Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Hotfix]change sql get vulnerabilities by package id #8540

Merged
merged 6 commits into from
Apr 23, 2021
Merged

[Hotfix]change sql get vulnerabilities by package id #8540

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
7819767
change sql get vulunerabilities by package id
Apr 22, 2021
25efbae
Adjusted logic to provide correct groupings, adjusted UTs
drewgillies Apr 23, 2021
f50f4cf
Addressed feedback
drewgillies Apr 23, 2021
71c5506
Added a 30 minute cache for vulnerability dictionaries
drewgillies Apr 23, 2021
706fa86
Revert "Added a 30 minute cache for vulnerability dictionaries"
drewgillies Apr 23, 2021
ae9560b
Addressed feedback
drewgillies Apr 23, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 13 additions & 17 deletions src/NuGetGallery/Services/PackageVulnerabilitiesService.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,11 @@

using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.Data.Entity;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this using required?

Copy link
Contributor

@drewgillies drewgillies Apr 23, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No. Thanks. Probably a leftover from the caching.

using NuGet.Services.Entities;

namespace NuGetGallery
Expand All @@ -21,26 +23,20 @@ public PackageVulnerabilitiesService(IEntitiesContext entitiesContext)

public IReadOnlyDictionary<int, IReadOnlyList<PackageVulnerability>> GetVulnerabilitiesById(string id)
{
var result = new Dictionary<int, List<PackageVulnerability>>();
var packagesMatchingId = _entitiesContext.Packages
.Where(p => p.PackageRegistration != null && p.PackageRegistration.Id == id)
.Include($"{nameof(Package.VulnerablePackageRanges)}.{nameof(VulnerablePackageVersionRange.Vulnerability)}");
foreach (var package in packagesMatchingId)
var packageKeyAndVulnerability = _entitiesContext.VulnerableRanges
.Include(x => x.Vulnerability)
.Where(x => x.PackageId == id)
.SelectMany(x => x.Packages.Select(p => new {PackageKey = p.Key, x.Vulnerability}));

if (!packageKeyAndVulnerability.Any())
joelverhagen marked this conversation as resolved.
Show resolved Hide resolved
{
if (package.VulnerablePackageRanges == null)
{
continue;
}

if (package.VulnerablePackageRanges.Any())
{
result.Add(package.Key,
package.VulnerablePackageRanges.Select(vr => vr.Vulnerability).ToList());
}
return null;
}

return !result.Any() ? null :
result.ToDictionary(kv => kv.Key, kv => kv.Value as IReadOnlyList<PackageVulnerability>);
var packageVulnerabilitiesDictionary = packageKeyAndVulnerability
.GroupBy(pv => pv.PackageKey, pv => pv.Vulnerability)
.ToDictionary(pv => pv.Key, pv => pv.ToList().AsReadOnly() as IReadOnlyList<PackageVulnerability>);
return new ReadOnlyDictionary<int, IReadOnlyList<PackageVulnerability>>(packageVulnerabilitiesDictionary);
}

public bool IsPackageVulnerable(Package package)
Expand Down
28 changes: 9 additions & 19 deletions tests/NuGetGallery.Facts/Services/PackageVulnerabilitiesServiceFacts.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,6 @@ public class PackageVulnerabilitiesServiceFacts : TestContainer
private Package _packageVulnerable100;
private Package _packageVulnerable110;
private Package _packageVulnerable111;
private Package _packageVulnerable112;

private Package _packageNotVulnerable;

Expand All @@ -31,16 +30,9 @@ public void GetsVulnerabilitiesOfPackage()
{
// Arrange
SetUp();
var packages = new[]
{
_packageVulnerable100,
_packageVulnerable110,
_packageVulnerable111,
_packageVulnerable112,
_packageNotVulnerable
};
var vulnerableRanges = new[] {_versionRangeModerate, _versionRangeCritical};
var context = GetFakeContext();
context.Packages.AddRange(packages);
context.VulnerableRanges.AddRange(vulnerableRanges);
var target = Get<PackageVulnerabilitiesService>();

// Act
Expand Down Expand Up @@ -96,12 +88,14 @@ private void SetUp()

_versionRangeCritical = new VulnerablePackageVersionRange
{
PackageId = "Vulnerable",
Vulnerability = _vulnerabilityCritical,
PackageVersionRange = "1.1.1",
FirstPatchedPackageVersion = "1.1.2"
};
_versionRangeModerate = new VulnerablePackageVersionRange
{
PackageId = "Vulnerable",
Vulnerability = _vulnerabilityModerate,
PackageVersionRange = "<=1.1.1",
FirstPatchedPackageVersion = "1.1.2"
Expand Down Expand Up @@ -129,7 +123,7 @@ private void SetUp()
};
_packageVulnerable111 = new Package
{
Key = 3, // simulate a different order in db - create a non-contiguous range of rows, even if the range is contiguous
Key = 2,
PackageRegistration = _registrationVulnerable,
Version = "1.1.1",
VulnerablePackageRanges = new List<VulnerablePackageVersionRange>
Expand All @@ -138,19 +132,15 @@ private void SetUp()
_versionRangeCritical
}
};
_packageVulnerable112 = new Package
{
Key = 2, // simulate a different order in db - create a non-contiguous range of rows, even if the range is contiguous
PackageRegistration = _registrationVulnerable,
Version = "1.1.2",
VulnerablePackageRanges = new List<VulnerablePackageVersionRange>()
};
_packageNotVulnerable = new Package
{
Key = 4,
Key = 3,
PackageRegistration = new PackageRegistration { Id = "NotVulnerable" },
VulnerablePackageRanges = new List<VulnerablePackageVersionRange>()
};

_versionRangeCritical.Packages = new List<Package> { _packageVulnerable111 };
_versionRangeModerate.Packages = new List<Package> { _packageVulnerable100, _packageVulnerable110, _packageVulnerable111 };
}
}
}