work

2025-11-25 08:01:23 +02:00
parent d92973d6fd
commit 6bee1fdcf5
207 changed files with 12816 additions and 2295 deletions
--- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cccs/Internal/CccsMapper.cs
+++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cccs/Internal/CccsMapper.cs
@@ -1,10 +1,12 @@
-using System;
-using System.Collections.Generic;
-using System.Linq;
-using StellaOps.Concelier.Models;
-using StellaOps.Concelier.Storage.Mongo.Documents;
-
-namespace StellaOps.Concelier.Connector.Cccs.Internal;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text.RegularExpressions;
+using StellaOps.Concelier.Models;
+using StellaOps.Concelier.Storage.Mongo.Documents;
+using StellaOps.Concelier.Normalization.SemVer;
+
+namespace StellaOps.Concelier.Connector.Cccs.Internal;

 internal static class CccsMapper
 {
@@ -108,44 +110,149 @@ internal static class CccsMapper
            .ToArray();
    }

-    private static IReadOnlyList<AffectedPackage> BuildPackages(CccsAdvisoryDto dto, DateTimeOffset recordedAt)
-    {
-        if (dto.Products.Count == 0)
-        {
-            return Array.Empty<AffectedPackage>();
-        }
-
-        var packages = new List<AffectedPackage>(dto.Products.Count);
-        foreach (var product in dto.Products)
-        {
-            if (string.IsNullOrWhiteSpace(product))
-            {
-                continue;
-            }
-
-            var identifier = product.Trim();
-            var provenance = new AdvisoryProvenance(
-                CccsConnectorPlugin.SourceName,
-                "package",
-                identifier,
-                recordedAt,
-                new[] { ProvenanceFieldMasks.AffectedPackages });
-
-            packages.Add(new AffectedPackage(
-                AffectedPackageTypes.Vendor,
-                identifier,
-                platform: null,
-                versionRanges: Array.Empty<AffectedVersionRange>(),
-                statuses: Array.Empty<AffectedPackageStatus>(),
-                provenance: new[] { provenance },
-                normalizedVersions: Array.Empty<NormalizedVersionRule>()));
-        }
-
-        return packages.Count == 0
-            ? Array.Empty<AffectedPackage>()
-            : packages
-                .DistinctBy(static package => package.Identifier, StringComparer.OrdinalIgnoreCase)
-                .OrderBy(static package => package.Identifier, StringComparer.OrdinalIgnoreCase)
-                .ToArray();
-    }
-}
+    private static IReadOnlyList<AffectedPackage> BuildPackages(CccsAdvisoryDto dto, DateTimeOffset recordedAt)
+    {
+        if (dto.Products.Count == 0)
+        {
+            return Array.Empty<AffectedPackage>();
+        }
+
+        var packages = new List<AffectedPackage>(dto.Products.Count);
+        for (var index = 0; index < dto.Products.Count; index++)
+        {
+            var product = dto.Products[index];
+            if (string.IsNullOrWhiteSpace(product))
+            {
+                continue;
+            }
+
+            var identifier = product.Trim();
+            var provenance = new AdvisoryProvenance(
+                CccsConnectorPlugin.SourceName,
+                "package",
+                identifier,
+                recordedAt,
+                new[] { ProvenanceFieldMasks.AffectedPackages });
+
+            var rangeAnchor = $"cccs:{dto.SerialNumber}:{index}";
+            var versionRanges = BuildVersionRanges(product, rangeAnchor, recordedAt);
+            var normalizedVersions = BuildNormalizedVersions(versionRanges, rangeAnchor);
+
+            packages.Add(new AffectedPackage(
+                AffectedPackageTypes.Vendor,
+                identifier,
+                platform: null,
+                versionRanges: versionRanges,
+                statuses: Array.Empty<AffectedPackageStatus>(),
+                provenance: new[] { provenance },
+                normalizedVersions: normalizedVersions));
+        }
+
+        return packages.Count == 0
+            ? Array.Empty<AffectedPackage>()
+            : packages
+                .DistinctBy(static package => package.Identifier, StringComparer.OrdinalIgnoreCase)
+                .OrderBy(static package => package.Identifier, StringComparer.OrdinalIgnoreCase)
+                .ToArray();
+    }
+
+    private static IReadOnlyList<AffectedVersionRange> BuildVersionRanges(string productText, string rangeAnchor, DateTimeOffset recordedAt)
+    {
+        var versionText = ExtractFirstVersionToken(productText);
+        if (string.IsNullOrWhiteSpace(versionText))
+        {
+            return Array.Empty<AffectedVersionRange>();
+        }
+
+        var provenance = new AdvisoryProvenance(
+            CccsConnectorPlugin.SourceName,
+            "range",
+            rangeAnchor,
+            recordedAt,
+            new[] { ProvenanceFieldMasks.VersionRanges });
+
+        var vendorExtensions = new Dictionary<string, string>
+        {
+            ["cccs.version.raw"] = versionText!,
+            ["cccs.anchor"] = rangeAnchor,
+        };
+
+        var semVerResults = SemVerRangeRuleBuilder.Build(versionText!, patchedVersion: null, provenanceNote: rangeAnchor);
+        if (semVerResults.Count > 0)
+        {
+            return semVerResults.Select(result =>
+                new AffectedVersionRange(
+                    rangeKind: NormalizedVersionSchemes.SemVer,
+                    introducedVersion: result.Primitive.Introduced,
+                    fixedVersion: result.Primitive.Fixed,
+                    lastAffectedVersion: result.Primitive.LastAffected,
+                    rangeExpression: result.Expression ?? versionText!,
+                    provenance: provenance,
+                    primitives: new RangePrimitives(
+                        result.Primitive,
+                        Nevra: null,
+                        Evr: null,
+                        VendorExtensions: vendorExtensions)))
+                .ToArray();
+        }
+
+        var primitives = new RangePrimitives(
+            new SemVerPrimitive(
+                Introduced: versionText,
+                IntroducedInclusive: true,
+                Fixed: null,
+                FixedInclusive: false,
+                LastAffected: null,
+                LastAffectedInclusive: true,
+                ConstraintExpression: null,
+                ExactValue: versionText),
+            Nevra: null,
+            Evr: null,
+            VendorExtensions: vendorExtensions);
+
+        return new[]
+        {
+            new AffectedVersionRange(
+                rangeKind: NormalizedVersionSchemes.SemVer,
+                introducedVersion: null,
+                fixedVersion: null,
+                lastAffectedVersion: null,
+                rangeExpression: versionText,
+                provenance: provenance,
+                primitives: primitives),
+        };
+    }
+
+    private static IReadOnlyList<NormalizedVersionRule> BuildNormalizedVersions(
+        IReadOnlyList<AffectedVersionRange> ranges,
+        string rangeAnchor)
+    {
+        if (ranges.Count == 0)
+        {
+            return Array.Empty<NormalizedVersionRule>();
+        }
+
+        var rules = new List<NormalizedVersionRule>(ranges.Count);
+        foreach (var range in ranges)
+        {
+            var rule = range.ToNormalizedVersionRule(rangeAnchor);
+            if (rule is not null)
+            {
+                rules.Add(rule);
+            }
+        }
+
+        return rules.Count == 0 ? Array.Empty<NormalizedVersionRule>() : rules.ToArray();
+    }
+
+    private static string? ExtractFirstVersionToken(string value)
+    {
+        if (string.IsNullOrWhiteSpace(value))
+        {
+            return null;
+        }
+
+        var match = Regex.Match(value, @"\d+(?:\.\d+){0,3}(?:[A-Za-z0-9\-_]*)?");
+        return match.Success ? match.Value : null;
+    }
+}