Teeny weeny fixes

Fixes are in accordance with the final review for this PR done at :
#525 (review)

Signed-off-by: Hritik Vijay <hritikxx8@gmail.com>
Co-authored-by: Philippe Ombredanne <pombredanne@gmail.com>

vulnerabilities/data_source.py

@@ -158,7 +158,6 @@ def merge(cls, affected_packages: Iterable):
                 fixed_versions.add(pkg.fixed_version)
             purls.add(pkg.package)
         if len(purls) > 1:
-            print(affected_packages)
             raise TypeError("Cannot merge with different purls", purls)
         return purls.pop(), affected_version_ranges, fixed_versions
 

vulnerabilities/importers/nginx.py

@@ -58,7 +58,7 @@ class NginxDataSourceConfiguration(DataSourceConfiguration):
 class NginxDataSource(DataSource):
     CONFIG_CLASS = NginxDataSourceConfiguration
 
-    url = "http://nginx.org/en/security_advisories.html"
+    url = "https://nginx.org/en/security_advisories.html"
 
     def advisory_data(self) -> Iterable[AdvisoryData]:
         data = requests.get(self.url).content
@@ -239,7 +239,7 @@ def set_api(self):
         while self.version_api.cache["nginx/nginx"]:
             version = self.version_api.cache["nginx/nginx"].pop()
             normalized_version = Version(
-                version.value.replace("release-", ""), version.release_date
+                value=version.value.replace("release-", ""), release_date=version.release_date
             )
             normalized_versions.add(normalized_version)
         self.version_api.cache["nginx/nginx"] = normalized_versions

vulnerabilities/improve_runner.py

@@ -16,7 +16,8 @@
 
 
 class ImproveRunner:
-    """ImproveRunner is responsible for populating the database with any
+    """
+    ImproveRunner is responsible for populating the database with any
     consumable data. It does so in its ``run`` method by invoking the given
     improver and parsing the returned Inferences into proper database fields
     """
@@ -102,14 +103,14 @@ def process_inferences(inferences: List[Inference], advisory: Advisory, improver
 def _get_or_create_package(p: PackageURL) -> Tuple[models.Package, bool]:
     query_kwargs = {}
     # TODO: this should be revisited as this should best be a model or manager method... and possibly streamlined
-    for key, val in p.to_dict().items():
-        if not val:
-            if key == "qualifiers":
-                query_kwargs[key] = {}
-            else:
-                query_kwargs[key] = ""
-        else:
-            query_kwargs[key] = val
+    query_kwargs = dict(
+        type=p.type or "",
+        namespace=p.namespace or "",
+        name=p.name or "",
+        version=p.version or "",
+        qualifiers=p.qualifiers or {},
+        subpath=p.subpath or "",
+    )
 
     return models.Package.objects.get_or_create(**query_kwargs)
 

vulnerabilities/improvers/__init__.py

@@ -1,5 +1,5 @@
-from . import default
-from .. import importers
+from vulnerabilities.improvers import default
+from vulnerabilities import importers
 
 IMPROVER_REGISTRY = [default.DefaultImprover, importers.nginx.NginxBasicImprover]
 

vulnerabilities/improvers/default.py

@@ -40,7 +40,7 @@ def get_inferences(self, advisory_data: AdvisoryData) -> Iterable[Inference]:
 
 def get_exact_purls(affected_package: AffectedPackage) -> (List[PackageURL], PackageURL):
     """
-    Return purls for fixed and affected packages contained in the given
+    Return a list of affected purls and the fixed package found in the ``affected_package``
     AffectedPackage disregarding any ranges.
 
     Only exact version constraints (ie with an equality) are considered
@@ -52,18 +52,26 @@ def get_exact_purls(affected_package: AffectedPackage) -> (List[PackageURL], Pac
     ...     "affected_version_range": vers,
     ...     "fixed_version": "5.0.0"
     ... })
-    >>> get_exact_purls(affected_package)
-    ([PackageURL(type='turtle', namespace=None, name='green', version='2.0.0', qualifiers={}, subpath=None)], PackageURL(type='turtle', namespace=None, name='green', version='5.0.0', qualifiers={}, subpath=None))
+    >>> got = get_exact_purls(affected_package)
+    >>> expected = (
+    ...     [PackageURL(type='turtle', namespace=None, name='green', version='2.0.0', qualifiers={}, subpath=None)],
+    ...      PackageURL(type='turtle', namespace=None, name='green', version='5.0.0', qualifiers={}, subpath=None)
+    ... )
+    >>> assert expected == got
     """
-    affected_purls = set()
-    all_constraints = affected_package.affected_version_range.constraints
-    for constraint in all_constraints:
-        if constraint.comparator in ["=", "<=", ">="]:
-            affected_purl = affected_package.package._replace(version=str(constraint.version))
-            affected_purls.add(affected_purl)
-    affected_purls = list(affected_purls)
 
-    fixed_version = affected_package.fixed_version
-    fixed_purl = affected_package.package._replace(version=str(fixed_version))
+    vr = affected_package.affected_version_range
+    # We need ``if c`` below because univers returns None as version
+    # in case of vers:nginx/*
+    # TODO: Revisit after https://github.com/nexB/univers/issues/33
+    range_versions = [c.version for c in vr.constraints if c]
+    resolved_versions = [v for v in range_versions if v and v in vr]
+
+    affected_purls = []
+    for version in resolved_versions:
+        affected_purl = affected_package.package._replace(version=str(version))
+        affected_purls.append(affected_purl)
+
+    fixed_purl = affected_package.get_fixed_purl()
 
     return affected_purls, fixed_purl

vulnerabilities/management/commands/improve.py

@@ -65,10 +65,8 @@ def handle(self, *args, **options):
         self.improve_data(valid_sources(sources))
 
     def list_sources(self):
-        improvers = [
-            f"{improver.__module__}.{improver.__qualname__}" for improver in IMPROVER_REGISTRY
-        ]
-        self.stdout.write("Vulnerability data can be processed by these available improvers:")
+        improvers = [improver.qualified_name() for improver in IMPROVER_REGISTRY]
+        self.stdout.write("Vulnerability data can be processed by these available improvers:\n")
         self.stdout.write("\n".join(improvers))
 
     def improve_data(self, improvers):

vulnerabilities/models.py

@@ -48,8 +48,8 @@
 
 class Vulnerability(models.Model):
     """
-    A software vulnerability with minimal information. Identifiers other than CVE ID are stored as
-    VulnerabilityReference.
+    A software vulnerability with minimal information. Unique identifiers are
+    stored as ``Alias``.
     """
 
     vulnerability_id = models.UUIDField(
@@ -114,7 +114,11 @@ def severities(self):
         return VulnerabilitySeverity.objects.filter(reference=self.id)
 
     class Meta:
-        unique_together = ("vulnerability", "url", "reference_id")
+        unique_together = (
+            "vulnerability",
+            "url",
+            "reference_id",
+        )
 
     def __str__(self):
         reference_id = " {self.reference_id}" if self.reference_id else ""
@@ -229,7 +233,7 @@ def update_or_create(self):
         Create if doesn't exist
         """
         try:
-            existing = self.__class__.objects.get(
+            existing = PackageRelatedVulnerability.objects.get(
                 vulnerability=self.vulnerability, package=self.package
             )
             if self.confidence > existing.confidence:
@@ -244,7 +248,7 @@ def update_or_create(self):
                 )
 
         except self.DoesNotExist:
-            self.__class__.objects.create(
+            PackageRelatedVulnerability.objects.create(
                 vulnerability=self.vulnerability,
                 created_by=self.created_by,
                 package=self.package,