Address Ziad review on eclipse importer

Signed-off-by: Anmol Vats <anmolvats2003@gmail.com>

Author: NucleiAv

vulnerabilities/pipelines/v2_importers/eclipse_importer.py

@@ -58,8 +58,6 @@ def collect_advisories(self) -> Iterable[AdvisoryDataV2]:
 
 def parse_advisory(entry: dict):
     advisory_id = entry.get("id") or ""
-    if not advisory_id:
-        return None
 
     date_published = None
     raw_date = entry.get("date_published") or ""
@@ -71,8 +69,8 @@ def parse_advisory(entry: dict):
         if date_published is None:
             logger.warning("Could not parse date %r for %s", raw_date, advisory_id)
 
-    summary_obj = entry.get("summary")
-    summary = summary_obj.get("content") or "" if isinstance(summary_obj, dict) else ""
+    summary_obj = entry.get("summary") or {}
+    summary = summary_obj.get("content") or ""
 
     references = []
     for url in [
@@ -85,7 +83,7 @@ def parse_advisory(entry: dict):
 
     severities = []
     cvss = entry.get("cvss")
-    if cvss is not None:
+    if cvss:
         severities.append(VulnerabilitySeverity(system=GENERIC, value=str(cvss)))
 
     advisory_url = entry.get("live_link") or ""

vulnerabilities/tests/pipelines/v2_importers/test_eclipse_importer.py

@@ -7,83 +7,25 @@
 # See https://aboutcode.org for more information about nexB OSS projects.
 #
 
-import json
 from pathlib import Path
 from unittest import TestCase
 from unittest.mock import MagicMock
 from unittest.mock import patch
 
-import requests
-
 from vulnerabilities.pipelines.v2_importers.eclipse_importer import EclipseImporterPipeline
 from vulnerabilities.pipelines.v2_importers.eclipse_importer import parse_advisory
+from vulnerabilities.tests import util_tests
+from vulnerabilities.utils import load_json
 
 TEST_DATA = Path(__file__).parent.parent.parent / "test_data" / "eclipse"
 
-with open(TEST_DATA / "eclipse_api_sample.json") as f:
-    SAMPLE_DATA = json.load(f)
-
-ENTRY_WITH_CVSS = SAMPLE_DATA[0]
-ENTRY_WITHOUT_CVSS = SAMPLE_DATA[1]
-ENTRY_WITHOUT_SUMMARY = SAMPLE_DATA[2]
-
-
-class TestParseAdvisory(TestCase):
-    def test_parses_id_and_summary(self):
-        advisory = parse_advisory(ENTRY_WITH_CVSS)
-        assert advisory.advisory_id == "CVE-2017-7649"
-        assert "Kura" in advisory.summary
-
-    def test_parses_date(self):
-        advisory = parse_advisory(ENTRY_WITH_CVSS)
-        assert advisory.date_published is not None
-        assert advisory.date_published.year == 2017
-
-    def test_cvss_stored_as_generic_severity(self):
-        advisory = parse_advisory(ENTRY_WITH_CVSS)
-        assert len(advisory.severities) == 1
-        assert advisory.severities[0].value == "9.8"
-
-    def test_missing_cvss_yields_empty_severities(self):
-        advisory = parse_advisory(ENTRY_WITHOUT_CVSS)
-        assert advisory.severities == []
-
-    def test_missing_summary_yields_empty_string(self):
-        advisory = parse_advisory(ENTRY_WITHOUT_SUMMARY)
-        assert advisory.summary == ""
+SAMPLE_DATA = load_json(TEST_DATA / "eclipse_api_sample.json")
 
-    def test_references_populated(self):
-        advisory = parse_advisory(ENTRY_WITH_CVSS)
-        urls = [r.url for r in advisory.references]
-        assert "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7649" in urls
-        assert "https://bugs.eclipse.org/bugs/show_bug.cgi?id=514681" in urls
 
-    def test_cve_pull_request_added_as_reference(self):
-        advisory = parse_advisory(ENTRY_WITHOUT_CVSS)
-        urls = [r.url for r in advisory.references]
-        assert "https://github.com/CVEProject/cvelist/pull/932" in urls
-
-    def test_empty_cve_pull_request_not_added(self):
-        advisory = parse_advisory(ENTRY_WITH_CVSS)
-        urls = [r.url for r in advisory.references]
-        assert "" not in urls
-
-    def test_missing_id_returns_none(self):
-        assert parse_advisory({}) is None
-        assert parse_advisory({"id": ""}) is None
-
-    def test_original_advisory_text_is_json(self):
-        advisory = parse_advisory(ENTRY_WITH_CVSS)
-        parsed = json.loads(advisory.original_advisory_text)
-        assert parsed["id"] == "CVE-2017-7649"
-
-    def test_affected_packages_empty(self):
-        advisory = parse_advisory(ENTRY_WITH_CVSS)
-        assert advisory.affected_packages == []
-
-    def test_weaknesses_empty(self):
-        advisory = parse_advisory(ENTRY_WITH_CVSS)
-        assert advisory.weaknesses == []
+def test_parse_advisories():
+    results = [parse_advisory(entry).to_dict() for entry in SAMPLE_DATA]
+    expected_file = TEST_DATA / "expected_eclipse_output.json"
+    util_tests.check_results_against_json(results, expected_file)
 
 
 class TestEclipseImporterPipeline(TestCase):
@@ -105,12 +47,3 @@ def test_fetch_stores_advisories_data(self, mock_get):
         mock_get.return_value = mock_resp
         self.pipeline.fetch()
         assert self.pipeline.advisories_data == SAMPLE_DATA
-
-    @patch("vulnerabilities.pipelines.v2_importers.eclipse_importer.requests.get")
-    def test_collect_advisories_skips_on_http_error(self, mock_get):
-        mock_get.side_effect = requests.RequestException("timeout")
-        try:
-            self.pipeline.fetch()
-        except Exception:
-            pass
-        assert not hasattr(self.pipeline, "advisories_data") or True

vulnerabilities/tests/test_data/eclipse/expected_eclipse_output.json

@@ -0,0 +1,82 @@
+[
+  {
+    "advisory_id": "CVE-2017-7649",
+    "aliases": [],
+    "summary": "The network enabled distribution of Kura before 2.1.0 takes control over the device's firewall...",
+    "affected_packages": [],
+    "references": [
+      {
+        "reference_id": "",
+        "reference_type": "",
+        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7649"
+      },
+      {
+        "reference_id": "",
+        "reference_type": "",
+        "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=514681"
+      }
+    ],
+    "patches": [],
+    "severities": [
+      {
+        "system": "generic_textual",
+        "value": "9.8",
+        "scoring_elements": ""
+      }
+    ],
+    "date_published": "2017-04-14T00:00:00+00:00",
+    "weaknesses": [],
+    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7649"
+  },
+  {
+    "advisory_id": "CVE-2018-12537",
+    "aliases": [],
+    "summary": "Moderate severity vulnerability that affects io.vertx:vertx-core",
+    "affected_packages": [],
+    "references": [
+      {
+        "reference_id": "",
+        "reference_type": "",
+        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12537"
+      },
+      {
+        "reference_id": "",
+        "reference_type": "",
+        "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=536038"
+      },
+      {
+        "reference_id": "",
+        "reference_type": "",
+        "url": "https://github.com/CVEProject/cvelist/pull/932"
+      }
+    ],
+    "patches": [],
+    "severities": [],
+    "date_published": "2018-06-19T00:00:00+00:00",
+    "weaknesses": [],
+    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12537"
+  },
+  {
+    "advisory_id": "CVE-2024-2212",
+    "aliases": [],
+    "summary": "",
+    "affected_packages": [],
+    "references": [
+      {
+        "reference_id": "",
+        "reference_type": "",
+        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2212"
+      },
+      {
+        "reference_id": "",
+        "reference_type": "",
+        "url": "https://github.com/eclipse-threadx/threadx/security/advisories/GHSA-v9jj-7qjg-h6g6"
+      }
+    ],
+    "patches": [],
+    "severities": [],
+    "date_published": "2024-03-06T00:00:00+00:00",
+    "weaknesses": [],
+    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2212"
+  }
+]