
Commit 4ef60d2

committed
Prevent committing partial advisory data to db
Signed-off-by: Keshav Priyadarshi <git@keshav.space>
1 parent 083daed commit 4ef60d2


2 files changed

+35
-1
lines changed


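--- a/vulnerabilities/pipes/advisory.py
+++ b/vulnerabilities/pipes/advisory.py
@@ -134,6 +134,7 @@ def insert_advisory(advisory: AdvisoryData, pipeline_id: str, logger: Callable =
 return advisory_obj
 
 
+@transaction.atomic
 def insert_advisory_v2(
 advisory: AdvisoryData,
 pipeline_id: str,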
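Review bot: The rollback that `@transaction.atomic` adds only holds if `insert_advisory_v2` lets exceptions propagate out of the decorated call; the function's body lies outside this hunk, and if it catches a database error internally and keeps issuing queries, Django marks the block as needing rollback and the next query raises TransactionManagementError, so any such internal handler needs its own nested `with transaction.atomic():` savepoint. The decorator also turns the whole function into one transaction per advisory, which matches the commit's intent but is a contract callers should be able to read, so the docstring should state it, e.g. `Insert ``advisory`` and its impacted packages in a single transaction; if anything raises, nothing is persisted.` The `from django.db import transaction` import is not visible in this hunk; confirm it already exists in the module rather than relying on a transitive name.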

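--- a/vulnerabilities/tests/pipes/test_vulnerablecode_importer_pipeline_v2.py
+++ b/vulnerabilities/tests/pipes/test_vulnerablecode_importer_pipeline_v2.py
@@ -10,11 +10,17 @@
 import logging
 from datetime import datetime
 from datetime import timedelta
+from unittest.mock import patch
 
 import pytest
+from packageurl import PackageURL
+from univers.version_range import VersionRange
 
 from vulnerabilities.importer import AdvisoryData
+from vulnerabilities.importer import AffectedPackageV2
 from vulnerabilities.models import AdvisoryV2
+from vulnerabilities.models import ImpactedPackage
+from vulnerabilities.models import PackageV2
 from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipelineV2
 
 
@@ -40,7 +46,18 @@ def dummy_advisory():
 references_v2=[],
 severities=[],
 weaknesses=[],
-affected_packages=[],
+affected_packages=[
+AffectedPackageV2(
+package=PackageURL.from_string("pkg:npm/foobar"),
+affected_version_range=VersionRange.from_string("vers:npm/<=1.2.3"),
+fixed_version_range=VersionRange.from_string("vers:npm/1.2.4"),
+),
+AffectedPackageV2(
+package=PackageURL.from_string("pkg:npm/foobar"),
+affected_version_range=VersionRange.from_string("vers:npm/<=3.2.3"),
+fixed_version_range=VersionRange.from_string("vers:npm/3.2.4"),
+),
+],
 advisory_id="ADV-123",
 date_published=datetime.now() - timedelta(days=10),
 url="https://example.com/advisory/1",
@@ -60,3 +77,19 @@ def test_collect_and_store_advisories(dummy_importer):
 assert len(dummy_importer.log_messages) >= 2
 assert "Successfully collected" in dummy_importer.log_messages[-1][1]
 assert AdvisoryV2.objects.count() == 1
+
+
+@pytest.mark.django_db
+@patch("vulnerabilities.pipes.advisory.get_exact_purls_v2", side_effect=Exception("error"))
+def test_advisory_import_atomicity_no_partial_adv_import(mock_exception, dummy_importer):
+dummy_importer.collect_and_store_advisories()
+assert AdvisoryV2.objects.count() == 0
+assert ImpactedPackage.objects.count() == 0
+
+
+@pytest.mark.django_db
+def test_advisory_import_atomicity(dummy_importer):
+dummy_importer.collect_and_store_advisories()
+assert AdvisoryV2.objects.count() == 1
+assert ImpactedPackage.objects.count() == 2
+assert PackageV2.objects.count() == 4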
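Review bot: `test_advisory_import_atomicity_no_partial_adv_import` proves that no rows are left behind but not that the failure was surfaced: `collect_and_store_advisories()` evidently absorbs the patched `Exception` (the test does not expect a raise), so it would keep passing if a later change swallowed the error silently and skipped the advisory. Add an assertion on the pipeline's log in the shape the happy-path test already uses, e.g. `assert any("error" in msg.lower() for _, msg in dummy_importer.log_messages)`, adjusting the wording to however the pipeline reports the failure, which is outside this diff. The counts in `test_advisory_import_atomicity` (`2` ImpactedPackage, `4` PackageV2) are unexplained magic numbers; a comment such as `# one ImpactedPackage per AffectedPackageV2; the 4 PackageV2 rows presumably come from the affected and fixed purls of each range - confirm against get_exact_purls_v2` would make a future count mismatch readable. The unused `mock_exception` parameter could be named `_mock_get_exact_purls` to signal that it exists only to satisfy `@patch`.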
