Skip to content

Migrate Gentoo importer to advisory V2#2090

Open
ziadhany wants to merge 9 commits intoaboutcode-org:mainfrom
ziadhany:gentoo-migration
Open

Migrate Gentoo importer to advisory V2#2090
ziadhany wants to merge 9 commits intoaboutcode-org:mainfrom
ziadhany:gentoo-migration

Conversation

@ziadhany
Copy link
Collaborator

@ziadhany ziadhany commented Dec 30, 2025
edited
Loading

@ziadhany ziadhany changed the title Add initial migration to Gentoo importer v2 Migrate Gentoo importer to advisory V2 Dec 30, 2025
@ziadhany ziadhany marked this pull request as ready for review January 1, 2026 13:58
@ziadhany
Copy link
Collaborator Author

ziadhany commented Jan 1, 2026
edited
Loading

gentoo importer V2 logs:

/home/ziad-hany/PycharmProjects/vulnerablecode/venv/bin/python /home/ziad-hany/PycharmProjects/vulnerablecode/manage.py import localhost:8000 --all 
INFO 2026-02-02 17:54:38.166692 UTC Pipeline [GentooImporterPipeline] starting
INFO 2026-02-02 17:54:38.166802 UTC Step [clone] starting
INFO 2026-02-02 17:54:38.166832 UTC Cloning `git+https://anongit.gentoo.org/git/data/glsa.git`
Importing data using gentoo_importer_v2
INFO 2026-02-02 17:54:43.419509 UTC Step [clone] completed in 5 seconds
INFO 2026-02-02 17:54:43.419620 UTC Step [collect_and_store_advisories] starting
INFO 2026-02-02 17:54:43.447538 UTC Collecting 3,814 advisories
INFO 2026-02-02 17:54:47.695981 UTC Progress: 10% (382/3814) ETA: 38 seconds
INFO 2026-02-02 17:54:51.021923 UTC InvalidVersion constraints version: 1.3* error:'1.3*' is not a valid <class 'univers.versions.GentooVersion'>
INFO 2026-02-02 17:54:51.826717 UTC Progress: 20% (763/3814) ETA: 34 seconds
INFO 2026-02-02 17:54:56.169353 UTC Progress: 30% (1145/3814) ETA: 30 seconds
INFO 2026-02-02 17:54:58.417666 UTC InvalidVersion constraints version: 3.24.48:3 error:'3.24.48:3' is not a valid <class 'univers.versions.GentooVersion'>
INFO 2026-02-02 17:54:58.417815 UTC InvalidVersion constraints version: 3.24.48:3 error:'3.24.48:3' is not a valid <class 'univers.versions.GentooVersion'>
INFO 2026-02-02 17:55:00.338608 UTC Progress: 40% (1526/3814) ETA: 25 seconds
INFO 2026-02-02 17:55:04.620972 UTC Progress: 50% (1907/3814) ETA: 21 seconds
INFO 2026-02-02 17:55:06.363401 UTC InvalidVersion constraints version: 7.4* error:'7.4*' is not a valid <class 'univers.versions.GentooVersion'>
INFO 2026-02-02 17:55:06.363539 UTC InvalidVersion constraints version: 7.3* error:'7.3*' is not a valid <class 'univers.versions.GentooVersion'>
INFO 2026-02-02 17:55:08.923560 UTC Progress: 60% (2289/3814) ETA: 17 seconds
INFO 2026-02-02 17:55:09.268841 UTC InvalidVersion constraints version: 7.4* error:'7.4*' is not a valid <class 'univers.versions.GentooVersion'>
INFO 2026-02-02 17:55:11.946939 UTC InvalidVersion constraints version: 6.9.3:6 error:'6.9.3:6' is not a valid <class 'univers.versions.GentooVersion'>
INFO 2026-02-02 17:55:11.947075 UTC InvalidVersion constraints version: 6.9.3:6 error:'6.9.3:6' is not a valid <class 'univers.versions.GentooVersion'>
INFO 2026-02-02 17:55:12.803704 UTC InvalidVersion constraints version: 7.4* error:'7.4*' is not a valid <class 'univers.versions.GentooVersion'>
INFO 2026-02-02 17:55:12.803886 UTC InvalidVersion constraints version: 7.3* error:'7.3*' is not a valid <class 'univers.versions.GentooVersion'>
INFO 2026-02-02 17:55:13.023839 UTC Progress: 70% (2670/3814) ETA: 13 seconds
INFO 2026-02-02 17:55:14.632720 UTC InvalidVersion constraints version: 7.4* error:'7.4*' is not a valid <class 'univers.versions.GentooVersion'>
INFO 2026-02-02 17:55:14.632854 UTC InvalidVersion constraints version: 7.3* error:'7.3*' is not a valid <class 'univers.versions.GentooVersion'>
INFO 2026-02-02 17:55:16.977535 UTC Progress: 80% (3052/3814) ETA: 8 seconds
INFO 2026-02-02 17:55:21.247673 UTC Progress: 90% (3433/3814) ETA: 4 seconds
INFO 2026-02-02 17:55:25.279534 UTC Progress: 100% (3814/3814)
INFO 2026-02-02 17:55:25.291572 UTC Successfully collected 3,814 advisories
INFO 2026-02-02 17:55:25.291680 UTC Step [collect_and_store_advisories] completed in 42 seconds
INFO 2026-02-02 17:55:25.291715 UTC Step [clean_downloads] starting
INFO 2026-02-02 17:55:25.291739 UTC Removing cloned repository
INFO 2026-02-02 17:55:25.328524 UTC Step [clean_downloads] completed in 0 seconds
INFO 2026-02-02 17:55:25.328685 UTC Pipeline completed in 47 seconds

Process finished with exit code 0

from vulnerabilities.models import AdvisoryV2
from django.db.models import Count
duplicates = (
    AdvisoryV2.objects
    .values('avid')
    .annotate(count=Count('id'))
    .filter(count__gt=1)
)
len(duplicates)
Out[2]: 0
AdvisoryV2.objects.count()
Out[3]: 3814

gentoo importer V1 logs:

Importing data using vulnerabilities.importers.gentoo.GentooImporter
Invalid safe_version 3.24.48:3 - error: '3.24.48:3' is not a valid <class 'univers.versions.GentooVersion'>
Invalid safe_version 6.9.3:6 - error: '6.9.3:6' is not a valid <class 'univers.versions.GentooVersion'>
Successfully imported data using vulnerabilities.importers.gentoo.GentooImporter

@ziadhany
Copy link
Collaborator Author

ziadhany commented Jan 1, 2026

Related issue:

@ziadhany ziadhany force-pushed the gentoo-migration branch 2 times, most recently from 76f65a8 to 0bed9dd Compare January 12, 2026 23:46
@ziadhany ziadhany mentioned this pull request Jan 13, 2026
Open
@ziadhany ziadhany requested a review from TG1999 January 13, 2026 23:31
@ziadhany
Add initial migration to Gentoo importer v2
1f3ad4d 
Signed-off-by: ziad hany <ziadhany2016@gmail.com>
@ziadhany
Add a test for gentoo importer v2
f3bec2a 
Signed-off-by: ziad hany <ziadhany2016@gmail.com>
@ziadhany
Fix Gentoo importer v1
ea7434f 
Update the Gentoo get_safe_and_affected_versions function in advisory v2

Signed-off-by: ziad hany <ziadhany2016@gmail.com>
@ziadhany
Fix code style
f416c5d 
Signed-off-by: ziad hany <ziadhany2016@gmail.com>
@ziadhany
Avoid duplicate affected_packages
002300d 
Signed-off-by: ziad hany <ziadhany2016@gmail.com>
@ziadhany
Avoid skipping some versions in Gentoo importer
5ef6840 
Signed-off-by: ziad hany <ziadhany2016@gmail.com>
@ziadhany
Update gentoo importer to include rle, rgt, and rge versions.
a5e7bd4 
Signed-off-by: ziad hany <ziadhany2016@gmail.com>
@ziadhany
Remove invalid logger and use the pipeline logger
df9077b 
Signed-off-by: ziad hany <ziadhany2016@gmail.com>
@TG1999 TG1999 requested a review from keshav-space February 4, 2026 12:06
keshav-space
keshav-space requested changes Feb 5, 2026
View reviewed changes
Copy link
Member

@keshav-space keshav-space left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ziadhany Thanks, see some feedback below.

vulnerabilities/pipelines/v2_importers/gentoo_importer.py Outdated
cves = []
summary = ""
xml_root = ET.parse(file).getroot()
id = xml_root.attrib.get("id")
Copy link
Member

@keshav-space keshav-space Feb 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
id = xml_root.attrib.get("id")
id = xml_root.attrib.get("id", "")

vulnerabilities/pipelines/v2_importers/gentoo_importer.py

affected_package = AffectedPackageV2(
package=purl,
affected_version_range=EbuildVersionRange(constraints=[constraint]),
Copy link
Member

@keshav-space keshav-space Feb 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It does not make sense to report unaffected range in affected_version_range.

vulnerabilities/pipelines/v2_importers/gentoo_importer.py Outdated
Comment on lines 111 to 113
url=f"https://security.gentoo.org/glsa/{id}"
if id
else "https://security.gentoo.org/glsa",
Copy link
Member

@keshav-space keshav-space Feb 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should suffice

Suggested change
url=f"https://security.gentoo.org/glsa/{id}"
if id
else "https://security.gentoo.org/glsa",
url=f"https://security.gentoo.org/glsa/{id}",

vulnerabilities/pipelines/v2_importers/gentoo_importer.py
Comment on lines +144 to +145
if invert:
constraint = constraint.invert()
Copy link
Member

@keshav-space keshav-space Feb 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ziadhany why do we invert fixed range, we should report fixed range as is.

Copy link
Collaborator Author

@ziadhany ziadhany Feb 6, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@keshav-space we have two type of package version

  • unaffected
  • vulnerable
GLSA-201405-01 , CVE-2014-0004
  <affected>
    <package name="sys-fs/udisks" auto="yes" arch="*">
      <unaffected range="rge">1.0.5</unaffected>
      <unaffected range="ge">2.1.3</unaffected>
      <vulnerable range="lt">2.1.3</vulnerable>
    </package>
  </affected>

we invert the unaffected (safe_version) to get the affected version if it isn’t specified.
see line: 159, 162

the main question is that does the unaffected mean fixed range, if yes I should update this

Copy link
Member

@keshav-space keshav-space Feb 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the main question is that does the unaffected mean fixed range, if yes I should update this

@ziadhany Yes, unaffected is fixed range see resolution section here https://security.gentoo.org/glsa/201405-01 so if we get unaffected range it should be treated as fixed range.

Also rge means revision greater than equals and rgt means revision greater than lets mention this in comments.

<unaffected range="ge">2.1.3</unaffected> is pretty straight forward it translates to fixed range vers:ebuild/>=2.1.3. But revision range are bit tricky here <unaffected range="rge">1.0.5</unaffected> translates to vers:ebuild/>=1.0.5|<1.1 see the interpretation here https://security.gentoo.org/glsa/201405-01

similarly for this advisory https://security.gentoo.org/glsa/202004-13 we have these unaffected range

<unaffected range="rge">2.23.3</unaffected>
<unaffected range="rge">2.24.3</unaffected>
<unaffected range="rge">2.25.4</unaffected>
<unaffected range="rge">2.26.2</unaffected>

and these would be interpreted as fixed range

vers:ebuild/>=2.23.3|<2.24
vers:ebuild/>=2.24.3|<2.25
vers:ebuild/>=2.25.4|<2.26
vers:ebuild/>=2.26.2|<2.27

vulnerabilities/tests/test_data/gentoo_v2/glsa-201709-09-expected.json
Comment on lines +37 to +50
{
"package": {
"type": "ebuild",
"namespace": "dev-vcs",
"name": "subversion",
"version": "",
"qualifiers": "",
"subpath": ""
},
"affected_version_range": "vers:ebuild/<=1.8.18",
"fixed_version_range": null,
"introduced_by_commit_patches": [],
"fixed_by_commit_patches": []
}
Copy link
Member

@keshav-space keshav-space Feb 5, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not right, for the unaffected range <unaffected range="ge">1.9.7</unaffected> and <unaffected range="rgt">1.8.18</unaffected> we should report vers:ebuild/>1.8.18 and vers:ebuild/1.9.7 as fixed version range and do not invert these and report it as affected vers.

@ziadhany
Fix minor issue related to advisory url and safe default for id
b9c28b8 
Signed-off-by: ziad hany <ziadhany2016@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@keshav-space keshav-space keshav-space requested changes

@TG1999 TG1999 Awaiting requested review from TG1999

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ziadhany @keshav-space