Add istio importer and tests #336
Conversation
vulnerabilities/importers/istio.py
Outdated
|
|
||
| safe_pkg_versions = [] | ||
| vuln_pkg_versions = [] | ||
| all_version_list = self.version_api.get("istio/istio") |
There was a problem hiding this comment.
what do you gain from suffixing your variable names with a type? Would not versions or all_version be better than all_version_list?
There was a problem hiding this comment.
Sure, I would change them.
vulnerabilities/importers/istio.py
Outdated
| cve_id = cve_id | ||
|
|
||
| safe_purls = { | ||
| PackageURL(name="istio", type="golang", version=version) |
There was a problem hiding this comment.
In the logical order of fields, type would go first
vulnerabilities/importers/istio.py
Outdated
| } | ||
|
|
||
| vuln_purls = { | ||
| PackageURL(name="istio", type="golang", version=version) |
There was a problem hiding this comment.
What about also creating github type purls?
There was a problem hiding this comment.
@pombredanne I am still unable to understand how to create two package types for a single purl. Can you explain it a bit.
There was a problem hiding this comment.
@tushar912 sorry if I was not clear: I meant to have multiple purls: one pkg:/golang and one pkg:github since the project has both personalities
|
@pombredanne @sbs2001 I have made some changes as per the suggestions made by you. Please review again. |
tushar912
changed the title
vulnerabilities/importers/istio.py
Outdated
| safe_pkg_versions = [] | ||
| vuln_pkg_versions = [] | ||
| all_version_list = self.version_api.get("istio/istio") | ||
| if not version_range_list: |
There was a problem hiding this comment.
the condition and all_version should be at top. We don't want to create objects just to have them destroyed.
vulnerabilities/importers/istio.py
Outdated
| all_version_list = self.version_api.get("istio/istio") | ||
| if not version_range_list: | ||
| return all_version_list, [] | ||
| version_ranges = {RangeSpecifier(r) for r in version_range_list} |
There was a problem hiding this comment.
@pombredanne The codebase has (over) use of sets all over the place mostly because we were paranoid of duplicates and order didn't matter.
@tushar912 use a list, if that's ok ?
vulnerabilities/importers/istio.py
Outdated
| ubound = "<=" + release[2] | ||
| releases.append(lbound + "," + ubound) | ||
|
|
||
| data["releases"] = releases |
There was a problem hiding this comment.
This a list of string version ranges now, change the key name here to something that reflects that
vulnerabilities/importers/istio.py
Outdated
| safe_purls = [] | ||
| vuln_purls = [] | ||
|
|
||
| cve_id = cve_id |
There was a problem hiding this comment.
Oh, I should remove this
tushar912
force-pushed
the
istio
branch
7 times, most recently
from
73b81f6 to
e2ad923
Compare
|
@sbs2001 I have made the changes. |
vulnerabilities/importers/istio.py
Outdated
| safe_pkg_versions, vuln_pkg_versions = self.get_versions_for_pkg_from_range_list( | ||
| data["release_ranges"]) | ||
|
|
||
| safe_purls = [] |
There was a problem hiding this comment.
Is there a need to declare this here, since you are assigning them the union below ?
There was a problem hiding this comment.
I should remove it.
vulnerabilities/importers/istio.py
Outdated
| advisories.extend(processed_data) | ||
| return self.batch_advisories(advisories) | ||
|
|
||
| def get_versions_for_pkg_from_range_list(self, version_range_list): |
There was a problem hiding this comment.
The function name is too verbose. How about get_pkg_versions_from_ranges ?
|
@sbs2001 I have made the changes, also can you answer #336 (comment). |
vulnerabilities/importers/istio.py
Outdated
| ubound = "<=" + release[2] | ||
| releases.append(lbound + "," + ubound) | ||
| # If it is a single release | ||
| elif isinstance(release, int): |
There was a problem hiding this comment.
Could you point me to an example of this ?
There was a problem hiding this comment.
There was a problem hiding this comment.
Could this be done without using isinstance ? This is going to fail in case the release is of form 1.x.y . Maybe some string check ?
There was a problem hiding this comment.
Should I use a regex check?
There was a problem hiding this comment.
I would try to avoid regex unless absolutely needed, because those are very cryptic when reading.
If there's no other way could you do something like https://github.com/nexB/vulnerablecode/blob/f81816fcd95d00736dc17c9aaad20e91cb6ce201/vulnerabilities/helpers.py#L81 ?
There was a problem hiding this comment.
That way atleast, it would be easy to understand what the regex is trying to do without going into the details.
There was a problem hiding this comment.
@tushar912 thanks this almost at a stage to be merged, please see my comments inline.
|
@tushar912 Due to recent model changes, you would need to rename |
tushar912
force-pushed
the
istio
branch
3 times, most recently
from
d90ab42 to
b1f563a
Compare
vulnerabilities/importers/istio.py
Outdated
| as parameter and returns a tuple of safe package versions and | ||
| vulnerable package versions""" | ||
| all_version = self.version_api.get("istio/istio") | ||
| # if not version_range_list: |
There was a problem hiding this comment.
I guess this can be removed now ?
There was a problem hiding this comment.
Oh I missed this. I will remove it.
Signed-off-by: Tushar912 <[email protected]>
Signed-off-by: Tushar912 <[email protected]>
Also add github as package type Signed-off-by: Tushar912 <[email protected]>
tushar912
force-pushed
the
istio
branch
3 times, most recently
from
d8e4ec3 to
5b6c5dd
Compare
|
@sbs2001 Sorry for the delay. I have added a better check for single release using regex. |
assign cve to empty string if its N/A Signed-off-by: Tushar912 <[email protected]>
| ubound = "<=" + release[2] | ||
| releases.append(lbound + "," + ubound) | ||
| # If it is a single release | ||
| elif is_release(release): |
Description
Added importer and tests for istio
Also added test files in
test_data/istioFixes #302