Merge pull request #102 from gardenlinux/workaround-release-notes

Fixes gardenlinux/glvd#160

Author: fwilhe

src/main/java/io/gardenlinux/glvd/releasenotes/ReleaseNoteGenerator.java

@@ -39,6 +39,7 @@ public ReleaseNote generate() {
         var cvesNewVersionIgnoreResolved = cvesNewVersion.stream().filter(sourcePackageCve -> !resolvedInNew.contains(sourcePackageCve.getCveId())).toList();
         var cvesNewVersionCveIds = cvesNewVersionIgnoreResolved.stream().map(SourcePackageCve::getCveId).collect(Collectors.joining());
         var diff = cvesOldVersion.stream().filter(sourcePackageCve -> !cvesNewVersionCveIds.contains(sourcePackageCve.getCveId())).toList();
+
         HashMap<String, List<String>> sourcePackageNameToCveListMapping = new HashMap<>();
         for (SourcePackageCve sourcePackageCve : diff) {
             var cveList = sourcePackageNameToCveListMapping.getOrDefault(sourcePackageCve.getSourcePackageName(), new ArrayList<>());
@@ -47,12 +48,24 @@ public ReleaseNote generate() {
         }
         List<ReleaseNotesPackage> releaseNotesPackages = new ArrayList<>();
         sourcePackageNameToCveListMapping.forEach((sourcePackage, cves) ->
-                releaseNotesPackages.add(
-                        new ReleaseNotesPackage(sourcePackage,
-                                getVersionByPackageName(sourcePackagesInOldVersion, sourcePackage),
-                                getVersionByPackageName(sourcePackagesInNewVersion, sourcePackage),
-                                cves)
-                )
+                {
+                    String oldVersion = getVersionByPackageName(sourcePackagesInOldVersion, sourcePackage);
+                    String newVersion = getVersionByPackageName(sourcePackagesInNewVersion, sourcePackage);
+                    if (oldVersion.isEmpty() || newVersion.isEmpty()) {
+                        return;
+                    }
+                    // https://github.com/gardenlinux/glvd/issues/160
+                    // If the old and new version are the same, this is probably a false positive
+                    if (oldVersion.equals(newVersion)) {
+                        return;
+                    }
+                    releaseNotesPackages.add(
+                            new ReleaseNotesPackage(sourcePackage,
+                                    oldVersion,
+                                    newVersion,
+                                    cves)
+                    );
+                }
         );
 
         return new ReleaseNote(gardenLinuxVersion.printVersion(), releaseNotesPackages);

src/test/java/io/gardenlinux/glvd/GlvdControllerTest.java

@@ -231,7 +231,7 @@ public void shouldGetCveDetailsWithContextsForKernelCveIsResolved() {
                 .body("details.kernelLtsVersion[0]", equalTo("6.6"))
                 .body("details.kernelLtsVersion[1]", equalTo("6.12"))
                 // This CVE is not fixed in any kernel, so all are vulnerable
-                .body("details.isVulnerable", is(List.of(true, true, true, true, true, true, true, true)))
+                .body("details.isVulnerable", is(List.of(true, true, true, true, true, true, true)))
                 // Is explicitly marked as "resolved"
                 .body("contexts.resolved", hasItems(true));
     }
@@ -275,6 +275,16 @@ public void shouldGenerateEmptyPatchReleaseNotesForDistWithNoSourcePackages() {
                 .body("packageList", empty());
     }
 
+    @Test
+    public void reproduceIssue153() {
+        // Reproducer for https://github.com/gardenlinux/glvd/issues/153
+        given(this.spec).accept("application/json")
+                .when().port(this.port).get("/v1/patchReleaseNotes/1443.20")
+                .then().statusCode(200)
+                .body("version", equalTo("1443.20"))
+                .body("packageList", empty());
+    }
+
     @Test
     public void shouldReportExpectedTriagesForGardenlinuxVersion() {
         given(this.spec).accept("application/json")

src/test/java/io/gardenlinux/glvd/ReleaseNoteGeneratorTest.java

@@ -204,4 +204,72 @@ public void generateReleaseNotesWithCveContextOfNonVulnerableCve() {
         assertEquals(cveOld3.getCveId(), actual.getPackageList().get(2).getFixedCves().getFirst());
     }
 
+    SourcePackageCve rubyCveOld = new SourcePackageCve(
+            "CVE-2023-28755",
+            "ruby3.1",
+            "3.1.2-8.4gl0",
+            gardenLinuxVersion.previousPatchVersion(),
+            true,
+            "",
+            "",
+            "",
+            7.5f,
+            "",
+            7.5f,
+            7.5f,
+            7.5f,
+            7.5f,
+            "",
+            "",
+            "",
+            ""
+    );
+
+    SourcePackageCve rubyCveNew = new SourcePackageCve(
+            "CVE-2023-28755",
+            "ruby3.1",
+            "3.1.2-8.4gl0",
+            gardenLinuxVersion.printVersion(),
+            true,
+            "",
+            "",
+            "",
+            7.5f,
+            "",
+            7.5f,
+            7.5f,
+            7.5f,
+            7.5f,
+            "",
+            "",
+            "",
+            ""
+    );
+
+    @Test
+    public void generateReleaseNotesWithCveListAffectingTheSamePackageVersion() {
+        final List<SourcePackageCve> cvesOldVersion = List.of(rubyCveOld);
+        final List<SourcePackageCve> cvesNewVersion = List.of(rubyCveNew);
+        final List<String> resolvedInNew = List.of();
+        final List<DebSrc> sourcePackagesInOldVersion = List.of(new DebSrc(DIST_ID_OLD, "2023-10-01", "ruby3.1", "3.1.2-8.4gl0"), new DebSrc(DIST_ID_OLD, "2023-10-01", "rubygems", "3.4.20-1"));
+        final List<DebSrc> sourcePackagesInNewVersion = List.of(new DebSrc(DIST_ID_NEW, "2023-10-01", "ruby3.1", "3.1.2-8.4gl0"), new DebSrc(DIST_ID_NEW, "2023-10-01", "rubygems", "3.4.20-1"));
+
+        var actual = new ReleaseNoteGenerator(gardenLinuxVersion, cvesOldVersion, cvesNewVersion, resolvedInNew, sourcePackagesInOldVersion, sourcePackagesInNewVersion).generate();
+
+        assertEquals(0, actual.getPackageList().size());
+    }
+
+    @Test
+    public void generateReleaseNotesWithCveListAffectingTheSamePackageVersionWhenNewCveIsTriaged() {
+        final List<SourcePackageCve> cvesOldVersion = List.of(rubyCveOld);
+        final List<SourcePackageCve> cvesNewVersion = List.of(rubyCveNew);
+        final List<String> resolvedInNew = List.of(rubyCveNew.getCveId());
+        final List<DebSrc> sourcePackagesInOldVersion = List.of(new DebSrc(DIST_ID_OLD, "2023-10-01", "ruby3.1", "3.1.2-8.4gl0"), new DebSrc(DIST_ID_OLD, "2023-10-01", "rubygems", "3.4.20-1"));
+        final List<DebSrc> sourcePackagesInNewVersion = List.of(new DebSrc(DIST_ID_NEW, "2023-10-01", "ruby3.1", "3.1.2-8.4gl0"), new DebSrc(DIST_ID_NEW, "2023-10-01", "rubygems", "3.4.20-1"));
+
+        var actual = new ReleaseNoteGenerator(gardenLinuxVersion, cvesOldVersion, cvesNewVersion, resolvedInNew, sourcePackagesInOldVersion, sourcePackagesInNewVersion).generate();
+
+        assertEquals(0, actual.getPackageList().size());
+    }
+
 }

src/test/resources/test-data/01-schema.sql

@@ -3,7 +3,7 @@
 --
 
 -- Dumped from database version 17.4 (Debian 17.4-1.pgdg120+2)
--- Dumped by pg_dump version 17.4 (Debian 17.4-1.pgdg120+2)
+-- Dumped by pg_dump version 17.5 (Debian 17.5-1)
 
 SET statement_timeout = 0;
 SET lock_timeout = 0;
@@ -640,4 +640,5 @@ ALTER TABLE ONLY public.debsrc
 
 --
 -- PostgreSQL database dump complete
---
+--
+