Refactor the code for postgresql_live importer

Signed-off-by: ziad hany <ziadhany2016@gmail.com>

Author: ziadhany

vulnerabilities/importers/__init__.py

@@ -67,13 +67,13 @@
 from vulnerabilities.pipelines.v2_importers import oss_fuzz as oss_fuzz_v2
 from vulnerabilities.pipelines.v2_importers import postgresql_importer as postgresql_importer_v2
 from vulnerabilities.pipelines.v2_importers import (
-    project_kb_msr2019_importer as project_kb_msr2019_importer_v2,
+    postgresql_live_importer as postgresql_live_importer_v2,
 )
 from vulnerabilities.pipelines.v2_importers import (
-    project_kb_statements_importer as project_kb_statements_importer_v2,
+    project_kb_msr2019_importer as project_kb_msr2019_importer_v2,
 )
 from vulnerabilities.pipelines.v2_importers import (
-    postgresql_live_importer as postgresql_live_importer_v2,
+    project_kb_statements_importer as project_kb_statements_importer_v2,
 )
 from vulnerabilities.pipelines.v2_importers import pypa_importer as pypa_importer_v2
 from vulnerabilities.pipelines.v2_importers import pysec_importer as pysec_importer_v2

vulnerabilities/pipelines/v2_importers/postgresql_live_importer.py

@@ -9,10 +9,10 @@
 from typing import Iterable
 
 from packageurl import PackageURL
-from univers.versions import GenericVersion
+from univers.versions import InvalidVersion
 from univers.versions import SemverVersion
 
-from vulnerabilities.importer import AdvisoryData
+from vulnerabilities.importer import AdvisoryDataV2
 from vulnerabilities.pipelines.v2_importers.postgresql_importer import PostgreSQLImporterPipeline
 
 logger = logging.getLogger(__name__)
@@ -49,54 +49,29 @@ def get_purl_inputs(self):
                 f"PURL: {purl!s} is not among the supported package types {self.supported_types!r}"
             )
 
-        if purl.name != "postgresql":
-            raise ValueError(f"PURL: {purl!s} is expected to be for 'postgresql'")
-
         if not purl.version:
             raise ValueError(f"PURL: {purl!s} is expected to have a version")
-
         self.purl = purl
 
-    def collect_advisories(self) -> Iterable[AdvisoryData]:
+    def collect_advisories(self) -> Iterable[AdvisoryDataV2]:
         for advisory in super().collect_advisories():
-            if self._advisory_affects_purl(advisory):
+            if self._advisory_related_purl(advisory):
                 yield advisory
 
-    def _advisory_affects_purl(self, advisory: AdvisoryData) -> bool:
+    def _advisory_related_purl(self, advisory: AdvisoryDataV2) -> bool:
         if not advisory.affected_packages:
             return False
 
         try:
-            package_semver_version = SemverVersion(self.purl.version)
-            package_generic_version = GenericVersion(self.purl.version)
-        except Exception as e:
+            package_version = SemverVersion(self.purl.version)
+        except InvalidVersion as e:
             logger.debug(f"Invalid PURL version {self.purl.version!r}: {e}")
             return False
 
         for ap in advisory.affected_packages:
-            if ap.package.type != "generic" or ap.package.name != "postgresql":
-                continue
-
-            purl_q = self.purl.qualifiers or None
-            ap_q = ap.package.qualifiers or None
-
-            if purl_q is None and ap_q is None:
-                qualifiers_match = True
-            else:
-                qualifiers_match = all(ap_q.get(k) == v for k, v in purl_q.items())
-
-            if not qualifiers_match:
-                continue
-
-            try:
-                if getattr(ap, "affected_version_range", None):
-                    if package_semver_version in ap.affected_version_range:
-                        return True
-                elif getattr(ap, "fixed_version", None):
-                    if package_generic_version < ap.fixed_version:
-                        return True
-            except Exception as e:
-                logger.debug(f"Version comparison failed for {package_semver_version}: {e}")
-                continue
+            if (ap.affected_version_range and package_version in ap.affected_version_range) or (
+                ap.fixed_version_range and package_version in ap.fixed_version_range
+            ):
+                return True
 
         return False

vulnerabilities/tests/pipelines/v2_importers/test_postgresql_live_importer_v2.py

@@ -8,7 +8,6 @@
 import requests
 from packageurl import PackageURL
 
-from vulnerabilities.importer import AdvisoryData
 from vulnerabilities.pipelines.v2_importers.postgresql_live_importer import (
     PostgreSQLLiveImporterPipeline,
 )
@@ -48,55 +47,69 @@ def test_affected_version(monkeypatch):
     pipeline = PostgreSQLLiveImporterPipeline(purl=purl)
     pipeline.get_purl_inputs()
     advisories = list(pipeline.collect_advisories())
-
-    assert len(advisories) == 1
-    adv = advisories[0]
-    assert isinstance(adv, AdvisoryData)
-    assert adv.advisory_id == "CVE-2022-1234"
+    assert [adv.to_dict() for adv in advisories] == [
+        {
+            "advisory_id": "CVE-2022-1234",
+            "affected_packages": [
+                {
+                    "affected_version_range": "vers:generic/10.0.0|10.1.0",
+                    "fixed_by_commit_patches": [],
+                    "fixed_version_range": "vers:generic/10.2.0",
+                    "introduced_by_commit_patches": [],
+                    "package": {
+                        "name": "postgresql",
+                        "namespace": "",
+                        "qualifiers": "",
+                        "subpath": "",
+                        "type": "generic",
+                        "version": "",
+                    },
+                }
+            ],
+            "aliases": [],
+            "date_published": None,
+            "patches": [],
+            "references": [
+                {
+                    "reference_id": "",
+                    "reference_type": "",
+                    "url": "https://www.postgresql.org/support/security/CVE-2022-1234/",
+                },
+                {
+                    "reference_id": "",
+                    "reference_type": "",
+                    "url": "https://www.postgresql.org/about/news/postgresql-175-169-1513-1418-and-1321-released-3072/",
+                },
+            ],
+            "severities": [
+                {
+                    "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+                    "system": "cvssv3",
+                    "value": "9.8",
+                }
+            ],
+            "summary": "Issue affects all",
+            "url": "https://www.postgresql.org/support/security/",
+            "weaknesses": [],
+        }
+    ]
 
 
 def test_unaffected_version(monkeypatch):
     html = HTML_BASE.format(affected="10.0, 10.1", fixed="10.2", summary="Issue affects all")
     monkeypatch.setattr(requests, "get", lambda url: DummyResponse(html))
 
-    purl = PackageURL(type="generic", name="postgresql", version="10.2")
+    purl = PackageURL(type="generic", name="postgresql", version="14.3")
     pipeline = PostgreSQLLiveImporterPipeline(purl=purl)
     pipeline.get_purl_inputs()
     advisories = list(pipeline.collect_advisories())
 
     assert len(advisories) == 0
 
 
-def test_qualifier_filtering(monkeypatch):
-    html = HTML_BASE.format(affected="12.0, 12.1", fixed="12.2", summary="Windows-specific issue")
-    monkeypatch.setattr(requests, "get", lambda url: DummyResponse(html))
-
-    purl = PackageURL(
-        type="generic", name="postgresql", version="12.1", qualifiers={"os": "windows"}
-    )
-    pipeline = PostgreSQLLiveImporterPipeline(purl=purl)
-    pipeline.get_purl_inputs()
-    advisories = list(pipeline.collect_advisories())
-    assert len(advisories) == 1
-
-    purl = PackageURL(type="generic", name="postgresql", version="12.1", qualifiers={"os": "linux"})
-    pipeline = PostgreSQLLiveImporterPipeline(purl=purl)
-    pipeline.get_purl_inputs()
-    advisories = list(pipeline.collect_advisories())
-    assert len(advisories) == 0
-
-
 def test_invalid_purl():
     pipeline = PostgreSQLLiveImporterPipeline()
 
     pipeline.inputs = {"purl": "pkg:pypi/postgresql@10.1"}
     with pytest.raises(ValueError):
         pipeline.get_purl_inputs()
-
-    pipeline.inputs = {"purl": "pkg:generic/notpostgresql@10.1"}
-    with pytest.raises(ValueError):
-        pipeline.get_purl_inputs()
-
-    pipeline.inputs = {"purl": "pkg:generic/postgresql"}
-    with pytest.raises(ValueError):
-        pipeline.get_purl_inputs()