Refactor PURL and status handling

Signed-off-by: Sampurna Pyne <sampurnapyne1710@gmail.com>

Author: Samk1710

vulnerabilities/pipelines/v2_importers/tuxcare_importer.py

@@ -1,3 +1,12 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
 import json
 import logging
 from typing import Iterable
@@ -39,46 +48,108 @@ def advisories_count(self) -> int:
         return len(self.response)
 
     def _create_purl(self, project_name: str, os_name: str) -> PackageURL:
+        normalized_os = os_name.lower().replace(" ", "-")
+        os_lower = os_name.lower()
+
+        os_mapping = {
+            "ubuntu": ("deb", "ubuntu"),
+            "debian": ("deb", "debian"),
+            "centos": ("rpm", "centos"),
+            "almalinux": ("rpm", "almalinux"),
+            "rhel": ("rpm", "rhel"),
+            "oracle": ("rpm", "oracle"),
+            "cloudlinux": ("rpm", "cloudlinux"),
+            "alpine": ("apk", "alpine"),
+            "unknown": ("generic", "tuxcare"),
+            "tuxcare": ("generic", "tuxcare"),
+        }
+
+        pkg_type = "generic"
+        namespace = "tuxcare"
+
+        for keyword, (ptype, pns) in os_mapping.items():
+            if keyword in os_lower:
+                pkg_type = ptype
+                namespace = pns
+                break
+        else:
+            return None
+
         qualifiers = {}
-        if os_name:
-            qualifiers["distro"] = os_name
+        if normalized_os:
+            qualifiers["distro"] = normalized_os
 
         return PackageURL(
-            type="generic", namespace="tuxcare", name=project_name, qualifiers=qualifiers
+            type=pkg_type, namespace=namespace, name=project_name, qualifiers=qualifiers
         )
 
     def collect_advisories(self) -> Iterable[AdvisoryData]:
         for record in self.response:
             cve_id = record.get("cve", "").strip()
             if not cve_id or not cve_id.startswith("CVE-"):
+                logger.warning(f"Skipping record with invalid CVE ID: {cve_id}")
                 continue
 
             os_name = record.get("os_name", "").strip()
             project_name = record.get("project_name", "").strip()
             version = record.get("version", "").strip()
             score = record.get("score", "").strip()
             severity = record.get("severity", "").strip()
+            status = record.get("status", "").strip()
             last_updated = record.get("last_updated", "").strip()
 
-            advisory_id = cve_id
+            if not all([os_name, project_name, version, status]):
+                logger.warning(f"Skipping {cve_id} - missing required fields")
+                continue
 
-            affected_packages = []
-            if project_name:
-                purl = self._create_purl(project_name, os_name)
+            # See https://docs.tuxcare.com/els-for-os/#cve-status-definition
+            non_affected_statuses = ["Not Vulnerable"]
+            affected_statuses = [
+                "Ignored",
+                "Needs Triage",
+                "In Testing",
+                "In Progress",
+                "In Rollout",
+            ]
+            fixed_statuses = ["Released", "Already Fixed"]
+
+            # Skip CVEs that are not vulnerable
+            if status in non_affected_statuses:
+                continue
 
-                affected_version_range = None
-                if version:
-                    try:
-                        affected_version_range = GenericVersionRange.from_versions([version])
-                    except ValueError as e:
-                        logger.warning(f"Failed to parse version {version} for {cve_id}: {e}")
+            if status not in affected_statuses and status not in fixed_statuses:
+                logger.warning(f"Skipping {cve_id} - unknown status: {status}")
+                continue
 
-                affected_packages.append(
-                    AffectedPackageV2(
-                        package=purl,
-                        affected_version_range=affected_version_range,
-                    )
+            normalized_os = os_name.lower().replace(" ", "-")
+            advisory_id = f"{cve_id}-{normalized_os}-{project_name.lower()}-{version}"
+
+            purl = self._create_purl(project_name, os_name)
+            if not purl:
+                logger.warning(f"Skipping {cve_id} - unexpected OS type: '{os_name}'")
+                continue
+
+            try:
+                version_range = GenericVersionRange.from_versions([version])
+            except ValueError as e:
+                logger.warning(f"Failed to parse version {version} for {cve_id}: {e}")
+                continue
+
+            affected_version_range = None
+            fixed_version_range = None
+
+            if status in affected_statuses:
+                affected_version_range = version_range
+            elif status in fixed_statuses:
+                fixed_version_range = version_range
+
+            affected_packages = [
+                AffectedPackageV2(
+                    package=purl,
+                    affected_version_range=affected_version_range,
+                    fixed_version_range=fixed_version_range,
                 )
+            ]
 
             severities = []
             if severity and score:
@@ -99,6 +170,7 @@ def collect_advisories(self) -> Iterable[AdvisoryData]:
 
             yield AdvisoryData(
                 advisory_id=advisory_id,
+                aliases=[cve_id],
                 affected_packages=affected_packages,
                 severities=severities,
                 date_published=date_published,

vulnerabilities/tests/pipelines/v2_importers/test_tuxcare_importer_v2.py

@@ -35,4 +35,4 @@ def test_collect_advisories(self, mock_fetch):
         expected_file = TEST_DATA / "expected.json"
         util_tests.check_results_against_json(advisories, expected_file)
 
-        assert pipeline.advisories_count() == 5
+        assert pipeline.advisories_count() == 13

vulnerabilities/tests/test_data/tuxcare/data.json

@@ -48,5 +48,85 @@
     "severity": "HIGH",
     "status": "In Progress",
     "last_updated": "2025-12-23 08:55:06.706873"
+  },
+  {
+    "cve": "CVE-2024-39502",
+    "os_name": "Unknown OS",
+    "project_name": "kernel",
+    "version": "2.6.32",
+    "score": "7.8",
+    "severity": "HIGH",
+    "status": "Needs Triage",
+    "last_updated": "2025-09-20 06:03:30.551756"
+  },
+  {
+    "cve": "CVE-2024-40927",
+    "os_name": "Unknown OS",
+    "project_name": "kernel",
+    "version": "2.6.32",
+    "score": "7.8",
+    "severity": "HIGH",
+    "status": "Needs Triage",
+    "last_updated": "2025-09-20 06:03:26.132106"
+  },
+  {
+    "cve": "CVE-2025-4517",
+    "os_name": "CentOS 8.4 ELS",
+    "project_name": "python2",
+    "version": "2.7.18",
+    "score": "7.6",
+    "severity": "HIGH",
+    "status": "Not Vulnerable",
+    "last_updated": "2025-12-22 16:43:49.287021"
+  },
+  {
+    "cve": "CVE-2025-43392",
+    "os_name": "TuxCare 9.6 ESU",
+    "project_name": "webkit2gtk3",
+    "version": "2.50.1",
+    "score": "6.5",
+    "severity": "MEDIUM",
+    "status": "In Testing",
+    "last_updated": "2025-12-20 04:26:48.737089"
+  },
+  {
+    "cve": "CVE-2023-50868",
+    "os_name": "CloudLinux 7 ELS",
+    "project_name": "dhcp",
+    "version": "4.2.5",
+    "score": "7.5",
+    "severity": "HIGH",
+    "status": "Already Fixed",
+    "last_updated": "2025-12-23 01:56:28.627699"
+  },
+  {
+    "cve": "CVE-2021-33193",
+    "os_name": "Unknown OS",
+    "project_name": "httpd",
+    "version": "2.2.15",
+    "score": "7.5",
+    "severity": "HIGH",
+    "status": "Ignored",
+    "last_updated": "2025-09-19 21:21:01.425783"
+  },
+  {
+    "cve": "CVE-2025-50093",
+    "os_name": "AlmaLinux 9.2 ESU",
+    "project_name": "mysql",
+    "version": "8.0.32",
+    "score": "4.9",
+    "severity": "MEDIUM",
+    "status": "Released",
+    "last_updated": "2025-12-22 17:11:15.409148"
+  },
+  {
+    "cve": "CVE-2025-64505",
+    "os_name": "CentOS 7 ELS",
+    "project_name": "libpng",
+    "version": "1.5.13",
+    "score": "4.4",
+    "severity": "MEDIUM",
+    "status": "In Rollout",
+    "last_updated": "2025-12-20 04:34:51.112485"
   }
 ]