Merge branch 'main' into update-rtd

Signed-off-by: John M. Horan [email protected]

Author: johnmhoran

CHANGELOG.rst

@@ -8,36 +8,39 @@ Version v30.0.0
   transform imported data and convert that in Vulnerabilities and Packages. Improvers can
   also improve and refine imported and existing data as well as enrich data using external
   data sources. The migration to this new architecture is under way and not all importers
-  are available. You can track the progress in this issue: https://github.com/nexB/vulnerablecode/issues/597 
+  are available.
   Because of these extensive changes, it is not possible to migrate existing imported
   data to the new schema. You will need instead to restart imports from an empty database
   or request access to the new vulnerablecode.io live instance.
+  You can track the progress in this issue: https://github.com/nexB/vulnerablecode/issues/597 
 
 - We added new data sources including PYSEC, GitHub and GitLab.
 
 - We improved the documentation including adding development examples for importers and improvers.
 
-- We removed the ability to edit relationships from the UI. The UI is now read-only
-  and we will need to design a different UI for proper review and curation of vulnerabilities.
+- We removed the ability to edit relationships from the UI. The UI is now read-only.
+- We replace the web UI with a brand new UI based on the same overall look and feel as ScanCode.io.
 
 - We added support for NixOS as a Linux deployment target.
 
 - The aliases of a vulnerabily are reported in the API vulnerabilities/ endpoint
 
-
 - There are breaking Changes at API level with changes in the data structure:
 
   - in the /api/vulnerabilities/ endpoint:
 
     - Rename `resolved_packages` to `fixed_packages` 
     - Rename `unresolved_packages` to `affected_packages`
     - Rename `url` to `reference_url` in the reference list
+    - Add is_vulnerable property in fixed and affected_packages.
 
   - in the /api/packages/ endpoint:
 
     - Rename `unresolved_vulnerabilities` to `affected_by_vulnerabilities`
     - Rename  `resolved_vulnerabilities` to `fixing_vulnerabilities`
     - Rename `url` to `reference_url` in the reference list
+    - Add new attribute `is_resolved`
+    - Add namespace filter
 
 - We have provided backward compatibility for `url` and `unresolved_vulnerabilities` for now
 
@@ -66,8 +69,6 @@ Version v30.0.0
   their API Key in the REST API.
   Users can be created using the Django "createsuperuser" management command.
 
-- Add is_vulnerable property in fixed and affected_packages.
-
 Other:
 
 - we dropped calver to use a plain semver.

Makefile

@@ -109,7 +109,7 @@ sqlite:
 	@$(MAKE) migrate
 
 run:
-	${MANAGE} runserver 8001 --noreload --insecure
+	${MANAGE} runserver 8001 --insecure
 
 test:
 	@echo "-> Run the test suite"

requirements.txt

@@ -1,4 +1,3 @@
-aiohttp==3.8.1
 aiosignal==1.2.0
 alabaster==0.7.12
 asgiref==3.5.0

setup.cfg

@@ -25,7 +25,7 @@ classifiers =
     Topic :: Security
     Topic :: Software Development :: Bug Tracking
     Framework :: Django
-    
+
 keywords =
     open source
     vulnerability
@@ -81,7 +81,6 @@ install_requires =
 
     # networking
     GitPython>=3.1.17
-    aiohttp>=3.7.4.post0
     requests>=2.25.1
     fetchcode>=0.1.0
 

vulnerabilities/api.py

@@ -190,7 +190,15 @@ class PackageFilterSet(filters.FilterSet):
 
     class Meta:
         model = Package
-        fields = ["name", "type", "version", "subpath", "purl", "packagerelatedvulnerability__fix"]
+        fields = [
+            "name",
+            "type",
+            "version",
+            "subpath",
+            "purl",
+            "namespace",
+            "packagerelatedvulnerability__fix",
+        ]
 
     def filter_purl(self, queryset, name, value):
         purl = unquote(value)

vulnerabilities/forms.py

@@ -34,10 +34,13 @@ class PackageForm(forms.Form):
 
     type = forms.ChoiceField(choices=get_package_types)
     name = forms.CharField(
-        required=False, widget=forms.TextInput(attrs={"placeholder": "package name"})
+        required=False, widget=forms.TextInput(attrs={"placeholder": "Package name or purl"})
     )
 
 
 class CVEForm(forms.Form):
 
-    vuln_id = forms.CharField(widget=forms.TextInput(attrs={"placeholder": "vulnerability id"}))
+    vuln_id = forms.CharField(
+        required=False,
+        widget=forms.TextInput(attrs={"placeholder": "Vulnerability ID or CVE/GHSA"}),
+    )

vulnerabilities/migrations/0018_alter_alias_options.py

@@ -0,0 +1,17 @@
+# Generated by Django 4.0.6 on 2022-08-18 20:58
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('vulnerabilities', '0017_delete_reference_to_cpes_with_empty_urls'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='alias',
+            options={'ordering': ['alias']},
+        ),
+    ]

vulnerabilities/migrations/0019_alter_vulnerabilityreference_options.py

@@ -0,0 +1,17 @@
+# Generated by Django 4.0.6 on 2022-08-23 19:15
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('vulnerabilities', '0018_alter_alias_options'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='vulnerabilityreference',
+            options={'ordering': ['reference_id', 'url']},
+        ),
+    ]

vulnerabilities/models.py

@@ -124,6 +124,7 @@ class Meta:
             "url",
             "reference_id",
         )
+        ordering = ["reference_id", "url"]
 
     def __str__(self):
         reference_id = f" {self.reference_id}" if self.reference_id else ""
@@ -362,6 +363,21 @@ class Alias(models.Model):
         related_name="aliases",
     )
 
+    @property
+    def url(self):
+        """
+        Create a URL for the alias.
+        """
+        alias: str = self.alias
+        if alias.startswith("CVE"):
+            return f"https://nvd.nist.gov/vuln/detail/{alias}"
+
+        if alias.startswith("GHSA"):
+            return f"https://github.com/advisories/{alias}"
+
+    class Meta:
+        ordering = ["alias"]
+
     def __str__(self):
         return self.alias
 

vulnerabilities/package_managers.py

@@ -37,7 +37,6 @@
 # FIXME: use purl for cache key, rather than an undefined package_name key
 # FIXME: DO NOT cache by default as this is an optimization that does not work for long running processes
 # FIXME: DO NOT use set() for storing version lists: they lose the original ordering
-# FIXME: DO NOT use aiohttp that makes the code more complex before this is can be tested for correctness first
 
 
 @dataclasses.dataclass(frozen=True)