Return CVEs from Errata Details endpoint

lib/trento_web/controllers/fallback_controller.ex

@@ -124,6 +124,13 @@ defmodule TrentoWeb.FallbackController do
     |> render(:"422", reason: "Unable to retrieve errata details for this advisory.")
   end
 
+  def call(conn, {:error, :error_getting_cves}) do
+    conn
+    |> put_status(:unprocessable_entity)
+    |> put_view(ErrorView)
+    |> render(:"422", reason: "Unable to retrieve CVEs for this advisory.")
+  end
+
   def call(conn, {:error, :error_getting_fixes}) do
     conn
     |> put_status(:unprocessable_entity)

lib/trento_web/controllers/v1/suse_manager_controller.ex

@@ -95,8 +95,9 @@ defmodule TrentoWeb.V1.SUSEManagerController do
   @spec errata_details(Plug.Conn.t(), any) :: Plug.Conn.t()
   def errata_details(conn, %{advisory_name: advisory_name}) do
     with {:ok, errata_details} <- Discovery.get_errata_details(advisory_name),
+         {:ok, cves} <- Discovery.get_cves(advisory_name),
          {:ok, fixes} <- Discovery.get_bugzilla_fixes(advisory_name) do
-      render(conn, %{errata_details: errata_details, fixes: fixes})
+      render(conn, %{errata_details: errata_details, cves: cves, fixes: fixes})
     end
   end
 end

lib/trento_web/openapi/v1/schema/available_software_updates.ex

@@ -172,6 +172,21 @@ defmodule TrentoWeb.OpenApi.V1.Schema.AvailableSoftwareUpdates do
     })
   end
 
+  defmodule CVEs do
+    @moduledoc false
+    OpenApiSpex.schema(%{
+      title: "CVEs",
+      description: "List of CVEs applicable to the errata with the given advisory name.",
+      type: :array,
+      additionalProperties: false,
+      items: %Schema{
+        title: "CVE",
+        description: "A fix for a publicly known security vulnerability",
+        type: :string
+      }
+    })
+  end
+
   defmodule AdvisoryFixes do
     @moduledoc false
     OpenApiSpex.schema(%{
@@ -191,6 +206,7 @@ defmodule TrentoWeb.OpenApi.V1.Schema.AvailableSoftwareUpdates do
       additionalProperties: false,
       properties: %{
         errata_details: ErrataDetails,
+        cves: CVEs,
         fixes: AdvisoryFixes
       }
     })

lib/trento_web/views/v1/suse_manager_view.ex

@@ -65,13 +65,15 @@ defmodule TrentoWeb.V1.SUSEManagerView do
 
   def render("errata_details.json", %{
         errata_details: errata_details = %{errataFrom: errataFrom},
+        cves: cves,
         fixes: fixes
       }),
       do: %{
         errata_details:
           errata_details
           |> Map.drop([:errataFrom])
           |> Map.put(:errata_from, errataFrom),
+        cves: cves,
         fixes: fixes
       }
 end

test/trento/infrastructure/software_updates/suma_test.exs

@@ -274,8 +274,7 @@ defmodule Trento.Infrastructure.SoftwareUpdates.SumaTest do
         {:ok, %HTTPoison.Response{status_code: 200, body: Jason.encode!(suma_response_body)}}
       end)
 
-      assert {:ok, ^cves} =
-               Suma.get_cves(advisory_name)
+      assert {:ok, ^cves} = Suma.get_cves(advisory_name)
     end
 
     test "should return a proper error when getting CVEs for a patch fails" do

test/trento_web/controllers/v1/suse_manager_controller_test.exs

@@ -172,6 +172,12 @@ defmodule TrentoWeb.V1.SUSEManagerControllerTest do
         {:ok, errata_details}
       end)
 
+      cves = generate_cves(10)
+
+      expect(Trento.SoftwareUpdates.Discovery.Mock, :get_cves, 1, fn _ ->
+        {:ok, cves}
+      end)
+
       fixes = build(:bugzilla_fix)
 
       expect(Trento.SoftwareUpdates.Discovery.Mock, :get_bugzilla_fixes, 1, fn _ ->
@@ -185,6 +191,8 @@ defmodule TrentoWeb.V1.SUSEManagerControllerTest do
 
       %{"fixes" => json_fixes} = json
 
+      # The returned struct from `assert_schema/3` empties the dynamic Map in `fixes`.
+      # Assert on the JSON response that the `fixes` Map contains entries.
       assert fixes |> Map.keys() |> length == json_fixes |> Map.keys() |> length
 
       result = assert_schema(json, "ErrataDetailsResponse", api_spec)
@@ -209,7 +217,8 @@ defmodule TrentoWeb.V1.SUSEManagerControllerTest do
           solution: ^solution,
           reboot_suggested: ^reboot_suggested,
           restart_suggested: ^restart_suggested
-        }
+        },
+        cves: ^cves
       } = result
     end
 
@@ -223,6 +232,36 @@ defmodule TrentoWeb.V1.SUSEManagerControllerTest do
         {:error, :error_getting_errata_details}
       end)
 
+      expect(Trento.SoftwareUpdates.Discovery.Mock, :get_cves, 1, fn _ ->
+        {:ok, generate_cves(10)}
+      end)
+
+      expect(Trento.SoftwareUpdates.Discovery.Mock, :get_bugzilla_fixes, 1, fn _ ->
+        {:ok, build(:bugzilla_fix)}
+      end)
+
+      advisory_name = Faker.Pokemon.name()
+
+      conn
+      |> get("/api/v1/software_updates/errata_details/#{advisory_name}")
+      |> json_response(:unprocessable_entity)
+      |> assert_schema("UnprocessableEntity", api_spec)
+    end
+
+    test "should return 422 when advisory CVEs are not found", %{
+      conn: conn,
+      api_spec: api_spec
+    } do
+      insert_software_updates_settings()
+
+      expect(Trento.SoftwareUpdates.Discovery.Mock, :get_errata_details, 1, fn _ ->
+        {:ok, build(:errata_details)}
+      end)
+
+      expect(Trento.SoftwareUpdates.Discovery.Mock, :get_cves, 1, fn _ ->
+        {:error, :error_getting_cves}
+      end)
+
       expect(Trento.SoftwareUpdates.Discovery.Mock, :get_bugzilla_fixes, 1, fn _ ->
         {:ok, build(:bugzilla_fix)}
       end)
@@ -245,6 +284,10 @@ defmodule TrentoWeb.V1.SUSEManagerControllerTest do
         {:ok, build(:errata_details)}
       end)
 
+      expect(Trento.SoftwareUpdates.Discovery.Mock, :get_cves, 1, fn _ ->
+        {:ok, generate_cves(10)}
+      end)
+
       expect(Trento.SoftwareUpdates.Discovery.Mock, :get_bugzilla_fixes, 1, fn _ ->
         {:error, :error_getting_fixes}
       end)
@@ -257,4 +300,15 @@ defmodule TrentoWeb.V1.SUSEManagerControllerTest do
       |> assert_schema("UnprocessableEntity", api_spec)
     end
   end
+
+  defp generate_cves(n) do
+    Enum.map(
+      1..n,
+      fn _ ->
+        year = Enum.random(1_991..2_024)
+        id = Enum.random(0..9_999)
+        "CVE-#{year}-#{id}"
+      end
+    )
+  end
 end

test/trento_web/views/v1/suse_manager_view_test.exs

@@ -23,6 +23,17 @@ defmodule TrentoWeb.V1.SUSEManagerViewTest do
   describe "renders errata_details.json" do
     test "should render relevant fields" do
       %{errataFrom: errata_from} = errata_details = build(:errata_details)
+
+      cves =
+        Enum.map(
+          1..10,
+          fn _ ->
+            year = Enum.random(1_991..2_024)
+            id = Enum.random(0..9_999)
+            "CVE-#{year}-#{id}"
+          end
+        )
+
       fixes = build(:bugzilla_fix)
 
       errata_details_sans_errata_from = Map.delete(errata_details, :errataFrom)
@@ -32,11 +43,13 @@ defmodule TrentoWeb.V1.SUSEManagerViewTest do
 
       assert %{
                errata_details: ^expected_errata_details,
+               cves: ^cves,
                fixes: ^fixes
              } =
                render(SUSEManagerView, "errata_details.json", %{
                  errata_details:
                    Map.put(errata_details_sans_errata_from, :errataFrom, errata_from),
+                 cves: cves,
                  fixes: fixes
                })
     end