Fix debian importer.

Ignores a the invalid version "3.8.20-4." Signed-off-by: Shivam Sandbhor <[email protected]>
Hritik14 · Apr 27, 2021 · 114a970 · 114a970
1 parent 65443e4
commit 114a970
Showing 1 changed file with 14 additions and 5 deletions.
diff --git a/vulnerabilities/importers/debian.py b/vulnerabilities/importers/debian.py
@@ -22,6 +22,7 @@
 #  Visit https://github.com/nexB/vulnerablecode/ for support and download.
 
 import dataclasses
+import json
 from dateutil import parser as dateparser
 from typing import Any
 from typing import List
@@ -107,25 +108,31 @@ def _fetch(self) -> Mapping[str, Any]:
 
     def _parse(self, pkg_name: str, records: Mapping[str, Any]) -> List[Advisory]:
         advisories = []
+        ignored_versions = {"3.8.20-4."}
 
         for cve_id, record in records.items():
             impacted_purls, resolved_purls = [], []
             if not cve_id.startswith("CVE"):
                 continue
 
             # vulnerabilities starting with something else may not be public yet
-            # see for instance https://web.archive.org/web/20201215213725/https://security-tracker.debian.org/tracker/TEMP-0000000-A2EB44  # nopep8
-            # TODO: this would need to be revisited though to ensure we are not missing out on anything  # nopep8
+            # see for instance https://web.archive.org/web/20201215213725/https://security-tracker.debian.org/tracker/TEMP-0000000-A2EB44
+            # TODO: this would need to be revisited though to ensure we are not missing out on anything
 
             for release_name, release_record in record["releases"].items():
                 if not release_record.get("repositories", {}).get(release_name):
                     continue
 
+                version = release_record["repositories"][release_name]
+
+                if version in ignored_versions:
+                    continue
+
                 purl = PackageURL(
                     name=pkg_name,
                     type="deb",
                     namespace="debian",
-                    version=release_record["repositories"][release_name],
+                    version=version,
                     qualifiers={"distro": release_name},
                 )
 
@@ -134,7 +141,10 @@ def _parse(self, pkg_name: str, records: Mapping[str, Any]) -> List[Advisory]:
                 else:
                     impacted_purls.append(purl)
 
-                if "fixed_version" in release_record:
+                if (
+                    "fixed_version" in release_record
+                    and release_record["fixed_version"] not in ignored_versions
+                ):
                     resolved_purls.append(
                         PackageURL(
                             name=pkg_name,
@@ -150,7 +160,6 @@ def _parse(self, pkg_name: str, records: Mapping[str, Any]) -> List[Advisory]:
             if debianbug:
                 bug_url = f"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug={debianbug}"
                 references.append(Reference(url=bug_url, reference_id=debianbug))
-            # print(nearest_patched_package(impacted_purls, resolved_purls))
             advisories.append(
                 Advisory(
                     vulnerability_id=cve_id,