diff --git a/tools/redhat/redhat_osv/osv.py b/tools/redhat/redhat_osv/osv.py
index 5153df1..5a6eb72 100644
--- a/tools/redhat/redhat_osv/osv.py
+++ b/tools/redhat/redhat_osv/osv.py
@@ -111,14 +111,8 @@ class Affected:
     Class to hold affected data for a Vulnerability
     """
-    remediation: InitVar[Remediation]
-    package: Package = field(init=False)
-    ranges: list[Range] = field(init=False)
-
-    def __post_init__(self, remediation: Remediation):
-        self.package = Package(remediation.component, remediation.cpe,
-                               remediation.purl)
-        self.ranges = [Range(remediation.fixed_version)]
+    package: Package
+    ranges: list[Range]
 
 
 
 # pylint: disable=too-many-instance-attributes
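Review bot: The Affected docstring still reads only "Class to hold affected data for a Vulnerability", and now that the two fields are supplied by the caller instead of being derived in `__post_init__` nothing says what they hold; a comment on each would do: `package: Package  # affected component (name, CPE, purl)` and `ranges: list[Range]  # currently one Range built from the fixed version`. With `InitVar` and `field` removed from this class, the matching `dataclasses` imports may be unused in osv.py now — that is outside the hunk, so it is only worth a quick check before pylint flags it.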
@@ -162,8 +156,31 @@ def __init__(self, csaf_data: CSAF, modified: str, published: str = ""):
         self.affected: list[Affected] = []
         for vulnerability in csaf_data.vulnerabilities:
             self.related.append(vulnerability.cve_id)
+            # Deduplicate arch specific remediations
+            unique_packages: dict[str: tuple[str: str]] = {}
             for remediation in vulnerability.remediations:
-                self.affected.append(Affected(remediation))
+                # Safety check for when we start processing non-rpm content
+                if not remediation.purl.startswith("pkg:rpm/"):
+                    package = Package(remediation.component, remediation.cpe, remediation.purl)
+                    ranges = [Range(remediation.fixed_version)]
+                    self.affected.append(Affected(package, ranges))
+                else:
+                    # Each RPM version in RHEL has a trailing '.', remove those to avoid
+                    # problems comparing the same package from different archs
+                    version_arch_split = remediation.fixed_version.rsplit(".", 1)
+                    # CPE's are URI percent encoded and '&' is a reserved character so it should
+                    # never appear in a CPE without being percent encoded.
+                    unique_packages[remediation.cpe + "&" + remediation.component] = (
+                        version_arch_split[0], remediation.purl,
+                    )
+            # Add all the RPM packages without arch suffixes
+            for package_key, version_purl in unique_packages.items():
+                package_key_parts = package_key.split("&", 1)
+                cpe = package_key_parts[0]
+                component = package_key_parts[1]
+                package = Package(component, cpe, version_purl[1])
+                ranges = [Range(version_purl[0])]
+                self.affected.append(Affected(package, ranges))
 
 
         self.references = self._convert_references(csaf_data)
diff --git a/tools/redhat/testdata/RHSA-2024_4546.json b/tools/redhat/testdata/RHSA-2024_4546.json
index 312305c..fa69c81 100644
--- a/tools/redhat/testdata/RHSA-2024_4546.json
+++ b/tools/redhat/testdata/RHSA-2024_4546.json
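Review bot: `remediation.fixed_version.rsplit(".", 1)` in the else branch drops the last dot-separated field unconditionally, so a fixed_version that ever arrives without an `.<arch>` suffix (the comment above it asserts every RHEL RPM version carries one, but nothing here verifies that) would be published with a truncated, lower fixed version — `0:2.13.3-3.el8_6` for `0:2.13.3-3.el8_6.1` — and consumers matching against the OSV record would treat still-vulnerable builds as fixed. A check that the stripped tail is a known architecture, failing loudly (or logging and keeping the version intact, whichever error policy the tool follows), guards against that; the set in the sketch below should be confirmed against what the CSAF feed actually emits. The `"&"`-joined key plus the split in the second loop can become a tuple key, which also removes the reliance on `&` never appearing in a component name, and the annotation `dict[str: tuple[str: str]]` uses slice syntax where `dict[str, tuple[str, str]]` is meant. When two remediations share CPE and component but still differ after arch stripping, the later one silently overwrites the earlier; if that can occur it deserves at least a log line. `__init__` begins and ends outside the hunk.
```python
# module level, next to the other constants: suffixes that are architectures
_RPM_ARCHES = frozenset({"x86_64", "aarch64", "ppc64le", "s390x", "i686", "noarch", "src"})

            # Deduplicate arch specific remediations
            unique_packages: dict[tuple[str, str], tuple[str, str]] = {}
            for remediation in vulnerability.remediations:
                # … unchanged: non-rpm branch …
                else:
                    # Strip the trailing ".<arch>" so one package built for several
                    # architectures collapses to a single entry; reject anything that is
                    # not an architecture rather than truncating the release field.
                    version, _, arch = remediation.fixed_version.rpartition(".")
                    if arch not in _RPM_ARCHES:
                        raise ValueError(
                            f"fixed_version without arch suffix: {remediation.fixed_version}"
                        )
                    unique_packages[(remediation.cpe, remediation.component)] = (
                        version, remediation.purl,
                    )
            # Add all the RPM packages without arch suffixes
            for (cpe, component), (version, purl) in unique_packages.items():
                self.affected.append(Affected(Package(component, cpe, purl), [Range(version)]))
```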
@@ -29,27 +29,7 @@
               "introduced": "0"
             },
             {
-              "fixed": "0:2.13.3-3.el8_6.1.src"
-            }
-          ]
-        }
-      ]
-    },
-    {
-      "package": {
-        "name": "git-lfs",
-        "ecosystem": "Red Hat:rhel_aus:8.6::appstream",
-        "purl": "pkg:rpm/redhat/git-lfs"
-      },
-      "ranges": [
-        {
-          "type": "ECOSYSTEM",
-          "events": [
-            {
-              "introduced": "0"
-            },
-            {
-              "fixed": "0:2.13.3-3.el8_6.1.x86_64"
+              "fixed": "0:2.13.3-3.el8_6.1"
             }
           ]
         }
@@ -69,7 +49,7 @@
               "introduced": "0"
             },
             {
-              "fixed": "0:2.13.3-3.el8_6.1.x86_64"
+              "fixed": "0:2.13.3-3.el8_6.1"
             }
           ]
         }
@@ -89,47 +69,7 @@
               "introduced": "0"
             },
             {
-              "fixed": "0:2.13.3-3.el8_6.1.x86_64"
-            }
-          ]
-        }
-      ]
-    },
-    {
-      "package": {
-        "name": "git-lfs",
-        "ecosystem": "Red Hat:rhel_e4s:8.6::appstream",
-        "purl": "pkg:rpm/redhat/git-lfs"
-      },
-      "ranges": [
-        {
-          "type": "ECOSYSTEM",
-          "events": [
-            {
-              "introduced": "0"
-            },
-            {
-              "fixed": "0:2.13.3-3.el8_6.1.ppc64le"
-            }
-          ]
-        }
-      ]
-    },
-    {
-      "package": {
-        "name": "git-lfs",
-        "ecosystem": "Red Hat:rhel_e4s:8.6::appstream",
-        "purl": "pkg:rpm/redhat/git-lfs"
-      },
-      "ranges": [
-        {
-          "type": "ECOSYSTEM",
-          "events": [
-            {
-              "introduced": "0"
-            },
-            {
-              "fixed": "0:2.13.3-3.el8_6.1.src"
+              "fixed": "0:2.13.3-3.el8_6.1"
             }
           ]
         }
@@ -149,7 +89,7 @@
               "introduced": "0"
             },
             {
-              "fixed": "0:2.13.3-3.el8_6.1.x86_64"
+              "fixed": "0:2.13.3-3.el8_6.1"
             }
           ]
         }
@@ -169,27 +109,7 @@
               "introduced": "0"
             },
             {
-              "fixed": "0:2.13.3-3.el8_6.1.ppc64le"
-            }
-          ]
-        }
-      ]
-    },
-    {
-      "package": {
-        "name": "git-lfs-debuginfo",
-        "ecosystem": "Red Hat:rhel_e4s:8.6::appstream",
-        "purl": "pkg:rpm/redhat/git-lfs-debuginfo"
-      },
-      "ranges": [
-        {
-          "type": "ECOSYSTEM",
-          "events": [
-            {
-              "introduced": "0"
-            },
-            {
-              "fixed": "0:2.13.3-3.el8_6.1.x86_64"
+              "fixed": "0:2.13.3-3.el8_6.1"
             }
           ]
         }
@@ -209,47 +129,7 @@
               "introduced": "0"
             },
             {
-              "fixed": "0:2.13.3-3.el8_6.1.ppc64le"
-            }
-          ]
-        }
-      ]
-    },
-    {
-      "package": {
-        "name": "git-lfs-debugsource",
-        "ecosystem": "Red Hat:rhel_e4s:8.6::appstream",
-        "purl": "pkg:rpm/redhat/git-lfs-debugsource"
-      },
-      "ranges": [
-        {
-          "type": "ECOSYSTEM",
-          "events": [
-            {
-              "introduced": "0"
-            },
-            {
-              "fixed": "0:2.13.3-3.el8_6.1.x86_64"
-            }
-          ]
-        }
-      ]
-    },
-    {
-      "package": {
-        "name": "git-lfs",
-        "ecosystem": "Red Hat:rhel_tus:8.6::appstream",
-        "purl": "pkg:rpm/redhat/git-lfs"
-      },
-      "ranges": [
-        {
-          "type": "ECOSYSTEM",
-          "events": [
-            {
-              "introduced": "0"
-            },
-            {
-              "fixed": "0:2.13.3-3.el8_6.1.src"
+              "fixed": "0:2.13.3-3.el8_6.1"
             }
           ]
         }
@@ -269,7 +149,7 @@
               "introduced": "0"
             },
             {
-              "fixed": "0:2.13.3-3.el8_6.1.x86_64"
+              "fixed": "0:2.13.3-3.el8_6.1"
             }
           ]
         }
@@ -289,7 +169,7 @@
               "introduced": "0"
             },
             {
-              "fixed": "0:2.13.3-3.el8_6.1.x86_64"
+              "fixed": "0:2.13.3-3.el8_6.1"
             }
           ]
         }
@@ -309,7 +189,7 @@
               "introduced": "0"
             },
             {
-              "fixed": "0:2.13.3-3.el8_6.1.x86_64"
+              "fixed": "0:2.13.3-3.el8_6.1"
             }
           ]
         }