Add firstPatchedVersion in github API

Signed-off-by: Tushar Goel <[email protected]>

vulnerabilities/importers/github.py

@@ -30,6 +30,7 @@
 from dateutil import parser as dateparser
 from django.db.models.query import QuerySet
 from packageurl import PackageURL
+from univers.version_range import RANGE_CLASS_BY_SCHEMES
 from univers.version_range import build_range_from_github_advisory_constraint
 
 from vulnerabilities import severity_systems
@@ -153,6 +154,9 @@
                     severity
                     publishedAt
                 }
+                firstPatchedVersion{
+                    identifier
+                }
                 package {
                     name
                 }
@@ -236,43 +240,42 @@ def process_response(resp: dict, package_type: str) -> Iterable[AdvisoryData]:
         return
 
     for vulnerability in vulnerabilities:
-        affected_packages = []
         aliases = set()
         github_advisory = get_item(vulnerability, "node")
         if not github_advisory:
             logger.error(f"No node found in {vulnerability!r}")
             continue
-
         name = get_item(github_advisory, "package", "name")
-        if not name:
-            logger.error(f"No name found in {github_advisory!r}")
-            continue
-
-        purl = get_purl(pkg_type=package_type, github_name=name)
-        if not purl:
-            continue
-
-        vulnerable_range = get_item(github_advisory, "vulnerableVersionRange")
-        if not vulnerable_range:
-            logger.error(f"No affected range found in {github_advisory!r}")
-            continue
-
-        affected_range = None
-        try:
-            affected_range = build_range_from_github_advisory_constraint(
-                package_type, vulnerable_range
-            )
-        except InvalidVersionRange:
-            logger.error(f"Could not parse affected range {vulnerable_range!r}")
-            continue
-
-        if affected_range != NotImplementedError:
-            affected_packages.append(
-                AffectedPackage(
-                    package=purl,
-                    affected_version_range=affected_range,
+        if name:
+            purl = get_purl(pkg_type=package_type, github_name=name)
+        if purl:
+            affected_range = get_item(github_advisory, "vulnerableVersionRange")
+            fixed_version = get_item(github_advisory, "firstPatchedVersion", "identifier")
+            if affected_range:
+                try:
+                    affected_range = build_range_from_github_advisory_constraint(
+                        package_type, affected_range
+                    )
+                except InvalidVersionRange as e:
+                    logger.error(f"Could not parse affected range {affected_range!r} {e!r}")
+                    affected_range = None
+            if fixed_version:
+                try:
+                    fixed_version = RANGE_CLASS_BY_SCHEMES[package_type].version_class(
+                        fixed_version
+                    )
+                except Exception as e:
+                    logger.error(f"Invalid fixed version {fixed_version!r} {e!r}")
+                    fixed_version = None
+            affected_packages = []
+            if affected_range or fixed_version:
+                affected_packages.append(
+                    AffectedPackage(
+                        package=purl,
+                        affected_version_range=affected_range,
+                        fixed_version=fixed_version,
+                    )
                 )
-            )
 
         advisory = get_item(github_advisory, "advisory")
         if not advisory:

vulnerabilities/tests/test_data/github_api/composer-expected.json

@@ -163,7 +163,7 @@
           "subpath": null
         },
         "affected_version_range": "vers:composer/<22.1.0",
-        "fixed_version": null
+        "fixed_version": "22.1.0"
       }
     ],
     "references": [

vulnerabilities/tests/test_data/github_api/composer.json

@@ -150,6 +150,9 @@
             "package": {
               "name": "librenms/librenms"
             },
+            "firstPatchedVersion": {
+              "identifier" :"22.1.0"
+            },
             "vulnerableVersionRange": "< 22.1.0"
           }
         }

vulnerabilities/tests/test_data/github_api/gem-expected.json

@@ -16,7 +16,7 @@
           "subpath": null
         },
         "affected_version_range": "vers:gem/<=1.3.1",
-        "fixed_version": null
+        "fixed_version": "1.3.2"
       }
     ],
     "references": [

vulnerabilities/tests/test_data/github_api/gem.json

@@ -57,6 +57,9 @@
             "package": {
               "name": "webrick"
             },
+            "firstPatchedVersion": {
+              "identifier" :"1.3.2"
+            },
             "vulnerableVersionRange": "<= 1.3.1"
           }
         },

vulnerabilities/tests/test_data/github_api/golang-expected.json

@@ -16,7 +16,7 @@
           "subpath": null
         },
         "affected_version_range": "vers:golang/<1.3.3",
-        "fixed_version": null
+        "fixed_version": "1.3.3"
       }
     ],
     "references": [

vulnerabilities/tests/test_data/github_api/golang.json

@@ -45,6 +45,9 @@
             "package": {
               "name": "github.com/moby/moby"
             },
+            "firstPatchedVersion": {
+              "identifier" :"1.3.3"
+            },
             "vulnerableVersionRange": "< 1.3.3"
           }
         },

vulnerabilities/tests/test_data/github_api/maven-expected.json

@@ -152,7 +152,7 @@
           "subpath": null
         },
         "affected_version_range": "vers:maven/>=9.0.0|<9.0.31",
-        "fixed_version": null
+        "fixed_version": "9.0.1"
       }
     ],
     "references": [

vulnerabilities/tests/test_data/github_api/maven.json

@@ -139,6 +139,9 @@
             "package": {
               "name": "org.apache.tomcat.embed:tomcat-embed-core"
             },
+            "firstPatchedVersion": {
+              "identifier" :"9.0.1"
+            },
             "vulnerableVersionRange": ">= 9.0.0, < 9.0.31"
           }
         }

vulnerabilities/tests/test_data/github_api/nuget-expected.json

@@ -16,7 +16,7 @@
           "subpath": null
         },
         "affected_version_range": "vers:nuget/<=4.5.1-alpha001",
-        "fixed_version": null
+        "fixed_version": "4.5.1"
       }
     ],
     "references": [

vulnerabilities/tests/test_data/github_api/nuget.json

@@ -33,6 +33,9 @@
             "package": {
               "name": "RazorEngine"
             },
+            "firstPatchedVersion": {
+              "identifier" :"4.5.1"
+            },
             "vulnerableVersionRange": "<= 4.5.1-alpha001"
           }
         },

vulnerabilities/tests/test_data/github_api/pypi-expected.json

@@ -15,7 +15,7 @@
           "subpath": null
         },
         "affected_version_range": "vers:pypi/<9.0.0",
-        "fixed_version": null
+        "fixed_version": "9.0.0"
       }
     ],
     "references": [

vulnerabilities/tests/test_data/github_api/pypi.json

@@ -29,6 +29,9 @@
             "package": {
               "name": "Pillow"
             },
+            "firstPatchedVersion": {
+              "identifier" :"9.0.0"
+            },
             "vulnerableVersionRange": "< 9.0.0"
           }
         },

vulnerabilities/utils.py

@@ -217,9 +217,9 @@ def get_item(dictionary: dict, *attributes):
     'd'
     >>> assert(get_item({'a': {'b': {'c': 'd'}}}, 'a', 'b', 'e')) == None
     """
-    if not dictionary:
-        return
     for attribute in attributes:
+        if not dictionary:
+            return
         if attribute not in dictionary:
             logger.error(f"Missing attribute {attribute} in {dictionary}")
             return None