chore: move debian parser from vulnerability dict to dataclass

src/vunnel/providers/debian/parser.py

@@ -12,6 +12,7 @@
 
 from vunnel.result import SQLiteReader
 from vunnel.utils import http, vulnerability
+from vunnel.utils.vulnerability import FixedIn, Vulnerability
 
 DSAFixedInTuple = namedtuple("DSAFixedInTuple", ["dsa", "link", "distro", "pkg", "ver"])
 DSACollection = namedtuple("DSACollection", ["cves", "nocves"])
@@ -269,7 +270,7 @@ def _normalize_json(self, ns_cve_dsalist=None):  # noqa: PLR0912,PLR0915,C901
         if ns_cve_dsalist is None:
             ns_cve_dsalist = {}
 
-        vuln_records = {}
+        vuln_records: dict[str, dict[str, dict[str, Vulnerability]]] = {}
 
         for pkg in data:
             for vid in data[pkg]:
@@ -310,15 +311,20 @@ def _normalize_json(self, ns_cve_dsalist=None):  # noqa: PLR0912,PLR0915,C901
                         if complete:
                             if vid not in vuln_records[relno]:
                                 # create a new record
-                                vuln_records[relno][vid] = copy.deepcopy(vulnerability.vulnerability_element)
+                                # and populate the static information about the new vuln record
+                                vuln_records[relno][vid] = {
+                                    "Vulnerability": Vulnerability(
+                                        Name=str(vid),
+                                        NamespaceName="debian:" + str(relno),
+                                        Description=vulnerability_data.get("description", ""),
+                                        Link="https://security-tracker.debian.org/tracker/" + str(vid),
+                                        Severity="Unknown",
+                                        CVSS=[],
+                                        FixedIn=[],
+                                    ),
+                                }
                                 vuln_record = vuln_records[relno][vid]
 
-                                # populate the static information about the new vuln record
-                                vuln_record["Vulnerability"]["Description"] = vulnerability_data.get("description", "")
-                                vuln_record["Vulnerability"]["Name"] = str(vid)
-                                vuln_record["Vulnerability"]["NamespaceName"] = "debian:" + str(relno)
-                                vuln_record["Vulnerability"]["Link"] = "https://security-tracker.debian.org/tracker/" + str(vid)
-                                vuln_record["Vulnerability"]["Severity"] = "Unknown"
                             else:
                                 vuln_record = vuln_records[relno][vid]
 
@@ -349,9 +355,9 @@ def _normalize_json(self, ns_cve_dsalist=None):  # noqa: PLR0912,PLR0915,C901
                             if (
                                 sev
                                 and vulnerability.severity_order[sev]
-                                > vulnerability.severity_order[vuln_record["Vulnerability"]["Severity"]]
+                                > vulnerability.severity_order[vuln_record["Vulnerability"].Severity]
                             ):
-                                vuln_record["Vulnerability"]["Severity"] = sev
+                                vuln_record["Vulnerability"].Severity = sev
 
                             # add fixedIn
                             skip_fixedin = False
@@ -375,8 +381,8 @@ def _normalize_json(self, ns_cve_dsalist=None):  # noqa: PLR0912,PLR0915,C901
 
                             if not skip_fixedin:
                                 # collect metrics for vendor advisory
-                                met_ns = vuln_record["Vulnerability"]["NamespaceName"]
-                                met_sev = vuln_record["Vulnerability"]["Severity"]
+                                met_ns = vuln_record["Vulnerability"].NamespaceName
+                                met_sev = vuln_record["Vulnerability"].Severity
 
                                 if met_ns not in adv_mets:
                                     adv_mets[met_ns] = {
@@ -422,18 +428,14 @@ def _normalize_json(self, ns_cve_dsalist=None):  # noqa: PLR0912,PLR0915,C901
                                     ] += 1
 
                                 # append fixed in record to vulnerability
-                                vuln_record["Vulnerability"]["FixedIn"].append(fixed_el)
+                                if "Module" not in fixed_el:
+                                    fixed_el["Module"] = None
+                                vuln_record["Vulnerability"].FixedIn.append(FixedIn(**fixed_el))
 
-                            # strip out any top level that is not set
-                            final_record = {"Vulnerability": {}}
-                            for k in vuln_record["Vulnerability"]:
-                                if vuln_record["Vulnerability"][k]:
-                                    final_record["Vulnerability"][k] = copy.deepcopy(vuln_record["Vulnerability"][k])
-
-                            # retlists[relno].append(final_record)
-
-                    except Exception:
-                        self.logger.exception(f"ignoring error parsing vuln: {vid}, pkg: {pkg}, rel: {rel}")
+                    except Exception as e:
+                        self.logger.exception(
+                            f"ignoring error ({e.__class__.__name__}) parsing vuln: {vid}, pkg: {pkg}, rel: {rel}",
+                        )
 
         self.logger.debug(f"metrics for advisory information: {orjson.dumps(adv_mets).decode('utf-8')}")
 
@@ -477,7 +479,9 @@ def process_result(file_path: str) -> None:
                         legacy_records[relno] = {}
 
                     records += 1
-                    legacy_records[relno][vid] = envelope.item
+                    envelope.item["Vulnerability"].setdefault("CVSS", [])
+                    envelope.item["Vulnerability"].setdefault("FixedIn", [])
+                    legacy_records[relno][vid] = {"Vulnerability": Vulnerability(**envelope.item["Vulnerability"])}
 
             self.logger.debug(f"legacy dataset {file_path} contains {len(releases)} releases with {records} records")
 
@@ -505,8 +509,11 @@ def process_file(contents: list[dict[str, Any]]) -> None:
                         del cvss_metadata["Vectors"]
                     record["Vulnerability"]["Metadata"]["NVD"]["CVSSv2"] = cvss_metadata
 
+                # default required fields for dataclass
+                record["Vulnerability"].setdefault("FixedIn", [])
+                record["Vulnerability"].setdefault("CVSS", [])
                 # write the record back
-                legacy_records[relno][vid] = record
+                legacy_records[relno][vid] = Vulnerability(**record["Vulnerability"])
 
         # read every json file in the legacy directory
         for root, _dirs, files in os.walk(self.legacy_records_path):
@@ -548,7 +555,7 @@ def get(self):
                         self.logger.info(
                             f"clearing severity on {vid}, see https://github.com/anchore/grype-db/issues/108#issuecomment-1796301073",
                         )
-                        vuln_record["Vulnerability"]["Severity"] = "Unknown"
+                        vuln_record["Vulnerability"].Severity = "Unknown"
                     yield relno, vid, vuln_record
         else:
             yield from ()

tests/unit/providers/debian/test-fixtures/snapshots/debian:10/cve-2005-3111.json

@@ -1 +1 @@
-{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"debian:10/cve-2005-3111","item":{"Vulnerability":{"Severity":"Medium","NamespaceName":"debian:10","FixedIn":[{"Name":"backupninja","NamespaceName":"debian:10","VersionFormat":"dpkg","Version":"0.8-2","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[]}}],"Link":"https://security-tracker.debian.org/tracker/CVE-2005-3111","Description":"The handler code for backupninja 0.8 and earlier creates temporary files with predictable filenames, which allows local users to modify arbitrary files via a symlink attack.","Metadata":{},"Name":"CVE-2005-3111","CVSS":[]}}}
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"debian:10/cve-2005-3111","item":{"Vulnerability":{"Name":"CVE-2005-3111","NamespaceName":"debian:10","Description":"The handler code for backupninja 0.8 and earlier creates temporary files with predictable filenames, which allows local users to modify arbitrary files via a symlink attack.","Severity":"Medium","Link":"https://security-tracker.debian.org/tracker/CVE-2005-3111","CVSS":[],"FixedIn":[{"Name":"backupninja","NamespaceName":"debian:10","VersionFormat":"dpkg","Version":"0.8-2","Module":"","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[]},"VulnerableRange":null}],"Metadata":{}}}}

tests/unit/providers/debian/test-fixtures/snapshots/debian:10/cve-2007-2383.json

@@ -1 +1 @@
-{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"debian:10/cve-2007-2383","item":{"Vulnerability":{"Severity":"Negligible","NamespaceName":"debian:10","FixedIn":[],"Link":"https://security-tracker.debian.org/tracker/CVE-2007-2383","Description":"The Prototype (prototypejs) framework before 1.5.1 RC3 exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka \"JavaScript Hijacking.\"","Metadata":{},"Name":"CVE-2007-2383","CVSS":[]}}}
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"debian:10/cve-2007-2383","item":{"Vulnerability":{"Name":"CVE-2007-2383","NamespaceName":"debian:10","Description":"The Prototype (prototypejs) framework before 1.5.1 RC3 exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka \"JavaScript Hijacking.\"","Severity":"Negligible","Link":"https://security-tracker.debian.org/tracker/CVE-2007-2383","CVSS":[],"FixedIn":[],"Metadata":{}}}}

tests/unit/providers/debian/test-fixtures/snapshots/debian:10/cve-2008-7220.json

@@ -1 +1 @@
-{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"debian:10/cve-2008-7220","item":{"Vulnerability":{"Severity":"High","NamespaceName":"debian:10","FixedIn":[{"Name":"prototypejs","NamespaceName":"debian:10","VersionFormat":"dpkg","Version":"1.6.0.2-1","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[]}}],"Link":"https://security-tracker.debian.org/tracker/CVE-2008-7220","Description":"Unspecified vulnerability in Prototype JavaScript framework (prototypejs) before 1.6.0.2 allows attackers to make \"cross-site ajax requests\" via unknown vectors.","Metadata":{},"Name":"CVE-2008-7220","CVSS":[]}}}
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"debian:10/cve-2008-7220","item":{"Vulnerability":{"Name":"CVE-2008-7220","NamespaceName":"debian:10","Description":"Unspecified vulnerability in Prototype JavaScript framework (prototypejs) before 1.6.0.2 allows attackers to make \"cross-site ajax requests\" via unknown vectors.","Severity":"High","Link":"https://security-tracker.debian.org/tracker/CVE-2008-7220","CVSS":[],"FixedIn":[{"Name":"prototypejs","NamespaceName":"debian:10","VersionFormat":"dpkg","Version":"1.6.0.2-1","Module":"","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[]},"VulnerableRange":null}],"Metadata":{}}}}

tests/unit/providers/debian/test-fixtures/snapshots/debian:10/cve-2013-1444.json

@@ -1 +1 @@
-{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"debian:10/cve-2013-1444","item":{"Vulnerability":{"Severity":"Low","NamespaceName":"debian:10","FixedIn":[{"Name":"txt2man","NamespaceName":"debian:10","VersionFormat":"dpkg","Version":"1.5.5-4.1","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[]}}],"Link":"https://security-tracker.debian.org/tracker/CVE-2013-1444","Description":"A certain Debian patch for txt2man 1.5.5, as used in txt2man 1.5.5-2, 1.5.5-4, and others, allows local users to overwrite arbitrary files via a symlink attack on /tmp/2222.","Metadata":{},"Name":"CVE-2013-1444","CVSS":[]}}}
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"debian:10/cve-2013-1444","item":{"Vulnerability":{"Name":"CVE-2013-1444","NamespaceName":"debian:10","Description":"A certain Debian patch for txt2man 1.5.5, as used in txt2man 1.5.5-2, 1.5.5-4, and others, allows local users to overwrite arbitrary files via a symlink attack on /tmp/2222.","Severity":"Low","Link":"https://security-tracker.debian.org/tracker/CVE-2013-1444","CVSS":[],"FixedIn":[{"Name":"txt2man","NamespaceName":"debian:10","VersionFormat":"dpkg","Version":"1.5.5-4.1","Module":"","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[]},"VulnerableRange":null}],"Metadata":{}}}}

tests/unit/providers/debian/test-fixtures/snapshots/debian:10/cve-2022-0456.json

@@ -1 +1 @@
-{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"debian:10/cve-2022-0456","item":{"Vulnerability":{"Severity":"Negligible","NamespaceName":"debian:10","FixedIn":[{"Name":"chromium","NamespaceName":"debian:10","VersionFormat":"dpkg","Version":"None","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[]}}],"Link":"https://security-tracker.debian.org/tracker/CVE-2022-0456","Description":"","Metadata":{},"Name":"CVE-2022-0456","CVSS":[]}}}
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"debian:10/cve-2022-0456","item":{"Vulnerability":{"Name":"CVE-2022-0456","NamespaceName":"debian:10","Description":"","Severity":"Negligible","Link":"https://security-tracker.debian.org/tracker/CVE-2022-0456","CVSS":[],"FixedIn":[{"Name":"chromium","NamespaceName":"debian:10","VersionFormat":"dpkg","Version":"None","Module":"","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[]},"VulnerableRange":null}],"Metadata":{}}}}

tests/unit/providers/debian/test-fixtures/snapshots/debian:11/cve-2022-0456.json

@@ -1 +1 @@
-{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"debian:11/cve-2022-0456","item":{"Vulnerability":{"Severity":"Unknown","NamespaceName":"debian:11","FixedIn":[{"Name":"chromium","NamespaceName":"debian:11","VersionFormat":"dpkg","Version":"98.0.4758.80-1~deb11u1","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[]}}],"Link":"https://security-tracker.debian.org/tracker/CVE-2022-0456","Description":"","Metadata":{},"Name":"CVE-2022-0456","CVSS":[]}}}
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"debian:11/cve-2022-0456","item":{"Vulnerability":{"Name":"CVE-2022-0456","NamespaceName":"debian:11","Description":"","Severity":"Unknown","Link":"https://security-tracker.debian.org/tracker/CVE-2022-0456","CVSS":[],"FixedIn":[{"Name":"chromium","NamespaceName":"debian:11","VersionFormat":"dpkg","Version":"98.0.4758.80-1~deb11u1","Module":"","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[]},"VulnerableRange":null}],"Metadata":{}}}}

tests/unit/providers/debian/test-fixtures/snapshots/debian:12/cve-2022-0456.json

@@ -1 +1 @@
-{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"debian:12/cve-2022-0456","item":{"Vulnerability":{"Severity":"Unknown","NamespaceName":"debian:12","FixedIn":[{"Name":"chromium","NamespaceName":"debian:12","VersionFormat":"dpkg","Version":"98.0.4758.80-1","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[]}}],"Link":"https://security-tracker.debian.org/tracker/CVE-2022-0456","Description":"","Metadata":{},"Name":"CVE-2022-0456","CVSS":[]}}}
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"debian:12/cve-2022-0456","item":{"Vulnerability":{"Name":"CVE-2022-0456","NamespaceName":"debian:12","Description":"","Severity":"Unknown","Link":"https://security-tracker.debian.org/tracker/CVE-2022-0456","CVSS":[],"FixedIn":[{"Name":"chromium","NamespaceName":"debian:12","VersionFormat":"dpkg","Version":"98.0.4758.80-1","Module":"","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[]},"VulnerableRange":null}],"Metadata":{}}}}

tests/unit/providers/debian/test-fixtures/snapshots/debian:8/cve-2005-3111.json

@@ -1 +1 @@
-{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"debian:8/cve-2005-3111","item":{"Vulnerability":{"Severity":"Medium","NamespaceName":"debian:8","FixedIn":[{"Name":"backupninja","NamespaceName":"debian:8","VersionFormat":"dpkg","Version":"0.8-2","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[]}}],"Link":"https://security-tracker.debian.org/tracker/CVE-2005-3111","Description":"The handler code for backupninja 0.8 and earlier creates temporary files with predictable filenames, which allows local users to modify arbitrary files via a symlink attack.","Metadata":{},"Name":"CVE-2005-3111","CVSS":[]}}}
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"debian:8/cve-2005-3111","item":{"Vulnerability":{"Name":"CVE-2005-3111","NamespaceName":"debian:8","Description":"The handler code for backupninja 0.8 and earlier creates temporary files with predictable filenames, which allows local users to modify arbitrary files via a symlink attack.","Severity":"Medium","Link":"https://security-tracker.debian.org/tracker/CVE-2005-3111","CVSS":[],"FixedIn":[{"Name":"backupninja","NamespaceName":"debian:8","VersionFormat":"dpkg","Version":"0.8-2","Module":"","VendorAdvisory":{"NoAdvisory":false,"AdvisorySummary":[]},"VulnerableRange":null}],"Metadata":{}}}}

tests/unit/providers/debian/test-fixtures/snapshots/debian:8/cve-2007-2383.json

@@ -1 +1 @@
-{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"debian:8/cve-2007-2383","item":{"Vulnerability":{"Severity":"Negligible","NamespaceName":"debian:8","FixedIn":[],"Link":"https://security-tracker.debian.org/tracker/CVE-2007-2383","Description":"The Prototype (prototypejs) framework before 1.5.1 RC3 exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka \"JavaScript Hijacking.\"","Metadata":{},"Name":"CVE-2007-2383","CVSS":[]}}}
+{"schema":"https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json","identifier":"debian:8/cve-2007-2383","item":{"Vulnerability":{"Name":"CVE-2007-2383","NamespaceName":"debian:8","Description":"The Prototype (prototypejs) framework before 1.5.1 RC3 exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka \"JavaScript Hijacking.\"","Severity":"Negligible","Link":"https://security-tracker.debian.org/tracker/CVE-2007-2383","CVSS":[],"FixedIn":[],"Metadata":{}}}}