
Commit 0ae0057

Use impact to determine suitable fix for affected pkg
Signed-off-by: Keshav Priyadarshi <git@keshav.space>
1 parent 3859939 commit 0ae0057

3 files changed

+65
-157
lines changed


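--- a/vulnerabilities/models.py
+++ b/vulnerabilities/models.py
@@ -3152,65 +3152,6 @@ def get_absolute_url(self):
     def current_version(self):
         return self.version_class(self.version)
 
-    def get_affecting_vulnerabilities(self):
-        """
-        Return a list of vulnerabilities that affect this package together with information regarding
-        the versions that fix the vulnerabilities.
-        """
-        if self.version_rank == 0:
-            self.calculate_version_rank
-        package_details_advs = []
-
-        fixed_by_packages = PackageV2.objects.get_fixed_by_package_versions(self, fix=True)
-
-        package_advisories = self.affected_by_advisories.prefetch_related(
-            Prefetch(
-                "fixed_by_packages",
-                queryset=fixed_by_packages,
-                to_attr="fixed_packages",
-            )
-        )
-
-        for adv in package_advisories:
-            package_details_advs.append({"advisory": adv})
-            later_fixed_packages = []
-
-            for fixed_pkg in adv.fixed_by_packages.all():
-                if fixed_pkg not in fixed_by_packages:
-                    continue
-                fixed_version = self.version_class(fixed_pkg.version)
-                if fixed_version > self.current_version:
-                    later_fixed_packages.append(fixed_pkg)
-
-            next_fixed_package_vulns = []
-
-            sort_fixed_by_packages_by_version = []
-            if later_fixed_packages:
-                sort_fixed_by_packages_by_version = sorted(
-                    later_fixed_packages, key=lambda p: p.version_rank
-                )
-
-            fixed_by_pkgs = []
-
-            for vuln_details in package_details_advs:
-                if vuln_details["advisory"] != adv:
-                    continue
-                vuln_details["fixed_by_purl"] = []
-                vuln_details["fixed_by_purl_advisories"] = []
-
-                for fixed_by_pkg in sort_fixed_by_packages_by_version:
-                    fixed_by_package_details = {}
-                    fixed_by_purl = PackageURL.from_string(fixed_by_pkg.purl)
-                    next_fixed_package_vulns = list(fixed_by_pkg.affected_by_advisories.all())
-
-                    fixed_by_package_details["fixed_by_purl"] = fixed_by_purl
-                    fixed_by_package_details["fixed_by_purl_advisories"] = next_fixed_package_vulns
-                    fixed_by_pkgs.append(fixed_by_package_details)
-
-                vuln_details["fixed_by_package_details"] = fixed_by_pkgs
-
-        return package_details_advs
-
 
 class AdvisoryExploit(models.Model):
     """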

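--- a/vulnerabilities/templates/advisory_package_details.html
+++ b/vulnerabilities/templates/advisory_package_details.html
@@ -6,83 +6,62 @@
 {% load url_filters %}
 
 {% block title %}
-VulnerableCode Advisory Package Details - {{ advisory.advisory_id }}
+VulnerableCode Advisory Package Details - {{ advisoryv2.advisory_id }}
 {% endblock %}
 
 {% block content %}
 
-{% if advisory %}
-<section class="section pt-0">
-    <div class="details-container">
-        <article class="panel is-info panel-header-only">
-            <div class="panel-heading py-2 is-size-6">
-                Vulnerable and Fixing Package details for Advisory:
-                <span class="tag is-white custom">
-                    {{ advisory.advisory_id }}
-                </span>
-            </div>
-        </article>
-        <div id="tab-content">
-            <table class="table vcio-table width-100-pct mt-2">
-                <thead>
-                    <tr>
-                        <th style="width: 50%;">Affected</th>
-                        <th>Fixed by</th>
-                    </tr>
-                </thead>
-                <tbody>
-                    {% for package in affected_packages %}
-                    <tr>
-                        <td>
-                            <a href="{{ package.get_absolute_url }}?search={{ package.purl }}" target="_self">{{ package.purl }}</a>
-                        </td>
-                        <td>
-
-                            {% for match in all_affected_fixed_by_matches %}
-                            {% if match.affected_package == package %}
-                            {% if match.matched_fixed_by_packages|length > 0 %}
-                            {% for pkg in match.matched_fixed_by_packages %}
-                            <a href="/packages/{{ pkg }}?search={{ pkg }}" target="_self">{{ pkg }}</a>
-                            <br />
-                            {% endfor %}
-                            {% else %}
+{% if advisoryv2 %}
+<section class="section pt-0">
+    <div class="details-container">
+        <article class="panel is-info panel-header-only">
+            <div class="panel-heading py-2 is-size-6">
+                Vulnerable and Fixing Package details for Advisory:
+                <span class="tag is-white custom">
+                    {{ advisoryv2.advisory_id }}
+                </span>
+            </div>
+        </article>
+        <div id="tab-content">
+            <table class="table vcio-table width-100-pct mt-2">
+                <thead>
+                    <tr>
+                        <th style="width: 50%;">Affected</th>
+                        <th>Fixed by</th>
+                    </tr>
+                </thead>
+                <tbody>
+                    {% for impact in advisoryv2.impacted_packages.all %}
+                    <tr>
+                        <td>
+                            {% for package in impact.affecting_packages.all %}
+                            <a href="{{ package.get_absolute_url }}?search={{ package.purl }}" target="_self">{{ package.purl }}</a>
+                            <br />
+                            {% endfor %}
+                        </td>
+                        <td>
+                            {% for package in impact.fixed_by_packages.all %}
+                            <a href="{{ package.get_absolute_url }}?search={{ package.purl }}" target="_self">{{ package.purl }}</a>
+                            <br />
+                            {% empty %}
                             <span class="emphasis-vulnerable">There are no reported fixed by versions.</span>
-                            {% endif %}
-                            {% endif %}
-                            {% endfor %}
-
-                        </td>
-                    </tr>
-                    {% empty %}
-                    <tr>
-                        <td colspan="2">
-                            This vulnerability is not known to affect any packages.
-                        </td>
-                    </tr>
-                    {% endfor %}
-                </tbody>
-            </table>
-        </div>
-    </div>
-</section>
+                            {% endfor %}
+                        </td>
+                    </tr>
+                    {% empty %}
+                    <tr>
+                        <td colspan="2">
+                            This vulnerability is not known to affect any packages.
+                        </td>
+                    </tr>
+                    {% endfor %}
+                </tbody>
+            </table>
+        </div>
+    </div>
+</section>
 {% endif %}
 
 <script src="{% static 'js/main.js' %}" crossorigin="anonymous"></script>
 
-<script>
-    function goToTab(tabName) {
-        const activeLink = document.querySelector('div.tabs.is-boxed li.is-active');
-        const activeTabContent = document.querySelector('div.tab-div.is-active');
-
-        activeLink.classList.remove('is-active');
-        activeTabContent.classList.remove('is-active');
-
-        const target_id = document.querySelector(`[data-tab='${tabName}']`);
-        const targetTabContent = document.querySelector(`[data-content='${tabName}']`);
-
-        target_id.classList.add('is-active');
-        targetTabContent.classList.add('is-active');
-    }
-</script>
-
 {% endblock %}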
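Review bot: `{{ package.purl }}` is interpolated into the `search=` query string without URL-encoding on both new `<a href=...>` lines (the affected cell at new line 38 and the fixed-by cell at new line 44); Django autoescaping keeps it HTML-safe, but a purl carrying qualifiers (`?type=jar&classifier=sources`) or a subpath (`#src/...`) splits or truncates the parameter, so the target search page receives a wrong value. Use `?search={{ package.purl|urlencode }}` on both lines. The same unencoded form was on the old line this replaces, so it is not introduced here, but the rewrite is the moment to fix it. The affected-packages cell has no `{% empty %}` fallback, so an impact with no affecting packages renders a blank cell — presumably the model guarantees at least one, but worth confirming or adding a fallback like the fixed-by cell has.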

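--- a/vulnerabilities/views.py
+++ b/vulnerabilities/views.py
@@ -616,37 +616,25 @@ def get_queryset(self):
             .get_queryset()
             .prefetch_related(
                 Prefetch(
-                    "affecting_packages",
-                    queryset=models.PackageV2.objects.only("type", "namespace", "name", "version"),
-                ),
-                Prefetch(
-                    "fixed_by_packages",
-                    queryset=models.PackageV2.objects.only("type", "namespace", "name", "version"),
-                ),
+                    "impacted_packages",
+                    queryset=models.ImpactedPackage.objects.prefetch_related(
+                        Prefetch(
+                            "affecting_packages",
+                            queryset=models.PackageV2.objects.only(
+                                "type", "namespace", "name", "version"
+                            ),
+                        ),
+                        Prefetch(
+                            "fixed_by_packages",
+                            queryset=models.PackageV2.objects.only(
+                                "type", "namespace", "name", "version"
+                            ),
+                        ),
+                    ),
+                )
             )
         )
 
-    def get_context_data(self, **kwargs):
-        """
-        Build context with preloaded QuerySets and minimize redundant queries.
-        """
-        context = super().get_context_data(**kwargs)
-        advisory = self.object
-        (
-            sorted_fixed_by_packages,
-            sorted_affected_packages,
-            all_affected_fixed_by_matches,
-        ) = advisory.aggregate_fixed_and_affected_packages()
-        context.update(
-            {
-                "affected_packages": sorted_affected_packages,
-                "fixed_by_packages": sorted_fixed_by_packages,
-                "all_affected_fixed_by_matches": all_affected_fixed_by_matches,
-                "advisory": advisory,
-            }
-        )
-        return context
-
 
 class PipelineScheduleListView(ListView, FormMixin):
     model = PipelineSchedule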
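Review bot: Removing `get_context_data` drops the only place in this hunk that put the advisory into the template context under an explicit name, while the template in this same commit now reads `advisoryv2`; unless the view declares `context_object_name = "advisoryv2"` somewhere outside the hunk, the template's `{% if advisoryv2 %}` silently renders an empty page instead of failing, so a rendering test for this view would be worth adding with the change. Separately, the nested `.only("type", "namespace", "name", "version")` keeps the old field set, but the template calls `package.purl` and `package.get_absolute_url` on every prefetched row; if either reads fields outside that set (qualifiers, subpath), each access becomes a deferred-field query per package and undoes the prefetch — confirm against `PackageV2` and widen `only()` if so. The enclosing `get_queryset` starts before the hunk.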
