Begin postgresql.py migration #969

johnmhoran · TG1999 · commit b5c94bdf5b9f · 2022-11-21T20:58:50.000+05:30
Reference: #969 Signed-off-by: John M. Horan <johnmhoran@gmail.com>
diff --git a/vulnerabilities/importers/postgresql.py b/vulnerabilities/importers/postgresql.py
@@ -13,17 +13,27 @@
 from bs4 import BeautifulSoup
 from packageurl import PackageURL
 
+# is there a univers versionrange?  a version?
+from univers.version_range import GenericVersionRange
+from univers.versions import GenericVersion
+
 from vulnerabilities import severity_systems
+
+# add AffectedPackage
 from vulnerabilities.importer import AdvisoryData
+from vulnerabilities.importer import AffectedPackage
 from vulnerabilities.importer import Importer
 from vulnerabilities.importer import Reference
 from vulnerabilities.importer import VulnerabilitySeverity
+
+# we no longer use nearest_patched_package, do we?
 from vulnerabilities.utils import nearest_patched_package
 
 
 class PostgreSQLImporter(Importer):
 
     root_url = "https://www.postgresql.org/support/security/"
+    # need spdx_license_expression and license_url
 
     def updated_advisories(self):
         advisories = []
@@ -54,26 +64,64 @@ def to_advisories(data):
         if "windows" in summary.lower():
             pkg_qualifiers = {"os": "windows"}
 
-        affected_packages = [
-            PackageURL(
-                type="generic",
-                name="postgresql",
-                version=version.strip(),
-                qualifiers=pkg_qualifiers,
+        # affected_packages = [
+        #     PackageURL(
+        #         type="generic",
+        #         name="postgresql",
+        #         version=version.strip(),
+        #         qualifiers=pkg_qualifiers,
+        #     )
+        #     for version in affected_col.text.split(",")
+        # ]
+
+        # fixed_packages = [
+        #     PackageURL(
+        #         type="generic",
+        #         name="postgresql",
+        #         version=version.strip(),
+        #         qualifiers=pkg_qualifiers,
+        #     )
+        #     for version in fixed_col.text.split(",")
+        #     # why the "if version" here but not in affected_packages?
+        #     # aren't we assuming (can we assume?) there are an equal number of versions in affect_packages and fixed_packages?
+        #     if version
+        # ]
+
+        # This will replace the affected_packages and fixed_packages lists above. ============
+        affected_packages = []
+        affected_version_list = affected_col.text.split(",")
+        fixed_version_list = fixed_col.text.split(",")
+        package_count = len(affected_version_list)
+
+        while package_count > 0:
+            summary = summary
+
+            affected = affected_version_list[0]
+            affected_version_list.pop(0)
+            # Do we need "if affected else None"?
+            affected_version_range = (
+                GenericVersionRange.from_versions([affected]) if affected else None
             )
-            for version in affected_col.text.split(",")
-        ]
-
-        fixed_packages = [
-            PackageURL(
-                type="generic",
-                name="postgresql",
-                version=version.strip(),
-                qualifiers=pkg_qualifiers,
+
+            fixed = fixed_version_list[0]
+            fixed_version_list.pop(0)
+            # Do we need "if affected else None"?
+            fixed_version = GenericVersion(fixed) if fixed else None
+
+            package_count -= 1
+
+            affected_package = AffectedPackage(
+                package=PackageURL(
+                    name="postgresql",
+                    type="generic",
+                    namespace="postgresql",
+                ),
+                affected_version_range=affected_version_range,
+                fixed_version=fixed_version,
             )
-            for version in fixed_col.text.split(",")
-            if version
-        ]
+            affected_packages.append(affected_package)
+
+            # end of initial draft insert ===================================
 
         try:
             cve_id = ref_col.select("nobr")[0].text
@@ -105,10 +153,13 @@ def to_advisories(data):
 
         advisories.append(
             AdvisoryData(
-                vulnerability_id=cve_id,
+                # 10/26/2022 Wednesday 6:40:01 PM.  Throws error (terminal points to test data): TypeError: __init__() got an unexpected keyword argument 'vulnerability_id'
+                # vulnerability_id=cve_id,
+                aliases=[cve_id],
                 summary=summary,
                 references=references,
-                affected_packages=nearest_patched_package(affected_packages, fixed_packages),
+                # affected_packages=nearest_patched_package(affected_packages, fixed_packages),
+                affected_packages=affected_packages,
             )
         )
 
diff --git a/vulnerabilities/tests/test_postgresql.py b/vulnerabilities/tests/test_postgresql.py
@@ -32,7 +32,9 @@ def test_to_advisories(self):
         expected_advisories = [
             AdvisoryData(
                 summary="ALTER ... DEPENDS ON EXTENSION is missing authorization checks.more details",
-                vulnerability_id="CVE-2020-1720",
+                # 10/26/2022 Wednesday 6:40:01 PM.  Throws error: TypeError: __init__() got an unexpected keyword argument 'vulnerability_id'
+                # vulnerability_id="CVE-2020-1720",
+                aliases=["CVE-2020-1720"],
                 affected_packages=[
                     AffectedPackage(
                         vulnerable_package=PackageURL(
@@ -103,7 +105,9 @@ def test_to_advisories(self):
             ),
             AdvisoryData(
                 summary="Windows installer runs executables from uncontrolled directoriesmore details",
-                vulnerability_id="CVE-2020-10733",
+                # 10/26/2022 Wednesday 6:40:01 PM.  Throws error: TypeError: __init__() got an unexpected keyword argument 'vulnerability_id'
+                # vulnerability_id="CVE-2020-10733",
+                aliases=["CVE-2020-10733"],
                 affected_packages=[
                     AffectedPackage(
                         vulnerable_package=PackageURL(
@@ -184,6 +188,188 @@ def test_to_advisories(self):
 
         found_advisories = to_advisories(raw_data)
 
-        found_advisories = list(map(AdvisoryData.normalized, found_advisories))
-        expected_advisories = list(map(AdvisoryData.normalized, expected_advisories))
+        # 10/26/2022 Wednesday 7:07:13 PM.  Throws error: AttributeError: type object 'AdvisoryData' has no attribute 'normalized'
+        # found_advisories = list(map(AdvisoryData.normalized, found_advisories))
+        found_advisories = list(map(AdvisoryData, found_advisories))
+        # expected_advisories = list(map(AdvisoryData.normalized, expected_advisories))
+        expected_advisories = list(map(AdvisoryData, expected_advisories))
+        assert sorted(found_advisories) == sorted(expected_advisories)
+
+    # 10/27/2022 Thursday 6:40:04 PM.  This is intended to be an updated test -- but I have barely started to work on it!
+    # Focusing instead on postgresql.py for now.
+    def test_to_advisories_updated(self):
+
+        with open(TEST_DATA) as f:
+            raw_data = f.read()
+
+        expected_advisories = [
+            AdvisoryData(
+                summary="ALTER ... DEPENDS ON EXTENSION is missing authorization checks.more details",
+                # 10/26/2022 Wednesday 6:40:01 PM.  Throws error: TypeError: __init__() got an unexpected keyword argument 'vulnerability_id'
+                # vulnerability_id="CVE-2020-1720",
+                aliases=["CVE-2020-1720"],
+                affected_packages=[
+                    AffectedPackage(
+                        vulnerable_package=PackageURL(
+                            type="generic",
+                            name="postgresql",
+                            version="10",
+                        ),
+                        patched_package=PackageURL(
+                            type="generic",
+                            name="postgresql",
+                            version="10.12",
+                        ),
+                    ),
+                    AffectedPackage(
+                        vulnerable_package=PackageURL(
+                            type="generic",
+                            name="postgresql",
+                            version="11",
+                        ),
+                        patched_package=PackageURL(
+                            type="generic",
+                            name="postgresql",
+                            version="11.7",
+                        ),
+                    ),
+                    AffectedPackage(
+                        vulnerable_package=PackageURL(
+                            type="generic",
+                            name="postgresql",
+                            version="12",
+                        ),
+                        patched_package=PackageURL(
+                            type="generic",
+                            name="postgresql",
+                            version="12.2",
+                        ),
+                    ),
+                    AffectedPackage(
+                        vulnerable_package=PackageURL(
+                            type="generic",
+                            name="postgresql",
+                            version="9.6",
+                        ),
+                        patched_package=PackageURL(
+                            type="generic",
+                            name="postgresql",
+                            version="9.6.17",
+                        ),
+                    ),
+                ],
+                references=[
+                    Reference(
+                        reference_id="",
+                        url="https://www.postgresql.org/about/news/postgresql-122-117-1012-9617-9521-and-9426-released-2011/",
+                    ),
+                    Reference(
+                        reference_id="",
+                        url="https://www.postgresql.org/support/security/CVE-2020-1720/",
+                        severities=[
+                            VulnerabilitySeverity(
+                                system=severity_systems.CVSSV3,
+                                value="3.1",
+                            ),
+                            VulnerabilitySeverity(
+                                system=severity_systems.CVSSV3_VECTOR,
+                                value=["AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"],
+                            ),
+                        ],
+                    ),
+                ],
+            ),
+            AdvisoryData(
+                summary="Windows installer runs executables from uncontrolled directoriesmore details",
+                # 10/26/2022 Wednesday 6:40:01 PM.  Throws error: TypeError: __init__() got an unexpected keyword argument 'vulnerability_id'
+                # vulnerability_id="CVE-2020-10733",
+                aliases=["CVE-2020-10733"],
+                affected_packages=[
+                    AffectedPackage(
+                        vulnerable_package=PackageURL(
+                            type="generic",
+                            name="postgresql",
+                            version="10",
+                            qualifiers={"os": "windows"},
+                        ),
+                        patched_package=PackageURL(
+                            type="generic",
+                            name="postgresql",
+                            version="10.13",
+                            qualifiers={"os": "windows"},
+                        ),
+                    ),
+                    AffectedPackage(
+                        vulnerable_package=PackageURL(
+                            type="generic",
+                            name="postgresql",
+                            version="11",
+                            qualifiers={"os": "windows"},
+                        ),
+                        patched_package=PackageURL(
+                            type="generic",
+                            name="postgresql",
+                            version="11.8",
+                            qualifiers={"os": "windows"},
+                        ),
+                    ),
+                    AffectedPackage(
+                        vulnerable_package=PackageURL(
+                            type="generic",
+                            name="postgresql",
+                            version="12",
+                            qualifiers={"os": "windows"},
+                        ),
+                        patched_package=PackageURL(
+                            type="generic",
+                            name="postgresql",
+                            version="12.3",
+                            qualifiers={"os": "windows"},
+                        ),
+                    ),
+                    AffectedPackage(
+                        vulnerable_package=PackageURL(
+                            type="generic",
+                            name="postgresql",
+                            version="9.6",
+                            qualifiers={"os": "windows"},
+                        ),
+                        patched_package=PackageURL(
+                            type="generic",
+                            name="postgresql",
+                            version="9.6.18",
+                            qualifiers={"os": "windows"},
+                        ),
+                    ),
+                ],
+                references=[
+                    Reference(
+                        reference_id="",
+                        url="https://www.postgresql.org/about/news/postgresql-123-118-1013-9618-and-9522-released-2038/",
+                    ),
+                    Reference(
+                        reference_id="",
+                        url="https://www.postgresql.org/support/security/CVE-2020-10733/",
+                        severities=[
+                            VulnerabilitySeverity(
+                                system=severity_systems.CVSSV3,
+                                value="6.7",
+                            ),
+                            VulnerabilitySeverity(
+                                system=severity_systems.CVSSV3_VECTOR,
+                                value=["AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"],
+                            ),
+                        ],
+                    ),
+                ],
+            ),
+        ]
+
+        found_advisories = to_advisories(raw_data)
+
+        # 10/26/2022 Wednesday 7:07:13 PM.  Throws error: AttributeError: type object 'AdvisoryData' has no attribute 'normalized'
+        # found_advisories = list(map(AdvisoryData.normalized, found_advisories))
+        # found_advisories = list(map(AdvisoryData, found_advisories))
+        # expected_advisories = list(map(AdvisoryData.normalized, expected_advisories))
+        # expected_advisories = list(map(AdvisoryData, expected_advisories))
         assert sorted(found_advisories) == sorted(expected_advisories)
