From 17381949f5f7ddc585f928e1977e655a1832aeb7 Mon Sep 17 00:00:00 2001
From: Tushar Goel
Date: Fri, 15 Nov 2024 07:45:02 +0530
Subject: [PATCH 1/3] Fix API errors
Signed-off-by: Tushar Goel
---
 vulnerabilities/api.py            |   2 +-
 vulnerabilities/tests/test_api.py | 111 +++++++++++++++++++++++-------
 2 files changed, 89 insertions(+), 24 deletions(-)
diff --git a/vulnerabilities/api.py b/vulnerabilities/api.py
index c4a82b529..8cc07b82e 100644
--- a/vulnerabilities/api.py
+++ b/vulnerabilities/api.py
@@ -323,7 +323,7 @@ def get_vulnerabilities_for_a_package(self, package, fix) -> dict:
         otherwise return vulnerabilities fixed by the `package`.
         """
         fixed_packages = self.get_fixed_packages(package=package)
-        if fix:
+        if not fix:
             qs = package.affected_by_vulnerabilities.all()
         else:
             qs = package.fixing_vulnerabilities.all()
diff --git a/vulnerabilities/tests/test_api.py b/vulnerabilities/tests/test_api.py
index ac10d1b7c..5e744de83 100644
--- a/vulnerabilities/tests/test_api.py
+++ b/vulnerabilities/tests/test_api.py
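Review bot: The corrected branch in `get_vulnerabilities_for_a_package` now reads as a double negative (`if not fix:` selecting the affected-by queryset, `else` the fixing one); a positive single line keeps the flag's meaning visible at the call site, `qs = package.fixing_vulnerabilities.all() if fix else package.affected_by_vulnerabilities.all()`. Because this inversion made the API report fixing and affected-by vulnerabilities swapped, and only the end-to-end API test caught it, a direct unit test calling the method with `fix=True` and `fix=False` would pin the branch semantics independently of the serializer. `not fix` is a truthiness test, so if any caller can pass the flag as a string (a query parameter, for instance — not visible here), `not "false"` is `False`; annotating `fix: bool` and confirming callers pass a real bool would close that gap. The method body continues outside the hunk, so how `fixed_packages` and `qs` are combined cannot be checked from this view.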
@@ -570,6 +570,65 @@ def setUp(self): def test_api_with_lesser_and_greater_fixed_by_packages(self): response = self.csrf_client.get(f"/api/packages/{self.pkg_2_13_1.id}", format="json").data + # expected = { + # "url": "http://testserver/api/packages/{0}".format(self.pkg_2_13_1.id), + # "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1", + # "type": "maven", + # "namespace": "com.fasterxml.jackson.core", + # "name": "jackson-databind", + # "version": "2.13.1", + # "qualifiers": {}, + # "subpath": "", + # "is_vulnerable": True, + # "next_non_vulnerable_version": "2.14.0-rc1", + # "latest_non_vulnerable_version": "2.14.0-rc1", + # "affected_by_vulnerabilities": [ + # { + # "url": "http://testserver/api/vulnerabilities/{0}".format(self.vul3.id), + # "vulnerability_id": "VCID-vul3-vul3-vul3", + # "summary": "This is VCID-vul3-vul3-vul3", + # "references": [], + # "fixed_packages": [], + # "aliases": ["CVE-2021-46877", "GHSA-3x8x-79m2-3w2w"], + # "resource_url": "http://testserver/vulnerabilities/VCID-vul3-vul3-vul3", + # } + # ], + # "fixing_vulnerabilities": [ + # { + # "url": "http://testserver/api/vulnerabilities/{0}".format(self.vul1.id), + # "vulnerability_id": "VCID-vul1-vul1-vul1", + # "summary": "This is VCID-vul1-vul1-vul1", + # "references": [], + # "fixed_packages": [ + # { + # "url": "http://testserver/api/packages/{0}".format( + # self.pkg_2_12_6_1.id + # ), + # "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.6.1", + # "is_vulnerable": True, + # "affected_by_vulnerabilities": [ + # {"vulnerability": "VCID-vul2-vul2-vul2"} + # ], + # "resource_url": "http://testserver/packages/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.6.1", + # }, + # { + # "url": "http://testserver/api/packages/{0}".format(self.pkg_2_13_2.id), + # "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.2", + # "is_vulnerable": True, + # "affected_by_vulnerabilities": [ + # {"vulnerability": "VCID-vul2-vul2-vul2"} + # ], + 
# "resource_url": "http://testserver/packages/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.2", + # }, + # ], + # "aliases": ["CVE-2020-36518", "GHSA-57j2-w4cx-62h2"], + # "resource_url": "http://testserver/vulnerabilities/VCID-vul1-vul1-vul1", + # } + # ], + # "resource_url": "http://testserver/packages/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1", + # "risk_score": None, + # } + expected = { "url": "http://testserver/api/packages/{0}".format(self.pkg_2_13_1.id), "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1", @@ -583,17 +642,6 @@ def test_api_with_lesser_and_greater_fixed_by_packages(self): "next_non_vulnerable_version": "2.14.0-rc1", "latest_non_vulnerable_version": "2.14.0-rc1", "affected_by_vulnerabilities": [ - { - "url": "http://testserver/api/vulnerabilities/{0}".format(self.vul3.id), - "vulnerability_id": "VCID-vul3-vul3-vul3", - "summary": "This is VCID-vul3-vul3-vul3", - "references": [], - "fixed_packages": [], - "aliases": ["CVE-2021-46877", "GHSA-3x8x-79m2-3w2w"], - "resource_url": "http://testserver/vulnerabilities/VCID-vul3-vul3-vul3", - } - ], - "fixing_vulnerabilities": [ { "url": "http://testserver/api/vulnerabilities/{0}".format(self.vul1.id), "vulnerability_id": "VCID-vul1-vul1-vul1", 
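Review bot: The 59 commented-out lines inserted above the live `expected = {` are dead code that ships in this commit, and the following patch in the series ("Fix API bug") deletes them again; dropping the block here or squashing the two commits leaves the `-`/`+` change to the live dict as the only record of what the response was and now is. The enclosing test method `test_api_with_lesser_and_greater_fixed_by_packages` continues past the end of the hunk.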
@@ -601,32 +649,49 @@ def test_api_with_lesser_and_greater_fixed_by_packages(self): "references": [], "fixed_packages": [ { - "url": "http://testserver/api/packages/{0}".format( - self.pkg_2_12_6_1.id - ), - "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.6.1", + "url": "http://testserver/api/packages/{0}".format(self.pkg_2_13_2.id), + "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.2", "is_vulnerable": True, "affected_by_vulnerabilities": [ {"vulnerability": "VCID-vul2-vul2-vul2"} ], - "resource_url": "http://testserver/packages/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.6.1", + "resource_url": "http://testserver/packages/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.2", + } + ], + "aliases": ["CVE-2020-36518", "GHSA-57j2-w4cx-62h2"], + "resource_url": "http://testserver/vulnerabilities/VCID-vul1-vul1-vul1", + } + ], + "fixing_vulnerabilities": [ + { + "url": "http://testserver/api/vulnerabilities/{0}".format(self.vul3.id), + "vulnerability_id": "VCID-vul3-vul3-vul3", + "summary": "This is VCID-vul3-vul3-vul3", + "references": [], + "fixed_packages": [ + { + "url": "http://testserver/api/packages/{0}".format(self.pkg_2_12_6.id), + "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.6", + "is_vulnerable": False, + "affected_by_vulnerabilities": [], + "resource_url": "http://testserver/packages/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.6", }, { - "url": "http://testserver/api/packages/{0}".format(self.pkg_2_13_2.id), - "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.2", + "url": "http://testserver/api/packages/{0}".format(self.pkg_2_13_1.id), + "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1", "is_vulnerable": True, "affected_by_vulnerabilities": [ - {"vulnerability": "VCID-vul2-vul2-vul2"} + {"vulnerability": "VCID-vul1-vul1-vul1"} ], - "resource_url": 
"http://testserver/packages/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.2", + "resource_url": "http://testserver/packages/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1", }, ], - "aliases": ["CVE-2020-36518", "GHSA-57j2-w4cx-62h2"], - "resource_url": "http://testserver/vulnerabilities/VCID-vul1-vul1-vul1", + "aliases": ["CVE-2021-46877", "GHSA-3x8x-79m2-3w2w"], + "resource_url": "http://testserver/vulnerabilities/VCID-vul3-vul3-vul3", } ], - "resource_url": "http://testserver/packages/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1", "risk_score": None, + "resource_url": "http://testserver/packages/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1", } assert response == expected From fad3f932d9e49e20354cf2d4fdb1a05228de0a9e Mon Sep 17 00:00:00 2001 From: Tushar Goel Date: Fri, 15 Nov 2024 07:46:21 +0530 Subject: [PATCH 2/3] Fix API bug Signed-off-by: Tushar Goel --- vulnerabilities/tests/test_api.py | 59 ------------------------------- 1 file changed, 59 deletions(-) diff --git a/vulnerabilities/tests/test_api.py b/vulnerabilities/tests/test_api.py index 5e744de83..d9c435528 100644 --- a/vulnerabilities/tests/test_api.py +++ b/vulnerabilities/tests/test_api.py 
@@ -570,65 +570,6 @@ def setUp(self): def test_api_with_lesser_and_greater_fixed_by_packages(self): response = self.csrf_client.get(f"/api/packages/{self.pkg_2_13_1.id}", format="json").data - # expected = { - # "url": "http://testserver/api/packages/{0}".format(self.pkg_2_13_1.id), - # "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1", - # "type": "maven", - # "namespace": "com.fasterxml.jackson.core", - # "name": "jackson-databind", - # "version": "2.13.1", - # "qualifiers": {}, - # "subpath": "", - # "is_vulnerable": True, - # "next_non_vulnerable_version": "2.14.0-rc1", - # "latest_non_vulnerable_version": "2.14.0-rc1", - # "affected_by_vulnerabilities": [ - # { - # "url": "http://testserver/api/vulnerabilities/{0}".format(self.vul3.id), - # "vulnerability_id": "VCID-vul3-vul3-vul3", - # "summary": "This is VCID-vul3-vul3-vul3", - # "references": [], - # "fixed_packages": [], - # "aliases": ["CVE-2021-46877", "GHSA-3x8x-79m2-3w2w"], - # "resource_url": "http://testserver/vulnerabilities/VCID-vul3-vul3-vul3", - # } - # ], - # "fixing_vulnerabilities": [ - # { - # "url": "http://testserver/api/vulnerabilities/{0}".format(self.vul1.id), - # "vulnerability_id": "VCID-vul1-vul1-vul1", - # "summary": "This is VCID-vul1-vul1-vul1", - # "references": [], - # "fixed_packages": [ - # { - # "url": "http://testserver/api/packages/{0}".format( - # self.pkg_2_12_6_1.id - # ), - # "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.6.1", - # "is_vulnerable": True, - # "affected_by_vulnerabilities": [ - # {"vulnerability": "VCID-vul2-vul2-vul2"} - # ], - # "resource_url": "http://testserver/packages/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.6.1", - # }, - # { - # "url": "http://testserver/api/packages/{0}".format(self.pkg_2_13_2.id), - # "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.2", - # "is_vulnerable": True, - # "affected_by_vulnerabilities": [ - # {"vulnerability": "VCID-vul2-vul2-vul2"} - # ], - 
# "resource_url": "http://testserver/packages/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.2", - # }, - # ], - # "aliases": ["CVE-2020-36518", "GHSA-57j2-w4cx-62h2"], - # "resource_url": "http://testserver/vulnerabilities/VCID-vul1-vul1-vul1", - # } - # ], - # "resource_url": "http://testserver/packages/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1", - # "risk_score": None, - # } - expected = { "url": "http://testserver/api/packages/{0}".format(self.pkg_2_13_1.id), "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1", From aeb9f58a95159746147896f0c3847f2147963dc9 Mon Sep 17 00:00:00 2001 From: Tushar Goel Date: Fri, 15 Nov 2024 07:49:04 +0530 Subject: [PATCH 3/3] Prepare for release v34.3.1 Signed-off-by: Tushar Goel --- CHANGELOG.rst | 6 ++-- setup.cfg | 2 +- ...kagechangelog_software_version_and_more.py | 31 +++++++++++++++++++ vulnerablecode/__init__.py | 2 +- 4 files changed, 37 insertions(+), 4 deletions(-) create mode 100644 vulnerabilities/migrations/0080_alter_packagechangelog_software_version_and_more.py diff --git a/CHANGELOG.rst b/CHANGELOG.rst index c4ce8e2ec..7bd7dc278 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -1,8 +1,10 @@ Release notes ============= -Version (next) ------------------------ +Version v34.3.1 +---------------- + +- HOTFIX: Fix API bug #1654 Version v34.3.0 diff --git a/setup.cfg b/setup.cfg index 6760f917c..e317a5a82 100644 --- a/setup.cfg +++ b/setup.cfg @@ -1,6 +1,6 @@ [metadata] name = vulnerablecode -version = 34.3.0 +version = 34.3.1 license = Apache-2.0 AND CC-BY-SA-4.0 # description must be on ONE line https://github.com/pypa/setuptools/issues/1390 diff --git a/vulnerabilities/migrations/0080_alter_packagechangelog_software_version_and_more.py b/vulnerabilities/migrations/0080_alter_packagechangelog_software_version_and_more.py new file mode 100644 index 000000000..f535e7fe4 --- /dev/null 
+++ b/vulnerabilities/migrations/0080_alter_packagechangelog_software_version_and_more.py @@ -0,0 +1,31 @@ +# Generated by Django 4.2.16 on 2024-11-15 02:18 + +from django.db import migrations, models + + +class Migration(migrations.Migration): + + dependencies = [ + ("vulnerabilities", "0079_alter_packagechangelog_software_version_and_more"), + ] + + operations = [ + migrations.AlterField( + model_name="packagechangelog", + name="software_version", + field=models.CharField( + default="34.3.1", + help_text="Version of the software at the time of change", + max_length=100, + ), + ), + migrations.AlterField( + model_name="vulnerabilitychangelog", + name="software_version", + field=models.CharField( + default="34.3.1", + help_text="Version of the software at the time of change", + max_length=100, + ), + ), + ] diff --git a/vulnerablecode/__init__.py b/vulnerablecode/__init__.py index 8e76d4ba0..56e782dad 100644 --- a/vulnerablecode/__init__.py +++ b/vulnerablecode/__init__.py @@ -12,7 +12,7 @@ import warnings from pathlib import Path -__version__ = "34.3.0" +__version__ = "34.3.1" def command_line():