diff --git a/tools/redhat/README.md b/tools/redhat/README.md
index fd05dcf..d9fafae 100644
--- a/tools/redhat/README.md
+++ b/tools/redhat/README.md
@@ -19,7 +19,7 @@ $ pipenv install -e .
 Needs to be run in a folder where the Red Hat CSAF documents to convert already exist. Files can be downloaded the [Red Hat Customer Portal Security Data section](https://access.redhat.com/security/data/csaf/v2/advisories/)
 ~~~
-$ pipenv run convert_redhat testdata/rhsa-2024_4546.json
+$ pipenv run python3 convert_redhat.py testdata/rhsa-2024_4546.json
 ~~~
 OSV documents will be output in the `osv` directory by default. Override the default with the `--output_directory` option.
diff --git a/tools/redhat/redhat_osv/osv.py b/tools/redhat/redhat_osv/osv.py
index 4d0f5a0..5153df1 100644
--- a/tools/redhat/redhat_osv/osv.py
+++ b/tools/redhat/redhat_osv/osv.py
@@ -85,7 +85,8 @@ class Package:
 Class to hold package data for an Affect. Expects an ecosystem string that starts with CPE_PATTERN. Replaces the CPE prefix 'redhat' part with 'Red Hat'
- to match more closely with other ecosystem identifiers in the OSV database
+ to match more closely with other ecosystem identifiers in the OSV database.
+ Also removes version and qualifiers from the CSAF remediation PURL
 """
 cpe_pattern: re.Pattern = field(init=False,
@@ -98,6 +99,10 @@ def __post_init__(self):
 if not self.cpe_pattern.match(self.ecosystem):
 raise ValueError(f"Got unsupported ecosystem: {self.ecosystem}")
 self.ecosystem = f"Red Hat{self.cpe_pattern.split(self.ecosystem, maxsplit=1)[-1]}"
+ if "@" in self.purl:
+ version_index = self.purl.index("@")
+ self.purl = self.purl[:version_index]
+
 @dataclass
diff --git a/tools/redhat/redhat_osv/osv_test.py b/tools/redhat/redhat_osv/osv_test.py
index 6903c88..549614f 100644
--- a/tools/redhat/redhat_osv/osv_test.py
+++ b/tools/redhat/redhat_osv/osv_test.py
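Review bot: The stripping added to `__post_init__` only runs when the PURL contains `@`, so a PURL that carries qualifiers but no version (constructed example: `pkg:rpm/redhat/git-lfs?arch=src`) keeps its `?arch=...` suffix, which contradicts the docstring text added in the previous hunk ("Also removes version and qualifiers"). The PURL grammar places the version after `@`, qualifiers after `?` and a subpath after `#`, so the cut has to happen at whichever of those appears first; `self.purl = self.purl.split("@", 1)[0].split("?", 1)[0].split("#", 1)[0]` replaces the three added lines, covers the no-`@` case, and avoids the `in` plus `index` double scan. A why-comment on that line would help the next reader, something like `# Keep only type/namespace/name so the PURL identifies the package, not one build; the version presumably lives in the affected ranges` — the "presumably" should be confirmed against the OSV writer. The hunk also assumes `self.purl` is a str and never None, which nothing in the visible code checks; stating that in the docstring, or guarding it, would make the contract explicit. `__post_init__` starts outside the hunk.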
@@ -23,9 +23,14 @@ def test_missing_cvss_v3(self):
 assert csaf
 assert len(csaf.vulnerabilities) == 1
 assert not csaf.vulnerabilities[0].cvss_v3_base_score
+ for vuln in csaf.vulnerabilities:
+ for remediation in vuln.remediations:
+ assert "@" in remediation.purl
 osv = OSV(csaf, "test_date")
 assert not hasattr(osv, "severity")
+ for affected in osv.affected:
+ assert "@" not in affected.package.purl
 class EventTest(unittest.TestCase):
diff --git a/tools/redhat/testdata/RHSA-2024_4546.json b/tools/redhat/testdata/RHSA-2024_4546.json
index 80d728b..312305c 100644
--- a/tools/redhat/testdata/RHSA-2024_4546.json
+++ b/tools/redhat/testdata/RHSA-2024_4546.json
@@ -1,5 +1,5 @@
 {
- "schema_version": "1.6.5",
+ "schema_version": "1.6.7",
 "id": "RHSA-2024:4546",
 "related": [
 "CVE-2023-45288",
@@ -19,7 +19,7 @@
 "package": {
 "name": "git-lfs",
 "ecosystem": "Red Hat:rhel_aus:8.6::appstream",
- "purl": "pkg:rpm/redhat/git-lfs@2.13.3-3.el8_6.1?arch=src"
+ "purl": "pkg:rpm/redhat/git-lfs"
 },
 "ranges": [
 {
@@ -39,7 +39,7 @@
 "package": {
 "name": "git-lfs",
 "ecosystem": "Red Hat:rhel_aus:8.6::appstream",
- "purl": "pkg:rpm/redhat/git-lfs@2.13.3-3.el8_6.1?arch=x86_64"
+ "purl": "pkg:rpm/redhat/git-lfs"
 },
 "ranges": [
 {
@@ -59,7 +59,7 @@
 "package": {
 "name": "git-lfs-debuginfo",
 "ecosystem": "Red Hat:rhel_aus:8.6::appstream",
- "purl": "pkg:rpm/redhat/git-lfs-debuginfo@2.13.3-3.el8_6.1?arch=x86_64"
+ "purl": "pkg:rpm/redhat/git-lfs-debuginfo"
 },
 "ranges": [
 {
@@ -79,7 +79,7 @@
 "package": {
 "name": "git-lfs-debugsource",
 "ecosystem": "Red Hat:rhel_aus:8.6::appstream",
- "purl": "pkg:rpm/redhat/git-lfs-debugsource@2.13.3-3.el8_6.1?arch=x86_64"
+ "purl": "pkg:rpm/redhat/git-lfs-debugsource"
 },
 "ranges": [
 {
@@ -99,7 +99,7 @@
 "package": {
 "name": "git-lfs",
 "ecosystem": "Red Hat:rhel_e4s:8.6::appstream",
- "purl": "pkg:rpm/redhat/git-lfs@2.13.3-3.el8_6.1?arch=ppc64le"
+ "purl": "pkg:rpm/redhat/git-lfs"
 },
 "ranges": [
 {
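Review bot: The new loops in `test_missing_cvss_v3` pass vacuously when `vuln.remediations` or `osv.affected` is empty, so a regression that drops every affected entry would still be green; add `assert osv.affected` (and an equivalent non-empty check for the remediations) before the loops. They also only check for `@`, while the osv.py docstring in this commit says qualifiers are removed too, so `assert "?" not in affected.package.purl` would pin that claim, and asserting one exact value from the fixture (for example `pkg:rpm/redhat/git-lfs`) would document the intended shape better than a substring check. Finally, this PURL normalisation is unrelated to the missing-CVSS behaviour the test is named for; a separate method such as `test_purl_version_stripped` would keep each failure pointing at one behaviour. The enclosing test method starts outside the hunk.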
@@ -119,7 +119,7 @@
 "package": {
 "name": "git-lfs",
 "ecosystem": "Red Hat:rhel_e4s:8.6::appstream",
- "purl": "pkg:rpm/redhat/git-lfs@2.13.3-3.el8_6.1?arch=src"
+ "purl": "pkg:rpm/redhat/git-lfs"
 },
 "ranges": [
 {
@@ -139,7 +139,7 @@
 "package": {
 "name": "git-lfs",
 "ecosystem": "Red Hat:rhel_e4s:8.6::appstream",
- "purl": "pkg:rpm/redhat/git-lfs@2.13.3-3.el8_6.1?arch=x86_64"
+ "purl": "pkg:rpm/redhat/git-lfs"
 },
 "ranges": [
 {
@@ -159,7 +159,7 @@
 "package": {
 "name": "git-lfs-debuginfo",
 "ecosystem": "Red Hat:rhel_e4s:8.6::appstream",
- "purl": "pkg:rpm/redhat/git-lfs-debuginfo@2.13.3-3.el8_6.1?arch=ppc64le"
+ "purl": "pkg:rpm/redhat/git-lfs-debuginfo"
 },
 "ranges": [
 {
@@ -179,7 +179,7 @@
 "package": {
 "name": "git-lfs-debuginfo",
 "ecosystem": "Red Hat:rhel_e4s:8.6::appstream",
- "purl": "pkg:rpm/redhat/git-lfs-debuginfo@2.13.3-3.el8_6.1?arch=x86_64"
+ "purl": "pkg:rpm/redhat/git-lfs-debuginfo"
 },
 "ranges": [
 {
@@ -199,7 +199,7 @@
 "package": {
 "name": "git-lfs-debugsource",
 "ecosystem": "Red Hat:rhel_e4s:8.6::appstream",
- "purl": "pkg:rpm/redhat/git-lfs-debugsource@2.13.3-3.el8_6.1?arch=ppc64le"
+ "purl": "pkg:rpm/redhat/git-lfs-debugsource"
 },
 "ranges": [
 {
@@ -219,7 +219,7 @@
 "package": {
 "name": "git-lfs-debugsource",
 "ecosystem": "Red Hat:rhel_e4s:8.6::appstream",
- "purl": "pkg:rpm/redhat/git-lfs-debugsource@2.13.3-3.el8_6.1?arch=x86_64"
+ "purl": "pkg:rpm/redhat/git-lfs-debugsource"
 },
 "ranges": [
 {
@@ -239,7 +239,7 @@
 "package": {
 "name": "git-lfs",
 "ecosystem": "Red Hat:rhel_tus:8.6::appstream",
- "purl": "pkg:rpm/redhat/git-lfs@2.13.3-3.el8_6.1?arch=src"
+ "purl": "pkg:rpm/redhat/git-lfs"
 },
 "ranges": [
 {
@@ -259,7 +259,7 @@
 "package": {
 "name": "git-lfs",
 "ecosystem": "Red Hat:rhel_tus:8.6::appstream",
- "purl": "pkg:rpm/redhat/git-lfs@2.13.3-3.el8_6.1?arch=x86_64"
+ "purl": "pkg:rpm/redhat/git-lfs"
 },
 "ranges": [
 {
@@ -279,7 +279,7 @@
 "package": {
 "name": "git-lfs-debuginfo",
 "ecosystem": "Red Hat:rhel_tus:8.6::appstream",
- "purl": "pkg:rpm/redhat/git-lfs-debuginfo@2.13.3-3.el8_6.1?arch=x86_64"
+ "purl": "pkg:rpm/redhat/git-lfs-debuginfo"
 },
 "ranges": [
 {
@@ -299,7 +299,7 @@
 "package": {
 "name": "git-lfs-debugsource",
 "ecosystem": "Red Hat:rhel_tus:8.6::appstream",
- "purl": "pkg:rpm/redhat/git-lfs-debugsource@2.13.3-3.el8_6.1?arch=x86_64"
+ "purl": "pkg:rpm/redhat/git-lfs-debugsource"
 },
 "ranges": [
 {