Merge branch 'main' into advisory_id

TG1999 · web-flow · commit 1a657cad5948 · 2025-04-15T14:43:23.000+05:30
diff --git a/requirements.txt b/requirements.txt
@@ -27,7 +27,7 @@ dateparser==1.1.1
 decorator==5.1.1
 defusedxml==0.7.1
 distro==1.7.0
-Django==4.2.17
+Django==4.2.20
 django-crispy-forms==2.3
 django-environ==0.11.2
 django-filter==24.3
diff --git a/vulnerabilities/importers/__init__.py b/vulnerabilities/importers/__init__.py
@@ -44,10 +44,25 @@
 from vulnerabilities.pipelines import pysec_importer
 
 IMPORTERS_REGISTRY = [
+    nvd_importer.NVDImporterPipeline,
+    github_importer.GitHubAPIImporterPipeline,
+    gitlab_importer.GitLabImporterPipeline,
+    github_osv.GithubOSVImporter,
+    pypa_importer.PyPaImporterPipeline,
+    npm_importer.NpmImporterPipeline,
+    nginx_importer.NginxImporterPipeline,
+    pysec_importer.PyPIImporterPipeline,
+    apache_tomcat.ApacheTomcatImporter,
+    postgresql.PostgreSQLImporter,
+    debian.DebianImporter,
+    curl.CurlImporter,
+    epss.EPSSImporter,
+    vulnrichment.VulnrichImporter,
+    alpine_linux_importer.AlpineLinuxImporterPipeline,
+    ruby.RubyImporter,
+    apache_kafka.ApacheKafkaImporter,
     openssl.OpensslImporter,
     redhat.RedhatImporter,
-    debian.DebianImporter,
-    postgresql.PostgreSQLImporter,
     archlinux.ArchlinuxImporter,
     ubuntu.UbuntuImporter,
     debian_oval.DebianOvalImporter,
@@ -59,25 +74,10 @@
     project_kb_msr2019.ProjectKBMSRImporter,
     suse_scores.SUSESeverityScoreImporter,
     elixir_security.ElixirSecurityImporter,
-    apache_tomcat.ApacheTomcatImporter,
     xen.XenImporter,
     ubuntu_usn.UbuntuUSNImporter,
     fireeye.FireyeImporter,
-    apache_kafka.ApacheKafkaImporter,
     oss_fuzz.OSSFuzzImporter,
-    ruby.RubyImporter,
-    github_osv.GithubOSVImporter,
-    curl.CurlImporter,
-    epss.EPSSImporter,
-    vulnrichment.VulnrichImporter,
-    pypa_importer.PyPaImporterPipeline,
-    npm_importer.NpmImporterPipeline,
-    nginx_importer.NginxImporterPipeline,
-    gitlab_importer.GitLabImporterPipeline,
-    github_importer.GitHubAPIImporterPipeline,
-    nvd_importer.NVDImporterPipeline,
-    pysec_importer.PyPIImporterPipeline,
-    alpine_linux_importer.AlpineLinuxImporterPipeline,
 ]
 
 IMPORTERS_REGISTRY = {
diff --git a/vulnerabilities/importers/osv.py b/vulnerabilities/importers/osv.py
@@ -220,7 +220,14 @@ def get_affected_purl(affected_pkg, raw_id):
                 f"No PackageURL possible: {purl!r} for affected_pkg {affected_pkg} for OSV id: {raw_id}"
             )
             return
-    return PackageURL.from_string(str(purl))
+    try:
+        package_url = PackageURL.from_string(str(purl))
+        return package_url
+    except:
+        logger.error(
+            f"Invalid PackageURL: {purl!r} for affected_pkg {affected_pkg} for OSV id: {raw_id}"
+        )
+        return None
 
 
 def get_affected_version_range(affected_pkg, raw_id, supported_ecosystem):
diff --git a/vulnerabilities/improvers/__init__.py b/vulnerabilities/improvers/__init__.py
@@ -18,6 +18,7 @@
 from vulnerabilities.pipelines import enhance_with_kev
 from vulnerabilities.pipelines import enhance_with_metasploit
 from vulnerabilities.pipelines import flag_ghost_packages
+from vulnerabilities.pipelines import populate_vulnerability_summary_pipeline
 from vulnerabilities.pipelines import remove_duplicate_advisories
 
 IMPROVERS_REGISTRY = [
@@ -47,6 +48,7 @@
     collect_commits.CollectFixCommitsPipeline,
     add_cvss31_to_CVEs.CVEAdvisoryMappingPipeline,
     remove_duplicate_advisories.RemoveDuplicateAdvisoriesPipeline,
+    populate_vulnerability_summary_pipeline.PopulateVulnerabilitySummariesPipeline,
 ]
 
 IMPROVERS_REGISTRY = {
diff --git a/vulnerabilities/pipelines/alpine_linux_importer.py b/vulnerabilities/pipelines/alpine_linux_importer.py
@@ -202,7 +202,8 @@ def load_advisories(
                     level=logging.DEBUG,
                 )
             continue
-
+        # fixed_vulns is a list of strings and each string is a space-separated
+        # list of aliases and CVES
         for vuln_ids in fixed_vulns:
             if not isinstance(vuln_ids, str):
                 if logger:
@@ -211,15 +212,16 @@ def load_advisories(
                         level=logging.DEBUG,
                     )
                 continue
-            vuln_ids = vuln_ids.split()
-            aliases = []
-            vuln_id = vuln_ids[0]
-            # check for valid vuln ID, if there is valid vuln ID then iterate over
-            # the remaining elements of the list else iterate over the whole list
-            # and also check if the initial element is a reference or not
-            if is_cve(vuln_id):
-                aliases = [vuln_id]
-                vuln_ids = vuln_ids[1:]
+            vuln_ids = vuln_ids.strip().split()
+            if not vuln_ids:
+                if logger:
+                    logger(
+                        f"{vuln_ids!r} is empty",
+                        level=logging.DEBUG,
+                    )
+                continue
+            aliases = vuln_ids
+
             references = []
             for reference_id in vuln_ids:
 
@@ -232,6 +234,10 @@ def load_advisories(
                 elif reference_id.startswith("wnpa-sec"):
                     references.append(WireSharkReference.from_id(wnpa_sec_id=reference_id))
 
+                elif not reference_id.startswith("CVE"):
+                    if logger:
+                        logger(f"Unknown reference id {reference_id!r}", level=logging.DEBUG)
+
             qualifiers = {
                 "distroversion": distroversion,
                 "reponame": reponame,
diff --git a/vulnerabilities/pipelines/populate_vulnerability_summary_pipeline.py b/vulnerabilities/pipelines/populate_vulnerability_summary_pipeline.py
@@ -0,0 +1,71 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+import logging
+
+from aboutcode.pipeline import LoopProgress
+from django.db.models import Q
+
+from vulnerabilities.models import Advisory
+from vulnerabilities.models import Vulnerability
+from vulnerabilities.pipelines import VulnerableCodePipeline
+
+
+class PopulateVulnerabilitySummariesPipeline(VulnerableCodePipeline):
+    """Pipeline to populate missing vulnerability summaries from advisories."""
+
+    pipeline_id = "populate_vulnerability_summaries"
+
+    @classmethod
+    def steps(cls):
+        return (cls.populate_missing_summaries,)
+
+    def populate_missing_summaries(self):
+        """Find vulnerabilities with missing summaries and populate them using advisories with the same aliases."""
+        vulnerabilities_qs = Vulnerability.objects.filter(summary="")
+        self.log(
+            f"Processing {vulnerabilities_qs.count()} vulnerabilities without summaries",
+            level=logging.INFO,
+        )
+
+        progress = LoopProgress(total_iterations=vulnerabilities_qs.count(), logger=self.log)
+
+        vulnerabilities_to_be_updated = []
+
+        for vulnerability in progress.iter(vulnerabilities_qs.iterator()):
+            cve_alias = vulnerability.aliases.filter(alias__startswith="CVE-").first()
+
+            if not cve_alias:
+                self.log(
+                    f"Vulnerability {vulnerability.vulnerability_id} has no CVE alias",
+                    level=logging.DEBUG,
+                )
+                continue
+
+            matching_advisories = Advisory.objects.filter(
+                aliases=cve_alias, created_by="nvd_importer"
+            ).exclude(summary="")
+
+            if matching_advisories.exists():
+                best_advisory = matching_advisories.order_by("-date_collected").first()
+                # Note: we filtered above to only get non-empty summaries
+                vulnerability.summary = best_advisory.summary
+                vulnerabilities_to_be_updated.append(vulnerability)
+                self.log(
+                    f"Updated summary for vulnerability {vulnerability.vulnerability_id}",
+                    level=logging.INFO,
+                )
+            else:
+                self.log(f"No advisory found for alias {cve_alias}", level=logging.DEBUG)
+        Vulnerability.objects.bulk_update(vulnerabilities_to_be_updated, ["summary"])
+        self.log(
+            f"Successfully populated {len(vulnerabilities_to_be_updated)} vulnerabilities with summary",
+            level=logging.INFO,
+        )
+        self.log("Pipeline completed", level=logging.INFO)
diff --git a/vulnerabilities/tests/pipelines/test_alpine_linux_importer_pipeline.py b/vulnerabilities/tests/pipelines/test_alpine_linux_importer_pipeline.py
@@ -31,7 +31,7 @@ def test_process_record():
     logger = TestLogger()
     expected_advisories = [
         AdvisoryData(
-            aliases=[],
+            aliases=["XSA-248"],
             summary="",
             affected_packages=[
                 AffectedPackage(
@@ -138,7 +138,7 @@ def test_process_record():
             url="https://secdb.alpinelinux.org/v3.11/",
         ),
         AdvisoryData(
-            aliases=["CVE-2018-7540"],
+            aliases=["CVE-2018-7540", "XSA-252"],
             summary="",
             affected_packages=[
                 AffectedPackage(
diff --git a/vulnerabilities/tests/pipelines/test_populate_vulnerability_summary_pipeline.py b/vulnerabilities/tests/pipelines/test_populate_vulnerability_summary_pipeline.py
@@ -0,0 +1,160 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+import datetime
+from pathlib import Path
+
+import pytz
+from django.test import TestCase
+
+from vulnerabilities.models import Advisory
+from vulnerabilities.models import Alias
+from vulnerabilities.models import Vulnerability
+from vulnerabilities.pipelines.populate_vulnerability_summary_pipeline import (
+    PopulateVulnerabilitySummariesPipeline,
+)
+
+
+class PopulateVulnerabilitySummariesPipelineTest(TestCase):
+    def setUp(self):
+        self.data = Path(__file__).parent.parent / "test_data"
+
+    def test_populate_missing_summaries_from_nvd(self):
+        """
+        Test that vulnerabilities without summaries get them from NVD advisories.
+        """
+
+        # Create a vulnerability without a summary
+        vulnerability = Vulnerability.objects.create(
+            vulnerability_id="VCID-1234",
+            summary="",
+        )
+        alias = Alias.objects.create(alias="CVE-2024-1234", vulnerability=vulnerability)
+
+        # Create an NVD advisory with a summary
+        adv = Advisory.objects.create(
+            summary="Test vulnerability summary",
+            created_by="nvd_importer",
+            date_collected=datetime.datetime(2024, 1, 1, tzinfo=pytz.UTC),
+            unique_content_id="Test",
+        )
+        adv.aliases.add(alias)
+
+        # Run the pipeline
+        pipeline = PopulateVulnerabilitySummariesPipeline()
+        pipeline.populate_missing_summaries()
+
+        # Check that the vulnerability now has a summary
+        vulnerability.refresh_from_db()
+        self.assertEqual(vulnerability.summary, "Test vulnerability summary")
+
+    def test_no_matching_advisory(self):
+        """
+        Test handling of vulnerabilities that have no matching NVD advisory.
+        """
+        # Create a vulnerability without a summary
+        vulnerability = Vulnerability.objects.create(
+            vulnerability_id="VCID-1234",
+            summary="",
+        )
+        Alias.objects.create(alias="CVE-2024-1234", vulnerability=vulnerability)
+
+        # Run the pipeline
+        pipeline = PopulateVulnerabilitySummariesPipeline()
+        pipeline.populate_missing_summaries()
+
+        # Check that the vulnerability still has no summary
+        vulnerability.refresh_from_db()
+        self.assertEqual(vulnerability.summary, "")
+
+    def test_vulnerability_without_alias(self):
+        """
+        Test handling of vulnerabilities that have no aliases.
+        """
+
+        # Create a vulnerability without a summary or alias
+        vulnerability = Vulnerability.objects.create(
+            vulnerability_id="VCID-1234",
+            summary="",
+        )
+
+        # Run the pipeline
+        pipeline = PopulateVulnerabilitySummariesPipeline()
+        pipeline.populate_missing_summaries()
+
+        # Check that the vulnerability still has no summary
+        vulnerability.refresh_from_db()
+        self.assertEqual(vulnerability.summary, "")
+
+    def test_non_nvd_advisory_ignored(self):
+        """
+        Test that advisories from sources other than NVD are ignored.
+        """
+
+        # Create a vulnerability without a summary
+        vulnerability = Vulnerability.objects.create(
+            vulnerability_id="VCID-1234",
+            summary="",
+        )
+        alias = Alias.objects.create(alias="CVE-2024-1234", vulnerability=vulnerability)
+
+        # Create a non-NVD advisory with a summary
+        adv = Advisory.objects.create(
+            summary="Test vulnerability summary",
+            created_by="other_importer",
+            date_collected=datetime.datetime(2024, 1, 1, tzinfo=pytz.UTC),
+            unique_content_id="Test",
+        )
+
+        adv.aliases.add(alias)
+
+        # Run the pipeline
+        pipeline = PopulateVulnerabilitySummariesPipeline()
+        pipeline.populate_missing_summaries()
+
+        # Check that the vulnerability still has no summary
+        vulnerability.refresh_from_db()
+        self.assertEqual(vulnerability.summary, "")
+
+    def test_multiple_matching_advisories(self):
+        """
+        Test that the most recent matching advisory is used when there are multiple.
+        """
+        vulnerability = Vulnerability.objects.create(
+            vulnerability_id="VCID-1234",
+            summary="",
+        )
+        alias = Alias.objects.create(alias="CVE-2024-1234", vulnerability=vulnerability)
+
+        # Create two NVD advisories with the same alias
+        adv1 = Advisory.objects.create(
+            summary="First matching advisory",
+            created_by="nvd_importer",
+            date_collected=datetime.datetime(2024, 1, 1, tzinfo=pytz.UTC),
+            unique_content_id="Test",
+        )
+
+        adv1.aliases.add(alias)
+
+        adv2 = Advisory.objects.create(
+            summary="Second matching advisory",
+            created_by="nvd_importer",
+            date_collected=datetime.datetime(2024, 1, 2, tzinfo=pytz.UTC),
+            unique_content_id="Test-1",
+        )
+
+        adv2.aliases.add(alias)
+
+        # Run the pipeline
+        pipeline = PopulateVulnerabilitySummariesPipeline()
+        pipeline.populate_missing_summaries()
+
+        # Check that the vulnerability now has the most recent summary
+        vulnerability.refresh_from_db()
+        self.assertEqual(vulnerability.summary, "Second matching advisory")
