Conversation
Signed-off-by: Anmol Vats <anmolvats2003@gmail.com>
ziadhany left a comment
@NucleiAv Good start, see some comments there.
I think something like this is simpler.
Used entry.get("summary") or {} instead of the suggested entry.get("summary", {}) because the API actually returns "summary": null for some entries (CVE-2024-2212 in the sample data). When the key exists but its value is null, .get("summary", {}) still returns None, which makes None.get("content") blow up. The or {} handles both the missing key and the null case cleanly.
Done!
Do we have any examples of this? If yes, please log this, if no, please remove it.
I removed it since I did not find any instances in the API data.
Please change this to test against the file instead of running parse_advisory for every attribute.
Replaced the whole class with a single test_parse_advisories() that runs all three sample entries and checks against an expected JSON file using util_tests.check_results_against_json. Also dropped test_collect_advisories_skips_on_http_error as it had assert not hasattr(...) or True which is always true and wasn't actually testing anything.
Signed-off-by: Anmol Vats <anmolvats2003@gmail.com>
keshav-space
commented
Apr 20, 2026
I doubt there is any benefit in having this importer if there is not much information to import. There is not even a complete summary. We just have CVE and a link to the corresponding GHSA advisory, which we are already importing.
For instance, let us take a look at one of those entries in https://api.eclipse.org/cve.
    {
        "id": "CVE-2026-1605",
        "date_published": "2026年03月05日",
        "project": "rt.jetty",
        "request_link": "https://gitlab.eclipse.org/security/cve-assignment/-/issues/79",
        "cve_pull_request": "",
        "status": "PUBLIC",
        "summary": {
            "content": "The Eclipse Jetty Server Artifact has a Gzip request memory leak ",
            "source": "https://api.github.com/advisories?cve_id=CVE-2026-1605"
        },
        "cvss": 7.5,
        "live_link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1605"
    },

We do not have anything substantial here to import. Also we already have much better data for this vulnerability from GHSA, see https://public.vulnerablecode.io/advisories/github_osv_importer_v2/GHSA-xxh7-fcf3-rj7f.
Closes #1495
HTML parsing the Eclipse website at https://www.eclipse.org/security/known.php would return nothing useful because the CVE-ID links in the table redirect to NVD and the project links return a 404. Instead I found that the website renders its advisory table entirely via JavaScript from a JSON API endpoint. By inspecting the JS bundle, I found https://api.eclipse.org/cve, which returns all 197 advisories as a clean JSON array with no auth and no pagination required. So I chose the API approach, since it's clean and consistent.
Each entry provides details like CVE ID, publish date, Eclipse project name, summary, CVSS score, and reference URLs (CVE Mitre link, Eclipse bugtracker ticket, GitHub CVE pull request where applicable).
The API does not provide a CVSS vector string or version (only a bare float score, stored using the GENERIC scoring system), CWE weaknesses, or affected or fixed package versions. These fields are left empty.
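As an added illustration of the entry shape described above and of the `entry.get("summary") or {}` null-handling point raised in the review thread (this is example code written for this page, not the PR's own importer), the parser below normalises constructed entries in the shape of the https://api.eclipse.org/cve response. The field names follow the entry quoted in the thread; the second and third entries, the `parse_advisory` return keys and the `example.project` and `CVE-0000-0000` values are assumptions made for the example.

```python
import json
from typing import Any

# Constructed sample in the shape of the https://api.eclipse.org/cve response:
# the first entry is the one quoted in the thread, the second has
# "summary": null (the CVE-2024-2212 case mentioned in review), the third
# lacks the key entirely and carries its score as a string.
SAMPLE_ENTRIES = json.loads("""[
  {"id": "CVE-2026-1605", "date_published": "2026年03月05日", "project": "rt.jetty",
   "request_link": "https://gitlab.eclipse.org/security/cve-assignment/-/issues/79",
   "cve_pull_request": "", "status": "PUBLIC",
   "summary": {"content": "The Eclipse Jetty Server Artifact has a Gzip request memory leak ",
               "source": "https://api.github.com/advisories?cve_id=CVE-2026-1605"},
   "cvss": 7.5, "live_link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1605"},
  {"id": "CVE-2024-2212", "project": "example.project", "summary": null, "cvss": null,
   "live_link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2212"},
  {"id": "CVE-0000-0000", "project": "example.project", "cvss": "5.0"}
]""")


def parse_advisory(entry: dict[str, Any]) -> dict[str, Any]:
    """Normalise one API entry into the handful of fields worth keeping."""
    # `or {}` covers both a missing "summary" key and an explicit null value;
    # entry.get("summary", {}) would still return None for the null case and
    # the following .get("content") would raise AttributeError.
    summary = entry.get("summary") or {}
    # Link fields may be absent, empty strings or real URLs; keep only real URLs.
    references = [
        url for url in (entry.get("live_link"), entry.get("request_link"),
                        entry.get("cve_pull_request"), summary.get("source"))
        if url
    ]
    cvss = entry.get("cvss")  # bare score only: no vector string, no CVSS version
    return {
        "advisory_id": entry["id"],
        "project": entry.get("project"),
        "summary": (summary.get("content") or "").strip(),
        "references": references,
        "severity": None if cvss in (None, "") else float(cvss),
    }


def parse_advisories(entries: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Parse every entry of the API array; unexpected shapes surface as exceptions."""
    return [parse_advisory(entry) for entry in entries]


if __name__ == "__main__":
    print(json.dumps(parse_advisories(SAMPLE_ENTRIES), indent=2, ensure_ascii=False))
```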