From ca28026a334043cd8e48091b9c7288b8de22b8da Mon Sep 17 00:00:00 2001
From: Jitka Obselkova
Date: Wed, 11 Dec 2024 12:51:01 +0100
Subject: [PATCH 1/4] Rename whitelist and blacklist to allowlist and blocklist
---
 collectors/cveorg/keywords.py | 48 ++++++++++++------------
 collectors/cveorg/tests/test_keywords.py | 10 ++---
 2 files changed, 29 insertions(+), 29 deletions(-)
diff --git a/collectors/cveorg/keywords.py b/collectors/cveorg/keywords.py
index e84b86e18..0525abe8b 100644
--- a/collectors/cveorg/keywords.py
+++ b/collectors/cveorg/keywords.py
@@ -1,6 +1,6 @@
 import re
-WHITELIST = [
+ALLOWLIST = [
 "GIMP",
 "Spring",
 "dotnet",
@@ -9,9 +9,9 @@
 # r'\b\.NET\b' does not match properly because word boundary \b does not cooperate well
 # with dot.
-WHITELIST_SPECIAL_CASES = [r"(?:\W|^)\.NET\b"]
+ALLOWLIST_SPECIAL_CASES = [r"(?:\W|^)\.NET\b"]
-BLACKLIST = [
+BLOCKLIST = [
 r"(HPE|Hewlett Packard Enterprise).*(IceWall|FlexNetwork|FlexFabric|OneView|Nimble)",
 r"(Industrial Edge Management|Nucleus NET|SINEC).*[\n]*.*siemens",
 r"(Jfinal|Final)[ _]CMS",
@@ -772,34 +772,34 @@
 "zzcms",
 ]
-BLACKLIST_CASE_SENSITIVE = ["iOS"]
+BLOCKLIST_CASE_SENSITIVE = ["iOS"]
-KEYWORD_WHITELIST = [
- re.compile(rf"\b{keyword}\b", re.IGNORECASE) for keyword in WHITELIST
-] + [re.compile(keyword) for keyword in WHITELIST_SPECIAL_CASES]
+KEYWORD_ALLOWLIST = [
+ re.compile(rf"\b{keyword}\b", re.IGNORECASE) for keyword in ALLOWLIST
+] + [re.compile(keyword) for keyword in ALLOWLIST_SPECIAL_CASES]
-KEYWORD_BLACKLIST = [
- re.compile(rf"\b{keyword}\b", re.IGNORECASE) for keyword in BLACKLIST
-] + [re.compile(rf"\b{keyword}\b") for keyword in BLACKLIST_CASE_SENSITIVE]
+KEYWORD_BLOCKLIST = [
+ re.compile(rf"\b{keyword}\b", re.IGNORECASE) for keyword in BLOCKLIST
+] + [re.compile(rf"\b{keyword}\b") for keyword in BLOCKLIST_CASE_SENSITIVE]
 def check_keywords(text):
 """
 Checks if a specified text is relevant or not based on found keywords.
- Returns tuple of matched blacklisted and whitelisted keywords.
+ Returns tuple of matched blocklisted and allowlisted keywords.
 """
- whitelist = []
- for word in (regex.search(text) for regex in KEYWORD_WHITELIST):
+ allowlist = []
+ for word in (regex.search(text) for regex in KEYWORD_ALLOWLIST):
 if word is not None:
- whitelist.append(word.group().strip())
+ allowlist.append(word.group().strip())
- blacklist = []
- for word in (regex.search(text) for regex in KEYWORD_BLACKLIST):
+ blocklist = []
+ for word in (regex.search(text) for regex in KEYWORD_BLOCKLIST):
 if word is not None:
- blacklist.append(word.group())
+ blocklist.append(word.group())
- return sorted(blacklist), sorted(whitelist)
+ return sorted(blocklist), sorted(allowlist)
 def should_create_snippet(text):
@@ -807,17 +807,17 @@ def should_create_snippet(text):
 Returns True if a snippet should be created, False otherwise.
 Snippet should be created if:
- words in `text` are in both whitelist and blacklist ([x], [x])
- words in `text` are in whitelist only ([x], [])
- words in `text` are not in whitelist or blacklist ([], [])
+ words in `text` are in both allowlist and blocklist ([x], [x])
+ words in `text` are in allowlist only ([x], [])
+ words in `text` are not in allowlist or blocklist ([], [])
 Snippet should not be created if:
- words in `text` are in blacklist only ([], [x])
+ words in `text` are in blocklist only ([], [x])
 `text` is empty
 """
 if not text:
 return False
- blacklist, whitelist = check_keywords(text)
+ blocklist, allowlist = check_keywords(text)
- return False if (blacklist and not whitelist) else True
+ return False if (blocklist and not allowlist) else True
diff --git a/collectors/cveorg/tests/test_keywords.py b/collectors/cveorg/tests/test_keywords.py
index f3560773a..4c261e8b2 100644
--- a/collectors/cveorg/tests/test_keywords.py
+++ b/collectors/cveorg/tests/test_keywords.py
@@ -8,7 +8,7 @@
 [
 ("Internet is a great thing!", ([], [])),
 ("IBM Tivoli is blue and red.", (["IBM Tivoli"], [])),
- ("we want to whitelist kernel", ([], ["kernel"])),
+ ("we want to allowlist kernel", ([], ["kernel"])),
 ],
 )
 def test_check_keywords(text, expected_output):
@@ -85,13 +85,13 @@ def test_check_keywords_wordpress(text, expected_output):
 @pytest.mark.parametrize(
 "text, should_create",
 [
- # in both blacklist and whitelist
+ # in both blocklist and allowlist
 ("kernel and iOS in description", True),
- # in whitelist only
+ # in allowlist only
 ("kernel and ios in description", True),
- # not in whitelist or blacklist
+ # not in allowlist or blocklist
 ("something else in description", True),
- # in blacklist only
+ # in blocklist only
 ("iOS in description", False),
 # nothing to check
 (None, False),
From 9417550ec5472cd3c5e72218e86271b359bd6ce2 Mon Sep 17 00:00:00 2001
From: Jitka Obselkova
Date: Wed, 11 Dec 2024 12:55:28 +0100
Subject: [PATCH 2/4] Collect keywords from ps-constants
---
 collectors/cveorg/migrations/0001_initial.py | 23 +
 collectors/cveorg/migrations/__init__.py | 0
 collectors/cveorg/models.py | 23 +
 collectors/ps_constants/core.py | 26 +
 collectors/ps_constants/tasks.py | 10 +
 ...ntsCollection.test_fetch_ps_constants.yaml | 847 ++++++------------
 collectors/ps_constants/tests/test_core.py | 52 ++
 7 files changed, 416 insertions(+), 565 deletions(-)
 create mode 100644 collectors/cveorg/migrations/0001_initial.py
 create mode 100644 collectors/cveorg/migrations/__init__.py
 create mode 100644 collectors/cveorg/models.py
diff --git a/collectors/cveorg/migrations/0001_initial.py b/collectors/cveorg/migrations/0001_initial.py
new file mode 100644
index 000000000..82fe398a1
--- /dev/null
+++ b/collectors/cveorg/migrations/0001_initial.py
@@ -0,0 +1,23 @@
+# Generated by Django 4.2.16 on 2024-12-10 14:05
+
+from django.db import migrations, models
+import uuid
+
+
+class Migration(migrations.Migration):
+
+ initial = True
+
+ dependencies = [
+ ]
+
+ operations = [
+ migrations.CreateModel(
+ name='Keyword',
+ fields=[
+ ('uuid', models.UUIDField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
+ ('keyword', models.CharField(max_length=255, unique=True)),
+ ('type', models.CharField(choices=[('ALLOWLIST', 'Allowlist'), ('ALLOWLIST_SPECIAL_CASE', 'Allowlist Special Case'), ('BLOCKLIST', 'Blocklist'), ('BLOCKLIST_SPECIAL_CASE', 'Blocklist Special Case')], max_length=25)),
+ ],
+ ),
+ ]
diff --git a/collectors/cveorg/migrations/__init__.py b/collectors/cveorg/migrations/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/collectors/cveorg/models.py b/collectors/cveorg/models.py
new file mode 100644
index 000000000..095296ba4
--- /dev/null
+++ b/collectors/cveorg/models.py
@@ -0,0 +1,23 @@
+import uuid
+
+from django.db import models
+
+
+class Keyword(models.Model):
+ """
+ An instance of this model represents a keyword of a given type
+ collected from `data/cveorg_keywords.yml` in the `ps-constants` repository.
+
+ These keywords determine whether the CVEorg collector should create a flaw.
+ """
+
+ class Type(models.TextChoices):
+ ALLOWLIST = "ALLOWLIST"
+ ALLOWLIST_SPECIAL_CASE = "ALLOWLIST_SPECIAL_CASE"
+ BLOCKLIST = "BLOCKLIST"
+ BLOCKLIST_SPECIAL_CASE = "BLOCKLIST_SPECIAL_CASE"
+
+ # internal primary key
+ uuid = models.UUIDField(primary_key=True, default=uuid.uuid4, editable=False)
+ keyword = models.CharField(max_length=255, unique=True)
+ type = models.CharField(choices=Type.choices, max_length=25)
diff --git a/collectors/ps_constants/core.py b/collectors/ps_constants/core.py
index 0c2612cae..207a41e5f 100644
--- a/collectors/ps_constants/core.py
+++ b/collectors/ps_constants/core.py
@@ -8,6 +8,7 @@
 from apps.sla.models import SLA, SLAPolicy
 from apps.trackers.models import JiraBugIssuetype
+from collectors.cveorg.models import Keyword
 from osidb.models import SpecialConsiderationPackage
 logger = logging.getLogger(__name__)
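Review bot: `keyword = models.CharField(max_length=255, unique=True)` makes the string unique across all four types, so a `cveorg_keywords.yml` that lists the same word in two sections (e.g. an allowlist entry that is also a case-sensitive blocklist entry) cannot be loaded at all; the sync in core.py would fail with a bare IntegrityError instead of a message naming the duplicate. If cross-list duplicates are meant to be allowed, drop the field-level `unique=True` and declare `constraints = [models.UniqueConstraint(fields=["keyword", "type"], name="unique_keyword_per_type")]` in an inner `Meta` (regenerating the migration); if they are meant to be rejected, say so in the docstring so ps-constants editors know. The values are presumably regular-expression fragments rather than literal strings, as the existing `rf"\b{keyword}\b"` compilation in keywords.py suggests, so the class docstring should also state `Entries are regex fragments; see collectors/cveorg/keywords.py for how each type is compiled` — TODO confirm once the consumer is switched over.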
@@ -68,3 +69,28 @@ def sync_jira_bug_issuetype(source_dict):
 JiraBugIssuetype.objects.all().delete()
 for project in list(source_dict.values())[0]:
 JiraBugIssuetype.objects.get_or_create(project=project)
+
+
+@transaction.atomic
+def sync_cveorg_keywords(source: dict) -> None:
+ """
+ Sync CVEorg keywords in the database
+ """
+ try:
+ keywords = [
+ (Keyword.Type.ALLOWLIST, source["allowlist"]),
+ (Keyword.Type.ALLOWLIST_SPECIAL_CASE, source["allowlist_special_cases"]),
+ (Keyword.Type.BLOCKLIST, source["blocklist"]),
+ (Keyword.Type.BLOCKLIST_SPECIAL_CASE, source["blocklist_special_cases"]),
+ ]
+ except KeyError:
+ raise KeyError(
+ "The ps-constants repository does not contain the expected CVEorg keyword sections."
+ )
+
+ # Delete and recreate keywords
+ Keyword.objects.all().delete()
+ for keyword_type, data in keywords:
+ for entry in data:
+ keyword = Keyword(keyword=entry, type=keyword_type)
+ keyword.save()
diff --git a/collectors/ps_constants/tasks.py b/collectors/ps_constants/tasks.py
index c9cd3b45a..6b55e05d7 100644
--- a/collectors/ps_constants/tasks.py
+++ b/collectors/ps_constants/tasks.py
@@ -12,6 +12,7 @@
 from .constants import PS_CONSTANTS_REPO_BRANCH, PS_CONSTANTS_REPO_URL
 from .core import (
 fetch_ps_constants,
+ sync_cveorg_keywords,
 sync_jira_bug_issuetype,
 sync_sla_policies,
 sync_special_consideration_packages,
@@ -46,7 +47,12 @@ def collect_step_1_fetch():
 logger.info(f"Fetching PS Constants (Jira Bug issuetype) from '{url}'")
 jira_bug_issuetype = fetch_ps_constants(url)
+ url = f"{PS_CONSTANTS_BASE_URL}/cveorg_keywords.yml"
+ logger.info(f"Fetching CVEorg keywords from '{url}'")
+ cveorg_keywords = fetch_ps_constants(url)
+
 return (
+ cveorg_keywords,
 sc_packages,
 sla_policies,
 jira_bug_issuetype,
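Review bot: `sync_cveorg_keywords` persists every `entry` verbatim without checking that it is a usable pattern, yet the entries are consumed as regex fragments (the existing keywords.py wraps each one in `rf"\b{keyword}\b"` and calls `re.compile`), so an unbalanced parenthesis in the remote YAML is accepted here and only blows up later, at compile time in the collector, with no indication of which entry is broken. Because the function is already `@transaction.atomic`, validating in the loop keeps the previous keyword set intact on a bad file: before `Keyword(keyword=entry, type=keyword_type)` add `try: re.compile(entry)` / `except re.error as exc: raise ValueError(f"Invalid CVEorg keyword pattern {entry!r}") from exc` (with `import re` at the top of core.py). The `except KeyError: raise KeyError(...)` rewrap discards which of the four sections is missing; `except KeyError as exc: raise KeyError(f"... sections: {exc}") from exc` keeps it. A section that is present but empty parses from YAML as `None`, which makes `for entry in data:` raise TypeError, so `for entry in data or []:` is safer. The per-row `keyword.save()` also runs one INSERT per entry over several hundred rows; `Keyword.objects.bulk_create([...])` does the same inside the transaction.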
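Review bot: `collect_step_1_fetch` now returns a four-element positional tuple with `cveorg_keywords` placed first, while the fetch order puts it last, and `collect_step_2_sync` and `ps_constants_collector` must each repeat that exact order by hand; since all four payloads are plain dicts from `fetch_ps_constants`, a future reordering in one place would route the wrong YAML to a sync function and would be caught only if that function happens to check its keys. Returning a `dict` keyed by name, e.g. `return {"cveorg_keywords": cveorg_keywords, "sc_packages": sc_packages, ...}`, and calling `collect_step_2_sync(**fetched)` removes the coupling. The function body starts outside this hunk.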
@@ -54,10 +60,12 @@ def collect_step_1_fetch():
 def collect_step_2_sync(
+ cveorg_keywords,
 sc_packages,
 sla_policies,
 jira_bug_issuetype,
 ):
+ sync_cveorg_keywords(cveorg_keywords)
 sync_special_consideration_packages(sc_packages)
 sync_sla_policies(sla_policies)
 sync_jira_bug_issuetype(jira_bug_issuetype)
@@ -83,6 +91,7 @@ def ps_constants_collector(collector_obj) -> str:
 """ps constants collector"""
 (
+ cveorg_keywords,
 sc_packages,
 sla_policies,
 jira_bug_issuetype,
@@ -96,6 +105,7 @@ def ps_constants_collector(collector_obj) -> str:
 )
 collect_step_2_sync(
+ cveorg_keywords,
 sc_packages,
 sla_policies,
 jira_bug_issuetype,
diff --git a/collectors/ps_constants/tests/cassettes/test_core/TestPsConstantsCollection.test_fetch_ps_constants.yaml b/collectors/ps_constants/tests/cassettes/test_core/TestPsConstantsCollection.test_fetch_ps_constants.yaml
index a77a67733..60c48e4ea 100644
--- a/collectors/ps_constants/tests/cassettes/test_core/TestPsConstantsCollection.test_fetch_ps_constants.yaml
+++ b/collectors/ps_constants/tests/cassettes/test_core/TestPsConstantsCollection.test_fetch_ps_constants.yaml
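Review bot: `sync_cveorg_keywords(cveorg_keywords)` is inserted ahead of the three pre-existing sync calls, so a `cveorg_keywords.yml` that is fetched successfully but lacks one of the four sections (which makes the new function raise KeyError, per the core.py hunk) now also stops SLA policies, special-consideration packages and Jira issue types from being refreshed in that run — a new failure mode placed in front of data the rest of OSIDB already relies on. Unless the step is retried as a whole elsewhere, which is not visible here, call the new sync last: `sync_special_consideration_packages(sc_packages)`, `sync_sla_policies(sla_policies)`, `sync_jira_bug_issuetype(jira_bug_issuetype)`, then `sync_cveorg_keywords(cveorg_keywords)`. A one-line comment `# keywords are synced last so a bad keyword file does not block the SLA/package syncs` would make the ordering deliberate.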
@@ -9,416 +9,52 @@ interactions: Connection: - keep-alive User-Agent: - - python-requests/2.31.0 + - python-requests/2.32.3 method: GET - uri: https://example.com/prodsec-dev/ps-constants/-/raw/master/data/compliance_priority.yml?job=build - response: - body: - string: "# list of packages / components that are in the scope of the compliance - priority special handling and where a dedicated SLAs are applied\n# separate - list provided for each primary product, keys need to match ps module names\n# - https://example.com/browse/OSIDB-1316\n# For any component from the below - list in the particular product the following SLA are applicable:\n# Critical - = 7 days\n# Important = 21 days\n# Moderate = 50 days\n# Low = 180 days\n#\n# - File structure based on the rhel8 example:\n#\n# rhel-8: (name of the ps_module)\n# - \ components: (list of the components, can be left empty as components: - [] what would mean ALL components in that ps_module)\n# streams: (list of - product streams where the compliance priority rules will be applied, this - object CANNOT be empty)\n#\n# The key values (ps_module) must be unique across - this document, duplicates are not allowed.\n#\n\nrhel-8:\n components:\n - \ - acl\n - adcli\n - attr\n - audit\n - authselect\n - avahi\n - basesystem\n - \ - bash\n - bash-completion\n - bind\n - binutils\n - brotli\n - bubblewrap\n - \ - bzip2\n - c-ares\n - ca-certificates\n - checkpolicy\n - chkconfig\n - \ - chrony\n - cifs-utils\n - clevis\n - cloud-utils-growpart\n - compat-openssl10\n - \ - conntrack-tools\n - coreutils\n - cpio\n - cracklib\n - cri-tools\n - \ - crypto-policies\n - cryptsetup\n - cups\n - curl\n - cyrus-sasl\n - \ - dbus\n - dbus-glib\n - dbus-python\n - device-mapper-multipath\n - - device-mapper-persistent-data\n - diffutils\n - ding-libs\n - dmidecode\n - \ - dnf\n - dnf-plugins-core\n - dnsmasq\n - dosfstools\n - dracut\n - - dtc\n - e2fsprogs\n - edk2\n - efi-rpm-macros\n - efibootmgr\n - efivar\n - \ - elfutils\n - emacs\n 
- ethtool\n - expat\n - file\n - filesystem\n - \ - findutils\n - firewalld\n - freetype\n - fstrm\n - fuse\n - fwupd\n - \ - gawk\n - gcab\n - gcc\n - gdb\n - gdbm\n - gdisk\n - geolite2\n - \ - gettext\n - git\n - glib2\n - glibc\n - glusterfs\n - gmp\n - gnupg2\n - \ - gnutls\n - gobject-introspection\n - gpgme\n - grep\n - groff\n - - grub2\n - gssproxy\n - gzip\n - haproxy\n - hardlink\n - hdparm\n - - hostname\n - hwdata\n - icu\n - ima-evm-utils\n - initscripts\n - iproute\n - \ - iptables\n - iputils\n - ipxe\n - irqbalance\n - iscsi-initiator-utils\n - \ - isns-utils\n - jansson\n - jose\n - jq\n - json-c\n - json-glib\n - \ - kata-containers\n - kbd\n - kernel\n - kexec-tools\n - keyutils\n - \ - kmod\n - krb5\n - langpacks\n - less\n - libaio\n - libarchive\n - \ - libassuan\n - libbpf\n - libcap\n - libcap-ng\n - libcomps\n - libcroco\n - \ - libdaemon\n - libdb\n - libdnf\n - libdrm\n - libedit\n - libestr\n - \ - libevent\n - libfastjson\n - libffi\n - libgcrypt\n - libgpg-error\n - \ - libgudev\n - libgusb\n - libidn2\n - libkcapi\n - libksba\n - libldb\n - \ - libmaxminddb\n - libmetalink\n - libmicrohttpd\n - libmnl\n - libmodulemd\n - \ - libmspack\n - libndp\n - libnet\n - libnetfilter_conntrack\n - libnetfilter_cthelper\n - \ - libnetfilter_cttimeout\n - libnetfilter_queue\n - libnfnetlink\n - - libnftnl\n - libnl3\n - libnsl2\n - libpcap\n - libpciaccess\n - libpeas\n - \ - libpng\n - libpsl\n - libpwquality\n - libqb\n - librepo\n - libreport\n - \ - librhsm\n - librtas\n - libseccomp\n - libsecret\n - libselinux\n - \ - libsemanage\n - libsepol\n - libsigsegv\n - libsmbios\n - libsolv\n - \ - libssh\n - libtalloc\n - libtasn1\n - libtdb\n - libteam\n - libtevent\n - \ - libtirpc\n - libtool\n - libunistring\n - libusbx\n - libuser\n - - libutempter\n - libverto\n - libxcrypt\n - libxkbcommon\n - libxml2\n - \ - libxmlb\n - libxslt\n - libyaml\n - linux-firmware\n - lmdb\n - logrotate\n - \ - lsof\n - lua\n - luksmeta\n - lvm2\n - lz4\n - 
lzo\n - make\n - - mdadm\n - memstrack\n - microcode_ctl\n - microdnf\n - mokutil\n - mozjs60\n - \ - mpfr\n - nano\n - ncurses\n - net-tools\n - nettle\n - NetworkManager\n - \ - newt\n - nfs-utils\n - nftables\n - nghttp2\n - nmap\n - npth\n - - nss-altfiles\n - numactl\n - nvme-cli\n - oniguruma\n - open-vm-tools\n - \ - openldap\n - openshift\n - openshift-clients\n - openssh\n - openssl\n - \ - openssl-pkcs11\n - os-prober\n - ostree\n - p11-kit\n - pam\n - passwd\n - \ - pciutils\n - pcre\n - pcre2\n - perl\n - perl-Carp\n - perl-constant\n - \ - perl-Data-Dumper\n - perl-Digest\n - perl-Digest-MD5\n - perl-Encode\n - \ - perl-Error\n - perl-Exporter\n - perl-File-Path\n - perl-File-Temp\n - \ - perl-Getopt-Long\n - perl-HTTP-Tiny\n - perl-IO-Socket-IP\n - perl-IO-Socket-SSL\n - \ - perl-libnet\n - perl-MIME-Base64\n - perl-Mozilla-CA\n - perl-Net-SSLeay\n - \ - perl-parent\n - perl-PathTools\n - perl-Pod-Escapes\n - perl-Pod-Perldoc\n - \ - perl-Pod-Simple\n - perl-Pod-Usage\n - perl-podlators\n - perl-Scalar-List-Utils\n - \ - perl-Socket\n - perl-Storable\n - perl-Term-ANSIColor\n - perl-Term-Cap\n - \ - perl-TermReadKey\n - perl-Text-ParseWords\n - perl-Text-Tabs+Wrap\n - \ - perl-threads\n - perl-threads-shared\n - perl-Time-Local\n - perl-Unicode-Normalize\n - \ - perl-URI\n - pigz\n - pinentry\n - pixman\n - pkgconf\n - pmdk\n - \ - policycoreutils\n - polkit\n - polkit-pkla-compat\n - popt\n - procps-ng\n - \ - protobuf\n - protobuf-c\n - psmisc\n - publicsuffix-list\n - pygobject3\n - \ - python-chardet\n - python-dateutil\n - python-decorator\n - python-dmidecode\n - \ - python-ethtool\n - python-idna\n - python-iniparse\n - python-inotify\n - \ - python-linux-procfs\n - python-pip\n - python-ply\n - python-pysocks\n - \ - python-pyudev\n - python-requests\n - python-setuptools\n - python-six\n - \ - python-systemd\n - python-urllib3\n - python3\n - python36\n - PyYAML\n - \ - qemu-kvm\n - quota\n - rdma-core\n - readline\n - redhat-release\n - \ - 
rootfiles\n - rpcbind\n - rpm\n - rpm-ostree\n - rsync\n - rsyslog\n - \ - samba\n - seabios\n - sed\n - selinux-policy\n - setools\n - setup\n - \ - sg3_utils\n - sgabios\n - shadow-utils\n - shared-mime-info\n - shim\n - \ - slang\n - snappy\n - socat\n - sqlite\n - squashfs-tools\n - sssd\n - \ - stalld\n - strace\n - subscription-manager\n - subscription-manager-rhsm-certificates\n - \ - sudo\n - systemd\n - tar\n - tcpdump\n - texinfo\n - timedatex\n - \ - tmux\n - tpm2-tools\n - tpm2-tss\n - tree\n - trousers\n - tuna\n - \ - tuned\n - tzdata\n - unbound\n - usbguard\n - usermode\n - userspace-rcu\n - \ - util-linux\n - vim\n - virt-what\n - WALinuxAgent\n - wget\n - which\n - \ - xfsprogs\n - xkeyboard-config\n - xmlsec1\n - xz\n - yajl\n - zlib\n - \ - zstd\n - abattis-cantarell-fonts\n - adwaita-icon-theme\n - alsa-lib\n - \ - at-spi2-atk\n - at-spi2-core\n - atk\n - bc\n - cairo\n - cmake\n - \ - colord\n - copy-jdk-configs\n - dconf\n - dejavu-fonts\n - environment-modules\n - \ - fontconfig\n - fontpackages\n - fribidi\n - gdk-pixbuf2\n - git-lfs\n - \ - glib-networking\n - graphite2\n - grubby\n - gsettings-desktop-schemas\n - \ - gtk2\n - gtk3\n - harfbuzz\n - hicolor-icon-theme\n - jasper\n - - java-1.8.0-openjdk\n - java-11-openjdk\n - javapackages-runtime:201801/javapackages-tools\n - \ - jbigkit\n - lcms2\n - libdatrie\n - libepoxy\n - libfontenc\n - libjpeg-turbo\n - \ - libmodman\n - libpipeline\n - libproxy\n - libsoup\n - libthai\n - - libtiff\n - libuv\n - libX11\n - libXau\n - libxcb\n - libXcomposite\n - \ - libXcursor\n - libXdamage\n - libXext\n - libXfixes\n - libXft\n - - libXi\n - libXinerama\n - libXrandr\n - libXrender\n - libXtst\n - lksctp-tools\n - \ - man-db\n - nspr\n - nss\n - nss_wrapper\n - pango\n - perl-libwww-perl\n - \ - postgresql:15/postgresql\n - rest\n - scl-utils\n - tcl\n - ttmkfdir\n - \ - unzip\n - uuid\n - wayland\n - xmlstarlet\n - xorg-x11-font-utils\n - \ - xorg-x11-fonts\n - zip\n streams:\n - rhel-8.6.0.z\n 
- rhel-8.9.0.z\n# - IMPORTANT NOTE: starting from \"zlib\" component there are components from - the IBM FedRAMP environment\n\n# the \"openshift-golang-builder-container\" - in the openshift-4 components list is a special entry to help RHEL Golang - team with with prioritization\nopenshift-4:\n components:\n - cluster-etcd-operator-container\n - \ - cluster-monitoring-operator-container\n - cluster-network-operator-container\n - \ - cluster-node-tuning-operator-container\n - conmon\n - console-login-helper-messages\n - \ - container-selinux\n - containernetworking-plugins\n - containers-common\n - \ - coredns-container\n - coreos-installer\n - cri-o\n - criu\n - crun\n - \ - csi-attacher-container\n - csi-livenessprobe-container\n - csi-node-driver-registrar-container\n - \ - csi-provisioner-container\n - fuse-overlayfs\n - golang-github-openshift-oauth-proxy-container\n - \ - golang-github-prometheus-alertmanager-container\n - golang-github-prometheus-node_exporter-container\n - \ - golang-github-prometheus-prometheus-container\n - ignition\n - kube-rbac-proxy-container\n - \ - kube-state-metrics-container\n - libslirp\n - marketplace-operator-container\n - \ - multus-cni-container\n - oauth-server-container\n - openshift-enterprise-builder-container\n - \ - openshift-enterprise-cli-container\n - openshift-enterprise-console-container\n - \ - openshift-enterprise-console-operator-container\n - openshift-enterprise-haproxy-router-container\n - \ - openshift-enterprise-hyperkube-container\n - openshift-enterprise-registry-container\n - \ - openshift-state-metrics-container\n - openshift-golang-builder-container\n - \ - openvswitch-selinux-extra-policy\n - openvswitch2.13\n - openvswitch2.17\n - \ - operator-lifecycle-manager-container\n - ose-aws-ebs-csi-driver-container\n - \ - ose-aws-ebs-csi-driver-operator-container\n - ose-aws-pod-identity-webhook-container\n - \ - ose-cli-artifacts-container\n - ose-cloud-credential-operator-container\n - \ - 
ose-cloud-network-config-controller-container\n - ose-cluster-authentication-operator-container\n - \ - ose-cluster-autoscaler-operator-container\n - ose-cluster-baremetal-operator-container\n - \ - ose-cluster-cloud-controller-manager-operator-container\n - ose-cluster-config-operator-container\n - \ - ose-cluster-csi-snapshot-controller-operator-container\n - ose-cluster-dns-operator-container\n - \ - ose-cluster-image-registry-operator-container\n - ose-cluster-ingress-operator-container\n - \ - ose-cluster-kube-apiserver-operator-container\n - ose-cluster-kube-controller-manager-operator-container\n - \ - ose-cluster-kube-scheduler-operator-container\n - ose-cluster-kube-storage-version-migrator-operator-container\n - \ - ose-cluster-machine-approver-container\n - ose-cluster-openshift-apiserver-operator-container\n - \ - ose-cluster-openshift-controller-manager-operator-container\n - ose-cluster-samples-operator-container\n - \ - ose-cluster-storage-operator-container\n - ose-csi-external-resizer-container\n - \ - ose-csi-external-snapshotter-container\n - ose-csi-snapshot-controller-container\n - \ - ose-csi-snapshot-validation-webhook-container\n - ose-etcd-container\n - \ - ose-insights-operator-container\n - ose-kube-storage-version-migrator-container\n - \ - ose-machine-api-operator-container\n - ose-machine-api-provider-aws-container\n - \ - ose-machine-config-operator-container\n - ose-multus-admission-controller-container\n - \ - ose-network-metrics-daemon-container\n - ose-node-container\n - ose-oauth-apiserver-container\n - \ - ose-openshift-apiserver-container\n - ose-openshift-controller-manager-container\n - \ - ose-prometheus-adapter-container\n - ose-service-ca-operator-container\n - \ - ose-thanos-container\n - podman\n - prom-label-proxy-container\n - - prometheus-config-reloader-container\n - prometheus-operator-admission-webhook-container\n - \ - prometheus-operator-container\n - runc\n - rust-afterburn\n - rust-bootupd\n - \ - skopeo\n - 
slirp4netns\n - telemeter-container\n - toolbox\n streams:\n - \ - openshift-4.12.z\n\nfdp-el8-ovs:\n components:\n - openvswitch-selinux-extra-policy\n - \ - openvswitch2.13\n - openvswitch2.17\n streams:\n - fdp-el8-ovs\n\n# - IBM FedRAMP components\nocp-tools-4:\n components:\n - jenkins\n - jenkins-2-plugins\n - \ - jenkins-agent-base-rhel8-container\n - openshift-jenkins-2-container\n - \ streams:\n - ocp-tools-4.14\n\n# IBM FedRAMP components\nrhel-9:\n components:\n - \ - alsa-lib\n - chkconfig\n - audit\n - avahi\n - basesystem\n - bash\n - \ - bzip2\n - ca-certificates\n - copy-jdk-configs\n - coreutils\n - crypto-policies\n - \ - cups\n - curl\n - cyrus-sasl\n - dbus\n - dejavu-fonts\n - dnf\n - \ - expat\n - file\n - filesystem\n - findutils\n - fonts-rpm-macros\n - \ - gawk\n - gdbm\n - glib2\n - glibc\n - gmp\n - gnupg2\n - gnutls\n - \ - gobject-introspection\n - gpgme\n - grep\n - java-17-openjdk\n - javapackages-tools\n - \ - json-c\n - json-glib\n - keyutils\n - krb5\n - langpacks\n - acl\n - \ - libarchive\n - libassuan\n - attr\n - util-linux\n - libcap\n - libcap-ng\n - \ - e2fsprogs\n - libdnf\n - libevent\n - libffi\n - gcc\n - libgcrypt\n - \ - libgpg-error\n - libidn2\n - libksba\n - libmodulemd\n - nghttp2\n - \ - libpeas\n - librepo\n - libreport\n - librhsm\n - libselinux\n - - libsemanage\n - libsepol\n - libsigsegv\n - libsolv\n - libtasn1\n - - libunistring\n - libusbx\n - libverto\n - libxcrypt\n - libxml2\n - libyaml\n - \ - zstd\n - lksctp-tools\n - lua\n - lua-posix\n - lz4\n - microdnf\n - \ - mpfr\n - ncurses\n - nettle\n - npth\n - nss\n - openldap\n - openssl\n - \ - p11-kit\n - pcre\n - pcre2\n - popt\n - python3.9\n - python-pip\n - \ - python-setuptools\n - readline\n - redhat-release\n - rootfiles\n - - rpm\n - sed\n - setup\n - shadow-utils\n - sqlite\n - systemd\n - tzdata\n - \ - xz\n - zlib\n streams:\n - rhel-9.3.0.z\n\n\n# Red Hat Build of Keycloak - 22 components\nrhbk:\n components:\n - aesh\n - agroal-api\n - 
agroal-narayana\n - \ - agroal-pool\n - angus-activation\n - angus-mail\n - annotations\n - - antlr4-runtime\n - aopalliance\n - apache-mime4j-core\n - apache-mime4j-dom\n - \ - apache-mime4j-storage\n - apiguardian-api\n - arc\n - arc-processor\n - \ - asm\n - asm-analysis\n - asm-commons\n - asm-tree\n - asm-util\n - - asyncutil\n - awaitility\n - bcpkix-jdk18on\n - bcprov-jdk18on\n - bcutil-jdk18on\n - \ - btf\n - byte-buddy\n - caffeine\n - cockroachdb\n - codemodel\n - - commons-cli\n - commons-codec\n - commons-collections4\n - commons-compress\n - \ - commons-io\n - commons-lang3\n - commons-logging-jboss-logging\n - - core\n - database-commons\n - docker-java-api\n - docker-java-transport\n - \ - docker-java-transport-zerodep\n - duct-tape\n - failureaccess\n - freemarker\n - \ - gizmo\n - graal-sdk\n - guava\n - guice\n - hamcrest-core\n - hibernate-commons-annotations\n - \ - hibernate-core\n - hibernate-graalvm\n - httpclient\n - httpcore\n - \ - importmap\n - infinispan-cachestore-remote\n - infinispan-client-hotrod-jakarta\n - \ - infinispan-commons-jakarta\n - infinispan-core-jakarta\n - infinispan-jboss-marshalling\n - \ - infinispan-query-dsl\n - infinispan-remote-query-client\n - istack-commons-runtime\n - \ - istack-commons-tools\n - jackson-annotations\n - jackson-core\n - jackson-coreutils\n - \ - jackson-databind\n - jackson-dataformat-cbor\n - jackson-dataformat-yaml\n - \ - jackson-datatype-jdk8\n - jackson-datatype-jsr310\n - jackson-jakarta-rs-base\n - \ - jackson-jakarta-rs-json-provider\n - jackson-module-jakarta-xmlbind-annotations\n - \ - jackson-module-parameter-names\n - jakarta.activation\n - jakarta.activation-api\n - \ - jakarta.annotation-api\n - jakarta.ejb-api\n - jakarta.el-api\n - jakarta.enterprise.cdi-api\n - \ - jakarta.enterprise.lang-model\n - jakarta.inject-api\n - jakarta.interceptor-api\n - \ - jakarta.json-api\n - jakarta.mail-api\n - jakarta.persistence-api\n - \ - jakarta.resource-api\n - jakarta.servlet-api\n - 
jakarta.transaction-api\n - \ - jakarta.validation-api\n - jakarta.ws.rs-api\n - jakarta.xml.bind-api\n - \ - jakarta.xml.soap-api\n - jandex\n - jansi\n - javase\n - javassist\n - \ - javax.activation-api\n - javax.annotation-api\n - javax.inject\n - - jaxb-api\n - jaxb-core\n - jaxb-jxc\n - jaxb-runtime\n - jaxb-xjc\n - - jboss-invocation\n - jboss-logging\n - jboss-logging-annotations\n - jboss-logmanager-embedded\n - \ - jboss-marshalling\n - jboss-marshalling-river\n - jboss-metadata-common\n - \ - jboss-metadata-web\n - jboss-threads\n - jboss-transaction-spi\n - - jdbc\n - jgroups\n - jna\n - jna-platform\n - json-patch\n - jts-core\n - \ - junit\n - junit-jupiter\n - junit-jupiter-api\n - junit-jupiter-engine\n - \ - junit-jupiter-params\n - junit-platform-commons\n - junit-platform-engine\n - \ - junit-platform-launcher\n - kerby-asn1\n - keycloak-account-ui\n - - keycloak-admin-cli\n - keycloak-admin-ui\n - keycloak-authz-policy-common\n - \ - keycloak-client-cli-dist\n - keycloak-client-registration-cli\n - keycloak-common\n - \ - keycloak-config-api\n - keycloak-core\n - keycloak-crypto-default\n - \ - keycloak-crypto-fips1402\n - keycloak-js-adapter-jar\n - keycloak-kerberos-federation\n - \ - keycloak-ldap-federation\n - keycloak-model-infinispan\n - keycloak-model-jpa\n - \ - keycloak-model-legacy\n - keycloak-model-legacy-private\n - keycloak-model-legacy-services\n - \ - keycloak-model-map\n - keycloak-model-map-file\n - keycloak-model-map-hot-rod\n - \ - keycloak-model-map-jpa\n - keycloak-quarkus-dist\n - keycloak-quarkus-server\n - \ - keycloak-quarkus-server-app\n - keycloak-rest-admin-ui-ext\n - keycloak-saml-core\n - \ - keycloak-saml-core-public\n - keycloak-server-spi\n - keycloak-server-spi-private\n - \ - keycloak-services\n - keycloak-sssd-federation\n - keycloak-themes\n - \ - liquibase-core\n - logstash-gelf\n - mariadb\n - mariadb-java-client\n - \ - maven-api-meta\n - maven-api-xml\n - maven-artifact\n - maven-builder-support\n - \ - 
maven-core\n - maven-embedder\n - maven-model\n - maven-model-builder\n - \ - maven-plugin-api\n - maven-repository-metadata\n - maven-resolver-api\n - \ - maven-resolver-connector-basic\n - maven-resolver-impl\n - maven-resolver-named-locks\n - \ - maven-resolver-provider\n - maven-resolver-spi\n - maven-resolver-transport-http\n - \ - maven-resolver-transport-wagon\n - maven-resolver-util\n - maven-settings\n - \ - maven-settings-builder\n - maven-shared-utils\n - maven-xml-impl\n - - micrometer-commons\n - micrometer-core\n - micrometer-observation\n - micrometer-registry-prometheus\n - \ - microprofile-config\n - microprofile-config-api\n - microprofile-context-propagation-api\n - \ - microprofile-health-api\n - microprofile-openapi-api\n - microprofile-reactive-streams-operators-api\n - \ - msg-simple\n - mssql-jdbc\n - mssqlserver\n - mutiny\n - mutiny-smallrye-context-propagation\n - \ - mutiny-zero-flow-adapters\n - mxparser\n - mysql\n - mysql-connector-java\n - \ - narayana-jta\n - narayana-jts-integration\n - nashorn-core\n - netty-buffer\n - \ - netty-codec\n - netty-codec-dns\n - netty-codec-haproxy\n - netty-codec-http\n - \ - netty-codec-http2\n - netty-codec-socks\n - netty-common\n - netty-handler\n - \ - netty-handler-proxy\n - netty-resolver\n - netty-resolver-dns\n - netty-transport\n - \ - netty-transport-classes-epoll\n - netty-transport-native-epoll\n - netty-transport-native-unix-common\n - \ - ojdbc11\n - opencsv\n - opentest4j\n - orai18n\n - org-crac\n - org.eclipse.sisu.inject\n - \ - org.eclipse.sisu.plexus\n - owasp-java-html-sanitizer\n - parsson\n - \ - picocli\n - plexus-cipher\n - plexus-classworlds\n - plexus-component-annotations\n - \ - plexus-interpolation\n - plexus-sec-dispatcher\n - plexus-utils\n - - plexus-xml\n - postgresql\n - protoparser\n - protostream\n - protostream-types\n - \ - quarkus-agroal\n - quarkus-agroal-deployment\n - quarkus-agroal-spi\n - \ - quarkus-arc\n - quarkus-arc-deployment\n - 
quarkus-bootstrap-app-model\n - \ - quarkus-bootstrap-core\n - quarkus-bootstrap-gradle-resolver\n - quarkus-bootstrap-maven-resolver\n - \ - quarkus-bootstrap-runner\n - quarkus-builder\n - quarkus-caffeine\n - \ - quarkus-caffeine-deployment\n - quarkus-class-change-agent\n - quarkus-core\n - \ - quarkus-core-deployment\n - quarkus-credentials\n - quarkus-credentials-deployment\n - \ - quarkus-datasource\n - quarkus-datasource-common\n - quarkus-datasource-deployment\n - \ - quarkus-datasource-deployment-spi\n - quarkus-development-mode-spi\n - \ - quarkus-devtools-utilities\n - quarkus-fs-util\n - quarkus-hibernate-orm\n - \ - quarkus-hibernate-orm-deployment\n - quarkus-hibernate-orm-deployment-spi\n - \ - quarkus-hibernate-validator-spi\n - quarkus-http-core\n - quarkus-http-http-core\n - \ - quarkus-http-servlet\n - quarkus-ide-launcher\n - quarkus-jackson\n - \ - quarkus-jackson-deployment\n - quarkus-jackson-spi\n - quarkus-jaxrs-spi-deployment\n - \ - quarkus-jdbc-h2\n - quarkus-jdbc-h2-deployment\n - quarkus-jdbc-mariadb\n - \ - quarkus-jdbc-mariadb-deployment\n - quarkus-jdbc-mssql\n - quarkus-jdbc-mssql-deployment\n - \ - quarkus-jdbc-mysql\n - quarkus-jdbc-mysql-deployment\n - quarkus-jdbc-oracle\n - \ - quarkus-jdbc-oracle-deployment\n - quarkus-jdbc-postgresql\n - quarkus-jdbc-postgresql-deployment\n - \ - quarkus-jsonp\n - quarkus-jsonp-deployment\n - quarkus-junit5\n - quarkus-junit5-internal\n - \ - quarkus-junit5-properties\n - quarkus-kubernetes-service-binding-spi\n - \ - quarkus-kubernetes-spi\n - quarkus-local-cache\n - quarkus-logging-gelf\n - \ - quarkus-logging-gelf-deployment\n - quarkus-logging-json\n - quarkus-logging-json-deployment\n - \ - quarkus-micrometer\n - quarkus-micrometer-deployment\n - quarkus-micrometer-registry-prometheus\n - \ - quarkus-micrometer-registry-prometheus-deployment\n - quarkus-mutiny\n - \ - quarkus-mutiny-deployment\n - quarkus-narayana-jta\n - quarkus-narayana-jta-deployment\n - \ - quarkus-netty\n - 
quarkus-netty-deployment\n - quarkus-panache-common\n - \ - quarkus-panache-common-deployment\n - quarkus-panache-hibernate-common\n - \ - quarkus-panache-hibernate-common-deployment\n - quarkus-reactive-routes\n - \ - quarkus-reactive-routes-deployment\n - quarkus-resteasy\n - quarkus-resteasy-common\n - \ - quarkus-resteasy-common-deployment\n - quarkus-resteasy-common-spi\n - \ - quarkus-resteasy-deployment\n - quarkus-resteasy-jackson\n - quarkus-resteasy-jackson-deployment\n - \ - quarkus-resteasy-reactive-server-spi-deployment\n - quarkus-resteasy-reactive-spi-deployment\n - \ - quarkus-resteasy-server-common\n - quarkus-resteasy-server-common-deployment\n - \ - quarkus-resteasy-server-common-spi\n - quarkus-security\n - quarkus-security-runtime-spi\n - \ - quarkus-security-spi\n - quarkus-smallrye-context-propagation\n - quarkus-smallrye-context-propagation-deployment\n - \ - quarkus-smallrye-context-propagation-spi\n - quarkus-smallrye-health\n - \ - quarkus-smallrye-health-deployment\n - quarkus-smallrye-health-spi\n - \ - quarkus-smallrye-openapi-spi\n - quarkus-test-common\n - quarkus-transaction-annotations\n - \ - quarkus-undertow-spi\n - quarkus-vertx\n - quarkus-vertx-deployment\n - \ - quarkus-vertx-http\n - quarkus-vertx-http-deployment\n - quarkus-vertx-http-deployment-spi\n - \ - quarkus-vertx-http-dev-console-runtime-spi\n - quarkus-vertx-http-dev-console-spi\n - \ - quarkus-vertx-http-dev-ui-spi\n - quarkus-vertx-latebound-mdc-provider\n - \ - qute-core\n - reactive-streams\n - readline\n - relaxng-datatype\n - \ - resteasy-cdi\n - resteasy-core\n - resteasy-core-spi\n - resteasy-jackson2-provider\n - \ - resteasy-jaxb-provider\n - resteasy-multipart-provider\n - resteasy-reactive\n - \ - resteasy-reactive-common\n - resteasy-reactive-common-processor\n - - resteasy-reactive-common-types\n - resteasy-reactive-processor\n - rngom\n - \ - rxjava\n - saaj-impl\n - shrinkwrap-api\n - shrinkwrap-depchain\n - - simpleclient\n - simpleclient_common\n 
- simpleclient_tracer_common\n - - simpleclient_tracer_otel\n - simpleclient_tracer_otel_agent\n - slf4j-api\n - \ - slf4j-jboss-logmanager\n - smallrye-beanbag\n - smallrye-beanbag-maven\n - \ - smallrye-beanbag-sisu\n - smallrye-common-annotation\n - smallrye-common-classloader\n - \ - smallrye-common-constraint\n - smallrye-common-expression\n - smallrye-common-function\n - \ - smallrye-common-io\n - smallrye-common-os\n - smallrye-common-vertx-context\n - \ - smallrye-config\n - smallrye-config-common\n - smallrye-config-core\n - \ - smallrye-config-source-keystore\n - smallrye-context-propagation\n - - smallrye-context-propagation-api\n - smallrye-context-propagation-jta\n - - smallrye-context-propagation-storage\n - smallrye-fault-tolerance-vertx\n - \ - smallrye-health\n - smallrye-health-api\n - smallrye-health-provided-checks\n - \ - smallrye-health-ui\n - smallrye-mutiny-vertx-auth-common\n - smallrye-mutiny-vertx-bridge-common\n - \ - smallrye-mutiny-vertx-core\n - smallrye-mutiny-vertx-runtime\n - smallrye-mutiny-vertx-uri-template\n - \ - smallrye-mutiny-vertx-web\n - smallrye-mutiny-vertx-web-common\n - smallrye-open-api-core\n - \ - smallrye-reactive-converter-api\n - smallrye-reactive-converter-mutiny\n - \ - snakeyaml\n - snakeyaml-engine\n - stax-ex\n - testcontainers\n - - twitter4j-core\n - txw2\n - uap-java\n - vertx-auth-common\n - vertx-bridge-common\n - \ - vertx-codegen\n - vertx-core\n - vertx-mutiny-generator\n - vertx-web\n - \ - vertx-web-common\n - waffle-jna\n - wagon-file\n - wagon-http\n - - wagon-http-shared\n - wagon-provider-api\n - webauthn4j-core\n - webauthn4j-util\n - \ - weld-api\n - wildfly-elytron-asn1\n - wildfly-elytron-auth\n - wildfly-elytron-auth-server\n - \ - wildfly-elytron-base\n - wildfly-elytron-credential\n - wildfly-elytron-http\n - \ - wildfly-elytron-keystore\n - wildfly-elytron-mechanism\n - wildfly-elytron-mechanism-digest\n - \ - wildfly-elytron-mechanism-gssapi\n - wildfly-elytron-mechanism-oauth2\n - \ 
- wildfly-elytron-mechanism-scram\n - wildfly-elytron-password-impl\n - - wildfly-elytron-permission\n - wildfly-elytron-provider-util\n - wildfly-elytron-sasl\n - \ - wildfly-elytron-sasl-digest\n - wildfly-elytron-sasl-external\n - wildfly-elytron-sasl-gs2\n - \ - wildfly-elytron-sasl-gssapi\n - wildfly-elytron-sasl-oauth2\n - wildfly-elytron-sasl-plain\n - \ - wildfly-elytron-sasl-scram\n - wildfly-elytron-security-manager-action\n - \ - wildfly-elytron-ssl\n - wildfly-elytron-util\n - wildfly-elytron-x500\n - \ - wildfly-elytron-x500-cert\n - wildfly-elytron-x500-cert-util\n - xmlpull\n - \ - xmlsec\n - xsom\n - xstream\n streams:\n - rhbk-22\n" - headers: - Cache-Control: - - max-age=60, public, must-revalidate, stale-while-revalidate=60, stale-if-error=300, - s-maxage=60 - Connection: - - keep-alive - Content-Disposition: - - inline - Content-Type: - - text/plain; charset=utf-8 - Date: - - Mon, 11 Mar 2024 14:44:09 GMT - Etag: - - W/"b64753605007cc8644a5d5d16a207709" - Permissions-Policy: - - interest-cohort=() - Referrer-Policy: - - strict-origin-when-cross-origin - Server: - - nginx - Strict-Transport-Security: - - max-age=63072000 - Transfer-Encoding: - - chunked - Vary: - - Accept-Encoding - - Accept - X-Content-Type-Options: - - nosniff - X-Download-Options: - - noopen - X-Frame-Options: - - SAMEORIGIN - X-Gitlab-Meta: - - '{"correlation_id":"01HRPZH4PYSQXYZ2BP6QVB8AQS","version":"1"}' - X-Permitted-Cross-Domain-Policies: - - none - X-Request-Id: - - 01HRPZH4PYSQXYZ2BP6QVB8AQS - X-Runtime: - - '0.091745' - X-Ua-Compatible: - - IE=edge - X-Xss-Protection: - - 1; mode=block - content-length: - - '25125' - status: - code: 200 - message: OK -- request: - body: null - headers: - Accept: - - '*/*' - Accept-Encoding: - - gzip, deflate - Connection: - - keep-alive - User-Agent: - - python-requests/2.31.0 - method: GET - uri: https://example.com/prodsec-dev/ps-constants/-/raw/master/data/contract_priority.yml?job=build + uri: 
https://example.com/prodsec-dev/ps-constants/-/raw/master/data/special_consideration_packages.yml?job=build response: body: - string: '# list of update streams that are in the scope of the contract priority - special handling + string: '# list of special consideration packages + + # https://example.com/pages/viewpage.action?pageId=93525528 + + - bind + + - dnf + + - glibc + + - gnutls + + - httpd + + - kernel - # keys need to match PS update stream names from product definitions + - kernel-rt + + - libgcrypt - # https://example.com/browse/OSIDB-1707 + - libvirt + + - nss - # + - ntp - # when creating a tracker with any PS update stream from the below list we - add contract-priority Jira label + - openssh + - openssl - openshift-4: + - qemu-kvm - - openshift-4.12.z + - rpm - - openshift-4.14.z + - squid + - sudo - rhel-8: + - systemd - - rhel-8.8.0.z + - yum ' headers: 
@@ -432,121 +68,9 @@ interactions: Content-Type: - text/plain; charset=utf-8 Date: - - Mon, 11 Mar 2024 14:44:09 GMT + - Mon, 09 Dec 2024 11:41:59 GMT Etag: - - W/"b213fc4391a512d06e735dc7a67b3d91" - Permissions-Policy: - - interest-cohort=() - Referrer-Policy: - - strict-origin-when-cross-origin - Server: - - nginx - Strict-Transport-Security: - - max-age=63072000 - Transfer-Encoding: - - chunked - Vary: - - Accept-Encoding - - Accept - X-Content-Type-Options: - - nosniff - X-Download-Options: - - noopen - X-Frame-Options: - - SAMEORIGIN - X-Gitlab-Meta: - - '{"correlation_id":"01HRPZH5B1GNAG6BDABH4Y691Y","version":"1"}' - X-Permitted-Cross-Domain-Policies: - - none - X-Request-Id: - - 01HRPZH5B1GNAG6BDABH4Y691Y - X-Runtime: - - '0.102553' - X-Ua-Compatible: - - IE=edge - X-Xss-Protection: - - 1; mode=block - content-length: - - '390' - status: - code: 200 - message: OK -- request: - body: null - headers: - Accept: - - '*/*' - Accept-Encoding: - - gzip, deflate - Connection: - - keep-alive - User-Agent: - - python-requests/2.31.0 - method: GET - uri: https://example.com/prodsec-dev/ps-constants/-/raw/master/data/ubi_packages.yml?job=build - response: - body: - string: "# This list of packages is used to indicate the UBI flag in the SFM2. 
- \n# This list is NOT used to calculate SLA.\n\n\n# list of packages / components - in UBI images\n# separate list provided for each RHEL version, keys need to - match ps module\n# names\n# https://example.com/browse/PSIRT-730\n# https://example.com/browse/PSDEVOPS-2076\n\nrhel-8:\n- - acl\n- attr\n- audit\n- basesystem\n- bash\n- brotli\n- bzip2\n- ca-certificates\n- - chkconfig\n- coreutils\n- cracklib\n- crypto-policies\n- cryptsetup\n- curl\n- - cyrus-sasl\n- dbus\n- dbus-glib\n- dbus-python\n- dmidecode\n- dnf\n- dnf-plugins-core\n- - e2fsprogs\n- elfutils\n- expat\n- file\n- filesystem\n- findutils\n- gawk\n- - gcc\n- gdb\n- gdbm\n- glib2\n- glibc\n- gmp\n- gnupg2\n- gnutls\n- gobject-introspection\n- - gpgme\n- grep\n- gzip\n- ima-evm-utils\n- json-c\n- json-glib\n- keyutils\n- - kmod\n- krb5\n- langpacks\n- libarchive\n- libassuan\n- libcap\n- libcap-ng\n- - libcomps\n- libdb\n- libdnf\n- libffi\n- libgcrypt\n- libgpg-error\n- libidn2\n- - libksba\n- libmodulemd\n- libnl3\n- libnsl2\n- libpeas\n- libpsl\n- libpwquality\n- - librepo\n- libreport\n- librhsm\n- libseccomp\n- libselinux\n- libsemanage\n- - libsepol\n- libsigsegv\n- libsolv\n- libssh\n- libtasn1\n- libtirpc\n- libunistring\n- - libusbx\n- libuser\n- libutempter\n- libverto\n- libxcrypt\n- libxml2\n- libyaml\n- - lua\n- lvm2\n- lz4\n- microdnf\n- mpfr\n- ncurses\n- nettle\n- nghttp2\n- - npth\n- openldap\n- openssl\n- p11-kit\n- pam\n- passwd\n- pcre\n- pcre2\n- - popt\n- procps-ng\n- publicsuffix-list\n- pygobject3\n- python-chardet\n- - python-dateutil\n- python-decorator\n- python-ethtool\n- python-idna\n- python-iniparse\n- - python-inotify\n- python-pip\n- python-pysocks\n- python-requests\n- python-setuptools\n- - python-six\n- python-systemd\n- python-urllib3\n- python3\n- readline\n- redhat-release\n- - rootfiles\n- rpm\n- sed\n- setup\n- shadow-utils\n- sqlite\n- subscription-manager\n- - subscription-manager-rhsm-certificates\n- systemd\n- tar\n- texinfo\n- tpm2-tss\n- - tzdata\n- 
usermode\n- util-linux\n- vim\n- virt-what\n- which\n- xz\n- zlib\n- - zstd\n\nrhel-9:\n- acl\n- attr\n- audit\n- basesystem\n- bash\n- bzip2\n- - ca-certificates\n- chkconfig\n- coreutils\n- cracklib\n- crypto-policies\n- - curl\n- cyrus-sasl\n- dbus\n- dbus-broker\n- dbus-python\n- dejavu-fonts\n- - dmidecode\n- dnf\n- dnf-plugins-core\n- e2fsprogs\n- elfutils\n- expat\n- - file\n- filesystem\n- findutils\n- fonts-rpm-macros\n- gawk\n- gcc\n- gdb\n- - gdbm\n- glib2\n- glibc\n- gmp\n- gnupg2\n- gnutls\n- gobject-introspection\n- - gpgme\n- grep\n- gzip\n- ima-evm-utils\n- iproute\n- json-c\n- json-glib\n- - keyutils\n- kmod\n- krb5\n- langpacks\n- libarchive\n- libassuan\n- libbpf\n- - libcap\n- libcap-ng\n- libcomps\n- libdb\n- libdnf\n- libeconf\n- libevent\n- - libffi\n- libgcrypt\n- libgpg-error\n- libidn2\n- libksba\n- libmnl\n- libmodulemd\n- - libpeas\n- libpwquality\n- librepo\n- libreport\n- librhsm\n- libseccomp\n- - libselinux\n- libsemanage\n- libsepol\n- libsigsegv\n- libsolv\n- libtasn1\n- - libunistring\n- libusbx\n- libuser\n- libutempter\n- libverto\n- libxcrypt\n- - libxml2\n- libyaml\n- lua\n- lz4\n- microdnf\n- mpfr\n- ncurses\n- nettle\n- - nghttp2\n- npth\n- openldap\n- openssl\n- p11-kit\n- pam\n- passwd\n- pcre\n- - pcre2\n- popt\n- procps-ng\n- psmisc\n- pygobject3\n- python-chardet\n- python-dateutil\n- - python-decorator\n- python-idna\n- python-iniparse\n- python-inotify\n- python-pip\n- - python-pysocks\n- python-requests\n- python-setuptools\n- python-six\n- python-systemd\n- - python-urllib3\n- python3.9\n- readline\n- redhat-release\n- rootfiles\n- - rpm\n- sed\n- setup\n- shadow-utils\n- sqlite\n- subscription-manager\n- subscription-manager-rhsm-certificates\n- - systemd\n- tar\n- tpm2-tss\n- tzdata\n- usermode\n- util-linux\n- vim\n- virt-what\n- - which\n- xz\n- zlib\n- zstd\n\n" - headers: - Cache-Control: - - max-age=60, public, must-revalidate, stale-while-revalidate=60, stale-if-error=300, - s-maxage=60 - Connection: - - 
keep-alive - Content-Disposition: - - inline - Content-Type: - - text/plain; charset=utf-8 - Date: - - Mon, 11 Mar 2024 14:44:10 GMT - Etag: - - W/"4ce2e18af50d11b4c912fd6d020ee9db" + - W/"e421bf00158b35d34131f5f4673f888e" Permissions-Policy: - interest-cohort=() Referrer-Policy: @@ -567,19 +91,19 @@ interactions: X-Frame-Options: - SAMEORIGIN X-Gitlab-Meta: - - '{"correlation_id":"01HRPZH5KRTF302WVJXCA98PJV","version":"1"}' + - '{"correlation_id":"01JENKKSTEA7WFM6E0JRW1KNWM","version":"1"}' X-Permitted-Cross-Domain-Policies: - none X-Request-Id: - - 01HRPZH5KRTF302WVJXCA98PJV + - 01JENKKSTEA7WFM6E0JRW1KNWM X-Runtime: - - '0.094147' + - '0.079601' X-Ua-Compatible: - IE=edge X-Xss-Protection: - 1; mode=block content-length: - - '3562' + - '278' status: code: 200 message: OK 
@@ -593,54 +117,247 @@ interactions: Connection: - keep-alive User-Agent: - - python-requests/2.31.0 + - python-requests/2.32.3 method: GET - uri: https://example.com/prodsec-dev/ps-constants/-/raw/master/data/special_consideration_packages.yml?job=build + uri: https://example.com/prodsec-dev/ps-constants/-/raw/master/data/cveorg_keywords.yml?job=build response: body: - string: '# list of special consideration packages - - # https://example.com/pages/viewpage.action?pageId=93525528 - - - bind - - - dnf - - - glibc - - - gnutls - - - httpd - - - kernel - - - kernel-rt - - - libgcrypt - - - libvirt - - - nss - - - ntp - - - openssh - - - openssl - - - qemu-kvm - - - rpm - - - squid - - - sudo - - - systemd - - - yum - - ' + string: "# The keywords defined below are used in the CVEorg collector to determine\n# + whether a flaw should be created based on its `title` and `comment_zero`.\n# + If at least one of `title` or `comment_zero` contains only blocklisted and + not allowlisted keywords\n# (i.e. 
keywords only in `blocklist` or `blocklist_special_cases`), + a flaw is not created.\n# Otherwise, a flaw is created.\n#\n# All keywords + are evaluated as a Python regular expression.\n# `blocklist` and `allowlist` + are meant for case-insensitive matching,\n# `blocklist_special_cases` and + `allowlist_special_cases` for case-sensitive matching.\n#\n# For more information + about how the keywords are used in OSIDB, see\n# https://example.com/RedHatProductSecurity/osidb/blob/master/collectors/cveorg/keywords.py\n\n\nallowlist:\n + \ - GIMP\n - Spring\n - dotnet\n - kernel\n\n# '\\b\\.NET\\b' does not + match properly because word boundary \\b does not cooperate well with dot\nallowlist_special_cases:\n + \ - (?:\\W|^)\\.NET\\b\n\nblocklist:\n - (HPE|Hewlett Packard Enterprise).*(IceWall|FlexNetwork|FlexFabric|OneView|Nimble)\n + \ - (Industrial Edge Management|Nucleus NET|SINEC).*[\\n]*.*siemens\n - (Jfinal|Final)[ + _]CMS\n - (Pinniped Supervisor|VMware Cloud Foundation).*[\\n]*.*vmware.*\n + \ - (SIMATIC|Mendix|Parasolid|Opcenter Quality|SCALANCE).*[\\n]*.*siemens\n + \ - (Simcenter Femap|LOGO!|Solid Edge|APOGEE).*[\\n]*.*siemens\n - .*plugin.*for + WordPress\n - 1Password\n - 72crm\n - 74cmsSE\n - ABB e-Design\n - ABB + netCADOPS\n - ACEweb Online Portal\n - AEF CMS\n - ALPS ALPINE touchpad + driver\n - APNGDis\n - ASANHAMAYESH CMS\n - Academy Learning Management + System\n - Accusoft ImageGear\n - Acronis Cyber Backup\n - Acronis True + Image\n - Adobe Acrobat Reader\n - Adobe Acrobat and Reader\n - Adobe Animate\n + \ - Adobe Bridge\n - Adobe Campaign\n - Adobe Character Animator\n - Adobe + Commerce\n - Adobe Dimension\n - Adobe Experience Manager\n - Adobe FrameMaker\n + \ - Adobe Illustrator\n - Adobe InCopy\n - Adobe InDesign\n - Adobe Lightroom\n + \ - Adobe Media Encoder\n - Adobe Photoshop\n - Adobe Premiere Elements\n + \ - Adobe RoboHelp\n - Advanced SystemCare Ultimate\n - Advantech\n - AeroCMS\n + \ - Afian FileRun\n - AirWave\n - Ajenti\n - 
AnchorCMS\n - AntSword\n + \ - Anuko Time Tracker\n - Apache Geode\n - Apache NiFi\n - Apache OpenMeetings\n + \ - Apache ShenYu\n - Apache Syncope\n - Apache Wicket\n - Apartment Visitor + Management System\n - Apexis\n - AppFormix\n - ArcGIS Server\n - Arista + EOS\n - ArsenoL\n - Artica Web Proxy\n - Aruba (ClearPass|EdgeConnect|Networks)\n + \ - ArubaOS\n - Atlassian Bamboo\n - Atlassian Confluence\n - Atlassian + Crucible\n - Atlassian Fisheye\n - Atlassian JIRA\n - Aurea Jive\n - Automation + License Manager\n - Automotive Shop Management System\n - Avaya\n - Avira\n + \ - Avolve Software ProjectDox\n - AxxonSoft\n - AyaCMS\n - BEESCMS\n - + BMC Medical\n - BMC Remedy AR System\n - BMC Remedy Action Request\n - + Backdrop CMS\n - Badminton Center Management\n - Bagecms\n - Barco Control + Room Management\n - BaserCMS\n - Bento4\n - Best Student Result Management + System\n - BigBlueButton\n - BigTree CMS\n - Billing System Project\n - + Bitcoin Core\n - Bitdefender Antivirus\n - Bitdefender Engines\n - BlackBerry + QNX Software Development Platform\n - BlackBerry UEM Management Console\n + \ - BlackCat CMS\n - Bludit\n - BlueSpice\n - Bookme Control Panel\n - + Bravo Tejari\n - Brocade Fabric OS\n - Brocade Fibre\n - Brocade SANnav\n + \ - BtiTracker\n - CCN-lite\n - CMS Made Simple\n - CMSuno\n - CODESYS\n + \ - CSZCMS\n - CactusVPN\n - Call for Papers\n - Campcodes Advanced Online + Voting System\n - Canteen Management System\n - Car Rental Management\n + \ - Carbon Black\n - Carel pCOWeb\n - Centum CS\n - Chamilo LMS\n - Chaoji + CMS\n - ChatBot App with Suggestion\n - ChemCMS\n - Cisco\n - Citrix NetScaler\n + \ - Clansphere CMS\n - Classcms\n - Claymore Dual Miner\n - Clinic's Patient + Management System\n - CloudMe\n - CloudVision Portal\n - Clustered Data + ONTAP\n - CoDeSys Runtime\n - Codoforum\n - College Management System\n + \ - Combodo iTop\n - Complete Online Job Search\n - Composr CMS\n - Contiki-NG\n + \ - Converse\\.js\n - CoverCMS\n - Cozy\n 
- Craft CMS\n - CraftCMS\n - + Creditwest Bank CMS\n - Cybozu Garoon\n - D-LINK DIR.*\n - D-LINK.*(DIR|COVR|DAP).*\n + \ - D-LINK.*(DIR|COVR|DAP|DSL|DCS).*\n - DIAEnergie\n - DIR.*[\\n]*.*dlink.com.*\n + \ - Dataiku DSS\n - DedeCMS\n - Dell (Client )?BIOS\n - Dell (Hybrid Client|GeoDrive)\n + \ - Dell Container Storage\n - Dell EMC\n - Dell NetWorker\n - Dell PowerScale\n + \ - Dell SonicWALL Scrutinizer\n - Dell Storage Manager\n - Dell Wyse Management + Suite\n - Delta Electronics\n - Delta Industrial Automation\n - Desigo\n + \ - Digital Guardian Managment Console\n - DiliCMS\n - DiligentCMS\n - + Discuz\n - Disk Savvy Enterprise\n - DocuTrac QuicDoc\n - Dolibarr\n - + DolphinPHP\n - DomainMOD\n - Doufoxcms\n - DrayTek\n - Dreamer CMS\n - + EGavilan Media\n - EMC Data Protection Advisor\n - EPIC MyChart\n - ESPCMS\n + \ - EasyCMS\n - Eaton's\n - Edimax\n - Emlog Pro\n - Enalean Tuleap\n + \ - Enhancesoft osTicket\n - Epson Airprint\n - Eshtery CMS\n - EspoCRM\n + \ - Expense Management System\n - Explzh\n - Exponent CMS\n - Exponent-CMS\n + \ - EyouCMS\n - F-Secure Atlant\n - F5 BIG-IP\n - FATEK FvDesigner\n - + FUDforum\n - FUEL-CMS\n - FactoryTalk\n - Fast Food Ordering System\n - + FastAdmin\n - FastCMS\n - FeMiner.*wms\n - Feehi CMS\n - FeehiCMS\n - + FeiFeiCMS\n - FiberHome\n - FlatCore-CMS\n - Flexense DiskBoss\n - Flexense + DiskPulse\n - Flexense DiskSavvy\n - Flexense DiskSorter\n - Flexense DupScout\n + \ - Flexense SyncBreeze\n - Flexense VX Search\n - Food Ordering Management + System\n - ForgeRock\n - FortiADC|FortiMail\n - FortiAnalyzer\n - FortiClient\n + \ - FortiNAC\n - FortiOS\n - FortiSOAR\n - Fortinet\n - Foxit .*PDF reader\n + \ - Frog CMS\n - Fuji Electric\n - FusionCompute\n - FusionSphere OpenStack\n + \ - GE D60\n - GPAC\n - GSKit\n - GXCMS\n - Galileo CMS\n - Gallagher + Command Centre\n - Garage Management System\n - Geist WatchDog Console\n + \ - Gemini-Net\n - GeniXCMS\n - GetSimple CMS\n - GetSimpleCMS\n - GilaCMS\n + \ - Gleez 
CMS\n - Grandstream\n - GreenCMS\n - Gxlcms\n - Gym Management + System\n - H3C (Magic|H200|GR[0-9-]+|B5 Mini)\n - HCL (iNotes|Commerce|Workload + Automation|Digital Experience)\n - HP Security\n - HPE Aruba AirWave Glass\n + \ - HPE Aruba ClearPass Policy Manager\n - HPE Business Process Monitor\n + \ - HPE Cloud Optimizer\n - HPE Data Protector\n - HPE Diagnostics\n - + HPE Helion Eucalyptus\n - HPE IceWall Federation Agent\n - HPE Insight Control\n + \ - HPE Integrated Lights-Out\n - HPE Intelligent Management Center\n - + HPE LoadRunner\n - HPE Matrix Operating Environment\n - HPE Network Automation\n + \ - HPE Network Node Manager\n - HPE NonStop Server\n - HPE NonStop Software + Essentials\n - HPE OfficeConnect Network Switches\n - HPE OpenCall Media + Platform\n - HPE Operations Bridge Analytics\n - HPE Operations Orchestration + Community\n - HPE Pay Per Use\n - HPE Project and Portfolio Management\n + \ - HPE SiteScope\n - HPE Smart Storage Administrator\n - HPE StoreVirtual\n + \ - HPE Systems Insight Manager\n - HPE UCMDB\n - HPE Version Control Repository + Manager\n - HPE Vertica Analytics\n - HPE iMC PLAT\n - HashiCorp Terraform\n + \ - Helmet Store Showroom\n - Hewlett Packard Enterprise Intelligent Management + Center\n - Hewlett Packard Enterprise Moonshot Provisioning Manager\n - + Hirschmann.*[\\n]*.*belden\n - Honeywell\n - HongCMS\n - Horizon Client + for Windows\n - Hospital Management System\n - Hotel Management System\n + \ - HotelDruid\n - Human Resource Management System\n - I, Librarian\n - + I-librarian\n - IBM AIX\n - IBM API Connect\n - IBM App Connect Enterprise\n + \ - IBM AppScan\n - IBM Aspera\n - IBM Aspera Web Application\n - IBM BigFix\n + \ - IBM Business Automation Content Analyzer\n - IBM Business Automation + Workflow\n - IBM Business Process Manager\n - IBM CICS\n - IBM Campaign\n + \ - IBM Capacity Management Analytics\n - IBM Cloud Pak\n - IBM CloudPak\n + \ - IBM Cognos\n - IBM Connections\n - IBM Content Manager\n - IBM 
Content + Navigator\n - IBM Curam\n - IBM Daeja ViewONE\n - IBM Data Risk Manager\n + \ - IBM DataPower Gateway\n - IBM Db2\n - IBM Db2U\n - IBM Domino\n - + IBM Doors\n - IBM Emptoris\n - IBM Endpoint Manager\n - IBM Engineering + Lifecycle Optimization\n - IBM Event Streams\n - IBM Financial Transaction + Manager\n - IBM Flex System\n - IBM Forms Experience Builder\n - IBM Forms + Server\n - IBM InfoSphere\n - IBM Jazz\n - IBM Jazz Foundation\n - IBM + Jazz Reporting Service\n - IBM MQ\n - IBM MQ Appliance\n - IBM Maximo\n + \ - IBM Notes\n - IBM Planning Analytics\n - IBM Power Hardware Management + Console\n - IBM Publishing Engine\n - IBM QRadar\n - IBM RSA DM\n - IBM + Rational\n - IBM Rhapsody\n - IBM Robotic\n - IBM Sametime\n - IBM Secure + External Authentication Server\n - IBM Security Access Manager\n - IBM Security + Guardium\n - IBM Security Identity Governance and Intelligence\n - IBM Security + Key Lifecycle Manager\n - IBM Security QRadar\n - IBM Security Secret Server\n + \ - IBM Security SiteProtector\n - IBM Security Trusteer Pinpoint Detect\n + \ - IBM Security Verify Access\n - IBM Security Verify Governance\n - IBM + Security Verify Information Queue\n - IBM SiteProtector Appliance\n - IBM + Spectrum\n - IBM Spectrum Protect Plus\n - IBM Spectrum Scale\n - IBM Sterling + B2B Integrator\n - IBM Sterling Connect:Direct\n - IBM Sterling File Gateway\n + \ - IBM Sterling Partner Engagement Manager\n - IBM Sterling Secure Proxy\n + \ - IBM TRIRIGA\n - IBM Tealeaf\n - IBM Tivoli\n - IBM UrbanCode Deploy\n + \ - IBM Watson\n - IBM WebSphere\n - IBM XIV Storage\n - IBM i\n - IBM + i2 iBase\n - INTELBRAS\n - IOBit Malware Fighter\n - ImageWorsener\n - + Imagely NextGEN Gallery\n - InHand Networks\n - Ingredients Stock Management + System\n - InspIRCd\n - Insurance Management System\n - Intel (R) LED Manager + for NUC\n - Intel Server Boards\n - Intel(R) Graphics Drivers\n - Intel(R) + PAC with Arria(R)\n - Intel(R) Server Boards\n - Intelbras TELEFONE 
IP\n + \ - InventoryManagementSystem\n - Invision Power Board\n - IonizeCMS\n - + Ipswitch WhatsUp Gold\n - Ivanti Endpoint Security\n - JEXTN\n - JFrog + Artifactory\n - JT2Go\n - Jeecg-boot\n - JerryScript\n - Jiangmin Antivirus\n + \ - Jirafeau\n - Jizhicms\n - Joomla!\n - Joyent SmartOS\n - Judging Management + System\n - JupyterHub OAuthenticator\n - Kaspersky Secure Mail\n - Kentico\n + \ - Kingsoft Internet Security\n - KiteCMS\n - Kiwi TCMS\n - Kliqqi CMS\n + \ - LAquis SCADA\n - LJCMS\n - Library Management System\n - LibreNMS\n + \ - Liferay Portal\n - LogicalDoc\n - Loway QueueMetrics\n - M-Files Server\n + \ - MB CONNECT LINE\n - MDaemon\n - MKCMS\n - MOXA NPort\n - MP Form Mail\n + \ - MTS Simple Booking\n - MZ Automation\n - Magnolia CMS\n - Mahara\n + \ - Mailbutler Shimo\n - MalwareFox AntiMalware\n - Malwarebytes Anti-Malware\n + \ - ManageEngine OpManager\n - ManageEngine Service Desk Plus\n - March + Hare WINCVS\n - McAfee Network Security Management\n - McAfee VirusScan + Enterprise\n - Merchandise Online Store\n - MetInfo\n - Micro Focus ArcSight\n + \ - Micro Focus ArcSight Management Center\n - Micro Focus Operations Bridge\n + \ - Micro Focus Project\n - Micro Focus UCMDB\n - Micro Focus Universal + CMDB\n - Micro Focus ZENworks\n - Micropoint proactive\n - Microsoft\n + \ - Microweber\n - MikroTik's RouterOS\n - Mikrotik RouterOs\n - Ming-Soft/MCMS\n + \ - MiniCMS\n - Mitel ST\n - Mitsubishi E-Designer\n - Mitsubishi Electric\n + \ - Mobotix\n - Money Transfer Management System\n - MonstaFTP\n - Monstra + CMS\n - Moxa OnCell\n - NETGEAR\n - NVIDIA GeForce NOW\n - Navarino Infinity\n + \ - NetEx HyperIP\n - NetIQ Access Manager\n - NetIQ Identity Manager\n + \ - NetIQ Identity Reporting\n - NetIQ iManager\n - Nginx NJS\n - Niagara\n + \ - Nokia\n - NoneCms\n - NordVPN\n - Nortek Linear\n - Novel-Plus\n - + NukeViet CMS\n - OPTILINK OP\n - OSIsoft PI\n - OTCMS\n - OXID eShop\n + \ - October CMS\n - Octopus Deploy\n - Omron CX-One\n - Omron 
CX-Supervisor\n + \ - Online Car Wash Booking System\n - Online Diagnostic Lab Management System\n + \ - Online Examination System\n - Online Fire Reporting System\n - Online + Food Ordering System\n - Online Leave Management System\n - Online Ordering + System\n - Online Pet Shop We App\n - Online Railway Reservation System\n + \ - Online Sports Complex Booking System\n - Online Student Rate System\n + \ - Online Tours & Travels Management System\n - Open Source SACCO Management + System\n - Open-AudIT Professional\n - OpenBMC\n - OpenEMR\n - OpenHarmony\n + \ - OpenLiteSpeed\n - OpenMRS\n - OpenScape Deployment Service\n - Opencast\n + \ - Ozeki NG SMS Gateway\n - PAN-OS\n - PHP Scripts Mall\n - PHPGurukul\n + \ - PHPJabbers Class Scheduling System\n - POSCMS\n - Paessler PRTG Network + Monitor\n - Pagekit CMS\n - Pandora FMS\n - Parallels Remote Application + Server\n - PayPal\n - PbootCMS\n - Pega Platform\n - Pegasystems Pega + Platform\n - Pharmacy Management System\n - Philips Intellispace Portal\n + \ - PicturesPro Photo Cart\n - Piwigo\n - Pixar OpenUSD\n - Plixer Scrutinizer\n + \ - Plone CMS\n - Pluck\n - PowerCMS\n - PrestaShop\n - PrivateVPN\n - + Project-Pier\n - Promise Technology\n - PublicCMS\n - Pulse Connect Secure\n + \ - Pulse Secure Desktop Client\n - PureVPN\n - PyroCMS\n - QNAP QTS\n + \ - Quest NetVault\n - QuickTime\n - RPCMS\n - RUGGEDCOM\n - Rapid Software + LLC Rapid SCADA\n - Red Discord Bot\n - Rescue Dispatch Management\n - + Restaurant POS System\n - Robustel R1510\n - Rocket.Chat\n - Rockwell Automation\n + \ - RosarioSIS\n - Ruckus Networks\n - Rukovoditel\n - SAP 3D Visual Enterprise + Viewer\n - SAP Adaptive Server Enterprise\n - SAP BASIS\n - SAP Banking + Services\n - SAP Business Objects Business Intelligence Platform\n - SAP + Commerce versions\n - SAP Data Hub\n - SAP ERP\n - SAP Fiori Launchpad\n + \ - SAP Marketing\n - SAP NetWeaver\n - SEMCMS\n - SICAM\n - SIMATIC.*(PCS|CP)\n + \ - Sagemcom\n - Sandoba CP:Shop\n - 
Sanitization Management System\n - + Saperion Web Client\n - Schneider Electric\n - School Activity Updates with + SMS Notification\n - SeaCms\n - Seagate Media Server\n - Secomea (GateManager|SiteManager)\n + \ - SeedDMS\n - Shimmie\n - Shirne CMS\n - ShopXO\n - Shopwind\n - Silverstripe\n + \ - Simple Bus Ticket Booking System\n - Simple Client Management System\n + \ - Simple Cold Storage Management System\n - Simple Customer Relationship + Management\n - Simple E-Learning System\n - Simple Image Gallery System\n + \ - Simple Inventory System\n - Simple Online Book Store System\n - Simple + Online Public Access Catalog\n - Simple Task Scheduling System\n - Sinsiu + Sinsiu Enterprise Website System\n - SmartVista\n - SnapCreek Duplicator\n + \ - SolarView Compact\n - Solutions Atlantic Regulatory Reporting System\n + \ - SonicWall SMA100\n - Sophos Endpoint Protection\n - Sophos Firewall\n + \ - SourceCodester\n - SpamTitan\n - SpiderControl MicroBrowser\n - Square + 9 GlobalForms\n - Stock Management System\n - Stormshield Network Security\n + \ - Student Clearance System\n - Student Information System\n - Subrion + CMS\n - SugarCRM\n - Sumatra PDF\n - Symantec\n - Synacor Zimbra\n - + Synology DiskStation Manager\n - Synology Photo\n - Synology Router Manager\n + \ - Synology Surveillance Station\n - SysAid Help Desk\n - Sysax Multi Server\n + \ - TIBCO DataSynapse GridServer Manager\n - TOTOLINK\n - TP-Link.*(TL|AX10v1|Tapo)\n + \ - TRENDNet\n - Taocms\n - Telegram Desktop\n - Tenda AC15\n - Tenda + AC9\n - Tenda( |_.*)\n - Textpattern CMS\n - Train Scheduler App\n - TreasuryXpress\n + \ - Trend Micro\n - TuziCMS\n - Twonky Server\n - UCMS\n - UJCMS\n - + Ubiquiti Networks EdgeOS\n - Unisphere for PowerMax\n - Unisys ClearPath\n + \ - Unisys Stealth SVG\n - United Planet Intrexx Professional\n - Unitrends + Backup\n - Untis WebUntis\n - Userscape HelpSpot\n - VIDEOJET.*[\\n]*.*psirt\n + \ - VMware ESXi and vCenter Server\n - VMware Fusion\n - VMware 
Workstation\n + \ - Vehicle Booking System\n - Verint Workforce Optimization\n - Veritas + NetBackup\n - Verizon 5G Home\n - Vesta Control Panel\n - Victor CMS\n + \ - VirtueMart\n - WBCE CMS\n - WECON LeviStudioU\n - WPS Office\n - WSO2 + Enterprise Integrator\n - WTCMS\n - WUZHI CMS\n - WatchDog Anti-Malware\n + \ - Wavlink\n - Web Based Quiz System\n - WebDynpro Java\n - Weblication + CMS\n - Wedding Management System\n - Wedding Planner\n - Weeny Audio Cutter\n + \ - Wellcms\n - Western Bridge Cobub Razor\n - Western Digital My Cloud\n + \ - Winmail\n - Wireless IP Camera 360\n - WoWonder\n - WonderCMS\n - + WordPress theme\n - WordPress.*plugin\n - Wowza Streaming\n - XYHCMS\n + \ - Xiaomi.*phones\n - Xiuno BBS\n - XunRuiCMS\n - Yab Quarx\n - Yahoo!\n + \ - Yxcms\n - YxtCMF\n - YzmCMS\n - Z-BlogPHP\n - Zenario CMS\n - Zikula + Application Framework\n - Zoho ManageEngine\n - ZoneAlarm\n - ZoneMinder\n + \ - Zoo Management System\n - Zulip Desktop\n - Zyxel\n - baijiacms\n - + bootstrap-table\n - chatwoot\n - cmseasy\n - comforte SWAP\n - concretecms\n + \ - dotCMS\n - drawio\n - eDNA Enterprise Data Historian\n - ebCMS\n - + ednareporting\\.asmx\n - elitecms\n - emoncms\n - enhavo CMS\n - htmly\n + \ - https://example.com/oufu/ofcms/\n - https://example.com/cesanta/mjs/\n + \ - https://example.com/kabirkhyrul/HMS/\n - https://example.com/vapor/vapor/\n + \ - https://example.com/wp-plugins\n - https://example.com/support/\n - + https://example.com/\n - https://example.com/\n - iDashboards\n - iPayPal\n + \ - iRedMail\n - iScripts SupportDesk\n - iScripts UberforX\n - iScripts + eSwap\n - iTunes\n - iota All-In-One Security Kit\n - ismartgate PRO\n + \ - joyplus-cms\n - lyadmin\n - madlib-object-utils\n - mySCADA myPRO|Measuresoft + ScadaPro\n - open5gs\n - perfex crm\n - phpjs\n - pimcore\n - plugin + <= [0-9\\.]+ at WordPress\n - plugins.*wordpress\n - portfolioCMS\n - prime-jwt\n + \ - publify\n - puppyCMS\n - rap2hpoutre Laravel Log Viewer\n - rdiffweb\n + \ 
- siteserver (CMS|SSCMS)\n - swftools\n - totaljs\n - trudesk\n - usememos/memos\n + \ - vBulletin\n - win32k\\.sys\n - wityCMS\n - wuzhicms\n - yetiforcecrm\n + \ - zzcms\n\nblocklist_special_cases:\n - iOS\n" headers: Cache-Control: - max-age=60, public, must-revalidate, stale-while-revalidate=60, stale-if-error=300, @@ -652,9 +369,9 @@ interactions: Content-Type: - text/plain; charset=utf-8 Date: - - Mon, 11 Mar 2024 14:44:10 GMT + - Mon, 09 Dec 2024 11:42:00 GMT Etag: - - W/"e421bf00158b35d34131f5f4673f888e" + - W/"48e0ae6cbf8bab278ff58f985d5de3d2" Permissions-Policy: - interest-cohort=() Referrer-Policy: @@ -675,19 +392,19 @@ interactions: X-Frame-Options: - SAMEORIGIN X-Gitlab-Meta: - - '{"correlation_id":"01HRPZH69JW7772HSYAFHSPER3","version":"1"}' + - '{"correlation_id":"01JENKKV3Q34SGF6BFJEYNY246","version":"1"}' X-Permitted-Cross-Domain-Policies: - none X-Request-Id: - - 01HRPZH69JW7772HSYAFHSPER3 + - 01JENKKV3Q34SGF6BFJEYNY246 X-Runtime: - - '0.077396' + - '0.074996' X-Ua-Compatible: - IE=edge X-Xss-Protection: - 1; mode=block content-length: - - '278' + - '17708' status: code: 200 message: OK diff --git a/collectors/ps_constants/tests/test_core.py b/collectors/ps_constants/tests/test_core.py index d7497530b..c2290b389 100644 --- a/collectors/ps_constants/tests/test_core.py +++ b/collectors/ps_constants/tests/test_core.py @@ -1,8 +1,10 @@ import pytest from apps.trackers.models import JiraBugIssuetype +from collectors.cveorg.models import Keyword from collectors.ps_constants.core import ( fetch_ps_constants, + sync_cveorg_keywords, sync_jira_bug_issuetype, sync_special_consideration_packages, ) 
@@ -40,6 +42,16 @@ def test_fetch_ps_constants(self, ps_constant_base_url):
 sc_packages = fetch_ps_constants(url)
 assert "dnf" in sc_packages
 
+ keywords_url = f"{ps_constant_base_url}/cveorg_keywords.yml"
+ keywords = fetch_ps_constants(keywords_url)
+ assert len(keywords) == 4
+ assert [*keywords.keys()] == [
+ "allowlist",
+ "allowlist_special_cases",
+ "blocklist",
+ "blocklist_special_cases",
+ ]
+
 # TODO: Record cassette for jira_bug_issuetype, tracked in OSIDB-2980
 
 def test_sync_special_consideration_packages(self):
@@ -71,3 +83,43 @@ def test_sync_jira_bug_issuetype(self):
 "PROJ2",
 "PROJ3",
 ]
+
+ def test_sync_cveorg_keywords(self):
+ """
+ Test that CVEorg keywords are correctly synced in the database.
+ """
+ mock_keywords = {
+ "allowlist": ["kernel"],
+ "allowlist_special_cases": [r"(?:\W|^)\.NET\b"],
+ "blocklist": [".*plugin.*for WordPress", "Cisco", "IBM Tivoli", "iTunes"],
+ "blocklist_special_cases": ["iOS"],
+ }
+
+ sync_cveorg_keywords(mock_keywords)
+
+ assert Keyword.objects.filter(type=Keyword.Type.ALLOWLIST).count() == 1
+ assert (
+ Keyword.objects.filter(type=Keyword.Type.ALLOWLIST_SPECIAL_CASE).count()
+ == 1
+ )
+ assert Keyword.objects.filter(type=Keyword.Type.BLOCKLIST).count() == 4
+ assert (
+ Keyword.objects.filter(type=Keyword.Type.BLOCKLIST_SPECIAL_CASE).count()
+ == 1
+ )
+
+ def test_failed_sync_cveorg_keywords(self):
+ """
+ Test that CVEorg keywords without expected groups raise an error.
+ """
+ mock_keywords = {
+ "allowlist": ["kernel"],
+ "allowlist_special_cases": [r"(?:\W|^)\.NET\b"],
+ "blocklist": [".*plugin.*for WordPress", "Cisco", "IBM Tivoli", "iTunes"],
+ # "blocklist_special_cases" is missing
+ }
+
+ with pytest.raises(KeyError):
+ sync_cveorg_keywords(mock_keywords)
+
+ assert Keyword.objects.count() == 0
From fded07c9782bd4baae28514ec584bbb165b31031 Mon Sep 17 00:00:00 2001
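Review bot: test_sync_cveorg_keywords asserts only row counts per type, so it would not notice the stored `keyword` text being altered on its way into the database — and because check_keywords compiles these strings as regexes, a mangled backslash in an entry like `r"(?:\W|^)\.NET\b"` is exactly the regression this test should pin. Add at least one value assertion, e.g. `assert Keyword.objects.get(type=Keyword.Type.ALLOWLIST_SPECIAL_CASE).keyword == r"(?:\W|^)\.NET\b"`. The `assert Keyword.objects.count() == 0` in test_failed_sync_cveorg_keywords presumes that sync_cveorg_keywords validates every group before it writes or rolls back on KeyError; that function is not visible in this hunk, so the property the test relies on should be stated in its docstring. Neither test covers a second sync that drops an entry, which is the case that decides whether stale blocklist keywords linger after the upstream list changes.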
From: Jitka Obselkova Date: Wed, 11 Dec 2024 12:56:55 +0100 Subject: [PATCH 3/4] Use keywords from ps-constants in CVEorg collector --- collectors/cveorg/keywords.py | 812 +-------------------- collectors/cveorg/tests/conftest.py | 15 + collectors/cveorg/tests/test_collectors.py | 8 +- collectors/cveorg/tests/test_keywords.py | 26 +- docs/CHANGELOG.md | 4 + 5 files changed, 74 insertions(+), 791 deletions(-) diff --git a/collectors/cveorg/keywords.py b/collectors/cveorg/keywords.py index 0525abe8b..ab6c64cbe 100644 --- a/collectors/cveorg/keywords.py +++ b/collectors/cveorg/keywords.py 
@@ -1,786 +1,12 @@ import re -ALLOWLIST = [ - "GIMP", - "Spring", - "dotnet", - "kernel", -] +from django.db.models import QuerySet -# r'\b\.NET\b' does not match properly because word boundary \b does not cooperate well -# with dot. -ALLOWLIST_SPECIAL_CASES = [r"(?:\W|^)\.NET\b"] +from collectors.cveorg.models import Keyword -BLOCKLIST = [ - r"(HPE|Hewlett Packard Enterprise).*(IceWall|FlexNetwork|FlexFabric|OneView|Nimble)", - r"(Industrial Edge Management|Nucleus NET|SINEC).*[\n]*.*siemens", - r"(Jfinal|Final)[ _]CMS", - r"(Pinniped Supervisor|VMware Cloud Foundation).*[\n]*.*vmware.*", - r"(SIMATIC|Mendix|Parasolid|Opcenter Quality|SCALANCE).*[\n]*.*siemens", - r"(Simcenter Femap|LOGO!|Solid Edge|APOGEE).*[\n]*.*siemens", - r".*plugin.*for WordPress", - "1Password", - "72crm", - "74cmsSE", - "ABB e-Design", - "ABB netCADOPS", - "ACEweb Online Portal", - "AEF CMS", - "ALPS ALPINE touchpad driver", - "APNGDis", - "ASANHAMAYESH CMS", - "Academy Learning Management System", - "Accusoft ImageGear", - "Acronis Cyber Backup", - "Acronis True Image", - "Adobe Acrobat Reader", - "Adobe Acrobat and Reader", - "Adobe Animate", - "Adobe Bridge", - "Adobe Campaign", - "Adobe Character Animator", - "Adobe Commerce", - "Adobe Dimension", - "Adobe Experience Manager", - "Adobe FrameMaker", - "Adobe Illustrator", - "Adobe InCopy", - "Adobe InDesign", - "Adobe Lightroom", - "Adobe Media Encoder", - "Adobe Photoshop", - "Adobe Premiere Elements", - "Adobe RoboHelp", - "Advanced SystemCare Ultimate", - "Advantech", - "AeroCMS", - "Afian FileRun", - "AirWave", - "Ajenti", - "AnchorCMS", - "AntSword", - "Anuko Time Tracker", - "Apache Geode", - "Apache NiFi", - "Apache OpenMeetings", - "Apache ShenYu", - "Apache Syncope", - "Apache Wicket", - "Apartment Visitor Management System", - "Apexis", - "AppFormix", - "ArcGIS Server", - "Arista EOS", - "ArsenoL", - "Artica Web Proxy", - "Aruba (ClearPass|EdgeConnect|Networks)", - "ArubaOS", - "Atlassian Bamboo", - "Atlassian Confluence", - 
"Atlassian Crucible", - "Atlassian Fisheye", - "Atlassian JIRA", - "Aurea Jive", - "Automation License Manager", - "Automotive Shop Management System", - "Avaya", - "Avira", - "Avolve Software ProjectDox", - "AxxonSoft", - "AyaCMS", - "BEESCMS", - "BMC Medical", - "BMC Remedy AR System", - "BMC Remedy Action Request", - "Backdrop CMS", - "Badminton Center Management", - "Bagecms", - "Barco Control Room Management", - "BaserCMS", - "Bento4", - "Best Student Result Management System", - "BigBlueButton", - "BigTree CMS", - "Billing System Project", - "Bitcoin Core", - "Bitdefender Antivirus", - "Bitdefender Engines", - "BlackBerry QNX Software Development Platform", - "BlackBerry UEM Management Console", - "BlackCat CMS", - "Bludit", - "BlueSpice", - "Bookme Control Panel", - "Bravo Tejari", - "Brocade Fabric OS", - "Brocade Fibre", - "Brocade SANnav", - "BtiTracker", - "CCN-lite", - "CMS Made Simple", - "CMSuno", - "CODESYS", - "CSZCMS", - "CactusVPN", - "Call for Papers", - "Campcodes Advanced Online Voting System", - "Canteen Management System", - "Car Rental Management", - "Carbon Black", - "Carel pCOWeb", - "Centum CS", - "Chamilo LMS", - "Chaoji CMS", - "ChatBot App with Suggestion", - "ChemCMS", - "Cisco", - "Citrix NetScaler", - "Clansphere CMS", - "Classcms", - "Claymore Dual Miner", - "Clinic's Patient Management System", - "CloudMe", - "CloudVision Portal", - "Clustered Data ONTAP", - "CoDeSys Runtime", - "Codoforum", - "College Management System", - "Combodo iTop", - "Complete Online Job Search", - "Composr CMS", - "Contiki-NG", - r"Converse\.js", - "CoverCMS", - "Cozy", - "Craft CMS", - "CraftCMS", - "Creditwest Bank CMS", - "Cybozu Garoon", - r"D-LINK DIR.*", - r"D-LINK.*(DIR|COVR|DAP).*", - r"D-LINK.*(DIR|COVR|DAP|DSL|DCS).*", - "DIAEnergie", - r"DIR.*[\n]*.*dlink.com.*", - "Dataiku DSS", - "DedeCMS", - "Dell (Client )?BIOS", - "Dell (Hybrid Client|GeoDrive)", - "Dell Container Storage", - "Dell EMC", - "Dell NetWorker", - "Dell PowerScale", - "Dell 
SonicWALL Scrutinizer", - "Dell Storage Manager", - "Dell Wyse Management Suite", - "Delta Electronics", - "Delta Industrial Automation", - "Desigo", - "Digital Guardian Managment Console", - "DiliCMS", - "DiligentCMS", - "Discuz", - "Disk Savvy Enterprise", - "DocuTrac QuicDoc", - "Dolibarr", - "DolphinPHP", - "DomainMOD", - "Doufoxcms", - "DrayTek", - "Dreamer CMS", - "EGavilan Media", - "EMC Data Protection Advisor", - "EPIC MyChart", - "ESPCMS", - "EasyCMS", - "Eaton's", - "Edimax", - "Emlog Pro", - "Enalean Tuleap", - "Enhancesoft osTicket", - "Epson Airprint", - "Eshtery CMS", - "EspoCRM", - "Expense Management System", - "Explzh", - "Exponent CMS", - "Exponent-CMS", - "EyouCMS", - "F-Secure Atlant", - "F5 BIG-IP", - "FATEK FvDesigner", - "FUDforum", - "FUEL-CMS", - "FactoryTalk", - "Fast Food Ordering System", - "FastAdmin", - "FastCMS", - r"FeMiner.*wms", - "Feehi CMS", - "FeehiCMS", - "FeiFeiCMS", - "FiberHome", - "FlatCore-CMS", - "Flexense DiskBoss", - "Flexense DiskPulse", - "Flexense DiskSavvy", - "Flexense DiskSorter", - "Flexense DupScout", - "Flexense SyncBreeze", - "Flexense VX Search", - "Food Ordering Management System", - "ForgeRock", - r"FortiADC|FortiMail", - "FortiAnalyzer", - "FortiClient", - "FortiNAC", - "FortiOS", - "FortiSOAR", - "Fortinet", - r"Foxit .*PDF reader", - "Frog CMS", - "Fuji Electric", - "FusionCompute", - "FusionSphere OpenStack", - "GE D60", - "GPAC ", - "GSKit", - "GXCMS", - "Galileo CMS", - "Gallagher Command Centre", - "Garage Management System", - "Geist WatchDog Console", - "Gemini-Net", - "GeniXCMS", - "GetSimple CMS", - "GetSimpleCMS", - "GilaCMS", - "Gleez CMS", - "Grandstream", - "GreenCMS", - "Gxlcms", - "Gym Management System", - r"H3C (Magic|H200|GR[0-9-]+|B5 Mini)", - r"HCL (iNotes|Commerce|Workload Automation|Digital Experience)", - "HP Security", - "HPE Aruba AirWave Glass", - "HPE Aruba ClearPass Policy Manager", - "HPE Business Process Monitor", - "HPE Cloud Optimizer", - "HPE Data Protector", - "HPE 
Diagnostics", - "HPE Helion Eucalyptus", - "HPE IceWall Federation Agent", - "HPE Insight Control", - "HPE Integrated Lights-Out", - "HPE Intelligent Management Center", - "HPE LoadRunner", - "HPE Matrix Operating Environment", - "HPE Network Automation", - "HPE Network Node Manager", - "HPE NonStop Server", - "HPE NonStop Software Essentials", - "HPE OfficeConnect Network Switches", - "HPE OpenCall Media Platform", - "HPE Operations Bridge Analytics", - "HPE Operations Orchestration Community", - "HPE Pay Per Use", - "HPE Project and Portfolio Management", - "HPE SiteScope", - "HPE Smart Storage Administrator", - "HPE StoreVirtual", - "HPE Systems Insight Manager", - "HPE UCMDB", - "HPE Version Control Repository Manager", - "HPE Vertica Analytics", - "HPE iMC PLAT", - "HashiCorp Terraform", - "Helmet Store Showroom", - "Hewlett Packard Enterprise Intelligent Management Center", - "Hewlett Packard Enterprise Moonshot Provisioning Manager", - r"Hirschmann.*[\n]*.*belden", - "Honeywell", - "HongCMS", - "Horizon Client for Windows", - "Hospital Management System", - "Hotel Management System", - "HotelDruid", - "Human Resource Management System", - "I, Librarian", - "I-librarian", - "IBM AIX", - "IBM API Connect", - "IBM App Connect Enterprise", - "IBM AppScan", - "IBM Aspera", - "IBM Aspera Web Application", - "IBM BigFix", - "IBM Business Automation Content Analyzer", - "IBM Business Automation Workflow", - "IBM Business Process Manager", - "IBM CICS", - "IBM Campaign", - "IBM Capacity Management Analytics", - "IBM Cloud Pak", - "IBM CloudPak", - "IBM Cognos", - "IBM Connections", - "IBM Content Manager", - "IBM Content Navigator", - "IBM Curam", - "IBM Daeja ViewONE", - "IBM Data Risk Manager", - "IBM DataPower Gateway", - "IBM Db2", - "IBM Db2U", - "IBM Domino", - "IBM Doors", - "IBM Emptoris", - "IBM Endpoint Manager", - "IBM Engineering Lifecycle Optimization", - "IBM Event Streams", - "IBM Financial Transaction Manager", - "IBM Flex System", - "IBM Forms 
Experience Builder", - "IBM Forms Server", - "IBM InfoSphere", - "IBM Jazz", - "IBM Jazz Foundation", - "IBM Jazz Reporting Service", - "IBM MQ", - "IBM MQ Appliance", - "IBM Maximo", - "IBM Notes", - "IBM Planning Analytics", - "IBM Power Hardware Management Console", - "IBM Publishing Engine", - "IBM QRadar", - "IBM RSA DM", - "IBM Rational", - "IBM Rhapsody", - "IBM Robotic", - "IBM Sametime", - "IBM Secure External Authentication Server", - "IBM Security Access Manager", - "IBM Security Guardium", - "IBM Security Identity Governance and Intelligence", - "IBM Security Key Lifecycle Manager", - "IBM Security QRadar", - "IBM Security Secret Server", - "IBM Security SiteProtector", - "IBM Security Trusteer Pinpoint Detect", - "IBM Security Verify Access", - "IBM Security Verify Governance", - "IBM Security Verify Information Queue", - "IBM SiteProtector Appliance", - "IBM Spectrum", - "IBM Spectrum Protect Plus", - "IBM Spectrum Scale", - "IBM Sterling B2B Integrator", - "IBM Sterling Connect:Direct", - "IBM Sterling File Gateway", - "IBM Sterling Partner Engagement Manager", - "IBM Sterling Secure Proxy", - "IBM TRIRIGA", - "IBM Tealeaf", - "IBM Tivoli", - "IBM UrbanCode Deploy", - "IBM Watson", - "IBM WebSphere", - "IBM XIV Storage", - "IBM i ", - "IBM i2 iBase", - "INTELBRAS", - "IOBit Malware Fighter", - "ImageWorsener", - "Imagely NextGEN Gallery", - "InHand Networks", - "Ingredients Stock Management System", - "InspIRCd", - "Insurance Management System", - "Intel (R) LED Manager for NUC", - "Intel Server Boards", - "Intel(R) Graphics Drivers", - "Intel(R) PAC with Arria(R)", - "Intel(R) Server Boards", - "Intelbras TELEFONE IP", - "InventoryManagementSystem", - "Invision Power Board", - "IonizeCMS", - "Ipswitch WhatsUp Gold", - "Ivanti Endpoint Security", - "JEXTN", - "JFrog Artifactory", - "JT2Go", - "Jeecg-boot", - "JerryScript", - "Jiangmin Antivirus", - "Jirafeau", - "Jizhicms", - "Joomla!", - "Joyent SmartOS", - "Judging Management System", - "JupyterHub 
OAuthenticator", - "Kaspersky Secure Mail", - "Kentico", - "Kingsoft Internet Security", - "KiteCMS", - "Kiwi TCMS", - "Kliqqi CMS", - "LAquis SCADA", - "LJCMS", - "Library Management System", - "LibreNMS", - "Liferay Portal", - "LogicalDoc", - "Loway QueueMetrics", - "M-Files Server", - "MB CONNECT LINE", - "MDaemon", - "MKCMS", - "MOXA NPort", - "MP Form Mail", - "MTS Simple Booking", - "MZ Automation", - "Magnolia CMS", - "Mahara", - "Mailbutler Shimo", - "MalwareFox AntiMalware", - "Malwarebytes Anti-Malware", - "ManageEngine OpManager", - "ManageEngine Service Desk Plus", - "March Hare WINCVS", - "McAfee Network Security Management", - "McAfee VirusScan Enterprise", - "Merchandise Online Store", - "MetInfo", - "Micro Focus ArcSight", - "Micro Focus ArcSight Management Center", - "Micro Focus Operations Bridge", - "Micro Focus Project", - "Micro Focus UCMDB", - "Micro Focus Universal CMDB", - "Micro Focus ZENworks", - "Micropoint proactive", - "Microsoft", - "Microweber", - "MikroTik's RouterOS", - "Mikrotik RouterOs", - "Ming-Soft/MCMS", - "MiniCMS", - "Mitel ST", - "Mitsubishi E-Designer", - "Mitsubishi Electric", - "Mobotix", - "Money Transfer Management System", - "MonstaFTP", - "Monstra CMS", - "Moxa OnCell", - "NETGEAR", - "NVIDIA GeForce NOW", - "Navarino Infinity", - "NetEx HyperIP", - "NetIQ Access Manager", - "NetIQ Identity Manager", - "NetIQ Identity Reporting", - "NetIQ iManager", - "Nginx NJS", - "Niagara", - "Nokia", - "NoneCms", - "NordVPN", - "Nortek Linear", - "Novel-Plus", - "NukeViet CMS", - "OPTILINK OP", - "OSIsoft PI", - "OTCMS", - "OXID eShop", - "October CMS", - "Octopus Deploy", - "Omron CX-One", - "Omron CX-Supervisor", - "Online Car Wash Booking System", - "Online Diagnostic Lab Management System", - "Online Examination System", - "Online Fire Reporting System", - "Online Food Ordering System", - "Online Leave Management System", - "Online Ordering System", - "Online Pet Shop We App", - "Online Railway Reservation System", - "Online 
Sports Complex Booking System", - "Online Student Rate System", - "Online Tours & Travels Management System", - "Open Source SACCO Management System", - "Open-AudIT Professional", - "OpenBMC", - "OpenEMR", - "OpenHarmony", - "OpenLiteSpeed", - "OpenMRS", - "OpenScape Deployment Service", - "Opencast", - "Ozeki NG SMS Gateway", - "PAN-OS", - "PHP Scripts Mall", - "PHPGurukul", - "PHPJabbers Class Scheduling System", - "POSCMS", - "Paessler PRTG Network Monitor", - "Pagekit CMS", - "Pandora FMS", - "Parallels Remote Application Server", - "PayPal", - "PbootCMS", - "Pega Platform", - "Pegasystems Pega Platform", - "Pharmacy Management System", - "Philips Intellispace Portal", - "PicturesPro Photo Cart", - "Piwigo", - "Pixar OpenUSD", - "Plixer Scrutinizer", - "Plone CMS", - "Pluck", - "PowerCMS", - "PrestaShop", - "PrivateVPN", - "Project-Pier", - "Promise Technology", - "PublicCMS", - "Pulse Connect Secure", - "Pulse Secure Desktop Client", - "PureVPN", - "PyroCMS", - "QNAP QTS", - "Quest NetVault", - "QuickTime", - "RPCMS", - "RUGGEDCOM", - "Rapid Software LLC Rapid SCADA", - "Red Discord Bot", - "Rescue Dispatch Management", - "Restaurant POS System", - "Robustel R1510", - "Rocket.Chat", - "Rockwell Automation", - "RosarioSIS", - "Ruckus Networks", - "Rukovoditel", - "SAP 3D Visual Enterprise Viewer", - "SAP Adaptive Server Enterprise", - "SAP BASIS", - "SAP Banking Services", - "SAP Business Objects Business Intelligence Platform", - "SAP Commerce versions", - "SAP Data Hub", - "SAP ERP", - "SAP Fiori Launchpad", - "SAP Marketing", - "SAP NetWeaver", - "SEMCMS", - "SICAM", - r"SIMATIC.*(PCS|CP)", - "Sagemcom", - "Sandoba CP:Shop", - "Sanitization Management System", - "Saperion Web Client", - "Schneider Electric", - "School Activity Updates with SMS Notification", - "SeaCms", - "Seagate Media Server", - r"Secomea (GateManager|SiteManager)", - "SeedDMS", - "Shimmie", - "Shirne CMS", - "ShopXO", - "Shopwind", - "Silverstripe", - "Simple Bus Ticket Booking System", - 
"Simple Client Management System", - "Simple Cold Storage Management System", - "Simple Customer Relationship Management", - "Simple E-Learning System", - "Simple Image Gallery System", - "Simple Inventory System", - "Simple Online Book Store System", - "Simple Online Public Access Catalog", - "Simple Task Scheduling System", - "Sinsiu Sinsiu Enterprise Website System", - "SmartVista", - "SnapCreek Duplicator", - "SolarView Compact", - "Solutions Atlantic Regulatory Reporting System", - "SonicWall SMA100", - "Sophos Endpoint Protection", - "Sophos Firewall", - "SourceCodester", - "SpamTitan", - "SpiderControl MicroBrowser", - "Square 9 GlobalForms", - "Stock Management System", - "Stormshield Network Security", - "Student Clearance System", - "Student Information System", - "Subrion CMS", - "SugarCRM", - "Sumatra PDF", - "Symantec", - "Synacor Zimbra", - "Synology DiskStation Manager", - "Synology Photo", - "Synology Router Manager", - "Synology Surveillance Station", - "SysAid Help Desk", - "Sysax Multi Server", - "TIBCO DataSynapse GridServer Manager", - "TOTOLINK", - r"TP-Link.*(TL|AX10v1|Tapo)", - "TRENDNet", - "Taocms", - "Telegram Desktop", - "Tenda AC15", - "Tenda AC9", - r"Tenda( |_.*)", - "Textpattern CMS", - "Train Scheduler App", - "TreasuryXpress", - "Trend Micro", - "TuziCMS", - "Twonky Server", - "UCMS ", - "UJCMS", - "Ubiquiti Networks EdgeOS", - "Unisphere for PowerMax", - "Unisys ClearPath", - "Unisys Stealth SVG", - "United Planet Intrexx Professional", - "Unitrends Backup", - "Untis WebUntis", - "Userscape HelpSpot", - r"VIDEOJET.*[\n]*.*psirt", - "VMware ESXi and vCenter Server", - "VMware Fusion", - "VMware Workstation", - "Vehicle Booking System", - "Verint Workforce Optimization", - "Veritas NetBackup", - "Verizon 5G Home", - "Vesta Control Panel", - "Victor CMS", - "VirtueMart", - "WBCE CMS", - "WECON LeviStudioU", - "WPS Office", - "WSO2 Enterprise Integrator", - "WTCMS", - "WUZHI CMS", - "WatchDog Anti-Malware", - "Wavlink", - "Web Based 
Quiz System", - "WebDynpro Java", - "Weblication CMS", - "Wedding Management System", - "Wedding Planner", - "Weeny Audio Cutter", - "Wellcms", - "Western Bridge Cobub Razor", - "Western Digital My Cloud", - "Winmail", - "Wireless IP Camera 360", - "WoWonder", - "WonderCMS", - "WordPress theme", - r"WordPress.*plugin", - "Wowza Streaming", - "XYHCMS", - "Xiaomi.*phones", - "Xiuno BBS", - "XunRuiCMS", - "Yab Quarx", - "Yahoo!", - "Yxcms", - "YxtCMF", - "YzmCMS", - "Z-BlogPHP", - "Zenario CMS", - "Zikula Application Framework", - "Zoho ManageEngine", - "ZoneAlarm", - "ZoneMinder", - "Zoo Management System", - "Zulip Desktop", - "Zyxel", - "baijiacms", - "bootstrap-table", - "chatwoot", - "cmseasy", - "comforte SWAP", - "concretecms", - "dotCMS", - "drawio", - "eDNA Enterprise Data Historian", - "ebCMS", - r"ednareporting\.asmx", - "elitecms", - "emoncms", - "enhavo CMS", - "htmly", - "https://gitee.com/oufu/ofcms/", - "https://github.com/cesanta/mjs/", - "https://github.com/kabirkhyrul/HMS/", - "https://github.com/vapor/vapor/", - "https://github.com/wp-plugins", - "https://support.zte.com.cn/support/", - "https://www.autodesk.com/", - "https://www.solarwinds.com/", - "iDashboards", - "iPayPal", - "iRedMail", - "iScripts SupportDesk", - "iScripts UberforX", - "iScripts eSwap", - "iTunes", - "iota All-In-One Security Kit", - "ismartgate PRO", - "joyplus-cms", - "lyadmin", - "madlib-object-utils", - r"mySCADA myPRO|Measuresoft ScadaPro", - "open5gs", - "perfex crm", - "phpjs", - "pimcore", - r"plugin <= [0-9\.]+ at WordPress", - r"plugins.*wordpress", - "portfolioCMS", - "prime-jwt", - "publify", - "puppyCMS", - "rap2hpoutre Laravel Log Viewer", - "rdiffweb", - r"siteserver (CMS|SSCMS)", - "swftools", - "totaljs", - "trudesk", - "usememos/memos", - "vBulletin", - r"win32k\.sys", - "wityCMS", - "wuzhicms", - "yetiforcecrm", - "zzcms", -] -BLOCKLIST_CASE_SENSITIVE = ["iOS"] - -KEYWORD_ALLOWLIST = [ - re.compile(rf"\b{keyword}\b", re.IGNORECASE) for keyword in ALLOWLIST 
-] + [re.compile(keyword) for keyword in ALLOWLIST_SPECIAL_CASES] - -KEYWORD_BLOCKLIST = [ - re.compile(rf"\b{keyword}\b", re.IGNORECASE) for keyword in BLOCKLIST -] + [re.compile(rf"\b{keyword}\b") for keyword in BLOCKLIST_CASE_SENSITIVE] +class MissingKeywordsException(Exception): + pass def check_keywords(text): @@ -789,13 +15,39 @@ def check_keywords(text): Returns tuple of matched blocklisted and allowlisted keywords. """ + + def get_keywords(_type: Keyword.Type) -> QuerySet: + return Keyword.objects.filter(type=_type).values_list("keyword", flat=True) + + allowlisted_keywords = [ + re.compile(rf"\b{keyword}\b", re.IGNORECASE) + for keyword in get_keywords(Keyword.Type.ALLOWLIST) + ] + [ + re.compile(keyword) + for keyword in get_keywords(Keyword.Type.ALLOWLIST_SPECIAL_CASE) + ] + + blocklisted_keywords = [ + re.compile(rf"\b{keyword}\b", re.IGNORECASE) + for keyword in get_keywords(Keyword.Type.BLOCKLIST) + ] + [ + re.compile(rf"\b{keyword}\b") + for keyword in get_keywords(Keyword.Type.BLOCKLIST_SPECIAL_CASE) + ] + + if not allowlisted_keywords or not blocklisted_keywords: + raise MissingKeywordsException( + "Allowlisted or blocklisted keywords are not present in the database. " + "Check if the ps-constants collector ran successfully." + ) + allowlist = [] - for word in (regex.search(text) for regex in KEYWORD_ALLOWLIST): + for word in (regex.search(text) for regex in allowlisted_keywords): if word is not None: allowlist.append(word.group().strip()) blocklist = [] - for word in (regex.search(text) for regex in KEYWORD_BLOCKLIST): + for word in (regex.search(text) for regex in blocklisted_keywords): if word is not None: blocklist.append(word.group()) diff --git a/collectors/cveorg/tests/conftest.py b/collectors/cveorg/tests/conftest.py index 6f619bf1e..4eb417827 100644 --- a/collectors/cveorg/tests/conftest.py +++ b/collectors/cveorg/tests/conftest.py 
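Review bot: `MissingKeywordsException` is added without a docstring, and the comment that explained why the special-case list exists (`r'\b\.NET\b' does not match properly because word boundary \b does not cooperate well with dot`) is deleted together with the data it described, so the next reader of the `ALLOWLIST_SPECIAL_CASE` branch in check_keywords has no hint why those patterns skip the `\b` wrapping. Give the class a one-line docstring such as `"""Raised when the database holds no allowlist or no blocklist keywords."""`, and carry the word-boundary explanation over to wherever the special-case patterns are now maintained, or to the compile step that treats them differently.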
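Review bot: The pattern strings are now compiled inside check_keywords on every call, from rows that originate in the external ps-constants repository, so a single malformed entry raises a bare `re.error` for every record the collector processes and nothing names the offending keyword or its type. Compile through a small helper that reports the bad pattern (below), or validate the patterns once in the ps-constants sync so a bad list never reaches this code. Separately, re-compiling the whole list per call (hundreds of blocklist entries, judging by the removed constants) is a cost the module-level constants did not have; a per-run cache is the natural fix, but it must be invalidated when the sync reloads the keywords, which I cannot verify from this hunk. The function's return statement lies outside the hunk.
```python
    def get_keywords(_type: Keyword.Type) -> QuerySet:
        return Keyword.objects.filter(type=_type).values_list("keyword", flat=True)

    def compile_keywords(_type: Keyword.Type, *, bounded: bool, flags: int = 0) -> list:
        # Patterns come from ps-constants via the database; name a bad one
        # instead of surfacing a bare re.error on every record.
        compiled = []
        for keyword in get_keywords(_type):
            pattern = rf"\b{keyword}\b" if bounded else keyword
            try:
                compiled.append(re.compile(pattern, flags))
            except re.error as exc:
                raise ValueError(
                    f"Invalid {_type} keyword pattern {keyword!r}: {exc}"
                ) from exc
        return compiled

    allowlisted_keywords = compile_keywords(
        Keyword.Type.ALLOWLIST, bounded=True, flags=re.IGNORECASE
    ) + compile_keywords(Keyword.Type.ALLOWLIST_SPECIAL_CASE, bounded=False)

    blocklisted_keywords = compile_keywords(
        Keyword.Type.BLOCKLIST, bounded=True, flags=re.IGNORECASE
    ) + compile_keywords(Keyword.Type.BLOCKLIST_SPECIAL_CASE, bounded=False)

    # … unchanged: MissingKeywordsException check and matching loops …
```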
@@ -4,6 +4,7 @@ from django.utils import timezone from collectors.cveorg.collectors import CVEorgCollector +from collectors.cveorg.models import Keyword @pytest.fixture(autouse=True) @@ -16,6 +17,20 @@ def auto_enable_sync(enable_jira_task_sync, enable_bz_sync) -> None: pass +@pytest.fixture() +def mock_keywords(monkeypatch) -> None: + """ + Set testing keywords to mock the ones from the ps-constants repository. + """ + Keyword(keyword="kernel", type=Keyword.Type.ALLOWLIST).save() + Keyword(keyword=r"(?:\W|^)\.NET\b", type=Keyword.Type.ALLOWLIST_SPECIAL_CASE).save() + Keyword(keyword=".*plugin.*for WordPress", type=Keyword.Type.BLOCKLIST).save() + Keyword(keyword="Cisco", type=Keyword.Type.BLOCKLIST).save() + Keyword(keyword="IBM Tivoli", type=Keyword.Type.BLOCKLIST).save() + Keyword(keyword="iTunes", type=Keyword.Type.BLOCKLIST).save() + Keyword(keyword="iOS", type=Keyword.Type.BLOCKLIST_SPECIAL_CASE).save() + + @pytest.fixture() def mock_repo(monkeypatch) -> None: """ diff --git a/collectors/cveorg/tests/test_collectors.py b/collectors/cveorg/tests/test_collectors.py index 30c7093b1..a818d0580 100644 --- a/collectors/cveorg/tests/test_collectors.py +++ b/collectors/cveorg/tests/test_collectors.py @@ -14,7 +14,7 @@ class TestCVEorgCollector: @pytest.mark.vcr - def test_collect_cveorg_records(self, mock_repo): + def test_collect_cveorg_records(self, mock_keywords, mock_repo): """ Test that snippets and flaws are created correctly. """ @@ -38,7 +38,7 @@ def test_collect_cveorg_records(self, mock_repo): assert snippet2 assert snippet2.flaw == flaw2 - def test_collect_cveorg_record_when_flaw_exists(self, mock_repo): + def test_collect_cveorg_record_when_flaw_exists(self, mock_keywords, mock_repo): """ Test that only a snippet is created when a flaw already exists. """ 
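Review bot: The `mock_keywords` fixture declares a `monkeypatch` parameter it never uses; drop it (`def mock_keywords() -> None:`) so a reader does not look for patching that is not there. Seven separate `.save()` calls can be one `Keyword.objects.bulk_create([...])`, which also keeps the fixture's data as a single literal that is easy to compare with the test_core sample. The fixture does not request a database fixture itself — presumably the surrounding conftest enables database access for every test, but if it does not, the first `.save()` fails outside a db-marked test.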
@@ -57,7 +57,7 @@ def test_collect_cveorg_record_when_flaw_exists(self, mock_repo): snippet = Snippet.objects.first() assert snippet.flaw == flaw - def test_ignored_cveorg_records(self, mock_repo): + def test_ignored_cveorg_records(self, mock_keywords, mock_repo): """ Test that snippets and flaws are not created when they do not comply with rules. """ @@ -157,7 +157,7 @@ def get_repo_changes(self): assert Snippet.objects.all().count() == 0 assert Flaw.objects.all().count() == 0 - def test_atomicity(self, monkeypatch, mock_repo): + def test_atomicity(self, monkeypatch, mock_keywords, mock_repo): """ Test that flaw and snippet are not created if any error occurs during the flaw creation. """ diff --git a/collectors/cveorg/tests/test_keywords.py b/collectors/cveorg/tests/test_keywords.py index 4c261e8b2..a716b4b47 100644 --- a/collectors/cveorg/tests/test_keywords.py +++ b/collectors/cveorg/tests/test_keywords.py @@ -1,6 +1,10 @@ import pytest -from collectors.cveorg.keywords import check_keywords, should_create_snippet +from collectors.cveorg.keywords import ( + MissingKeywordsException, + check_keywords, + should_create_snippet, +) @pytest.mark.parametrize( @@ -11,7 +15,7 @@ ("we want to allowlist kernel", ([], ["kernel"])), ], ) -def test_check_keywords(text, expected_output): +def test_check_keywords(text, expected_output, mock_keywords): assert check_keywords(text) == expected_output @@ -22,7 +26,7 @@ def test_check_keywords(text, expected_output): ("new iOS is released", (["iOS"], [])), ], ) -def test_check_keywords_case_sensitive(text, expected_output): +def test_check_keywords_case_sensitive(text, expected_output, mock_keywords): assert check_keywords(text) == expected_output 
@@ -39,7 +43,7 @@ def test_check_keywords_case_sensitive(text, expected_output): ("new iOS is released", (["iOS"], [])), ], ) -def test_check_keywords_word_boundary(text, expected_output): +def test_check_keywords_word_boundary(text, expected_output, mock_keywords): assert check_keywords(text) == expected_output @@ -54,7 +58,7 @@ def test_check_keywords_word_boundary(text, expected_output): ("end of sentence .NET. new sentence", ([], [".NET"])), ], ) -def test_check_keywords_dotnet_special_case(text, expected_output): +def test_check_keywords_dotnet_special_case(text, expected_output, mock_keywords): assert check_keywords(text) == expected_output @@ -78,7 +82,7 @@ def test_check_keywords_dotnet_special_case(text, expected_output): ), ], ) -def test_check_keywords_wordpress(text, expected_output): +def test_check_keywords_wordpress(text, expected_output, mock_keywords): assert check_keywords(text) == expected_output @@ -97,8 +101,16 @@ def test_check_keywords_wordpress(text, expected_output): (None, False), ], ) -def test_should_create_snippet(text, should_create): +def test_should_create_snippet(text, should_create, mock_keywords): """ Check whether a snippet should be created based on keywords in `text`. """ assert should_create_snippet(text) == should_create + + +def test_missing_keywords(): + """ + Test that missing keywords raise an error. + """ + with pytest.raises(MissingKeywordsException): + should_create_snippet("iOS in description") diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index 0ab97af7d..81ac2b88a 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md 
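Review bot: test_missing_keywords covers only the case where both lists are empty, while the guard in check_keywords is `if not allowlisted_keywords or not blocklisted_keywords`; add a case that saves a single allowlist row and still expects the exception, e.g. `Keyword(keyword="kernel", type=Keyword.Type.ALLOWLIST).save()` before the `pytest.raises` block, so a later change to the `or` is noticed. The test also reaches the guard only through should_create_snippet; a direct `check_keywords("iOS in description")` call would pin the function that actually raises.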
@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## Unreleased +### Changed +- Use keywords from ps-constants in CVEorg collector (OSIDB-3694) + ## [4.6.1] - 2024-12-06 ### Fixed - Fix not enough general CVE Severity/Severity error fallback (OSIDB-3767) From 375e86c35fc415835bbfc7465a45444a14ee9757 Mon Sep 17 00:00:00 2001 From: Jitka Obselkova Date: Wed, 11 Dec 2024 12:57:43 +0100 Subject: [PATCH 4/4] Remove unused constant from test --- collectors/ps_constants/tests/test_core.py | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/collectors/ps_constants/tests/test_core.py b/collectors/ps_constants/tests/test_core.py index c2290b389..0eac6bc31 100644 --- a/collectors/ps_constants/tests/test_core.py +++ b/collectors/ps_constants/tests/test_core.py @@ -13,17 +13,6 @@ pytestmark = pytest.mark.unit -SAMPLE_DATA = { - "rhel-1": [ - "test1", - "another1", - ], - "rhel-2": [ - "test2", - "another2", - ], -} - SAMPLE_JIRA_BUG_ISSUETYPE = { "bug_issuetype": [ "PROJ1",