fix(ubuntu): improve parsing severity from priority

Improve the error handling when setting the vulnerability severity from the patch priority. Signed-off-by: Weston Steimel <[email protected]>
anchore · Dec 11, 2023 · 2225134 · 2225134
1 parent 63f56f1
commit 2225134
Show file tree

Hide file tree

Showing 2 changed files with 74 additions and 2 deletions.
diff --git a/src/vunnel/providers/ubuntu/parser.py b/src/vunnel/providers/ubuntu/parser.py
@@ -460,6 +460,13 @@ def map_namespace(release_name: str) -> str | None:
     return None
 
 
+def parse_severity_from_priority(cve: CVEFile) -> Severity:
+    severity = cve.priority.capitalize()
+    if severity in {"Untriaged"}:
+        return Severity.Unknown
+    return getattr(Severity, severity)
+
+
 def map_parsed(parsed_cve: CVEFile, logger: logging.Logger | None = None):  # noqa: C901, PLR0912
     """
     Maps a parsed CVE dict into a Vulnerability object.
@@ -493,10 +500,16 @@ def map_parsed(parsed_cve: CVEFile, logger: logging.Logger | None = None):  # no
                 continue
 
             r = Vulnerability()
+
             try:
-                r.Severity = getattr(Severity, parsed_cve.priority.capitalize())
+                r.Severity = parse_severity_from_priority(parsed_cve)
+            except AttributeError:
+                logger.warning(
+                    f"setting unknown severity on {parsed_cve.name} due to unsupported priority value {parsed_cve.priority}",
+                )
+                r.Severity = Severity.Unknown
             except Exception:
-                logger.exception("setting unknown severity due to exception getting severity")
+                logger.exception(f"setting unknown severity on {parsed_cve.name} due to exception parsing severity from priority")
                 r.Severity = Severity.Unknown
 
             r.Name = parsed_cve.name

diff --git a/tests/unit/providers/ubuntu/test_ubuntu.py b/tests/unit/providers/ubuntu/test_ubuntu.py
@@ -21,8 +21,10 @@
     parse_cve_file,
     parse_list,
     parse_multiline_keyvalue,
+    parse_severity_from_priority,
     parse_simple_keyvalue,
     patch_states,
+    Severity,
     ubuntu_version_names,
 )
 
@@ -393,6 +395,63 @@ def test_reprocess_merged_cve(self, tmpdir):
         result = udp._reprocess_merged_cve(cve_id, cvs_file)
         assert result.patches == data.patches + [Patch(**p) for p in new_distro_patches]
 
+    @pytest.mark.parametrize(
+        ("cve", "expected_severity"),
+        [
+            (
+                CVEFile(name="unset"),
+                Severity.Unknown,
+            ),
+            (
+                CVEFile(name="unknown", priority="unknown"),
+                Severity.Unknown,
+            ),
+            (
+                CVEFile(name="untriaged", priority="untriaged"),
+                Severity.Unknown,
+            ),
+            (
+                CVEFile(name="negligible", priority="negligible"),
+                Severity.Negligible,
+            ),
+            (
+                CVEFile(name="low", priority="low"),
+                Severity.Low,
+            ),
+            (
+                CVEFile(name="medium", priority="medium"),
+                Severity.Medium,
+            ),
+            (
+                CVEFile(name="high", priority="high"),
+                Severity.High,
+            ),
+            (
+                CVEFile(name="critical", priority="critical"),
+                Severity.Critical,
+            ),
+        ],
+    )
+    def test_parse_severity_from_priority(self, cve: CVEFile, expected_severity: Severity):
+        assert parse_severity_from_priority(cve) == expected_severity
+
+    @pytest.mark.parametrize(
+        ("cve", "error_type"),
+        [
+            (
+                CVEFile(name="unset", priority="something-else"),
+                AttributeError,
+            ),
+            (
+                None,
+                Exception,
+            ),
+        ],
+    )
+    def test_parse_severity_from_priority(self, cve: CVEFile, error_type: Exception):
+        with pytest.raises(error_type):
+            parse_severity_from_priority(cve)
+
 
 @pytest.fixture()
 def hydrate_git_repo(tmpdir, helpers):