Add fixed version for NPM advisory

Signed-off-by: Tushar Goel <tushar.goel.dav@gmail.com>

vulnerabilities/importers/npm.py

@@ -50,6 +50,7 @@ def advisory_data(self) -> Iterable[AdvisoryData]:
 
     def to_advisory_data(self, file: Path) -> AdvisoryData:
         data = load_json(file)
+        id = data.get("id")
         description = data.get("overview") or ""
         summary = data.get("title") or ""
         date_published = parse(data.get("created_at")).replace(tzinfo=pytz.UTC)
@@ -71,39 +72,76 @@ def to_advisory_data(self, file: Path) -> AdvisoryData:
                     value=cvss_score,
                 )
             )
+
+        advisory_reference = Reference(
+            url=f"https://github.com/nodejs/security-wg/blob/main/vuln/npm/{id}.json",
+            reference_id=id,
+            severities=severities,
+        )
+
         for ref in data.get("references") or []:
             references.append(
                 Reference(
                     url=ref,
                     severities=severities,
                 )
             )
+
+        if advisory_reference not in references:
+            references.append(advisory_reference)
+
         package_name = data.get("module_name")
         affected_packages = []
         if package_name:
-            vulnerable_range = data.get("vulnerable_versions")
-            affected_packages.append(
-                AffectedPackage(
-                    package=PackageURL(
-                        type="npm",
-                        name=package_name,
-                    ),
-                    affected_version_range=NpmVersionRange.from_native(vulnerable_range),
-                    # fixed_version= ??
-                )
-            )
-        for alias in data.get("cves", []):
-            print(AdvisoryData(
-                summary=build_description(summary=summary, description=description),
-                references=references,
-                date_published=date_published,
-                affected_packages=affected_packages,
-                aliases=[alias],
-            ))
+            affected_packages.append(self.get_affected_package(data, package_name))
+        advsisory_aliases = data.get("cves") or []
+        advsisory_aliases.append(f"NPM-{id}")
+        for alias in advsisory_aliases:
             yield AdvisoryData(
                 summary=build_description(summary=summary, description=description),
                 references=references,
                 date_published=date_published,
                 affected_packages=affected_packages,
                 aliases=[alias],
             )
+
+    def get_affected_package(self, data, package_name):
+        vulnerable_range = data.get("vulnerable_versions") or ""
+
+        # https://github.com/nodejs/security-wg/blob/main/vuln/npm/213.json#L14
+        if vulnerable_range == "<=99.999.99999":
+            vulnerable_range = "*"
+
+        affected_version_range = (
+            NpmVersionRange.from_native(vulnerable_range) if vulnerable_range else None
+        )
+
+        if vulnerable_range == "*":
+            return AffectedPackage(
+                package=PackageURL(
+                    type="npm",
+                    name=package_name,
+                ),
+                affected_version_range=affected_version_range,
+            )
+
+        patched_range = data.get("patched_versions") or ""
+
+        unaffected_version_range = (
+            NpmVersionRange.from_native(patched_range) if patched_range else None
+        )
+        fixed_version = None
+
+        if unaffected_version_range and len(unaffected_version_range.constraints) == 1:
+            constraint = unaffected_version_range.constraints[0]
+            if constraint.comparator == ">=":
+                fixed_version = constraint.version
+
+        return AffectedPackage(
+            package=PackageURL(
+                type="npm",
+                name=package_name,
+            ),
+            affected_version_range=affected_version_range,
+            fixed_version=fixed_version,
+        )