up

2025-10-12 20:37:18 +03:00
parent 016c5a3fe7
commit d3a98326d1
306 changed files with 21409 additions and 4449 deletions
--- a/tools/FixtureUpdater/Program.cs
+++ b/tools/FixtureUpdater/Program.cs
@@ -9,6 +9,7 @@ using StellaOps.Feedser.Source.Common;
 using StellaOps.Feedser.Source.Ghsa.Internal;
 using StellaOps.Feedser.Source.Osv.Internal;
 using StellaOps.Feedser.Source.Osv;
+using StellaOps.Feedser.Source.Nvd;
 using StellaOps.Feedser.Storage.Mongo.Documents;
 using StellaOps.Feedser.Storage.Mongo.Dtos;

@@ -19,11 +20,14 @@ var serializerOptions = new JsonSerializerOptions(JsonSerializerDefaults.Web)

 var projectRoot = Path.GetFullPath(Path.Combine(AppContext.BaseDirectory, "..", "..", "..", "..", ".."));

-var fixturesPath = Path.Combine(projectRoot, "src", "StellaOps.Feedser.Source.Osv.Tests", "Fixtures");
+var osvFixturesPath = Path.Combine(projectRoot, "src", "StellaOps.Feedser.Source.Osv.Tests", "Fixtures");
+var ghsaFixturesPath = Path.Combine(projectRoot, "src", "StellaOps.Feedser.Source.Ghsa.Tests", "Fixtures");
+var nvdFixturesPath = Path.Combine(projectRoot, "src", "StellaOps.Feedser.Source.Nvd.Tests", "Nvd", "Fixtures");

-RewriteOsvFixtures(fixturesPath);
-RewriteSnapshotFixtures(fixturesPath);
-RewriteGhsaFixtures(fixturesPath);
+RewriteOsvFixtures(osvFixturesPath);
+RewriteSnapshotFixtures(osvFixturesPath);
+RewriteGhsaFixtures(osvFixturesPath);
+RewriteCreditParityFixtures(ghsaFixturesPath, nvdFixturesPath);
 return;

 void RewriteOsvFixtures(string fixturesPath)
@@ -229,3 +233,146 @@ void RewriteGhsaFixtures(string fixturesPath)
        Console.WriteLine($"[FixtureUpdater] Updated {Path.Combine(fixturesPath, "osv-ghsa.ghsa.json")}");
    }
 }
+
+void RewriteCreditParityFixtures(string ghsaFixturesPath, string nvdFixturesPath)
+{
+    Directory.CreateDirectory(ghsaFixturesPath);
+    Directory.CreateDirectory(nvdFixturesPath);
+
+    var advisoryKeyGhsa = "GHSA-credit-parity";
+    var advisoryKeyNvd = "CVE-2025-5555";
+    var recordedAt = new DateTimeOffset(2025, 10, 10, 15, 0, 0, TimeSpan.Zero);
+    var published = new DateTimeOffset(2025, 10, 9, 18, 30, 0, TimeSpan.Zero);
+    var modified = new DateTimeOffset(2025, 10, 10, 12, 0, 0, TimeSpan.Zero);
+
+    AdvisoryCredit[] CreateCredits(string source) =>
+    [
+        CreateCredit("Alice Researcher", "reporter", new[] { "mailto:alice.researcher@example.com" }, source),
+        CreateCredit("Bob Maintainer", "remediation_developer", new[] { "https://github.com/acme/bob-maintainer" }, source)
+    ];
+
+    AdvisoryCredit CreateCredit(string displayName, string role, IReadOnlyList<string> contacts, string source)
+    {
+        var provenance = new AdvisoryProvenance(
+            source,
+            "credit",
+            $"{source}:{displayName.ToLowerInvariant().Replace(' ', '-')}",
+            recordedAt,
+            new[] { ProvenanceFieldMasks.Credits });
+
+        return new AdvisoryCredit(displayName, role, contacts, provenance);
+    }
+
+    AdvisoryReference[] CreateReferences(string sourceName, params (string Url, string Kind)[] entries)
+    {
+        if (entries is null || entries.Length == 0)
+        {
+            return Array.Empty<AdvisoryReference>();
+        }
+
+        var references = new List<AdvisoryReference>(entries.Length);
+        foreach (var entry in entries)
+        {
+            var provenance = new AdvisoryProvenance(
+                sourceName,
+                "reference",
+                entry.Url,
+                recordedAt,
+                new[] { ProvenanceFieldMasks.References });
+
+            references.Add(new AdvisoryReference(
+                entry.Url,
+                entry.Kind,
+                sourceTag: null,
+                summary: null,
+                provenance));
+        }
+
+        return references.ToArray();
+    }
+
+    Advisory CreateAdvisory(
+        string sourceName,
+        string advisoryKey,
+        IEnumerable<string> aliases,
+        AdvisoryCredit[] credits,
+        AdvisoryReference[] references,
+        string documentValue)
+    {
+        var documentProvenance = new AdvisoryProvenance(
+            sourceName,
+            "document",
+            documentValue,
+            recordedAt,
+            new[] { ProvenanceFieldMasks.Advisory });
+        var mappingProvenance = new AdvisoryProvenance(
+            sourceName,
+            "mapping",
+            advisoryKey,
+            recordedAt,
+            new[] { ProvenanceFieldMasks.Advisory });
+
+        return new Advisory(
+            advisoryKey,
+            "Credit parity regression fixture",
+            "Credit parity regression fixture",
+            "en",
+            published,
+            modified,
+            "moderate",
+            exploitKnown: false,
+            aliases,
+            credits,
+            references,
+            Array.Empty<AffectedPackage>(),
+            Array.Empty<CvssMetric>(),
+            new[] { documentProvenance, mappingProvenance });
+    }
+
+    var ghsa = CreateAdvisory(
+        "ghsa",
+        advisoryKeyGhsa,
+        new[] { advisoryKeyGhsa, advisoryKeyNvd },
+        CreateCredits("ghsa"),
+        CreateReferences(
+            "ghsa",
+            ( $"https://github.com/advisories/{advisoryKeyGhsa}", "advisory"),
+            ( "https://example.com/ghsa/patch", "patch")),
+        $"security/advisories/{advisoryKeyGhsa}");
+
+    var osv = CreateAdvisory(
+        OsvConnectorPlugin.SourceName,
+        advisoryKeyGhsa,
+        new[] { advisoryKeyGhsa, advisoryKeyNvd },
+        CreateCredits(OsvConnectorPlugin.SourceName),
+        CreateReferences(
+            OsvConnectorPlugin.SourceName,
+            ( $"https://github.com/advisories/{advisoryKeyGhsa}", "advisory"),
+            ( $"https://osv.dev/vulnerability/{advisoryKeyGhsa}", "advisory")),
+        $"https://osv.dev/vulnerability/{advisoryKeyGhsa}");
+
+    var nvd = CreateAdvisory(
+        NvdConnectorPlugin.SourceName,
+        advisoryKeyNvd,
+        new[] { advisoryKeyNvd, advisoryKeyGhsa },
+        CreateCredits(NvdConnectorPlugin.SourceName),
+        CreateReferences(
+            NvdConnectorPlugin.SourceName,
+            ( $"https://services.nvd.nist.gov/vuln/detail/{advisoryKeyNvd}", "advisory"),
+            ( "https://example.com/nvd/reference", "report")),
+        $"https://services.nvd.nist.gov/vuln/detail/{advisoryKeyNvd}");
+
+    var ghsaSnapshot = SnapshotSerializer.ToSnapshot(ghsa);
+    var osvSnapshot = SnapshotSerializer.ToSnapshot(osv);
+    var nvdSnapshot = SnapshotSerializer.ToSnapshot(nvd);
+
+    File.WriteAllText(Path.Combine(ghsaFixturesPath, "credit-parity.ghsa.json"), ghsaSnapshot);
+    File.WriteAllText(Path.Combine(ghsaFixturesPath, "credit-parity.osv.json"), osvSnapshot);
+    File.WriteAllText(Path.Combine(ghsaFixturesPath, "credit-parity.nvd.json"), nvdSnapshot);
+
+    File.WriteAllText(Path.Combine(nvdFixturesPath, "credit-parity.ghsa.json"), ghsaSnapshot);
+    File.WriteAllText(Path.Combine(nvdFixturesPath, "credit-parity.osv.json"), osvSnapshot);
+    File.WriteAllText(Path.Combine(nvdFixturesPath, "credit-parity.nvd.json"), nvdSnapshot);
+
+    Console.WriteLine($"[FixtureUpdater] Updated credit parity fixtures under {ghsaFixturesPath} and {nvdFixturesPath}");
+}