Update postgresql.py and test file, clean up code and comments #969

johnmhoran · TG1999 · commit 03d93095fe1b · 2022-11-21T20:59:29.000+05:30
Reference: #969 Signed-off-by: John M. Horan <johnmhoran@gmail.com>
diff --git a/vulnerabilities/importers/__init__.py b/vulnerabilities/importers/__init__.py
@@ -16,6 +16,7 @@
 from vulnerabilities.importers import nginx
 from vulnerabilities.importers import nvd
 from vulnerabilities.importers import openssl
+from vulnerabilities.importers import postgresql
 from vulnerabilities.importers import pypa
 from vulnerabilities.importers import pysec
 from vulnerabilities.importers import redhat
@@ -31,6 +32,7 @@
     pysec.PyPIImporter,
     debian.DebianImporter,
     gitlab.GitLabAPIImporter,
+    postgresql.PostgreSQLImporter,
     pypa.PyPaImporter,
     archlinux.ArchlinuxImporter,
     ubuntu.UbuntuImporter,
diff --git a/vulnerabilities/importers/postgresql.py b/vulnerabilities/importers/postgresql.py
@@ -22,39 +22,30 @@
 from vulnerabilities.importer import Reference
 from vulnerabilities.importer import VulnerabilitySeverity
 
-# we no longer use nearest_patched_package, do we?
-from vulnerabilities.utils import nearest_patched_package
-
 
 class PostgreSQLImporter(Importer):
 
     root_url = "https://www.postgresql.org/support/security/"
-    # need license_url; 'mit' below is just a placeholder value -- need to determine actual license
-    spdx_license_expression = "mit"
+    license_url = "https://www.postgresql.org/about/licence/"
+    spdx_license_expression = "PostgreSQL"
 
     def advisory_data(self):
-        # Not used but we added during huddle?
-        # urls = []
-        # No longer used
-        # advisories = []
         known_urls = {self.root_url}
         visited_urls = set()
+        data_by_url = {}
         while True:
             unvisited_urls = known_urls - visited_urls
             for url in unvisited_urls:
                 data = requests.get(url).content
+                data_by_url[url] = data
                 visited_urls.add(url)
                 known_urls.update(find_advisory_urls(data))
 
-            # Could these 2 lines be replaced with `known_urls != visited_urls`?
             if known_urls == visited_urls:
                 break
 
-        # What is batch_advisories()?  Old code?
-        # return self.batch_advisories(advisories)
-
-        for url in visited_urls:
-            data = requests.get(url).content
+        # JMH: why did we replace "for url in visited_urls:"?
+        for url, data in data_by_url.items():
             yield from to_advisories(data)
 
 
@@ -79,9 +70,8 @@ def to_advisories(data):
                     AffectedPackage(
                         package=PackageURL(
                             name="postgresql",
+                            # TODO: See https://github.com/nexB/vulnerablecode/issues/990
                             type="generic",
-                            # TODO: Discuss namespace issue for postgresql
-                            namespace="postgresql",
                             qualifiers=pkg_qualifiers,
                         ),
                         affected_version_range=GenericVersionRange.from_versions(
@@ -97,20 +87,21 @@ def to_advisories(data):
                 AffectedPackage(
                     package=PackageURL(
                         name="postgresql",
+                        # TODO: See https://github.com/nexB/vulnerablecode/issues/990
                         type="generic",
-                        # TODO: Discuss namespace issue for postgresql
-                        namespace="postgresql",
                         qualifiers=pkg_qualifiers,
                     ),
                     affected_version_range=GenericVersionRange.from_versions(affected_version_list),
                 )
             )
-
+        cve_id = ""
         try:
+            # in the prior code, this is the only place where cve_id was defined, and presumably
+            # there was no error like the error we got:
+            # UnboundLocalError: local variable 'cve_id' referenced before assignment
             cve_id = ref_col.select("nobr")[0].text
             # This is for the anomaly in https://www.postgresql.org/support/security/8.1/ 's
             # last entry
-            # Note: in this example and others, final entry/entries have no CVE in the 1st column
         except IndexError:
             pass
 
@@ -134,19 +125,18 @@ def to_advisories(data):
                     )
                     severities.append(severity)
             references.append(Reference(url=link, severities=severities))
-
-        advisories.append(
-            AdvisoryData(
-                aliases=[cve_id],
-                summary=summary,
-                references=references,
-                affected_packages=affected_packages,
+        if cve_id:
+            advisories.append(
+                AdvisoryData(
+                    # we defined cve_id and added the if... because we got this error:
+                    # UnboundLocalError: local variable 'cve_id' referenced before assignment
+                    # but JMH is not sure what caused the error or whether this is a legit fix
+                    aliases=[cve_id],
+                    summary=summary,
+                    references=references,
+                    affected_packages=affected_packages,
+                )
             )
-        )
-
-    # Keep temporarily for reference
-    print("\ntotal test_advisories (i.e., AdvisoryData objects) = {}".format(len(advisories)))
-    print("\nadvisories = {}".format(advisories))
 
     return advisories
 
diff --git a/vulnerabilities/tests/conftest.py b/vulnerabilities/tests/conftest.py
@@ -37,7 +37,6 @@ def no_rmtree(monkeypatch):
     "test_msr2019.py",
     "test_npm.py",
     "test_package_managers.py",
-    "test_postgresql.py",
     "test_retiredotnet.py",
     "test_ruby.py",
     "test_rust.py",
diff --git a/vulnerabilities/tests/test_data/postgresql/parse-advisory-postgresql-expected.json b/vulnerabilities/tests/test_data/postgresql/parse-advisory-postgresql-expected.json
@@ -0,0 +1,170 @@
+[
+  {
+    "aliases": [
+      "CVE-2020-10733"
+    ],
+    "summary": "Windows installer runs executables from uncontrolled directoriesmore details",
+    "affected_packages": [
+      {
+        "package": {
+          "type": "generic",
+          "namespace": null,
+          "name": "postgresql",
+          "version": null,
+          "qualifiers": {
+            "os": "windows"
+          },
+          "subpath": null
+        },
+        "affected_version_range": "vers:generic/9.6.0|10.0.0|11.0.0|12.0.0",
+        "fixed_version": "12.3"
+      },
+      {
+        "package": {
+          "type": "generic",
+          "namespace": null,
+          "name": "postgresql",
+          "version": null,
+          "qualifiers": {
+            "os": "windows"
+          },
+          "subpath": null
+        },
+        "affected_version_range": "vers:generic/9.6.0|10.0.0|11.0.0|12.0.0",
+        "fixed_version": "11.8"
+      },
+      {
+        "package": {
+          "type": "generic",
+          "namespace": null,
+          "name": "postgresql",
+          "version": null,
+          "qualifiers": {
+            "os": "windows"
+          },
+          "subpath": null
+        },
+        "affected_version_range": "vers:generic/9.6.0|10.0.0|11.0.0|12.0.0",
+        "fixed_version": "10.13"
+      },
+      {
+        "package": {
+          "type": "generic",
+          "namespace": null,
+          "name": "postgresql",
+          "version": null,
+          "qualifiers": {
+            "os": "windows"
+          },
+          "subpath": null
+        },
+        "affected_version_range": "vers:generic/9.6.0|10.0.0|11.0.0|12.0.0",
+        "fixed_version": "9.6.18"
+      }
+    ],
+    "references": [
+      {
+        "reference_id": "",
+        "url": "https://www.postgresql.org/support/security/CVE-2020-10733/",
+        "severities": [
+          {
+            "system": "cvssv3",
+            "value": "6.7"
+          },
+          {
+            "system": "cvssv3_vector",
+            "value": [
+              "AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"
+            ]
+          }
+        ]
+      },
+      {
+        "reference_id": "",
+        "url": "https://www.postgresql.org/about/news/postgresql-123-118-1013-9618-and-9522-released-2038/",
+        "severities": []
+      }
+    ],
+    "date_published": null
+  },
+  {
+    "aliases": [
+      "CVE-2020-1720"
+    ],
+    "summary": "ALTER ... DEPENDS ON EXTENSION is missing authorization checks.more details",
+    "affected_packages": [
+      {
+        "package": {
+          "type": "generic",
+          "namespace": null,
+          "name": "postgresql",
+          "version": null,
+          "qualifiers": null,
+          "subpath": null
+        },
+        "affected_version_range": "vers:generic/9.6.0|10.0.0|11.0.0|12.0.0",
+        "fixed_version": "12.2"
+      },
+      {
+        "package": {
+          "type": "generic",
+          "namespace": null,
+          "name": "postgresql",
+          "version": null,
+          "qualifiers": null,
+          "subpath": null
+        },
+        "affected_version_range": "vers:generic/9.6.0|10.0.0|11.0.0|12.0.0",
+        "fixed_version": "11.7"
+      },
+      {
+        "package": {
+          "type": "generic",
+          "namespace": null,
+          "name": "postgresql",
+          "version": null,
+          "qualifiers": null,
+          "subpath": null
+        },
+        "affected_version_range": "vers:generic/9.6.0|10.0.0|11.0.0|12.0.0",
+        "fixed_version": "10.12"
+      },
+      {
+        "package": {
+          "type": "generic",
+          "namespace": null,
+          "name": "postgresql",
+          "version": null,
+          "qualifiers": null,
+          "subpath": null
+        },
+        "affected_version_range": "vers:generic/9.6.0|10.0.0|11.0.0|12.0.0",
+        "fixed_version": "9.6.17"
+      }
+    ],
+    "references": [
+      {
+        "reference_id": "",
+        "url": "https://www.postgresql.org/support/security/CVE-2020-1720/",
+        "severities": [
+          {
+            "system": "cvssv3",
+            "value": "3.1"
+          },
+          {
+            "system": "cvssv3_vector",
+            "value": [
+              "AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"
+            ]
+          }
+        ]
+      },
+      {
+        "reference_id": "",
+        "url": "https://www.postgresql.org/about/news/postgresql-122-117-1012-9617-9521-and-9426-released-2011/",
+        "severities": []
+      }
+    ],
+    "date_published": null
+  }
+]
diff --git a/vulnerabilities/tests/test_postgresql.py b/vulnerabilities/tests/test_postgresql.py
