skip modules but keep their rpms (#305)

Sometimes RPMs are packed in a module. It's a little harder to detect
the actual modules themselves on a running system, but we can still
check their RPMs. This change allows skipping modules, but keeps their
RPM children.

Signed-off-by: Jason Shepherd <[email protected]>

Author: jasinner

tools/redhat/redhat_osv/convert_redhat_test.py

@@ -8,25 +8,29 @@
 class TestRedHatConverter(unittest.TestCase):
     """Test end-to-end convertion from RedHAt CSAF to OSV format"""
 
+    test_advisories = ["2024_4546", "2024_6220"]
+
     def test_convert_redhat(self):
-        """ Test a single demo CSAF file """
-        modified_time = datetime.strptime("2024-09-02T14:30:00",
-                                          "%Y-%m-%dT%H:%M:%S")
-        csaf_file = "testdata/rhsa-2024_4546.json"
-        expected_file = "testdata/RHSA-2024_4546.json"
-
-        with open(csaf_file, "r", encoding="utf-8") as fp:
-            csaf_data = fp.read()
-        converter = RedHatConverter()
-        osv_data = converter.convert(csaf_data,
-                                     modified_time.strftime(DATE_FORMAT))
-
-        assert osv_data[0] == "RHSA-2024:4546"
-        result_data = json.loads(osv_data[1])
-
-        with open(expected_file, "r", encoding="utf-8") as fp:
-            expected_data = json.load(fp)
-        assert expected_data == result_data
+        for test_advisory in self.test_advisories:
+            """ Test a single demo CSAF file """
+            modified_time = datetime.strptime("2024-09-02T14:30:00",
+                                              "%Y-%m-%dT%H:%M:%S")
+            csaf_file = f"testdata/rhsa-{test_advisory}.json"
+            expected_file = f"testdata/RHSA-{test_advisory}.json"
+
+            with open(csaf_file, "r", encoding="utf-8") as fp:
+                csaf_data = fp.read()
+            converter = RedHatConverter()
+            osv_data = converter.convert(csaf_data,
+                                         modified_time.strftime(DATE_FORMAT))
+
+            advisory_id = test_advisory.replace("_", ":")
+            assert osv_data[0] == f"RHSA-{advisory_id}"
+            result_data = json.loads(osv_data[1])
+
+            with open(expected_file, "r", encoding="utf-8") as fp:
+                expected_data = json.load(fp)
+            assert expected_data == result_data
 
 
 if __name__ == '__main__':

tools/redhat/redhat_osv/csaf.py

@@ -3,6 +3,8 @@
 from dataclasses import dataclass, InitVar, field
 from typing import Any, Iterable
 
+class RemediationParseError(ValueError):
+    pass
 
 @dataclass
 class Remediation:
@@ -32,7 +34,7 @@ def __post_init__(self, csaf_product_id: str, cpes: dict[str, str],
         # We split the name from the rest of the 'version' data (EVRA). We store name as component.
         split_component_version = self.product_version.rsplit("-", maxsplit=2)
         if len(split_component_version) < 3:
-            raise ValueError(
+            raise RemediationParseError(
                 f"Could not convert component into NEVRA: {self.product_version}"
             )
         # RHEL Modules have 4 colons in the name part of the NEVRA. If we detect a modular RPM
@@ -96,7 +98,12 @@ def __post_init__(self, csaf_vuln: dict[str, Any], cpes: dict[str, str],
         self.references = csaf_vuln["references"]
         self.remediations = []
         for product_id in csaf_vuln["product_status"]["fixed"]:
-            self.remediations.append(Remediation(product_id, cpes, purls))
+            try:
+                self.remediations.append(Remediation(product_id, cpes, purls))
+            except RemediationParseError:
+                continue
+        if not self.remediations:
+            raise ValueError(f"Did not find any remediations for {self.cve_id}")
 
 
 def gen_dict_extract(key, var: Iterable):