Add a test for gentoo importer v2

Signed-off-by: ziad hany <ziadhany2016@gmail.com>

Author: ziadhany

vulnerabilities/pipelines/v2_importers/gentoo_importer.py

@@ -57,17 +57,18 @@ def collect_advisories(self) -> Iterable[AdvisoryData]:
     def process_file(self, file):
         cves = []
         summary = ""
-        vuln_references = []
         xml_root = ET.parse(file).getroot()
         id = xml_root.attrib.get("id")
-        if id:
-            glsa = "GLSA-" + id
-            vuln_references = [
-                ReferenceV2(
-                    reference_id=glsa,
-                    url=f"https://security.gentoo.org/glsa/{id}",
-                )
-            ]
+        if not id:
+            raise ValueError("Missing `id` attribute")
+
+        glsa = "GLSA-" + id
+        vuln_references = [
+            ReferenceV2(
+                reference_id=glsa,
+                url=f"https://security.gentoo.org/glsa/{id}",
+            )
+        ]
 
         for child in xml_root:
             if child.tag == "references":
@@ -79,19 +80,16 @@ def process_file(self, file):
             if child.tag == "affected":
                 affected_packages = list(affected_and_safe_purls(child))
 
-        # It is very inefficient, to create new Advisory for each CVE
-        # this way, but there seems no alternative.
-        for cve in cves:
-            yield AdvisoryData(
-                advisory_id=cve,
-                aliases=[cve],
-                summary=summary,
-                references=vuln_references,
-                affected_packages=affected_packages,
-                url=f"https://security.gentoo.org/glsa/{id}"
-                if id
-                else "https://security.gentoo.org/glsa",
-            )
+        yield AdvisoryData(
+            advisory_id=glsa,
+            aliases=cves,
+            summary=summary,
+            references_v2=vuln_references,
+            affected_packages=affected_packages,
+            url=f"https://security.gentoo.org/glsa/{id}"
+            if id
+            else "https://security.gentoo.org/glsa",
+        )
 
     def clean_downloads(self):
         if self.vcs_response:

vulnerabilities/tests/pipelines/v2_importers/test_gentoo_importer_v2.py

@@ -0,0 +1,36 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+from pathlib import Path
+from unittest.mock import Mock, patch
+
+import pytest
+
+from vulnerabilities.pipelines.v2_importers.gentoo_importer import GentooImporterPipeline
+from vulnerabilities.tests import util_tests
+
+TEST_DATA = Path(__file__).parent.parent.parent / "test_data" / "gentoo_v2"
+
+TEST_CVE_FILES = [
+    TEST_DATA / "glsa-201709-09.xml",
+    TEST_DATA / "glsa-202511-02.xml",
+]
+
+
+@pytest.mark.django_db
+@pytest.mark.parametrize("xml_file", TEST_CVE_FILES)
+def test_gentoo_advisories_per_file(xml_file):
+    pipeline = GentooImporterPipeline()
+    pipeline.vcs_response = Mock(dest_dir=TEST_DATA)
+
+    with patch.object(Path, "glob", return_value=[xml_file]):
+        result = [adv.to_dict() for adv in pipeline.collect_advisories()]
+
+    expected_file = xml_file.with_name(xml_file.stem + "-expected.json")
+    util_tests.check_results_against_json(result, expected_file)

vulnerabilities/tests/test_data/gentoo_v2/glsa-201709-09-expected.json

@@ -0,0 +1,37 @@
+[
+  {
+    "advisory_id": "GLSA-201709-09",
+    "aliases": [
+      "CVE-2017-9800"
+    ],
+    "summary": "A command injection vulnerability in Subversion may allow remote\n    attackers to execute arbitrary code.",
+    "affected_packages": [
+      {
+        "package": {
+          "type": "ebuild",
+          "namespace": "dev-vcs",
+          "name": "subversion",
+          "version": "",
+          "qualifiers": "",
+          "subpath": ""
+        },
+        "affected_version_range": "vers:ebuild/0.1.1|!=1.9.7",
+        "fixed_version_range": null,
+        "introduced_by_commit_patches": [],
+        "fixed_by_commit_patches": []
+      }
+    ],
+    "references_v2": [
+      {
+        "reference_id": "GLSA-201709-09",
+        "reference_type": "",
+        "url": "https://security.gentoo.org/glsa/201709-09"
+      }
+    ],
+    "patches": [],
+    "severities": [],
+    "date_published": null,
+    "weaknesses": [],
+    "url": "https://security.gentoo.org/glsa/201709-09"
+  }
+]

vulnerabilities/tests/test_data/gentoo_v2/glsa-201709-09.xml

@@ -0,0 +1,77 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201709-09">
+  <title>Subversion: Arbitrary code execution</title>
+  <synopsis>A command injection vulnerability in Subversion may allow remote
+    attackers to execute arbitrary code.
+  </synopsis>
+  <product type="ebuild">subversion</product>
+  <announced>2017-09-17</announced>
+  <revised count="1">2017-09-17</revised>
+  <bug>627480</bug>
+  <access>remote</access>
+  <affected>
+    <package name="dev-vcs/subversion" auto="yes" arch="*">
+      <unaffected range="ge">1.9.7</unaffected>
+      <unaffected range="rgt">1.8.18</unaffected>
+      <vulnerable range="lt">1.9.7</vulnerable>
+      <vulnerable range="eq">0.1.1</vulnerable>      
+      
+    </package>
+  </affected>
+  <background>
+    <p>Subversion is a version control system intended to eventually replace
+      CVS. Like CVS, it has an optional client-server architecture (where the
+      server can be an Apache server running mod_svn, or an ssh program as in
+      CVS’s :ext: method). In addition to supporting the features found in
+      CVS, Subversion also provides support for moving and copying files and
+      directories.
+    </p>
+  </background>
+  <description>
+    <p>Specially crafted ‘ssh://...’ URLs may allow the owner of the
+      repository to execute arbitrary commands on client’s machine if those
+      commands are already installed on the client’s system. This is
+      especially dangerous when the third-party repository has one or more
+      submodules with specially crafted ‘ssh://...’ URLs. Each time the
+      repository is recursively cloned or submodules are updated the payload
+      will be triggered.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker, by enticing a user to clone a specially crafted
+      repository, could possibly execute arbitrary code with the privileges of
+      the process.
+    </p>
+  </impact>
+  <workaround>
+    <p>There are several alternative ways to fix this vulnerability. Please
+      refer to Subversion Team Announce for more details.
+    </p>
+  </workaround>
+  <resolution>
+    <p>All Subversion 1.9.x users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=dev-vcs/subversion-1.9.7"
+    </code>
+    
+    <p>All Subversion 1.8.x users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=dev-vcs/subversion-1.8.18"
+    </code>
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9800">
+      CVE-2017-9800
+    </uri>
+    <uri link="https://subversion.apache.org/security/CVE-2017-9800-advisory.txt">
+      Subversion Team Announce
+    </uri>
+  </references>
+  <metadata tag="requester" timestamp="2017-09-01T12:55:21Z">b-man</metadata>
+  <metadata tag="submitter" timestamp="2017-09-17T15:50:43Z">chrisadr</metadata>
+</glsa>

vulnerabilities/tests/test_data/gentoo_v2/glsa-202511-02-expected.json

@@ -0,0 +1,61 @@
+[
+  {
+    "advisory_id": "GLSA-202511-02",
+    "aliases": [
+      "CVE-2024-40857",
+      "CVE-2024-40866",
+      "CVE-2024-44185",
+      "CVE-2024-44187",
+      "CVE-2024-44192",
+      "CVE-2024-44244",
+      "CVE-2024-44296",
+      "CVE-2024-54467",
+      "CVE-2024-54551",
+      "CVE-2025-24201",
+      "CVE-2025-24208",
+      "CVE-2025-24209",
+      "CVE-2025-24213",
+      "CVE-2025-24216",
+      "CVE-2025-24264",
+      "CVE-2025-30427",
+      "CVE-2025-31273",
+      "CVE-2025-31278",
+      "CVE-2025-43211",
+      "CVE-2025-43212",
+      "CVE-2025-43216",
+      "CVE-2025-43227",
+      "CVE-2025-43228",
+      "CVE-2025-43240",
+      "CVE-2025-43265"
+    ],
+    "summary": "Multiple vulnerabilities have been discovered in WebKitGTK+, the worst of which can lead to execution of arbitary code.",
+    "affected_packages": [
+      {
+        "package": {
+          "type": "ebuild",
+          "namespace": "net-libs",
+          "name": "webkit-gtk",
+          "version": "",
+          "qualifiers": "",
+          "subpath": ""
+        },
+        "affected_version_range": "vers:ebuild/!=2.48.5",
+        "fixed_version_range": null,
+        "introduced_by_commit_patches": [],
+        "fixed_by_commit_patches": []
+      }
+    ],
+    "references_v2": [
+      {
+        "reference_id": "GLSA-202511-02",
+        "reference_type": "",
+        "url": "https://security.gentoo.org/glsa/202511-02"
+      }
+    ],
+    "patches": [],
+    "severities": [],
+    "date_published": null,
+    "weaknesses": [],
+    "url": "https://security.gentoo.org/glsa/202511-02"
+  }
+]

vulnerabilities/tests/test_data/gentoo_v2/glsa-202511-02.xml

@@ -0,0 +1,73 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202511-02">
+    <title>WebKitGTK+: Multiple Vulnerabilities</title>
+    <synopsis>Multiple vulnerabilities have been discovered in WebKitGTK+, the worst of which can lead to execution of arbitary code.</synopsis>
+    <product type="ebuild">webkit-gtk</product>
+    <announced>2025-11-24</announced>
+    <revised count="1">2025-11-24</revised>
+    <bug>938026</bug>
+    <bug>941276</bug>
+    <bug>951739</bug>
+    <bug>961021</bug>
+    <access>remote</access>
+    <affected>
+        <package name="net-libs/webkit-gtk" auto="yes" arch="*">
+            <unaffected range="ge" slot="4.1">2.48.5</unaffected>
+            <unaffected range="ge" slot="6">2.48.5</unaffected>
+            <vulnerable range="lt" slot="4.1">2.48.5</vulnerable>
+            <vulnerable range="lt" slot="6">2.48.5</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>WebKitGTK+ is a full-featured port of the WebKit rendering engine, suitable for projects requiring any kind of web integration, from hybrid HTML/CSS applications to full-fledged web browsers.</p>
+    </background>
+    <description>
+        <p>Multiple vulnerabilities have been discovered in WebKitGTK+. Please review the CVE identifiers referenced below for details.</p>
+    </description>
+    <impact type="high">
+        <p>Please review the referenced CVE identifiers for details.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All WebKitGTK+ users should upgrade to the latest version:</p>
+
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.48.5:4.1" ">=net-libs/webkit-gtk-2.48.5:6"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-40857">CVE-2024-40857</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-40866">CVE-2024-40866</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-44185">CVE-2024-44185</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-44187">CVE-2024-44187</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-44192">CVE-2024-44192</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-44244">CVE-2024-44244</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-44296">CVE-2024-44296</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-54467">CVE-2024-54467</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-54551">CVE-2024-54551</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-24201">CVE-2025-24201</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-24208">CVE-2025-24208</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-24209">CVE-2025-24209</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-24213">CVE-2025-24213</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-24216">CVE-2025-24216</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-24264">CVE-2025-24264</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-30427">CVE-2025-30427</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-31273">CVE-2025-31273</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-31278">CVE-2025-31278</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-43211">CVE-2025-43211</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-43212">CVE-2025-43212</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-43216">CVE-2025-43216</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-43227">CVE-2025-43227</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-43228">CVE-2025-43228</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-43240">CVE-2025-43240</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-43265">CVE-2025-43265</uri>
+        <uri link="https://webkitgtk.org/security/WSA-2025-0002.html">WSA-2025-0002</uri>
+        <uri link="https://webkitgtk.org/security/WSA-2025-0003.html">WSA-2025-0003</uri>
+    </references>
+    <metadata tag="requester" timestamp="2025-11-24T23:57:31.542544Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2025-11-24T23:57:31.545141Z">sam</metadata>
+</glsa>