Merge pull request #1482 from metacpan/haarg/cve-by-cve-id

haarg · web-flow · commit b87ebbd86200 · 2026-05-18T17:25:33.000+02:00
index and fetch CVEs by CVE ID
diff --git a/es/cve/mapping.json b/es/cve/mapping.json
@@ -4,6 +4,9 @@
         "affected_versions": {
             "type": "text"
         },
+        "cve_id": {
+            "type": "keyword"
+        },
         "cpansa_id": {
             "type": "keyword"
         },
diff --git a/lib/MetaCPAN/Query/CVE.pm b/lib/MetaCPAN/Query/CVE.pm
@@ -22,6 +22,45 @@ sub find_cves_by_cpansa {
     return +{ cve => [ map { $_->{_source} } @{ $res->{hits}{hits} } ] };
 }
 
+sub find_cves_by_cpansa_or_cve_id {
+    my ( $self, $id ) = @_;
+
+    my $query = +{
+        bool => {
+            should => [
+                { term => { cve_id    => $id } },
+                { term => { cpansa_id => $id } },
+            ],
+        },
+    };
+
+    my $res = $self->es->search(
+        es_doc_path('cve'),
+        body => {
+            query => $query,
+            size  => 999,
+        },
+    );
+
+    return +{ cve => [ map { $_->{_source} } @{ $res->{hits}{hits} } ] };
+}
+
+sub find_cves_by_cve_id {
+    my ( $self, $cve_id ) = @_;
+
+    my $query = +{ term => { cve_id => $cve_id } };
+
+    my $res = $self->es->search(
+        es_doc_path('cve'),
+        body => {
+            query => $query,
+            size  => 999,
+        }
+    );
+
+    return +{ cve => [ map { $_->{_source} } @{ $res->{hits}{hits} } ] };
+}
+
 sub find_cves_by_release {
     my ( $self, $author, $release ) = @_;
 
diff --git a/lib/MetaCPAN/Script/CVE.pm b/lib/MetaCPAN/Script/CVE.pm
@@ -20,13 +20,6 @@ has cve_url => (
     default => 'https://butterfly.cpansec.org/feed/cpansa.json',
 );
 
-has cve_dev_url => (
-    is      => 'ro',
-    isa     => Uri,
-    coerce  => 1,
-    default => 'https://butterfly.cpansec.org/feed/cpansa.json',
-);
-
 has test => (
     is            => 'ro',
     isa           => Bool,
@@ -73,8 +66,10 @@ sub index_cve_data {
 
     for my $dist ( sort keys %{$data} ) {
         for my $cpansa ( @{ $data->{$dist} } ) {
-            if ( !$cpansa->{cpansa_id} ) {
-                log_warn { sprintf( "Dist '%s' missing cpansa_id", $dist ) };
+            if ( !$cpansa->{cpansa_id} && !$cpansa->{cve_id} ) {
+                log_warn {
+                    sprintf( "Dist '%s' missing cpansa_id and cve_id", $dist )
+                };
                 next;
             }
 
@@ -195,6 +190,7 @@ sub index_cve_data {
 
             my $doc_data = {
                 distribution      => $dist,
+                cve_id            => $cpansa->{cve_id},
                 cpansa_id         => $cpansa->{cpansa_id},
                 affected_versions => $cpansa->{affected_versions},
                 cves              => $cpansa->{cves},
@@ -210,8 +206,15 @@ sub index_cve_data {
                 delete $doc_data->{$k} unless exists $valid_keys{$k};
             }
 
+            if ( $cpansa->{cve_id} && $cpansa->{cpansa_id} ) {
+
+                # if both exist, ensure an older record using cpansa_id as the
+                # id is removed.
+                $bulk->delete( { id => $cpansa->{cpansa_id} } );
+            }
+
             $bulk->update( {
-                id            => $cpansa->{cpansa_id},
+                id            => $cpansa->{cve_id} // $cpansa->{cpansa_id},
                 doc           => $doc_data,
                 doc_as_upsert => true,
             } );
@@ -226,7 +229,7 @@ sub retrieve_cve_data {
 
     return decode_json( path( $self->json_file )->slurp ) if $self->json_file;
 
-    my $url = $self->test ? $self->cve_dev_url : $self->cve_url;
+    my $url = $self->cve_url;
 
     log_info { 'Fetching data from ', $url };
     my $resp = $self->ua->get($url);
diff --git a/lib/MetaCPAN/Server/Controller/CVE.pm b/lib/MetaCPAN/Server/Controller/CVE.pm
@@ -12,7 +12,8 @@ with 'MetaCPAN::Server::Role::JSONP';
 sub get : Path('') : Args(1) {
     my ( $self, $c, $cpansa_id ) = @_;
     $c->stash_or_detach(
-        $c->model('ESQuery')->cve->find_cves_by_cpansa($cpansa_id) );
+        $c->model('ESQuery')->cve->find_cves_by_cpansa_or_cve_id($cpansa_id)
+    );
 }
 
 sub release : Path('release') : Args(2) {
diff --git a/t/00_setup.t b/t/00_setup.t
@@ -43,6 +43,7 @@ $server->index_cover;
 $server->index_river;
 $server->index_bus_factor;
 $server->index_tickets;
+$server->index_cves;
 
 $server->prepare_user_test_data;
 
diff --git a/t/lib/MetaCPAN/TestServer.pm b/t/lib/MetaCPAN/TestServer.pm
@@ -7,6 +7,7 @@ use MetaCPAN::Script::Author         ();
 use MetaCPAN::Script::BusFactor      ();
 use MetaCPAN::Script::Cover          ();
 use MetaCPAN::Script::CPANTestersAPI ();
+use MetaCPAN::Script::CVE            ();
 use MetaCPAN::Script::Favorite       ();
 use MetaCPAN::Script::First          ();
 use MetaCPAN::Script::Latest         ();
@@ -270,6 +271,19 @@ sub index_bus_factor {
     );
 }
 
+sub index_cves {
+    my $self = shift;
+
+    local @ARGV = (
+        'cve',
+        '--cve_url',
+        URI->new( 'file://' . testdata_dir()->child('cves.json') )->as_string,
+    );
+
+    ok( MetaCPAN::Script::CVE->new_with_options( %{ $self->_config } )->run,
+        'index cves', );
+}
+
 sub prepare_user_test_data {
     my $self = shift;
     ok(
diff --git a/test-data/cves.json b/test-data/cves.json
@@ -0,0 +1,57 @@
+{
+    "Multiple-Releases": [
+        {
+            "affected_versions": [
+                "<=1.1"
+            ],
+            "cpansa_id": "CPANSA-Multiple-Releases-2025-54321",
+            "cve": {},
+            "cves": [],
+            "description": "Description of 54321",
+            "distribution": "Multiple-Releases",
+            "references": [
+                "https://metacpan.org/"
+            ],
+            "reported": "2025-01-01",
+            "severity": "medium",
+            "title": "Title of 54321"
+        },
+        {
+            "affected_versions": [
+                ">=1.2,<=1.5"
+            ],
+            "cpansa_id": "CPANSA-Multiple-Releases-2025-54322",
+            "cve": {},
+            "cve_id": "CVE-2025-54322",
+            "cves": [
+                "CVE-2025-54322"
+            ],
+            "description": "Description of 54322",
+            "distribution": "Multiple-Releases",
+            "references": [
+                "https://metacpan.org/"
+            ],
+            "reported": "2025-01-02",
+            "severity": "medium",
+            "title": "Title of 54322"
+        },
+        {
+            "affected_versions": [
+                ">=1.7"
+            ],
+            "cve": {},
+            "cve_id": "CVE-2025-54323",
+            "cves": [
+                "CVE-2025-54323"
+            ],
+            "description": "Description of 54323",
+            "distribution": "Multiple-Releases",
+            "references": [
+                "https://metacpan.org/"
+            ],
+            "reported": "2025-01-03",
+            "severity": "medium",
+            "title": "Title of 54323"
+        }
+    ]
+}

Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,8 @@ with 'MetaCPAN::Server::Role::JSONP';`
`12`	`12`	`sub get : Path('') : Args(1) {`
`13`	`13`	`my ( $self, $c, $cpansa_id ) = @_;`
`14`	`14`	`$c->stash_or_detach(`
`15`		`- $c->model('ESQuery')->cve->find_cves_by_cpansa($cpansa_id) );`
	`15`	`+ $c->model('ESQuery')->cve->find_cves_by_cpansa_or_cve_id($cpansa_id)`
	`16`	`+ );`
`16`	`17`	`}`
`17`	`18`
`18`	`19`	`sub release : Path('release') : Args(2) {`