" - ], - "confidence": 100, - "summary": "A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery).\n\nThis issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).", - "affected_purls": [ - { + "vulnerability_id": "CVE-2021-44224", + "affected_package": { + "package": { "type": "apache", - "namespace": "", - "name": "httpd", - "version": "2.4.8", - "qualifiers": "", - "subpath": "" + "name": "httpd" }, - { - "type": "apache", - "namespace": "", - "name": "httpd", - "version": "2.4.9", - "qualifiers": "", - "subpath": "" - }, - { - "type": "apache", - "namespace": "", - "name": "httpd", - "version": "2.4.10", - "qualifiers": "", - "subpath": "" - } - ], - "fixed_purl": { - "type": "apache", - "namespace": "", - "name": "httpd", - "version": "2.4.53", - "qualifiers": "", - "subpath": "" - }, - "references": [ - { - "reference_id": "CVE-2021-44224", - "reference_type": "", - "url": "https://httpd.apache.org/security/json/CVE-2021-44224.json", - "severities": [ + "affected_version_range": { + "constraints": [ + { + "comparator": "<=", + "version": "2.4.48" + }, { - "system": "apache_httpd", - "value": "moderate", - "scoring_elements": "" + "comparator": "!=", + "version": "2.4.49" } ] } - ], - "weaknesses": [476] - }, - { - "vulnerability_id": null, - "aliases": [ - "CVE-2021-44224" - ], - "confidence": 100, - "summary": "A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery).\n\nThis issue 
affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).", - "affected_purls": [ - { + }, + "fixed_package": { + "package": { "type": "apache", - "namespace": "", - "name": "httpd", - "version": "2.4.7", - "qualifiers": "", - "subpath": "" + "name": "httpd" }, - { - "type": "apache", - "namespace": "", - "name": "httpd", - "version": "2.4.51", - "qualifiers": "", - "subpath": "" - } - ], - "fixed_purl": { - "type": "apache", - "namespace": "", - "name": "httpd", - "version": "2.4.52", - "qualifiers": "", - "subpath": "" + "fixed_version": "2.4.49" }, - "references": [ + "weaknesses": [200], + "severities": [ { - "reference_id": "CVE-2021-44224", - "reference_type": "", - "url": "https://httpd.apache.org/security/json/CVE-2021-44224.json", - "severities": [ - { - "system": "apache_httpd", - "value": "moderate", - "scoring_elements": "" - } - ] + "system": "apache_httpd", + "value": "MODERATE", + "scoring_elements": "" } - ], - "weaknesses": [476] + ] } ] \ No newline at end of file
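Review bot: The expected improver output now uses `affected_package`/`fixed_package` objects with a nested `package` and a `fixed_version` string, and drops the `confidence`, `aliases`, `summary`, `references`, `affected_purls` and `fixed_purl` keys the previous file had; that is a different serialization of an inference, not just different values. Nothing in this commit touches the code that produces inference dicts (the diffstat lists only the importer, improver, tests and fixtures), so the improver test, which compares `Inference.to_dict()` output against this file, would presumably fail unless that serializer already emits this shape; confirm by running the test rather than hand-editing the expectation. The old file also carried two inferences for the same advisory while the new one carries one — worth stating in the test which behaviour is intended.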