From 2225134ce851859985bc782a2791d0297414fe4d Mon Sep 17 00:00:00 2001
From: Weston Steimel
Date: Mon, 11 Dec 2023 17:53:42 +0000
Subject: [PATCH] fix(ubuntu): improve parsing severity from priority
Improve the error handling when setting the vulnerability severity from the patch priority.
Signed-off-by: Weston Steimel
---
src/vunnel/providers/ubuntu/parser.py | 17 ++++++-
tests/unit/providers/ubuntu/test_ubuntu.py | 59 ++++++++++++++++++++++
2 files changed, 74 insertions(+), 2 deletions(-)
diff --git a/src/vunnel/providers/ubuntu/parser.py b/src/vunnel/providers/ubuntu/parser.py
index 0f1c28a9..a41783ff 100644
--- a/src/vunnel/providers/ubuntu/parser.py
+++ b/src/vunnel/providers/ubuntu/parser.py
@@ -460,6 +460,13 @@ def map_namespace(release_name: str) -> str | None:
return None
+def parse_severity_from_priority(cve: CVEFile) -> Severity:
+ severity = cve.priority.capitalize()
+ if severity in {"Untriaged"}:
+ return Severity.Unknown
+ return getattr(Severity, severity)
+
+
def map_parsed(parsed_cve: CVEFile, logger: logging.Logger | None = None): # noqa: C901, PLR0912
"""
Maps a parsed CVE dict into a Vulnerability object.
@@ -493,10 +500,16 @@ def map_parsed(parsed_cve: CVEFile, logger: logging.Logger | None = None): # no
continue
r = Vulnerability()
+
try:
- r.Severity = getattr(Severity, parsed_cve.priority.capitalize())
+ r.Severity = parse_severity_from_priority(parsed_cve)
+ except AttributeError:
+ logger.warning(
+ f"setting unknown severity on {parsed_cve.name} due to unsupported priority value {parsed_cve.priority}",
+ )
+ r.Severity = Severity.Unknown
except Exception:
- logger.exception("setting unknown severity due to exception getting severity")
+ logger.exception(f"setting unknown severity on {parsed_cve.name} due to exception parsing severity from priority")
r.Severity = Severity.Unknown
r.Name = parsed_cve.name
diff --git a/tests/unit/providers/ubuntu/test_ubuntu.py b/tests/unit/providers/ubuntu/test_ubuntu.py
index 6fe23dd2..f3e78a4f 100644
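Review bot: `getattr(Severity, severity)` in parse_severity_from_priority resolves any attribute of the enum class (members and dunder attributes alike), so a priority string that is not a member name is rejected only because no attribute of that name happens to exist; a member lookup such as `Severity[severity]` (raising KeyError) states the intent directly, with the `except AttributeError` in the second hunk changed to match. The function also lacks a docstring; something like `"""Map a CVE file's Ubuntu priority onto a Severity member; untriaged maps to Unknown, any other unrecognised value raises."""` would document the contract the new tests rely on. The `{"Untriaged"}` single-element set reads like a placeholder for more values; `== "Untriaged"` is simpler unless more are expected. If `CVEFile.priority` can be `None`, the AttributeError raised by `.capitalize()` is indistinguishable from an unsupported value in the caller's warning; the test case `CVEFile(name="unset")` suggests a string default, but that is not visible here.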
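Review bot: The new `except AttributeError:` branch calls `logger.warning(...)` although map_parsed declares `logger: logging.Logger | None = None`; unless a default logger is assigned earlier in the function (outside this hunk), a `None` logger would raise inside the handler and escape instead of falling back to Severity.Unknown, and the pre-existing `logger.exception` call has the same exposure. Both messages are built with f-strings; the logging convention is lazy arguments, e.g. `logger.warning("setting unknown severity on %s due to unsupported priority value %s", parsed_cve.name, parsed_cve.priority)`, so the feed-supplied priority string is only formatted when the record is emitted. map_parsed begins and ends outside this hunk.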
--- a/tests/unit/providers/ubuntu/test_ubuntu.py
+++ b/tests/unit/providers/ubuntu/test_ubuntu.py
@@ -21,8 +21,10 @@
parse_cve_file,
parse_list,
parse_multiline_keyvalue,
+ parse_severity_from_priority,
parse_simple_keyvalue,
patch_states,
+ Severity,
ubuntu_version_names,
)
@@ -393,6 +395,63 @@ def test_reprocess_merged_cve(self, tmpdir):
result = udp._reprocess_merged_cve(cve_id, cvs_file)
assert result.patches == data.patches + [Patch(**p) for p in new_distro_patches]
+ @pytest.mark.parametrize(
+ ("cve", "expected_severity"),
+ [
+ (
+ CVEFile(name="unset"),
+ Severity.Unknown,
+ ),
+ (
+ CVEFile(name="unknown", priority="unknown"),
+ Severity.Unknown,
+ ),
+ (
+ CVEFile(name="untriaged", priority="untriaged"),
+ Severity.Unknown,
+ ),
+ (
+ CVEFile(name="negligible", priority="negligible"),
+ Severity.Negligible,
+ ),
+ (
+ CVEFile(name="low", priority="low"),
+ Severity.Low,
+ ),
+ (
+ CVEFile(name="medium", priority="medium"),
+ Severity.Medium,
+ ),
+ (
+ CVEFile(name="high", priority="high"),
+ Severity.High,
+ ),
+ (
+ CVEFile(name="critical", priority="critical"),
+ Severity.Critical,
+ ),
+ ],
+ )
+ def test_parse_severity_from_priority(self, cve: CVEFile, expected_severity: Severity):
+ assert parse_severity_from_priority(cve) == expected_severity
+
+ @pytest.mark.parametrize(
+ ("cve", "error_type"),
+ [
+ (
+ CVEFile(name="unset", priority="something-else"),
+ AttributeError,
+ ),
+ (
+ None,
+ Exception,
+ ),
+ ],
+ )
+ def test_parse_severity_from_priority(self, cve: CVEFile, error_type: Exception):
+ with pytest.raises(error_type):
+ parse_severity_from_priority(cve)
+
@pytest.fixture()
def hydrate_git_repo(tmpdir, helpers):
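Review bot: The second `def test_parse_severity_from_priority` rebinds the same name in the class body, so the first parametrized test (the unset/unknown/untriaged/negligible/low/medium/high/critical cases) is replaced before pytest collects it and never runs; give the error-path test its own name, e.g. `def test_parse_severity_from_priority_raises(self, cve: CVEFile | None, error_type: type[Exception]):`. That signature also corrects the annotations: `error_type` receives exception classes rather than instances, and `cve` is `None` in one case. The `None` case expecting bare `Exception` passes on any failure at all; asserting `AttributeError` (what attribute access on `None` raises) would pin the behaviour. The enclosing test class starts outside the hunk.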