Create initial Vulnerability Package relationships for the advisory, including references and severity scores. Package relationships are established only for resolved (concrete) versions.
(
advisory: Advisory,
pipeline_id: str,
confidence: int = MAX_CONFIDENCE,
logger: Callable = None,
)
| 421 | |
| 422 | @transaction.atomic |
| 423 | def import_advisory( |
| 424 | advisory: Advisory, |
| 425 | pipeline_id: str, |
| 426 | confidence: int = MAX_CONFIDENCE, |
| 427 | logger: Callable = None, |
| 428 | ): |
| 429 | """ |
| 430 | Create initial Vulnerability Package relationships for the advisory, |
| 431 | including references and severity scores. |
| 432 | |
| 433 | Package relationships are established only for resolved (concrete) versions. |
| 434 | """ |
| 435 | from vulnerabilities import import_runner |
| 436 | from vulnerabilities.improvers import default |
| 437 | |
| 438 | advisory_data: AdvisoryData = advisory.to_advisory_data() |
| 439 | if logger: |
| 440 | logger(f"Importing advisory id: {advisory.id}", level=logging.DEBUG) |
| 441 | |
| 442 | affected_purls = [] |
| 443 | fixed_purls = [] |
| 444 | for affected_package in advisory_data.affected_packages: |
| 445 | package_affected_purls, package_fixed_purls = default.get_exact_purls( |
| 446 | affected_package=affected_package |
| 447 | ) |
| 448 | affected_purls.extend(package_affected_purls) |
| 449 | fixed_purls.extend(package_fixed_purls) |
| 450 | |
| 451 | aliases = get_or_create_aliases(advisory_data.aliases) |
| 452 | vulnerability = import_runner.get_or_create_vulnerability_and_aliases( |
| 453 | vulnerability_id=None, |
| 454 | aliases=aliases, |
| 455 | summary=advisory_data.summary, |
| 456 | advisory=advisory, |
| 457 | ) |
| 458 | |
| 459 | if not vulnerability: |
| 460 | if logger: |
| 461 | logger(f"Unable to get vulnerability for advisory: {advisory!r}", level=logging.ERROR) |
| 462 | return |
| 463 | |
| 464 | for ref in advisory_data.references: |
| 465 | reference = VulnerabilityReference.objects.get_or_none( |
| 466 | reference_id=ref.reference_id, |
| 467 | url=ref.url, |
| 468 | ) |
| 469 | if not reference: |
| 470 | reference = import_runner.create_valid_vulnerability_reference( |
| 471 | reference_id=ref.reference_id, |
| 472 | url=ref.url, |
| 473 | ) |
| 474 | if reference: |
| 475 | VulnerabilityRelatedReference.objects.update_or_create( |
| 476 | reference=reference, |
| 477 | vulnerability=vulnerability, |
| 478 | ) |
| 479 | for severity in ref.severities: |
| 480 | try: |