aboutcode-org
diff --git a/‎Makefile‎
Lines changed: 4 additions & 0 deletions b/‎Makefile‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎docker-compose.yml‎
Lines changed: 2 additions & 0 deletions b/‎docker-compose.yml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎etc/postgresql/postgresql.conf‎
Lines changed: 12 additions & 0 deletions b/‎etc/postgresql/postgresql.conf‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎requirements.txt‎
Lines changed: 2 additions & 2 deletions b/‎requirements.txt‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎vulnerabilities/api_v2.py‎
Lines changed: 107 additions & 4 deletions b/‎vulnerabilities/api_v2.py‎
Lines changed: 107 additions & 4 deletions
diff --git a/‎vulnerabilities/importer.py‎
Lines changed: 1 addition & 1 deletion b/‎vulnerabilities/importer.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎vulnerabilities/importers/__init__.py‎
Lines changed: 2 additions & 2 deletions b/‎vulnerabilities/importers/__init__.py‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎vulnerabilities/importers/apache_httpd.py‎
Lines changed: 100 additions & 0 deletions b/‎vulnerabilities/importers/apache_httpd.py‎
Lines changed: 100 additions & 0 deletions
@@ -42,6 +42,10 @@ else
 	SUDO_POSTGRES=
 endif
 
+ifeq ($(UNAME), Darwin)
+	GET_SECRET_KEY=`head /dev/urandom | base64 | head -c50`
+endif
+
 virtualenv:
 	@echo "-> Bootstrap the virtualenv with PYTHON_EXE=${PYTHON_EXE}"
 	@${PYTHON_EXE} ${VIRTUALENV_PYZ} --never-download --no-periodic-update ${VENV}
 
@@ -3,10 +3,12 @@ version: "3"
 services:
   db:
     image: postgres:13
+    command: -c config_file=/etc/postgresql/postgresql.conf
     env_file:
       - docker.env
     volumes:
       - db_data:/var/lib/postgresql/data/
+      - ./etc/postgresql/postgresql.conf:/etc/postgresql/postgresql.conf
 
   vulnerablecode:
     build: .
 
@@ -0,0 +1,12 @@
+# Default configuration for development build
+# DB Version: 13
+# OS Type: linux
+# DB Type: development
+# Data Storage: local
+
+listen_addresses = '*'
+max_connections = 100
+shared_buffers = 128MB
+dynamic_shared_memory_type = posix
+max_wal_size = 1GB
+min_wal_size = 80MB
@@ -27,7 +27,7 @@ dateparser==1.1.1
 decorator==5.1.1
 defusedxml==0.7.1
 distro==1.7.0
-Django==4.2.16
+Django==4.2.17
 django-crispy-forms==2.3
 django-environ==0.11.2
 django-filter==24.3
@@ -53,7 +53,7 @@ ipython==8.10.0
 isort==5.10.1
 itypes==1.2.0
 jedi==0.18.1
-Jinja2==3.1.4
+Jinja2==3.1.5
 jsonschema==3.2.0
 license-expression==30.3.1
 lxml==4.9.1
 
@@ -8,6 +8,7 @@
 #
 
 
+from django.db.models import Prefetch
 from django_filters import rest_framework as filters
 from drf_spectacular.utils import OpenApiParameter
 from drf_spectacular.utils import extend_schema
@@ -20,8 +21,7 @@
 from rest_framework.response import Response
 from rest_framework.reverse import reverse
 
-from vulnerabilities.api import PackageFilterSet
-from vulnerabilities.api import VulnerabilitySeveritySerializer
+from vulnerabilities.models import CodeFix
 from vulnerabilities.models import Package
 from vulnerabilities.models import Vulnerability
 from vulnerabilities.models import VulnerabilityReference
@@ -195,7 +195,31 @@ class Meta:
         ]
 
     def get_affected_by_vulnerabilities(self, obj):
-        return [vuln.vulnerability_id for vuln in obj.affected_by_vulnerabilities.all()]
+        """
+        Return a dictionary with vulnerabilities as keys and their details, including fixed_by_packages.
+        """
+        result = {}
+        request = self.context.get("request")
+        for vuln in getattr(obj, "prefetched_affected_vulnerabilities", []):
+            fixed_by_package = vuln.fixed_by_packages.first()
+            purl = None
+            if fixed_by_package:
+                purl = fixed_by_package.package_url
+            # Get code fixed for a vulnerability
+            code_fixes = CodeFix.objects.filter(
+                affected_package_vulnerability__vulnerability=vuln
+            ).distinct()
+            code_fix_urls = [
+                reverse("codefix-detail", args=[code_fix.id], request=request)
+                for code_fix in code_fixes
+            ]
+
+            result[vuln.vulnerability_id] = {
+                "vulnerability_id": vuln.vulnerability_id,
+                "fixed_by_packages": purl,
+                "code_fixes": code_fix_urls,
+            }
+        return result
 
     def get_fixing_vulnerabilities(self, obj):
         # Ghost package should not fix any vulnerability.
@@ -233,7 +257,13 @@ class PackageV2FilterSet(filters.FilterSet):
 
 
 class PackageV2ViewSet(viewsets.ReadOnlyModelViewSet):
-    queryset = Package.objects.all()
+    queryset = Package.objects.all().prefetch_related(
+        Prefetch(
+            "affected_by_vulnerabilities",
+            queryset=Vulnerability.objects.prefetch_related("fixed_by_packages"),
+            to_attr="prefetched_affected_vulnerabilities",
+        )
+    )
     serializer_class = PackageV2Serializer
     filter_backends = (filters.DjangoFilterBackend,)
     filterset_class = PackageV2FilterSet
@@ -503,3 +533,76 @@ def lookup(self, request):
 
         qs = self.get_queryset().for_purls([purl]).with_is_vulnerable()
         return Response(PackageV2Serializer(qs, many=True, context={"request": request}).data)
+
+
+class CodeFixSerializer(serializers.ModelSerializer):
+    """
+    Serializer for the CodeFix model.
+    Provides detailed information about a code fix.
+    """
+
+    affected_vulnerability_id = serializers.CharField(
+        source="affected_package_vulnerability.vulnerability.vulnerability_id",
+        read_only=True,
+        help_text="ID of the affected vulnerability.",
+    )
+    affected_package_purl = serializers.CharField(
+        source="affected_package_vulnerability.package.package_url",
+        read_only=True,
+        help_text="PURL of the affected package.",
+    )
+    fixed_package_purl = serializers.CharField(
+        source="fixed_package_vulnerability.package.package_url",
+        read_only=True,
+        help_text="PURL of the fixing package (if available).",
+    )
+    created_at = serializers.DateTimeField(
+        format="%Y-%m-%dT%H:%M:%SZ",
+        read_only=True,
+        help_text="Timestamp when the code fix was created.",
+    )
+    updated_at = serializers.DateTimeField(
+        format="%Y-%m-%dT%H:%M:%SZ",
+        read_only=True,
+        help_text="Timestamp when the code fix was last updated.",
+    )
+
+    class Meta:
+        model = CodeFix
+        fields = [
+            "id",
+            "commits",
+            "pulls",
+            "downloads",
+            "patch",
+            "affected_vulnerability_id",
+            "affected_package_purl",
+            "fixed_package_purl",
+            "notes",
+            "references",
+            "is_reviewed",
+            "created_at",
+            "updated_at",
+        ]
+        read_only_fields = ["created_at", "updated_at"]
+
+
+class CodeFixViewSet(viewsets.ReadOnlyModelViewSet):
+    """
+    API endpoint that allows viewing CodeFix entries.
+    """
+
+    queryset = CodeFix.objects.all()
+    serializer_class = CodeFixSerializer
+
+    def get_queryset(self):
+        """
+        Optionally filter by vulnerability ID.
+        """
+        queryset = super().get_queryset()
+        vulnerability_id = self.request.query_params.get("vulnerability_id")
+        if vulnerability_id:
+            queryset = queryset.filter(
+                affected_package_vulnerability__vulnerability__vulnerability_id=vulnerability_id
+            )
+        return queryset
@@ -111,7 +111,7 @@ def to_dict(self):
     def from_dict(cls, ref: dict):
         return cls(
             reference_id=ref["reference_id"],
-            reference_type=ref["reference_type"],
+            reference_type=ref.get("reference_type") or "",
             url=ref["url"],
             severities=[
                 VulnerabilitySeverity.from_dict(severity) for severity in ref["severities"]
 
@@ -7,7 +7,6 @@
 # See https://aboutcode.org for more information about nexB OSS projects.
 #
 
-from vulnerabilities.importers import alpine_linux
 from vulnerabilities.importers import apache_httpd
 from vulnerabilities.importers import apache_kafka
 from vulnerabilities.importers import apache_tomcat
@@ -36,6 +35,7 @@
 from vulnerabilities.importers import xen
 from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipeline
 from vulnerabilities.pipelines import almalinux_importer
+from vulnerabilities.pipelines import alpine_linux_importer
 from vulnerabilities.pipelines import github_importer
 from vulnerabilities.pipelines import gitlab_importer
 from vulnerabilities.pipelines import nginx_importer
@@ -45,7 +45,6 @@
 from vulnerabilities.pipelines import pysec_importer
 
 IMPORTERS_REGISTRY = [
-    alpine_linux.AlpineImporter,
     openssl.OpensslImporter,
     redhat.RedhatImporter,
     debian.DebianImporter,
@@ -80,6 +79,7 @@
     nvd_importer.NVDImporterPipeline,
     pysec_importer.PyPIImporterPipeline,
     almalinux_importer.AlmalinuxImporterPipeline,
+    alpine_linux_importer.AlpineLinuxImporterPipeline,
 ]
 
 IMPORTERS_REGISTRY = {
 
@@ -8,6 +8,7 @@
 #
 
 import logging
+import re
 import urllib
 
 import requests
@@ -23,6 +24,8 @@
 from vulnerabilities.importer import Reference
 from vulnerabilities.importer import VulnerabilitySeverity
 from vulnerabilities.severity_systems import APACHE_HTTPD
+from vulnerabilities.utils import create_weaknesses_list
+from vulnerabilities.utils import cwe_regex
 from vulnerabilities.utils import get_item
 
 logger = logging.getLogger(__name__)
@@ -102,11 +105,14 @@ def to_advisory(self, data):
                 )
             )
 
+        weaknesses = get_weaknesses(data)
+
         return AdvisoryData(
             aliases=[alias],
             summary=description or "",
             affected_packages=affected_packages,
             references=[reference],
+            weaknesses=weaknesses,
             url=reference.url,
         )
 
@@ -152,3 +158,97 @@ def fetch_links(url):
             continue
         links.append(urllib.parse.urljoin(url, link))
     return links
+
+
+def get_weaknesses(cve_data):
+    """
+    Extract CWE IDs from CVE data.
+
+    Args:
+        cve_data (dict): The CVE data in a dictionary format.
+
+    Returns:
+        List[int]: A list of unique CWE IDs.
+
+    Examples:
+        >>> mock_cve_data1 = {
+        ...     "containers": {
+        ...         "cna": {
+        ...             "providerMetadata": {
+        ...                 "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09"
+        ...             },
+        ...             "title": "mod_macro buffer over-read",
+        ...             "problemTypes": [
+        ...                 {
+        ...                     "descriptions": [
+        ...                         {
+        ...                             "description": "CWE-125 Out-of-bounds Read",
+        ...                             "lang": "en",
+        ...                             "cweId": "CWE-125",
+        ...                             "type": "CWE"
+        ...                         }
+        ...                     ]
+        ...                 }
+        ...             ]
+        ...         }
+        ...     }
+        ... }
+        >>> mock_cve_data2 = {
+        ...     "data_type": "CVE",
+        ...     "data_format": "MITRE",
+        ...     "data_version": "4.0",
+        ...     "generator": {
+        ...         "engine": "Vulnogram 0.0.9"
+        ...     },
+        ...     "CVE_data_meta": {
+        ...         "ID": "CVE-2022-28614",
+        ...         "ASSIGNER": "security@apache.org",
+        ...         "TITLE": "read beyond bounds via ap_rwrite() ",
+        ...         "STATE": "PUBLIC"
+        ...     },
+        ...     "problemtype": {
+        ...         "problemtype_data": [
+        ...             {
+        ...                 "description": [
+        ...                     {
+        ...                         "lang": "eng",
+        ...                         "value": "CWE-190 Integer Overflow or Wraparound"
+        ...                     }
+        ...                 ]
+        ...             },
+        ...             {
+        ...                 "description": [
+        ...                     {
+        ...                         "lang": "eng",
+        ...                         "value": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"
+        ...                     }
+        ...                 ]
+        ...             }
+        ...         ]
+        ...     }
+        ... }
+
+        >>> get_weaknesses(mock_cve_data1)
+        [125]
+
+        >>> get_weaknesses(mock_cve_data2)
+        [190, 200]
+    """
+    alias = get_item(cve_data, "CVE_data_meta", "ID")
+    cwe_strings = []
+    if alias:
+        problemtype_data = get_item(cve_data, "problemtype", "problemtype_data") or []
+        for problem in problemtype_data:
+            for desc in problem.get("description", []):
+                value = desc.get("value", "")
+                cwe_id_string_list = re.findall(cwe_regex, value)
+                cwe_strings.extend(cwe_id_string_list)
+    else:
+        problemTypes = cve_data.get("containers", {}).get("cna", {}).get("problemTypes", [])
+        descriptions = problemTypes[0].get("descriptions", []) if len(problemTypes) > 0 else []
+        for description in descriptions:
+            cwe_id_string = description.get("cweId", "")
+            cwe_strings.append(cwe_id_string)
+
+    weaknesses = create_weaknesses_list(cwe_strings)
+    return weaknesses