Add resource_url on the Vulnerability model #95

Signed-off-by: tdruez <tdruez@nexb.com>

component_catalog/templates/component_catalog/tables/vulnerability_list_table.html

@@ -10,10 +10,14 @@
     <tr>
       <td>
         <strong>
-          <a href="{{ vulnerablecode_url }}vulnerabilities/{{ vulnerability.vulnerability_id }}" target="_blank">
+          {% if vulnerability.resource_url %}
+            <a href="{{ vulnerability.resource_url }}" target="_blank">
+              {{ vulnerability.vulnerability_id }}
+              <i class="fa-solid fa-up-right-from-square mini"></i>
+            </a>
+          {% else %}
             {{ vulnerability.vulnerability_id }}
-            <i class="fa-solid fa-up-right-from-square mini"></i>
-          </a>
+          {% endif %}
         </strong>
       </td>
       <td>

component_catalog/templates/component_catalog/tabs/tab_vulnerabilities.html

@@ -34,10 +34,14 @@
       <tr>
         <td>
           <strong>
-            <a href="{{ values.vulnerablecode_url }}vulnerabilities/{{ vulnerability.vulnerability_id }}" target="_blank">
+            {% if vulnerability.resource_url %}
+              <a href="{{ vulnerability.resource_url }}" target="_blank">
+                {{ vulnerability.vulnerability_id }}
+                <i class="fa-solid fa-up-right-from-square mini"></i>
+              </a>
+            {% else %}
               {{ vulnerability.vulnerability_id }}
-              <i class="fa-solid fa-up-right-from-square mini"></i>
-            </a>
+            {% endif %}
           </strong>
         </td>
         <td>

component_catalog/tests/test_views.py

@@ -1239,7 +1239,7 @@ def test_package_list_multi_send_about_files_view(self):
 
     def test_package_details_view_num_queries(self):
         self.client.login(username=self.super_user.username, password="secret")
-        with self.assertNumQueries(29):
+        with self.assertNumQueries(28):
             self.client.get(self.package1.get_absolute_url())
 
     def test_package_details_view_content(self):

component_catalog/views.py

@@ -256,7 +256,6 @@ def tab_vulnerabilities(self):
         if not vulnerabilities_qs:
             return
 
-        vulnerablecode = VulnerableCode(self.object.dataspace)
         label = (
             f"Vulnerabilities"
             f' <span class="badge badge-vulnerability">{len(vulnerabilities_qs)}</span>'
@@ -270,7 +269,6 @@ def tab_vulnerabilities(self):
 
         context = {
             "vulnerabilities": vulnerabilities,
-            "vulnerablecode_url": vulnerablecode.service_url,
         }
 
         return {

product_portfolio/templates/product_portfolio/tabs/tab_vulnerabilities.html

@@ -7,10 +7,14 @@
       <tr>
         <td>
           <strong>
-            <a href="{{ vulnerablecode_url }}vulnerabilities/{{ vulnerability.vulnerability_id }}" target="_blank">
+            {% if vulnerability.resource_url %}
+              <a href="{{ vulnerability.resource_url }}" target="_blank">
+                {{ vulnerability.vulnerability_id }}
+                <i class="fa-solid fa-up-right-from-square mini"></i>
+              </a>
+            {% else %}
               {{ vulnerability.vulnerability_id }}
-              <i class="fa-solid fa-up-right-from-square mini"></i>
-            </a>
+            {% endif %}
           </strong>
         </td>
         <td>

product_portfolio/views.py

@@ -1136,7 +1136,6 @@ def get_context_data(self, **kwargs):
                 "page_obj": page_obj,
                 "total_count": total_count,
                 "search_query": self.request.GET.get("vulnerabilities-q", ""),
-                "vulnerablecode_url": VulnerableCode(product.dataspace).service_url,
             }
         )
 

vulnerabilities/migrations/0002_vulnerability_resource_url.py

@@ -0,0 +1,18 @@
+# Generated by Django 5.0.6 on 2024-09-04 11:51
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('vulnerabilities', '0001_initial'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='vulnerability',
+            name='resource_url',
+            field=models.URLField(blank=True, help_text='URL of the data source for this Vulnerability.', max_length=1024, verbose_name='Resource URL'),
+        ),
+    ]

vulnerabilities/models.py

@@ -61,6 +61,12 @@ class Vulnerability(HistoryDateFieldsMixin, DataspacedModel):
             "For example, 'VCID-2024-0001'."
         ),
     )
+    resource_url = models.URLField(
+        _("Resource URL"),
+        max_length=1024,
+        blank=True,
+        help_text=_("URL of the data source for this Vulnerability."),
+    )
     summary = models.TextField(
         help_text=_("A brief summary of the vulnerability, outlining its nature and impact."),
         blank=True,
@@ -203,10 +209,9 @@ def as_cyclonedx(self, affected_instances):
             for instance in affected_instances
         ]
 
-        source_url = f"https://public.vulnerablecode.io/vulnerabilities/{self.vulnerability_id}"
         source = cdx_vulnerability.VulnerabilitySource(
             name="VulnerableCode",
-            url=source_url,
+            url=self.resource_url,
         )
 
         references = []

vulnerabilities/tests/data/vulnerabilities/idna_3.6_as_cyclonedx.json

@@ -130,6 +130,6 @@
   ],
   "source": {
     "name": "VulnerableCode",
-    "url": "https://public.vulnerablecode.io/vulnerabilities/VCID-j3au-usaz-aaag"
+    "url": "http://public.vulnerablecode.io/vulnerabilities/VCID-j3au-usaz-aaag"
   }
 }

vulnerabilities/tests/test_models.py

@@ -149,6 +149,7 @@ def test_vulnerability_model_create_from_data(self):
                     ],
                 },
             ],
+            "resource_url": "http://public.vulnerablecode.io/vulnerabilities/VCID-q4q6-yfng-aaag",
         }
 
         vulnerability1 = Vulnerability.create_from_data(
@@ -160,6 +161,7 @@ def test_vulnerability_model_create_from_data(self):
         self.assertEqual(vulnerability_data["summary"], vulnerability1.summary)
         self.assertEqual(vulnerability_data["aliases"], vulnerability1.aliases)
         self.assertEqual(vulnerability_data["references"], vulnerability1.references)
+        self.assertEqual(vulnerability_data["resource_url"], vulnerability1.resource_url)
         self.assertEqual(7.5, vulnerability1.min_score)
         self.assertEqual(7.5, vulnerability1.max_score)
         self.assertQuerySetEqual(vulnerability1.affected_packages.all(), [package1])

vulnerabilities/tests/test_views.py

@@ -13,7 +13,6 @@
 from component_catalog.tests import make_component
 from component_catalog.tests import make_package
 from dje.models import Dataspace
-from dje.models import DataspaceConfiguration
 from dje.tests import create_superuser
 from vulnerabilities.models import Vulnerability
 from vulnerabilities.tests import make_vulnerability
@@ -27,10 +26,6 @@ def setUp(self):
             name="Dataspace",
             enable_vulnerablecodedb_access=True,
         )
-        DataspaceConfiguration.objects.create(
-            dataspace=self.dataspace,
-            vulnerablecode_url="vulnerablecode_url/",
-        )
         self.super_user = create_superuser("super_user", self.dataspace)
 
         self.component1 = make_component(self.dataspace)
@@ -43,7 +38,7 @@ def setUp(self):
 
     def test_vulnerability_list_view_num_queries(self):
         self.client.login(username=self.super_user.username, password="secret")
-        with self.assertNumQueries(8):
+        with self.assertNumQueries(7):
             response = self.client.get(reverse("vulnerabilities:vulnerability_list"))
 
         vulnerability_count = Vulnerability.objects.count()
@@ -71,11 +66,19 @@ def test_vulnerability_list_view_enable_vulnerablecodedb_access(self):
     def test_vulnerability_list_view_vulnerability_id_link(self):
         self.client.login(username=self.super_user.username, password="secret")
         response = self.client.get(reverse("vulnerabilities:vulnerability_list"))
+
+        expected = f"<strong>{self.vulnerability1.vulnerability_id}</strong>"
+        self.assertContains(response, expected, html=True)
+
+        self.vulnerability1.resource_url = (
+            f"https://url/vulnerabilities/{self.vulnerability1.vulnerability_id}"
+        )
+        self.vulnerability1.save()
         expected = f"""
-        <a href="vulnerablecode_url/vulnerabilities/{self.vulnerability1.vulnerability_id}"
-           target="_blank">
+        <a href="{self.vulnerability1.resource_url}" target="_blank">
            {self.vulnerability1.vulnerability_id}
            <i class="fa-solid fa-up-right-from-square mini"></i>
         </a>
         """
+        response = self.client.get(reverse("vulnerabilities:vulnerability_list"))
         self.assertContains(response, expected, html=True)

vulnerabilities/views.py

@@ -44,6 +44,7 @@ def get_queryset(self):
             .only(
                 "uuid",
                 "vulnerability_id",
+                "resource_url",
                 "aliases",
                 "summary",
                 "fixed_packages_count",
@@ -67,6 +68,4 @@ def get_context_data(self, **kwargs):
         if not self.dataspace.enable_vulnerablecodedb_access:
             raise Http404("VulnerableCode access is not enabled.")
 
-        vulnerablecode = VulnerableCode(self.dataspace)
-        context_data["vulnerablecode_url"] = vulnerablecode.service_url
         return context_data