Skip to content

Commit

Permalink
fix not enough general CVE Severity/Severity error fallback (#851)
Browse files Browse the repository at this point in the history
Closes OSIDB-3767
  • Loading branch information
osoukup authored Dec 6, 2024
2 parents 8c14f75 + 9a78e71 commit 18e773f
Show file tree
Hide file tree
Showing 3 changed files with 60 additions and 10 deletions.
11 changes: 6 additions & 5 deletions apps/trackers/jira/query.py
Original file line number Diff line number Diff line change
Expand Up @@ -616,12 +616,13 @@ def generate(self):
]:
try:
severity_method()
except MissingVulnerabilityIssueFieldError:
except (MissingSeverityError, MissingVulnerabilityIssueFieldError):
if severity_error:
raise MissingVulnerabilityIssueFieldError(
"Neither CVE Severity nor Severity field is available for Vulnerability "
f"issuetype in Jira project {self.ps_module.bts_key} while at least one "
"of the two fields is required."
raise TrackerCreationError(
"Neither CVE Severity nor Severity field is available as expected for "
f"Vulnerability issuetype in Jira project {self.ps_module.bts_key} while "
"at least one of the two fields is required to be available with allowed "
"values containing Critical, Important, Moderate, and Low."
)
severity_error = True

Expand Down
55 changes: 50 additions & 5 deletions apps/trackers/tests/test_jira.py
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,6 @@
ComponentUnavailableError,
MissingEmbargoStatusError,
MissingSecurityLevelError,
MissingSeverityError,
MissingSourceError,
MissingTargetReleaseVersionError,
MissingVulnerabilityIssueFieldError,
Expand Down Expand Up @@ -1475,10 +1474,10 @@ def test_cve_severity_field(
validate_minimum_key_value(minimum=expected, evaluated=query_builder._query)
else:
if missing:
with pytest.raises(MissingVulnerabilityIssueFieldError):
with pytest.raises(TrackerCreationError):
TrackerJiraQueryBuilder(tracker).generate()
if wrong:
with pytest.raises(MissingSeverityError):
with pytest.raises(TrackerCreationError):
TrackerJiraQueryBuilder(tracker).generate()
if flaw_impact == Impact.NOVALUE:
with pytest.raises(TrackerCreationError):
Expand Down Expand Up @@ -1594,15 +1593,61 @@ def test_severity_field(
validate_minimum_key_value(minimum=expected, evaluated=quer_builder._query)
else:
if missing:
with pytest.raises(MissingVulnerabilityIssueFieldError):
with pytest.raises(TrackerCreationError):
TrackerJiraQueryBuilder(tracker).generate()
if wrong:
with pytest.raises(MissingSeverityError):
with pytest.raises(TrackerCreationError):
TrackerJiraQueryBuilder(tracker).generate()
if flaw_impact == Impact.NOVALUE:
with pytest.raises(TrackerCreationError):
TrackerJiraQueryBuilder(tracker).generate()

def test_severity_field_values(self):
"""
properly account for an unexpected
value scheme of the Severity field
this test is OSIDB-3767 reproducer
"""
JiraProjectFields(
project_key="FOOPROJECT",
field_id="123-severity",
field_name="Severity",
allowed_values=[
"Urgent",
"More Urgent",
"Super Urgent",
"Totally Urgent",
],
).save()

flaw = FlawFactory(
embargoed=False,
source="REDHAT",
)
ps_module = PsModuleFactory(
bts_key="FOOPROJECT",
bts_name="jboss",
private_trackers_allowed=False,
)
affect = AffectFactory(
flaw=flaw,
ps_module=ps_module.name,
affectedness=Affect.AffectAffectedness.AFFECTED,
)
ps_update_stream = PsUpdateStreamFactory(ps_module=ps_module)
tracker = TrackerFactory(
affects=[affect],
external_system_id=None,
type=Tracker.TrackerType.JIRA,
ps_update_stream=ps_update_stream.name,
embargoed=flaw.is_embargoed,
)

quer_builder = TrackerJiraQueryBuilder(tracker)
# do not throw exception here but fallback
quer_builder.generate()

@pytest.mark.parametrize(
"model_src,allowed_jira_src,expected_jira_src,other_outcome",
[
Expand Down
4 changes: 4 additions & 0 deletions docs/CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## Unreleased
### Fixed
- Fix not enough general CVE Severity/Severity error fallback (OSIDB-3767)

## [4.6.0] - 2024-12-02
### Added
- Update field `updated_dt` on queryset update (OSIDB-3573)
Expand Down

0 comments on commit 18e773f

Please sign in to comment.