Match affected and fixed-by Packages
The initial commit in this PR adds CSS for the collapsed (< 1024px) responsive Bulma navbar and adjusts some template nesting. Substantive work on matching affected and fixed-by Packages to follow.
Reference: https://github.com/nexB/vulnerablecode/issues/1287
@johnmhoran thanks! please provide screenshots and let us know when it's good to be merged
@TG1999 I just committed and tried to push my latest changes -- no tests yet, and I'm not yet able to properly sort the Package search results (but the immediate task, the new matched affected/fixed-by records, looks great and is properly sorted ;-) -- but immediately ran into a problem, evidently because you had committed and pushed numerous changes of your own to this branch that I did not have locally. I followed the git instruction to run 'git pull' on this branch; it seems to have been merged automatically and without reported conflicts.
I then ran git push origin 1287-resume-combining-affected-fixed-tabs successfully, with no errors. However, on this PR page, 1 test failed twice -- some codestyle test unrelated to my work -- and I see the warning "This branch has conflicts that must be resolved." I'd feel comfortable resolving conflicts locally with VSCode, but I have not yet used the GH interface for that and am a bit reluctant to click one of the links for web editor, command line or Resolve conflicts.
@TG1999 I just updated main locally, merged into my branch, resolved a few conflicts and committed and pushed. Waiting for the GH checks to finish.
The primary goal of this issue and PR was matching the affected and fixed-by Packages, and that's now in place on the Vulnerability details page. (I'll add a screen shot or two in another comment below.) My next task will be to add some tests.
This PR also includes a few other items I encountered along the way:
- Added version_class-based sorting to the matched affected/fixed-by records
- Added a filter to encode Package URLs so that a link to a Package with a qualifiers value will properly recognize the qualifiers separator and following data.
Note: I also tried to update the PackageSearch class in views.py to incorporate my version_class-based sorting into the get_queryset() method but could not figure out how to do that. I tried to modify .order_by() directly and by adding a .annotate() clause (if that's the right word), but no luck. Please let me know if you have any suggestions on how I should approach this.
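The reason the encoding filter mentioned above matters can be shown without Django. The following is an added example, not vulnerablecode's own filter code: `package_link` and `package_from_link` are hypothetical names, the PURL is a constructed sample, and the point is that a `?` left unencoded in a link path is read by the server as the start of the query string, so the view receives a PURL with its qualifiers cut off.

```python
"""Why a PURL with qualifiers must be percent-encoded before it goes into a link.

Added example (not vulnerablecode's code). package_link / package_from_link are
hypothetical helpers; the PURL below is a constructed sample.
"""
from urllib.parse import quote, unquote, urlsplit

# Constructed sample PURL carrying a qualifier after the '?' separator
PURL = "pkg:apk/alpine/openssl@3.1.4-r0?arch=x86"

PREFIX = "/packages/"


def package_link(purl, encode=True):
    """Build a details-page link for a Package.

    encode=True percent-encodes every reserved character (':' '/' '@' '?' '=')
    so the whole PURL survives as one path segment; encode=False embeds the raw
    PURL, the way a template that forgets the filter would.
    """
    path_part = quote(purl, safe="") if encode else purl
    return PREFIX + path_part


def package_from_link(link):
    """What the view ends up with: the decoded path after /packages/.

    urlsplit() mirrors the server's parsing: anything after an unencoded '?'
    is the query string, not the path, so it is dropped here.
    """
    parts = urlsplit(link)
    return unquote(parts.path[len(PREFIX):])


if __name__ == "__main__":
    print("raw link     ->", package_from_link(package_link(PURL, encode=False)))
    print("encoded link ->", package_from_link(package_link(PURL)))
```

With the raw link the view sees `pkg:apk/alpine/openssl@3.1.4-r0` and the `arch=x86` qualifier is silently lost; with the encoded link the original PURL round-trips intact.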
@TG1999 A few screenshots of the new matched affected/fixed-by Package records on the Vulnerabilities details page.
The landing page showing the Essentials tab contents and next to it, the new Affected/Fixed by packages tab.
Scrolling down the Essentials content a bit, here are the first 3 records from the new tab (plus a link to that tab):
And this is the new Affected/Fixed by packages tab when selected:
@TG1999 @pombredanne While exploring the sorting of a variety of PURL types using purl_version_class = RANGE_CLASS_BY_SCHEMES[purl.type].version_class, I see that pkg:apk/alpine/[email protected]?arch=x86 is raising an exception: KeyError: 'apk'.
Although apk is listed as a PURL type (https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#apk), is it possible that univers handles alpine but does not yet handle apk, and thus a sort using version_class will fail for pkg:apk/*?
Not sure if this is still needed (or relevant to my question), but we import AlpineLinuxVersionRange separately from RANGE_CLASS_BY_SCHEMES and then update the latter with the former.
from univers.version_range import RANGE_CLASS_BY_SCHEMES
from univers.version_range import AlpineLinuxVersionRange
. . .
def purl_sort_key(purl: models.Package):
    # Register the Alpine range class under the key "alpine" (not "apk") before the lookup
    RANGE_CLASS_BY_SCHEMES["alpine"] = AlpineLinuxVersionRange
    # Raises KeyError for any PURL type univers has no range class for (e.g. "apk")
    purl_version_class = RANGE_CLASS_BY_SCHEMES[purl.type].version_class
    return (purl.type, purl.namespace, purl.name, purl_version_class(purl.version), purl.qualifiers, purl.subpath)
AlpineLinuxVersionRange defines scheme as alpine but does not refer to apk. The only univers reference I see for apk is in alpine_test.txt.NOTICE -- "Alpine Package Keeper (apk) is a package manager developed for Alpine Linux."
Note that alpine_test.txt.ABOUT contains a reference to an alpine PURL type:
package_url: pkg:alpine/[email protected]#test/version.data
but alpine is not listed in purl-spec as a PURL type and appears only under the listing for 'apk'.
I'm seeing similar key errors for some other PURL types like bitbucket, bitnami and cocoapods, so perhaps these are just examples of PURL types that are not yet covered by univers?
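The KeyError described in this comment is the general failure mode of a sort key that indexes a scheme-to-version-class mapping directly: any PURL type the mapping lacks aborts the whole sort. The following is an added example, not vulnerablecode's or univers' own code. `Package`, `DottedVersion`, `GenericVersionRange`, `AlpineLinuxVersionRange` and `RANGE_CLASS_BY_SCHEMES` below are constructed stand-ins that only mimic the shape of `univers.version_range.RANGE_CLASS_BY_SCHEMES` (scheme -> range class exposing `version_class`), so the file runs without univers; "apk" is deliberately left out of the mapping to reproduce the unsupported-type case, and the sort key degrades to a string comparison for it instead of raising.

```python
"""Version-aware sort key that tolerates PURL types with no version class.

Added example, not vulnerablecode's or univers' code. Every class and the
RANGE_CLASS_BY_SCHEMES dict here are constructed stand-ins that mimic the
shape of univers' mapping (scheme -> range class with a version_class attr).
"""
import re
from dataclasses import dataclass
from functools import total_ordering


@dataclass(frozen=True)
class Package:
    """Stand-in for the Package model fields the sort key reads."""
    type: str
    namespace: str = ""
    name: str = ""
    version: str = ""
    qualifiers: str = ""
    subpath: str = ""


@total_ordering
class DottedVersion:
    """Stand-in version class: numeric segments compare as integers, so
    1.10 sorts after 1.9 (a plain string sort would put 1.10 first)."""

    def __init__(self, string):
        if not string:
            raise ValueError("empty version")
        # (0, int) for numeric segments, (1, str) otherwise: never compares int to str
        self.key = tuple(
            (0, int(seg)) if seg.isdigit() else (1, seg)
            for seg in re.split(r"[.\-]", string)
        )

    def __eq__(self, other):
        return self.key == other.key

    def __lt__(self, other):
        return self.key < other.key


class GenericVersionRange:
    version_class = DottedVersion


class AlpineLinuxVersionRange:
    version_class = DottedVersion


# Scheme -> range class. "apk" is deliberately absent, mirroring the KeyError.
RANGE_CLASS_BY_SCHEMES = {
    "pypi": GenericVersionRange,
    "npm": GenericVersionRange,
    "alpine": AlpineLinuxVersionRange,
}


def version_sort_key(purl):
    """Key for the version component.

    Supported schemes use the scheme's version class (rank 0); unsupported
    schemes and unparsable versions fall back to the raw string (rank 1), so
    the sort never raises and rank-0 and rank-1 values are never compared.
    """
    range_class = RANGE_CLASS_BY_SCHEMES.get(purl.type)
    if range_class is None:
        return (1, purl.version)
    try:
        return (0, range_class.version_class(purl.version))
    except ValueError:  # assumption: univers raises a ValueError subclass here
        return (1, purl.version)


def purl_sort_key(purl):
    """Full sort key: type, namespace, name, version, qualifiers, subpath."""
    return (
        purl.type,
        purl.namespace or "",
        purl.name or "",
        version_sort_key(purl),
        purl.qualifiers or "",
        purl.subpath or "",
    )


def sorted_packages(packages):
    return sorted(packages, key=purl_sort_key)


# Constructed sample records; the apk ones exercise the unsupported-scheme path.
SAMPLE_PACKAGES = [
    Package("pypi", "", "django", "1.10"),
    Package("npm", "", "lodash", "4.17.21"),
    Package("apk", "alpine", "openssl", "3.1.4-r0", "arch=x86"),
    Package("pypi", "", "django", "1.9"),
    Package("apk", "alpine", "openssl", "3.1.10-r0", "arch=x86"),
    Package("pypi", "", "django", "1.2"),
]

if __name__ == "__main__":
    for pkg in sorted_packages(SAMPLE_PACKAGES):
        print(pkg.type, pkg.namespace, pkg.name, pkg.version, pkg.qualifiers)
```

Running it sorts the pypi records as 1.2, 1.9, 1.10 (numeric), while the apk records come out as 3.1.10-r0 before 3.1.4-r0: that inversion is exactly what the string fallback costs for a type without a version class, which is the trade-off to weigh against a sort that raises.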
@TG1999 @pombredanne This PR is ready for review. I've refactored the sort and version-class functions and added tests for these functions and for the custom quote filter.
Note: After learning that not all "known PURL types" -- https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#known-purl-types -- have a univers version_class, I revised the sort and version-class tests to test only PURL types currently supported by univers.
I see that once again the only failing check here is test_codestyle, which I think I've seen failing for other PRs recently as well -- no idea why it's failing or how to resolve.
Thanks @johnmhoran ! LGTM