trustification · ctron · Oct 7, 2024 · JimFuller-RedHat · Oct 7, 2024 · ctron
diff --git a/modules/ingestor/src/service/advisory/osv/loader.rs b/modules/ingestor/src/service/advisory/osv/loader.rs
@@ -4,6 +4,7 @@ use crate::{
             advisory_vulnerability::{Version, VersionInfo, VersionSpec},
             AdvisoryInformation, AdvisoryVulnerabilityInformation,
         },
+        purl::creator::PurlCreator,
         Graph,
     },
     model::IngestResult,
@@ -70,6 +71,8 @@ impl<'g> OsvLoader<'g> {
                 .await?;
         }
 
+        let mut purl_creator = PurlCreator::new();
+
         for cve_id in cve_ids {
             self.graph.ingest_vulnerability(&cve_id, (), &tx).await?;
 
@@ -104,97 +107,85 @@ impl<'g> OsvLoader<'g> {
             }
 
             for affected in &osv.affected {
-                if let Some(package) = &affected.package {
-                    let mut purls = vec![];
+                // we only process it when we have a package
+
+                let Some(package) = &affected.package else {
+                    continue;
+                };
 
-                    purls.extend(translate::to_purl(package).map(Purl::from));
+                // extract PURLs
+
+                let mut purls = vec![];
+                purls.extend(translate::to_purl(package).map(Purl::from));
+                if let Some(purl) = &package.purl {
+                    purls.extend(Purl::from_str(purl).ok());
+                }
 
-                    if let Some(purl) = &package.purl {
-                        purls.extend(Purl::from_str(purl).ok());
+                for purl in purls {
+                    // iterate through the known versions, apply the version, and create them
+                    for version in affected.versions.iter().flatten() {
+                        let mut purl = purl.clone();
+                        purl.version = Some(version.clone());
+                        purl_creator.add(purl);
                     }
 
-                    for purl in purls {
-                        for range in affected.ranges.iter().flatten() {
-                            let parsed_range = events_to_range(&range.events);
-                            match &parsed_range {
-                                (Some(start), None) => {
-                                    advisory_vuln
-                                        .ingest_package_status(
-                                            None,
-                                            &purl,
-                                            "affected",
-                                            VersionInfo {
-                                                // TODO detect better version scheme
-                                                scheme: "semver".to_string(),
-                                                spec: VersionSpec::Range(
-                                                    Version::Inclusive(start.clone()),
-                                                    Version::Unbounded,
-                                                ),
-                                            },
-                                            &tx,
-                                        )
-                                        .await?
-                                }
-                                (None, Some(end)) => {
-                                    advisory_vuln
-                                        .ingest_package_status(
-                                            None,
-                                            &purl,
-                                            "affected",
-                                            VersionInfo {
-                                                // TODO detect better version scheme
-                                                scheme: "semver".to_string(),
-                                                spec: VersionSpec::Range(
-                                                    Version::Unbounded,
-                                                    Version::Exclusive(end.clone()),
-                                                ),
-                                            },
-                                            &tx,
-                                        )
-                                        .await?
-                                }
-                                (Some(start), Some(end)) => {
-                                    advisory_vuln
-                                        .ingest_package_status(
-                                            None,
-                                            &purl,
-                                            "affected",
-                                            VersionInfo {
-                                                // TODO detect better version scheme
-                                                scheme: "semver".to_string(),
-                                                spec: VersionSpec::Range(
-                                                    Version::Inclusive(start.clone()),
-                                                    Version::Exclusive(end.clone()),
-                                                ),
-                                            },
-                                            &tx,
-                                        )
-                                        .await?
-                                }
-                                _ => { /* what? */ }
-                            }
-
-                            if let (_, Some(fixed)) = &parsed_range {
-                                advisory_vuln
-                                    .ingest_package_status(
-                                        None,
-                                        &purl,
-                                        "fixed",
-                                        VersionInfo {
-                                            // TODO detect better version scheme
-                                            scheme: "semver".to_string(),
-                                            spec: VersionSpec::Exact(fixed.clone()),
-                                        },
-                                        &tx,
-                                    )
-                                    .await?
-                            }
+                    for range in affected.ranges.iter().flatten() {
+                        let parsed_range = events_to_range(&range.events);
+
+                        let spec = match &parsed_range {
+                            (Some(start), None) => Some(VersionSpec::Range(
+                                Version::Inclusive(start.clone()),
+                                Version::Unbounded,
+                            )),
+                            (None, Some(end)) => Some(VersionSpec::Range(
+                                Version::Unbounded,
+                                Version::Exclusive(end.clone()),
+                            )),
+                            (Some(start), Some(end)) => Some(VersionSpec::Range(
+                                Version::Inclusive(start.clone()),
+                                Version::Exclusive(end.clone()),
+                            )),
+                            (None, None) => None,
+                        };
+
+                        if let Some(spec) = spec {
+                            advisory_vuln
+                                .ingest_package_status(
+                                    None,
+                                    &purl,
+                                    "affected",
+                                    VersionInfo {
+                                        // TODO detect better version scheme
+                                        scheme: "semver".to_string(),
+                                        spec,
+                                    },
+                                    &tx,
+                                )
+                                .await?;
+                        }
+
+                        if let (_, Some(fixed)) = &parsed_range {
+                            advisory_vuln
+                                .ingest_package_status(
+                                    None,
+                                    &purl,
+                                    "fixed",
+                                    VersionInfo {
+                                        // TODO detect better version scheme
+                                        scheme: "semver".to_string(),
+                                        spec: VersionSpec::Exact(fixed.clone()),
+                                    },
+                                    &tx,
+                                )
+                                .await?
                         }
                     }
                 }
             }
         }
 
+        purl_creator.create(&self.graph.connection(&tx)).await?;
+
         tx.commit().await?;
 
         Ok(IngestResult {