Add patched package #436
Add patched package #436
Conversation
sbs2001
force-pushed
the
add-patched-pkg
branch
4 times, most recently
from
c342565
to
25c6972
Compare
|
|
||
| # FIXME: The fixture code is duplicated. setUpClass is not working with the pytest mark. | ||
| @pytest.mark.django_db | ||
| class TestPackageRelatedVulnerablity(TestCase): |
There was a problem hiding this comment.
@tdruez these are the tests
vulnerabilities/data_source.py
Outdated
| @@ -87,17 +88,16 @@ class Advisory: | |||
|
|
|||
| summary: str | |||
| vulnerability_id: Optional[str] = None | |||
| impacted_package_urls: Iterable[PackageURL] = dataclasses.field(default_factory=list) | |||
| resolved_package_urls: Iterable[PackageURL] = dataclasses.field(default_factory=list) | |||
| affected_packages_with_patched_package: List[ | |||
There was a problem hiding this comment.
Could you survey the words use to depict affected/patched in other tools?
- kaybee/vulas
- dependencycheck and dependency track (and OWASP)
- in general all the data source we use
...
with these listed here we can make a good pick together!
There was a problem hiding this comment.
The general renaming should be tracked in a separate ticket IMHO, not here.
Beyond this, what about affected_packages or just impacted_packages?
vulnerabilities/helpers.py
Outdated
|
|
||
|
|
||
| @dataclasses.dataclass(order=True, frozen=True) | ||
| class AffectedPackageWithPatchedPackage: |
There was a problem hiding this comment.
This will be moved somewhere else in another PR
There was a problem hiding this comment.
Use AffectedPackageWithPatch
There was a problem hiding this comment.
Or just AffectedPackage ?
vulnerabilities/helpers.py
Outdated
| """ | ||
| Return True if the input 'string' contains any alphabet | ||
| """ | ||
| def nearest_patched_package(vulnerable_packages, resolved_packages): |
There was a problem hiding this comment.
This is where the magic happens, again it has poor naming. Help.
There was a problem hiding this comment.
we will fix that in a separate ticket.
| @@ -51,7 +51,7 @@ class PackageAdmin(admin.ModelAdmin): | |||
|
|
|||
| @admin.register(PackageRelatedVulnerability) | |||
| class PackageRelatedVulnerabilityAdmin(admin.ModelAdmin): | |||
| list_filter = ("is_vulnerable", "package__type", "package__namespace") | |||
| list_filter = ("package__type", "package__namespace") | |||
There was a problem hiding this comment.
Is there anything that could replace is_vulnerable?
There was a problem hiding this comment.
that should be patched_package adding it.
vulnerabilities/data_source.py
Outdated
| @@ -87,17 +88,16 @@ class Advisory: | |||
|
|
|||
| summary: str | |||
| vulnerability_id: Optional[str] = None | |||
| impacted_package_urls: Iterable[PackageURL] = dataclasses.field(default_factory=list) | |||
| resolved_package_urls: Iterable[PackageURL] = dataclasses.field(default_factory=list) | |||
| affected_packages_with_patched_package: List[ | |||
There was a problem hiding this comment.
Could you survey the words use to depict affected/patched in other tools?
- kaybee/vulas
- dependencycheck and dependency track (and OWASP)
- in general all the data source we use
...
with these listed here we can make a good pick together!
| is_cve = re.compile(r"CVE-\d{4}-\d{4,7}", re.IGNORECASE).match | ||
| def contains_alpha(string): | ||
| """ | ||
| Return True if the input 'string' contains any alphabet |
There was a problem hiding this comment.
| Return True if the input 'string' contains any alphabet | |
| Return True if the input 'string' contains any alphanumeric character``` |
vulnerabilities/helpers.py
Outdated
| Return True if the input 'string' contains any alphabet | ||
| """ | ||
| def nearest_patched_package(vulnerable_packages, resolved_packages): | ||
| # This class is used to get around bisect module's lack of supplying custom |
There was a problem hiding this comment.
This should be a docstring
| ) | ||
|
|
||
| resolved_package_count = len(resolved_packages) | ||
| affected_package_with_patched_package_objects = [] |
There was a problem hiding this comment.
Why the _objects suffix?
| affected_package_with_patched_package_objects = [] | |
| affected_package_with_patched_packages = [] |
There was a problem hiding this comment.
I'm aware of the principle of not specifying the type. The problem here is this list contains instances of AffectedPackageWithPatchedPackage . I don't know how to pluralise that,
affected_package_with_patched_packages -> is it one one affected package with multiple patched packages
affected_packages_with_patched_package -> vice versa
This is a mess :(
There was a problem hiding this comment.
Based on other review, affected_package would be a better name for now.
| "data_source": "SUSEBackportsDataSource", | ||
| "data_source_cfg": {"url": "http://ftp.suse.com/pub/projects/security/yaml/", "etags": {}}, | ||
| }, | ||
| # { |
There was a problem hiding this comment.
Why is this disabled?
There was a problem hiding this comment.
We probably want to get rid of that importer, since it only contains (vulnerability, fixed/backported package)
|
@pombredanne here's a high level overview: This PR removes the notion of On a lower level, this required :
a. Sort both the lists , ie the packages are now in ascending order wrt their versions. c. If there exists such a package in (b) we bind this safe package with |
sbs2001
force-pushed
the
add-patched-pkg
branch
2 times, most recently
from
39fe25b
to
efeea4f
Compare
vulnerabilities/data_source.py
Outdated
| @@ -87,17 +88,16 @@ class Advisory: | |||
|
|
|||
| summary: str | |||
| vulnerability_id: Optional[str] = None | |||
| impacted_package_urls: Iterable[PackageURL] = dataclasses.field(default_factory=list) | |||
| resolved_package_urls: Iterable[PackageURL] = dataclasses.field(default_factory=list) | |||
| affected_packages_with_patched_package: List[ | |||
There was a problem hiding this comment.
The general renaming should be tracked in a separate ticket IMHO, not here.
Beyond this, what about affected_packages or just impacted_packages?
vulnerabilities/helpers.py
Outdated
|
|
||
|
|
||
| @dataclasses.dataclass(order=True, frozen=True) | ||
| class AffectedPackageWithPatchedPackage: |
There was a problem hiding this comment.
Or just AffectedPackage ?
| @dataclasses.dataclass(order=True, frozen=True) | ||
| class AffectedPackageWithPatchedPackage: | ||
| vulnerable_package: PackageURL | ||
| patched_package: Optional[PackageURL] = None |
There was a problem hiding this comment.
What about:
| patched_package: Optional[PackageURL] = None | |
| patched_version: Optional[str] = None |
vulnerabilities/helpers.py
Outdated
| """ | ||
| Return True if the input 'string' contains any alphabet | ||
| """ | ||
| def nearest_patched_package(vulnerable_packages, resolved_packages): |
There was a problem hiding this comment.
we will fix that in a separate ticket.
| # This class is used to get around bisect module's lack of supplying custom | ||
| # compartor. Get rid of this once we use python 3.10 which supports this. | ||
| # See https://github.com/python/cpython/pull/20556 | ||
| class PackageURLWithVersionComparator: |
There was a problem hiding this comment.
Are you missing a @total_ordering there?
Also you should mention this is only to compare packages of the same type OR you could implement comparison and sorting across types.
There was a problem hiding this comment.
You may want to check that the type/ns/name are the same too
| ) | ||
|
|
||
| resolved_package_count = len(resolved_packages) | ||
| affected_package_with_patched_package_objects = [] |
There was a problem hiding this comment.
Based on other review, affected_package would be a better name for now.
Notes about migrations : - Remove the is_vulnerable flag from PackageRelatedVulnerability model - Add the patched_package fk in PackageRelatedVulnerability model - Add data migrations to populate the patched_package Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
…stances Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
sbs2001
force-pushed
the
add-patched-pkg
branch
from
ff833e4
to
cc5bbb4
Compare
Fixes #375
I've done a terrible job at naming things here(see review comments), need help there.
We would want to move all the intermediate data structures to one place. That will be done in another PR.
See high level overview at #436 (comment)