Address review comments

Signed-off-by: Tushar Goel <tushar.goel.dav@gmail.com>

Author: TG1999

vulnerabilities/importers/debian.py

@@ -39,7 +39,7 @@
 
 class DebianImporter(Importer):
 
-    spdx_license_expression = "MIT"
+    spdx_license_expression = "LicenseRef-scancode-other-permissive"
     license_url = "https://www.debian.org/license"
     notice = """
     From: Tushar Goel <tgoel@nexb.com>

vulnerabilities/importers/debian_oval.py

@@ -16,7 +16,43 @@
 
 
 class DebianOvalImporter(OvalImporter):
-    spdx_license_expression = "LicenseRef-scancode-unknown"
+
+    spdx_license_expression = "LicenseRef-scancode-other-permissive"
+    license_url = "https://www.debian.org/license"
+    notice = """
+    From: Tushar Goel <tgoel@nexb.com>
+    Date: Thu, May 12, 2022 at 11:42 PM +00:00
+    Subject: Usage of Debian Security Data in VulnerableCode
+    To: <team@security.debian.org>
+    Hey,
+    We would like to integrate the debian security data in vulnerablecode
+    [1][2] which is a FOSS db of FOSS vulnerability data. We were not able
+    to know under which license the debian security data comes. We would
+    be grateful to have your acknowledgement over usage of the debian
+    security data in vulnerablecode and have some kind of licensing
+    declaration from your side.
+    [1] - https://github.com/nexB/vulnerablecode
+    [2] - https://github.com/nexB/vulnerablecode/pull/723
+    Regards,
+    From: Moritz Mühlenhoff <jmm@inutil.org>
+    Date: Wed, May 17, 2022, 19:12 PM +00:00
+    Subject: Re: Usage of Debian Security Data in VulnerableCode
+    To: Tushar Goel <tgoel@nexb.com>
+    Cc: <team@security.debian.org>
+    Am Thu, May 12, 2022 at 05:12:48PM +0530 schrieb Tushar Goel:
+    > Hey,
+    >
+    > We would like to integrate the debian security data in vulnerablecode
+    > [1][2] which is a FOSS db of FOSS vulnerability data. We were not able
+    > to know under which license the debian security data comes. We would
+    > be grateful to have your acknowledgement over usage of the debian
+    > security data in vulnerablecode and have some kind of licensing
+    > declaration from your side.
+    We don't have a specific license, but you have our endorsemen to
+    reuse the data by all means :-)
+    Cheers,
+        Moritz
+    """
 
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)

vulnerabilities/tests/test_github.py

@@ -26,9 +26,7 @@
 from vulnerabilities.importers.github import GitHubAPIImporter
 from vulnerabilities.importers.github import GitHubBasicImprover
 from vulnerabilities.importers.github import process_response
-from vulnerabilities.package_managers import PackageVersion
 from vulnerabilities.utils import GitHubTokenError
-from vulnerabilities.utils import resolve_version_range
 
 BASE_DIR = os.path.dirname(os.path.abspath(__file__))
 TEST_DATA = os.path.join(BASE_DIR, "test_data", "github_api")
@@ -54,35 +52,6 @@ def test_process_response_github_importer(pkg_type, regen=False):
     assert result == expected
 
 
-def test_resolve_version_range():
-    assert (["1.0.0", "2.0.0"], ["10.0.0"]) == resolve_version_range(
-        GemVersionRange(
-            constraints=(
-                VersionConstraint(comparator="<", version=RubygemsVersion(string="9.0.0")),
-            )
-        ),
-        [
-            "1.0.0",
-            "2.0.0",
-            "10.0.0",
-        ],
-        [],
-    )
-
-
-def test_resolve_version_range_failure(caplog):
-    assert ([], []) == resolve_version_range(
-        None,
-        [
-            PackageVersion(value="1.0.0"),
-            PackageVersion(value="2.0.0"),
-            PackageVersion(value="10.0.0"),
-        ],
-        [],
-    )
-    assert "affected version range is" in caplog.text
-
-
 def test_process_response_with_empty_vulnaribilities(caplog):
     list(process_response({"data": {"securityVulnerabilities": {"edges": []}}}, "maven"))
     assert "No vulnerabilities found for package_type: 'maven'" in caplog.text

vulnerabilities/tests/test_utils.py

@@ -8,10 +8,15 @@
 #
 
 from packageurl import PackageURL
+from univers.version_constraint import VersionConstraint
+from univers.version_range import GemVersionRange
+from univers.versions import RubygemsVersion
 
+from vulnerabilities.package_managers import PackageVersion
 from vulnerabilities.utils import AffectedPackage
 from vulnerabilities.utils import get_item
 from vulnerabilities.utils import nearest_patched_package
+from vulnerabilities.utils import resolve_version_range
 from vulnerabilities.utils import split_markdown_front_matter
 
 
@@ -96,3 +101,47 @@ def test_get_item():
     d5 = {"a": {"b": {"c": "d"}}}
     assert get_item(d5, "a", "b", "c", "d") == None
     assert get_item(d5, "a", "b", "c") == "d"
+
+
+def test_resolve_version_range():
+    assert (["1.0.0", "2.0.0"], ["10.0.0"]) == resolve_version_range(
+        GemVersionRange(
+            constraints=(
+                VersionConstraint(comparator="<", version=RubygemsVersion(string="9.0.0")),
+            )
+        ),
+        [
+            "1.0.0",
+            "2.0.0",
+            "10.0.0",
+        ],
+        [],
+    )
+
+
+def test_resolve_version_range_failure(caplog):
+    assert ([], []) == resolve_version_range(
+        None,
+        [
+            PackageVersion(value="1.0.0"),
+            PackageVersion(value="2.0.0"),
+            PackageVersion(value="10.0.0"),
+        ],
+        [],
+    )
+    assert "affected version range is" in caplog.text
+
+
+def test_resolve_version_range_without_ignorable_versions():
+    assert (["1.0.0", "2.0.0"], ["10.0.0"]) == resolve_version_range(
+        GemVersionRange(
+            constraints=(
+                VersionConstraint(comparator="<", version=RubygemsVersion(string="9.0.0")),
+            )
+        ),
+        [
+            "1.0.0",
+            "2.0.0",
+            "10.0.0",
+        ],
+    )

vulnerabilities/utils.py

@@ -318,7 +318,7 @@ def get_reference_id(url: str):
 def resolve_version_range(
     affected_version_range: VersionRange,
     package_versions: List[str],
-    ignorable_versions: List[str] = [],
+    ignorable_versions: List[str] = tuple(),
 ) -> Tuple[List[str], List[str]]:
     """
     Given an affected version range and a list of `package_versions`, resolve