Merge pull request #436 from sbs2001/add-patched-pkg

Add patched package
aboutcode-org · Apr 22, 2021 · fd15724 · fd15724
2 parents 525729b + cc5bbb4
commit fd15724
Show file tree

Hide file tree

Showing 67 changed files with 6,605 additions and 9,997 deletions.
diff --git a/requirements.txt b/requirements.txt
@@ -7,7 +7,7 @@ cached-property==1.5.1
 cffi==1.14.0
 contextlib2==0.5.5
 decorator==4.4.2
-univers==21.4.8
+univers==21.4.16.6
 dj-database-url==0.4.2
 Django==3.0.14
 django-filter==2.2.0

diff --git a/vulnerabilities/admin.py b/vulnerabilities/admin.py
@@ -51,7 +51,7 @@ class PackageAdmin(admin.ModelAdmin):
 
 @admin.register(PackageRelatedVulnerability)
 class PackageRelatedVulnerabilityAdmin(admin.ModelAdmin):
-    list_filter = ("is_vulnerable", "package__type", "package__namespace")
+    list_filter = ("package__type", "package__namespace")
     search_fields = ["vulnerability__vulnerability_id", "package__name"]
 
 

diff --git a/vulnerabilities/data_source.py b/vulnerabilities/data_source.py
@@ -20,7 +20,6 @@
 #  VulnerableCode is a free software code scanning tool from nexB Inc. and others.
 #  Visit https://github.com/nexB/vulnerablecode/ for support and download.
 
-import pickle
 import dataclasses
 import logging
 import os
@@ -47,6 +46,8 @@
 from vulnerabilities.oval_parser import OvalParser
 from vulnerabilities.severity_systems import ScoringSystem
 from vulnerabilities.helpers import is_cve
+from vulnerabilities.helpers import nearest_patched_package
+from vulnerabilities.helpers import AffectedPackage
 
 logger = logging.getLogger(__name__)
 
@@ -87,17 +88,14 @@ class Advisory:
 
     summary: str
     vulnerability_id: Optional[str] = None
-    impacted_package_urls: Iterable[PackageURL] = dataclasses.field(default_factory=list)
-    resolved_package_urls: Iterable[PackageURL] = dataclasses.field(default_factory=list)
+    affected_packages: List[AffectedPackage] = dataclasses.field(default_factory=list)
     references: List[Reference] = dataclasses.field(default_factory=list)
 
     def __post_init__(self):
         if self.vulnerability_id and not is_cve(self.vulnerability_id):
             raise ValueError("CVE expected, found: {}".format(self.vulnerability_id))
 
     def normalized(self):
-        impacted_package_urls = {package_url for package_url in self.impacted_package_urls}
-        resolved_package_urls = {package_url for package_url in self.resolved_package_urls}
         references = sorted(
             self.references, key=lambda reference: (reference.reference_id, reference.url)
         )
@@ -107,8 +105,7 @@ def normalized(self):
         return Advisory(
             summary=self.summary,
             vulnerability_id=self.vulnerability_id,
-            impacted_package_urls=impacted_package_urls,
-            resolved_package_urls=resolved_package_urls,
+            affected_packages=sorted(self.affected_packages),
             references=references,
         )
 
@@ -531,9 +528,8 @@ def get_data_from_xml_doc(self, xml_doc: ET.ElementTree, pkg_metadata={}) -> Lis
             # connected/linked to an OvalDefinition
             vuln_id = definition_data["vuln_id"]
             description = definition_data["description"]
-            affected_purls = set()
-            safe_purls = set()
             references = [Reference(url=url) for url in definition_data["reference_urls"]]
+            affected_packages = []
             for test_data in definition_data["test_data"]:
                 for package_name in test_data["package_list"]:
                     if package_name and len(package_name) >= 50:
@@ -552,35 +548,31 @@ def get_data_from_xml_doc(self, xml_doc: ET.ElementTree, pkg_metadata={}) -> Lis
                     # FIXME: we should not drop data this way
                     # This filter is for filtering out long versions.
                     # 50 is limit because that's what db permits atm.
-                    all_versions = set(filter(lambda x: len(x) < 50, all_versions))
+                    all_versions = [version for version in all_versions if len(version) < 50]
                     if not all_versions:
                         continue
-                    affected_versions = set(
-                        filter(lambda x: version_class(x) in affected_version_range, all_versions)
-                    )
-                    safe_versions = all_versions - affected_versions
 
-                    for version in affected_versions:
+                    affected_purls = []
+                    safe_purls = []
+                    for version in all_versions:
                         purl = self.create_purl(
                             pkg_name=package_name,
                             pkg_version=version,
                             pkg_data=pkg_metadata,
                         )
-                        affected_purls.add(purl)
+                        if version_class(version) in affected_version_range:
+                            affected_purls.append(purl)
+                        else:
+                            safe_purls.append(purl)
 
-                    for version in safe_versions:
-                        purl = self.create_purl(
-                            pkg_name=package_name,
-                            pkg_version=version,
-                            pkg_data=pkg_metadata,
-                        )
-                        safe_purls.add(purl)
+                    affected_packages.extend(
+                        nearest_patched_package(affected_purls, safe_purls),
+                    )
 
             all_adv.append(
                 Advisory(
                     summary=description,
-                    impacted_package_urls=affected_purls,
-                    resolved_package_urls=safe_purls,
+                    affected_packages=affected_packages,
                     vulnerability_id=vuln_id,
                     references=references,
                 )

diff --git a/vulnerabilities/fixtures/debian.json b/vulnerabilities/fixtures/debian.json
@@ -1,110 +1,89 @@
 [
-{
-  "model": "vulnerabilities.vulnerability",
-  "pk": 1,
-  "fields": {
-    "vulnerability_id": "CVE-2014-8242",
-    "summary": ""
-
+  {
+    "model": "vulnerabilities.vulnerability",
+    "pk": 1,
+    "fields": {
+      "vulnerability_id": "CVE-2014-8242",
+      "old_vulnerability_id": null,
+      "summary": ""
+    }
+  },
+  {
+    "model": "vulnerabilities.vulnerability",
+    "pk": 2,
+    "fields": {
+      "vulnerability_id": "CVE-2009-1382",
+      "old_vulnerability_id": null,
+      "summary": ""
+    }
+  },
+  {
+    "model": "vulnerabilities.vulnerability",
+    "pk": 3,
+    "fields": {
+      "vulnerability_id": "CVE-2009-2459",
+      "old_vulnerability_id": null,
+      "summary": ""
+    }
+  },
+  {
+    "model": "vulnerabilities.package",
+    "pk": 1,
+    "fields": {
+      "type": "deb",
+      "namespace": "debian",
+      "name": "librsync",
+      "version": "0.9.7-10",
+      "subpath": "",
+      "qualifiers": {
+        "distro": "jessie"
+      }
+    }
+  },
+  {
+    "model": "vulnerabilities.package",
+    "pk": 2,
+    "fields": {
+      "type": "deb",
+      "namespace": "debian",
+      "name": "mimetex",
+      "version": "1.74-1",
+      "subpath": "",
+      "qualifiers": {
+        "distro": "jessie"
+      }
+    }
+  },
+  {
+    "model": "vulnerabilities.package",
+    "pk": 3,
+    "fields": {
+      "type": "deb",
+      "namespace": "debian",
+      "name": "mimetex",
+      "version": "1.50-1.1",
+      "subpath": "",
+      "qualifiers": {
+        "distro": "jessie"
+      }
+    }
+  },
+  {
+    "model": "vulnerabilities.packagerelatedvulnerability",
+    "pk": 1,
+    "fields": {
+      "package": 1,
+      "vulnerability": 1,
+      "patched_package": null
+    }
+  },
+  {
+    "model": "vulnerabilities.packagerelatedvulnerability",
+    "pk": 4,
+    "fields": {
+      "package": 3,
+      "vulnerability": 3,
+      "patched_package": 2
+    }
   }
-},
-{
-  "model": "vulnerabilities.vulnerability",
-  "pk": 2,
-  "fields": {
-    "vulnerability_id": "CVE-2009-1382",
-    "summary": ""
-
-  }
-},
-{
-  "model": "vulnerabilities.vulnerability",
-  "pk": 3,
-  "fields": {
-    "vulnerability_id": "CVE-2009-2459",
-    "summary": ""
-
-  }
-},
-{
-  "model": "vulnerabilities.package",
-  "pk": 1,
-  "fields": {
-    "type": "deb",
-    "namespace": "debian",
-    "name": "librsync",
-    "version": "0.9.7-10",
-    "qualifiers": {"distro":"jessie"},
-    "subpath": ""
-  }
-},
-{
-  "model": "vulnerabilities.package",
-  "pk": 2,
-  "fields": {
-    "type": "deb",
-    "namespace": "debian",
-    "name": "mimetex",
-    "version": "1.74-1",
-    "qualifiers": {"distro":"jessie"},
-    "subpath": ""
-  }
-},
-{
-  "model": "vulnerabilities.package",
-  "pk": 3,
-  "fields": {
-    "type": "deb",
-    "namespace": "debian",
-    "name": "mimetex",
-    "version": "1.50-1.1",
-    "qualifiers": {"distro":"jessie"},
-    "subpath": ""
-  }
-},
-{
-  "model": "vulnerabilities.packagerelatedvulnerability",
-  "pk": 1,
-  "fields": {
-    "vulnerability": 1,
-    "package": 1,
-    "is_vulnerable": true
-  }
-},
-{
-  "model": "vulnerabilities.packagerelatedvulnerability",
-  "pk": 10,
-  "fields": {
-    "vulnerability": 2,
-    "package": 2,
-    "is_vulnerable": false
-  }
-},
-{
-  "model": "vulnerabilities.packagerelatedvulnerability",
-  "pk": 2,
-  "fields": {
-    "vulnerability": 2,
-    "package": 3,
-    "is_vulnerable": false
-  }
-},
-{
-  "model": "vulnerabilities.packagerelatedvulnerability",
-  "pk": 3,
-  "fields": {
-    "vulnerability": 3,
-    "package": 2,
-    "is_vulnerable": false
-  }
-},
-{
-  "model": "vulnerabilities.packagerelatedvulnerability",
-  "pk": 4,
-  "fields": {
-    "vulnerability": 3,
-    "package": 3,
-    "is_vulnerable": false
-  }
-}
-]
+]
diff --git a/vulnerabilities/fixtures/github.json b/vulnerabilities/fixtures/github.json
@@ -74,22 +74,13 @@
             "qualifiers": {}
         }
     },
-    {
-        "model": "vulnerabilities.packagerelatedvulnerability",
-        "pk": 3844,
-        "fields": {
-            "package": 3469,
-            "vulnerability": 60,
-            "is_vulnerable": false
-        }
-    },
     {
         "model": "vulnerabilities.packagerelatedvulnerability",
         "pk": 3845,
         "fields": {
             "package": 3467,
             "vulnerability": 60,
-            "is_vulnerable": true
+            "patched_package": 3469
         }
     },
     {
@@ -98,7 +89,7 @@
         "fields": {
             "package": 3468,
             "vulnerability": 60,
-            "is_vulnerable": true
+            "patched_package": 3469
         }
     },
     {