aboutcode-org · janniclas · Jun 21, 2023 · Jun 21, 2023 · Jun 21, 2023 · Jul 14, 2023
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -2,6 +2,14 @@ Release notes
 =============
 
 
+Version v33.0.0
+-----------------
+
+- We have dropped ``unresolved_vulnerabilities`` from /api/package endpoint API response.
+- We have added missing quotes for href values in template.
+- We have fixed merge functionality of AffectedPackage.
+
+
 Version v32.0.1
 -----------------
 

diff --git a/SOURCES.rst b/SOURCES.rst
@@ -13,7 +13,7 @@
 +----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+
 |ruby            | https://github.com/rubysec/ruby-advisory-db.git                                                      |ruby gems                                           |
 +----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+
-|ubuntu          | https://people.canonical.com/~ubuntu-security/oval/                                                  |ubuntu packages                                     |
+|ubuntu          |                                                                                                      |ubuntu packages                                     |
 +----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+
 |retiredotnet    | https://github.com/RetireNet/Packages.git                                                            |.NET packages                                       |
 +----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+

diff --git a/setup.cfg b/setup.cfg
@@ -1,6 +1,6 @@
 [metadata]
 name = vulnerablecode
-version = 32.0.1
+version = 33.0.0
 license = Apache-2.0 AND CC-BY-SA-4.0
 
 # description must be on ONE line https://github.com/pypa/setuptools/issues/1390

diff --git a/vulnerabilities/api.py b/vulnerabilities/api.py
@@ -124,11 +124,6 @@ class PackageSerializer(serializers.HyperlinkedModelSerializer):
     Lookup software package using Package URLs
     """
 
-    def to_representation(self, instance):
-        data = super().to_representation(instance)
-        data["unresolved_vulnerabilities"] = data["affected_by_vulnerabilities"]
-        return data
-
     purl = serializers.CharField(source="package_url")
 
     affected_by_vulnerabilities = serializers.SerializerMethodField("get_affected_vulnerabilities")

diff --git a/vulnerabilities/importer.py b/vulnerabilities/importer.py
@@ -188,7 +188,7 @@ def merge(
             purls.add(pkg.package)
         if len(purls) > 1:
             raise UnMergeablePackageError("Cannot merge with different purls", purls)
-        return purls.pop(), sorted(affected_version_ranges), sorted(fixed_versions)
+        return purls.pop(), list(affected_version_ranges), sorted(fixed_versions)
 
     def to_dict(self):
         """
@@ -214,9 +214,12 @@ def from_dict(cls, affected_pkg: dict):
             affected_pkg["affected_version_range"]
             and affected_pkg["affected_version_range"] != "None"
         ):
-            affected_version_range = VersionRange.from_string(
-                affected_pkg["affected_version_range"]
-            )
+            try:
+                affected_version_range = VersionRange.from_string(
+                    affected_pkg["affected_version_range"]
+                )
+            except:
+                return None
         fixed_version = affected_pkg["fixed_version"]
         if fixed_version and affected_version_range:
             # TODO: revisit after https://github.com/nexB/univers/issues/10
@@ -270,7 +273,9 @@ def from_dict(cls, advisory_data):
             "aliases": advisory_data["aliases"],
             "summary": advisory_data["summary"],
             "affected_packages": [
-                AffectedPackage.from_dict(pkg) for pkg in advisory_data["affected_packages"]
+                AffectedPackage.from_dict(pkg)
+                for pkg in advisory_data["affected_packages"]
+                if pkg is not None
             ],
             "references": [Reference.from_dict(ref) for ref in advisory_data["references"]],
             "date_published": datetime.datetime.fromisoformat(date_published)

diff --git a/vulnerabilities/improvers/default.py b/vulnerabilities/improvers/default.py
@@ -94,11 +94,11 @@ def get_exact_purls(affected_package: AffectedPackage) -> Tuple[List[PackageURL]
     >>> assert expected == got
     """
 
-    vr = affected_package.affected_version_range
     # We need ``if c`` below because univers returns None as version
     # in case of vers:nginx/*
     # TODO: Revisit after https://github.com/nexB/univers/issues/33
     try:
+        vr = affected_package.affected_version_range
         affected_purls = []
         fixed_versions = []
         if vr:

diff --git a/vulnerabilities/models.py b/vulnerabilities/models.py
@@ -826,7 +826,9 @@ def to_advisory_data(self) -> AdvisoryData:
         return AdvisoryData(
             aliases=self.aliases,
             summary=self.summary,
-            affected_packages=[AffectedPackage.from_dict(pkg) for pkg in self.affected_packages],
+            affected_packages=[
+                AffectedPackage.from_dict(pkg) for pkg in self.affected_packages if pkg is not None
+            ],
             references=[Reference.from_dict(ref) for ref in self.references],
             date_published=self.date_published,
             weaknesses=self.weaknesses,

diff --git a/vulnerabilities/templates/package_details.html b/vulnerabilities/templates/package_details.html
@@ -66,7 +66,7 @@
                                 <td>
                                     {% for alias in vulnerability.alias %}
                                         {% if alias.url %}
-                                            <a href={{ alias.url }} target="_blank">{{ alias }}<i class="fa fa-external-link fa_link_custom"></i></a>
+                                            <a href="{{ alias.url }}" target="_blank">{{ alias }}<i class="fa fa-external-link fa_link_custom"></i></a>
                                             <br />
                                         {% else %}
                                             {{ alias }}
@@ -113,7 +113,7 @@
                                 <td>
                                     {% for alias in vulnerability.alias %}
                                         {% if alias.url %}
-                                            <a href={{ alias.url }} target="_blank">{{ alias }}<i class="fa fa-external-link fa_link_custom"></i></a>
+                                            <a href="{{ alias.url }}" target="_blank">{{ alias }}<i class="fa fa-external-link fa_link_custom"></i></a>
                                             <br />
                                         {% else %}
                                             {{ alias }}

diff --git a/vulnerabilities/templates/vulnerabilities.html b/vulnerabilities/templates/vulnerabilities.html
@@ -48,7 +48,7 @@
                             <td>
                                 {% for alias in vulnerability.alias %}
                                     {% if alias.url %}
-                                        <a href={{ alias.url }} target="_blank">{{ alias }}
+                                        <a href="{{ alias.url }}" target="_blank">{{ alias }}
                                             <i class="fa fa-external-link fa_link_custom"></i>
                                         </a>
                                     {% else %}

diff --git a/vulnerabilities/templates/vulnerability_details.html b/vulnerabilities/templates/vulnerability_details.html
@@ -68,7 +68,7 @@
                                     <td class="two-col-right">
                                         {% for alias in aliases %}
                                             {% if alias.url %}
-                                                <a href={{ alias.url }} target="_blank">{{ alias }}<i class="fa fa-external-link fa_link_custom"></i></a>
+                                                <a href="{{ alias.url }}" target="_blank">{{ alias }}<i class="fa fa-external-link fa_link_custom"></i></a>
                                             {% else %}
                                                 {{ alias }}
                                             {% endif %}

diff --git a/vulnerabilities/tests/test_affected_package.py b/vulnerabilities/tests/test_affected_package.py
@@ -57,6 +57,19 @@ def test_affected_package_merge():
                 ),
             ),
             AffectedPackage(package=PackageURL(type="npm", name="foo"), fixed_version="2.0.0"),
+            AffectedPackage(
+                package=PackageURL(type="npm", name="foo"),
+                affected_version_range=GemVersionRange(
+                    constraints=(
+                        VersionConstraint(
+                            comparator=">=", version=RubygemsVersion(string="10.2.0")
+                        ),
+                        VersionConstraint(
+                            comparator="<=", version=RubygemsVersion(string="10.5.0")
+                        ),
+                    )
+                ),
+            ),
         ]
     )
     expected = (
@@ -69,7 +82,13 @@ def test_affected_package_merge():
                     VersionConstraint(comparator=">=", version=RubygemsVersion(string="5.2.0")),
                     VersionConstraint(comparator="<=", version=RubygemsVersion(string="5.2.6.2")),
                 )
-            )
+            ),
+            GemVersionRange(
+                constraints=(
+                    VersionConstraint(comparator=">=", version=RubygemsVersion(string="10.2.0")),
+                    VersionConstraint(comparator="<=", version=RubygemsVersion(string="10.5.0")),
+                )
+            ),
         ],
         ["1.0.0", "2.0.0"],
     )

diff --git a/vulnerabilities/tests/test_api.py b/vulnerabilities/tests/test_api.py
@@ -362,16 +362,6 @@ def test_api_with_single_vulnerability_and_fixed_package(self):
                     "aliases": ["CVE-2029-1234"],
                 },
             ],
-            "unresolved_vulnerabilities": [
-                {
-                    "url": f"http://testserver/api/vulnerabilities/{self.vuln1.id}",
-                    "vulnerability_id": self.vuln1.vulnerability_id,
-                    "summary": "test-vuln1",
-                    "references": [],
-                    "fixed_packages": [],
-                    "aliases": ["CVE-2019-1234", "GMS-1234-4321"],
-                }
-            ],
         }
 
     def test_api_with_single_vulnerability_and_vulnerable_package(self):
@@ -402,22 +392,6 @@ def test_api_with_single_vulnerability_and_vulnerable_package(self):
                 }
             ],
             "fixing_vulnerabilities": [],
-            "unresolved_vulnerabilities": [
-                {
-                    "url": f"http://testserver/api/vulnerabilities/{self.vuln.id}",
-                    "vulnerability_id": self.vuln.vulnerability_id,
-                    "summary": "test-vuln",
-                    "references": [],
-                    "fixed_packages": [
-                        {
-                            "url": f"http://testserver/api/packages/{self.package.id}",
-                            "purl": "pkg:generic/nginx/test@11",
-                            "is_vulnerable": True,
-                        }
-                    ],
-                    "aliases": ["CVE-2029-1234"],
-                }
-            ],
         }
 
     def test_api_with_all_vulnerable_packages(self):

diff --git a/vulnerabilities/tests/test_data/github_api/inference-expected.json b/vulnerabilities/tests/test_data/github_api/inference-expected.json
@@ -424,5 +424,67 @@
       }
     ],
     "weaknesses": []
+  },
+  {
+    "vulnerability_id": null,
+    "aliases": [
+      "CVE-2022-21831",
+      "GHSA-w749-p3v6-hccq"
+    ],
    "confidence": 100,
+    "summary": "Possible code injection vulnerability in Rails / Active Storage",
+    "affected_purls": [
+      {
+        "type": "gem",
+        "namespace": null,
+        "name": "activestorage",
+        "version": "10.2.1",
+        "qualifiers": null,
+        "subpath": null
+      },
+      {
+        "type": "gem",
+        "namespace": null,
+        "name": "activestorage",
+        "version": "10.2.8",
+        "qualifiers": null,
+        "subpath": null
+      }
+    ],
+    "fixed_purl": null,
+    "references": [
+      {
+        "reference_id": "",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21831",
+        "severities": []
+      },
+      {
+        "reference_id": "",
+        "url": "https://github.com/rails/rails/commit/0a72f7d670e9aa77a0bb8584cb1411ddabb7546e",
+        "severities": []
+      },
+      {
+        "reference_id": "",
+        "url": "https://groups.google.com/g/rubyonrails-security/c/n-p-W1yxatI",
+        "severities": []
+      },
+      {
+        "reference_id": "",
+        "url": "https://rubysec.com/advisories/CVE-2022-21831/",
+        "severities": []
+      },
+      {
+        "reference_id": "GHSA-w749-p3v6-hccq",
+        "url": "https://github.com/advisories/GHSA-w749-p3v6-hccq",
+        "severities": [
+          {
+            "system": "cvssv3.1_qr",
+            "value": "HIGH",
+            "scoring_elements": ""
+          }
+        ]
+      }
+    ],
+    "weaknesses": []
   }
 ]
diff --git a/vulnerabilities/tests/test_default_improver.py b/vulnerabilities/tests/test_default_improver.py
@@ -17,6 +17,7 @@
 from vulnerabilities.importer import Reference
 from vulnerabilities.improver import Inference
 from vulnerabilities.improvers.default import DefaultImprover
+from vulnerabilities.improvers.default import get_exact_purls
 from vulnerabilities.tests import util_tests
 
 BASE_DIR = os.path.dirname(os.path.abspath(__file__))
@@ -136,3 +137,21 @@ def test_default_improver_with_nvd():
         for data in list(default_improver.get_inferences(AdvisoryData.from_dict(advisory_data)))
     ]
     util_tests.check_results_against_json(result, expected_file)
+
+
+def test_default_improver_invalid_version():
+    pkg_dict = PackageURL(
+        type="rpm",
+        namespace="rpms",
+        name="python",
+        qualifiers={},
+        subpath=None,
+    ).to_dict()
+    pkg = {
+        "package": pkg_dict,
+        "affected_version_range": "vers:apache/",  # This is currently returned from vulnerabilities.importers.apache_httpd.ApacheHTTPDImporter
+        "fixed_version": None,
+    }
+    affected_package = AffectedPackage.from_dict(pkg)
+
+    assert get_exact_purls(affected_package) == ([], [])
diff --git a/vulnerabilities/tests/test_github.py b/vulnerabilities/tests/test_github.py
@@ -172,6 +172,8 @@ def valid_versions():
         "6.0.3.4",
         "6.0.3.rc1",
         "6.0.2.rc2",
+        "10.2.8",
+        "10.2.1",
     ]
 
 
@@ -203,7 +205,27 @@ def test_github_improver(mock_response, regen=REGEN):
                     )
                 ),
                 fixed_version=None,
-            )
+            ),
+            AffectedPackage(
+                package=PackageURL(
+                    type="gem",
+                    namespace=None,
+                    name="activestorage",
+                    version=None,
+                    qualifiers={},
+                    subpath=None,
+                ),
+                affected_version_range=GemVersionRange(
+                    constraints=(
+                        VersionConstraint(
+                            comparator=">=", version=RubygemsVersion(string="10.2.0")
+                        ),
+                        VersionConstraint(
+                            comparator="<=", version=RubygemsVersion(string="10.2.8")
+                        ),
+                    )
+                ),
+            ),
         ],
         references=[
             Reference(

diff --git a/vulnerablecode/__init__.py b/vulnerablecode/__init__.py
@@ -12,7 +12,7 @@
 import warnings
 from pathlib import Path
 
-__version__ = "32.0.1"
+__version__ = "33.0.0"
 
 
 def command_line():