Update commit parsing pipeline to support collecting fix commits from multiple repositories

Signed-off-by: ziad hany <ziadhany2016@gmail.com>

Author: ziadhany

vulnerabilities/importers/__init__.py

@@ -44,6 +44,7 @@
 from vulnerabilities.pipelines.v2_importers import aosp_importer as aosp_importer_v2
 from vulnerabilities.pipelines.v2_importers import apache_httpd_importer as apache_httpd_v2
 from vulnerabilities.pipelines.v2_importers import archlinux_importer as archlinux_importer_v2
+from vulnerabilities.pipelines.v2_importers import collect_fix_commits as collect_fix_commits_v2
 from vulnerabilities.pipelines.v2_importers import curl_importer as curl_importer_v2
 from vulnerabilities.pipelines.v2_importers import (
     elixir_security_importer as elixir_security_importer_v2,
@@ -135,5 +136,19 @@
         ubuntu_usn.UbuntuUSNImporter,
         fireeye.FireyeImporter,
         oss_fuzz.OSSFuzzImporter,
+        collect_fix_commits_v2.CollectNodejsFixCommitsPipeline,
+        collect_fix_commits_v2.CollectCpythonFixCommitsPipeline,
+        collect_fix_commits_v2.CollectGoFixCommitsPipeline,
+        collect_fix_commits_v2.CollectRustFixCommitsPipeline,
+        collect_fix_commits_v2.CollectPhpFixCommitsPipeline,
+        collect_fix_commits_v2.CollectRubyFixCommitsPipeline,
+        collect_fix_commits_v2.CollectNginxFixCommitsPipeline,
+        collect_fix_commits_v2.CollectPostgresFixCommitsPipeline,
+        collect_fix_commits_v2.CollectMysqlFixCommitsPipeline,
+        collect_fix_commits_v2.CollectGitFixCommitsPipeline,
+        collect_fix_commits_v2.CollectTensorflowFixCommitsPipeline,
+        collect_fix_commits_v2.CollectFirefoxFixCommitsPipeline,
+        collect_fix_commits_v2.CollectQEMUFixCommitsPipeline,
+        collect_fix_commits_v2.CollectDenoFixCommitsPipeline,
     ]
 )

vulnerabilities/pipelines/__init__.py

@@ -8,7 +8,11 @@
 #
 
 import logging
+import re
+import shutil
+import tempfile
 import traceback
+from collections import defaultdict
 from datetime import datetime
 from datetime import timezone
 from timeit import default_timer as timer
@@ -19,8 +23,12 @@
 from aboutcode.pipeline import LoopProgress
 from aboutcode.pipeline import PipelineDefinition
 from aboutcode.pipeline import humanize_time
+from git import Repo
+from packageurl.contrib.url2purl import url2purl
 
 from vulnerabilities.importer import AdvisoryData
+from vulnerabilities.importer import AffectedPackageV2
+from vulnerabilities.importer import PackageCommitPatchData
 from vulnerabilities.improver import MAX_CONFIDENCE
 from vulnerabilities.models import Advisory
 from vulnerabilities.models import PipelineRun
@@ -321,3 +329,109 @@ def collect_and_store_advisories(self):
                 continue
 
         self.log(f"Successfully collected {collected_advisory_count:,d} advisories")
+
+
+class CollectVCSFixCommitPipeline(VulnerableCodeBaseImporterPipelineV2):
+    """
+    Pipeline to collect fix commits from any git repository.
+    """
+
+    repo_url: str
+    patterns: list[str] = [
+        r"\bCVE-\d{4}-\d{4,19}\b",
+        r"GHSA-[2-9cfghjmpqrvwx]{4}-[2-9cfghjmpqrvwx]{4}-[2-9cfghjmpqrvwx]{4}",
+    ]
+
+    @classmethod
+    def steps(cls):
+        return (
+            cls.clone,
+            cls.collect_and_store_advisories,
+            cls.clean_downloads,
+        )
+
+    def clone(self):
+        """Clone the repository."""
+        self.repo = Repo.clone_from(
+            url=self.repo_url,
+            to_path=tempfile.mkdtemp(),
+            bare=True,
+            no_checkout=True,
+            multi_options=["--filter=blob:none"],
+        )
+
+    def advisories_count(self) -> int:
+        return 0
+
+    def extract_vulnerability_id(self, commit) -> list[str]:
+        """
+        Extract vulnerability id from a commit message.
+        Returns a list of matched vulnerability IDs
+        """
+        matches = []
+        for pattern in self.patterns:
+            found = re.findall(pattern, commit.message, flags=re.IGNORECASE)
+            matches.extend(found)
+        return matches
+
+    def collect_fix_commits(self):
+        """
+        Iterate through repository commits and group them by vulnerability identifiers.
+        return a list with (vuln_id, [(commit_id, commit_message)]).
+        """
+        self.log("Processing git repository fix commits (grouped by vulnerability IDs).")
+
+        grouped_commits = defaultdict(list)
+        for commit in self.repo.iter_commits("--all"):
+            matched_ids = self.extract_vulnerability_id(commit)
+            if not matched_ids:
+                continue
+
+            commit_id = commit.hexsha
+            commit_message = commit.message.strip()
+
+            for vuln_id in matched_ids:
+                grouped_commits[vuln_id].append((commit_id, commit_message))
+
+        self.log(f"Found {len(grouped_commits)} vulnerabilities with related commits.")
+        self.log("Finished processing all commits.")
+        return grouped_commits
+
+    def collect_advisories(self):
+        """
+        Generate AdvisoryData objects for each vulnerability ID grouped with its related commits.
+        """
+        self.log("Generating AdvisoryData objects from grouped commits.")
+        grouped_commits = self.collect_fix_commits()
+        purl = url2purl(self.repo_url)
+
+        for vuln_id, commits_data in grouped_commits.items():
+            if not commits_data or not vuln_id:
+                continue
+
+            commit_hash_set = {commit_hash for commit_hash, _ in commits_data}
+            affected_packages = [
+                AffectedPackageV2(
+                    package=purl,
+                    fixed_by_commit_patches=[
+                        PackageCommitPatchData(vcs_url=self.repo_url, commit_hash=commit_hash)
+                        for commit_hash in commit_hash_set
+                    ],
+                )
+            ]
+
+            yield AdvisoryData(
+                advisory_id=vuln_id,
+                affected_packages=affected_packages,
+                url=self.repo_url,
+            )
+
+    def clean_downloads(self):
+        """Cleanup any temporary repository data."""
+        self.log("Cleaning up local repository resources.")
+        if hasattr(self, "repo") and self.repo.working_dir:
+            shutil.rmtree(path=self.repo.working_dir)
+
+    def on_failure(self):
+        """Ensure cleanup is always performed on failure."""
+        self.clean_downloads()

vulnerabilities/pipelines/v2_importers/collect_fix_commits.py

@@ -0,0 +1,71 @@
+from vulnerabilities.pipelines import CollectVCSFixCommitPipeline
+
+
+class CollectNodejsFixCommitsPipeline(CollectVCSFixCommitPipeline):
+    pipeline_id = "collect_nodejs_fix_commits"
+    repo_url = "https://github.com/nodejs/node"
+
+
+class CollectCpythonFixCommitsPipeline(CollectVCSFixCommitPipeline):
+    pipeline_id = "collect_cpython_fix_commits"
+    repo_url = "https://github.com/python/cpython"
+
+
+class CollectGoFixCommitsPipeline(CollectVCSFixCommitPipeline):
+    pipeline_id = "collect_go_fix_commits"
+    repo_url = "https://github.com/golang/go"
+
+
+class CollectRustFixCommitsPipeline(CollectVCSFixCommitPipeline):
+    pipeline_id = "collect_rust_lang_fix_commits"
+    repo_url = "https://github.com/rust-lang/rust"
+
+
+class CollectPhpFixCommitsPipeline(CollectVCSFixCommitPipeline):
+    pipeline_id = "collect_php_fix_commits"
+    repo_url = "https://github.com/php/php-src"
+
+
+class CollectRubyFixCommitsPipeline(CollectVCSFixCommitPipeline):
+    pipeline_id = "collect_ruby_fix_commits"
+    repo_url = "https://github.com/ruby/ruby"
+
+
+class CollectNginxFixCommitsPipeline(CollectVCSFixCommitPipeline):
+    pipeline_id = "collect_nginx_fix_commits"
+    repo_url = "https://github.com/nginx/nginx"
+
+
+class CollectPostgresFixCommitsPipeline(CollectVCSFixCommitPipeline):
+    pipeline_id = "collect_postgres_fix_commits"
+    repo_url = "https://github.com/postgres/postgres"
+
+
+class CollectMysqlFixCommitsPipeline(CollectVCSFixCommitPipeline):
+    pipeline_id = "collect_mysql_fix_commits"
+    repo_url = "https://github.com/mysql/mysql-server"
+
+
+class CollectGitFixCommitsPipeline(CollectVCSFixCommitPipeline):
+    pipeline_id = "collect_git_fix_commits"
+    repo_url = "https://github.com/git/git"
+
+
+class CollectTensorflowFixCommitsPipeline(CollectVCSFixCommitPipeline):
+    pipeline_id = "collect_tensorflow_fix_commits"
+    repo_url = "https://github.com/tensorflow/tensorflow"
+
+
+class CollectFirefoxFixCommitsPipeline(CollectVCSFixCommitPipeline):
+    pipeline_id = "collect_firefox_fix_commits"
+    repo_url = "https://github.com/mozilla-firefox/firefox"
+
+
+class CollectQEMUFixCommitsPipeline(CollectVCSFixCommitPipeline):
+    pipeline_id = "collect_qemu_fix_commits"
+    repo_url = "https://github.com/qemu/qemu"
+
+
+class CollectDenoFixCommitsPipeline(CollectVCSFixCommitPipeline):
+    pipeline_id = "collect_deno_fix_commits"
+    repo_url = "https://github.com/denoland/deno"