Merge branch 'main' into 597-migrate-archlinux

Merging latest 'main' into this archlinux importer branch.

Signed-off-by: John M. Horan <[email protected]>

CHANGELOG.rst

@@ -1,6 +1,13 @@
 Release notes
 =============
 
+
+Version v30.1.0
+----------------
+
+- We added a new "/packages/all" API endpoint to get all Package URLs know to be vulnerable.
+
+
 Version v30.0.0
 ----------------
 
@@ -80,7 +87,6 @@ This is a major version that is not backward compatible.
 - The data license is now CC-BY-SA-4.0 as this is the highest common
   denominator license among all the data sources we collect and aggregate. 
 
-
 Other:
 
 - We dropped calver to use a plain semver.

setup.cfg

@@ -1,6 +1,6 @@
 [metadata]
 name = vulnerablecode
-version = 30.0.0
+version = 30.1.0
 license = Apache-2.0 AND CC-BY-SA-4.0
 
 # description must be on ONE line https://github.com/pypa/setuptools/issues/1390

vulnerabilities/api.py

@@ -254,6 +254,12 @@ def bulk_search(self, request):
 
         return Response(response)
 
+    @action(detail=False, methods=["get"])
+    def all(self, request):
+        vulnerable_packages = Package.objects.vulnerable().only(*PackageURL._fields)
+        vulnerable_purls = [str(package.purl) for package in vulnerable_packages]
+        return Response(vulnerable_purls)
+
 
 class VulnerabilityFilterSet(filters.FilterSet):
     class Meta:

vulnerabilities/models.py

@@ -94,7 +94,7 @@ def vulnerable_to(self):
         """
         Return packages that are vulnerable to this vulnerability.
         """
-        return self.packages.filter(packagerelatedvulnerability__fix=False)
+        return self.packages.vulnerable()
 
     @property
     def resolved_to(self):
@@ -198,6 +198,12 @@ def for_package_url_object(self, purl):
         else:
             return self.none()
 
+    def vulnerable(self):
+        """
+        Return all vulnerable packages.
+        """
+        return Package.objects.filter(packagerelatedvulnerability__fix=False).distinct()
+
 
 class Package(PackageURLMixin):
     """

vulnerabilities/templates/navbar.html

@@ -18,6 +18,20 @@
         </div>
     </div>
     <div class="navbar-end mr-3">
+        <div class="navbar-item navbar-item is-cursor-help">
+            <div class="dropdown is-right is-hoverable ">
+                <div class="dropdown-trigger has-text-grey-light">
+                    API
+                </div>
+                    <div class="dropdown-menu navbar-hover-div" role="menu">
+                    <div class="dropdown-content">
+                        <div class="dropdown-item about-hover-div">
+                            If you want to try the JSON REST API for VulnerableCode.io, please send an email to <a href="mailto:[email protected]">[email protected]</a> with "VulnerableCode API Key" in the email title. API access is limited to a maximum of 1000 package-versions per request.
+                        </div>
+                    </div>
+                </div>
+            </div>
+        </div>
         <div class="navbar-item navbar-item is-cursor-help">
             <div class="dropdown is-right is-hoverable ">
                 <div class="dropdown-trigger has-text-grey-light">
@@ -46,7 +60,6 @@
                                     Source code and issues at <a href="https://github.com/nexB/vulnerablecode">https://github.com/nexB/vulnerablecode</a>
                                 </li>
                             </ul>
-                            If you want to try the JSON REST API, please send a note to <a href="mailto:[email protected]">[email protected]</a> to request an API key for testing.
                         </div>
                     </div>
                 </div>

vulnerabilities/tests/test_fix_api.py

@@ -12,7 +12,6 @@
 from django.contrib.auth import get_user_model
 from django.test import TestCase
 from django.test import TransactionTestCase
-from django.utils.http import int_to_base36
 from packageurl import PackageURL
 from rest_framework import status
 from rest_framework.test import APIClient
@@ -109,6 +108,7 @@ def setUp(self):
             summary="test-vuln",
         )
         self.vuln = vuln
+        self.vulnerable_packages = []
         for i in range(0, 10):
             query_kwargs = dict(
                 type="generic",
@@ -258,6 +258,29 @@ def test_api_with_single_vulnerability_and_vulnerable_package(self):
             ],
         }
 
+    def test_api_with_all_vulnerable_packages(self):
+        with self.assertNumQueries(4):
+            # There are 4 queries:
+            # 1. SAVEPOINT
+            # 2. Authenticating user
+            # 3. Get all vulnerable packages
+            # 4. RELEASE SAVEPOINT
+            response = self.csrf_client.get(f"/api/packages/all", format="json").data
+            assert len(response) == 11
+            assert response == [
+                "pkg:generic/nginx/test@0",
+                "pkg:generic/nginx/test@1",
+                "pkg:generic/nginx/test@11",
+                "pkg:generic/nginx/test@2",
+                "pkg:generic/nginx/test@3",
+                "pkg:generic/nginx/test@4",
+                "pkg:generic/nginx/test@5",
+                "pkg:generic/nginx/test@6",
+                "pkg:generic/nginx/test@7",
+                "pkg:generic/nginx/test@8",
+                "pkg:generic/nginx/test@9",
+            ]
+
 
 class CPEApi(TestCase):
     def setUp(self):

vulnerabilities/tests/test_fix_models.py

@@ -0,0 +1,66 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/nexB/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+from django.contrib.auth import get_user_model
+from django.test import TestCase
+from packageurl import PackageURL
+
+from vulnerabilities.models import Package
+from vulnerabilities.models import PackageRelatedVulnerability
+from vulnerabilities.models import Vulnerability
+
+User = get_user_model()
+
+
+class TestPackageModel(TestCase):
+    def setUp(self):
+        vuln1 = Vulnerability.objects.create(
+            summary="test-vuln",
+        )
+        vuln2 = Vulnerability.objects.create(
+            summary="test-vuln1",
+        )
+        for i in range(0, 10):
+            query_kwargs = dict(
+                type="generic",
+                namespace="nginx",
+                name="test",
+                version=str(i),
+                qualifiers={},
+                subpath="",
+            )
+            vuln_package = Package.objects.create(**query_kwargs)
+            # Attaching same package to 2 vulnerabilities
+            PackageRelatedVulnerability.objects.create(
+                package=vuln_package,
+                vulnerability=vuln1,
+                fix=False,
+            )
+            PackageRelatedVulnerability.objects.create(
+                package=vuln_package,
+                vulnerability=vuln2,
+                fix=False,
+            )
+
+    def test_get_vulnerable_packages(self):
+        vuln_packages = Package.objects.vulnerable()
+        assert vuln_packages.count() == 10
+        vuln_purls = [pkg.purl for pkg in vuln_packages.only(*PackageURL._fields)]
+        assert vuln_purls == [
+            "pkg:generic/nginx/test@0",
+            "pkg:generic/nginx/test@1",
+            "pkg:generic/nginx/test@2",
+            "pkg:generic/nginx/test@3",
+            "pkg:generic/nginx/test@4",
+            "pkg:generic/nginx/test@5",
+            "pkg:generic/nginx/test@6",
+            "pkg:generic/nginx/test@7",
+            "pkg:generic/nginx/test@8",
+            "pkg:generic/nginx/test@9",
+        ]

vulnerablecode/__init__.py

@@ -12,7 +12,7 @@
 import warnings
 from pathlib import Path
 
-__version__ = "30.0.0"
+__version__ = "30.1.0"
 
 
 def command_line():