Collect existing fix commits for Linux Kernel

vulnerabilities/importers/__init__.py

@@ -51,6 +51,7 @@
 from vulnerabilities.pipelines.v2_importers import github_osv_importer as github_osv_importer_v2
 from vulnerabilities.pipelines.v2_importers import gitlab_importer as gitlab_importer_v2
 from vulnerabilities.pipelines.v2_importers import istio_importer as istio_importer_v2
+from vulnerabilities.pipelines.v2_importers import linux_kernel_importer as linux_kernel_importer_v2
 from vulnerabilities.pipelines.v2_importers import mozilla_importer as mozilla_importer_v2
 from vulnerabilities.pipelines.v2_importers import npm_importer as npm_importer_v2
 from vulnerabilities.pipelines.v2_importers import nvd_importer as nvd_importer_v2
@@ -83,6 +84,7 @@
         github_osv_importer_v2.GithubOSVImporterPipeline,
         redhat_importer_v2.RedHatImporterPipeline,
         aosp_importer_v2.AospImporterPipeline,
+        linux_kernel_importer_v2.LinuxKernelPipeline,
         nvd_importer.NVDImporterPipeline,
         github_importer.GitHubAPIImporterPipeline,
         gitlab_importer.GitLabImporterPipeline,

vulnerabilities/pipelines/v2_importers/linux_kernel_importer.py

@@ -0,0 +1,137 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+from pathlib import Path
+
+from fetchcode.vcs import fetch_via_vcs
+
+from vulnerabilities.importer import AdvisoryData
+from vulnerabilities.importer import AffectedPackageV2
+from vulnerabilities.importer import PackageCommitPatchData
+from vulnerabilities.importer import PatchData
+from vulnerabilities.importer import ReferenceV2
+from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipelineV2
+from vulnerabilities.pipes.advisory import classify_patch_source
+from vulnerabilities.utils import commit_regex
+from vulnerabilities.utils import cve_regex
+from vulnerabilities.utils import get_advisory_url
+from vulnerabilities.utils import is_commit
+
+
+class LinuxKernelPipeline(VulnerableCodeBaseImporterPipelineV2):
+    """
+    Pipeline to collect Linux Kernel Pipeline:
+    """
+
+    pipeline_id = "linux_kernel_cves_fix_commits"
+    spdx_license_expression = "Apache-2.0"
+    license_url = "https://github.com/nluedtke/linux_kernel_cves/blob/master/LICENSE"
+    importer_name = "linux_kernel_cves_fix_commits"
+    qualified_name = "linux_kernel_cves_fix_commits"
+
+    @classmethod
+    def steps(cls):
+        return (
+            cls.clone,
+            cls.collect_and_store_advisories,
+            cls.clean_downloads,
+        )
+
+    def advisories_count(self):
+        root = Path(self.vcs_response.dest_dir)
+        return sum(1 for _ in root.rglob("data/*.txt"))
+
+    def clone(self):
+        self.repo_url = "git+https://github.com/nluedtke/linux_kernel_cves"
+        self.log(f"Cloning `{self.repo_url}`")
+        self.vcs_response = fetch_via_vcs(self.repo_url)
+
+    def collect_advisories(self):
+        self.log(f"Processing linux kernel fix commits.")
+        base_path = Path(self.vcs_response.dest_dir) / "data"
+        for file_path in base_path.rglob("*.txt"):
+            if "_CVEs.txt" in file_path.name:
+                continue
+
+            if "_security.txt" in file_path.name:
+                patches = []
+                affected_packages = []
+                references = []
+                for vulnerability_id, commit_hash in self.parse_commits_file(file_path):
+                    patch_url = f"https://github.com/torvalds/linux/commit/{commit_hash}"
+                    if not commit_hash:
+                        continue
+
+                    base_purl, patch_objs = classify_patch_source(
+                        url=patch_url,
+                        commit_hash=commit_hash,
+                        patch_text=None,
+                    )
+
+                    for patch_obj in patch_objs:
+                        if isinstance(patch_obj, PackageCommitPatchData):
+                            fixed_commit = patch_obj
+                            affected_package = AffectedPackageV2(
+                                package=base_purl,
+                                fixed_by_commit_patches=[fixed_commit],
+                            )
+                            affected_packages.append(affected_package)
+                        elif isinstance(patch_obj, PatchData):
+                            patches.append(patch_obj)
+                        elif isinstance(patch_obj, ReferenceV2):
+                            references.append(patch_obj)
+
+                    advisory_url = get_advisory_url(
+                        file=file_path,
+                        base_path=self.vcs_response.dest_dir,
+                        url="https://github.com/nluedtke/linux_kernel_cves/blob/master/",
+                    )
+
+                    yield AdvisoryData(
+                        advisory_id=vulnerability_id,
+                        references_v2=references,
+                        affected_packages=affected_packages,
+                        patches=patches,
+                        url=advisory_url,
+                    )
+
+    def parse_commits_file(self, file_path):
+        """Extract CVE-ID and commit hashes from a text file"""
+        with open(file_path, "r", encoding="utf-8") as f:
+            for line in f:
+                parts = line.strip().split(":", 2)
+
+                if len(parts) < 2:
+                    continue
+
+                cve_part = parts[0]
+                commit_part = parts[1]
+
+                cve_match = cve_regex.search(cve_part)
+                if not cve_match:
+                    continue
+
+                cve = cve_match.group(0)
+
+                sha1_match = commit_regex.search(commit_part)
+                commit_hash = sha1_match.group(0) if sha1_match else None
+
+                if not commit_hash or not is_commit(commit_hash):
+                    continue
+
+                yield cve, commit_hash
+
+    def clean_downloads(self):
+        """Cleanup any temporary repository data."""
+        if self.vcs_response:
+            self.log("Removing cloned repository")
+            self.vcs_response.delete()
+
+    def on_failure(self):
+        """Ensure cleanup is always performed on failure."""
+        self.clean_downloads()

vulnerabilities/tests/pipelines/v2_importers/test_linux_pipelines_v2.py

@@ -0,0 +1,28 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+import os
+from pathlib import Path
+from unittest.mock import Mock
+
+import pytest
+
+from vulnerabilities.pipelines.v2_importers.linux_kernel_importer import LinuxKernelPipeline
+from vulnerabilities.tests import util_tests
+
+TEST_DATA = Path(__file__).parent.parent.parent / "test_data" / "linux_kernel"
+
+
+@pytest.mark.django_db
+def test_linux_kernel_advisories():
+    expected_file = os.path.join(TEST_DATA, "expected-linux-kernel-advisory.json")
+    pipeline = LinuxKernelPipeline()
+    pipeline.vcs_response = Mock(dest_dir=TEST_DATA)
+    result = [adv.to_dict() for adv in pipeline.collect_advisories()]
+    util_tests.check_results_against_json(result, expected_file)

vulnerabilities/tests/test_data/linux_kernel/data/3.12/3.12_security.txt

@@ -0,0 +1,31 @@
+
+CVEs fixed in 3.12:
+  CVE-2013-4511: 201f99f170df14ba52ea4c52847779042b7a623b uml: check length in exitcode_proc_write()
+  CVE-2013-4512: 201f99f170df14ba52ea4c52847779042b7a623b uml: check length in exitcode_proc_write()
+  CVE-2013-4513: c2c65cd2e14ada6de44cb527e7f1990bede24e15 staging: ozwpan: prevent overflow in oz_cdev_write()
+  CVE-2013-4514: b5e2f339865fb443107e5b10603e53bbc92dc054 staging: wlags49_h2: buffer overflow setting station name
+  CVE-2013-4515: 8d1e72250c847fa96498ec029891de4dc638a5ba Staging: bcm: info leak in ioctl
+  CVE-2013-4516: a8b33654b1e3b0c74d4a1fed041c9aae50b3c427 Staging: sb105x: info leak in mp_get_count()
+  CVE-2013-6383: f856567b930dfcdbc3323261bf77240ccdde01f5 aacraid: missing capable() check in compat ioctl
+
+CVEs fixed in 3.12.1:
+  CVE-2013-4348: cec64fecff2eff7dd701b883ed3f5f6faf1aab92 net: flow_dissector: fail on evil iph->ihl
+
+CVEs fixed in 3.12.2:
+  CVE-2013-2929: 9d4dd888b4b5799ecadfb0d8c9adda7a76779806 exec/ptrace: fix get_dumpable() incorrect tests
+  CVE-2013-2930: 539ddb09c46389cc22d35543e40ccde2c2e20244 perf/ftrace: Fix paranoid level for enabling function tracer
+  CVE-2013-4345: 8ea7fffd97835f4e3ffd5f757df152a79835f65f crypto: ansi_cprng - Fix off by one error in non-block size request
+  CVE-2013-6378: 0f6ff65ed8d3630118c3149a4fbc493dd3b8fdc4 libertas: potential oops in debugfs
+  CVE-2013-6380: 12cc2209deeda65c963c84a5e6aaf0c39aca8e6d aacraid: prevent invalid pointer dereference
+  CVE-2013-7026: dd272212175ad47ee84cf38e9d5f99502df2d930 ipc,shm: fix shm_file deletion races
+
+CVE-2024-26791: (unk) btrfs: dev-replace: properly validate device names
+CVE-2024-26793: (unk) gtp: fix use-after-free and null-ptr-deref in gtp_newlink()
+CVE-2024-26797: (unk) drm/amd/display: Prevent potential buffer overflow in map_hw_resources
+CVE-2024-26798: (unk) fbcon: always restore the old font data in fbcon_do_set_font()
+CVE-2024-26802: (unk) stmmac: Clear variable when destroying workqueue
+CVE-2024-26803: (unk) net: veth: clear GRO when clearing XDP even when down
+CVE-2024-26804: (unk) net: ip_tunnel: prevent perpetual headroom growth
+CVE-2024-26806: (unk) spi: cadence-qspi: remove system-wide suspend helper calls from runtime PM hooks
+CVE-2024-26808: (unk) netfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain
+CVE-2024-26809: (unk) netfilter: nft_set_pipapo: release elements in clone only from destroy path