SecurityAdvisories: skip duplicate GitHub advisories where package name and CVE matches

glaubinix · glaubinix · commit 8da5e513fab3 · 2024-05-17T14:27:06.000+02:00
diff --git a/src/SecurityAdvisory/GitHubSecurityAdvisoriesSource.php b/src/SecurityAdvisory/GitHubSecurityAdvisoriesSource.php
@@ -44,6 +44,8 @@ public function getAdvisories(ConsoleIO $io): ?RemoteSecurityAdvisoryCollection
     {
         /** @var array<string, array<string, RemoteSecurityAdvisory>> $advisoryMap */
         $advisoryMap = [];
+        /** @var array<string, array<string, true>> $foundPackageCves */
+        $foundPackageCves = [];
         $hasNextPage = true;
         $after = '';
 
@@ -95,6 +97,15 @@ public function getAdvisories(ConsoleIO $io): ?RemoteSecurityAdvisoryCollection
 
                 $packageName = strtolower($node['package']['name']);
 
+                // GitHub can have multiple advisories per CVE and package
+                if ($cve !== null) {
+                    if (isset($foundPackageCves[$packageName][$cve])) {
+                        continue;
+                    }
+
+                    $foundPackageCves[$packageName][$cve] = true;
+                }
+
                 // GitHub adds spaces everywhere e.g. > 1.0, adjust to be able to match other advisories
                 $versionRange = Preg::replace('#\s#', '', $node['vulnerableVersionRange']);
                 if (isset($advisoryMap[$packageName][$remoteId])) {
diff --git a/tests/SecurityAdvisory/GitHubSecurityAdvisoriesSourceTest.php b/tests/SecurityAdvisory/GitHubSecurityAdvisoriesSourceTest.php
@@ -146,6 +146,38 @@ public function testWithPagination(): void
         $this->assertSame(Severity::MEDIUM, $advisories[1]->severity);
     }
 
+    public function testDuplicateCvePerPackage(): void
+    {
+        $responseFactory = function (string $method, string $url, array $options) {
+            $this->assertSame('POST', $method);
+            $this->assertSame('https://api.github.com/graphql', $url);
+            $this->assertSame('{"query":"query{securityVulnerabilities(ecosystem:COMPOSER,first:100){nodes{advisory{summary,permalink,publishedAt,withdrawnAt,severity,identifiers{type,value},references{url}},vulnerableVersionRange,package{name}},pageInfo{hasNextPage,endCursor}}}"}', $options['body']);
+
+            return new MockResponse(json_encode($this->getGraphQLResultPageWithMultipleCvePerPackage()), ['http_code' => 200, 'response_headers' => ['Content-Type' => 'application/json; charset=utf-8']]);
+        };
+        $client = new MockHttpClient($responseFactory);
+
+        $source = new GitHubSecurityAdvisoriesSource($client, new NullLogger(), $this->providerManager, [], $this->doctrine);
+        $package = $this->getPackage();
+        $advisoryCollection = $source->getAdvisories(new BufferIO());
+
+        $this->assertNotNull($advisoryCollection);
+        $this->assertSame(1, $client->getRequestsCount());
+
+        $advisories = $advisoryCollection->getAdvisoriesForPackageName($package->getName());
+        $this->assertCount(1, $advisories);
+
+        $this->assertSame('GHSA-h58v-c6rf-abcd', $advisories[0]->id);
+        $this->assertSame('Insert tag injection', $advisories[0]->title);
+        $this->assertSame('vendor/package', $advisories[0]->packageName);
+        $this->assertSame('=4.10.0', $advisories[0]->affectedVersions);
+        $this->assertSame('https://github.com/advisories/GHSA-h58v-c6rf-abcd', $advisories[0]->link);
+        $this->assertSame('CVE-2020-25768', $advisories[0]->cve);
+        $this->assertSame('2021-07-01T17:00:04+0000', $advisories[0]->date->format(\DateTimeInterface::ISO8601));
+        $this->assertNull($advisories[0]->composerRepository);
+        $this->assertSame(Severity::MEDIUM, $advisories[0]->severity);
+    }
+
     private function getPackage(): Package
     {
         $package = new Package();
@@ -191,6 +223,24 @@ private function getGraphQLResultSecondPage(): array
         ];
     }
 
+    private function getGraphQLResultPageWithMultipleCvePerPackage(): array
+    {
+        return [
+            'data' => [
+                'securityVulnerabilities' => [
+                    'nodes' => [
+                        $this->graphQlPackageNode('GHSA-h58v-c6rf-abcd', 'vendor/package', '= 4.10.0', 'CVE-2020-25768', 'Insert tag injection', '2021-07-01T17:00:04Z'),
+                        $this->graphQlPackageNode('GHSA-f7wm-x4gw-abcd', 'vendor/package', '= 4.10.0', 'CVE-2020-25768', 'Insert tag injection in forms', '2020-09-24T16:23:54Z'),
+                    ],
+                    'pageInfo' => [
+                        'hasNextPage' => false,
+                        'endCursor' => 'Y3Vyc29yOnYyOpK5MjAxOS0xMi0xN1QyMDozNTozMSswMTowMM0LWQ==',
+                    ],
+                ],
+            ],
+        ];
+    }
+
     private function graphQlPackageNode(string $advisoryId, string $packageName, string $range, string $cve, string $summary, string $publishedAt): array
     {
         return [
