|
13 | 13 | from django.test import TestCase |
14 | 14 | from fetchcode.package_versions import PackageVersion |
15 | 15 | from packageurl import PackageURL |
| 16 | +import pytest |
16 | 17 | from univers.version_constraint import VersionConstraint |
17 | 18 | from univers.version_range import GemVersionRange |
18 | 19 | from univers.version_range import VersionRange |
|
24 | 25 | from vulnerabilities.importer import PackageCommitPatchData |
25 | 26 | from vulnerabilities.importer import PatchData |
26 | 27 | from vulnerabilities.importer import VulnerabilitySeverity |
27 | | -from vulnerabilities.models import AdvisoryV2 |
| 28 | +from vulnerabilities.models import AdvisoryAlias, AdvisoryV2 |
28 | 29 | from vulnerabilities.pipelines import insert_advisory_v2 |
29 | 30 | from vulnerabilities.references import XsaReferenceV2 |
30 | 31 | from vulnerabilities.references import ZbxReferenceV2 |
31 | 32 | from vulnerabilities.tests.pipelines import TestLogger |
32 | | -from vulnerabilities.utils import AffectedPackage |
| 33 | +from vulnerabilities.utils import AffectedPackage, relate_aliases_with_advisories |
33 | 34 | from vulnerabilities.utils import get_item |
34 | 35 | from vulnerabilities.utils import get_severity_range |
35 | 36 | from vulnerabilities.utils import nearest_patched_package |
@@ -262,3 +263,156 @@ def test_content_id_from_adv_data_roundtrip_are_same(self): |
262 | 263 | id_from_roundtrip = utils.compute_content_id_v2(adv_roundtrip) |
263 | 264 |
|
264 | 265 | self.assertEqual(id_from_data, id_from_roundtrip) |
| 266 | + |
| 267 | + |
| 268 | +@pytest.mark.django_db |
| 269 | +def test_returns_advisories_from_alias(): |
| 270 | + advisory = AdvisoryV2.objects.create( |
| 271 | + advisory_id="GHSA-123", |
| 272 | + datasource_id="ds", |
| 273 | + pipeline_id="ds_importer_v2", |
| 274 | + unique_content_id="i3giu", |
| 275 | + url="https://test.com", |
| 276 | + avid="GHSA-123", |
| 277 | + is_latest=True, |
| 278 | + _all_impacts_unfurled_at="2025-01-01", |
| 279 | + ) |
| 280 | + |
| 281 | + alias = AdvisoryAlias.objects.create(alias="CVE-2025-123") |
| 282 | + alias.advisories.add(advisory) |
| 283 | + |
| 284 | + result = relate_aliases_with_advisories(["CVE-2025-123"]) |
| 285 | + |
| 286 | + assert result == {advisory} |
| 287 | + |
| 288 | + |
| 289 | +@pytest.mark.django_db |
| 290 | +def test_returns_latest_advisory_from_advisory_id(): |
| 291 | + advisory = AdvisoryV2.objects.create( |
| 292 | + advisory_id="GHSA-456", |
| 293 | + avid="GHSA-456", |
| 294 | + is_latest=True, |
| 295 | + _all_impacts_unfurled_at="2025-01-01", |
| 296 | + datasource_id="ds", |
| 297 | + pipeline_id="ds_importer_v2", |
| 298 | + unique_content_id="i3giu2w", |
| 299 | + url="https://test.com", |
| 300 | + ) |
| 301 | + |
| 302 | + result = relate_aliases_with_advisories(["GHSA-456"]) |
| 303 | + |
| 304 | + assert advisory in result |
| 305 | + assert len(result) == 1 |
| 306 | + |
| 307 | + |
| 308 | +@pytest.mark.django_db |
| 309 | +def test_handles_mixed_aliases_and_advisory_ids(): |
| 310 | + alias_adv = AdvisoryV2.objects.create( |
| 311 | + advisory_id="GHSA-1", |
| 312 | + avid="GHSA-1", |
| 313 | + is_latest=True, |
| 314 | + _all_impacts_unfurled_at="2025-01-01", |
| 315 | + datasource_id="ds", |
| 316 | + pipeline_id="ds_importer_v2", |
| 317 | + unique_content_id="i3gswiu", |
| 318 | + url="https://test.com", |
| 319 | + ) |
| 320 | + |
| 321 | + advisory_id_adv = AdvisoryV2.objects.create( |
| 322 | + advisory_id="GHSA-2", |
| 323 | + avid="GHSA-2", |
| 324 | + is_latest=True, |
| 325 | + _all_impacts_unfurled_at="2025-01-01", |
| 326 | + datasource_id="ds", |
| 327 | + pipeline_id="ds_importer_v2", |
| 328 | + unique_content_id="i3giu2ww", |
| 329 | + url="https://test.com", |
| 330 | + ) |
| 331 | + |
| 332 | + alias = AdvisoryAlias.objects.create(alias="CVE-2025-1") |
| 333 | + alias.advisories.add(alias_adv) |
| 334 | + |
| 335 | + result = relate_aliases_with_advisories( |
| 336 | + ["CVE-2025-1", "GHSA-2"] |
| 337 | + ) |
| 338 | + |
| 339 | + assert result == {alias_adv, advisory_id_adv} |
| 340 | + |
| 341 | + |
| 342 | +@pytest.mark.django_db |
| 343 | +def test_excludes_non_latest_alias_advisories(): |
| 344 | + latest = AdvisoryV2.objects.create( |
| 345 | + advisory_id="GHSA-1", |
| 346 | + avid="GHSA-1", |
| 347 | + is_latest=True, |
| 348 | + _all_impacts_unfurled_at="2025-01-01", |
| 349 | + datasource_id="ds", |
| 350 | + pipeline_id="ds_importer_v2", |
| 351 | + unique_content_id="i3giu", |
| 352 | + url="https://test.com", |
| 353 | + ) |
| 354 | + |
| 355 | + old = AdvisoryV2.objects.create( |
| 356 | + advisory_id="GHSA-1-old", |
| 357 | + avid="GHSA-1", |
| 358 | + is_latest=False, |
| 359 | + _all_impacts_unfurled_at="2025-01-01", |
| 360 | + datasource_id="ds", |
| 361 | + pipeline_id="ds_importer_v2", |
| 362 | + unique_content_id="i3giu2w", |
| 363 | + url="https://test.com", |
| 364 | + ) |
| 365 | + |
| 366 | + alias = AdvisoryAlias.objects.create(alias="CVE-2025-1") |
| 367 | + alias.advisories.add(latest, old) |
| 368 | + |
| 369 | + result = relate_aliases_with_advisories(["CVE-2025-1"]) |
| 370 | + |
| 371 | + assert result == {latest} |
| 372 | + |
| 373 | + |
| 374 | +@pytest.mark.django_db |
| 375 | +def test_excludes_unfurled_advisories(): |
| 376 | + advisory = AdvisoryV2.objects.create( |
| 377 | + advisory_id="GHSA-1", |
| 378 | + avid="GHSA-1", |
| 379 | + is_latest=True, |
| 380 | + _all_impacts_unfurled_at=None, |
| 381 | + datasource_id="ds", |
| 382 | + pipeline_id="ds_importer_v2", |
| 383 | + unique_content_id="i3giu", |
| 384 | + url="https://test.com", |
| 385 | + ) |
| 386 | + |
| 387 | + alias = AdvisoryAlias.objects.create(alias="CVE-2025-1") |
| 388 | + alias.advisories.add(advisory) |
| 389 | + |
| 390 | + result = relate_aliases_with_advisories(["CVE-2025-1"]) |
| 391 | + |
| 392 | + assert result == set() |
| 393 | + |
| 394 | + |
| 395 | +@pytest.mark.django_db |
| 396 | +def test_deduplicates_results(): |
| 397 | + advisory = AdvisoryV2.objects.create( |
| 398 | + advisory_id="GHSA-1", |
| 399 | + avid="GHSA-1", |
| 400 | + is_latest=True, |
| 401 | + _all_impacts_unfurled_at="2025-01-01", |
| 402 | + datasource_id="ds", |
| 403 | + pipeline_id="ds_importer_v2", |
| 404 | + unique_content_id="i3giu", |
| 405 | + url="https://test.com", |
| 406 | + ) |
| 407 | + |
| 408 | + alias1 = AdvisoryAlias.objects.create(alias="CVE-1") |
| 409 | + alias2 = AdvisoryAlias.objects.create(alias="CVE-2") |
| 410 | + |
| 411 | + alias1.advisories.add(advisory) |
| 412 | + alias2.advisories.add(advisory) |
| 413 | + |
| 414 | + result = relate_aliases_with_advisories( |
| 415 | + ["CVE-1", "CVE-2"] |
| 416 | + ) |
| 417 | + |
| 418 | + assert result == {advisory} |
0 commit comments