Add tests for purl creation and use AdvisoryV2

Signed-off-by: Sampurna Pyne <sampurnapyne1710@gmail.com>

Author: Samk1710

requirements.txt

@@ -118,7 +118,7 @@ toml==0.10.2
 tomli==2.0.1
 traitlets==5.1.1
 typing_extensions==4.1.1
-univers==30.12.0
+git+https://github.com/aboutcode-org/univers.git@5e28f2cd0fbee81a2b1268e88916a52a208bb672#egg=univers
 urllib3==1.26.19
 wcwidth==0.2.5
 websocket-client==0.59.0

vulnerabilities/importers/__init__.py

@@ -78,8 +78,8 @@
 from vulnerabilities.pipelines.v2_importers import redhat_importer as redhat_importer_v2
 from vulnerabilities.pipelines.v2_importers import retiredotnet_importer as retiredotnet_importer_v2
 from vulnerabilities.pipelines.v2_importers import ruby_importer as ruby_importer_v2
-from vulnerabilities.pipelines.v2_importers import tuxcare_importer as tuxcare_importer_v2
 from vulnerabilities.pipelines.v2_importers import suse_score_importer as suse_score_importer_v2
+from vulnerabilities.pipelines.v2_importers import tuxcare_importer as tuxcare_importer_v2
 from vulnerabilities.pipelines.v2_importers import ubuntu_osv_importer as ubuntu_osv_importer_v2
 from vulnerabilities.pipelines.v2_importers import vulnrichment_importer as vulnrichment_importer_v2
 from vulnerabilities.pipelines.v2_importers import xen_importer as xen_importer_v2

vulnerabilities/pipelines/v2_importers/tuxcare_importer.py

@@ -14,9 +14,8 @@
 from packageurl import PackageURL
 from pytz import UTC
 from univers.version_range import RANGE_CLASS_BY_SCHEMES
-from univers.version_range import AlpineLinuxVersionRange
 
-from vulnerabilities.importer import AdvisoryData
+from vulnerabilities.importer import AdvisoryDataV2
 from vulnerabilities.importer import AffectedPackageV2
 from vulnerabilities.importer import VulnerabilitySeverity
 from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipelineV2
@@ -28,13 +27,6 @@
 AFFECTED_STATUSES = ["Ignored", "Needs Triage", "In Testing", "In Progress", "In Rollout"]
 FIXED_STATUSES = ["Released", "Already Fixed"]
 
-VERSION_RANGE_BY_PURL_TYPE = {
-    "rpm": RANGE_CLASS_BY_SCHEMES["rpm"],
-    "deb": RANGE_CLASS_BY_SCHEMES["deb"],
-    "apk": AlpineLinuxVersionRange,
-    "generic": RANGE_CLASS_BY_SCHEMES["generic"],
-}
-
 
 class TuxCareImporterPipeline(VulnerableCodeBaseImporterPipelineV2):
     pipeline_id = "tuxcare_importer_v2"
@@ -45,6 +37,7 @@ class TuxCareImporterPipeline(VulnerableCodeBaseImporterPipelineV2):
     def steps(cls):
         return (
             cls.fetch,
+            cls.group_records_by_cve,
             cls.collect_and_store_advisories,
         )
 
@@ -53,13 +46,12 @@ def fetch(self) -> None:
         self.log(f"Fetching `{url}`")
         response = fetch_response(url)
         self.response = response.json() if response else []
-        self._grouped = self._group_records_by_cve()
 
-    def _group_records_by_cve(self) -> dict:
+    def group_records_by_cve(self):
         """
         A single CVE can appear in multiple records across different operating systems, distributions, or package versions. This method groups all records with the same CVE together and skips entries that are invalid or marked as not affected. The result is a dictionary keyed by CVE ID, with each value containing the related records.
         """
-        grouped = {}
+        self.cve_to_records = {}
         skipped_invalid = 0
         skipped_non_affected = 0
 
@@ -90,20 +82,19 @@ def _group_records_by_cve(self) -> dict:
                 skipped_invalid += 1
                 continue
 
-            if cve_id not in grouped:
-                grouped[cve_id] = []
-            grouped[cve_id].append(record)
+            if cve_id not in self.cve_to_records:
+                self.cve_to_records[cve_id] = []
+            self.cve_to_records[cve_id].append(record)
 
         total_skipped = skipped_invalid + skipped_non_affected
         self.log(
-            f"Grouped {len(self.response):,d} records into {len(grouped):,d} unique CVEs "
+            f"Grouped {len(self.response):,d} records into {len(self.cve_to_records):,d} unique CVEs "
             f"(skipped {total_skipped:,d}: {skipped_invalid:,d} invalid, "
             f"{skipped_non_affected:,d} non-affected)"
         )
-        return grouped
 
     def advisories_count(self) -> int:
-        return len(self._grouped)
+        return len(self.cve_to_records)
 
     def _create_purl(self, project_name: str, os_name: str) -> PackageURL:
         normalized_os = os_name.lower().replace(" ", "-")
@@ -136,10 +127,8 @@ def _create_purl(self, project_name: str, os_name: str) -> PackageURL:
             type=pkg_type, namespace=namespace, name=project_name, qualifiers=qualifiers
         )
 
-    def collect_advisories(self) -> Iterable[AdvisoryData]:
-        grouped_by_cve = self._grouped
-
-        for cve_id, records in grouped_by_cve.items():
+    def collect_advisories(self) -> Iterable[AdvisoryDataV2]:
+        for cve_id, records in self.cve_to_records.items():
             affected_packages = []
             severities = []
             date_published = None
@@ -161,7 +150,7 @@ def collect_advisories(self) -> Iterable[AdvisoryData]:
                     )
                     continue
 
-                version_range_class = VERSION_RANGE_BY_PURL_TYPE.get(purl.type)
+                version_range_class = RANGE_CLASS_BY_SCHEMES.get(purl.type)
 
                 try:
                     version_range = version_range_class.from_versions([version])
@@ -209,7 +198,7 @@ def collect_advisories(self) -> Iterable[AdvisoryData]:
                 self.log(f"Skipping {cve_id} - no valid affected packages")
                 continue
 
-            yield AdvisoryData(
+            yield AdvisoryDataV2(
                 advisory_id=cve_id,
                 affected_packages=affected_packages,
                 severities=severities,

vulnerabilities/tests/pipelines/v2_importers/test_tuxcare_importer_v2.py

@@ -29,10 +29,39 @@ def test_collect_advisories(self, mock_fetch):
 
         pipeline = TuxCareImporterPipeline()
         pipeline.fetch()
+        pipeline.group_records_by_cve()
 
         advisories = [data.to_dict() for data in list(pipeline.collect_advisories())]
 
         expected_file = TEST_DATA / "expected.json"
         util_tests.check_results_against_json(advisories, expected_file)
 
         assert len(advisories) == 14
+
+    def test_create_purl(self):
+        pipeline = TuxCareImporterPipeline()
+
+        cases = [
+            ("squid", "CloudLinux 7 ELS", "rpm", "cloudlinux", "cloudlinux-7-els"),
+            ("squid", "Oracle Linux 7 ELS", "rpm", "oracle", "oracle-linux-7-els"),
+            ("kernel", "CentOS 8.5 ELS", "rpm", "centos", "centos-8.5-els"),
+            ("squid", "CentOS Stream 8 ELS", "rpm", "centos", "centos-stream-8-els"),
+            ("libpng", "CentOS 7 ELS", "rpm", "centos", "centos-7-els"),
+            ("java-11-openjdk", "RHEL 7 ELS", "rpm", "rhel", "rhel-7-els"),
+            ("mysql", "AlmaLinux 9.2 ESU", "rpm", "almalinux", "almalinux-9.2-esu"),
+            ("linux", "Ubuntu 16.04 ELS", "deb", "ubuntu", "ubuntu-16.04-els"),
+            ("samba", "Debian 10 ELS", "deb", "debian", "debian-10-els"),
+            ("dpkg", "Alpine Linux 3.18 ELS", "apk", "alpine", "alpine-linux-3.18-els"),
+            ("kernel", "Unknown OS", "generic", "tuxcare", "unknown-os"),
+            ("webkit2gtk3", "TuxCare 9.6 ESU", "generic", "tuxcare", "tuxcare-9.6-esu"),
+        ]
+
+        for name, os_name, expected_type, expected_ns, expected_distro in cases:
+            purl = pipeline._create_purl(name, os_name)
+            assert purl is not None, f"Expected purl for os_name={os_name!r}"
+            assert purl.type == expected_type
+            assert purl.namespace == expected_ns
+            assert purl.qualifiers == {"distro": expected_distro}
+
+        #Invalid PURL 
+        assert pipeline._create_purl("foo", "Foo 123") is None

vulnerabilities/tests/test_data/tuxcare/expected.json

@@ -61,7 +61,7 @@
         "fixed_by_commit_patches": []
       }
     ],
-    "references_v2": [],
+    "references": [],
     "patches": [],
     "severities": [
       {
@@ -94,7 +94,7 @@
         "fixed_by_commit_patches": []
       }
     ],
-    "references_v2": [],
+    "references": [],
     "patches": [],
     "severities": [
       {
@@ -127,7 +127,7 @@
         "fixed_by_commit_patches": []
       }
     ],
-    "references_v2": [],
+    "references": [],
     "patches": [],
     "severities": [
       {
@@ -160,7 +160,7 @@
         "fixed_by_commit_patches": []
       }
     ],
-    "references_v2": [],
+    "references": [],
     "patches": [],
     "severities": [
       {
@@ -193,7 +193,7 @@
         "fixed_by_commit_patches": []
       }
     ],
-    "references_v2": [],
+    "references": [],
     "patches": [],
     "severities": [
       {
@@ -226,7 +226,7 @@
         "fixed_by_commit_patches": []
       }
     ],
-    "references_v2": [],
+    "references": [],
     "patches": [],
     "severities": [
       {
@@ -259,7 +259,7 @@
         "fixed_by_commit_patches": []
       }
     ],
-    "references_v2": [],
+    "references": [],
     "patches": [],
     "severities": [
       {
@@ -292,7 +292,7 @@
         "fixed_by_commit_patches": []
       }
     ],
-    "references_v2": [],
+    "references": [],
     "patches": [],
     "severities": [
       {
@@ -325,7 +325,7 @@
         "fixed_by_commit_patches": []
       }
     ],
-    "references_v2": [],
+    "references": [],
     "patches": [],
     "severities": [
       {
@@ -358,7 +358,7 @@
         "fixed_by_commit_patches": []
       }
     ],
-    "references_v2": [],
+    "references": [],
     "patches": [],
     "severities": [
       {
@@ -391,7 +391,7 @@
         "fixed_by_commit_patches": []
       }
     ],
-    "references_v2": [],
+    "references": [],
     "patches": [],
     "severities": [
       {
@@ -424,7 +424,7 @@
         "fixed_by_commit_patches": []
       }
     ],
-    "references_v2": [],
+    "references": [],
     "patches": [],
     "severities": [
       {
@@ -457,7 +457,7 @@
         "fixed_by_commit_patches": []
       }
     ],
-    "references_v2": [],
+    "references": [],
     "patches": [],
     "severities": [],
     "date_published": "2025-12-22T16:58:13.189255+00:00",
@@ -484,7 +484,7 @@
         "fixed_by_commit_patches": []
       }
     ],
-    "references_v2": [],
+    "references": [],
     "patches": [],
     "severities": [],
     "date_published": "2025-12-19T05:00:40.874276+00:00",