Apply suggestions from code review

Signed-off-by: Tushar Goel <[email protected]>

Author: TG1999

CHANGELOG.rst

@@ -7,6 +7,7 @@ Next release
 
 - We re-enabled support for the mozilla vulnerabilities advisories importer.
 - We re-enabled support for the gentoo vulnerabilities advisories importer.
+- We re-enabled support for the istio vulnerabilities advisories importer.
 
 
 Version v31.1.1

vulnerabilities/importers/__init__.py

@@ -15,8 +15,8 @@
 from vulnerabilities.importers import gentoo
 from vulnerabilities.importers import github
 from vulnerabilities.importers import gitlab
-from vulnerabilities.importers import mozilla
 from vulnerabilities.importers import istio
+from vulnerabilities.importers import mozilla
 from vulnerabilities.importers import nginx
 from vulnerabilities.importers import npm
 from vulnerabilities.importers import nvd

vulnerabilities/importers/istio.py

@@ -59,28 +59,28 @@ def process_file(self, path):
         for release in data.get("releases") or []:
             # If it is of form "All releases prior to x"
             if "All releases prior" in release:
-                release = release.strip()
-                release = release.split(" ")
+                _, _, release = release.strip().rpartition(" ")
                 constraints.append(
-                    VersionConstraint(version=SemverVersion(release[4]), comparator="<")
+                    VersionConstraint(version=SemverVersion(release), comparator="<")
                 )
 
             # Eg. 'All releases 1.5 and later'
             elif "All releases" in release and "and later" in release:
-                release = release.split()[2].strip()
+                # remove All releases from string
+                release = release.replace("All releases", "").strip()
+                # remove and later from string
+                release = release.replace("and later", "").strip()
+                if not is_release(release):
+                    continue
                 constraints.append(
-                    VersionConstraint(version=SemverVersion(release), comparator=">")
+                    VersionConstraint(version=SemverVersion(release), comparator=">=")
                 )
 
+            # Eg. 1.5 to 2.0
             elif "to" in release:
-                release = release.strip()
-                release = release.split(" ")
-                constraints.append(
-                    VersionConstraint(version=SemverVersion(release[0]), comparator=">=")
-                )
-                constraints.append(
-                    VersionConstraint(version=SemverVersion(release[2]), comparator="<=")
-                )
+                lower, _, upper = release.strip().partition("to")
+                constraints.append(VersionConstraint(version=SemverVersion(lower), comparator=">="))
+                constraints.append(VersionConstraint(version=SemverVersion(upper), comparator="<="))
 
             # If it is a single release
             elif is_release(release):
@@ -95,19 +95,20 @@ def process_file(self, path):
 
             affected_packages = []
 
-            affected_packages.append(
-                AffectedPackage(
-                    package=PackageURL(type="golang", name="istio"),
-                    affected_version_range=GolangVersionRange(constraints=constraints),
+            if constraints:
+                affected_packages.append(
+                    AffectedPackage(
+                        package=PackageURL(type="golang", namespace="istio.io", name="istio"),
+                        affected_version_range=GolangVersionRange(constraints=constraints),
+                    )
                 )
-            )
 
-            affected_packages.append(
-                AffectedPackage(
-                    package=PackageURL(type="github", name="istio"),
-                    affected_version_range=GitHubVersionRange(constraints=constraints),
+                affected_packages.append(
+                    AffectedPackage(
+                        package=PackageURL(type="github", namespace="istio", name="istio"),
+                        affected_version_range=GitHubVersionRange(constraints=constraints),
+                    )
                 )
-            )
 
             title = data.get("title") or ""
             references = []

vulnerabilities/improvers/default.py

@@ -46,15 +46,25 @@ def get_inferences(self, advisory_data: AdvisoryData) -> Iterable[Inference]:
             for affected_package in advisory_data.affected_packages:
                 # To deal with multiple fixed versions in a single affected package
                 affected_purls, fixed_purls = get_exact_purls(affected_package)
-                for fixed_purl in fixed_purls:
+                if not fixed_purls:
                     yield Inference(
                         aliases=advisory_data.aliases,
                         confidence=MAX_CONFIDENCE,
                         summary=advisory_data.summary,
                         affected_purls=affected_purls,
-                        fixed_purl=fixed_purl,
+                        fixed_purl=None,
                         references=advisory_data.references,
                     )
+                else:
+                    for fixed_purl in fixed_purls or []:
+                        yield Inference(
+                            aliases=advisory_data.aliases,
+                            confidence=MAX_CONFIDENCE,
+                            summary=advisory_data.summary,
+                            affected_purls=affected_purls,
+                            fixed_purl=fixed_purl,
+                            references=advisory_data.references,
+                        )
 
         else:
             yield Inference.from_advisory_data(

vulnerabilities/tests/test_data/istio/istio-expected.json

@@ -8,25 +8,25 @@
       {
         "package": {
           "type": "golang",
-          "namespace": null,
+          "namespace": "istio.io",
           "name": "istio",
           "version": null,
           "qualifiers": null,
           "subpath": null
         },
-        "affected_version_range": "vers:golang/>=1.1.0|<=1.1.15|>=1.2.0|<=1.2.6|>=1.3.0|<=1.3.1",
+        "affected_version_range": "vers:golang/<0.0.9|>=1.1.0|<=1.1.15|>=1.3.0|<=1.3.1|>=1.5.0",
         "fixed_version": null
       },
       {
         "package": {
           "type": "github",
-          "namespace": null,
+          "namespace": "istio",
           "name": "istio",
           "version": null,
           "qualifiers": null,
           "subpath": null
         },
-        "affected_version_range": "vers:github/>=1.1.0|<=1.1.15|>=1.2.0|<=1.2.6|>=1.3.0|<=1.3.1",
+        "affected_version_range": "vers:github/<0.0.9|>=1.1.0|<=1.1.15|>=1.3.0|<=1.3.1|>=1.5.0",
         "fixed_version": null
       }
     ],

vulnerabilities/tests/test_data/istio/test_file.md

@@ -5,7 +5,7 @@ description: Incorrect access control.
 cves: [CVE-2019-12243]
 cvss: "8.9"
 vector: "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N/E:H/RL:O/RC:C"
-releases: ["1.1 to 1.1.15", "1.2 to 1.2.6", "1.3 to 1.3.1"]
+releases: ["All releases prior to 0.0.9","1.1 to 1.1.15","1.3 to 1.3.1", "All releases 1.5.0 and later"]
 publishdate: 2019-05-28
 
 ---

vulnerabilities/tests/test_istio.py

@@ -26,7 +26,12 @@ def test_istio_get_data_from_md():
         "cves": ["CVE-2019-12243"],
         "cvss": "8.9",
         "vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N/E:H/RL:O/RC:C",
-        "releases": ["1.1 to 1.1.15", "1.2 to 1.2.6", "1.3 to 1.3.1"],
+        "releases": [
+            "All releases prior to 0.0.9",
+            "1.1 to 1.1.15",
+            "1.3 to 1.3.1",
+            "All releases 1.5.0 and later",
+        ],
         "publishdate": "2019-05-28",
     }