Add gitlab importer and use NginxVersion instead of SemverVersion in …

…Nginx importer and improver Signed-off-by: Tushar Goel <[email protected]>
aboutcode-org · May 13, 2022 · 2b393d8 · 2b393d8
1 parent 9548943
commit 2b393d8
Show file tree

Hide file tree

Showing 7 changed files with 80 additions and 16 deletions.
diff --git a/requirements.txt b/requirements.txt
@@ -107,7 +107,7 @@ toml==0.10.2
 tomli==2.0.1
 traitlets==5.1.1
 typing_extensions==4.1.1
-univers==30.6.0
+univers==30.7.0
 urllib3==1.26.9
 wcwidth==0.2.5
 websocket-client==0.59.0

diff --git a/vulnerabilities/importers/gitlab.py b/vulnerabilities/importers/gitlab.py
@@ -35,8 +35,8 @@
 from fetchcode.vcs import fetch_via_vcs
 from packageurl import PackageURL
 from univers.version_range import RANGE_CLASS_BY_SCHEMES
-from univers.version_range import GitLabVersionRange
 from univers.version_range import VersionRange
+from univers.version_range import from_gitlab_native
 from univers.versions import Version
 
 from vulnerabilities.helpers import AffectedPackage as LegacyAffectedPackage
@@ -58,7 +58,7 @@
 logger = logging.getLogger(__name__)
 
 
-PURL_TYPE_BY_ECOSYSTEM = {
+PURL_TYPE_BY_GITLAB_SCHEME = {
     "gem": "gem",
     "go": "golang",
     "maven": "maven",
@@ -69,6 +69,9 @@
 }
 
 
+GITLAB_SCHEME_BY_PURL_TYPE = {v: k for k, v in PURL_TYPE_BY_GITLAB_SCHEME.items()}
+
+
 def fork_and_get_dir(url):
     return fetch_via_vcs(url).dest_dir
 
@@ -113,22 +116,23 @@ def get_purl(package_slug):
     """
     parts = package_slug.split("/")
     parts = list(filter(not_empty, parts))
-    type = parts[0]
-    if type == "go":
+    gitlab_scheme = parts[0]
+    purl_type = PURL_TYPE_BY_GITLAB_SCHEME[gitlab_scheme]
+    if gitlab_scheme == "go":
         name = "/".join(parts[1:])
-        return PackageURL(type=PURL_TYPE_BY_ECOSYSTEM[type], namespace=None, name=name)
+        return PackageURL(type=purl_type, namespace=None, name=name)
     # if package slug is of the form:
     # "nuget/NuGet.Core"
     if len(parts) == 2:
         name = parts[1]
-        return PackageURL(type=PURL_TYPE_BY_ECOSYSTEM[type], name=name)
+        return PackageURL(type=purl_type, name=name)
     # if package slug is of the form:
     # "nuget/github/user/abc/NuGet.Core"
     if len(parts) >= 3:
-        type = parts[0]
+        gitlab_scheme = parts[0]
         name = parts[-1]
         namespace = "/".join(parts[1:-1])
-        return PackageURL(type=PURL_TYPE_BY_ECOSYSTEM[type], namespace=namespace, name=name)
+        return PackageURL(type=purl_type, namespace=namespace, name=name)
     logger.error(f"get_purl: package_slug can not be parsed: {package_slug!r}")
     return None
 
@@ -177,11 +181,12 @@ def parse_yaml_file(file):
         )
     vrc: VersionRange = RANGE_CLASS_BY_SCHEMES[purl.type]
     version_class = vrc.version_class
-    gitlab_native_schemes = ["pypi", "gem", "npm"]
+    gitlab_native_schemes = ["pypi", "gem", "npm", "go", "packagist"]
+    gitlab_scheme = GITLAB_SCHEME_BY_PURL_TYPE[purl.type]
     try:
-        if purl.type in gitlab_native_schemes:
+        if gitlab_scheme in gitlab_native_schemes:
             affected_version_range = (
-                GitLabVersionRange.from_gitlab_native(purl.type, affected_range)
+                from_gitlab_native(gitlab_scheme=gitlab_scheme, string=affected_range)
                 if affected_range
                 else None
             )

diff --git a/vulnerabilities/package_managers.py b/vulnerabilities/package_managers.py
@@ -384,7 +384,7 @@ def cleaned_version(version):
     """
     Return a ``version`` string stripped from leading "v" prefix.
     """
-    return (version.lstrip("vV"),)
+    return version.lstrip("vV")
 
 
 class ComposerVersionAPI(VersionAPI):

diff --git a/vulnerabilities/tests/test_data/gitlab/composer-expected.json b/vulnerabilities/tests/test_data/gitlab/composer-expected.json
@@ -3,7 +3,20 @@
     "GMS-2018-26"
   ],
   "summary": "Incorrect header injection check",
-  "affected_packages": [],
+  "affected_packages": [
+    {
+      "package": {
+        "type": "composer",
+        "namespace": "amphp",
+        "name": "http",
+        "version": null,
+        "qualifiers": null,
+        "subpath": null
+      },
+      "affected_version_range": "vers:composer/<1.0.1",
+      "fixed_version": "1.0.1"
+    }
+  ],
   "references": [
     {
       "reference_id": "",

diff --git a/vulnerabilities/tests/test_data/gitlab/composer-improver-expected.json b/vulnerabilities/tests/test_data/gitlab/composer-improver-expected.json
@@ -7,7 +7,14 @@
     "confidence": 100,
     "summary": "Incorrect header injection check",
     "affected_purls": [],
-    "fixed_purl": null,
+    "fixed_purl": {
+      "type": "composer",
+      "namespace": "amphp",
+      "name": "http",
+      "version": "1.0.1",
+      "qualifiers": null,
+      "subpath": null
+    },
     "references": [
       {
         "reference_id": "",

diff --git a/vulnerabilities/tests/test_data/gitlab/golang-expected.json b/vulnerabilities/tests/test_data/gitlab/golang-expected.json
@@ -14,7 +14,7 @@
         "qualifiers": null,
         "subpath": null
       },
-      "affected_version_range": null,
+      "affected_version_range": "vers:golang/<3.7.1",
       "fixed_version": "3.7.1"
     }
   ],

diff --git a/vulnerabilities/tests/test_data/gitlab/golang-improver-expected.json b/vulnerabilities/tests/test_data/gitlab/golang-improver-expected.json
@@ -1,4 +1,43 @@
 [
+  {
+    "vulnerability_id": null,
+    "aliases": [
+      "GHSA-x5c7-x7m2-rhmf",
+      "GMS-2021-107"
+    ],
+    "confidence": 100,
+    "summary": "Local directory executable lookup in sops (Windows-only)",
+    "affected_purls": [
+      {
+        "type": "golang",
+        "namespace": null,
+        "name": "go.mozilla.org/sops/v3",
+        "version": "3.7.0",
+        "qualifiers": null,
+        "subpath": null
+      }
+    ],
+    "fixed_purl": {
+      "type": "golang",
+      "namespace": null,
+      "name": "go.mozilla.org/sops/v3",
+      "version": "3.7.1",
+      "qualifiers": null,
+      "subpath": null
+    },
+    "references": [
+      {
+        "reference_id": "GHSA-x5c7-x7m2-rhmf",
+        "url": "https://github.com/mozilla/sops/security/advisories/GHSA-x5c7-x7m2-rhmf",
+        "severities": []
+      },
+      {
+        "reference_id": "GHSA-x5c7-x7m2-rhmf",
+        "url": "https://github.com/advisories/GHSA-x5c7-x7m2-rhmf",
+        "severities": []
+      }
+    ]
+  },
   {
     "vulnerability_id": null,
     "aliases": [