Merge pull request #2118 from ziadhany/glibc_importer

ziadhany · web-flow · commit 4ade6958fe14 · 2026-05-15T00:50:49.000+03:00
Add support for glib importer
diff --git a/vulnerabilities/importers/__init__.py b/vulnerabilities/importers/__init__.py
@@ -56,6 +56,7 @@
 from vulnerabilities.pipelines.v2_importers import gentoo_importer as gentoo_importer_v2
 from vulnerabilities.pipelines.v2_importers import github_osv_importer as github_osv_importer_v2
 from vulnerabilities.pipelines.v2_importers import gitlab_importer as gitlab_importer_v2
+from vulnerabilities.pipelines.v2_importers import glibc_importer as glibc_importer_v2
 from vulnerabilities.pipelines.v2_importers import istio_importer as istio_importer_v2
 from vulnerabilities.pipelines.v2_importers import mattermost_importer as mattermost_importer_v2
 from vulnerabilities.pipelines.v2_importers import mozilla_importer as mozilla_importer_v2
@@ -111,6 +112,7 @@
         nginx_importer_v2.NginxImporterPipeline,
         debian_importer_v2.DebianImporterPipeline,
         mattermost_importer_v2.MattermostImporterPipeline,
+        glibc_importer_v2.GlibcImporterPipeline,
         apache_tomcat_v2.ApacheTomcatImporterPipeline,
         suse_score_importer_v2.SUSESeverityScoreImporterPipeline,
         retiredotnet_importer_v2.RetireDotnetImporterPipeline,
diff --git a/vulnerabilities/pipelines/v2_importers/glibc_importer.py b/vulnerabilities/pipelines/v2_importers/glibc_importer.py
@@ -0,0 +1,187 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+from pathlib import Path
+
+import dateparser
+from fetchcode.vcs import fetch_via_vcs
+from packageurl import PackageURL
+from pytz import UTC
+from univers.version_range import GenericVersionRange
+from univers.versions import InvalidVersion
+
+from vulnerabilities.importer import AdvisoryDataV2
+from vulnerabilities.importer import AffectedPackageV2
+from vulnerabilities.importer import PackageCommitPatchData
+from vulnerabilities.importer import logger
+from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipelineV2
+from vulnerabilities.utils import build_description
+
+
+class GlibcImporterPipeline(VulnerableCodeBaseImporterPipelineV2):
+    """
+    Pipeline to collect glibc advisories:
+    """
+
+    pipeline_id = "glibc_importer_v2"
+    spdx_license_expression = "LGPL-2.1-only"
+    license_url = "https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=LICENSES"
+    repo_url = "git+https://sourceware.org/git/glibc.git"
+
+    precedence = 200
+
+    @classmethod
+    def steps(cls):
+        return (
+            cls.clone,
+            cls.collect_and_store_advisories,
+            cls.clean_downloads,
+        )
+
+    def clone(self):
+        self.log(f"Cloning `{self.repo_url}`")
+        self.vcs_response = fetch_via_vcs(self.repo_url)
+
+    def advisories_count(self):
+        root = Path(self.vcs_response.dest_dir) / "advisories"
+        return sum(1 for _ in root.rglob("*"))
+
+    def collect_advisories(self):
+        base_path = Path(self.vcs_response.dest_dir) / "advisories"
+        for file_path in base_path.rglob("*"):
+            if not file_path.name.startswith("GLIBC-SA"):
+                continue
+
+            with open(file_path) as f:
+                vulnerability_data = f.read()
+
+            parsed_items = self.parse_advisory_text(vulnerability_data)
+            fixed_commits, fixed_versions, affected_commits, affected_versions = [], [], [], []
+            advisory_id = file_path.name
+            cve_id = None
+            summary = None
+            description = None
+            date_published = None
+            for item in parsed_items:
+                name = item.get("name")
+                if name == "summary":
+                    summary = item.get("value")
+                elif name == "description":
+                    description = item.get("value")
+                elif name == "CVE-Id":
+                    cve_id = item.get("value")
+                elif name == "Public-Date":
+                    date_published_value = item.get("value")
+                    date_published = dateparser.parse(date_published_value).replace(tzinfo=UTC)
+                elif name == "Vulnerable-Commit":
+                    fix_commit = item.get("commit")
+                    affected_commits.append(fix_commit)
+
+                    fixed_version = item.get("version")
+                    affected_versions.append(fixed_version)
+                elif name == "Fix-Commit":
+                    fix_commit = item.get("commit")
+                    fixed_commits.append(fix_commit)
+
+                    fixed_version = item.get("version")
+                    fixed_versions.append(fixed_version)
+
+            affected_packages = []
+            purl = PackageURL(
+                type="sid",
+                namespace="gnu.org",
+                name="glibc",
+            )
+
+            affected_version_range = None
+            try:
+                affected_version_range = GenericVersionRange.from_versions(affected_versions)
+            except InvalidVersion as e:
+                logger.error(
+                    f"InvalidVersion while parsing affected_version_range: {affected_versions} error: {e}"
+                )
+
+            fixed_version_range = None
+            try:
+                fixed_version_range = GenericVersionRange.from_versions(fixed_versions)
+            except InvalidVersion as e:
+                logger.error(
+                    f"InvalidVersion while parsing fixed_version_range: {fixed_versions} error: {e}"
+                )
+
+            fixed_by_commit_patches = [
+                PackageCommitPatchData(
+                    vcs_url="https://sourceware.org/git/glibc.git", commit_hash=fixed_commit
+                )
+                for fixed_commit in fixed_commits
+            ]
+            introduced_by_commit_patches = [
+                PackageCommitPatchData(
+                    vcs_url="https://sourceware.org/git/glibc.git", commit_hash=affected_commit
+                )
+                for affected_commit in affected_commits
+            ]
+
+            if (
+                affected_version_range
+                or fixed_version_range
+                or introduced_by_commit_patches
+                or fixed_by_commit_patches
+            ):
+                affected_packages.append(
+                    AffectedPackageV2(
+                        package=purl,
+                        affected_version_range=affected_version_range,
+                        fixed_version_range=fixed_version_range,
+                        introduced_by_commit_patches=introduced_by_commit_patches,
+                        fixed_by_commit_patches=fixed_by_commit_patches,
+                    )
+                )
+
+            yield AdvisoryDataV2(
+                advisory_id=advisory_id,
+                aliases=[cve_id] if cve_id else [],
+                summary=build_description(summary, description),
+                affected_packages=affected_packages,
+                date_published=date_published,
+                url="https://sourceware.org/git/glibc.git",
+            )
+
+    def parse_advisory_text(self, text):
+        summary, _, tail = text.partition("\n\n")
+        description, _, metadata = tail.partition("\n\n")
+
+        parsed = [
+            {"name": "summary", "value": summary},
+            {"name": "description", "value": description},
+        ]
+
+        for line in metadata.splitlines():
+            name, _, value = line.partition(": ")
+            if name.endswith(
+                (
+                    "Commit",
+                    "Backport",
+                )
+            ):
+                commit, _, version = value.partition(" ")
+                parsed.append({"name": name, "commit": commit, "version": version.strip(")(")})
+            else:
+                parsed.append({"name": name, "value": value})
+        return parsed
+
+    def clean_downloads(self):
+        """Cleanup any temporary repository data."""
+        if self.vcs_response:
+            self.log(f"Removing cloned repository")
+            self.vcs_response.delete()
+
+    def on_failure(self):
+        """Ensure cleanup is always performed on failure."""
+        self.clean_downloads()
diff --git a/vulnerabilities/tests/pipelines/v2_importers/test_glibc_importer_v2.py b/vulnerabilities/tests/pipelines/v2_importers/test_glibc_importer_v2.py
@@ -0,0 +1,38 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+from pathlib import Path
+from unittest.mock import Mock
+from unittest.mock import patch
+
+import pytest
+
+from vulnerabilities.pipelines.v2_importers.glibc_importer import GlibcImporterPipeline
+from vulnerabilities.tests import util_tests
+
+TEST_DATA = Path(__file__).parent.parent.parent / "test_data" / "glibc"
+
+TEST_CVE_FILES = [
+    TEST_DATA / "advisories" / "GLIBC-SA-2023-0001",
+    TEST_DATA / "advisories" / "GLIBC-SA-2025-0004",
+    TEST_DATA / "advisories" / "GLIBC-SA-2026-0002",
+]
+
+
+@pytest.mark.django_db
+@pytest.mark.parametrize("glibc_file", TEST_CVE_FILES)
+def test_glibc_advisories_per_file(glibc_file):
+    pipeline = GlibcImporterPipeline()
+    pipeline.vcs_response = Mock(dest_dir=TEST_DATA)
+
+    with patch.object(Path, "rglob", return_value=[glibc_file]):
+        result = [adv.to_dict() for adv in pipeline.collect_advisories()]
+
+    expected_file = glibc_file.with_name(glibc_file.stem + "-expected.json")
+    util_tests.check_results_against_json(result, expected_file)
diff --git a/vulnerabilities/tests/test_data/glibc/advisories/GLIBC-SA-2023-0001 b/vulnerabilities/tests/test_data/glibc/advisories/GLIBC-SA-2023-0001
@@ -0,0 +1,14 @@
+printf: incorrect output for integers with thousands separator and width field
+
+When the printf family of functions is called with a format specifier
+that uses an <apostrophe> (enable grouping) and a minimum width
+specifier, the resulting output could be larger than reasonably expected
+by a caller that computed a tight bound on the buffer size.  The
+resulting larger than expected output could result in a buffer overflow
+in the printf family of functions.
+
+CVE-Id: CVE-2023-25139
+Public-Date: 2023-02-02
+Vulnerable-Commit: e88b9f0e5cc50cab57a299dc7efe1a4eb385161d (2.37)
+Fix-Commit: c980549cc6a1c03c23cc2fe3e7b0fe626a0364b0 (2.38)
+Fix-Commit: 07b9521fc6369d000216b96562ff7c0ed32a16c4 (2.37-4)
diff --git a/vulnerabilities/tests/test_data/glibc/advisories/GLIBC-SA-2023-0001-expected.json b/vulnerabilities/tests/test_data/glibc/advisories/GLIBC-SA-2023-0001-expected.json
@@ -0,0 +1,51 @@
+[
+  {
+    "advisory_id": "GLIBC-SA-2023-0001",
+    "aliases": [
+      "CVE-2023-25139"
+    ],
+    "summary": "printf: incorrect output for integers with thousands separator and width field\nWhen the printf family of functions is called with a format specifier\nthat uses an <apostrophe> (enable grouping) and a minimum width\nspecifier, the resulting output could be larger than reasonably expected\nby a caller that computed a tight bound on the buffer size.  The\nresulting larger than expected output could result in a buffer overflow\nin the printf family of functions.",
+    "affected_packages": [
+      {
+        "package": {
+          "type": "sid",
+          "namespace": "gnu.org",
+          "name": "glibc",
+          "version": "",
+          "qualifiers": "",
+          "subpath": ""
+        },
+        "affected_version_range": "vers:generic/2.37.0",
+        "fixed_version_range": "vers:generic/2.37.0-4|2.38.0",
+        "introduced_by_commit_patches": [
+          {
+            "vcs_url": "https://sourceware.org/git/glibc.git",
+            "commit_hash": "e88b9f0e5cc50cab57a299dc7efe1a4eb385161d",
+            "patch_text": null,
+            "patch_checksum": null
+          }
+        ],
+        "fixed_by_commit_patches": [
+          {
+            "vcs_url": "https://sourceware.org/git/glibc.git",
+            "commit_hash": "c980549cc6a1c03c23cc2fe3e7b0fe626a0364b0",
+            "patch_text": null,
+            "patch_checksum": null
+          },
+          {
+            "vcs_url": "https://sourceware.org/git/glibc.git",
+            "commit_hash": "07b9521fc6369d000216b96562ff7c0ed32a16c4",
+            "patch_text": null,
+            "patch_checksum": null
+          }
+        ]
+      }
+    ],
+    "references": [],
+    "patches": [],
+    "severities": [],
+    "date_published": "2023-02-02T00:00:00+00:00",
+    "weaknesses": [],
+    "url": "https://sourceware.org/git/glibc.git"
+  }
+]
diff --git a/vulnerabilities/tests/test_data/glibc/advisories/GLIBC-SA-2025-0004 b/vulnerabilities/tests/test_data/glibc/advisories/GLIBC-SA-2025-0004
@@ -0,0 +1,29 @@
+power10: strncmp fails to save and restore nonvolatile vector registers
+
+The Power 10 implementation of strncmp in
+sysdeps/powerpc/powerpc64/le/power10/strncmp.S failed to save/restore
+nonvolatile vector registers in the 32-byte aligned loop path.  This
+results in callers reading content from those registers in a different
+context, potentially altering program logic.
+
+There could be a program context where a user controlled string could
+leak through strncmp into program code, thus altering its logic.  There
+is also a potential for sensitive strings passed into strncmp leaking
+through the clobbered registers into parts of the calling program that
+should otherwise not have had access to those strings.
+
+The impact of this flaw is limited to applications running on Power 10
+hardware that use the nonvolatile vector registers, i.e. v20 to v31
+assuming that they have been treated in accordance with the OpenPower
+psABI.  It is possible to work around the issue for those specific
+applications by setting the glibc.cpu.hwcaps tunable to "-arch_3_1" like
+so:
+
+    export GLIBC_TUNABLES=glibc.cpu.hwcaps=-arch_3_1
+
+CVE-Id: CVE-2025-5745
+Public-Date: 2025-06-05
+Vulnerable-Commit: 23f0d81608d0ca6379894ef81670cf30af7fd081 (2.40)
+Fix-Commit: 63c60101ce7c5eac42be90f698ba02099b41b965 (2.42)
+Fix-Commit: 84bdbf8a6f2fdafd3661489dbb7f79835a52da82 (2.41-57)
+Fix-Commit: 42a5a940c974d02540c8da26d6374c744d148cb9 (2.40-136)
diff --git a/vulnerabilities/tests/test_data/glibc/advisories/GLIBC-SA-2025-0004-expected.json b/vulnerabilities/tests/test_data/glibc/advisories/GLIBC-SA-2025-0004-expected.json
@@ -0,0 +1,57 @@
+[
+  {
+    "advisory_id": "GLIBC-SA-2025-0004",
+    "aliases": [
+      "CVE-2025-5745"
+    ],
+    "summary": "power10: strncmp fails to save and restore nonvolatile vector registers\nThe Power 10 implementation of strncmp in\nsysdeps/powerpc/powerpc64/le/power10/strncmp.S failed to save/restore\nnonvolatile vector registers in the 32-byte aligned loop path.  This\nresults in callers reading content from those registers in a different\ncontext, potentially altering program logic.",
+    "affected_packages": [
+      {
+        "package": {
+          "type": "sid",
+          "namespace": "gnu.org",
+          "name": "glibc",
+          "version": "",
+          "qualifiers": "",
+          "subpath": ""
+        },
+        "affected_version_range": "vers:generic/2.40.0",
+        "fixed_version_range": "vers:generic/2.40.0-136|2.41.0-57|2.42.0",
+        "introduced_by_commit_patches": [
+          {
+            "vcs_url": "https://sourceware.org/git/glibc.git",
+            "commit_hash": "23f0d81608d0ca6379894ef81670cf30af7fd081",
+            "patch_text": null,
+            "patch_checksum": null
+          }
+        ],
+        "fixed_by_commit_patches": [
+          {
+            "vcs_url": "https://sourceware.org/git/glibc.git",
+            "commit_hash": "63c60101ce7c5eac42be90f698ba02099b41b965",
+            "patch_text": null,
+            "patch_checksum": null
+          },
+          {
+            "vcs_url": "https://sourceware.org/git/glibc.git",
+            "commit_hash": "84bdbf8a6f2fdafd3661489dbb7f79835a52da82",
+            "patch_text": null,
+            "patch_checksum": null
+          },
+          {
+            "vcs_url": "https://sourceware.org/git/glibc.git",
+            "commit_hash": "42a5a940c974d02540c8da26d6374c744d148cb9",
+            "patch_text": null,
+            "patch_checksum": null
+          }
+        ]
+      }
+    ],
+    "references": [],
+    "patches": [],
+    "severities": [],
+    "date_published": "2025-06-05T00:00:00+00:00",
+    "weaknesses": [],
+    "url": "https://sourceware.org/git/glibc.git"
+  }
+]
diff --git a/vulnerabilities/tests/test_data/glibc/advisories/GLIBC-SA-2026-0002 b/vulnerabilities/tests/test_data/glibc/advisories/GLIBC-SA-2026-0002
diff --git a/vulnerabilities/tests/test_data/glibc/advisories/GLIBC-SA-2026-0002-expected.json b/vulnerabilities/tests/test_data/glibc/advisories/GLIBC-SA-2026-0002-expected.json
