Propagate vulnerability info to registration blobs (#798)

NuGet · Jul 14, 2020 · c8298cd · c8298cd
1 parent a9d546e
commit c8298cd
Show file tree

Hide file tree

Showing 9 changed files with 154 additions and 1 deletion.
diff --git a/src/NuGet.Jobs.Catalog2Registration/Schema/EntityBuilder.cs b/src/NuGet.Jobs.Catalog2Registration/Schema/EntityBuilder.cs
@@ -3,6 +3,7 @@
 
 using System;
 using System.Collections.Generic;
+using System.Linq;
 using Microsoft.Extensions.Options;
 using NuGet.Protocol.Catalog;
 using NuGet.Protocol.Registration;
@@ -169,6 +170,23 @@ private void UpdateCatalogEntry(
 
             catalogEntry.Title = packageDetails.Title ?? string.Empty;
             catalogEntry.Version = parsedVersion.ToFullString();
+
+            if (hive == HiveType.SemVer2 &&
+                packageDetails.Vulnerabilities != null && 
+                packageDetails.Vulnerabilities.Count > 0)
+            {
+                catalogEntry.Vulnerabilities = packageDetails.Vulnerabilities.Select(v => 
+                    new RegistrationPackageVulnerability()
+                    {
+                        AdvisoryUrl = v.AdvisoryUrl,
+                        Severity = v.Severity
+                    }
+                ).ToList();
+            }
+            else
+            {
+                catalogEntry.Vulnerabilities = null;
+            }
         }
 
         public RegistrationLeaf NewLeaf(RegistrationLeafItem leafItem)

diff --git a/src/NuGet.Protocol.Catalog/Models/PackageDetailsCatalogLeaf.cs b/src/NuGet.Protocol.Catalog/Models/PackageDetailsCatalogLeaf.cs
@@ -93,5 +93,8 @@ public class PackageDetailsCatalogLeaf : CatalogLeaf
 
         [JsonProperty("iconFile")]
         public string IconFile { get; set; }
+
+        [JsonProperty("vulnerabilities")]
+        public List<PackageVulnerability> Vulnerabilities { get; set; }
     }
 }
diff --git a/src/NuGet.Protocol.Catalog/Models/PackageVulnerability.cs b/src/NuGet.Protocol.Catalog/Models/PackageVulnerability.cs
@@ -0,0 +1,25 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using Newtonsoft.Json;
+
+namespace NuGet.Protocol.Catalog
+{
+    public class PackageVulnerability
+    {
+        [JsonProperty("@id")]
+        public string Id { get; set; }
+
+        [JsonProperty("@type")]
+        public string Type { get; set; }
+
+        [JsonProperty("advisoryUrl")]
+        public string AdvisoryUrl { get; set; }
+
+        [JsonProperty("gitHubDatabaseKey")]
+        public string GitHubDatabaseKey { get; set; }
+
+        [JsonProperty("severity")]
+        public string Severity { get; set; }
+    }
+}
diff --git a/src/NuGet.Protocol.Catalog/NuGet.Protocol.Catalog.csproj b/src/NuGet.Protocol.Catalog/NuGet.Protocol.Catalog.csproj
@@ -86,6 +86,7 @@
     <Compile Include="Models\CatalogPageContext.cs" />
     <Compile Include="Models\CatalogPageItem.cs" />
     <Compile Include="Models\ContextTypeDescription.cs" />
+    <Compile Include="Models\PackageVulnerability.cs" />
     <Compile Include="Models\PackageDeprecation.cs" />
     <Compile Include="Models\ICatalogLeafItem.cs" />
     <Compile Include="Models\ModelExtensions.cs" />

diff --git a/src/NuGet.Services.V3/NuGet.Services.V3.csproj b/src/NuGet.Services.V3/NuGet.Services.V3.csproj
@@ -44,6 +44,7 @@
     <Compile Include="Registration\Models\RegistrationContainerContext.cs" />
     <Compile Include="Registration\Models\RegistrationLeafContext.cs" />
     <Compile Include="Registration\Models\RegistrationPackageDependencyGroup.cs" />
+    <Compile Include="Registration\Models\RegistrationPackageVulnerability.cs" />
     <Compile Include="Support\Guard.cs" />
     <Compile Include="Support\IdAndValue.cs" />
     <Compile Include="IV3TelemetryService.cs" />

diff --git a/src/NuGet.Services.V3/Registration/Models/RegistrationCatalogEntry.cs b/src/NuGet.Services.V3/Registration/Models/RegistrationCatalogEntry.cs
@@ -75,5 +75,8 @@ public class RegistrationCatalogEntry
 
         [JsonProperty("version")]
         public string Version { get; set; }
+
+        [JsonProperty("vulnerabilities")]
+        public List<RegistrationPackageVulnerability> Vulnerabilities { get; set; }
     }
 }
diff --git a/src/NuGet.Services.V3/Registration/Models/RegistrationContainerContext.cs b/src/NuGet.Services.V3/Registration/Models/RegistrationContainerContext.cs
@@ -55,5 +55,8 @@ public class RegistrationContainerContext
 
         [JsonProperty("registration")]
         public ContextTypeDescription Registration { get; set; }
+
+        [JsonProperty("vulnerabilities")]
+        public ContextTypeDescription Vulnerabilities { get; set; }
     }
 }
diff --git a/src/NuGet.Services.V3/Registration/Models/RegistrationPackageVulnerability.cs b/src/NuGet.Services.V3/Registration/Models/RegistrationPackageVulnerability.cs
@@ -0,0 +1,16 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using Newtonsoft.Json;
+
+namespace NuGet.Protocol.Registration
+{
+    public class RegistrationPackageVulnerability
+    {
+        [JsonProperty("advisoryUrl")]
+        public string AdvisoryUrl { get; set; }
+
+        [JsonProperty("severity")]
+        public string Severity { get; set; }
+    }
+}
diff --git a/tests/NuGet.Jobs.Catalog2Registration.Tests/Schema/EntityBuilderFacts.cs b/tests/NuGet.Jobs.Catalog2Registration.Tests/Schema/EntityBuilderFacts.cs
@@ -129,7 +129,7 @@ public void ExcludesDeprecationInformationForNonSemVer2Hives(HiveType hive, bool
             }
 
             [Fact]
-            public void PopulatesProperties()
+            public void PopulatesDeprecationProperties()
             {
                 Hive = HiveType.SemVer2;
                 var leaf = V3Data.Leaf;
@@ -221,6 +221,89 @@ public void PopulatesProperties()
 }",
                     json);
             }
+
+            [Fact]
+            public void PopulatesVulnerabilityProperties()
+            {
+                Hive = HiveType.SemVer2;
+                var leaf = V3Data.Leaf;
+                leaf.Vulnerabilities = new List<PackageVulnerability>() {
+                    new PackageVulnerability
+                    {
+                        Id = "https://example/v3/catalog0/data/2020.07.06.06.49.47/bar.1.0.0.json#vulnerability/GitHub/999",
+                        Type = "Vulnerability",
+                        GitHubDatabaseKey = "999",
+                        AdvisoryUrl = "https://nvd.nist.gov/vuln/detail/CVE-1234-56789",
+                        Severity = "3"
+                    }
+                };
+
+                Target.UpdateLeafItem(LeafItem, Hive, Id, leaf);
+
+                var json = JsonConvert.SerializeObject(LeafItem, SerializerSettings);
+                Assert.Equal(
+                @"{
+  ""@id"": ""https://example/reg-gz-semver2/windowsazure.storage/7.1.2-alpha.json"",
+  ""@type"": ""Package"",
+  ""commitTimeStamp"": ""0001-01-01T00:00:00+00:00"",
+  ""catalogEntry"": {
+    ""@type"": ""PackageDetails"",
+    ""authors"": ""Microsoft"",
+    ""dependencyGroups"": [
+      {
+        ""dependencies"": [
+          {
+            ""id"": ""Microsoft.Data.OData"",
+            ""range"": ""[5.6.4, )"",
+            ""registration"": ""https://example/reg-gz-semver2/microsoft.data.odata/index.json""
+          },
+          {
+            ""id"": ""Newtonsoft.Json"",
+            ""range"": ""[6.0.8, )"",
+            ""registration"": ""https://example/reg-gz-semver2/newtonsoft.json/index.json""
+          }
+        ],
+        ""targetFramework"": "".NETFramework4.0-Client""
+      }
+    ],
+    ""description"": ""Description."",
+    ""iconUrl"": ""https://example/fc/windowsazure.storage/7.1.2-alpha/icon"",
+    ""id"": ""WindowsAzure.Storage"",
+    ""language"": ""en-US"",
+    ""licenseExpression"": """",
+    ""licenseUrl"": ""http://go.microsoft.com/fwlink/?LinkId=331471"",
+    ""listed"": true,
+    ""minClientVersion"": ""2.12"",
+    ""packageContent"": ""https://example/fc/windowsazure.storage/7.1.2-alpha/windowsazure.storage.7.1.2-alpha.nupkg"",
+    ""projectUrl"": ""https://github.com/Azure/azure-storage-net"",
+    ""published"": ""2017-01-03T00:00:00+00:00"",
+    ""requireLicenseAcceptance"": true,
+    ""summary"": ""Summary."",
+    ""tags"": [
+      ""Microsoft"",
+      ""Azure"",
+      ""Storage"",
+      ""Table"",
+      ""Blob"",
+      ""File"",
+      ""Queue"",
+      ""Scalable"",
+      ""windowsazureofficial""
+    ],
+    ""title"": ""Windows Azure Storage"",
+    ""version"": ""7.1.2-alpha+git"",
+    ""vulnerabilities"": [
+      {
+        ""advisoryUrl"": ""https://nvd.nist.gov/vuln/detail/CVE-1234-56789"",
+        ""severity"": ""3""
+      }
+    ]
+  },
+  ""packageContent"": ""https://example/fc/windowsazure.storage/7.1.2-alpha/windowsazure.storage.7.1.2-alpha.nupkg"",
+  ""registration"": ""https://example/reg-gz-semver2/windowsazure.storage/index.json""
+}",
+                json);
+            }
         }
 
         public class NewLeaf : Facts