Include notes in the CVEs text field search (#158)

canonical · Jun 27, 2024 · 0b9485a · 0b9485a
1 parent a93d5e4
commit 0b9485a
Show file tree

Hide file tree

Showing 6 changed files with 32 additions and 6 deletions.
diff --git a/scripts/generate-sample-security-data.py b/scripts/generate-sample-security-data.py
@@ -41,7 +41,7 @@
                 published=datetime.now(),
                 description="",
                 ubuntu_description="",
-                notes={},
+                notes=[],
                 priority="unknown",
                 cvss3=2.3,
                 mitigation="",

diff --git a/scripts/payloads/cves.json b/scripts/payloads/cves.json
@@ -27,7 +27,6 @@
                 "impactScore": 5.9
             }
         },
-        "notes": [],
         "packages": [
             {
                 "debian": "https://tracker.debian.org/pkg/chromium-browser",

diff --git a/tests/fixtures/models.py b/tests/fixtures/models.py
@@ -28,7 +28,12 @@ def make_models():
         published=datetime.now(),
         description="",
         ubuntu_description="",
-        notes={},
+        notes=[
+            {
+                "author": "mysql",
+                "note": "mysql-1.2 is not affected by this CVE",
+            }
+        ],
         priority="critical",
         cvss3=2.3,
         impact={},

diff --git a/tests/test_routes.py b/tests/test_routes.py
@@ -1083,6 +1083,18 @@ def test_delete_release(self):
         )
         assert response.status_code == 200
 
+    def test_cves_query_notes(self):
+        """
+        Query text field should include notes
+        """
+        # Act
+        response = self.client.get("/security/cves.json?q=sql")
+
+        # Assert
+        assert response.status_code == 200
+        assert response.json["total_results"] == 1
+        assert len(response.json["cves"]) == 1
+
 
 if __name__ == "__main__":
     unittest.main()
diff --git a/webapp/models.py b/webapp/models.py
@@ -57,7 +57,7 @@ class CVE(db.Model):
     updated_at = Column(
         DateTime(timezone=True), server_default=func.now(), onupdate=func.now()
     )
-    notes = Column(JSON)
+    notes = Column(JSON)  # JSON array
     codename = Column(String)
     priority = Column(
         Enum(

diff --git a/webapp/views.py b/webapp/views.py
@@ -1,13 +1,13 @@
+import dateutil
 from collections import defaultdict
 from datetime import datetime
 from distutils.util import strtobool
 
 from flask import make_response, jsonify, request
 from flask_apispec import marshal_with, use_kwargs
-from sqlalchemy import desc, or_, and_, case, asc
+from sqlalchemy import desc, or_, and_, case, asc, text
 from sqlalchemy.exc import DataError, IntegrityError
 from sqlalchemy.orm import load_only, selectinload, Query
-import dateutil
 
 from webapp.app import db
 from webapp.auth import authorization_required
@@ -115,6 +115,16 @@ def get_cves(**kwargs):
                 CVE.ubuntu_description.ilike(f"%{query}%"),
                 CVE.codename.ilike(f"%{query}%"),
                 CVE.mitigation.ilike(f"%{query}%"),
+                # search through notes
+                text(
+                    """
+                    EXISTS (
+                      SELECT 1 FROM json_array_elements(notes) AS note
+                      WHERE note->>'note' ilike :query
+                      OR note->>'author' ilike :query
+                    )
+                    """
+                ).params(query=f"%{query}%"),
             )
         )