Address PR comments including simplifying code #972

Reference: #972

Signed-off-by: John M. Horan <[email protected]>

Author: johnmhoran

vulnerabilities/importers/apache_kafka.py

@@ -8,12 +8,11 @@
 #
 
 
+import pytz
 import requests
 from bs4 import BeautifulSoup
+from dateutil.parser import parse
 from packageurl import PackageURL
-from univers.version_constraint import VersionConstraint
-from univers.version_range import MavenVersionRange
-from univers.versions import MavenVersion
 
 from vulnerabilities.importer import AdvisoryData
 from vulnerabilities.importer import AffectedPackage
@@ -28,6 +27,7 @@
         "2.8.0 - 2.8.1, 3.0.0 - 3.0.1, 3.1.0 - 3.1.1, 3.2.0 - 3.2.1": "affected",
         "2.8.2, 3.0.2, 3.1.2, 3.2.3": "fixed",
         "affected_version_range": "vers:apache/>=2.8.0|<=2.8.1|!=2.8.2|>=3.0.0|<=3.0.1|!=3.0.2|>=3.1.0|<=3.1.1|!=3.1.2|>=3.2.0|<=3.2.1|!=3.2.3",
+        "Issue announced": "19 Sep 2022",
     },
     "CVE-2022-23302": {
         "action": "omit",
@@ -52,30 +52,35 @@
         "2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, 2.8.0.": "affected",
         "2.6.3, 2.7.2, 2.8.1, 3.0.0 and later": "fixed",
         "affected_version_range": "vers:apache/2.0.0|2.0.1|2.1.0|2.1.1|2.2.0|2.2.1|2.2.2|2.3.0|2.3.1|2.4.0|2.4.1|2.5.0|2.5.1|2.6.0|2.6.1|2.6.2|!=2.6.3|2.7.0|2.7.1|!=2.7.2|2.8.0.|!=2.8.1|<3.0.0",
+        "Issue announced": "21 Sep 2021",
     },
     "CVE-2019-12399": {
         "action": "include",
         "2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0": "affected",
         "2.2.2, 2.3.1 and later": "fixed",
         "affected_version_range": "vers:apache/2.0.0|2.0.1|2.1.0|2.1.1|2.2.0|2.2.1|!=2.2.2|2.3.0|<2.3.1",
+        "Issue announced": "13 Jan 2020",
     },
     "CVE-2018-17196": {
         "action": "include",
         "0.11.0.0 to 2.1.0": "affected",
         "2.1.1 and later": "fixed",
         "affected_version_range": "vers:apache/>=0.11.0.0|<2.1.1",
+        "Issue announced": "10 July 2019",
     },
     "CVE-2018-1288": {
         "action": "include",
         "0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, 1.0.0": "affected",
         "0.10.2.2, 0.11.0.3, 1.0.1, 1.1.0": "fixed",
         "affected_version_range": "vers:apache/>=0.9.0.0|<=0.9.0.1|>=0.10.0.0|<=0.10.2.1|!=0.10.2.2|>=0.11.0.0|<=0.11.0.2|!=0.11.0.3|1.0.0|!=1.0.1|!=1.1.0",
+        "Issue announced": "26 July 2018",
     },
     "CVE-2017-12610": {
         "action": "include",
         "0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.1": "affected",
         "0.10.2.2, 0.11.0.2, 1.0.0": "fixed",
         "affected_version_range": "vers:apache/>=0.10.0.0|<=0.10.2.1|!=0.10.2.2|>=0.11.0.0|<=0.11.0.1|!=0.11.0.2|!=1.0.0",
+        "Issue announced": "26 July 2018",
     },
 }
 
@@ -111,50 +116,46 @@ def to_advisory(self, advisory_page):
 
             cve_description_paragraph = cve_section_beginning.find_next_sibling("p")
 
-            stripped_cve_description_paragraph = str(cve_description_paragraph.get_text())
-            stripped_cve_description_paragraph = stripped_cve_description_paragraph.replace(
-                "\n", ""
-            )
-            stripped_cve_description_paragraph = " ".join(
-                stripped_cve_description_paragraph.split()
-            )
+            description = str(cve_description_paragraph.get_text())
+            description = " ".join(description.split())
 
             cve_data_table = cve_section_beginning.find_next_sibling("table")
             cve_data_table_rows = cve_data_table.find_all("tr")
             affected_versions_row = cve_data_table_rows[0]
             fixed_versions_row = cve_data_table_rows[1]
 
-            affected_versions_string = affected_versions_row.find_all("td")[1].text
-            fixed_versions_string = fixed_versions_row.find_all("td")[1].text
-
             # Remove leading white space after initial comma
-            affected_versions_string_split_SPLIT = [
-                substring.strip()
-                for substring in affected_versions_string.split(",")
-                if not substring.isspace()
-            ]
-            fixed_versions_string_split_SPLIT = [
-                substring.strip()
-                for substring in fixed_versions_string.split(",")
-                if not substring.isspace()
-            ]
+            affected_versions = affected_versions_row.find_all("td")[1].text
+
+            affected_versions_clean = [v.strip() for v in affected_versions.split(",")]
+            affected_versions_clean = [v for v in affected_versions if v]
+
+            fixed_versions = fixed_versions_row.find_all("td")[1].text
+
+            fixed_versions_clean = [v.strip() for v in fixed_versions.split(",")]
+            fixed_versions_clean = [v for v in fixed_versions if v]
 
             # This throws a KeyError if the opening h2 tag `id` data changes or is not in the
             # hard-coded affected_version_range_mapping dictionary.
             if affected_version_range_mapping[cve_id]["action"] == "include":
 
                 # These 2 variables (not used elsewhere) trigger the KeyError for changed/missing data.
                 check_affected_versions_key = affected_version_range_mapping[cve_id][
-                    affected_versions_string
-                ]
-                check_fixed_versions_key = affected_version_range_mapping[cve_id][
-                    fixed_versions_string
+                    affected_versions
                 ]
+                check_fixed_versions_key = affected_version_range_mapping[cve_id][fixed_versions]
 
                 references = [
-                    Reference(url=self.ASF_PAGE_URL),
                     Reference(
-                        url=f"https://cve.mitre.org/cgi-bin/cvename.cgi?name={cve_id}",
+                        url=self.ASF_PAGE_URL,
+                        reference_id=cve_id,
+                    ),
+                    Reference(
+                        url=f"{self.ASF_PAGE_URL}#{cve_id}",
+                        reference_id=cve_id,
+                    ),
+                    Reference(
+                        url=f"https://nvd.nist.gov/vuln/detail/{cve_id}",
                         reference_id=cve_id,
                     ),
                 ]
@@ -171,12 +172,17 @@ def to_advisory(self, advisory_page):
                 )
                 affected_packages.append(affected_package)
 
+                date_published = parse(
+                    affected_version_range_mapping[cve_id]["Issue announced"]
+                ).replace(tzinfo=pytz.UTC)
+
                 advisories.append(
                     AdvisoryData(
                         aliases=[cve_id],
-                        summary=stripped_cve_description_paragraph,
+                        summary=description,
                         affected_packages=affected_packages,
                         references=references,
+                        date_published=date_published,
                     )
                 )