Add Eclipse Foundation security advisories importer #2219
NucleiAv wants to merge 3 commits into aboutcode-org:main from
Signed-off-by: Anmol Vats <anmolvats2003@gmail.com>
Signed-off-by: Anmol Vats <anmolvats2003@gmail.com>
| summary_obj = entry.get("summary") | ||
| summary = summary_obj.get("content") or "" if isinstance(summary_obj, dict) else "" |
I think something like this is simpler.
| summary_obj = entry.get("summary") | |
| summary = summary_obj.get("content") or "" if isinstance(summary_obj, dict) else "" | |
| summary_obj = entry.get("summary", {}) | |
| summary = summary_obj.get("content") or "" |
Used entry.get("summary") or {} instead of the suggested entry.get("summary", {}) because the API actually returns "summary": null for some entries (CVE-2024-2212 in the sample data). When the key exists but its value is null, .get("summary", {}) still returns None, which makes None.get("content") blow up. The or {} handles both the missing key and the null case cleanly.
| severities = [] | ||
| cvss = entry.get("cvss") | ||
| if cvss is not None: |
| if cvss is not None: | |
| if cvss: |
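Review bot: the suggested `if cvss:` also drops a score of 0.0, which is a valid (if rare) CVSS value, whereas `if cvss is not None:` keeps it; the only extra cases the truthiness check covers are an empty string or other falsy placeholder. Before switching, worth confirming against the sample data whether the API ever emits 0.0 or an empty value for a missing score; if it only emits null or a float, the original `is not None` form is the more precise one.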
| if not advisory_id: | ||
| return None |
Do we have any examples of this? If yes, please log this, if no, please remove it.
| if not advisory_id: | |
| return None |
I removed it since I did not find any instances in the API data.
| class TestParseAdvisory(TestCase): |
Please change this to test against the file instead of running parse_advisory for every attribute.
Replaced the whole class with a single test_parse_advisories() that runs all three sample entries and checks against an expected JSON file using util_tests.check_results_against_json. Also dropped test_collect_advisories_skips_on_http_error as it had assert not hasattr(...) or True which is always true and wasn't actually testing anything.
Signed-off-by: Anmol Vats <anmolvats2003@gmail.com>
Closes #1495
HTML parsing the Eclipse website at https://www.eclipse.org/security/known.php would return nothing useful because the CVE-ID links in the table redirect to NVD and the project links return a 404. Instead I found that the website renders its advisory table entirely via JavaScript from a JSON API endpoint. By inspecting the JS bundle, I found https://api.eclipse.org/cve which returns all 197 advisories as a clean JSON array with no auth and no pagination required. So I chose the API approach, since it's clean and consistent.
Each entry provides details like CVE ID, publish date, Eclipse project name, summary, CVSS score, and reference URLs (CVE Mitre link, Eclipse bugtracker ticket, GitHub CVE pull request where applicable).
The API does not provide the CVSS vector string or version (only a bare float score, stored using the GENERIC scoring system), CWE weaknesses, or affected or fixed package versions. These fields are left empty.
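As an added illustration of the parsing decisions discussed in this thread (the `summary` key that can be absent or `null`, and the bare `cvss` float stored as a generic score), here is a small stand-alone parser. It is example code written for this page, not the project's importer, and it does not use vulnerablecode's own data classes. Only the `summary`/`content` and `cvss` keys come from the review above; the other key names (`id`, `date_published`, `project`, the reference-link keys) and the three sample entries are assumptions constructed for the example, so check them against the live JSON before relying on them.

```python
import json
import urllib.request
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

ECLIPSE_CVE_API = "https://api.eclipse.org/cve"

# ASSUMED key names (only "summary"/"content" and "cvss" appear in the thread).
ID_KEY = "id"
DATE_KEY = "date_published"
PROJECT_KEY = "project"
REFERENCE_KEYS = ("cve_link", "bug_link", "github_pr")

# Constructed sample data, not the real API response: a normal entry, one where
# "summary" and "cvss" are explicit nulls, and one with a 0.0 score, a null
# summary content and an unparseable date. Ids are placeholders.
SAMPLE_API_JSON = json.dumps([
    {
        "id": "CVE-0000-0001",
        "date_published": "2024-03-01T00:00:00Z",
        "project": "eclipse.example",
        "summary": {"content": "Example issue description."},
        "cvss": 7.5,
        "cve_link": "https://www.cve.org/CVERecord?id=CVE-0000-0001",
        "bug_link": "https://example.invalid/bugs/1",
        "github_pr": None,
    },
    {
        "id": "CVE-0000-0002",
        "date_published": "2024-03-02T00:00:00Z",
        "project": "eclipse.example",
        "summary": None,   # key present, value null
        "cvss": None,
    },
    {
        "id": "CVE-0000-0003",
        "date_published": "not a date",
        "project": "eclipse.example",
        "summary": {"content": None},
        "cvss": 0.0,       # falsy but valid: must not be dropped
    },
])


@dataclass
class ParsedAdvisory:
    advisory_id: str
    summary: str
    project: str
    date_published: Optional[datetime]
    severities: list = field(default_factory=list)  # [{"system": "generic", "value": "7.5"}]
    references: list = field(default_factory=list)  # plain URLs


def parse_date(value) -> Optional[datetime]:
    """Parse an ISO-8601 timestamp, tolerating a trailing 'Z' and bad input."""
    if not isinstance(value, str):
        return None
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None


def parse_entry(entry: dict) -> ParsedAdvisory:
    """Normalise one API entry; never raises on missing or null fields."""
    # `or {}` covers both a missing key and an explicit null value.
    summary_obj = entry.get("summary") or {}
    summary = summary_obj.get("content") or ""

    severities = []
    cvss = entry.get("cvss")
    # `is not None` keeps a 0.0 score; a plain `if cvss:` would drop it.
    if cvss is not None:
        severities.append({"system": "generic", "value": str(cvss)})

    references = [entry.get(k) for k in REFERENCE_KEYS if entry.get(k)]

    return ParsedAdvisory(
        advisory_id=entry.get(ID_KEY) or "",
        summary=summary,
        project=entry.get(PROJECT_KEY) or "",
        date_published=parse_date(entry.get(DATE_KEY)),
        severities=severities,
        references=references,
    )


def parse_advisories(json_text: str) -> list:
    """Parse the whole feed (a JSON array) into ParsedAdvisory objects."""
    entries = json.loads(json_text)
    if not isinstance(entries, list):
        raise ValueError("expected a JSON array of advisories")
    return [parse_entry(e) for e in entries if isinstance(e, dict)]


def fetch_advisories(url: str = ECLIPSE_CVE_API, timeout: int = 30) -> list:
    """Fetch and parse the live feed (network call; not exercised offline)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_advisories(resp.read().decode("utf-8"))


if __name__ == "__main__":
    for adv in parse_advisories(SAMPLE_API_JSON):
        print(adv.advisory_id, adv.severities, repr(adv.summary), adv.references)
```

Running the module parses the constructed sample offline; `fetch_advisories()` is the only function that touches the network. The two points the review turned on are visible in `parse_entry`: the `or {}` guard handles both a missing `summary` and a `null` one, and the `is not None` test keeps a 0.0 score that a truthiness check would silently discard.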