fix not enough general CVE Severity/Severity error fallback (OSIDB-3767)

RedHatProductSecurity · Dec 6, 2024 · 9a78e71 · 9a78e71
1 parent 8c14f75
commit 9a78e71
Show file tree

Hide file tree

Showing 3 changed files with 60 additions and 10 deletions.
diff --git a/apps/trackers/jira/query.py b/apps/trackers/jira/query.py
@@ -616,12 +616,13 @@ def generate(self):
         ]:
             try:
                 severity_method()
-            except MissingVulnerabilityIssueFieldError:
+            except (MissingSeverityError, MissingVulnerabilityIssueFieldError):
                 if severity_error:
-                    raise MissingVulnerabilityIssueFieldError(
-                        "Neither CVE Severity nor Severity field is available for Vulnerability "
-                        f"issuetype in Jira project {self.ps_module.bts_key} while at least one "
-                        "of the two fields is required."
+                    raise TrackerCreationError(
+                        "Neither CVE Severity nor Severity field is available as expected for "
+                        f"Vulnerability issuetype in Jira project {self.ps_module.bts_key} while "
+                        "at least one of the two fields is required to be available with allowed "
+                        "values containing Critical, Important, Moderate, and Low."
                     )
                 severity_error = True
 

diff --git a/apps/trackers/tests/test_jira.py b/apps/trackers/tests/test_jira.py
@@ -14,7 +14,6 @@
     ComponentUnavailableError,
     MissingEmbargoStatusError,
     MissingSecurityLevelError,
-    MissingSeverityError,
     MissingSourceError,
     MissingTargetReleaseVersionError,
     MissingVulnerabilityIssueFieldError,
@@ -1475,10 +1474,10 @@ def test_cve_severity_field(
             validate_minimum_key_value(minimum=expected, evaluated=query_builder._query)
         else:
             if missing:
-                with pytest.raises(MissingVulnerabilityIssueFieldError):
+                with pytest.raises(TrackerCreationError):
                     TrackerJiraQueryBuilder(tracker).generate()
             if wrong:
-                with pytest.raises(MissingSeverityError):
+                with pytest.raises(TrackerCreationError):
                     TrackerJiraQueryBuilder(tracker).generate()
             if flaw_impact == Impact.NOVALUE:
                 with pytest.raises(TrackerCreationError):
@@ -1594,15 +1593,61 @@ def test_severity_field(
             validate_minimum_key_value(minimum=expected, evaluated=quer_builder._query)
         else:
             if missing:
-                with pytest.raises(MissingVulnerabilityIssueFieldError):
+                with pytest.raises(TrackerCreationError):
                     TrackerJiraQueryBuilder(tracker).generate()
             if wrong:
-                with pytest.raises(MissingSeverityError):
+                with pytest.raises(TrackerCreationError):
                     TrackerJiraQueryBuilder(tracker).generate()
             if flaw_impact == Impact.NOVALUE:
                 with pytest.raises(TrackerCreationError):
                     TrackerJiraQueryBuilder(tracker).generate()
 
+    def test_severity_field_values(self):
+        """
+        properly account for an unexpected
+        value scheme of the Severity field
+
+        this test is OSIDB-3767 reproducer
+        """
+        JiraProjectFields(
+            project_key="FOOPROJECT",
+            field_id="123-severity",
+            field_name="Severity",
+            allowed_values=[
+                "Urgent",
+                "More Urgent",
+                "Super Urgent",
+                "Totally Urgent",
+            ],
+        ).save()
+
+        flaw = FlawFactory(
+            embargoed=False,
+            source="REDHAT",
+        )
+        ps_module = PsModuleFactory(
+            bts_key="FOOPROJECT",
+            bts_name="jboss",
+            private_trackers_allowed=False,
+        )
+        affect = AffectFactory(
+            flaw=flaw,
+            ps_module=ps_module.name,
+            affectedness=Affect.AffectAffectedness.AFFECTED,
+        )
+        ps_update_stream = PsUpdateStreamFactory(ps_module=ps_module)
+        tracker = TrackerFactory(
+            affects=[affect],
+            external_system_id=None,
+            type=Tracker.TrackerType.JIRA,
+            ps_update_stream=ps_update_stream.name,
+            embargoed=flaw.is_embargoed,
+        )
+
+        quer_builder = TrackerJiraQueryBuilder(tracker)
+        # do not throw exception here but fallback
+        quer_builder.generate()
+
     @pytest.mark.parametrize(
         "model_src,allowed_jira_src,expected_jira_src,other_outcome",
         [

diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## Unreleased
+### Fixed
+- Fix not enough general CVE Severity/Severity error fallback (OSIDB-3767)
+
 ## [4.6.0] - 2024-12-02
 ### Added
 - Update field `updated_dt` on queryset update (OSIDB-3573)