Comments (4)
Ocramius
commented on May 28, 2024
1
Yes, but there is no guarantee from the publisher that the syntax stays
stable. It needs to be an official source, with stable DSL. This is what
PSR-9 is about, if you are interested in designing a proper XSD/DTD for
security-related ATOM feeds.
…On Thu, 6 Dec 2018, 00:14 Russ Michell ***@***.*** wrote:
I beg to differ. In a few lines of Python, I can parse that feed and
compare with a project's composer.lock.
#!/usr/bin/python
#
# Russell Michell 2018 ***@***.***>
#
# What is this?
#
# Parses the SilverStripe Security Releases RSS feed for vulnerabilities in the current project's
# composer.lock file.
#
# Requirements:
#
# Feedparser: pip install feedparser
# BeautifulSoup: apt-get install python-bs4
from bs4 import BeautifulSoup
import json, sys, feedparser, re
feed_url = 'https://www.silverstripe.org/download/security-releases/rss'
# We use this pseudo constant when no package is given in the RSS advisories
DEFAULT_PACKAGE = 'silverstripe/framework'
# Clean up version constraints
def clean_version(input):
return re.sub('[^[\d.]', '', input)
# Cleanup package-names
def clean_package(input):
return input.strip(' :')
with open('./composer.lock', 'r') as composerLockFile:
json = json.load(composerLockFile)
feed = feedparser.parse(feed_url)
if feed.channel == None:
print 'No feed data found.'
sys.exit(1)
for package in json['packages']:
c_package = package['name']
c_version = clean_version(package['version'])
for item in feed['items']:
soup = BeautifulSoup(item['description'], 'html.parser')
# All entity-encoded <dd> HTML elements found within an RSS <description> element
allDDs = soup.find_all('dd')
# TODO Can also use BS4 to access via class="foo" rather than as a dict/numeric-index
severity = allDDs[0].string
identifier = allDDs[1].string
versionsAffected = allDDs[2].string
versionsFixed = allDDs[3].string
advisory_link = item.link
# Advisories sometimes exclude the package name. Assume this means "silverstripe/framework"
# Advisories are formatted slightly differently (with/without colon-separated spaces between <package><version>)
package = re.sub("[\s:]?((>=?)?\s?)?(\d\.?)+(-rc\d)?,?", '', versionsFixed)
version = re.sub("([^\/]\w+\/[\w-]+(?=[\s:]))+", '', versionsFixed)
f_package = clean_package(package)
f_version = clean_version(version)
# Basic test to see if a package has been stipulated. If not, we assume: "silverstripe/framework"
if f_package is None or '/' not in f_package:
f_package = DEFAULT_PACKAGE
if c_package != f_package:
continue
for fixed_version in f_version.split(','):
is_vulnerable = c_version < fixed_version
if is_vulnerable:
print '[ALERT] %s version %s has a security advisory: %s' % (c_package, c_version, advisory_link)
# Break so no further versions need to be checked
break
sys.exit(1)
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#340 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAJakHYpfzWVGAXc9gi2Yc6Ne1CnWx2Fks5u2FM6gaJpZM4ZDoe9>
.
from security-advisories.
Ocramius
commented on May 28, 2024
web-APIs and RSS feeds where available
Those feeds are designed for human consumption, not for machine consumption.
from security-advisories.
phptek
commented on May 28, 2024
In a few lines of Python, I can parse that feed and compare with a project's composer.lock.
#!/usr/bin/python
#
# Russell Michell 2018 <[email protected]>
#
# What is this?
#
# Parses the SilverStripe Security Releases RSS feed for vulnerabilities in the current project's
# composer.lock file.
#
# Requirements:
#
# Feedparser: pip install feedparser
# BeautifulSoup: apt-get install python-bs4
from bs4 import BeautifulSoup
import json, sys, feedparser, re
feed_url = 'https://www.silverstripe.org/download/security-releases/rss'
# We use this pseudo constant when no package is given in the RSS advisories
DEFAULT_PACKAGE = 'silverstripe/framework'
# Clean up version constraints
def clean_version(input):
return re.sub('[^[\d.]', '', input)
# Cleanup package-names
def clean_package(input):
return input.strip(' :')
with open('./composer.lock', 'r') as composerLockFile:
json = json.load(composerLockFile)
feed = feedparser.parse(feed_url)
if feed.channel == None:
print 'No feed data found.'
sys.exit(1)
for package in json['packages']:
c_package = package['name']
c_version = clean_version(package['version'])
for item in feed['items']:
soup = BeautifulSoup(item['description'], 'html.parser')
# All entity-encoded <dd> HTML elements found within an RSS <description> element
allDDs = soup.find_all('dd')
# TODO Can also use BS4 to access via class="foo" rather than as a dict/numeric-index
severity = allDDs[0].string
identifier = allDDs[1].string
versionsAffected = allDDs[2].string
versionsFixed = allDDs[3].string
advisory_link = item.link
# Advisories sometimes exclude the package name. Assume this means "silverstripe/framework"
# Advisories are formatted slightly differently (with/without colon-separated spaces between <package><version>)
package = re.sub("[\s:]?((>=?)?\s?)?(\d\.?)+(-rc\d)?,?", '', versionsFixed)
version = re.sub("([^\/]\w+\/[\w-]+(?=[\s:]))+", '', versionsFixed)
f_package = clean_package(package)
f_version = clean_version(version)
# Basic test to see if a package has been stipulated. If not, we assume: "silverstripe/framework"
if f_package is None or '/' not in f_package:
f_package = DEFAULT_PACKAGE
if c_package != f_package:
continue
for fixed_version in f_version.split(','):
is_vulnerable = c_version < fixed_version
if is_vulnerable:
print '[ALERT] %s version %s has a security advisory: %s' % (c_package, c_version, advisory_link)
# Break so no further versions need to be checked
break
sys.exit(1)
from security-advisories.
fabpot
commented on May 28, 2024
I'm going to close this one as we don't have any resources to maintain such a script and it is not our responsibility to create entries for all PHP projects out there. It's a contribution based effort from the community. Now, if the Silverstripe community wants to automate the process of submitting their advisories info, they can do so of course.
from security-advisories.
Related Issues (20)
- TYPO3 extension advisories HOT 4
- Using exact version constraint without boundaries are faling the validation HOT 5
- Advisories didn't pushed
- simplesamlphp v1.17.8 reported as insecure HOT 2
- alterphp/easyadmin-extension-bundle/2018-10-02.yaml HOT 2
- Would it be possible to add TYPO3 Extensions as well? HOT 8
- Consider adding a vulnerability id for non CVEs HOT 2
- Mr
- Add level of severity for PHP Security Advisories HOT 3
- Flag unsupported versions HOT 1
- propel: 2.0.0-alpha11 HOT 11
- Laravel 5.8 marked as insecure when it's not in fact vulnerable to CVE-2021-3129 HOT 4
- Work with Github to fix their Advisory Database importer? HOT 3
- facade/ignition seems to be fixed in 2.4.2 HOT 3
- [Discussion] Adopt OSV unified vulnerability schema for open source HOT 1
- Typosquatting Malware symfont/process HOT 3
- Import advisories from the Github security vulnerability database automatically HOT 10
- PHP Deprecated: Return type of Composer\Repository\ArrayRepository::count() should either be compatible with Countable::count() HOT 2
- Support for Composer 1 is deprecated and some packages will not be available. HOT 5
- Missing api-platform CVE HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from security-advisories.