Update classify_patch_source function so we can store both Patch and PackageCommitPatch

Signed-off-by: ziad hany <ziadhany2016@gmail.com>

Author: ziadhany

vulnerabilities/pipelines/v2_importers/aosp_importer.py

@@ -88,22 +88,22 @@ def collect_advisories(self):
                     patch_url = commit_data.get("patchUrl")
                     commit_id = commit_data.get("commitId")
 
-                    base_purl, patch_obj = classify_patch_source(
+                    base_purl, patch_obj_list = classify_patch_source(
                         vcs_url=None,
                         commit_hash=commit_id,
                         patch_url=patch_url,
                         patch_text=None,
                     )
-
-                    if isinstance(patch_obj, PackageCommitPatchData):
-                        fixed_commit = patch_obj
-                        affected_package = AffectedPackageV2(
-                            package=base_purl,
-                            fixed_by_commit_patches=[fixed_commit],
-                        )
-                        affected_packages.append(affected_package)
-                    elif isinstance(patch_obj, PatchData):
-                        patches.append(patch_obj)
+                    for patch_obj in patch_obj_list:
+                        if isinstance(patch_obj, PackageCommitPatchData):
+                            fixed_commit = patch_obj
+                            affected_package = AffectedPackageV2(
+                                package=base_purl,
+                                fixed_by_commit_patches=[fixed_commit],
+                            )
+                            affected_packages.append(affected_package)
+                        elif isinstance(patch_obj, PatchData):
+                            patches.append(patch_obj)
 
                 url = (
                     "https://raw.githubusercontent.com/quarkslab/aosp_dataset/refs/heads/master/cves/"

vulnerabilities/pipes/advisory.py

@@ -19,7 +19,8 @@
 from django.db import transaction
 from django.db.models import Q
 from django.db.models.query import QuerySet
-from packageurl.contrib.purl2url import get_repo_url
+from packageurl import PackageURL
+from packageurl.contrib.purl2url import purl2url
 from packageurl.contrib.url2purl import url2purl
 
 from aboutcode.hashid import get_core_purl
@@ -184,15 +185,17 @@ def classify_patch_source(vcs_url, commit_hash, patch_text, patch_url):
         purl = url2purl(vcs_url)
 
     if not purl:
-        return None, PatchData(
-            patch_text=patch_text,
-            patch_url=patch_url,
-        )
+        return None, [
+            PatchData(
+                patch_text=patch_text,
+                patch_url=patch_url,
+            )
+        ]
 
     base_purl = get_core_purl(purl)
     purl_string = base_purl.to_string()
 
-    vcs_url_p = get_repo_url(purl_string)
+    vcs_url_p = purl2url(purl_string)
     commit_hash_p = purl.version
 
     final_vcs_url = vcs_url or vcs_url_p
@@ -204,16 +207,28 @@ def classify_patch_source(vcs_url, commit_hash, patch_text, patch_url):
         and is_commit(final_commit_hash)
         and purl.type in VCS_URLS_SUPPORTED_TYPES
     ):
-        return base_purl, PackageCommitPatchData(
-            vcs_url=final_vcs_url,
-            commit_hash=final_commit_hash,
+        purl = PackageURL(
+            type=purl.type, namespace=purl.namespace, name=purl.name, version=final_commit_hash
+        )
+        final_patch_url = patch_url or purl2url(str(purl))
+        return base_purl, [
+            PackageCommitPatchData(
+                vcs_url=final_vcs_url,
+                commit_hash=final_commit_hash,
+                patch_text=patch_text,
+            ),
+            PatchData(
+                patch_text=patch_text,
+                patch_url=final_patch_url,
+            ),
+        ]
+
+    return None, [
+        PatchData(
+            patch_url=patch_url or final_vcs_url,
             patch_text=patch_text,
         )
-
-    return None, PatchData(
-        patch_url=patch_url or final_vcs_url,
-        patch_text=patch_text,
-    )
+    ]
 
 
 def insert_advisory(advisory: AdvisoryData, pipeline_id: str, logger: Callable = None):

vulnerabilities/tests/test_data/aosp/CVE-aosp_test3-expected.json

@@ -27,7 +27,13 @@
       }
     ],
     "references_v2": [],
-    "patches": [],
+    "patches": [
+      {
+        "patch_url": "https://github.com/torvalds/linux/commit/0048b4837affd153897ed1222283492070027aa9",
+        "patch_text": null,
+        "patch_checksum": null
+      }
+    ],
     "severities": [
       {
         "system": "generic_textual",

vulnerabilities/tests/test_importer.py

@@ -25,21 +25,27 @@ def test_all_importers_have_unique_name():
 
 
 @pytest.mark.parametrize(
-    "vcs_url, commit_hash, patch_text, patch_url, expected_result_tuple",
+    "vcs_url, commit_hash, patch_text, patch_url, expected_data_list",
     [
         # SUPPORTED: VCS URL + commit hash + no code patch
         (
             "https://github.com/user/repo",
-            "a1b2c3d4",
+            "a5f3206663e16c0686739fa83fca2978e6818b6",
             None,
             None,
             (
                 "pkg:github/user/repo",
-                PackageCommitPatchData(
-                    vcs_url="https://github.com/user/repo",
-                    commit_hash="a1b2c3d4",
-                    patch_text=None,
-                ),
+                [
+                    PackageCommitPatchData(
+                        vcs_url="https://github.com/user/repo",
+                        commit_hash="a5f3206663e16c0686739fa83fca2978e6818b6",
+                        patch_text=None,
+                    ),
+                    PatchData(
+                        patch_text=None,
+                        patch_url="https://github.com/user/repo/tree/a5f3206663e16c0686739fa83fca2978e6818b6",
+                    ),
+                ],
             ),
         ),
         # UNSUPPORTED: VCS URL + commit hash + no code patch
@@ -50,10 +56,12 @@ def test_all_importers_have_unique_name():
             None,
             (
                 None,
-                PatchData(
-                    patch_text=None,
-                    patch_url="https://unsupported.example.com/repo",
-                ),
+                [
+                    PatchData(
+                        patch_text=None,
+                        patch_url="https://unsupported.example.com/repo",
+                    )
+                ],
             ),
         ),
         # SUPPORTED: VCS URL + commit hash + code patch
@@ -64,11 +72,17 @@ def test_all_importers_have_unique_name():
             "https://github.com/user/repo/commit/a1b2c3d4",
             (
                 "pkg:github/user/repo",
-                PackageCommitPatchData(
-                    commit_hash="deadbeef",
-                    vcs_url="https://github.com/user/repo",
-                    patch_text="diff --git a/file b/file",
-                ),
+                [
+                    PackageCommitPatchData(
+                        commit_hash="deadbeef",
+                        vcs_url="https://github.com/user/repo",
+                        patch_text="diff --git a/file b/file",
+                    ),
+                    PatchData(
+                        patch_text="diff --git a/file b/file",
+                        patch_url="https://github.com/user/repo/commit/a1b2c3d4",
+                    ),
+                ],
             ),
         ),
         # UNSUPPORTED: VCS URL + commit hash + code patch
@@ -79,10 +93,12 @@ def test_all_importers_have_unique_name():
             "https://example.com/user/unknown/commits/a1b2c3d4",
             (
                 None,
-                PatchData(
-                    patch_text="diff content",
-                    patch_url="https://example.com/user/unknown/commits/a1b2c3d4",
-                ),
+                [
+                    PatchData(
+                        patch_text="diff content",
+                        patch_url="https://example.com/user/unknown/commits/a1b2c3d4",
+                    )
+                ],
             ),
         ),
         #  NO VCS URL + NO commit hash + code patch
@@ -93,10 +109,12 @@ def test_all_importers_have_unique_name():
             "https://example.com/user/unknown/commits/a1b2c3d4",
             (
                 None,
-                PatchData(
-                    patch_text="diff content",
-                    patch_url="https://example.com/user/unknown/commits/a1b2c3d4",
-                ),
+                [
+                    PatchData(
+                        patch_text="diff content",
+                        patch_url="https://example.com/user/unknown/commits/a1b2c3d4",
+                    )
+                ],
             ),
         ),
         # SUPPORTED: VCS URL + NO commit hash + no code patch #invalid
@@ -107,10 +125,12 @@ def test_all_importers_have_unique_name():
             None,
             (
                 None,
-                PatchData(
-                    patch_text=None,
-                    patch_url="https://github.com/user/repo",
-                ),
+                [
+                    PatchData(
+                        patch_text=None,
+                        patch_url="https://github.com/user/repo",
+                    )
+                ],
             ),
         ),
         # UNSUPPORTED: VCS URL + NO commit hash + no code patch #invalid
@@ -121,10 +141,12 @@ def test_all_importers_have_unique_name():
             None,
             (
                 None,
-                PatchData(
-                    patch_text=None,
-                    patch_url="https://example.com/user/repo",
-                ),
+                [
+                    PatchData(
+                        patch_text=None,
+                        patch_url="https://example.com/user/repo",
+                    )
+                ],
             ),
         ),
         # SUPPORTED: VCS URL + NO commit hash + code patch
@@ -135,11 +157,17 @@ def test_all_importers_have_unique_name():
             "https://github.com/user/unknown/commit/98e516011d6e096e25247b82fc5f196bbeecff10",
             (
                 "pkg:github/user/unknown",
-                PackageCommitPatchData(
-                    vcs_url="https://github.com/user/repo",
-                    commit_hash="98e516011d6e096e25247b82fc5f196bbeecff10",
-                    patch_text=None,
-                ),
+                [
+                    PackageCommitPatchData(
+                        vcs_url="https://github.com/user/repo",
+                        commit_hash="98e516011d6e096e25247b82fc5f196bbeecff10",
+                        patch_text=None,
+                    ),
+                    PatchData(
+                        patch_text=None,
+                        patch_url="https://github.com/user/unknown/commit/98e516011d6e096e25247b82fc5f196bbeecff10",
+                    ),
+                ],
             ),
         ),
         # UNSUPPORTED: VCS URL + NO commit hash + code patch
@@ -150,32 +178,40 @@ def test_all_importers_have_unique_name():
             "https://example.com/user/unknown/commits/98e516011d6e096e25247b82fc5f196bbeecff10.patch",
             (
                 None,
-                PatchData(
-                    patch_text=None,
-                    patch_url="https://example.com/user/unknown/commits/98e516011d6e096e25247b82fc5f196bbeecff10.patch",
-                ),
+                [
+                    PatchData(
+                        patch_text=None,
+                        patch_url="https://example.com/user/unknown/commits/98e516011d6e096e25247b82fc5f196bbeecff10.patch",
+                    )
+                ],
             ),
         ),
     ],
 )
 def test_classify_patch_source_integration(
-    vcs_url, commit_hash, patch_text, patch_url, expected_result_tuple
+    vcs_url, commit_hash, patch_text, patch_url, expected_data_list
 ):
-    expected_purl, expected_data_obj = expected_result_tuple
+    expected_purl, expected_data_objects = expected_data_list
 
-    actual_purl, actual_data_obj = classify_patch_source(
+    actual_purl, actual_data_objects = classify_patch_source(
         vcs_url=vcs_url, commit_hash=commit_hash, patch_text=patch_text, patch_url=patch_url
     )
 
-    assert isinstance(actual_data_obj, type(expected_data_obj))
-
-    if isinstance(actual_data_obj, PackageCommitPatchData):
-        assert actual_data_obj.vcs_url == expected_data_obj.vcs_url
-        assert actual_data_obj.commit_hash == expected_data_obj.commit_hash
-        assert actual_data_obj.patch_text == expected_data_obj.patch_text
+    if expected_purl:
         assert str(actual_purl) == expected_purl
-
-    elif isinstance(actual_data_obj, PatchData):
-        assert actual_data_obj.patch_url == expected_data_obj.patch_url
-        assert actual_data_obj.patch_text == expected_data_obj.patch_text
+    else:
         assert actual_purl is None
+
+    assert len(actual_data_objects) == len(expected_data_objects)
+
+    for actual_data_obj, expected_data_obj in zip(actual_data_objects, expected_data_objects):
+        assert isinstance(actual_data_obj, type(expected_data_obj))
+
+        if isinstance(actual_data_obj, PackageCommitPatchData):
+            assert actual_data_obj.vcs_url == expected_data_obj.vcs_url
+            assert actual_data_obj.commit_hash == expected_data_obj.commit_hash
+            assert actual_data_obj.patch_text == expected_data_obj.patch_text
+
+        elif isinstance(actual_data_obj, PatchData):
+            assert actual_data_obj.patch_url == expected_data_obj.patch_url
+            assert actual_data_obj.patch_text == expected_data_obj.patch_text