

change sql get vulnerabilities by package id (#8540)
* change sql get vulnerabilities by package id

* Adjusted logic to provide correct groupings, adjusted UTs

Co-authored-by: Drew Gillies <drewgil@microsoft.com>
lyndaidaii and drewgillies authored Apr 23, 2021
1 parent 409f844 commit a2ab1c7
Showing 2 changed files with 19 additions and 41 deletions.
31 changes: 10 additions & 21 deletions src/NuGetGallery/Services/PackageVulnerabilitiesService.cs
Expand Up @@ -3,8 +3,8 @@

using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.Data.Entity;
using System.IO;
using System.Linq;
using NuGet.Services.Entities;

Expand All @@ -21,26 +21,15 @@ public PackageVulnerabilitiesService(IEntitiesContext entitiesContext)

public IReadOnlyDictionary<int, IReadOnlyList<PackageVulnerability>> GetVulnerabilitiesById(string id)
{
var result = new Dictionary<int, List<PackageVulnerability>>();
var packagesMatchingId = _entitiesContext.Packages
.Where(p => p.PackageRegistration != null && p.PackageRegistration.Id == id)
.Include($"{nameof(Package.VulnerablePackageRanges)}.{nameof(VulnerablePackageVersionRange.Vulnerability)}");
foreach (var package in packagesMatchingId)
{
if (package.VulnerablePackageRanges == null)
{
continue;
}

if (package.VulnerablePackageRanges.Any())
{
result.Add(package.Key,
package.VulnerablePackageRanges.Select(vr => vr.Vulnerability).ToList());
}
}

return !result.Any() ? null :
result.ToDictionary(kv => kv.Key, kv => kv.Value as IReadOnlyList<PackageVulnerability>);
var packageKeyAndVulnerability = _entitiesContext.VulnerableRanges
.Include(x => x.Vulnerability)
.Where(x => x.PackageId == id)
.SelectMany(x => x.Packages.Select(p => new {PackageKey = p.Key, x.Vulnerability}))
.GroupBy(pv => pv.PackageKey, pv => pv.Vulnerability)
.ToDictionary(pv => pv.Key, pv => pv.ToList().AsReadOnly() as IReadOnlyList<PackageVulnerability>);

return !packageKeyAndVulnerability.Any() ? null
: new ReadOnlyDictionary<int, IReadOnlyList<PackageVulnerability>>(packageKeyAndVulnerability);
}

public bool IsPackageVulnerable(Package package)
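Review bot: The `.Include(x => x.Vulnerability)` at the top of the new query is most likely a no-op: if this is EF6 (inferred from the `System.Data.Entity` using), `Include` is ignored on a query that ends in a projection, and `Vulnerability` is already materialized through the anonymous type in the `SelectMany`, so the line can be dropped to `_entitiesContext.VulnerableRanges.Where(x => x.PackageId == id)` without changing the result. The method also keeps returning `null` instead of an empty dictionary when no range matches, which callers can easily miss on a nullable-agnostic interface; a doc comment would help: `/// <summary>Vulnerabilities of every package version with the given id, keyed by package key; null when no vulnerable range references the id.</summary>`. The `ToDictionary` call executes the query, so any grouping SQL EF generates for `GroupBy` runs per call; worth checking the generated SQL once against a registration with many vulnerable ranges.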
Expand Up @@ -2,7 +2,6 @@
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.

using System.Collections.Generic;
using System.Linq;
using NuGet.Services.Entities;
using NuGetGallery.Framework;
using Xunit;
Expand All @@ -22,7 +21,6 @@ public class PackageVulnerabilitiesServiceFacts : TestContainer
private Package _packageVulnerable100;
private Package _packageVulnerable110;
private Package _packageVulnerable111;
private Package _packageVulnerable112;

private Package _packageNotVulnerable;

Expand All @@ -31,16 +29,9 @@ public void GetsVulnerabilitiesOfPackage()
{
// Arrange
SetUp();
var packages = new[]
{
_packageVulnerable100,
_packageVulnerable110,
_packageVulnerable111,
_packageVulnerable112,
_packageNotVulnerable
};
var vulnerableRanges = new[] {_versionRangeModerate, _versionRangeCritical};
var context = GetFakeContext();
context.Packages.AddRange(packages);
context.VulnerableRanges.AddRange(vulnerableRanges);
var target = Get<PackageVulnerabilitiesService>();

// Act
Expand Down Expand Up @@ -96,12 +87,14 @@ private void SetUp()

_versionRangeCritical = new VulnerablePackageVersionRange
{
PackageId = "Vulnerable",
Vulnerability = _vulnerabilityCritical,
PackageVersionRange = "1.1.1",
FirstPatchedPackageVersion = "1.1.2"
};
_versionRangeModerate = new VulnerablePackageVersionRange
{
PackageId = "Vulnerable",
Vulnerability = _vulnerabilityModerate,
PackageVersionRange = "<=1.1.1",
FirstPatchedPackageVersion = "1.1.2"
Expand Down Expand Up @@ -129,7 +122,7 @@ private void SetUp()
};
_packageVulnerable111 = new Package
{
Key = 3, // simulate a different order in db - create a non-contiguous range of rows, even if the range is contiguous
Key = 2,
PackageRegistration = _registrationVulnerable,
Version = "1.1.1",
VulnerablePackageRanges = new List<VulnerablePackageVersionRange>
Expand All @@ -138,19 +131,15 @@ private void SetUp()
_versionRangeCritical
}
};
_packageVulnerable112 = new Package
{
Key = 2, // simulate a different order in db - create a non-contiguous range of rows, even if the range is contiguous
PackageRegistration = _registrationVulnerable,
Version = "1.1.2",
VulnerablePackageRanges = new List<VulnerablePackageVersionRange>()
};
_packageNotVulnerable = new Package
{
Key = 4,
Key = 3,
PackageRegistration = new PackageRegistration { Id = "NotVulnerable" },
VulnerablePackageRanges = new List<VulnerablePackageVersionRange>()
};

_versionRangeCritical.Packages = new List<Package> { _packageVulnerable111 };
_versionRangeModerate.Packages = new List<Package> { _packageVulnerable100, _packageVulnerable110, _packageVulnerable111 };
}
}
}
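Review bot: With `context.Packages.AddRange(packages)` gone from the Arrange block, the fake context only holds ranges whose `PackageId` is "Vulnerable", so the service's `PackageId == id` filter is never exercised and `_packageNotVulnerable` becomes dead setup (built in `SetUp` but attached to no range). Adding a third range for the other id and asserting that key 3 is absent from the result would cover the filter; the sketch below belongs at the end of `SetUp`, with the new range added to the `vulnerableRanges` array in the test. The comment on the removed `Key = 3` line documented a deliberate non-contiguous key order; if that ordering coverage still matters, keep the comment next to whichever key now breaks contiguity. The Act/Assert part of `GetsVulnerabilitiesOfPackage` continues outside the hunk.

```csharp
// … unchanged: existing package and range setup …
_versionRangeCritical.Packages = new List<Package> { _packageVulnerable111 };
_versionRangeModerate.Packages = new List<Package> { _packageVulnerable100, _packageVulnerable110, _packageVulnerable111 };
// Range for a different package id: exercises the PackageId filter in the service.
_versionRangeOtherId = new VulnerablePackageVersionRange
{
    PackageId = "NotVulnerable",
    Vulnerability = _vulnerabilityModerate,
    PackageVersionRange = "<=1.0.0",
    FirstPatchedPackageVersion = "1.0.1",
    Packages = new List<Package> { _packageNotVulnerable }
};
```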

