Improve CollectRepoFixCommitPipeline to use input and ensure it collect fixed_by_commit_patches correctly.

ziadhany · ziadhany · commit 857b0802a80a · 2026-02-11T18:50:12.000+02:00
Signed-off-by: ziad hany &lt;ziadhany2016@gmail.com&gt;
diff --git a/vulnerabilities/importers/__init__.py b/vulnerabilities/importers/__init__.py
@@ -46,9 +46,6 @@
 from vulnerabilities.pipelines.v2_importers import apache_kafka_importer as apache_kafka_importer_v2
 from vulnerabilities.pipelines.v2_importers import apache_tomcat_importer as apache_tomcat_v2
 from vulnerabilities.pipelines.v2_importers import archlinux_importer as archlinux_importer_v2
-from vulnerabilities.pipelines.v2_importers import (
-    collect_repo_fix_commits as collect_repo_fix_commits,
-)
 from vulnerabilities.pipelines.v2_importers import curl_importer as curl_importer_v2
 from vulnerabilities.pipelines.v2_importers import debian_importer as debian_importer_v2
 from vulnerabilities.pipelines.v2_importers import (
@@ -148,6 +145,5 @@
         ubuntu_usn.UbuntuUSNImporter,
         fireeye.FireyeImporter,
         oss_fuzz.OSSFuzzImporter,
-        collect_repo_fix_commits.CollectRepoFixCommitPipeline,
     ]
 )
diff --git a/vulnerabilities/pipelines/v2_importers/collect_repo_fix_commits.py b/vulnerabilities/pipelines/v2_importers/collect_repo_fix_commits.py
@@ -6,7 +6,8 @@
 from git import Repo
 
 from vulnerabilities.importer import AdvisoryData
-from vulnerabilities.importer import ReferenceV2
+from vulnerabilities.importer import AffectedPackageV2
+from vulnerabilities.importer import PackageCommitPatchData
 from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipelineV2
 
 SECURITY_PATTERNS = [
@@ -22,7 +23,7 @@ class CollectRepoFixCommitPipeline(VulnerableCodeBaseImporterPipelineV2):
     Pipeline to collect fix commits from any git repository.
     """
 
-    pipeline_id = "repo_fix_commit"
+    pipeline_id = "collect_fix_commit"
 
     @classmethod
     def steps(cls):
@@ -34,23 +35,26 @@ def steps(cls):
 
     def clone(self):
         """Clone the repository."""
-        self.repo_url = "https://github.com/torvalds/linux"
-        repo_path = tempfile.mkdtemp()
+        self.repo_url = self.inputs["repo_url"]
+        if not self.repo_url:
+            raise ValueError("Repo is required for CollectRepoFixCommitPipeline")
+
+        self.purl = self.inputs["purl"]
         self.repo = Repo.clone_from(
             url=self.repo_url,
-            to_path=repo_path,
+            to_path=tempfile.mkdtemp(),
             bare=True,
             no_checkout=True,
             multi_options=["--filter=blob:none"],
         )
 
     def advisories_count(self) -> int:
-        return int(self.repo.git.rev_list("--count", "HEAD"))
+        return 0
 
-    def classify_commit_type(self, commit) -> list[str]:
+    def extract_vulnerability_id(self, commit) -> list[str]:
         """
-        Extract vulnerability identifiers from a commit message.
-        Returns a list of matched vulnerability IDs (normalized to uppercase).
+        Extract vulnerability id from a commit message.
+        Returns a list of matched vulnerability IDs
         """
         matches = []
         for pattern in SECURITY_PATTERNS:
@@ -67,7 +71,7 @@ def collect_fix_commits(self):
 
         grouped_commits = defaultdict(list)
         for commit in self.repo.iter_commits("--all"):
-            matched_ids = self.classify_commit_type(commit)
+            matched_ids = self.extract_vulnerability_id(commit)
             if not matched_ids:
                 continue
 
@@ -87,16 +91,30 @@ def collect_advisories(self):
         """
         self.log("Generating AdvisoryData objects from grouped commits.")
         grouped_commits = self.collect_fix_commits()
-        for vuln_id, commits in grouped_commits.items():
-            references = [ReferenceV2(url=f"{self.repo_url}/commit/{cid}") for cid, _ in commits]
+        for vuln_id, commits_data in grouped_commits.items():
+            if not commits_data or not vuln_id:
+                continue
 
-            summary_lines = [f"- {cid}: {msg}" for cid, msg in commits]
+            summary_lines = []
+            for c_hash, msg in commits_data:
+                summary_lines.append(f"{c_hash}: {msg}")
             summary = f"Commits fixing {vuln_id}:\n" + "\n".join(summary_lines)
+
+            commit_hash_set = {commit_hash for commit_hash, _ in commits_data}
+            affected_packages = [
+                AffectedPackageV2(
+                    package=self.purl,
+                    fixed_by_commit_patches=[
+                        PackageCommitPatchData(vcs_url=self.repo_url, commit_hash=commit_hash)
+                        for commit_hash in commit_hash_set
+                    ],
+                )
+            ]
+
             yield AdvisoryData(
                 advisory_id=vuln_id,
-                aliases=[vuln_id],
                 summary=summary,
-                references_v2=references,
+                affected_packages=affected_packages,
                 url=self.repo_url,
             )
 
diff --git a/vulnerabilities/tests/pipelines/v2_importers/test_collect_fix_commit.py b/vulnerabilities/tests/pipelines/v2_importers/test_collect_fix_commit.py
@@ -14,6 +14,7 @@
 from unittest.mock import patch
 
 import pytest
+from packageurl import PackageURL
 
 from vulnerabilities.pipelines.v2_importers.collect_repo_fix_commits import (
     CollectRepoFixCommitPipeline,
@@ -33,7 +34,7 @@ def test_classify_commit_type_extracts_ids(pipeline):
     class DummyCommit:
         message = "Fix for CVE-2023-1234 and GHSA-2479-qvv7-47qq"
 
-    result = pipeline.classify_commit_type(DummyCommit)
+    result = pipeline.extract_vulnerability_id(DummyCommit)
     assert result == ["CVE-2023-1234", "GHSA-2479-qvv7-47qq"]
 
 
@@ -78,12 +79,13 @@ def test_collect_advisories_from_json(self):
 
         pipeline = CollectRepoFixCommitPipeline()
         pipeline.repo_url = "https://github.com/test/repo"
+        pipeline.purl = PackageURL.from_string("pkg:generic/test")
         pipeline.log = MagicMock()
         pipeline.collect_fix_commits = MagicMock(return_value=grouped_commits)
 
         result = [adv.to_dict() for adv in pipeline.collect_advisories()]
 
-        util_tests.check_results_against_json(result, expected_file)
+        util_tests.check_results_against_json(result, expected_file, True)
 
 
 @pytest.mark.parametrize(
@@ -108,7 +110,7 @@ def __init__(self, message):
             self.message = message
 
     commit = DummyCommit(commit_message)
-    result = pipeline.classify_commit_type(commit)
+    result = pipeline.extract_vulnerability_id(commit)
 
     assert result == expected_ids, f"Unexpected result for message: {commit_message}"
 
@@ -119,6 +121,6 @@ def test_classify_commit_type_case_insensitive(pipeline):
     class DummyCommit:
         message = "fix cVe-2022-9999 and ghSa-dead-beef-baad"
 
-    result = pipeline.classify_commit_type(DummyCommit)
+    result = pipeline.extract_vulnerability_id(DummyCommit)
     assert any("CVE-2022-9999" in r.upper() for r in result)
     assert any("GHSA-DEAD-BEEF-BAAD" in r.upper() for r in result)
diff --git a/vulnerabilities/tests/test_data/fix_commits/expected_linux_advisory_output.json b/vulnerabilities/tests/test_data/fix_commits/expected_linux_advisory_output.json
@@ -1,37 +1,67 @@
 [
   {
     "advisory_id": "CVE-2021-0001",
-    "aliases": [
-      "CVE-2021-0001"
-    ],
-    "summary": "Commits fixing CVE-2021-0001:\n- abc123: Fix CVE-2021-0001",
-    "affected_packages": [],
-    "references_v2": [
+    "aliases": [],
+    "summary": "Commits fixing CVE-2021-0001:\n41b43c74bda19753c757036673ea9db74acf494a: Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB.",
+    "affected_packages": [
       {
-        "reference_id": "",
-        "reference_type": "",
-        "url": "https://github.com/test/repo/commit/abc123"
+        "package": {
+          "type": "generic",
+          "namespace": "",
+          "name": "test",
+          "version": "",
+          "qualifiers": "",
+          "subpath": ""
+        },
+        "affected_version_range": null,
+        "fixed_version_range": null,
+        "introduced_by_commit_patches": [],
+        "fixed_by_commit_patches": [
+          {
+            "vcs_url": "https://github.com/test/repo",
+            "commit_hash": "41b43c74bda19753c757036673ea9db74acf494a",
+            "patch_text": null,
+            "patch_checksum": null
+          }
+        ]
       }
     ],
+    "references_v2": [],
+    "patches": [],
     "severities": [],
     "date_published": null,
     "weaknesses": [],
     "url": "https://github.com/test/repo"
   },
   {
     "advisory_id": "GHSA-dead-beef-baad",
-    "aliases": [
-      "GHSA-dead-beef-baad"
-    ],
-    "summary": "Commits fixing GHSA-dead-beef-baad:\n- def456: Patch GHSA-dead-beef-baad",
-    "affected_packages": [],
-    "references_v2": [
+    "aliases": [],
+    "summary": "Commits fixing GHSA-dead-beef-baad:\n49ff1042aa66bb25eda87e9a8ef82f3b0ad4eeba: Fixed CVE-2024-53907 -- Mitigated potential DoS in strip_tags().",
+    "affected_packages": [
       {
-        "reference_id": "",
-        "reference_type": "",
-        "url": "https://github.com/test/repo/commit/def456"
+        "package": {
+          "type": "generic",
+          "namespace": "",
+          "name": "test",
+          "version": "",
+          "qualifiers": "",
+          "subpath": ""
+        },
+        "affected_version_range": null,
+        "fixed_version_range": null,
+        "introduced_by_commit_patches": [],
+        "fixed_by_commit_patches": [
+          {
+            "vcs_url": "https://github.com/test/repo",
+            "commit_hash": "49ff1042aa66bb25eda87e9a8ef82f3b0ad4eeba",
+            "patch_text": null,
+            "patch_checksum": null
+          }
+        ]
       }
     ],
+    "references_v2": [],
+    "patches": [],
     "severities": [],
     "date_published": null,
     "weaknesses": [],
diff --git a/vulnerabilities/tests/test_data/fix_commits/grouped_commits_input.json b/vulnerabilities/tests/test_data/fix_commits/grouped_commits_input.json
@@ -1,8 +1,8 @@
 {
   "CVE-2021-0001": [
-    ["abc123", "Fix CVE-2021-0001"]
+    ["41b43c74bda19753c757036673ea9db74acf494a", "Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB."]
   ],
   "GHSA-dead-beef-baad": [
-    ["def456", "Patch GHSA-dead-beef-baad"]
+    ["49ff1042aa66bb25eda87e9a8ef82f3b0ad4eeba", "Fixed CVE-2024-53907 -- Mitigated potential DoS in strip_tags()."]
   ]
 }

Original file line number	Diff line number	Diff line change
`@@ -1,8 +1,8 @@`
`1`	`1`	`{`
`2`	`2`	`"CVE-2021-0001": [`
`3`		`- ["abc123", "Fix CVE-2021-0001"]`
	`3`	`+ ["41b43c74bda19753c757036673ea9db74acf494a", "Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB."]`
`4`	`4`	`],`
`5`	`5`	`"GHSA-dead-beef-baad": [`
`6`		`- ["def456", "Patch GHSA-dead-beef-baad"]`
	`6`	`+ ["49ff1042aa66bb25eda87e9a8ef82f3b0ad4eeba", "Fixed CVE-2024-53907 -- Mitigated potential DoS in strip_tags()."]`
`7`	`7`	`]`
`8`	`8`	`}`