Merge branch 'main' into 1228-fixed-affected-version-matching #1228

Reference: #1228

Signed-off-by: John M. Horan johnmhoran@gmail.com

CHANGELOG.rst

@@ -2,6 +2,13 @@ Release notes
 =============
 
 
+Version v33.3.0
+----------------
+
+- We filtered out the weakness that are not presented in the 
+  cwe2.database before passing them into the vulnerability details view. 
+
+
 Version v33.2.0
 -----------------
 

README.rst

@@ -105,6 +105,7 @@ On a Debian system, use this::
     git clone https://github.com/nexB/vulnerablecode.git && cd vulnerablecode
     make dev envfile postgres
     make test
+    source venv/bin/activate
     ./manage.py import vulnerabilities.importers.nginx.NginxImporter
     ./manage.py improve --all
     make run

requirements.txt

@@ -11,16 +11,16 @@ beautifulsoup4==4.10.0
 binaryornot==0.4.4
 black==22.3.0
 boolean.py==3.8
-certifi==2022.12.7
+certifi==2023.7.22
 cffi==1.15.0
 chardet==4.0.0
 charset-normalizer==2.0.12
 click==8.1.2
-cryptography==41.0.0
+cryptography==41.0.3
 decorator==5.1.1
 defusedxml==0.7.1
 distro==1.7.0
-Django==4.1.7
+Django==4.1.10
 django-crispy-forms==1.10.0
 django-environ==0.8.1
 django-filter==21.1
@@ -71,7 +71,7 @@ pure-eval==0.2.2
 py==1.11.0
 pycodestyle==2.8.0
 pycparser==2.21
-Pygments==2.11.2
+Pygments==2.15.0
 PyNaCl==1.5.0
 pyparsing==3.0.7
 pyrsistent==0.18.1
@@ -81,7 +81,7 @@ python-dateutil==2.8.2
 python-dotenv==0.20.0
 pytz==2022.1
 PyYAML==6.0.1
-requests==2.27.1
+requests==2.31.0
 restructuredtext-lint==1.4.0
 saneyaml==0.6.0
 semantic-version==2.9.0
@@ -98,7 +98,7 @@ sphinxcontrib-htmlhelp==2.0.0
 sphinxcontrib-jsmath==1.0.1
 sphinxcontrib-qthelp==1.0.3
 sphinxcontrib-serializinghtml==1.1.5
-sqlparse==0.4.2
+sqlparse==0.4.4
 stack-data==0.2.0
 stevedore==3.5.0
 texttable==1.6.4

setup.cfg

@@ -1,6 +1,6 @@
 [metadata]
 name = vulnerablecode
-version = 33.2.0
+version = 33.3.0
 license = Apache-2.0 AND CC-BY-SA-4.0
 
 # description must be on ONE line https://github.com/pypa/setuptools/issues/1390

vulnerabilities/models.py

@@ -278,17 +278,26 @@ class Weakness(models.Model):
     vulnerabilities = models.ManyToManyField(Vulnerability, related_name="weaknesses")
     db = Database()
 
+    @property
+    def weakness(self):
+        """
+        Return a queryset of Weakness for this vulnerability.
+        """
+        try:
+            weakness = self.db.get(self.cwe_id)
+            return weakness
+        except Exception as e:
+            logger.warning(f"Could not find CWE {self.cwe_id}: {e}")
+
     @property
     def name(self):
         """Return the weakness's name."""
-        weakness = self.db.get(self.cwe_id)
-        return weakness.name
+        return self.weakness.name if self.weakness else ""
 
     @property
     def description(self):
         """Return the weakness's description."""
-        weakness = self.db.get(self.cwe_id)
-        return weakness.description
+        return self.weakness.description if self.weakness else ""
 
 
 class VulnerabilityReferenceQuerySet(BaseQuerySet):

vulnerabilities/tests/test_models.py

@@ -400,3 +400,9 @@ def test_string_to_purl_to_dict_to_package(self):
         )
         assert vulnerablecode_package.qualifiers == {}
         assert vulnerablecode_package.subpath == ""
+
+    def test_cwe_not_present_in_weaknesses_db(self):
+        w1 = models.Weakness.objects.create(name="189")
+        assert w1.weakness is None
+        assert w1.name is ""
+        assert w1.description is ""

vulnerabilities/views.py

@@ -118,6 +118,10 @@ def get_queryset(self):
 
     def get_context_data(self, **kwargs):
         context = super().get_context_data(**kwargs)
+        weaknesses = self.object.weaknesses.all()
+        weaknesses_present_in_db = [
+            weakness_object for weakness_object in weaknesses if weakness_object.weakness
+        ]
         context.update(
             {
                 "vulnerability": self.object,
@@ -127,7 +131,7 @@ def get_context_data(self, **kwargs):
                 "aliases": self.object.aliases.all(),
                 "affected_packages": self.object.affected_packages.all(),
                 "fixed_by_packages": self.object.fixed_by_packages.all(),
-                "weaknesses": self.object.weaknesses.all(),
+                "weaknesses": weaknesses_present_in_db,
             }
         )
         return context

vulnerablecode/__init__.py

@@ -12,7 +12,7 @@
 import warnings
 from pathlib import Path
 
-__version__ = "33.2.0"
+__version__ = "33.3.0"
 
 
 def command_line():