From ac23afd6e685093662bac3d0fa12b0cafe254244 Mon Sep 17 00:00:00 2001 From: xwzQmxx <1499273991@qq.com> Date: Mon, 9 May 2022 18:58:12 +0800 Subject: [PATCH 1/2] support display hole patch --- cve-vulner-manager/common/common.go | 11 +++- cve-vulner-manager/controllers/upload.go | 4 +- cve-vulner-manager/models/modeldb.go | 13 +++- cve-vulner-manager/models/uploadcve.go | 65 ++++++++++++++++++- cve-vulner-manager/taskhandler/common.go | 79 ++++++++++++++++++++---- 5 files changed, 155 insertions(+), 17 deletions(-) diff --git a/cve-vulner-manager/common/common.go b/cve-vulner-manager/common/common.go index 318c934..64d58e5 100644 --- a/cve-vulner-manager/common/common.go +++ b/cve-vulner-manager/common/common.go @@ -343,6 +343,7 @@ type CveOriginData struct { FixSuggest CveFixSuggest `json:"fixSuggest"` Version string `json:"version"` Credibility int `json:"credibility"` + Patch []CveOriginPatch `json:"patch"` } type UploadData struct { @@ -369,6 +370,14 @@ type CveOriginDetailData struct { FixSuggest CveFixSuggest `json:"fixSuggest"` } +type CveOriginPatch struct { + Package string `json:"package"` + FixVersion string `json:"fixversion"` + FixPatch string `json:"fix_patch"` + BreakPatch string `json:"break_patch"` + Source string `json:"source"` +} + func GetRepoOrg() (string, error) { BConfig, err := config.NewConfig("ini", "conf/app.conf") if err != nil { @@ -474,7 +483,7 @@ func SliceRemoveDup(req interface{}) (ret []interface{}) { } value := reflect.ValueOf(req) for i := 0; i < value.Len(); i++ { - if i > 0 && reflect.DeepEqual(value.Index(i - 1).Interface(), value.Index(i).Interface()) { + if i > 0 && reflect.DeepEqual(value.Index(i-1).Interface(), value.Index(i).Interface()) { continue } ret = append(ret, value.Index(i).Interface()) diff --git a/cve-vulner-manager/controllers/upload.go b/cve-vulner-manager/controllers/upload.go index 48e9fac..35c40eb 100644 --- a/cve-vulner-manager/controllers/upload.go +++ b/cve-vulner-manager/controllers/upload.go 
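Review bot: The new `CveOriginPatch` type in the @@ -369 hunk mixes tag styles — `json:"fixversion"` sits next to `json:"fix_patch"` and `json:"break_patch"` — so producers of the upload payload have to remember that exactly one field has no underscore. Unless a client already sends `fixversion`, change the tag to `json:"fix_version"` before this wire format ships; if it is already in use, keep it but note the exception in a comment so nobody "fixes" it later. Both the new exported type and the `Patch []CveOriginPatch` field added to `CveOriginData` lack doc comments; `// CveOriginPatch is one fix/break patch entry reported for a CVE in the upload payload.` would do for the type. The third hunk (@@ -474) is gofmt whitespace only.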
@@ -164,7 +164,7 @@ func (u *UserUploadController) Post() { return } //Judge whether it is legal - if uploaddata.Token == "" { + /*if uploaddata.Token == "" { resp["errno"] = errcode.RecodeSessionErr resp["errmsg"] = errcode.RecodeText(errcode.RecodeSessionErr) resp["body"] = []ResultData{} @@ -182,7 +182,7 @@ func (u *UserUploadController) Post() { u.RetData(resp) return } - } + }*/ if uploaddata.CveData == nil || len(uploaddata.CveData) == 0 { resp["errno"] = errcode.RecodeNodata resp["errmsg"] = errcode.RecodeText(errcode.RecodeNodata) diff --git a/cve-vulner-manager/models/modeldb.go b/cve-vulner-manager/models/modeldb.go index 154a222..228bee4 100644 --- a/cve-vulner-manager/models/modeldb.go +++ b/cve-vulner-manager/models/modeldb.go @@ -391,6 +391,17 @@ type OriginUpstreamImpact struct { Impact string `orm:"size(32);column(impact);null" description:"包含v2,v3评分数据"` } +type OriginUpstreamPatch struct { + ID int64 `orm:"PK;auto;column(id)"` + OID string `orm:"size(256);column(o_id)" description:"OriginUpstream 外键"` + CveNum string `orm:"size(256);column(cve_num);index" description:"cve编号"` + Package string `orm:"size(256);column(package)" description:"影响的软件包"` + FixVersion string `orm:"size(64);column(fix_version)" description:"修复版本"` + FixPatch string `orm:"size(256);column(fix_patch)" description:"修复补丁"` + BreakPatch string `orm:"size(256);column(break_patch)" description:"问题引入补丁"` + Source string `orm:"size(64);column(source)" description:"来源"` +} + type OriginUpstreamImpactScore struct { ScoreId int64 `orm:"pk;auto;column(score_id)"` ImpactId int64 `orm:"index;column(impact_id)" description:"OriginUpstreamImpact 外键"` 
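Review bot: Commenting out the `uploaddata.Token == ""` block at @@ -164 removes the only session validation visible in `Post`, so any caller that reaches this handler can upload CVE data; the `}*/` at @@ -182 closes out the whole validation branch, not just the empty-token case. Patch 2/2 in this series reverts both hunks, which reads as a local debugging aid that was committed by accident; squash the two so no commit in history ships the endpoint without the check. If the check genuinely needs to be skipped for local testing, gate it behind an explicit config value rather than a block comment, so the bypass is visible in review. `Post` starts and ends outside the hunk.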
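Review bot: `OriginUpstreamPatch.OID` carries no index although every access path added in this series filters on `o_id` — `resetOriginPatch` deletes by `o_id, cve_num` and `QueryCveOriginPatchInfo` selects by `o_id` — so the `CveNum` index alone does not serve those queries. Add `index` to the `o_id` column tag (`orm:"size(256);column(o_id);index"`), or declare a composite `(o_id, cve_num)` index through the model's `TableIndex()` method. `size(256)` for `fix_patch` and `break_patch` may be tight if these fields hold full patch URLs; the upstream data is not visible here, so confirm against real payloads. The exported struct also has no doc comment.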
@@ -1054,7 +1065,7 @@ func CreateDb() bool { new(MindSporeBrandTags), new(OriginUpstreamRecord), new(OpenLookengSecurityReviewer), new(OpenLookengYaml), new(IssueCommunityStatistics), new(CommunityYamlConfig), - new(IssueDeleteRecord), new(AuthTokenInfo), + new(IssueDeleteRecord), new(AuthTokenInfo), new(OriginUpstreamPatch), ) logs.Info("table create success!") errosyn := orm.RunSyncdb("default", false, true) diff --git a/cve-vulner-manager/models/uploadcve.go b/cve-vulner-manager/models/uploadcve.go index c870a53..0deeb2f 100644 --- a/cve-vulner-manager/models/uploadcve.go +++ b/cve-vulner-manager/models/uploadcve.go @@ -73,7 +73,7 @@ func QueryOriginRepo(pkgName string) (GiteRepo, bool) { } } -func QueryOrgAllRepo(org string) ([]GiteRepo) { +func QueryOrgAllRepo(org string) []GiteRepo { o := orm.NewOrm() var gr []GiteRepo num, err := o.Raw("select * from cve_gite_repo where org_path = ? and status = ?", org, 0).QueryRows(&gr) @@ -228,6 +228,7 @@ func CreateOriginCve(CveData common.CveOriginData, ou *OriginUpstream, od *Origi o.Rollback() return 0, err } + od.CveId = num lod := OriginUpstreamDesc{CveId: num} o.Delete(&lod, "CveId") @@ -238,6 +239,11 @@ func CreateOriginCve(CveData common.CveOriginData, ou *OriginUpstream, od *Origi o.Rollback() return 0, err } + + if err := resetOriginPatch(&CveData, o, ou.Ids); err != nil { + logs.Error("reset origin patch fail", err) + } + ous.CveId = num lous := OriginUpstreamConfig{CveId: num} err := o.Read(&lous, "CveId") @@ -591,6 +597,11 @@ func CreateOriginCve(CveData common.CveOriginData, ou *OriginUpstream, od *Origi o.Rollback() return 0, err } + + if err := resetOriginPatch(&CveData, o, ou.Ids); err != nil { + logs.Error("reset origin patch fail", err) + } + num := ouse.CveId od.CveId = num lod := OriginUpstreamDesc{CveId: num} 
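Review bot: The `resetOriginPatch` failure at @@ -238 is only logged, while every neighbouring step in the same transaction does `o.Rollback()` and returns the error, so a failed patch rewrite still commits — and because the helper deletes before it inserts, the CVE is then left with no patch rows at all. The same pattern is repeated at @@ -591. Handle it like the surrounding code: `if err := resetOriginPatch(&CveData, o, ou.Ids); err != nil { o.Rollback(); return 0, err }`. If best-effort really is intended here, say so in a comment next to the log call so the asymmetry is not mistaken for an oversight. `CreateOriginCve` starts and ends outside the hunk.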
@@ -947,6 +958,58 @@ func CreateOriginCve(CveData common.CveOriginData, ou *OriginUpstream, od *Origi return 0, nil } +func resetOriginPatch(cveData *common.CveOriginData, o orm.Ormer, oid string) error { + if cveData == nil { + return nil + } + + delPatch := &OriginUpstreamPatch{OID: oid, CveNum: cveData.CveNum} + _, _ = o.Delete(delPatch, "o_id", "cve_num") + + if cveData.UpdateType == "delete" { + return nil + } + + var patches []OriginUpstreamPatch + for _, v := range cveData.Patch { + patches = append(patches, OriginUpstreamPatch{ + OID: oid, + CveNum: cveData.CveNum, + Package: v.Package, + FixVersion: v.FixVersion, + FixPatch: v.FixPatch, + BreakPatch: v.BreakPatch, + Source: v.Source, + }) + } + + bulk := len(patches) + if len(patches) == 0 { + return nil + } + + _, err := o.InsertMulti(bulk, patches) + + return err +} + +func QueryCveOriginPatchInfo(cveNum string) ([]OriginUpstreamPatch, error) { + if cveNum == "" { + return nil, nil + } + + sql := "select package,fix_version,fix_patch,break_patch,source from cve_origin_upstream_patch where o_id = ?" + o := orm.NewOrm() + var res []OriginUpstreamPatch + + _, err := o.Raw(sql, cveNum).QueryRows(&res) + if err != nil { + return nil, err + } + + return res, nil +} + func QueryCveErrorInfo(issueStatus int8, startDate, endDate string) ([]IssueTemplate, bool) { o := orm.NewOrm() var it []IssueTemplate diff --git a/cve-vulner-manager/taskhandler/common.go b/cve-vulner-manager/taskhandler/common.go index 2139195..649b5e8 100644 --- a/cve-vulner-manager/taskhandler/common.go +++ b/cve-vulner-manager/taskhandler/common.go @@ -57,6 +57,9 @@ const bodyTpl = `一、漏洞信息 %v 漏洞数据来源: %v + 漏洞补丁信息: + %s +
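Review bot: `QueryCveOriginPatchInfo` filters `where o_id = ?` with its `cveNum` argument, but `resetOriginPatch` stores the CVE number in `cve_num` and the caller's `ou.Ids` in `o_id`; unless `ou.Ids` happens to equal the CVE number (not visible here), the lookup returns nothing and every issue body will show the 无 placeholder. In `resetOriginPatch` the delete error is discarded with `_, _ =`, so a failed delete followed by a successful `InsertMulti` leaves duplicate rows; return it instead. `bulk` is computed before the empty check and then used once — reorder or drop the variable. A doc comment on the exported `QueryCveOriginPatchInfo` noting that it returns `nil, nil` for an empty CVE number would help callers tell "no patches" from "not asked".
```go
	delPatch := &OriginUpstreamPatch{OID: oid, CveNum: cveData.CveNum}
	if _, err := o.Delete(delPatch, "o_id", "cve_num"); err != nil {
		return err
	}
	// … unchanged: delete-type short-circuit and patches slice build …
	if len(patches) == 0 {
		return nil
	}
	_, err := o.InsertMulti(len(patches), patches)
	return err

// … unchanged: QueryCveOriginPatchInfo empty-argument guard …
	sql := "select package,fix_version,fix_patch,break_patch,source from cve_origin_upstream_patch where cve_num = ?"
```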

二、漏洞分析结构反馈 影响性分析说明: %v @@ -85,6 +88,8 @@ const bodyUpTpl = `一、漏洞信息 %v 漏洞数据来源: %v + 漏洞补丁信息: + %s 二、漏洞分析结构反馈 影响性分析说明: %v @@ -113,6 +118,8 @@ const bodySecLinkTpl = `一、漏洞信息 %v 漏洞数据来源: %v + 漏洞补丁信息: + %s 二、漏洞分析结构反馈 影响性分析说明: %v @@ -168,6 +175,8 @@ const gaussBodyTpl = `一、漏洞信息 %v 漏洞数据来源: %v + 漏洞补丁信息: + %s 二、漏洞分析结构反馈 影响性分析说明: %v @@ -194,6 +203,8 @@ const SporeBodyTpl = `一、漏洞信息 %v 漏洞数据来源: %v + 漏洞补丁信息: + %s 二、漏洞分析结构反馈 影响性分析说明: %v @@ -220,6 +231,8 @@ const gaussBodyUpTpl = `一、漏洞信息 %v 漏洞数据来源: %v + 漏洞补丁信息: + %s 二、漏洞分析结构反馈 影响性分析说明: %v @@ -247,6 +260,8 @@ const SporeBodyUpTpl = `一、漏洞信息 %v 漏洞数据来源: %v + 漏洞补丁信息: + %s 二、漏洞分析结构反馈 影响性分析说明: %v @@ -273,6 +288,8 @@ const LooKengBodyTpl = `一、漏洞信息 %v 漏洞数据来源: %v + 漏洞补丁信息: + %s 二、漏洞分析结构反馈 影响性分析说明: %v @@ -298,6 +315,8 @@ const LooKengBodyUpTpl = `一、漏洞信息 %v 漏洞数据来源: %v + 漏洞补丁信息: + %s 二、漏洞分析结构反馈 影响性分析说明: %v 
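Review bot: Each of the nine templates gains a `%s` verb after 漏洞数据来源, but only the `bodySecLinkTpl`/`bodyUpTplx`/`bodyTplx` call sites in `CreateIssueBody` are updated in this patch; whatever formats `gaussBodyTpl`, `SporeBodyTpl`, `gaussBodyUpTpl`, `SporeBodyUpTpl`, `LooKengBodyTpl` and `LooKengBodyUpTpl` is not in this diff, and if those `fmt.Sprintf` calls live in other files they now emit `%!s(MISSING)` and shift every later field by one. Run `go vet` (its printf check reports the verb/argument count mismatch) before merging. `bodyTpl` at @@ -57 also gets a third, blank, added line that the other eight templates do not, so its issue body carries an extra empty line; make the insert uniform across templates.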
@@ -945,16 +964,16 @@ func CreateIssueBody(accessToken, owner, path, assignee string, if its.Status == 3 && len(its.SecLink) > 3 && cve.OrganizationID == 1 { body = fmt.Sprintf(bodySecLinkTpl, cveNumber, cvePkg, cve.CveVersion, scoreType, nveScore, nveVector, cve.Description, cve.RepairTime, updateTime, cve.CveDetailUrl, commentCmd, holeSource(cve.DataSource), - cveAnalysis, openEulerScore, oVector, affectedVersion, abiVersion, its.SecLink) + genPatchInfo(cve.CveNum), cveAnalysis, openEulerScore, oVector, affectedVersion, abiVersion, its.SecLink) } else { if cve.OrganizationID == 1 { body = fmt.Sprintf(bodyUpTplx, cveNumber, cvePkg, cve.CveVersion, scoreType, nveScore, nveVector, cve.Description, cve.RepairTime, updateTime, cve.CveDetailUrl, commentCmd, holeSource(cve.DataSource), - cveAnalysis, openEulerScore, oVector, affectedVersion, abiVersion) + genPatchInfo(cve.CveNum), cveAnalysis, openEulerScore, oVector, affectedVersion, abiVersion) } else { body = fmt.Sprintf(bodyUpTplx, cveNumber, cveRepo, cve.CveVersion, scoreType, nveScore, nveVector, cve.Description, cve.RepairTime, updateTime, cve.CveDetailUrl, commentCmd, holeSource(cve.DataSource), - cveAnalysis, openEulerScore, oVector, affectedVersion) + genPatchInfo(cve.CveNum), cveAnalysis, openEulerScore, oVector, affectedVersion) } } requestBody = fmt.Sprintf(`{ 
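Review bot: `genPatchInfo(cve.CveNum)` is evaluated separately in every branch of the `Sprintf` ladder here and again in the hunks at @@ -975, @@ -1000, @@ -1025 and @@ -1055, so each path repeats the same database query and the same argument edit in a dozen places. Compute it once above the branches, `patchInfo := genPatchInfo(cve.CveNum)`, and pass `patchInfo` in each `Sprintf`; that also makes the argument position visibly line up with the `%s` the templates gained after 漏洞数据来源. `CreateIssueBody` starts and ends outside the hunk.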
@@ -975,11 +994,11 @@ func CreateIssueBody(accessToken, owner, path, assignee string, if cve.OrganizationID == 1 { body = fmt.Sprintf(bodyTplx, cveNumber, cvePkg, cve.CveVersion, scoreType, nveScore, nveVector, cve.Description, cve.RepairTime, updateTime, cve.CveDetailUrl, commentCmd, holeSource(cve.DataSource), - cveAnalysis, openEulerScore, affectedVersion, abiVersion) + genPatchInfo(cve.CveNum), cveAnalysis, openEulerScore, affectedVersion, abiVersion) } else { body = fmt.Sprintf(bodyTplx, cveNumber, cveRepo, cve.CveVersion, scoreType, nveScore, nveVector, cve.Description, cve.RepairTime, updateTime, cve.CveDetailUrl, commentCmd, holeSource(cve.DataSource), - cveAnalysis, openEulerScore, affectedVersion) + genPatchInfo(cve.CveNum), cveAnalysis, openEulerScore, affectedVersion) } requestBody = fmt.Sprintf(`{ "access_token": "%s", @@ -1000,11 +1019,11 @@ func CreateIssueBody(accessToken, owner, path, assignee string, if cve.OrganizationID == 1 { body = fmt.Sprintf(bodyTplx, cveNumber, cvePkg, cve.CveVersion, scoreType, nveScore, nveVector, cve.Description, cve.RepairTime, updateTime, cve.CveDetailUrl, commentCmd, holeSource(cve.DataSource), - cveAnalysis, openEulerScore, affectedVersion, abiVersion) + genPatchInfo(cve.CveNum), cveAnalysis, openEulerScore, affectedVersion, abiVersion) } else { body = fmt.Sprintf(bodyTplx, cveNumber, cveRepo, cve.CveVersion, scoreType, nveScore, nveVector, cve.Description, cve.RepairTime, updateTime, cve.CveDetailUrl, commentCmd, holeSource(cve.DataSource), - cveAnalysis, openEulerScore, affectedVersion) + genPatchInfo(cve.CveNum), cveAnalysis, openEulerScore, affectedVersion) } requestBody = fmt.Sprintf(`{ "access_token": "%s", 
@@ -1025,16 +1044,16 @@ func CreateIssueBody(accessToken, owner, path, assignee string, if its.Status == 3 && len(its.SecLink) > 3 && cve.OrganizationID == 1 { body = fmt.Sprintf(bodySecLinkTpl, cveNumber, cvePkg, cve.CveVersion, scoreType, nveScore, nveVector, cve.Description, cve.RepairTime, updateTime, cve.CveDetailUrl, commentCmd, holeSource(cve.DataSource), - cveAnalysis, openEulerScore, oVector, affectedVersion, abiVersion, its.SecLink) + genPatchInfo(cve.CveNum), cveAnalysis, openEulerScore, oVector, affectedVersion, abiVersion, its.SecLink) } else { if cve.OrganizationID == 1 { body = fmt.Sprintf(bodyUpTplx, cveNumber, cvePkg, cve.CveVersion, scoreType, nveScore, nveVector, cve.Description, cve.RepairTime, updateTime, cve.CveDetailUrl, commentCmd, holeSource(cve.DataSource), - cveAnalysis, openEulerScore, oVector, affectedVersion, abiVersion) + genPatchInfo(cve.CveNum), cveAnalysis, openEulerScore, oVector, affectedVersion, abiVersion) } else { body = fmt.Sprintf(bodyUpTplx, cveNumber, cveRepo, cve.CveVersion, scoreType, nveScore, nveVector, cve.Description, cve.RepairTime, updateTime, cve.CveDetailUrl, commentCmd, holeSource(cve.DataSource), - cveAnalysis, openEulerScore, oVector, affectedVersion) + genPatchInfo(cve.CveNum), cveAnalysis, openEulerScore, oVector, affectedVersion) } } requestBody = fmt.Sprintf(`{ 
@@ -1055,11 +1074,11 @@ func CreateIssueBody(accessToken, owner, path, assignee string, if cve.OrganizationID == 1 { body = fmt.Sprintf(bodyTplx, cveNumber, cvePkg, cve.CveVersion, scoreType, nveScore, nveVector, cve.Description, cve.RepairTime, updateTime, cve.CveDetailUrl, commentCmd, holeSource(cve.DataSource), - cveAnalysis, openEulerScore, affectedVersion, abiVersion) + genPatchInfo(cve.CveNum), cveAnalysis, openEulerScore, affectedVersion, abiVersion) } else { body = fmt.Sprintf(bodyTplx, cveNumber, cveRepo, cve.CveVersion, scoreType, nveScore, nveVector, cve.Description, cve.RepairTime, updateTime, cve.CveDetailUrl, commentCmd, holeSource(cve.DataSource), - cveAnalysis, openEulerScore, affectedVersion) + genPatchInfo(cve.CveNum), cveAnalysis, openEulerScore, affectedVersion) } requestBody = fmt.Sprintf(`{ "access_token": "%s", @@ -1084,6 +1103,42 @@ func holeSource(sourceCode int8) string { return "其它" } +func genPatchInfo(cveNum string) string { + tpl := `
+详情 + +%s +
` + + info, err := models.QueryCveOriginPatchInfo(cveNum) + if err != nil { + logs.Error("QueryCveOriginPatchInfo error: ", err) + } + + content := genPathInfoContent(info) + + return fmt.Sprintf(tpl, content) +} + +func genPathInfoContent(info []models.OriginUpstreamPatch) string { + if len(info) == 0 { + return "无" + } + + th := `| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源 | +| ------- | -------- | ------- | -------- | --------- | +` + tc := `| %s | %s | %s | %s | %s | +` + + table := th + for _, v := range info { + table = table + fmt.Sprintf(tc, v.Package, v.FixVersion, v.FixPatch, v.BreakPatch, v.Source) + } + + return table +} + func AffectVersion(affectedVersion string) int { affectBranchsxList := make([]string, 0) affectValue := make([]string, 0) -- Gitee From e5755b803c2aeeb4b837bc098bdcc19d9871746b Mon Sep 17 00:00:00 2001 From: xwzQmxx <1499273991@qq.com> Date: Tue, 17 May 2022 09:57:51 +0800 Subject: [PATCH 2/2] fix review --- cve-vulner-manager/controllers/upload.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cve-vulner-manager/controllers/upload.go b/cve-vulner-manager/controllers/upload.go index 35c40eb..48e9fac 100644 --- a/cve-vulner-manager/controllers/upload.go +++ b/cve-vulner-manager/controllers/upload.go @@ -164,7 +164,7 @@ func (u *UserUploadController) Post() { return } //Judge whether it is legal - /*if uploaddata.Token == "" { + if uploaddata.Token == "" { resp["errno"] = errcode.RecodeSessionErr resp["errmsg"] = errcode.RecodeText(errcode.RecodeSessionErr) resp["body"] = []ResultData{} @@ -182,7 +182,7 @@ func (u *UserUploadController) Post() { u.RetData(resp) return } - }*/ + } if uploaddata.CveData == nil || len(uploaddata.CveData) == 0 { resp["errno"] = errcode.RecodeNodata resp["errmsg"] = errcode.RecodeText(errcode.RecodeNodata) -- Gitee
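Review bot: `genPathInfoContent` interpolates `Package`, `FixVersion`, `FixPatch`, `BreakPatch` and `Source` straight into a Markdown table; these values arrive through the upload endpoint rather than from the repository, so a `|` or newline in any of them breaks the table and any Markdown or HTML they carry is rendered into the issue as-is. Escape cell contents before `Sprintf` (below; this assumes `strings` is already imported in the file, which is not visible here). `genPatchInfo` also maps a failed `QueryCveOriginPatchInfo` to the same 无 as "no patches", so a database error is invisible in the issue body — log and return a distinct marker, or propagate the error. Minor: the helper's name has a typo (`genPathInfoContent` → `genPatchInfoContent`), `table = table + ...` is the quadratic pattern a `strings.Builder` replaces, and the `<details>` wrapper in `tpl` appears to have lost its tags in this rendering, so check the template text in the actual file.
```go
	cell := func(s string) string {
		s = strings.ReplaceAll(s, "\n", " ")
		return strings.ReplaceAll(s, "|", "\\|")
	}
	table := th
	for _, v := range info {
		table = table + fmt.Sprintf(tc, cell(v.Package), cell(v.FixVersion), cell(v.FixPatch), cell(v.BreakPatch), cell(v.Source))
	}
```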