Fix gitlab and elixir security importer (#1934)

* Fix gitlab and elixir security importer

Signed-off-by: Tushar Goel <tushar.goel.dav@gmail.com>

* Fix tests

Signed-off-by: Tushar Goel <tushar.goel.dav@gmail.com>

---------

Signed-off-by: Tushar Goel <tushar.goel.dav@gmail.com>

Author: TG1999

vulnerabilities/pipelines/__init__.py

@@ -361,6 +361,13 @@ def get_published_package_versions(
         try:
             versions = package_versions.versions(str(package_url))
             for version in versions or []:
+                if (
+                    version.release_date
+                    and version.release_date.tzinfo
+                    and until
+                    and until.tzinfo is None
+                ):
+                    until = until.replace(tzinfo=timezone.utc)
                 if until and version.release_date and version.release_date > until:
                     continue
                 versions_before_until.append(version.value)

vulnerabilities/pipelines/v2_importers/elixir_security_importer.py

@@ -39,7 +39,12 @@ class ElixirSecurityImporterPipeline(VulnerableCodeBaseImporterPipelineV2):
 
     @classmethod
     def steps(cls):
-        return (cls.collect_and_store_advisories,)
+        return (cls.clone, cls.collect_and_store_advisories, cls.clean_downloads)
+
+    def clean_downloads(self):
+        if self.vcs_response:
+            self.log(f"Removing cloned repository")
+            self.vcs_response.delete()
 
     def clone(self):
         self.log(f"Cloning `{self.repo_url}`")
@@ -62,6 +67,9 @@ def collect_advisories(self) -> Iterable[AdvisoryData]:
 
     def process_file(self, file, base_path) -> Iterable[AdvisoryData]:
         relative_path = str(file.relative_to(base_path)).strip("/")
+        path_segments = str(file).split("/")
+        # use the last two segments as the advisory ID
+        advisory_id = "/".join(path_segments[-2:]).replace(".yml", "")
         advisory_url = (
             f"https://github.com/dependabot/elixir-security-advisories/blob/master/{relative_path}"
         )
@@ -114,8 +122,8 @@ def process_file(self, file, base_path) -> Iterable[AdvisoryData]:
             date_published = dateparser.parse(yaml_file.get("disclosure_date"))
 
         yield AdvisoryData(
-            advisory_id=cve_id,
-            aliases=[],
+            advisory_id=advisory_id,
+            aliases=[cve_id],
             summary=summary,
             references_v2=references,
             affected_packages=affected_packages,

vulnerabilities/pipelines/v2_importers/gitlab_importer.py

@@ -233,6 +233,8 @@ def parse_gitlab_advisory(
     # refer to schema here https://gitlab.com/gitlab-org/advisories-community/-/blob/main/ci/schema/schema.json
     aliases = gitlab_advisory.get("identifiers")
     advisory_id = gitlab_advisory.get("identifier")
+    package_slug = gitlab_advisory.get("package_slug")
+    advisory_id = f"{package_slug}/{advisory_id}" if package_slug else advisory_id
     if advisory_id in aliases:
         aliases.remove(advisory_id)
     summary = build_description(gitlab_advisory.get("title"), gitlab_advisory.get("description"))
@@ -244,8 +246,6 @@ def parse_gitlab_advisory(
 
     date_published = dateparser.parse(gitlab_advisory.get("pubdate"))
     date_published = date_published.replace(tzinfo=pytz.UTC)
-    package_slug = gitlab_advisory.get("package_slug")
-    advisory_id = f"{package_slug}/{advisory_id}" if package_slug else advisory_id
     advisory_url = get_advisory_url(
         file=file,
         base_path=base_path,

vulnerabilities/templates/advisory_detail.html

@@ -156,7 +156,7 @@
                                     "
                                 >Affected and Fixed Packages</td>
                                 <td class="two-col-right wrap-strings">
-                                    <a href="{{ advisory.id }}/packages">
+                                    <a href="/advisories/packages/{{ advisory.avid }}">
                                         Package Details
                                     </a>
                                 </td>

vulnerabilities/tests/pipelines/test_elixir_security_v2_importer.py

@@ -72,7 +72,7 @@ def test_collect_advisories(mock_fetch_via_vcs, mock_vcs_response):
     assert len(advisories) == 1
 
     advisory: AdvisoryData = advisories[0]
-    assert advisory.advisory_id == "CVE-2022-9999"
+    assert advisory.advisory_id == "some_package/CVE-2022-9999"
     assert advisory.summary.startswith("Cross-site scripting vulnerability")
     assert advisory.affected_packages[0].package.name == "plug"
     assert advisory.affected_packages[0].package.type == "hex"

vulnerabilities/views.py

@@ -570,8 +570,8 @@ class AdvisoryPackagesDetails(DetailView):
 
     model = models.AdvisoryV2
     template_name = "advisory_package_details.html"
-    slug_url_kwarg = "id"
-    slug_field = "id"
+    slug_url_kwarg = "avid"
+    slug_field = "avid"
 
     def get_queryset(self):
         """

vulnerablecode/urls.py

@@ -103,6 +103,11 @@ def __init__(self, *args, **kwargs):
         HomePageV2.as_view(),
         name="home",
     ),
+    path(
+        "advisories/packages/<path:avid>",
+        AdvisoryPackagesDetails.as_view(),
+        name="advisory_package_details",
+    ),
     path(
         "advisories/<path:avid>",
         AdvisoryDetails.as_view(),
@@ -143,11 +148,6 @@ def __init__(self, *args, **kwargs):
         VulnerabilityPackagesDetails.as_view(),
         name="vulnerability_package_details",
     ),
-    path(
-        "advisories/<int:id>/packages",
-        AdvisoryPackagesDetails.as_view(),
-        name="advisory_package_details",
-    ),
     path(
         "api/",
         include(api_router.urls),