Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for global advisories and unify some shared logic with repository advisories #2702

Merged
merged 18 commits into from
Nov 26, 2023
Merged

Add support for global advisories and unify some shared logic with repository advisories #2702

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
5efef3c
Add support for global advisories and unify some shared logic with re…
crimsonknave Jul 28, 2023
91bafcf
Updating copyright headers for edited files
crimsonknave Jul 28, 2023
4926945
Fix linting and actually test the CVSS class
crimsonknave Jul 28, 2023
a0b829f
Updating header
crimsonknave Jul 28, 2023
7f444f6
One more lint fix
crimsonknave Jul 28, 2023
8262d07
More tests, fixed global advisory filters
crimsonknave Jul 29, 2023
4a590ed
Merge branch 'main' into security-advisories
crimsonknave Aug 3, 2023
6c184df
Adding tests for an advisory with less complete data
crimsonknave Aug 11, 2023
4e683ce
Merge branch 'security-advisories' of github.com:crimsonknave/PyGithu…
crimsonknave Aug 11, 2023
ee12988
Merge branch 'main' into security-advisories
crimsonknave Aug 11, 2023
32bff42
Cleaning up type assertions and adding global advisory methods to mai…
crimsonknave Aug 22, 2023
aed8a85
Merge remote-tracking branch 'upstream/main' into security-advisories
crimsonknave Aug 22, 2023
d2c2126
Correctly setting type hints for the optional parameters
crimsonknave Aug 22, 2023
e3a1732
Merge branch 'main' into security-advisories
crimsonknave Aug 29, 2023
dd4dab6
Merge branch 'main' into security-advisories
crimsonknave Nov 20, 2023
01ad805
Adding type hints from deleted .pyi files
crimsonknave Nov 20, 2023
804ba7e
Merge branch 'security-advisories' of github.com:crimsonknave/PyGithu…
crimsonknave Nov 20, 2023
489e0a2
Fixing linting
crimsonknave Nov 20, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
156 changes: 156 additions & 0 deletions github/AdvisoryBase.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,156 @@
############################ Copyrights and license ############################
# #
# Copyright 2023 crimsonknave <crimsonknave@github.com> #
# #
# This file is part of PyGithub. #
# http://pygithub.readthedocs.io/ #
# #
# PyGithub is free software: you can redistribute it and/or modify it under #
# the terms of the GNU Lesser General Public License as published by the Free #
# Software Foundation, either version 3 of the License, or (at your option) #
# any later version. #
# #
# PyGithub is distributed in the hope that it will be useful, but WITHOUT ANY #
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS #
# FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more #
# details. #
# #
# You should have received a copy of the GNU Lesser General Public License #
# along with PyGithub. If not, see <http://www.gnu.org/licenses/>. #
# #
################################################################################

from __future__ import annotations

from datetime import datetime
from typing import Any

from github.AdvisoryVulnerability import AdvisoryVulnerability
from github.CVSS import CVSS
from github.CWE import CWE
from github.GithubObject import Attribute, NonCompletableGithubObject, NotSet


class AdvisoryBase(NonCompletableGithubObject):
"""
This class represents a the shared attributes between GlobalAdvisory and RepositoryAdvisory
https://docs.github.com/en/rest/security-advisories/global-advisories
https://docs.github.com/en/rest/security-advisories/repository-advisories
"""

def _initAttributes(self) -> None:
self._cve_id: Attribute[str] = NotSet
self._cvss: Attribute[CVSS] = NotSet
self._cwes: Attribute[list[CWE]] = NotSet
self._description: Attribute[str] = NotSet
self._ghsa_id: Attribute[str] = NotSet
self._html_url: Attribute[str] = NotSet
self._identifiers: Attribute[list[dict]] = NotSet
self._published_at: Attribute[datetime] = NotSet
self._severity: Attribute[str] = NotSet
self._summary: Attribute[str] = NotSet
self._updated_at: Attribute[datetime] = NotSet
self._url: Attribute[str] = NotSet
self._vulnerabilities: Attribute[list[AdvisoryVulnerability]] = NotSet
self._withdrawn_at: Attribute[datetime] = NotSet

def __repr__(self) -> str:
return self.get__repr__({"ghsa_id": self.ghsa_id, "summary": self.summary})

@property
def cve_id(self) -> str:
return self._cve_id.value

@property
def cvss(self) -> CVSS:
return self._cvss.value

@property
def cwes(self) -> list[CWE]:
return self._cwes.value

@property
def description(self) -> str:
return self._description.value

@property
def ghsa_id(self) -> str:
return self._ghsa_id.value

@property
def html_url(self) -> str:
return self._html_url.value

@property
def identifiers(self) -> list[dict]:
return self._identifiers.value

@property
def published_at(self) -> datetime:
return self._published_at.value

@property
def severity(self) -> str:
return self._severity.value

@property
def summary(self) -> str:
return self._summary.value

@property
def updated_at(self) -> datetime:
return self._updated_at.value

@property
def url(self) -> str:
return self._url.value

@property
def vulnerabilities(self) -> list[AdvisoryVulnerability]:
return self._vulnerabilities.value

@property
def withdrawn_at(self) -> datetime:
return self._withdrawn_at.value

def _useAttributes(self, attributes: dict[str, Any]) -> None:
if "cve_id" in attributes: # pragma no branch
self._cve_id = self._makeStringAttribute(attributes["cve_id"])
if "cvss" in attributes: # pragma no branch
self._cvss = self._makeClassAttribute(CVSS, attributes["cvss"])
if "cwes" in attributes: # pragma no branch
self._cwes = self._makeListOfClassesAttribute(CWE, attributes["cwes"])
if "description" in attributes: # pragma no branch
self._description = self._makeStringAttribute(attributes["description"])
if "ghsa_id" in attributes: # pragma no branch
self._ghsa_id = self._makeStringAttribute(attributes["ghsa_id"])
if "html_url" in attributes: # pragma no branch
self._html_url = self._makeStringAttribute(attributes["html_url"])
if "identifiers" in attributes: # pragma no branch
self._identifiers = self._makeListOfDictsAttribute(attributes["identifiers"])
if "published_at" in attributes: # pragma no branch
assert attributes["published_at"] is None or isinstance(attributes["published_at"], str), attributes[
"published_at"
]
self._published_at = self._makeDatetimeAttribute(attributes["published_at"])
if "severity" in attributes: # pragma no branch
self._severity = self._makeStringAttribute(attributes["severity"])
if "summary" in attributes: # pragma no branch
self._summary = self._makeStringAttribute(attributes["summary"])
if "updated_at" in attributes: # pragma no branch
assert attributes["updated_at"] is None or isinstance(attributes["updated_at"], str), attributes[
"updated_at"
]
self._updated_at = self._makeDatetimeAttribute(attributes["updated_at"])
if "url" in attributes: # pragma no branch
self._url = self._makeStringAttribute(attributes["url"])
if "vulnerabilities" in attributes: # pragma no branch
self._vulnerabilities = self._makeListOfClassesAttribute(
AdvisoryVulnerability,
attributes["vulnerabilities"],
)
if "withdrawn_at" in attributes: # pragma no branch
assert attributes["withdrawn_at"] is None or isinstance(attributes["withdrawn_at"], str), attributes[
"withdrawn_at"
]
self._withdrawn_at = self._makeDatetimeAttribute(attributes["withdrawn_at"])
11 changes: 6 additions & 5 deletions github/RepositoryAdvisoryCredit.py → github/AdvisoryCredit.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
############################ Copyrights and license ############################
# #
# Copyright 2023 Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com> #
EnricoMi marked this conversation as resolved.
Show resolved Hide resolved
# Copyright 2023 crimsonknave <crimsonknave@github.com> #
# #
# This file is part of PyGithub. #
# http://pygithub.readthedocs.io/ #
Expand All @@ -19,6 +19,7 @@
# along with PyGithub. If not, see <http://www.gnu.org/licenses/>. #
# #
################################################################################

from __future__ import annotations

from typing import Any, Union
Expand All @@ -38,10 +39,10 @@ class SimpleCredit(TypedDict):
type: str


Credit = Union[SimpleCredit, "RepositoryAdvisoryCredit"]
Credit = Union[SimpleCredit, "AdvisoryCredit"]


class RepositoryAdvisoryCredit(NonCompletableGithubObject):
class AdvisoryCredit(NonCompletableGithubObject):
"""
This class represents a credit that is assigned to a SecurityAdvisory.
The reference can be found here https://docs.github.com/en/rest/security-advisories/repository-advisories
Expand Down Expand Up @@ -73,7 +74,7 @@ def _useAttributes(self, attributes: dict[str, Any]) -> None:

@staticmethod
def _validate_credit(credit: Credit) -> None:
assert isinstance(credit, (dict, RepositoryAdvisoryCredit)), credit
assert isinstance(credit, (dict, AdvisoryCredit)), credit
if isinstance(credit, dict):
assert "login" in credit, credit
assert "type" in credit, credit
Expand All @@ -85,7 +86,7 @@ def _validate_credit(credit: Credit) -> None:

@staticmethod
def _to_github_dict(credit: Credit) -> SimpleCredit:
assert isinstance(credit, (dict, RepositoryAdvisoryCredit)), credit
assert isinstance(credit, (dict, AdvisoryCredit)), credit
if isinstance(credit, dict):
assert "login" in credit, credit
assert "type" in credit, credit
Expand Down
5 changes: 3 additions & 2 deletions github/RepositoryAdvisoryCreditDetailed.py → github/AdvisoryCreditDetailed.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
############################ Copyrights and license ############################
# #
# Copyright 2023 Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com> #
# Copyright 2023 crimsonknave <crimsonknave@github.com> #
# #
# This file is part of PyGithub. #
# http://pygithub.readthedocs.io/ #
Expand All @@ -19,6 +19,7 @@
# along with PyGithub. If not, see <http://www.gnu.org/licenses/>. #
# #
################################################################################

from __future__ import annotations

from typing import Any
Expand All @@ -27,7 +28,7 @@
from github.GithubObject import Attribute, NonCompletableGithubObject, NotSet


class RepositoryAdvisoryCreditDetailed(NonCompletableGithubObject):
class AdvisoryCreditDetailed(NonCompletableGithubObject):
"""
This class represents a credit that is assigned to a SecurityAdvisory.
The reference can be found here https://docs.github.com/en/rest/security-advisories/repository-advisories
Expand Down
26 changes: 13 additions & 13 deletions github/RepositoryAdvisoryVulnerability.py → github/AdvisoryVulnerability.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
############################ Copyrights and license ############################
# #
# Copyright 2023 Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com> #
# Copyright 2023 crimsonknave <crimsonknave@github.com> #
# #
# This file is part of PyGithub. #
# http://pygithub.readthedocs.io/ #
Expand All @@ -19,17 +19,18 @@
# along with PyGithub. If not, see <http://www.gnu.org/licenses/>. #
# #
################################################################################

from __future__ import annotations

from typing import TYPE_CHECKING, Any, Union

from typing_extensions import TypedDict

import github.RepositoryAdvisoryVulnerabilityPackage
import github.AdvisoryVulnerabilityPackage
from github.GithubObject import Attribute, NonCompletableGithubObject, NotSet

if TYPE_CHECKING:
from github.RepositoryAdvisoryVulnerabilityPackage import RepositoryAdvisoryVulnerabilityPackage
from github.AdvisoryVulnerabilityPackage import AdvisoryVulnerabilityPackage


class SimpleAdvisoryVulnerabilityPackage(TypedDict):
Expand All @@ -52,10 +53,10 @@ class SimpleAdvisoryVulnerability(TypedDict):
vulnerable_version_range: str | None


AdvisoryVulnerability = Union[SimpleAdvisoryVulnerability, "RepositoryAdvisoryVulnerability"]
AdvisoryVulnerabilityInput = Union[SimpleAdvisoryVulnerability, "AdvisoryVulnerability"]


class RepositoryAdvisoryVulnerability(NonCompletableGithubObject):
class AdvisoryVulnerability(NonCompletableGithubObject):
"""
This class represents a package that is vulnerable to a parent SecurityAdvisory.
The reference can be found here https://docs.github.com/en/rest/security-advisories/repository-advisories
Expand All @@ -64,9 +65,9 @@ class RepositoryAdvisoryVulnerability(NonCompletableGithubObject):
@property
def package(
self,
) -> RepositoryAdvisoryVulnerabilityPackage:
) -> AdvisoryVulnerabilityPackage:
"""
:type: :class:`github.RepositoryAdvisoryVulnerability.RepositoryAdvisoryVulnerability`
:type: :class:`github.AdvisoryVulnerability.AdvisoryVulnerability`
"""
return self._package.value

Expand All @@ -92,15 +93,15 @@ def vulnerable_version_range(self) -> str | None:
return self._vulnerable_version_range.value

def _initAttributes(self) -> None:
self._package: Attribute[RepositoryAdvisoryVulnerabilityPackage] = NotSet
self._package: Attribute[AdvisoryVulnerabilityPackage] = NotSet
self._patched_versions: Attribute[str] = NotSet
self._vulnerable_functions: Attribute[list[str]] = NotSet
self._vulnerable_version_range: Attribute[str] = NotSet

def _useAttributes(self, attributes: dict[str, Any]) -> None:
if "package" in attributes: # pragma no branch
self._package = self._makeClassAttribute(
github.RepositoryAdvisoryVulnerabilityPackage.RepositoryAdvisoryVulnerabilityPackage,
github.AdvisoryVulnerabilityPackage.AdvisoryVulnerabilityPackage,
attributes["package"],
)
if "patched_versions" in attributes: # pragma no branch
Expand All @@ -111,7 +112,7 @@ def _useAttributes(self, attributes: dict[str, Any]) -> None:
self._vulnerable_version_range = self._makeStringAttribute(attributes["vulnerable_version_range"])

@classmethod
def _validate_vulnerability(cls, vulnerability: AdvisoryVulnerability) -> None:
def _validate_vulnerability(cls, vulnerability: AdvisoryVulnerabilityInput) -> None:
assert isinstance(vulnerability, (dict, cls)), vulnerability
if isinstance(vulnerability, dict):
assert "package" in vulnerability, vulnerability
Expand All @@ -136,13 +137,12 @@ def _validate_vulnerability(cls, vulnerability: AdvisoryVulnerability) -> None:

else:
assert (
vulnerability.package
is github.RepositoryAdvisoryVulnerabilityPackage.RepositoryAdvisoryVulnerabilityPackage
vulnerability.package is github.AdvisoryVulnerabilityPackage.AdvisoryVulnerabilityPackage
), vulnerability

@staticmethod
def _to_github_dict(
vulnerability: AdvisoryVulnerability,
vulnerability: AdvisoryVulnerabilityInput,
) -> SimpleAdvisoryVulnerability:
if isinstance(vulnerability, dict):
vulnerability_package: SimpleAdvisoryVulnerabilityPackage = vulnerability["package"]
Expand Down
5 changes: 3 additions & 2 deletions ...RepositoryAdvisoryVulnerabilityPackage.py → github/AdvisoryVulnerabilityPackage.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
############################ Copyrights and license ############################
# #
# Copyright 2023 Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com> #
# Copyright 2023 crimsonknave <crimsonknave@github.com> #
# #
# This file is part of PyGithub. #
# http://pygithub.readthedocs.io/ #
Expand All @@ -19,14 +19,15 @@
# along with PyGithub. If not, see <http://www.gnu.org/licenses/>. #
# #
################################################################################

from __future__ import annotations

from typing import Any

from github.GithubObject import Attribute, NonCompletableGithubObject, NotSet


class RepositoryAdvisoryVulnerabilityPackage(NonCompletableGithubObject):
class AdvisoryVulnerabilityPackage(NonCompletableGithubObject):
"""
This class represents an identifier for a package that is vulnerable tao parent SecurityAdvisory.
The reference can be found here https://docs.github.com/en/rest/security-advisories/repository-advisories
Expand Down