aboutcode-org
diff --git a/‎vulnerabilities/importers/__init__.py‎
Lines changed: 2 additions & 2 deletions b/‎vulnerabilities/importers/__init__.py‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎vulnerabilities/pipelines/v2_importers/aosp_importer.py‎
Lines changed: 68 additions & 58 deletions b/‎vulnerabilities/pipelines/v2_importers/aosp_importer.py‎
Lines changed: 68 additions & 58 deletions
diff --git a/‎vulnerabilities/tests/test_data/aosp/aosp_advisoryv2-expected.json‎
Lines changed: 145 additions & 1 deletion b/‎vulnerabilities/tests/test_data/aosp/aosp_advisoryv2-expected.json‎
Lines changed: 145 additions & 1 deletion
diff --git a/‎vulnerabilities/tests/test_data/aosp/cves/CVE-aosp_test3.json‎
Lines changed: 14 additions & 0 deletions b/‎vulnerabilities/tests/test_data/aosp/cves/CVE-aosp_test3.json‎
Lines changed: 14 additions & 0 deletions
@@ -41,7 +41,7 @@
 from vulnerabilities.pipelines import nvd_importer
 from vulnerabilities.pipelines import pypa_importer
 from vulnerabilities.pipelines import pysec_importer
-from vulnerabilities.pipelines.v2_importers import aosp_importer
+from vulnerabilities.pipelines.v2_importers import aosp_importer as aosp_importer_v2
 from vulnerabilities.pipelines.v2_importers import apache_httpd_importer as apache_httpd_v2
 from vulnerabilities.pipelines.v2_importers import archlinux_importer as archlinux_importer_v2
 from vulnerabilities.pipelines.v2_importers import curl_importer as curl_importer_v2
@@ -82,7 +82,7 @@
         mozilla_importer_v2.MozillaImporterPipeline,
         github_osv_importer_v2.GithubOSVImporterPipeline,
         redhat_importer_v2.RedHatImporterPipeline,
-        aosp_importer.AospImporterPipeline,
+        aosp_importer_v2.AospImporterPipeline,
         nvd_importer.NVDImporterPipeline,
         github_importer.GitHubAPIImporterPipeline,
         gitlab_importer.GitLabImporterPipeline,
 
@@ -8,18 +8,24 @@
 #
 
 import json
-import shutil
 from datetime import timezone
 from pathlib import Path
+from urllib.parse import quote
 
 import dateparser
 from fetchcode.vcs import fetch_via_vcs
+from packageurl.contrib.url2purl import url2purl
 
+from aboutcode.hashid import get_core_purl
 from vulnerabilities.importer import AdvisoryData
+from vulnerabilities.importer import AffectedPackageV2
+from vulnerabilities.importer import CodePatchData
 from vulnerabilities.importer import ReferenceV2
 from vulnerabilities.importer import VulnerabilitySeverity
 from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipelineV2
 from vulnerabilities.severity_systems import GENERIC
+from vulnerabilities.utils import VCS_URLS_SUPPORTED_TYPES
+from vulnerabilities.utils import parse_commit_url
 
 
 class AospImporterPipeline(VulnerableCodeBaseImporterPipelineV2):
@@ -60,71 +66,75 @@ def collect_advisories(self):
             with open(file_path) as f:
                 vulnerability_data = json.load(f)
 
-            vulnerability_id = vulnerability_data.get("cveId", [])
-            if (
-                not vulnerability_id or "," in vulnerability_id
-            ):  # escape invalid multiple CVE-2017-13077, CVE-2017-13078
-                continue
-
-            summary = vulnerability_data.get("vulnerabilityType")
-            date_reported = vulnerability_data.get("dateReported")
-            date_published = dateparser.parse(date_reported) if date_reported else None
-            if date_published and not date_published.tzinfo:
-                date_published = date_published.replace(tzinfo=timezone.utc)
-
-            severities = []
-            severity_value = vulnerability_data.get("severity")
-            if severity_value:
-                severities.append(
-                    VulnerabilitySeverity(
-                        system=GENERIC,
-                        value=severity_value,
-                    )
-                )
-
-            references = []
-            for commit_data in vulnerability_data.get("fixes", []):
-                vcs_url = commit_data.get("patchUrl")
-                commit_id = commit_data.get("commitId")
-
-                """
-                https://us.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=17bfaf64ad503d2e6607d2d3e0956f25bf07eb43
-                http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f54e18f1b831c92f6512d2eedb224cd63d607d3d
-                https://android.googlesource.com/platform/system/bt/+/514139f4b40cbb035bb92f3e24d5a389d75db9e6
-                https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=b108c651cae9913da1ab163cb4e5f7f2db87b747
-                
-                Check if commit in the url split based on it to get the commit hash and the vcs url 
-                if not split base on /+/
-                """
-
-                if not vcs_url:
+            vulnerability_ids = vulnerability_data.get("cveId", "")
+            for vulnerability_id in vulnerability_ids.split(","):
+                if not vulnerability_id:
                     continue
 
-                fixed_by_commits = []
-                repo_url, commit_id = url.split("/+/")
+                summary = vulnerability_data.get("vulnerabilityType")
+                date_reported = vulnerability_data.get("dateReported")
+                date_published = dateparser.parse(date_reported) if date_reported else None
+                if date_published and not date_published.tzinfo:
+                    date_published = date_published.replace(tzinfo=timezone.utc)
+
+                severities = []
+                severity_value = vulnerability_data.get("severity")
+                if severity_value:
+                    severities.append(
+                        VulnerabilitySeverity(
+                            system=GENERIC,
+                            value=severity_value,
+                        )
+                    )
 
-                fixed_commit = CodeCommitData(
-                    commit_hash=commit_hash,
-                    url=vcs_url,
+                references = []
+                affected_packages = []
+                for commit_data in vulnerability_data.get("fixes", []):
+                    commit_url = commit_data.get("patchUrl")
+                    commit_id = commit_data.get("commitId")
+
+                    purl = url2purl(commit_url)
+                    base_purl = get_core_purl(purl)
+
+                    if base_purl and base_purl.type in VCS_URLS_SUPPORTED_TYPES:
+                        vcs_url, commit_hash = parse_commit_url(url=commit_url)
+
+                        fixed_commit = CodePatchData(
+                            commit_hash=commit_hash,
+                            vcs_url=vcs_url,
+                        )
+
+                        affected_package = AffectedPackageV2(
+                            package=base_purl,
+                            fixed_by_commits=[fixed_commit],
+                        )
+                        affected_packages.append(affected_package)
+                    else:
+                        ref = ReferenceV2(
+                            reference_id=commit_id, reference_type="commit", url=commit_url
+                        )
+                        references.append(ref)
+
+                url = (
+                    "https://raw.githubusercontent.com/quarkslab/aosp_dataset/refs/heads/master/cves/"
+                    f"{quote(file_path.name)}"
                 )
 
-                fixed_by_commits.append(fixed_commit)
-
-            yield AdvisoryData(
-                advisory_id=vulnerability_id,
-                summary=summary,
-                references_v2=references,
-                severities=severities,
-                fixed_by_commits=fixed_by_commits,
-                date_published=date_published,
-                url=f"https://raw.githubusercontent.com/quarkslab/aosp_dataset/refs/heads/master/cves/{file_path.name}",
-            )
+                yield AdvisoryData(
+                    advisory_id=vulnerability_id,
+                    summary=summary,
+                    affected_packages=affected_packages,
+                    references_v2=references,
+                    severities=severities,
+                    date_published=date_published,
+                    url=url,
+                )
 
     def clean_downloads(self):
         """Cleanup any temporary repository data."""
-        self.log("Cleaning up local repository resources.")
-        if hasattr(self, "repo") and self.repo.working_dir:
-            shutil.rmtree(path=self.repo.working_dir)
+        if self.vcs_response:
+            self.log(f"Removing cloned repository")
+            self.vcs_response.delete()
 
     def on_failure(self):
         """Ensure cleanup is always performed on failure."""
 
@@ -22,14 +22,120 @@
     "weaknesses": [],
     "url": "https://raw.githubusercontent.com/quarkslab/aosp_dataset/refs/heads/master/cves/CVE-aosp_test1.json"
   },
+  {
+    "advisory_id": "CVE-2017-13077",
+    "aliases": [],
+    "summary": "Elevation of Privilege Vulnerability",
+    "affected_packages": [],
+    "references_v2": [
+      {
+        "reference_id": "c66556ca2473620df9751e73eb97ec50a40ffd3e",
+        "reference_type": "commit",
+        "url": "https://android.googlesource.com/platform/external/wpa_supplicant_8/+/c66556ca2473620df9751e73eb97ec50a40ffd3e"
+      },
+      {
+        "reference_id": "",
+        "reference_type": "commit",
+        "url": "https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=776f17c87599fae3202e69bb5718ac9062f14695"
+      },
+      {
+        "reference_id": "",
+        "reference_type": "commit",
+        "url": "https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=edb507885fc47cf3cdf061bfba1dc77451a6a332"
+      }
+    ],
+    "severities": [
+      {
+        "system": "generic_textual",
+        "value": "High",
+        "scoring_elements": ""
+      }
+    ],
+    "date_published": "2017-10-17T00:00:00+00:00",
+    "weaknesses": [],
+    "url": "https://raw.githubusercontent.com/quarkslab/aosp_dataset/refs/heads/master/cves/CVE-aosp_test5.json"
+  },
+  {
+    "advisory_id": "CVE-2014-9322",
+    "aliases": [],
+    "summary": "Elevation of Privilege Vulnerability",
+    "affected_packages": [],
+    "references_v2": [
+      {
+        "reference_id": "c22e479e335628ce8766cfbf06e2ba17e8f9a1bb",
+        "reference_type": "commit",
+        "url": "https://android.googlesource.com/kernel/common/+/c22e479e335628ce8766cfbf06e2ba17e8f9a1bb"
+      },
+      {
+        "reference_id": "1b627d4e5e61e89b840f77abb3ca6711ad6ffbeb",
+        "reference_type": "commit",
+        "url": "https://android.googlesource.com/kernel/common/+/1b627d4e5e61e89b840f77abb3ca6711ad6ffbeb"
+      },
+      {
+        "reference_id": "4c941665c7368a34b146929b31949555e680a4ee",
+        "reference_type": "commit",
+        "url": "https://android.googlesource.com/kernel/common/+/4c941665c7368a34b146929b31949555e680a4ee"
+      },
+      {
+        "reference_id": "758f0dac9104b46016af98304656a0268ac3e105",
+        "reference_type": "commit",
+        "url": "https://android.googlesource.com/kernel/common/+/758f0dac9104b46016af98304656a0268ac3e105"
+      },
+      {
+        "reference_id": "44d057a37868a60bc2eb6e7d1dcea701f234d56a",
+        "reference_type": "commit",
+        "url": "https://android.googlesource.com/kernel/common/+/44d057a37868a60bc2eb6e7d1dcea701f234d56a"
+      },
+      {
+        "reference_id": "b9b9f908c8ae82b73b9d75181982028b6bc06c2b",
+        "reference_type": "commit",
+        "url": "https://android.googlesource.com/kernel/common/+/b9b9f908c8ae82b73b9d75181982028b6bc06c2b"
+      },
+      {
+        "reference_id": "e068734f9e7344997a61022629b92d142a985ab3",
+        "reference_type": "commit",
+        "url": "https://android.googlesource.com/kernel/common/+/e068734f9e7344997a61022629b92d142a985ab3"
+      },
+      {
+        "reference_id": "fdc6c1052bc7d89a5826904fbb4318677e8442ce",
+        "reference_type": "commit",
+        "url": "https://android.googlesource.com/kernel/common/+/fdc6c1052bc7d89a5826904fbb4318677e8442ce"
+      },
+      {
+        "reference_id": "211d59c0034ec9d88690c750ccd6da27f6952dc5",
+        "reference_type": "commit",
+        "url": "https://android.googlesource.com/kernel/common/+/211d59c0034ec9d88690c750ccd6da27f6952dc5"
+      },
+      {
+        "reference_id": "c9e31d5a4747e9967ace6d05896c78516c4c0850",
+        "reference_type": "commit",
+        "url": "https://android.googlesource.com/kernel/common/+/c9e31d5a4747e9967ace6d05896c78516c4c0850"
+      },
+      {
+        "reference_id": "e01834bfbafd25fd392bf10014451c4e5f34f829",
+        "reference_type": "commit",
+        "url": "https://android.googlesource.com/kernel/common/+/e01834bfbafd25fd392bf10014451c4e5f34f829"
+      }
+    ],
+    "severities": [
+      {
+        "system": "generic_textual",
+        "value": "Critical",
+        "scoring_elements": ""
+      }
+    ],
+    "date_published": "2015-12-25T00:00:00+00:00",
+    "weaknesses": [],
+    "url": "https://raw.githubusercontent.com/quarkslab/aosp_dataset/refs/heads/master/cves/CVE-aosp_test4.json"
+  },
   {
     "advisory_id": "CVE-2017-13282",
     "aliases": [],
     "summary": "Remote Code Execution Vulnerability",
     "affected_packages": [],
     "references_v2": [
       {
-        "reference_id": "",
+        "reference_id": "6ecbbc093f4383e90cbbf681cd55da1303a8ef94",
         "reference_type": "commit",
         "url": "https://android.googlesource.com/platform/system/bt/+/6ecbbc093f4383e90cbbf681cd55da1303a8ef94"
       }
@@ -44,5 +150,43 @@
     "date_published": "2018-04-04T00:00:00+00:00",
     "weaknesses": [],
     "url": "https://raw.githubusercontent.com/quarkslab/aosp_dataset/refs/heads/master/cves/CVE-aosp_test2.json"
+  },
+  {
+    "advisory_id": "CVE-2015-9016",
+    "aliases": [],
+    "summary": "Elevation of Privilege Vulnerability",
+    "affected_packages": [
+      {
+        "package": {
+          "type": "github",
+          "namespace": "torvalds",
+          "name": "linux",
+          "version": "",
+          "qualifiers": "",
+          "subpath": ""
+        },
+        "affected_version_range": null,
+        "fixed_version_range": null,
+        "introduced_by_commits": [],
+        "fixed_by_commits": [
+          {
+            "commit_hash": "0048b4837affd153897ed1222283492070027aa9",
+            "vcs_url": "https://github.com/torvalds/linux.git",
+            "commit_patch": null
+          }
+        ]
+      }
+    ],
+    "references_v2": [],
+    "severities": [
+      {
+        "system": "generic_textual",
+        "value": "High",
+        "scoring_elements": ""
+      }
+    ],
+    "date_published": "2018-04-05T00:00:00+00:00",
+    "weaknesses": [],
+    "url": "https://raw.githubusercontent.com/quarkslab/aosp_dataset/refs/heads/master/cves/CVE-aosp_test3.json"
   }
 ]
@@ -0,0 +1,14 @@
+{
+  "cveId": "CVE-2015-9016",
+  "dateReported": "2018-04-05",
+  "vulnerabilityType": "Elevation of Privilege Vulnerability",
+  "language": "unknown",
+  "fixes": [
+    {
+      "commitId": "",
+      "patchUrl": "https://github.com/torvalds/linux/commit/0048b4837affd153897ed1222283492070027aa9"
+    }
+  ],
+  "severity": "High",
+  "component": "Kernel Multi-queue block IO"
+}