From 9a78e719da4d2ac27dbb4a176a6ee70f235fe8c2 Mon Sep 17 00:00:00 2001
From: osoukup
Date: Fri, 6 Dec 2024 10:33:31 +0100
Subject: [PATCH] fix not enough general CVE Severity/Severity error fallback (OSIDB-3767)
---
 apps/trackers/jira/query.py | 11 ++++---
 apps/trackers/tests/test_jira.py | 55 +++++++++++++++++++++++++++++---
 docs/CHANGELOG.md | 4 +++
 3 files changed, 60 insertions(+), 10 deletions(-)
diff --git a/apps/trackers/jira/query.py b/apps/trackers/jira/query.py
index d4514d943..190f7f705 100644
--- a/apps/trackers/jira/query.py
+++ b/apps/trackers/jira/query.py
@@ -616,12 +616,13 @@ def generate(self):
 ]:
 try:
 severity_method()
- except MissingVulnerabilityIssueFieldError:
+ except (MissingSeverityError, MissingVulnerabilityIssueFieldError):
 if severity_error:
- raise MissingVulnerabilityIssueFieldError(
- "Neither CVE Severity nor Severity field is available for Vulnerability "
- f"issuetype in Jira project {self.ps_module.bts_key} while at least one "
- "of the two fields is required."
+ raise TrackerCreationError(
+ "Neither CVE Severity nor Severity field is available as expected for "
+ f"Vulnerability issuetype in Jira project {self.ps_module.bts_key} while "
+ "at least one of the two fields is required to be available with allowed "
+ "values containing Critical, Important, Moderate, and Low."
 )
 severity_error = True
diff --git a/apps/trackers/tests/test_jira.py b/apps/trackers/tests/test_jira.py
index 423042aa6..e6c129950 100644
--- a/apps/trackers/tests/test_jira.py
+++ b/apps/trackers/tests/test_jira.py
@@ -14,7 +14,6 @@
 ComponentUnavailableError,
 MissingEmbargoStatusError,
 MissingSecurityLevelError,
- MissingSeverityError,
 MissingSourceError,
 MissingTargetReleaseVersionError,
 MissingVulnerabilityIssueFieldError,
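Review bot: The widened `except (MissingSeverityError, MissingVulnerabilityIssueFieldError):` discards the caught exception, so the `TrackerCreationError` raised in the `if severity_error:` branch carries no trace of which field was missing or which allowed values were unexpected; binding it as `except (MissingSeverityError, MissingVulnerabilityIssueFieldError) as exc:` and raising with `raise TrackerCreationError(...) from exc` keeps the underlying cause in the traceback without changing the error type callers see. The first failure is still swallowed silently before `severity_error = True`, so if the module has a logger a warning there would make an unexpected Jira field scheme visible before the second lookup also fails. The new message states that the allowed values must contain Critical, Important, Moderate and Low, which this hunk cannot confirm, so it is worth checking against what the severity methods actually require. `generate` continues outside the hunk, and the list the loop iterates over starts above it.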
@@ -1475,10 +1474,10 @@ def test_cve_severity_field(
 validate_minimum_key_value(minimum=expected, evaluated=query_builder._query)
 else:
 if missing:
- with pytest.raises(MissingVulnerabilityIssueFieldError):
+ with pytest.raises(TrackerCreationError):
 TrackerJiraQueryBuilder(tracker).generate()
 if wrong:
- with pytest.raises(MissingSeverityError):
+ with pytest.raises(TrackerCreationError):
 TrackerJiraQueryBuilder(tracker).generate()
 if flaw_impact == Impact.NOVALUE:
 with pytest.raises(TrackerCreationError):
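Review bot: Replacing `MissingVulnerabilityIssueFieldError` and `MissingSeverityError` with `TrackerCreationError` in both `pytest.raises` calls loosens the assertion: if those two exceptions derive from `TrackerCreationError` (not visible here), the old pre-fallback behaviour would satisfy it just as well, so the test no longer proves that the fallback path in `generate` was taken. Pinning the message, e.g. `with pytest.raises(TrackerCreationError, match="Neither CVE Severity nor Severity"):`, would tie the assertion to the error the commit introduces. The same applies to the two `pytest.raises` changes in the `test_severity_field` hunk that follows. `test_cve_severity_field` starts outside the hunk.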
@@ -1594,15 +1593,61 @@ def test_severity_field(
 validate_minimum_key_value(minimum=expected, evaluated=quer_builder._query)
 else:
 if missing:
- with pytest.raises(MissingVulnerabilityIssueFieldError):
+ with pytest.raises(TrackerCreationError):
 TrackerJiraQueryBuilder(tracker).generate()
 if wrong:
- with pytest.raises(MissingSeverityError):
+ with pytest.raises(TrackerCreationError):
 TrackerJiraQueryBuilder(tracker).generate()
 if flaw_impact == Impact.NOVALUE:
 with pytest.raises(TrackerCreationError):
 TrackerJiraQueryBuilder(tracker).generate()
+ def test_severity_field_values(self):
+ """
+ properly account for an unexpected
+ value scheme of the Severity field
+
+ this test is OSIDB-3767 reproducer
+ """
+ JiraProjectFields(
+ project_key="FOOPROJECT",
+ field_id="123-severity",
+ field_name="Severity",
+ allowed_values=[
+ "Urgent",
+ "More Urgent",
+ "Super Urgent",
+ "Totally Urgent",
+ ],
+ ).save()
+
+ flaw = FlawFactory(
+ embargoed=False,
+ source="REDHAT",
+ )
+ ps_module = PsModuleFactory(
+ bts_key="FOOPROJECT",
+ bts_name="jboss",
+ private_trackers_allowed=False,
+ )
+ affect = AffectFactory(
+ flaw=flaw,
+ ps_module=ps_module.name,
+ affectedness=Affect.AffectAffectedness.AFFECTED,
+ )
+ ps_update_stream = PsUpdateStreamFactory(ps_module=ps_module)
+ tracker = TrackerFactory(
+ affects=[affect],
+ external_system_id=None,
+ type=Tracker.TrackerType.JIRA,
+ ps_update_stream=ps_update_stream.name,
+ embargoed=flaw.is_embargoed,
+ )
+
+ quer_builder = TrackerJiraQueryBuilder(tracker)
+ # do not throw exception here but fallback
+ quer_builder.generate()
+
 @pytest.mark.parametrize(
 "model_src,allowed_jira_src,expected_jira_src,other_outcome",
 [
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index eaab105fb..04ad1389e 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
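Review bot: `test_severity_field_values` only checks that `generate()` does not raise, so a regression that silently drops the severity or writes one of the unexpected values (`Urgent`, …) into the query would still pass; assert on `quer_builder._query` afterwards, as the neighbouring tests do through `validate_minimum_key_value`, stating which severity field (if any) the fallback is expected to populate. The comment `# do not throw exception here but fallback` would be more useful as `# Severity has an unexpected value scheme; generate() must fall back instead of raising`. Whether the fallback can succeed here appears to depend on a usable CVE Severity field for FOOPROJECT that this test does not create itself, so that fixture dependency is worth naming in the docstring. The enclosing test class begins outside the hunk.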
@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## Unreleased
+### Fixed
+- Fix not enough general CVE Severity/Severity error fallback (OSIDB-3767)
+
 ## [4.6.0] - 2024-12-02
 ### Added
 - Update field `updated_dt` on queryset update (OSIDB-3573)