Add step to import newly collected advisory

keshav-space · keshav-space · commit 29d96d3bab3a · 2024-08-27T00:39:07.000+05:30
Signed-off-by: Keshav Priyadarshi &lt;git@keshav.space&gt;
diff --git a/vulnerabilities/pipelines/__init__.py b/vulnerabilities/pipelines/__init__.py
@@ -15,10 +15,10 @@
 from aboutcode.pipeline import BasePipeline
 from aboutcode.pipeline import LoopProgress
 
-from vulnerabilities import import_runner
 from vulnerabilities.importer import AdvisoryData
-from vulnerabilities.improvers.default import DefaultImporter
-from vulnerabilities.models import Advisory
+from vulnerabilities.improver import MAX_CONFIDENCE
+from vulnerabilities.pipelines.pipes.importer import import_advisory
+from vulnerabilities.pipelines.pipes.importer import insert_advisory
 from vulnerabilities.utils import classproperty
 
 module_logger = logging.getLogger(__name__)
@@ -47,13 +47,14 @@ class VulnerableCodeBaseImporterPipeline(VulnerableCodePipeline):
 
     Uses:
         Subclass this Pipeline and implement ``advisories_count`` and ``collect_advisories`` method.
-        Also override the ``steps`` if needed.
+        Also override the ``steps`` and ``advisory_confidence`` as needed.
     """
 
     license_url = None
     spdx_license_expression = None
     repo_url = None
     importer_name = None
+    advisory_confidence = MAX_CONFIDENCE
 
     @classmethod
     def steps(cls):
@@ -86,34 +87,17 @@ def collect_and_store_advisories(self):
         collected_advisory_count = 0
         progress = LoopProgress(total_iterations=self.advisories_count(), logger=self.log)
         for advisory in progress.iter(self.collect_advisories()):
-            self.insert_advisory(advisory=advisory)
+            new_advisory = insert_advisory(
+                advisory=advisory,
+                pipeline_name=self.qualified_name,
+                logger=self.log,
+            )
+            if new_advisory:
+                self.new_advisories.append(new_advisory)
             collected_advisory_count += 1
 
         self.log(f"Successfully collected {collected_advisory_count:,d} advisories")
 
-    def insert_advisory(self, advisory: AdvisoryData):
-        try:
-            obj, created = Advisory.objects.get_or_create(
-                aliases=advisory.aliases,
-                summary=advisory.summary,
-                affected_packages=[pkg.to_dict() for pkg in advisory.affected_packages],
-                references=[ref.to_dict() for ref in advisory.references],
-                date_published=advisory.date_published,
-                weaknesses=advisory.weaknesses,
-                defaults={
-                    "created_by": self.qualified_name,
-                    "date_collected": datetime.now(timezone.utc),
-                },
-                url=advisory.url,
-            )
-            if created:
-                self.new_advisories.append(obj)
-        except Exception as e:
-            self.log(
-                f"Error while processing {advisory!r} with aliases {advisory.aliases!r}: {e!r} \n {traceback_format_exc()}",
-                level=logging.ERROR,
-            )
-
     def import_new_advisories(self):
         new_advisories_count = len(self.new_advisories)
 
@@ -129,14 +113,14 @@ def import_advisory(self, advisory) -> None:
         if advisory.date_imported:
             return
         try:
-            advisory_importer = DefaultImporter(advisories=[advisory])
-            inferences = advisory_importer.get_inferences(advisory_data=advisory.to_advisory_data())
-            import_runner.process_inferences(
-                inferences=inferences,
+            import_advisory(
                 advisory=advisory,
-                improver_name=self.qualified_name,
+                pipeline_name=self.qualified_name,
+                confidence=self.advisory_confidence,
+                logger=self.log,
             )
         except Exception as e:
             self.log(
-                f"Failed to process advisory: {advisory!r} with error {e!r}", level=logging.ERROR
+                f"Failed to process advisory: {advisory!r} with error {e!r}",
+                level=logging.ERROR,
             )
diff --git a/vulnerabilities/pipelines/pipes/importer.py b/vulnerabilities/pipelines/pipes/importer.py
@@ -0,0 +1,159 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/nexB/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+import logging
+from datetime import datetime
+from datetime import timezone
+from traceback import format_exc as traceback_format_exc
+from typing import Callable
+
+from django.db import transaction
+
+from vulnerabilities import import_runner
+from vulnerabilities.importer import AdvisoryData
+from vulnerabilities.improver import MAX_CONFIDENCE
+from vulnerabilities.improvers import default
+from vulnerabilities.models import Advisory
+from vulnerabilities.models import Package
+from vulnerabilities.models import PackageRelatedVulnerability
+from vulnerabilities.models import VulnerabilityReference
+from vulnerabilities.models import VulnerabilityRelatedReference
+from vulnerabilities.models import VulnerabilitySeverity
+from vulnerabilities.models import Weakness
+
+
+def insert_advisory(advisory: AdvisoryData, pipeline_name: str, logger: Callable):
+    try:
+        obj, created = Advisory.objects.get_or_create(
+            aliases=advisory.aliases,
+            summary=advisory.summary,
+            affected_packages=[pkg.to_dict() for pkg in advisory.affected_packages],
+            references=[ref.to_dict() for ref in advisory.references],
+            date_published=advisory.date_published,
+            weaknesses=advisory.weaknesses,
+            defaults={
+                "created_by": pipeline_name,
+                "date_collected": datetime.now(timezone.utc),
+            },
+            url=advisory.url,
+        )
+        if created:
+            return obj
+    except Exception as e:
+        logger(
+            f"Error while processing {advisory!r} with aliases {advisory.aliases!r}: {e!r} \n {traceback_format_exc()}",
+            level=logging.ERROR,
+        )
+
+
+@transaction.atomic
+def import_advisory(
+    advisory: Advisory,
+    pipeline_name: str,
+    logger: Callable,
+    confidence: int = MAX_CONFIDENCE,
+):
+    """
+    Create initial Vulnerability Package relationships for the advisory,
+    including references and severity scores.
+
+    Package relationships are established only for resolved (concrete) versions.
+    """
+
+    advisory_data: AdvisoryData = advisory.to_advisory_data()
+    logger(f"Importing advisory id: {advisory.id}", level=logging.DEBUG)
+
+    affected_purls = []
+    fixed_purls = []
+    for affected_package in advisory_data.affected_packages:
+        package_affected_purls, package_fixed_purls = default.get_exact_purls(
+            affected_package=affected_package
+        )
+        affected_purls.extend(package_affected_purls)
+        fixed_purls.extend(package_fixed_purls)
+
+    vulnerability = import_runner.get_or_create_vulnerability_and_aliases(
+        vulnerability_id=None,
+        aliases=advisory_data.aliases,
+        summary=advisory_data.summary,
+        advisory=advisory,
+    )
+
+    if not vulnerability:
+        logger(f"Unable to get vulnerability for advisory: {advisory!r}", level=logging.WARNING)
+        return
+
+    for ref in advisory_data.references:
+        reference = VulnerabilityReference.objects.get_or_none(
+            reference_id=ref.reference_id,
+            url=ref.url,
+        )
+        if not reference:
+            reference = import_runner.create_valid_vulnerability_reference(
+                reference_id=ref.reference_id,
+                url=ref.url,
+            )
+            if not reference:
+                continue
+
+        VulnerabilityRelatedReference.objects.update_or_create(
+            reference=reference,
+            vulnerability=vulnerability,
+        )
+        for severity in ref.severities:
+            try:
+                published_at = str(severity.published_at) if severity.published_at else None
+                _, created = VulnerabilitySeverity.objects.update_or_create(
+                    scoring_system=severity.system.identifier,
+                    reference=reference,
+                    defaults={
+                        "value": str(severity.value),
+                        "scoring_elements": str(severity.scoring_elements),
+                        "published_at": published_at,
+                    },
+                )
+            except:
+                logger(
+                    f"Failed to create VulnerabilitySeverity for: {severity} with error:\n{traceback_format_exc()}",
+                    level=logging.ERROR,
+                )
+            if not created:
+                logger(
+                    f"Severity updated for reference {ref!r} to value: {severity.value!r} "
+                    f"and scoring_elements: {severity.scoring_elements!r}",
+                    level=logging.DEBUG,
+                )
+
+    for affected_purl in affected_purls or []:
+        vulnerable_package, _ = Package.objects.get_or_create_from_purl(purl=affected_purl)
+        PackageRelatedVulnerability(
+            vulnerability=vulnerability,
+            package=vulnerable_package,
+            created_by=pipeline_name,
+            confidence=confidence,
+            fix=False,
+        ).update_or_create(advisory=advisory)
+
+    for fixed_purl in fixed_purls:
+        fixed_package, _ = Package.objects.get_or_create_from_purl(purl=fixed_purl)
+        PackageRelatedVulnerability(
+            vulnerability=vulnerability,
+            package=fixed_package,
+            created_by=pipeline_name,
+            confidence=confidence,
+            fix=True,
+        ).update_or_create(advisory=advisory)
+
+    if advisory_data.weaknesses and vulnerability:
+        for cwe_id in advisory_data.weaknesses:
+            cwe_obj, _ = Weakness.objects.get_or_create(cwe_id=cwe_id)
+            cwe_obj.vulnerabilities.add(vulnerability)
+            cwe_obj.save()
+
+    advisory.date_imported = datetime.now(timezone.utc)
+    advisory.save()
