Skip to content

Update OpenSSL advisories#1765

Closed
kunalsz wants to merge 10 commits intoaboutcode-org:mainfrom
kunalsz:openssl-advisories
Closed

Update OpenSSL advisories#1765
kunalsz wants to merge 10 commits intoaboutcode-org:mainfrom
kunalsz:openssl-advisories

Conversation

@kunalsz
Copy link

@kunalsz kunalsz commented Jan 29, 2025

Updated the importers/openssl.py file to scrape data from the new updated data source https://openssl-library.org/news/vulnerabilities/index.html.
Fixes #1747

@kunalsz
Updated OpenSSL advisories
dca077c 
Signed-off-by: kunalsz <kunalavengers@gmail.com>
@kunalsz
added and fixed tests
1140123 
Signed-off-by: kunalsz <kunalavengers@gmail.com>
@kunalsz
Copy link
Author

kunalsz commented Mar 23, 2025

@TG1999 I have added tests for the pipelines,you can now review it

@kunalsz kunalsz changed the title Updated OpenSSL advisories Update OpenSSL advisories Mar 26, 2025
@TG1999
Copy link
Contributor

TG1999 commented Apr 3, 2025

@kunalsz please resolve conflicts

@TG1999 TG1999 closed this Apr 3, 2025
@TG1999 TG1999 reopened this Apr 3, 2025
TG1999
TG1999 reviewed Apr 3, 2025
View reviewed changes
vulnerabilities/pipelines/openssl_importer.py


# fetch the content from the html data
def fetch_advisory_data(url):
Copy link
Contributor

@TG1999 TG1999 Apr 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add docstrings and doctests in all your functions please. Thanks!

kunalsz added 2 commits April 5, 2025 07:21
@kunalsz
Add doctrings and doctests
5a716cb 
Signed-off-by: kunalsz <kunalavengers@gmail.com>
@kunalsz
Resolve conflicts
d7f49b6 
Signed-off-by: kunalsz <kunalavengers@gmail.com>
keshav-space
keshav-space requested changes Apr 15, 2025
View reviewed changes
Copy link
Member

@keshav-space keshav-space left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @kunalsz, see nits below, also make sure that pipeline is also collecting the fixed version.
Strange for Yubico you used the legacy Importer #1763, but here you're using VulnerableCodeBaseImporterPipeline.

vulnerabilities/pipelines/openssl_importer.py Outdated
"""Collect Advisories from Openssl"""

pipeline_id = "openssl_importer"
spdx_license_expression = "OpenSSL-standalone"
Copy link
Member

@keshav-space keshav-space Apr 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you paste the link from where you concluded that openssl advisory is under OpenSSL-standalone license?

Copy link
Author

@kunalsz kunalsz Apr 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like I used the wrong license, the correct one should be Apache License v2 , I'll update it

vulnerabilities/pipelines/openssl_importer.py
Comment on lines +249 to +259
versions = re.findall(r"(?<=from\s)([^\s]+)|(?<=before\s)([^\s]+)", affected)
versions = [v for group in versions for v in group if v] # ['1.0.1', '1.0.1j']
affected_version_range = OpensslVersionRange.from_versions(versions)
affected_packages.append(
AffectedPackage(
package=PackageURL(type="openssl", name="openssl"),
affected_version_range=affected_version_range,
)
)
Copy link
Member

@keshav-space keshav-space Apr 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not correct. For OpenSSL from 1.0.1 to 1.0.1j this will produce vers:openssl/1.0.1 which is incorrect affected range.

Copy link
Author

@kunalsz kunalsz Apr 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll make the necessary changes.

Copy link
Author

@kunalsz kunalsz Apr 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@keshav-space The versions are getting extracted correctly.

In CVE-2024-13176 one of the affected version string is from 1.1.1 before 1.1.1zb and it gets processed correctly to 'affected_version_range': 'vers:openssl/1.1.1|1.1.1zb'

As far as OpenSSL from 1.0.1 to 1.0.1j is concerned, all the affected ranges on the advisory page are in the format of from VERSION before VERSION , so the regex works correctly

kunalsz added 3 commits April 19, 2025 19:23
@kunalsz
Update License
1096cea 
Signed-off-by: kunalsz <kunalavengers@gmail.com>
@kunalsz
Add fixed versions
a3ab905 
Signed-off-by: kunalsz <kunalavengers@gmail.com>
@kunalsz
Merge remote-tracking branch 'origin/main' into openssl-advisories
3c0854d
@kunalsz kunalsz force-pushed the openssl-advisories branch from e2f03f5 to 3c0854d Compare April 23, 2025 20:35
kunalsz and others added 3 commits April 24, 2025 02:13
@kunalsz
Remove debug statement
b38dbfd
@kunalsz
Revert "Remove debug statement"
8c6487b 
This reverts commit b38dbfd.
@kunalsz
Remove debug statements
be6e234 
Signed-off-by: kunalsz <kunalavengers@gmail.com>
@kunalsz
Copy link
Author

kunalsz commented Apr 23, 2025

@keshav-space I have made the necessary changes, please review the PR

@keshav-space
Copy link
Member

keshav-space commented Jan 22, 2026

Closing this. We now have a fresh v2 importer for OpenSSL to import secjson advisories from https://github.com/openssl/release-metadata/tree/main/secjson. See #2119

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@TG1999 TG1999 TG1999 left review comments

@keshav-space keshav-space keshav-space requested changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Error in running openSSL importer

3 participants

@kunalsz @TG1999 @keshav-space