Skip to content

Migrate Xen, Curl, Istio and OSS-Fuzz importer#1946

Merged
TG1999 merged 13 commits intomainfrom
migrate_xen_importer
Jul 17, 2025
Merged

Migrate Xen, Curl, Istio and OSS-Fuzz importer#1946
TG1999 merged 13 commits intomainfrom
migrate_xen_importer

Conversation

@TG1999
Copy link
Contributor

@TG1999 TG1999 commented Jul 16, 2025
edited
Loading

Closes: #1878

@TG1999 TG1999 changed the title Migrate Xen importer Migrate Xen, Curl, Istio and OSS-Fuzz importer Jul 16, 2025
TG1999 added 13 commits July 17, 2025 17:25
@TG1999
Migrate Xen importer
0922e44 
Signed-off-by: Tushar Goel <tushar.goel.dav@gmail.com>
@TG1999
Add tests for Xen importer
e954b60 
Signed-off-by: Tushar Goel <tushar.goel.dav@gmail.com>
@TG1999
Migrate CURL importer
0b5f4ab 
Signed-off-by: Tushar Goel <tushar.goel.dav@gmail.com>
@TG1999
Fix tests
655c583 
Signed-off-by: Tushar Goel <tushar.goel.dav@gmail.com>
@TG1999
Add OSS Fuzz importer
729c86a 
Signed-off-by: Tushar Goel <tushar.goel.dav@gmail.com>
@TG1999
Add OSS Fuzz importer
a08bde0 
Signed-off-by: Tushar Goel <tushar.goel.dav@gmail.com>
@TG1999
Migrate Istio importer
b63464e 
Signed-off-by: Tushar Goel <tushar.goel.dav@gmail.com>
@TG1999
Add tests for OSS-FUZZ
da0bf37 
Signed-off-by: Tushar Goel <tushar.goel.dav@gmail.com>
@TG1999
Fix tests
2e10f7e 
Signed-off-by: Tushar Goel <tushar.goel.dav@gmail.com>
@TG1999
Add postgresql importer
3e09dc9 
Signed-off-by: Tushar Goel <tushar.goel.dav@gmail.com>
@TG1999
Add mozilla importer
edbbc67 
Signed-off-by: Tushar Goel <tushar.goel.dav@gmail.com>
@TG1999
Fix tests
4c20709 
Signed-off-by: Tushar Goel <tushar.goel.dav@gmail.com>
@TG1999
Fix linting errors
3479b49 
Signed-off-by: Tushar Goel <tushar.goel.dav@gmail.com>
@TG1999 TG1999 force-pushed the migrate_xen_importer branch from 6d6626e to 3479b49 Compare July 17, 2025 11:59
@TG1999 TG1999 merged commit f423cb7 into main Jul 17, 2025
10 checks passed
@TG1999 TG1999 deleted the migrate_xen_importer branch July 17, 2025 12:03
keshav-space
keshav-space reviewed Jul 17, 2025
View reviewed changes
Copy link
Member

@keshav-space keshav-space left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @TG1999, see some feedback.

vulnerabilities/pipelines/v2_importers/apache_httpd_importer.py
weaknesses=weaknesses,
url=reference.url,
severities=severities,
original_advisory_text=json.dumps(data, indent=2, ensure_ascii=False),
Copy link
Member

@keshav-space keshav-space Jul 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we need indent.

vulnerabilities/pipelines/v2_importers/curl_importer.py
weaknesses = get_cwe_from_curl_advisory(raw_data)

aliases = raw_data.get("aliases", [])
advisory_id = raw_data.get("id") or ""
Copy link
Member

@keshav-space keshav-space Jul 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of returning an advisory data with no advisory_id, we should log error and continue.

vulnerabilities/pipelines/v2_importers/elixir_security_importer.py
affected_packages=affected_packages,
url=advisory_url,
date_published=date_published,
original_advisory_text=advisory_text or str(yaml_file),
Copy link
Member

@keshav-space keshav-space Jul 17, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wouldn't it be more appropriate to do yaml dump instead of str(yaml_file)?

vulnerabilities/pipelines/v2_importers/istio_importer.py
]
)

title = data.get("title") or ""
Copy link
Member

@keshav-space keshav-space Jul 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since we are using it as an advisory_id, if there is no title we should log error and continue, instead for returning a AdvisoryData with empty advisory_id.

vulnerabilities/pipelines/v2_importers/npm_importer.py
references_v2=references,
severities=severities,
url=f"https://github.com/nodejs/security-wg/blob/main/vuln/npm/{id}.json",
original_advisory_text=advisory_text or json.dumps(data, indent=2, ensure_ascii=False),
Copy link
Member

@keshav-space keshav-space Jul 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't advisory_text already a JSON dump?

advisory_text or json.dumps(data, indent=2, ensure_ascii=False)

This seems redundant, if we don't have an advisory_text how can we have data.

vulnerabilities/pipelines/v2_importers/postgresql_importer.py
if not self.links:
self.collect_links()
return len(self.links)
return 30
Copy link
Member

@keshav-space keshav-space Jul 17, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not fixed postgres will have more advisory here in future, right?

@TG1999 TG1999 mentioned this pull request Jul 18, 2025
Closed
7 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@keshav-space keshav-space keshav-space left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

VCIO-next: Advisory model migration Batch 2

2 participants

@TG1999 @keshav-space