Update the model to store commit hash if unsupported

Signed-off-by: ziad hany <ziadhany2016@gmail.com>

Author: ziadhany

vulnerabilities/models.py

@@ -2664,13 +2664,15 @@ class AdvisoryReference(models.Model):
 
     ADVISORY = "advisory"
     EXPLOIT = "exploit"
+    COMMIT = "commit"
     MAILING_LIST = "mailing_list"
     BUG = "bug"
     OTHER = "other"
 
     REFERENCE_TYPES = [
         (ADVISORY, "Advisory"),
         (EXPLOIT, "Exploit"),
+        (COMMIT, "Commit"),
         (MAILING_LIST, "Mailing List"),
         (BUG, "Bug"),
         (OTHER, "Other"),

vulnerabilities/pipelines/v2_importers/aosp_importer.py

@@ -19,6 +19,7 @@
 from vulnerabilities.importer import AffectedPackageV2
 from vulnerabilities.importer import PackageCommitPatchData
 from vulnerabilities.importer import PatchData
+from vulnerabilities.importer import ReferenceV2
 from vulnerabilities.importer import VulnerabilitySeverity
 from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipelineV2
 from vulnerabilities.pipes.advisory import classify_patch_source
@@ -84,26 +85,28 @@ def collect_advisories(self):
 
                 patches = []
                 affected_packages = []
+                references = []
                 for commit_data in vulnerability_data.get("fixes", []):
                     patch_url = commit_data.get("patchUrl")
                     commit_id = commit_data.get("commitId")
 
-                    base_purl, patch_obj_list = classify_patch_source(
-                        vcs_url=None,
+                    base_purl, patch_obj = classify_patch_source(
+                        url=patch_url,
                         commit_hash=commit_id,
-                        patch_url=patch_url,
                         patch_text=None,
                     )
-                    for patch_obj in patch_obj_list:
-                        if isinstance(patch_obj, PackageCommitPatchData):
-                            fixed_commit = patch_obj
-                            affected_package = AffectedPackageV2(
-                                package=base_purl,
-                                fixed_by_commit_patches=[fixed_commit],
-                            )
-                            affected_packages.append(affected_package)
-                        elif isinstance(patch_obj, PatchData):
-                            patches.append(patch_obj)
+
+                    if isinstance(patch_obj, PackageCommitPatchData):
+                        fixed_commit = patch_obj
+                        affected_package = AffectedPackageV2(
+                            package=base_purl,
+                            fixed_by_commit_patches=[fixed_commit],
+                        )
+                        affected_packages.append(affected_package)
+                    elif isinstance(patch_obj, PatchData):
+                        patches.append(patch_obj)
+                    elif isinstance(patch_obj, ReferenceV2):
+                        references.append(patch_obj)
 
                 url = (
                     "https://raw.githubusercontent.com/quarkslab/aosp_dataset/refs/heads/master/cves/"
@@ -116,6 +119,7 @@ def collect_advisories(self):
                     affected_packages=affected_packages,
                     severities=severities,
                     patches=patches,
+                    references_v2=references,
                     date_published=date_published,
                     url=url,
                 )

vulnerabilities/pipes/advisory.py

@@ -27,6 +27,7 @@
 from vulnerabilities.importer import AdvisoryData
 from vulnerabilities.importer import PackageCommitPatchData
 from vulnerabilities.importer import PatchData
+from vulnerabilities.importer import ReferenceV2
 from vulnerabilities.improver import MAX_CONFIDENCE
 from vulnerabilities.models import Advisory
 from vulnerabilities.models import AdvisoryAlias
@@ -174,61 +175,31 @@ def get_or_create_advisory_patches(
 VCS_URLS_SUPPORTED_TYPES = {"github", "bitbucket", "gitlab"}
 
 
-def classify_patch_source(vcs_url, commit_hash, patch_text, patch_url):
+def classify_patch_source(url, commit_hash, patch_text):
     """Classify a patch as a PackageCommitPatchData or PatchData using provided args."""
-    purl = None
+    if not url:
+        if not patch_text:
+            return
 
-    if patch_url:
-        purl = url2purl(patch_url)
+        return None, PatchData(patch_text=patch_text)
 
-    if not purl or (purl.type not in VCS_URLS_SUPPORTED_TYPES) or (not purl.version and vcs_url):
-        purl = url2purl(vcs_url)
-
-    if not purl:
-        return None, [
-            PatchData(
-                patch_text=patch_text,
-                patch_url=patch_url,
+    purl = url2purl(url)
+    if not purl or (purl.type not in VCS_URLS_SUPPORTED_TYPES):
+        if commit_hash:
+            return None, ReferenceV2(
+                reference_id=commit_hash, reference_type=AdvisoryReference.COMMIT, url=url
             )
-        ]
+        return None, PatchData(patch_url=url, patch_text=patch_text)
+
+    if not commit_hash and not purl.version:
+        return None, PatchData(patch_url=url, patch_text=patch_text or None)
 
     base_purl = get_core_purl(purl)
-    purl_string = base_purl.to_string()
-
-    vcs_url_p = purl2url(purl_string)
-    commit_hash_p = purl.version
-
-    final_vcs_url = vcs_url or vcs_url_p
-    final_commit_hash = commit_hash or commit_hash_p
-
-    if (
-        final_vcs_url
-        and final_commit_hash
-        and is_commit(final_commit_hash)
-        and purl.type in VCS_URLS_SUPPORTED_TYPES
-    ):
-        purl = PackageURL(
-            type=purl.type, namespace=purl.namespace, name=purl.name, version=final_commit_hash
-        )
-        final_patch_url = patch_url or purl2url(str(purl))
-        return base_purl, [
-            PackageCommitPatchData(
-                vcs_url=final_vcs_url,
-                commit_hash=final_commit_hash,
-                patch_text=patch_text,
-            ),
-            PatchData(
-                patch_text=patch_text,
-                patch_url=final_patch_url,
-            ),
-        ]
-
-    return None, [
-        PatchData(
-            patch_url=patch_url or final_vcs_url,
-            patch_text=patch_text,
-        )
-    ]
+    base_purl_str = base_purl.to_string()
+    base_url = purl2url(base_purl_str)
+    return base_purl, PackageCommitPatchData(
+        vcs_url=base_url, commit_hash=purl.version or commit_hash, patch_text=patch_text or None
+    )
 
 
 def insert_advisory(advisory: AdvisoryData, pipeline_id: str, logger: Callable = None):

vulnerabilities/tests/test_data/aosp/CVE-aosp_test2-expected.json

@@ -4,14 +4,14 @@
     "aliases": [],
     "summary": "Remote Code Execution Vulnerability",
     "affected_packages": [],
-    "references_v2": [],
-    "patches": [
+    "references_v2": [
       {
-        "patch_url": "https://android.googlesource.com/platform/system/bt/+/6ecbbc093f4383e90cbbf681cd55da1303a8ef94",
-        "patch_text": null,
-        "patch_checksum": null
+        "reference_id": "6ecbbc093f4383e90cbbf681cd55da1303a8ef94",
+        "reference_type": "commit",
+        "url": "https://android.googlesource.com/platform/system/bt/+/6ecbbc093f4383e90cbbf681cd55da1303a8ef94"
       }
     ],
+    "patches": [],
     "severities": [
       {
         "system": "generic_textual",

vulnerabilities/tests/test_data/aosp/CVE-aosp_test3-expected.json

@@ -27,13 +27,7 @@
       }
     ],
     "references_v2": [],
-    "patches": [
-      {
-        "patch_url": "https://github.com/torvalds/linux/commit/0048b4837affd153897ed1222283492070027aa9",
-        "patch_text": null,
-        "patch_checksum": null
-      }
-    ],
+    "patches": [],
     "severities": [
       {
         "system": "generic_textual",

vulnerabilities/tests/test_data/aosp/CVE-aosp_test4-expected.json

@@ -4,64 +4,64 @@
     "aliases": [],
     "summary": "Elevation of Privilege Vulnerability",
     "affected_packages": [],
-    "references_v2": [],
-    "patches": [
+    "references_v2": [
       {
-        "patch_url": "https://android.googlesource.com/kernel/common/+/c22e479e335628ce8766cfbf06e2ba17e8f9a1bb",
-        "patch_text": null,
-        "patch_checksum": null
+        "reference_id": "c22e479e335628ce8766cfbf06e2ba17e8f9a1bb",
+        "reference_type": "commit",
+        "url": "https://android.googlesource.com/kernel/common/+/c22e479e335628ce8766cfbf06e2ba17e8f9a1bb"
       },
       {
-        "patch_url": "https://android.googlesource.com/kernel/common/+/1b627d4e5e61e89b840f77abb3ca6711ad6ffbeb",
-        "patch_text": null,
-        "patch_checksum": null
+        "reference_id": "1b627d4e5e61e89b840f77abb3ca6711ad6ffbeb",
+        "reference_type": "commit",
+        "url": "https://android.googlesource.com/kernel/common/+/1b627d4e5e61e89b840f77abb3ca6711ad6ffbeb"
       },
       {
-        "patch_url": "https://android.googlesource.com/kernel/common/+/4c941665c7368a34b146929b31949555e680a4ee",
-        "patch_text": null,
-        "patch_checksum": null
+        "reference_id": "4c941665c7368a34b146929b31949555e680a4ee",
+        "reference_type": "commit",
+        "url": "https://android.googlesource.com/kernel/common/+/4c941665c7368a34b146929b31949555e680a4ee"
       },
       {
-        "patch_url": "https://android.googlesource.com/kernel/common/+/758f0dac9104b46016af98304656a0268ac3e105",
-        "patch_text": null,
-        "patch_checksum": null
+        "reference_id": "758f0dac9104b46016af98304656a0268ac3e105",
+        "reference_type": "commit",
+        "url": "https://android.googlesource.com/kernel/common/+/758f0dac9104b46016af98304656a0268ac3e105"
       },
       {
-        "patch_url": "https://android.googlesource.com/kernel/common/+/44d057a37868a60bc2eb6e7d1dcea701f234d56a",
-        "patch_text": null,
-        "patch_checksum": null
+        "reference_id": "44d057a37868a60bc2eb6e7d1dcea701f234d56a",
+        "reference_type": "commit",
+        "url": "https://android.googlesource.com/kernel/common/+/44d057a37868a60bc2eb6e7d1dcea701f234d56a"
       },
       {
-        "patch_url": "https://android.googlesource.com/kernel/common/+/b9b9f908c8ae82b73b9d75181982028b6bc06c2b",
-        "patch_text": null,
-        "patch_checksum": null
+        "reference_id": "b9b9f908c8ae82b73b9d75181982028b6bc06c2b",
+        "reference_type": "commit",
+        "url": "https://android.googlesource.com/kernel/common/+/b9b9f908c8ae82b73b9d75181982028b6bc06c2b"
       },
       {
-        "patch_url": "https://android.googlesource.com/kernel/common/+/e068734f9e7344997a61022629b92d142a985ab3",
-        "patch_text": null,
-        "patch_checksum": null
+        "reference_id": "e068734f9e7344997a61022629b92d142a985ab3",
+        "reference_type": "commit",
+        "url": "https://android.googlesource.com/kernel/common/+/e068734f9e7344997a61022629b92d142a985ab3"
       },
       {
-        "patch_url": "https://android.googlesource.com/kernel/common/+/fdc6c1052bc7d89a5826904fbb4318677e8442ce",
-        "patch_text": null,
-        "patch_checksum": null
+        "reference_id": "fdc6c1052bc7d89a5826904fbb4318677e8442ce",
+        "reference_type": "commit",
+        "url": "https://android.googlesource.com/kernel/common/+/fdc6c1052bc7d89a5826904fbb4318677e8442ce"
       },
       {
-        "patch_url": "https://android.googlesource.com/kernel/common/+/211d59c0034ec9d88690c750ccd6da27f6952dc5",
-        "patch_text": null,
-        "patch_checksum": null
+        "reference_id": "211d59c0034ec9d88690c750ccd6da27f6952dc5",
+        "reference_type": "commit",
+        "url": "https://android.googlesource.com/kernel/common/+/211d59c0034ec9d88690c750ccd6da27f6952dc5"
       },
       {
-        "patch_url": "https://android.googlesource.com/kernel/common/+/c9e31d5a4747e9967ace6d05896c78516c4c0850",
-        "patch_text": null,
-        "patch_checksum": null
+        "reference_id": "c9e31d5a4747e9967ace6d05896c78516c4c0850",
+        "reference_type": "commit",
+        "url": "https://android.googlesource.com/kernel/common/+/c9e31d5a4747e9967ace6d05896c78516c4c0850"
       },
       {
-        "patch_url": "https://android.googlesource.com/kernel/common/+/e01834bfbafd25fd392bf10014451c4e5f34f829",
-        "patch_text": null,
-        "patch_checksum": null
+        "reference_id": "e01834bfbafd25fd392bf10014451c4e5f34f829",
+        "reference_type": "commit",
+        "url": "https://android.googlesource.com/kernel/common/+/e01834bfbafd25fd392bf10014451c4e5f34f829"
       }
     ],
+    "patches": [],
     "severities": [
       {
         "system": "generic_textual",

vulnerabilities/tests/test_data/aosp/CVE-aosp_test5-expected.json

@@ -4,13 +4,14 @@
     "aliases": [],
     "summary": "Elevation of Privilege Vulnerability",
     "affected_packages": [],
-    "references_v2": [],
-    "patches": [
+    "references_v2": [
       {
-        "patch_url": "https://android.googlesource.com/platform/external/wpa_supplicant_8/+/c66556ca2473620df9751e73eb97ec50a40ffd3e",
-        "patch_text": null,
-        "patch_checksum": null
-      },
+        "reference_id": "c66556ca2473620df9751e73eb97ec50a40ffd3e",
+        "reference_type": "commit",
+        "url": "https://android.googlesource.com/platform/external/wpa_supplicant_8/+/c66556ca2473620df9751e73eb97ec50a40ffd3e"
+      }
+    ],
+    "patches": [
       {
         "patch_url": "https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=776f17c87599fae3202e69bb5718ac9062f14695",
         "patch_text": null,