Add Grafana security advisory importer #2200
Open
NucleiAv wants to merge 5 commits into aboutcode-org:main from
Force-pushed 765808c to 918f85b
Adds GrafanaImporterPipeline using the GitHub Security Advisory REST API. Covers grafana/grafana, grafana/loki, credativ/plutono and credativ/vali.

- Parses GHSA IDs, CVE aliases, CVSS v3.1 scores, CWE weaknesses and version ranges from the API response
- Normalizes space-separated version constraints to comma-separated format before passing to build_range_from_github_advisory_constraint
- Skips advisories without a parseable version range rather than raising
- Registers GrafanaImporterPipeline in IMPORTERS_REGISTRY
- Includes JSON test fixtures and unit tests for parse_advisory_data

Closes aboutcode-org#1462

Signed-off-by: newklei <magmacicada@proton.me>
Force-pushed 4d0aae7 to 481fb5b
Force-pushed c803224 to 60e258f
…importer

- Removed repo_url class attribute (not part of the base class contract)
- Replaced datetime.strptime + timezone.utc with dateparser.parse() for consistency with the ZDI importer and flexibility with date formats
- Removed unused datetime and timezone stdlib imports

Signed-off-by: newklei <magmacicada@proton.me>
Force-pushed 60e258f to 4c8780c
Adds GrafanaImporterPipeline to collect published security advisories from the GitHub Security Advisory REST API for four repos: grafana/grafana, grafana/loki, credativ/plutono, and credativ/vali.
What this adds:

- vulnerabilities/pipelines/v2_importers/grafana_importer.py
- vulnerabilities/tests/test_grafana_importer.py (5 tests, all passing)
- vulnerabilities/tests/test_data/grafana/ (mock input + expected output fixtures)
- GrafanaImporterPipeline in IMPORTERS_REGISTRY

Design notes:
The importer is in pipelines/v2_importers/ (not importers/) because it uses the v2 pipeline architecture (VulnerableCodeBaseImporterPipelineV2), matching mattermost, curl, nginx, and all other v2 importers. Tests are in tests/ (not next to the source) following the same convention used by every other importer in the project.

Parsing details:
- advisory_id is the GHSA ID, CVE goes into aliases only
- Space-separated version constraints (e.g. >=9.2.0 <9.2.10), normalized to comma-separated before passing to build_range_from_github_advisory_constraint
- Advisories without a parseable version range are skipped and left out of affected_packages rather than raising an error
- CVSS v3.1 scores in severities, CWE IDs in weaknesses

Closes #1462
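The two parsing details above, the space-to-comma normalization of version constraints and the skip-instead-of-raise behaviour for unparseable ranges, as an added stand-alone example that is not the PR's own code: it assumes the GitHub advisory REST API field names (ghsa_id, cve_id, cvss, cwes, vulnerabilities[].vulnerable_version_range) and runs on a constructed fixture with placeholder identifiers.

```python
import json
import re

# One constraint token such as ">=9.2.0" or "<9.2.10"
CONSTRAINT_RE = re.compile(r"^(>=|<=|>|<|=)\s*[0-9][0-9A-Za-z.+-]*$")
OPERATORS = (">=", "<=", ">", "<", "=")

def normalize_constraint(vulnerable_version_range):
    """Rewrite ">=9.2.0 <9.2.10" as ">=9.2.0,<9.2.10"; comma-separated or
    ">= 9.2.0" spaced input is accepted too. None if any token is not a constraint."""
    raw = [t for t in re.split(r"[,\s]+", vulnerable_version_range.strip()) if t]
    tokens, i = [], 0
    while i < len(raw):
        tok = raw[i]
        if tok in OPERATORS and i + 1 < len(raw):  # rejoin ">= 9.2.0"
            tok, i = tok + raw[i + 1], i + 1
        if not CONSTRAINT_RE.match(tok):
            return None  # free text such as "all versions before fix"
        tokens.append(tok)
        i += 1
    return ",".join(tokens) or None

def parse_advisory(advisory):
    """Collect the fields the importer records from one GHSA REST API object
    (field names assumed from the API shape); unparseable ranges are skipped."""
    affected = []
    for vuln in advisory.get("vulnerabilities", []):
        rng = normalize_constraint(vuln.get("vulnerable_version_range") or "")
        if rng is None:
            continue  # skip this package rather than raise
        affected.append({"package": vuln["package"]["name"], "range": rng})
    cvss = advisory.get("cvss") or {}
    return {
        "advisory_id": advisory["ghsa_id"],
        "aliases": [advisory["cve_id"]] if advisory.get("cve_id") else [],
        "cvss_v3": (cvss.get("score"), cvss.get("vector_string")),
        "weaknesses": [c["cwe_id"] for c in advisory.get("cwes", [])],
        "affected_packages": affected,
    }

# Constructed fixture with placeholder GHSA/CVE ids; not a real advisory.
SAMPLE_ADVISORY = json.loads("""{
  "ghsa_id": "GHSA-xxxx-xxxx-xxxx", "cve_id": "CVE-0000-00000",
  "cvss": {"score": 7.5, "vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},
  "cwes": [{"cwe_id": "CWE-79", "name": "Cross-site Scripting"}],
  "vulnerabilities": [
    {"package": {"name": "github.com/grafana/grafana"}, "vulnerable_version_range": ">=9.2.0 <9.2.10"},
    {"package": {"name": "github.com/grafana/loki"}, "vulnerable_version_range": "all versions before fix"}]
}""")
```

The loki entry's free-text range is dropped from affected_packages while the rest of the advisory is still recorded, which is the behaviour the PR describes for ranges that cannot be parsed.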