Add Grafana security advisory importer#2200
Open
NucleiAv wants to merge 6 commits intoaboutcode-org:mainfrom
Open
Add Grafana security advisory importer#2200NucleiAv wants to merge 6 commits intoaboutcode-org:mainfrom
NucleiAv wants to merge 6 commits intoaboutcode-org:mainfrom
Conversation
NucleiAv
force-pushed
the
fix/grafana-importer-1462
branch
from
765808c to
918f85b
Compare
Adds GrafanaImporterPipeline using the GitHub Security Advisory REST API. Covers grafana/grafana, grafana/loki, credativ/plutono and credativ/vali. - Parses GHSA IDs, CVE aliases, CVSS v3.1 scores, CWE weaknesses and version ranges from the API response - Normalizes space-separated version constraints to comma-separated format before passing to build_range_from_github_advisory_constraint - Skips advisories without a parseable version range rather than raising - Registers GrafanaImporterPipeline in IMPORTERS_REGISTRY - Includes JSON test fixtures and unit tests for parse_advisory_data Closes aboutcode-org#1462 Signed-off-by: newklei <magmacicada@proton.me>
Signed-off-by: newklei <magmacicada@proton.me>
NucleiAv
force-pushed
the
fix/grafana-importer-1462
branch
from
4d0aae7 to
481fb5b
Compare
Signed-off-by: newklei <magmacicada@proton.me>
Signed-off-by: newklei <magmacicada@proton.me>
NucleiAv
force-pushed
the
fix/grafana-importer-1462
branch
from
c803224 to
60e258f
Compare
…importer - Removed repo_url class attribute (not part of the base class contract) - Replaced datetime.strptime + timezone.utc with dateparser.parse() for consistency with the ZDI importer and flexibility with date formats - Removed unused datetime and timezone stdlib imports Signed-off-by: newklei <magmacicada@proton.me>
NucleiAv
force-pushed
the
fix/grafana-importer-1462
branch
from
60e258f to
4c8780c
Compare
Signed-off-by: newklei <magmacicada@proton.me>
NucleiAv
force-pushed
the
fix/grafana-importer-1462
branch
from
3976236 to
af8756a
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #1462
It collects published security advisories for grafana/grafana, grafana/loki, credativ/plutono, and credativ/vali via the GitHub Security Advisory REST API.
The GHSA ID is the advisory_id; any associated CVE goes into aliases. Version ranges from the API come in as space-separated constraints like >=9.2.0 <9.2.10, which get normalized to comma-separated before passing to build_range_from_github_advisory_constraint. Advisories with no parseable range just produce empty affected_packages rather than erroring out. CVSS v3.1 vector and score go into severities, CWE IDs into weaknesses.
New files are grafana_importer.py, test_grafana_importer.py, fixtures under test_data/grafana/, and registration in IMPORTERS_REGISTRY.