diff --git a/components/collector/src/source_collectors/trivy/security_warnings.py b/components/collector/src/source_collectors/trivy/security_warnings.py
index d5d0764d18..fd5c4683ca 100644
--- a/components/collector/src/source_collectors/trivy/security_warnings.py
+++ b/components/collector/src/source_collectors/trivy/security_warnings.py
@@ -80,7 +80,7 @@ def _parse_json(self, json: JSON, filename: str) -> Entities:
 level=vulnerability["Severity"],
 package_name=package_name,
 installed_version=vulnerability["InstalledVersion"],
- fixed_version=vulnerability["FixedVersion"],
+ fixed_version=vulnerability.get("FixedVersion", ""),
 url=vulnerability["References"][0], # Assume the 1st link is at least as relevant as the others
 ),
 )
diff --git a/components/collector/tests/source_collectors/trivy/test_security_warnings.py b/components/collector/tests/source_collectors/trivy/test_security_warnings.py
index dbcaf6a417..2633cd09c2 100644
--- a/components/collector/tests/source_collectors/trivy/test_security_warnings.py
+++ b/components/collector/tests/source_collectors/trivy/test_security_warnings.py
@@ -45,6 +45,15 @@ def vulnerabilities_json(self, schema_version: int = 1):
 "https://lists.apache.org/thread.html",
 ],
 },
+ {
+ "VulnerabilityID": "CVE-2024-5432",
+ "PkgName": "python",
+ "InstalledVersion": "3.13.1",
+ "Title": "Vulnerability without fixed version",
+ "Description": "This vulnerability has no fixed version field.",
+ "Severity": "LOW",
+ "References": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5432"],
+ },
 ],
 },
 ]
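Review bot: `url=vulnerability["References"][0]` on the line right after the fixed one still assumes a present and non-empty `References` list, so a finding without references (or with an empty list) raises KeyError/IndexError — the same failure class this commit fixes for `FixedVersion`. Whether Trivy emits such findings cannot be confirmed from this hunk, but the collector should tolerate it the same way: `references = vulnerability.get("References") or []` before the entity is built, then `url=references[0] if references else "",  # Assume the 1st link is at least as relevant as the others`. A test fixture entry without `References`, mirroring the one this commit adds for the missing `FixedVersion`, would pin that behaviour. `_parse_json` starts and ends outside this hunk.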
@@ -77,6 +86,17 @@ def expected_entities(self):
 "fixed_version": "",
 "url": "https://curl.haxx.se/docs/CVE-2019-3822.html",
 },
+ {
+ "key": "CVE-2024-5432@python@trivy-ci-test (alpine 3_7_1)",
+ "vulnerability_id": "CVE-2024-5432",
+ "title": "Vulnerability without fixed version",
+ "description": "This vulnerability has no fixed version field.",
+ "level": "LOW",
+ "package_name": "python",
+ "installed_version": "3.13.1",
+ "fixed_version": "",
+ "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5432",
+ },
 ]
 
 async def test_warnings(self):
@@ -84,7 +104,7 @@ async def test_warnings(self):
 for schema_version in self.SCHEMA_VERSIONS:
 with self.subTest(schema_version=schema_version):
 response = await self.collect(get_request_json_return_value=self.vulnerabilities_json(schema_version))
- self.assert_measurement(response, value="2", entities=self.expected_entities())
+ self.assert_measurement(response, value="3", entities=self.expected_entities())
 
 async def test_warning_levels(self):
 """Test the number of security warnings when specifying a level."""
@@ -108,4 +128,4 @@ async def test_fix_not_available(self):
 for schema_version in self.SCHEMA_VERSIONS:
 with self.subTest(schema_version=schema_version):
 response = await self.collect(get_request_json_return_value=self.vulnerabilities_json(schema_version))
- self.assert_measurement(response, value="1", entities=[self.expected_entities()[1]])
+ self.assert_measurement(response, value="2", entities=self.expected_entities()[1:])
diff --git a/docs/src/changelog.md b/docs/src/changelog.md
index a33eac5eae..483848ac24 100644
--- a/docs/src/changelog.md
+++ b/docs/src/changelog.md
@@ -14,6 +14,10 @@ If your currently installed *Quality-time* version is not the latest version, pl
 
 ## [Unreleased]
 
+### Fixed
+
+- Don't throw an exception when a Trivy JSON file contains vulnerabilities without fixed version information. Fixes [#10606](https://github.com/ICTU/quality-time/issues/10606).
+
 ### Added
 
 - When measuring missing metrics, make the subject type and the metric type of the missing metrics link to the reference documentation. Closes [#10528](https://github.com/ICTU/quality-time/issues/10528).