Don't throw an exception when a Trivy JSON file contains vulnerabilit…

…ies without fixed version information.

Fixes #10606.

components/collector/src/source_collectors/trivy/security_warnings.py

@@ -80,7 +80,7 @@ def _parse_json(self, json: JSON, filename: str) -> Entities:
                         level=vulnerability["Severity"],
                         package_name=package_name,
                         installed_version=vulnerability["InstalledVersion"],
-                        fixed_version=vulnerability["FixedVersion"],
+                        fixed_version=vulnerability.get("FixedVersion", ""),
                         url=vulnerability["References"][0],  # Assume the 1st link is at least as relevant as the others
                     ),
                 )

components/collector/tests/source_collectors/trivy/test_security_warnings.py

@@ -45,6 +45,15 @@ def vulnerabilities_json(self, schema_version: int = 1):
                             "https://lists.apache.org/thread.html",
                         ],
                     },
+                    {
+                        "VulnerabilityID": "CVE-2024-5432",
+                        "PkgName": "python",
+                        "InstalledVersion": "3.13.1",
+                        "Title": "Vulnerability without fixed version",
+                        "Description": "This vulnerability has no fixed version field.",
+                        "Severity": "LOW",
+                        "References": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5432"],
+                    },
                 ],
             },
         ]
@@ -77,14 +86,25 @@ def expected_entities(self):
                 "fixed_version": "",
                 "url": "https://curl.haxx.se/docs/CVE-2019-3822.html",
             },
+            {
+                "key": "CVE-2024-5432@python@trivy-ci-test (alpine 3_7_1)",
+                "vulnerability_id": "CVE-2024-5432",
+                "title": "Vulnerability without fixed version",
+                "description": "This vulnerability has no fixed version field.",
+                "level": "LOW",
+                "package_name": "python",
+                "installed_version": "3.13.1",
+                "fixed_version": "",
+                "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5432",
+            },
         ]
 
     async def test_warnings(self):
         """Test the number of security warnings."""
         for schema_version in self.SCHEMA_VERSIONS:
             with self.subTest(schema_version=schema_version):
                 response = await self.collect(get_request_json_return_value=self.vulnerabilities_json(schema_version))
-                self.assert_measurement(response, value="2", entities=self.expected_entities())
+                self.assert_measurement(response, value="3", entities=self.expected_entities())
 
     async def test_warning_levels(self):
         """Test the number of security warnings when specifying a level."""
@@ -108,4 +128,4 @@ async def test_fix_not_available(self):
         for schema_version in self.SCHEMA_VERSIONS:
             with self.subTest(schema_version=schema_version):
                 response = await self.collect(get_request_json_return_value=self.vulnerabilities_json(schema_version))
-                self.assert_measurement(response, value="1", entities=[self.expected_entities()[1]])
+                self.assert_measurement(response, value="2", entities=self.expected_entities()[1:])

docs/src/changelog.md

@@ -14,6 +14,10 @@ If your currently installed *Quality-time* version is not the latest version, pl
 
 ## [Unreleased]
 
+### Fixed
+
+- Don't throw an exception when a Trivy JSON file contains vulnerabilities without fixed version information. Fixes [#10606](https://github.com/ICTU/quality-time/issues/10606).
+
 ### Added
 
 - When measuring missing metrics, make the subject type and the metric type of the missing metrics link to the reference documentation. Closes [#10528](https://github.com/ICTU/quality-time/issues/10528).