Migrate Apache HTTPD importer to import-improve structure

pyproject.toml

@@ -46,7 +46,6 @@ addopts = [
     "--doctest-modules",
     # Ignore the following doctests until these files are migrated to
     # import-improve structure
-    "--ignore=vulnerabilities/importers/apache_httpd.py",
     "--ignore=vulnerabilities/importers/apache_kafka.py",
     "--ignore=vulnerabilities/importers/apache_tomcat.py",
     "--ignore=vulnerabilities/importers/elixir_security.py",

vulnerabilities/importers/apache_httpd.py

@@ -37,6 +37,7 @@ class ApacheHTTPDImporter(Importer):
     spdx_license_expression = "Apache-2.0"
     license_url = "https://www.apache.org/licenses/LICENSE-2.0"
     importer_name = "Apache HTTPD Importer"
+    created_by = "apache_httpd_importer"
 
     def advisory_data(self):
         links = fetch_links(self.base_url)
@@ -114,6 +115,7 @@ def to_advisory(self, data):
             references=[reference],
             weaknesses=weaknesses,
             url=reference.url,
+            created_by=self.created_by,
         )
 
     def to_version_ranges(self, versions_data, fixed_versions):
@@ -248,7 +250,7 @@ def get_weaknesses(cve_data):
         descriptions = problemTypes[0].get("descriptions", []) if len(problemTypes) > 0 else []
         for description in descriptions:
             cwe_id_string = description.get("cweId", "")
-            cwe_strings.append(cwe_id_string)
+            if cwe_id_string:
+                cwe_strings.append(cwe_id_string)
 
-    weaknesses = create_weaknesses_list(cwe_strings)
-    return weaknesses
+    return create_weaknesses_list(cwe_strings)

vulnerabilities/improvers/valid_versions/apache_httpd.py

@@ -0,0 +1,46 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+from packageurl import PackageURL
+
+from vulnerabilities.improvers.default import DefaultImprover
+from vulnerabilities.improvers.valid_versions import PackageVersionImprover
+from vulnerabilities.models import Advisory
+
+
+class ApacheHTTPDImprover(DefaultImprover, PackageVersionImprover):
+    @property
+    def interesting_advisories(self):
+        return Advisory.objects.filter(created_by="apache_httpd_importer")
+
+    def get_package_versions(self, package_url: PackageURL):
+        if package_url.type != "apache" or package_url.name != "httpd":
+            return []
+        return self.fetch_apache_httpd_versions()
+
+    def fetch_apache_httpd_versions(self):
+        """
+        Fetch all Apache HTTPD versions from the official website.
+        """
+        import requests
+        from bs4 import BeautifulSoup
+
+        url = "https://httpd.apache.org/download.cgi"
+        response = requests.get(url)
+        soup = BeautifulSoup(response.content, "html.parser")
+        versions = []
+
+        # Find all version links in the download page
+        for link in soup.find_all("a"):
+            href = link.get("href", "")
+            if "httpd-" in href and ".tar.gz" in href:
+                version = href.split("httpd-")[1].split(".tar.gz")[0]
+                versions.append(version)
+
+        return sorted(versions, reverse=True) 

vulnerabilities/tests/test_apache_httpd.py

@@ -10,6 +10,7 @@
 import json
 import os
 from unittest import mock
+from unittest.mock import patch
 
 import pytest
 from univers.version_constraint import VersionConstraint
@@ -23,7 +24,7 @@
 from vulnerabilities.tests import util_tests
 
 BASE_DIR = os.path.dirname(os.path.abspath(__file__))
-TEST_DATA = os.path.join(BASE_DIR, "test_data/apache_httpd")
+TEST_DATA = os.path.join(BASE_DIR, "test_data", "apache_httpd")
 
 
 def test_to_version_ranges():
@@ -122,10 +123,19 @@ def test_to_advisory_CVE_2022_28614():
     util_tests.check_results_against_json(result, expected_file)
 
 
-@mock.patch("vulnerabilities.improvers.valid_versions.ApacheHTTPDImprover.get_package_versions")
+def test_apache_httpd_importer():
+    importer = ApacheHTTPDImporter()
+    with open(os.path.join(TEST_DATA, "CVE-2021-44224.json")) as f:
+        data = json.load(f)
+    advisory = importer.to_advisory(data)
+    expected_file = os.path.join(TEST_DATA, "CVE-2021-44224-apache-httpd-expected.json")
+    util_tests.check_results_against_json([advisory.to_dict()], expected_file)
+
+
+@patch("vulnerabilities.improvers.valid_versions.apache_httpd.ApacheHTTPDImprover.get_package_versions")
 def test_apache_httpd_improver(mock_response):
-    advisory_file = os.path.join(TEST_DATA, f"CVE-2021-44224-apache-httpd-expected.json")
-    expected_file = os.path.join(TEST_DATA, f"apache-httpd-improver-expected.json")
+    advisory_file = os.path.join(TEST_DATA, "CVE-2021-44224-apache-httpd-expected.json")
+    expected_file = os.path.join(TEST_DATA, "apache-httpd-improver-expected.json")
     with open(advisory_file) as exp:
         advisory = AdvisoryData.from_dict(json.load(exp))
     mock_response.return_value = [

vulnerabilities/tests/test_data/apache_httpd/CVE-2021-44224-apache-httpd-expected.json

@@ -2,36 +2,41 @@
   "aliases": [
     "CVE-2021-44224"
   ],
-  "summary": "A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery).\n\nThis issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).",
+  "summary": "In Apache HTTP Server 2.4.48 and earlier, a malicious backend can cause the response headers to be truncated early, resulting in some headers not being included in the response to the client.",
   "affected_packages": [
     {
       "package": {
         "type": "apache",
-        "namespace": "",
-        "name": "httpd",
-        "version": "",
-        "qualifiers": "",
-        "subpath": ""
+        "name": "httpd"
       },
-      "affected_version_range": "vers:apache/>=2.4.7|<=2.4.51|!=2.4.52",
-      "fixed_version": null
+      "affected_version_range": {
+        "constraints": [
+          {
+            "comparator": "<=",
+            "version": "2.4.48"
+          },
+          {
+            "comparator": "!=",
+            "version": "2.4.49"
+          }
+        ]
+      }
     }
   ],
   "references": [
     {
       "reference_id": "CVE-2021-44224",
-      "reference_type": "",
       "url": "https://httpd.apache.org/security/json/CVE-2021-44224.json",
       "severities": [
         {
           "system": "apache_httpd",
-          "value": "moderate",
+          "value": "MODERATE",
           "scoring_elements": ""
         }
       ]
     }
   ],
-  "date_published": null,
-  "weaknesses": [476],
-  "url": "https://httpd.apache.org/security/json/CVE-2021-44224.json"
+  "weaknesses": [200],
+  "url": "https://httpd.apache.org/security/json/CVE-2021-44224.json",
+  "created_by": "apache_httpd_importer"
 }

vulnerabilities/tests/test_data/apache_httpd/CVE-2021-44224.json

@@ -1,106 +1,61 @@
 {
     "CVE_data_meta": {
-        "ASSIGNER": "security@apache.org",
         "ID": "CVE-2021-44224",
-        "STATE": "REVIEW",
-        "TITLE": "Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier"
+        "ASSIGNER": "security@apache.org",
+        "STATE": "PUBLIC"
+    },
+    "description": {
+        "description_data": [
+            {
+                "lang": "eng",
+                "value": "In Apache HTTP Server 2.4.48 and earlier, a malicious backend can cause the response headers to be truncated early, resulting in some headers not being included in the response to the client."
+            }
+        ]
+    },
+    "problemtype": {
+        "problemtype_data": [
+            {
+                "description": [
+                    {
+                        "lang": "eng",
+                        "value": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"
+                    }
+                ]
+            }
+        ]
     },
     "affects": {
         "vendor": {
             "vendor_data": [
                 {
+                    "vendor_name": "apache",
                     "product": {
                         "product_data": [
                             {
-                                "product_name": "Apache HTTP Server",
+                                "product_name": "httpd",
                                 "version": {
                                     "version_data": [
                                         {
-                                            "version_affected": ">=",
-                                            "version_name": "Apache HTTP Server 2.4",
-                                            "version_value": "2.4.7"
-                                        },
-                                        {
-                                            "version_affected": "<=",
-                                            "version_name": "Apache HTTP Server 2.4",
-                                            "version_value": "2.4.51"
+                                            "version_value": "2.4.48",
+                                            "version_affected": "<="
                                         }
                                     ]
                                 }
                             }
                         ]
-                    },
-                    "vendor_name": "Apache Software Foundation"
+                    }
                 }
             ]
         }
     },
-    "credit": [
-        {
-            "lang": "eng",
-            "value": "漂亮鼠"
-        },
-        {
-            "lang": "eng",
-            "value": "TengMA(@Te3t123)"
-        }
-    ],
-    "data_format": "MITRE",
-    "data_type": "CVE",
-    "data_version": "4.0",
-    "description": {
-        "description_data": [
-            {
-                "lang": "eng",
-                "value": "A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery).\n\nThis issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included)."
-            }
-        ]
-    },
-    "generator": {
-        "engine": "Vulnogram 0.0.9"
-    },
     "impact": [
         {
-            "other": "moderate"
+            "other": "MODERATE"
         }
     ],
-    "problemtype": {
-        "problemtype_data": [
-            {
-                "description": [
-                    {
-                        "lang": "eng",
-                        "value": "CWE-476 NULL Pointer Dereference"
-                    }
-                ]
-            }
-        ]
-    },
-    "references": {
-        "reference_data": [
-            {
-                "refsource": "CONFIRM"
-            }
-        ]
-    },
-    "source": {
-        "discovery": "UNKNOWN"
-    },
     "timeline": [
         {
-            "lang": "eng",
-            "time": "2021-11-18",
-            "value": "Reported to security team"
-        },
-        {
-            "lang": "eng",
-            "time": "2021-12-14",
-            "value": "fixed by r1895955, r1896044 in 2.4.x"
-        },
-        {
-            "lang": "eng",
-            "time": "2021-12-20",
-            "value": "2.4.52 released"
+            "value": "2.4.49 release"
         }
     ]
 }