From 10d69775c1807d2cf44612a39340b4621a79cc62 Mon Sep 17 00:00:00 2001
From: Tushar Goel
Date: Sat, 21 May 2022 18:13:28 +0530
Subject: [PATCH] Add firstPatchedVersion in github API
Signed-off-by: Tushar Goel
---
 vulnerabilities/importers/github.py | 30 +++++++++++--------
 .../github_api/composer-expected.json | 2 +-
 .../tests/test_data/github_api/composer.json | 3 ++
 .../test_data/github_api/gem-expected.json | 2 +-
 .../tests/test_data/github_api/gem.json | 3 ++
 .../test_data/github_api/golang-expected.json | 2 +-
 .../tests/test_data/github_api/golang.json | 3 ++
 .../test_data/github_api/maven-expected.json | 2 +-
 .../tests/test_data/github_api/maven.json | 3 ++
 .../test_data/github_api/nuget-expected.json | 2 +-
 .../tests/test_data/github_api/nuget.json | 3 ++
 .../test_data/github_api/pypi-expected.json | 2 +-
 .../tests/test_data/github_api/pypi.json | 3 ++
 vulnerabilities/utils.py | 4 +--
 14 files changed, 43 insertions(+), 21 deletions(-)
diff --git a/vulnerabilities/importers/github.py b/vulnerabilities/importers/github.py
index 5cd72146b..c755c7fb0 100644
--- a/vulnerabilities/importers/github.py
+++ b/vulnerabilities/importers/github.py
@@ -30,6 +30,7 @@
 from dateutil import parser as dateparser
 from django.db.models.query import QuerySet
 from packageurl import PackageURL
+from univers.version_range import RANGE_CLASS_BY_SCHEMES
 from univers.version_range import build_range_from_github_advisory_constraint
 from vulnerabilities import severity_systems
@@ -153,6 +154,9 @@
 severity
 publishedAt
 }
+ firstPatchedVersion{
+ identifier
+ }
 package {
 name
 }
@@ -236,7 +240,6 @@ def process_response(resp: dict, package_type: str) -> Iterable[AdvisoryData]:
 return
 for vulnerability in vulnerabilities:
- affected_packages = []
 aliases = set()
 github_advisory = get_item(vulnerability, "node")
 if not github_advisory:
@@ -249,28 +252,29 @@ def process_response(resp: dict, package_type: str) -> Iterable[AdvisoryData]:
 continue
 purl = get_purl(pkg_type=package_type, github_name=name)
- if not purl:
- continue
- vulnerable_range = get_item(github_advisory, "vulnerableVersionRange")
- if not vulnerable_range:
- logger.error(f"No affected range found in {github_advisory!r}")
- continue
-
+ fixed_version = get_item(github_advisory, "firstPatchedVersion", "identifier")
 affected_range = None
 try:
 affected_range = build_range_from_github_advisory_constraint(
 package_type, vulnerable_range
 )
- except InvalidVersionRange:
- logger.error(f"Could not parse affected range {vulnerable_range!r}")
- continue
-
- if affected_range != NotImplementedError:
+ except InvalidVersionRange as e:
+ logger.error(f"Could not parse affected range {vulnerable_range!r} {e!r}")
+ affected_range = None
+ if fixed_version:
+ try:
+ RANGE_CLASS_BY_SCHEMES[package_type].version_class(fixed_version)
+ except Exception as e:
+ logger.error(f"Invalid fixed version {fixed_version!r} {e!r}")
+ fixed_version = None
+ affected_packages = []
+ if purl and (affected_range or fixed_version):
 affected_packages.append(
 AffectedPackage(
 package=purl,
 affected_version_range=affected_range,
+ fixed_version=fixed_version,
 )
 )
diff --git a/vulnerabilities/tests/test_data/github_api/composer-expected.json b/vulnerabilities/tests/test_data/github_api/composer-expected.json
index 4da9122cb..bb33f3d76 100644
--- a/vulnerabilities/tests/test_data/github_api/composer-expected.json
+++ b/vulnerabilities/tests/test_data/github_api/composer-expected.json
@@ -163,7 +163,7 @@
 "subpath": null
 },
 "affected_version_range": "vers:composer/<22.1.0",
- "fixed_version": null
+ "fixed_version": "22.1.0"
 }
 ],
 "references": [
diff --git a/vulnerabilities/tests/test_data/github_api/composer.json b/vulnerabilities/tests/test_data/github_api/composer.json
index 72e6bc701..2079c2d0f 100644
--- a/vulnerabilities/tests/test_data/github_api/composer.json
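Review bot: The unchanged `package_type, vulnerable_range` argument inside the try block still reads `vulnerable_range`, but this hunk removes the only visible assignment of it (`vulnerable_range = get_item(github_advisory, "vulnerableVersionRange")`), so unless the name is bound somewhere above line 252 the first advisory raises NameError. Restoring `vulnerable_range = get_item(github_advisory, "vulnerableVersionRange")` directly above the new `fixed_version` line would fix that; note that with the `if not vulnerable_range` guard also gone, a `None` range now reaches `build_range_from_github_advisory_constraint` with only `InvalidVersionRange` caught. Separately, the result of `version_class(fixed_version)` is discarded, so `AffectedPackage` receives the raw string; if `fixed_version` is meant to carry a parsed version, bind it: `fixed_version = RANGE_CLASS_BY_SCHEMES[package_type].version_class(fixed_version)`. Nothing checks that the fixed version lies outside the affected range (the maven fixture in this commit pairs `9.0.1` with `vers:maven/>=9.0.0|<9.0.31`), which deserves at least a log line since the advisory data is externally sourced. process_response starts and ends outside this hunk.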
+++ b/vulnerabilities/tests/test_data/github_api/composer.json
@@ -150,6 +150,9 @@
 "package": {
 "name": "librenms/librenms"
 },
+ "firstPatchedVersion": {
+ "identifier" :"22.1.0"
+ },
 "vulnerableVersionRange": "< 22.1.0"
 }
 }
diff --git a/vulnerabilities/tests/test_data/github_api/gem-expected.json b/vulnerabilities/tests/test_data/github_api/gem-expected.json
index 07d98054b..d5aee434b 100644
--- a/vulnerabilities/tests/test_data/github_api/gem-expected.json
+++ b/vulnerabilities/tests/test_data/github_api/gem-expected.json
@@ -16,7 +16,7 @@
 "subpath": null
 },
 "affected_version_range": "vers:gem/<=1.3.1",
- "fixed_version": null
+ "fixed_version": "1.3.2"
 }
 ],
 "references": [
diff --git a/vulnerabilities/tests/test_data/github_api/gem.json b/vulnerabilities/tests/test_data/github_api/gem.json
index db91c7eda..4df89cd29 100644
--- a/vulnerabilities/tests/test_data/github_api/gem.json
+++ b/vulnerabilities/tests/test_data/github_api/gem.json
@@ -57,6 +57,9 @@
 "package": {
 "name": "webrick"
 },
+ "firstPatchedVersion": {
+ "identifier" :"1.3.2"
+ },
 "vulnerableVersionRange": "<= 1.3.1"
 }
 },
diff --git a/vulnerabilities/tests/test_data/github_api/golang-expected.json b/vulnerabilities/tests/test_data/github_api/golang-expected.json
index a06494b32..f4bbfd396 100644
--- a/vulnerabilities/tests/test_data/github_api/golang-expected.json
+++ b/vulnerabilities/tests/test_data/github_api/golang-expected.json
@@ -16,7 +16,7 @@
 "subpath": null
 },
 "affected_version_range": "vers:golang/<1.3.3",
- "fixed_version": null
+ "fixed_version": "1.3.3"
 }
 ],
 "references": [
diff --git a/vulnerabilities/tests/test_data/github_api/golang.json b/vulnerabilities/tests/test_data/github_api/golang.json
index 03d9005d1..21e53268e 100644
--- a/vulnerabilities/tests/test_data/github_api/golang.json
+++ b/vulnerabilities/tests/test_data/github_api/golang.json
@@ -45,6 +45,9 @@
 "package": {
 "name": "github.com/moby/moby"
 },
+ "firstPatchedVersion": {
+ "identifier" :"1.3.3"
+ },
 "vulnerableVersionRange": "< 1.3.3"
 }
 },
diff --git a/vulnerabilities/tests/test_data/github_api/maven-expected.json b/vulnerabilities/tests/test_data/github_api/maven-expected.json
index 2ad169b4f..ca45ae433 100644
--- a/vulnerabilities/tests/test_data/github_api/maven-expected.json
+++ b/vulnerabilities/tests/test_data/github_api/maven-expected.json
@@ -152,7 +152,7 @@
 "subpath": null
 },
 "affected_version_range": "vers:maven/>=9.0.0|<9.0.31",
- "fixed_version": null
+ "fixed_version": "9.0.1"
 }
 ],
 "references": [
diff --git a/vulnerabilities/tests/test_data/github_api/maven.json b/vulnerabilities/tests/test_data/github_api/maven.json
index 147962df4..13e1621a4 100644
--- a/vulnerabilities/tests/test_data/github_api/maven.json
+++ b/vulnerabilities/tests/test_data/github_api/maven.json
@@ -139,6 +139,9 @@
 "package": {
 "name": "org.apache.tomcat.embed:tomcat-embed-core"
 },
+ "firstPatchedVersion": {
+ "identifier" :"9.0.1"
+ },
 "vulnerableVersionRange": ">= 9.0.0, < 9.0.31"
 }
 }
diff --git a/vulnerabilities/tests/test_data/github_api/nuget-expected.json b/vulnerabilities/tests/test_data/github_api/nuget-expected.json
index d88a02235..fa3df350a 100644
--- a/vulnerabilities/tests/test_data/github_api/nuget-expected.json
+++ b/vulnerabilities/tests/test_data/github_api/nuget-expected.json
@@ -16,7 +16,7 @@
 "subpath": null
 },
 "affected_version_range": "vers:nuget/<=4.5.1-alpha001",
- "fixed_version": null
+ "fixed_version": "4.5.1"
 }
 ],
 "references": [
diff --git a/vulnerabilities/tests/test_data/github_api/nuget.json b/vulnerabilities/tests/test_data/github_api/nuget.json
index 4d5d60354..09ba73c54 100644
--- a/vulnerabilities/tests/test_data/github_api/nuget.json
+++ b/vulnerabilities/tests/test_data/github_api/nuget.json
@@ -33,6 +33,9 @@
 "package": {
 "name": "RazorEngine"
 },
+ "firstPatchedVersion": {
+ "identifier" :"4.5.1"
+ },
 "vulnerableVersionRange": "<= 4.5.1-alpha001"
 }
 },
diff --git a/vulnerabilities/tests/test_data/github_api/pypi-expected.json b/vulnerabilities/tests/test_data/github_api/pypi-expected.json
index 5f37bf59a..6469325eb 100644
--- a/vulnerabilities/tests/test_data/github_api/pypi-expected.json
+++ b/vulnerabilities/tests/test_data/github_api/pypi-expected.json
@@ -15,7 +15,7 @@
 "subpath": null
 },
 "affected_version_range": "vers:pypi/<9.0.0",
- "fixed_version": null
+ "fixed_version": "9.0.0"
 }
 ],
 "references": [
diff --git a/vulnerabilities/tests/test_data/github_api/pypi.json b/vulnerabilities/tests/test_data/github_api/pypi.json
index 2f63948e2..eb4e0b4e0 100644
--- a/vulnerabilities/tests/test_data/github_api/pypi.json
+++ b/vulnerabilities/tests/test_data/github_api/pypi.json
@@ -29,6 +29,9 @@
 "package": {
 "name": "Pillow"
 },
+ "firstPatchedVersion": {
+ "identifier" :"9.0.0"
+ },
 "vulnerableVersionRange": "< 9.0.0"
 }
 },
diff --git a/vulnerabilities/utils.py b/vulnerabilities/utils.py
index dd1b985c2..95e54b9b1 100644
--- a/vulnerabilities/utils.py
+++ b/vulnerabilities/utils.py
@@ -217,9 +217,9 @@ def get_item(dictionary: dict, *attributes):
 'd'
 >>> assert(get_item({'a': {'b': {'c': 'd'}}}, 'a', 'b', 'e')) == None
 """
- if not dictionary:
- return
 for attribute in attributes:
+ if not dictionary:
+ return
 if attribute not in dictionary:
 logger.error(f"Missing attribute {attribute} in {dictionary}")
 return None
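Review bot: The moved guard changes get_item's contract without the docstring saying so: an intermediate value that is `None` or empty now returns `None` silently, whereas a missing key still logs an error, and this silent path is presumably what the github.py hunk's `get_item(github_advisory, "firstPatchedVersion", "identifier")` relies on for advisories without a patched version. A docstring line such as `Return None without logging when an intermediate value is None or empty.` plus a matching doctest would pin that behaviour down. The new guard also covers only falsy values; a truthy non-mapping intermediate (a string from the payload, say) still reaches `attribute not in dictionary`, which either substring-matches or raises TypeError, so `if not isinstance(dictionary, dict): return None` would be the safer check at this spot if that fits the helper's intent. The remainder of get_item's body is outside the hunk.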