From a6ce64c40c789d5a51f35571bf5ae8f90e4177a8 Mon Sep 17 00:00:00 2001 From: Keshav Priyadarshi Date: Wed, 2 Oct 2024 15:10:10 +0530 Subject: [PATCH 01/10] Properly migrate crispy_forms to 2.x - Crispy removed all Bootstrap template packs. - These template packs are now available as standalone packages. - See https://github.com/django-crispy-forms/django-crispy-forms/releases/tag/2.0 - Fixes https://github.com/aboutcode-org/vulnerablecode/issues/1602 Signed-off-by: Keshav Priyadarshi --- requirements.txt | 1 + setup.cfg | 1 + vulnerablecode/settings.py | 2 ++ 3 files changed, 4 insertions(+) diff --git a/requirements.txt b/requirements.txt index 994f9ccf4..885130eab 100644 --- a/requirements.txt +++ b/requirements.txt @@ -21,6 +21,7 @@ click==8.1.2 coreapi==2.3.3 coreschema==0.0.4 cryptography==43.0.1 +crispy-bootstrap4==2024.1 cwe2==3.0.0 dateparser==1.1.1 decorator==5.1.1 diff --git a/setup.cfg b/setup.cfg index b46f23cdf..531212bde 100644 --- a/setup.cfg +++ b/setup.cfg @@ -62,6 +62,7 @@ install_requires = django-filter>=24.0 django-widget-tweaks>=1.5.0 django-crispy-forms>=2.3 + crispy-bootstrap4>=2024.1 django-environ>=0.11.0 gunicorn>=23.0.0 diff --git a/vulnerablecode/settings.py b/vulnerablecode/settings.py index d3d302d2e..f2f612098 100644 --- a/vulnerablecode/settings.py +++ b/vulnerablecode/settings.py @@ -78,6 +78,7 @@ "rest_framework.authtoken", "widget_tweaks", "crispy_forms", + "crispy_bootstrap4", # for API doc "drf_spectacular", # required for Django collectstatic discovery @@ -196,6 +197,7 @@ str(PROJECT_DIR / "static"), ] +CRISPY_ALLOWED_TEMPLATE_PACKS = "bootstrap4" CRISPY_TEMPLATE_PACK = "bootstrap4" From cf2e6c83c1a8b5a025588121f8efab6c53ce2c75 Mon Sep 17 00:00:00 2001 From: Keshav Priyadarshi Date: Wed, 2 Oct 2024 18:16:46 +0530 Subject: [PATCH 02/10] Fix Swagger API documentation - Revert drf-spectacular to 0.24.2 Signed-off-by: Keshav Priyadarshi --- requirements.txt | 4 ++-- setup.cfg | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/requirements.txt b/requirements.txt index 885130eab..0326622b8 100644 --- a/requirements.txt +++ b/requirements.txt @@ -36,8 +36,8 @@ djangorestframework==3.15.2 doc8==0.11.1 docopt==0.6.2 docutils==0.17.1 -drf-spectacular==0.27.2 -drf-spectacular-sidecar==2024.7.1 +drf-spectacular==0.24.2 +drf-spectacular-sidecar==2022.10.1 executing==0.8.3 fetchcode==0.3.0 freezegun==1.2.1 diff --git a/setup.cfg b/setup.cfg index 531212bde..ec64dcfd4 100644 --- a/setup.cfg +++ b/setup.cfg @@ -67,7 +67,7 @@ install_requires = gunicorn>=23.0.0 # for the API doc - drf-spectacular[sidecar]>=0.27.2 + drf-spectacular[sidecar]>=0.24.2 #essentials packageurl-python>=0.15 From 447d1bfca73b4bd5c1e43c1e9e6f400365069b4b Mon Sep 17 00:00:00 2001 From: Keshav Priyadarshi Date: Wed, 2 Oct 2024 18:39:15 +0530 Subject: [PATCH 03/10] Use queryset with prefetch in /api/aliases endpoint Signed-off-by: Keshav Priyadarshi --- vulnerabilities/api.py | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/vulnerabilities/api.py b/vulnerabilities/api.py index 0b3dc2b8e..5d953db9b 100644 --- a/vulnerabilities/api.py +++ b/vulnerabilities/api.py @@ -685,14 +685,10 @@ def filter_alias(self, queryset, name, value): return self.queryset.filter(aliases__alias__icontains=alias) -class AliasViewSet(viewsets.ReadOnlyModelViewSet): +class AliasViewSet(VulnerabilityViewSet): """ Lookup for vulnerabilities by vulnerability aliases such as a CVE (https://nvd.nist.gov/general/cve-process). """ - queryset = Vulnerability.objects.all() - serializer_class = VulnerabilitySerializer - filter_backends = (filters.DjangoFilterBackend,) filterset_class = AliasFilterSet - throttle_classes = [StaffUserRateThrottle, AnonRateThrottle] From 518c3e1cbf6904c58731739fc2f02d9fdef34342 Mon Sep 17 00:00:00 2001 From: Tushar Goel Date: Mon, 7 Oct 2024 17:53:29 +0530 Subject: [PATCH 04/10] Add changelog Signed-off-by: Tushar Goel --- CHANGELOG.rst | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
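Review bot: The new `setup.cfg` floor `drf-spectacular[sidecar]>=0.24.2` still admits 0.27.2, the very version this patch backs away from because the Swagger page broke, so any install driven by `install_requires` rather than the exact pins in `requirements.txt` can pull the broken version straight back; cap it, e.g. `drf-spectacular[sidecar]>=0.24.2,<0.25`, until the root cause is understood. The sidecar package exists to vendor the Swagger UI and ReDoc static bundles, so `drf-spectacular-sidecar==2022.10.1` means serving a two-year-old JavaScript bundle to every API user; the vendored Swagger UI version should be checked against its known advisories before this ships. The pin also deserves a comment so the downgrade is not silently undone by the next dependency bump, e.g. `# held back: 0.27.x breaks the Swagger UI page; sidecar pinned to match`. The commit message does not say what 0.27.2 actually broke, which would help whoever revisits this.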
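Review bot: `AliasViewSet` now inherits everything `VulnerabilityViewSet` defines, including its `queryset`, `serializer_class`, `filter_backends`, whatever `throttle_classes` it sets, and any extra `@action` routes, while the explicit `throttle_classes = [StaffUserRateThrottle, AnonRateThrottle]` line is removed. `VulnerabilityViewSet` is defined outside this hunk, so please confirm it declares the same throttles, otherwise `/api/aliases` silently loses its rate limiting, and that any custom actions it exposes are meant to be reachable under the alias router prefix as well. A one-line docstring addition would make the dependency explicit: `Inherits queryset, serializer, filtering and throttling from VulnerabilityViewSet; only the filterset differs.`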
diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 93beb0ff4..5edefef5a 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -1,11 +1,14 @@ Release notes ============= - Version (next) ------------------- +Version v34.0.2 +------------------- + - Add management command to commit exported vulnerability data (#1600) +- Fix API 500 error (#1603) Version v34.0.1 From f6310f87e7b678eac331a494e312f80b658aeaa5 Mon Sep 17 00:00:00 2001 From: Tushar Goel Date: Mon, 7 Oct 2024 17:53:44 +0530 Subject: [PATCH 05/10] Add changelog Signed-off-by: Tushar Goel --- CHANGELOG.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 5edefef5a..7caadf836 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -4,6 +4,7 @@ Release notes Version (next) ------------------- + Version v34.0.2 ------------------- From 954110daa67ff7efed863a40d8c68c8103f452f9 Mon Sep 17 00:00:00 2001 From: Tushar Goel Date: Mon, 7 Oct 2024 17:59:34 +0530 Subject: [PATCH 06/10] Bump VCIO version Signed-off-by: Tushar Goel --- setup.cfg | 2 +- ...0070_alter_advisory_created_by_and_more.py | 39 +++++++++++++++++++ vulnerablecode/__init__.py | 2 +- 3 files changed, 41 insertions(+), 2 deletions(-) create mode 100644 vulnerabilities/migrations/0070_alter_advisory_created_by_and_more.py diff --git a/setup.cfg b/setup.cfg index ec64dcfd4..a2fae91ec 100644 --- a/setup.cfg +++ b/setup.cfg @@ -1,6 +1,6 @@ [metadata] name = vulnerablecode -version = 34.0.1 +version = 34.0.2 license = Apache-2.0 AND CC-BY-SA-4.0 # description must be on ONE line https://github.com/pypa/setuptools/issues/1390 diff --git a/vulnerabilities/migrations/0070_alter_advisory_created_by_and_more.py b/vulnerabilities/migrations/0070_alter_advisory_created_by_and_more.py new file mode 100644 index 000000000..41294f20a --- /dev/null +++ b/vulnerabilities/migrations/0070_alter_advisory_created_by_and_more.py 
@@ -0,0 +1,39 @@ +# Generated by Django 4.2.15 on 2024-10-07 12:28 + +from django.db import migrations, models + + +class Migration(migrations.Migration): + + dependencies = [ + ("vulnerabilities", "0069_exploit_delete_kev"), + ] + + operations = [ + migrations.AlterField( + model_name="advisory", + name="created_by", + field=models.CharField( + help_text="Fully qualified name of the importer prefixed with themodule name importing the advisory. Eg:vulnerabilities.pipeline.nginx_importer.NginxImporterPipeline", + max_length=100, + ), + ), + migrations.AlterField( + model_name="packagechangelog", + name="software_version", + field=models.CharField( + default="34.0.2", + help_text="Version of the software at the time of change", + max_length=100, + ), + ), + migrations.AlterField( + model_name="vulnerabilitychangelog", + name="software_version", + field=models.CharField( + default="34.0.2", + help_text="Version of the software at the time of change", + max_length=100, + ), + ), + ] diff --git a/vulnerablecode/__init__.py b/vulnerablecode/__init__.py index c8e069baf..797c0871b 100644 --- a/vulnerablecode/__init__.py +++ b/vulnerablecode/__init__.py @@ -12,7 +12,7 @@ import warnings from pathlib import Path -__version__ = "34.0.1" +__version__ = "34.0.2" def command_line(): From 7fbb40d0c556c56e2ff8cad3f960c9ebd60112c1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 8 Oct 2024 21:30:01 +0000 Subject: [PATCH 07/10] Bump django from 4.2.15 to 4.2.16 Bumps [django](https://github.com/django/django) from 4.2.15 to 4.2.16. - [Commits](https://github.com/django/django/compare/4.2.15...4.2.16) --- updated-dependencies: - dependency-name: django dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 0326622b8..7cebc77ef 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -27,7 +27,7 @@ dateparser==1.1.1 decorator==5.1.1 defusedxml==0.7.1 distro==1.7.0 -Django==4.2.15 +Django==4.2.16 django-crispy-forms==2.3 django-environ==0.11.2 django-filter==24.3 From 4a2151a9fba1db806086e630a5f556b1773438f4 Mon Sep 17 00:00:00 2001 From: Keshav Priyadarshi Date: Tue, 8 Oct 2024 23:16:38 +0530 Subject: [PATCH 08/10] Bump fetchcode to v0.6.0 Signed-off-by: Keshav Priyadarshi --- requirements.txt | 2 +- setup.cfg | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements.txt b/requirements.txt index 7cebc77ef..94bf8f0df 100644 --- a/requirements.txt +++ b/requirements.txt @@ -39,7 +39,7 @@ docutils==0.17.1 drf-spectacular==0.24.2 drf-spectacular-sidecar==2022.10.1 executing==0.8.3 -fetchcode==0.3.0 +fetchcode==0.6.0 freezegun==1.2.1 frozenlist==1.3.0 gitdb==4.0.9 diff --git a/setup.cfg b/setup.cfg index a2fae91ec..596dc5901 100644 --- a/setup.cfg +++ b/setup.cfg @@ -90,7 +90,7 @@ install_requires = # networking GitPython>=3.1.17 requests>=2.25.1 - fetchcode>=0.3.0 + fetchcode>=0.6.0 #pipeline aboutcode.pipeline>=0.1.0 From 46ace78cfd662eea714cebdbcb7a043fc629d309 Mon Sep 17 00:00:00 2001 From: Keshav Priyadarshi Date: Tue, 8 Oct 2024 23:44:40 +0530 Subject: [PATCH 09/10] Update GitHub importer test fixture Signed-off-by: Keshav Priyadarshi --- vulnerabilities/improvers/valid_versions.py | 1 + .../tests/pipelines/test_github_importer_pipeline.py | 9 +++++++++ .../tests/pipelines/test_nginx_importer_pipeline.py | 2 +- 3 files changed, 11 insertions(+), 1 deletion(-) diff --git a/vulnerabilities/improvers/valid_versions.py b/vulnerabilities/improvers/valid_versions.py index 5d1e087ec..0940661b3 100644 --- a/vulnerabilities/improvers/valid_versions.py +++ b/vulnerabilities/improvers/valid_versions.py @@ -433,6 +433,7 @@ class GitHubBasicImprover(ValidVersionImprover): "3.0.0b3-", "3.0b6dev-r41684", "-class.-jw.util.version.Version-", + "vulnerabilities", ] ) 
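Review bot: `"vulnerabilities"` is added to a list in `GitHubBasicImprover` that, judging by its neighbours (`"3.0.0b3-"`, `"-class.-jw.util.version.Version-"`), holds malformed version strings to ignore, but it is not a version at all; it coincides with the top-level `vulnerabilities` key of the PyPI JSON API response, which suggests the fetchcode 0.6.0 bump now leaks a response key into `get_package_versions` output (the companion test in the next hunk expects exactly that value for `pypi/django`). Hard-coding it here hides a data-integrity bug in the version feed, and any other stray key would still reach the affected/fixed-range logic, so this should be reported upstream and ideally rejected generically (anything that does not parse as a version for the package type) rather than by name. If the entry stays, annotate it so it is not mistaken for a real tag: `"vulnerabilities",  # not a release: stray PyPI JSON key returned by fetchcode 0.6.0, drop once fixed upstream`. The enclosing list and class begin before this hunk.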
diff --git a/vulnerabilities/tests/pipelines/test_github_importer_pipeline.py b/vulnerabilities/tests/pipelines/test_github_importer_pipeline.py index d46e3ef19..29e869381 100644 --- a/vulnerabilities/tests/pipelines/test_github_importer_pipeline.py +++ b/vulnerabilities/tests/pipelines/test_github_importer_pipeline.py @@ -303,6 +303,13 @@ def test_get_package_versions(mock_response): improver = GitHubBasicImprover() valid_versions = [ + "1.0.1", + "1.0.2", + "1.0.3", + "1.0.4", + "1.1", + "1.1.1", + "1.1.2", "1.1.3", "1.1.4", "1.10", @@ -317,7 +324,9 @@ def test_get_package_versions(mock_response): "1.10a1", "1.10b1", "1.10rc1", + "vulnerabilities", ] + result = sorted( improver.get_package_versions(package_url=PackageURL(type="pypi", name="django")) ) diff --git a/vulnerabilities/tests/pipelines/test_nginx_importer_pipeline.py b/vulnerabilities/tests/pipelines/test_nginx_importer_pipeline.py index 8a71a11fd..c4bce99a6 100644 --- a/vulnerabilities/tests/pipelines/test_nginx_importer_pipeline.py +++ b/vulnerabilities/tests/pipelines/test_nginx_importer_pipeline.py @@ -195,7 +195,7 @@ def interesting_advisories(self) -> QuerySet: ) assert interesting_advisories == advisories - @mock.patch("fetchcode.package_versions.github_response") + @mock.patch("fetchcode.utils.github_response") def test_NginxBasicImprover_fetch_nginx_version_from_git_tags(self, mock_fetcher): reponse_files = [ "github-nginx-nginx-0.json", From 37c6c7e69f71535dcaf8d8b9bbce98eb9fc062d9 Mon Sep 17 00:00:00 2001 From: Keshav Priyadarshi Date: Tue, 8 Oct 2024 23:46:37 +0530 Subject: [PATCH 10/10] Use updated github_response API in VulnTotal Signed-off-by: Keshav Priyadarshi --- vulntotal/datasources/github.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vulntotal/datasources/github.py b/vulntotal/datasources/github.py index 154a31fe6..57293f3cb 100644 --- a/vulntotal/datasources/github.py +++ b/vulntotal/datasources/github.py 
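Review bot: The expected `valid_versions` list in `test_get_package_versions` now includes `"vulnerabilities"`, so the test (presumably comparing it with `result`, whose assertion lies past the hunk) asserts that a non-version string is a correct version of `pypi/django`; that turns the test into a characterisation of whatever fetchcode currently returns and locks the defect in. Prefer asserting the improver's output contains only real versions, e.g. `assert "vulnerabilities" not in result`, once the bogus entry is filtered. A short comment on the fixture explaining why the seven new `1.0.x`/`1.1.x` entries appeared after the fetchcode bump would also help the next reader tell a library change from a regression. The mock target change to `fetchcode.utils.github_response` in the nginx test is consistent with the import move in the last patch.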
@@ -11,7 +11,7 @@
from typing import Iterable
from dotenv import load_dotenv
-from fetchcode.package_versions import github_response
+from fetchcode.utils import github_response
from packageurl import PackageURL
from vulntotal.validator import DataSource