
Jenkins parser #31

Merged (8 commits) on Jun 6, 2023

Conversation

shubhbapna (Contributor)

Fixes #7

Added jenkins advisory parser.

2 notable difficulties:

  • Translating impact to cvss3 score was difficult since for a given impact there might be 2 different cvss3 scores for 2 different advisories. However, on their advisory page they have hyperlinked each impact for each advisory to a cvss3 calculator website. I was able to get the cvss3 vector from that URL and used the cvss library to translate that into a score.
  • Getting the information for the affected plugins was also difficult. For each advisory, they mention the affected plugins in multiple formats. However, they only mention the fixed version of these plugins in the description of each advisory or together for all advisories in a list called Fix at the bottom of the page. I chose to extract the fixed version from this list instead of the description since there is no consistent format for the description. The problem with this is that the plugin name in this list differs from the plugin name in the affected-plugins field for each advisory. So for now, if the plugin name in the affected-plugins list does not match, I add it as a warning.

@guitos (Contributor) commented Jun 2, 2023

Hi Shubh,

I was able to test this PR and it's working very well. However, I have a couple of points I would like you to know.

The tests I did were using the usage script[1] with a Jenkins advisory as the URL argument. Let me know if there is a better way to test this. The comments below were based on the parsing result of this advisory[2].

The summary of CVEs should contain a prefix such as 'jenkins' or 'jenkins-plugins' and the name of the plugin. The name of the plugin is available in the 'Affected Plugin:' entry of each CVE. Using CVE-2023-32977 as an example:

Currently the summary is:
"Stored XSS vulnerability in Pipeline: Job Plugin"

A better summary would be:
"jenkins-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin"

Some CVEs are not being parsed; for example, CVE-2023-32979 and CVE-2023-32980 are present in the advisory but not in the parser output.

Let me know if I can help you with anything else.

[1]. https://github.com/RedHatProductSecurity/advisory-parser/blob/master/usage.py#L9
[2]. https://www.jenkins.io/security/advisory/2023-05-16/

@shubhbapna (Contributor, Author)

Hi @guitos, thanks for the review!

I have fixed the missing CVE cases. It was because Jenkins published advisories with the same security id and differentiated them by adding a number at the end. For example: "SECURITY-3088 (1)", "SECURITY-3088 (2)".

For the prefix part, I have added the prefix "jenkins-plugin". I didn't add the affected plugin yet because there are some advisories which have multiple affected plugins - https://www.jenkins.io/security/advisory/2023-04-12/#SECURITY-3075

In this case would you like the summary to be something like this:
"jenkins-plugin: kubernetes, azure-keyvault, thycotic-devops-secrets-vault: Improper masking of credentials in multiple plugins"

Let me know and I will accordingly implement the summary prefix.

@guitos (Contributor) commented Jun 5, 2023

Hi,

Thanks for the update.

> For the prefix part, I have added the prefix "jenkins-plugin". I didn't add the affected plugin yet because there are some advisories which have multiple affected plugins - https://www.jenkins.io/security/advisory/2023-04-12/#SECURITY-3075
>
> In this case would you like the summary to be something like this: "jenkins-plugin: kubernetes, azure-keyvault, thycotic-devops-secrets-vault: Improper masking of credentials in multiple plugins"
>
> Let me know and I will accordingly implement the summary prefix.

I think it will be good to have all the affected plugins in the summary, like the example you provided.

@shubhbapna (Contributor, Author)

@guitos done!

@mprpic mprpic merged commit f0f4623 into RedHatProductSecurity:master Jun 6, 2023
5 checks passed
Successfully merging this pull request may close these issues.

Add Jenkins advisories parser
3 participants