Properly handle 'github' fixed version specifiers. Fixes #61.

twu · Aug 9, 2021 · 2f14e07 · 2f14e07
1 parent bb16392
commit 2f14e07
Show file tree

Hide file tree

Showing 2 changed files with 61 additions and 3 deletions.
diff --git a/src/skjold/sources/github.py b/src/skjold/sources/github.py
@@ -58,9 +58,19 @@ def first_patched_version(self) -> str:
 
     @property
     def vulnerable_version_range(self) -> specifiers.SpecifierSet:
-        return specifiers.SpecifierSet(
-            self._json["node"]["vulnerableVersionRange"], prereleases=True
-        )
+        items = self._json["node"]["vulnerableVersionRange"].split(",")
+        if len(items) > 2:
+            raise ValueError(f"Found more than 2 version specifiers!")
+
+        vulnerable_ranges = []
+        for value in items:
+            value = value.strip()
+            if value.startswith("= "):
+                vulnerable_ranges.append(value.replace("= ", "=="))
+            else:
+                vulnerable_ranges.append(value)
+
+        return specifiers.SpecifierSet(",".join(vulnerable_ranges), prereleases=True)
 
     @property
     def vulnerable_versions(self) -> str:

diff --git a/tests/test_github.py b/tests/test_github.py
@@ -26,6 +26,54 @@ def github_advisory() -> Dict[str, Union[str, Dict]]:
     }
 
 
+@pytest.mark.parametrize(
+    "vulnerable_version_range, package_version, is_vulnerable",
+    [
+        (" = 1.4.2", "1.4.2", True),
+        ("= 1.4.2", "1.4.2", True),
+        ("==1.4.2", "1.4.2", True),
+        ("== 1.4.2", "1.4.2", True),
+        (" == 1.4.2", "1.4.2", True),
+        ("< 8.2.0", "8.1.99", True),
+        (" >= 4.0, < 4.3", "4.0", True),
+        (">= 5.0.0, < 5.2.1", "5.2.0", True),
+        (">=5.0.0,<5.2.1", "5.2.0", True),
+        (">= 5.0.0, < 5.2.1", "5.0", True),
+        (">= 4.0, < 4.3", "4.3", False),
+        ("= 1.4.2", "1.4.3", False),
+        ("= 1.4.2", "1.4.3", False),
+        ("< 8.2.0", "8.2.0", False),
+    ],
+)
+def test_ensure_is_affected_with_github_specifiers(
+    vulnerable_version_range: str, package_version: str, is_vulnerable: bool
+) -> None:
+    obj = GithubSecurityAdvisory.using(
+        {
+            "node": {
+                "vulnerableVersionRange": vulnerable_version_range,
+            },
+        }
+    )
+
+    assert len(obj.vulnerable_version_range) > 0
+    assert (
+        obj.is_affected(package_version) is is_vulnerable
+    ), f"'{package_version}' should be vulnerable given '{vulnerable_version_range}'!"
+
+
+def test_ensure_raises_when_encountering_too_many_specifiers() -> None:
+    obj = GithubSecurityAdvisory.using(
+        {
+            "node": {
+                "vulnerableVersionRange": "<1.0, = 2.0, >= 3.0",
+            },
+        }
+    )
+    with pytest.raises(ValueError):
+        obj.is_affected("2.0")
+
+
 def test_ensure_using_build_obj(github_advisory: Dict) -> None:
     obj = GithubSecurityAdvisory.using(github_advisory)