fix: source vulnerability version ranges from Socket field names

Author: flowstate

socketsecurity/fossa_compat.py

@@ -132,26 +132,19 @@ def _extract_string_list(*values: Any) -> list[str]:
 
 
 def _build_remediation(props: dict[str, Any]) -> dict[str, Any]:
-    partial_fix = _first_non_empty(
+    fix = _first_non_empty(
+        props.get("firstPatchedVersionIdentifier"),
         props.get("partialFix"),
-        props.get("fixedVersion"),
-        props.get("fixed_version"),
-        props.get("patchedVersion"),
-        props.get("patched_version"),
-        props.get("range"),
-    )
-    complete_fix = _first_non_empty(
         props.get("completeFix"),
         props.get("fixedVersion"),
         props.get("fixed_version"),
         props.get("patchedVersion"),
         props.get("patched_version"),
-        props.get("range"),
     )
     return {
-        "partialFix": partial_fix,
+        "partialFix": fix,
         "partialFixDistance": props.get("partialFixDistance"),
-        "completeFix": complete_fix,
+        "completeFix": fix,
         "completeFixDistance": props.get("completeFixDistance"),
     }
 
@@ -230,8 +223,16 @@ def _build_vulnerability_entry(
         "cveStatus": props.get("cveStatus"),
         "cwes": _extract_string_list(props.get("cwes"), props.get("cwe")),
         "published": props.get("published"),
-        "affectedVersionRanges": _extract_string_list(props.get("affectedVersionRanges"), props.get("affected_versions")),
-        "patchedVersionRanges": _extract_string_list(props.get("patchedVersionRanges"), props.get("patched_versions")),
+        "affectedVersionRanges": _extract_string_list(
+            props.get("affectedVersionRanges"),
+            props.get("vulnerableVersionRange"),
+            props.get("affected_versions"),
+        ),
+        "patchedVersionRanges": _extract_string_list(
+            props.get("patchedVersionRanges"),
+            props.get("firstPatchedVersionIdentifier"),
+            props.get("patched_versions"),
+        ),
         "references": _extract_references(issue, props),
         "cvssVector": props.get("cvssVector"),
         "exploitability": props.get("exploitability"),

tests/unit/test_fossa_compat.py

@@ -235,3 +235,39 @@ def test_analyze_payload_empty_diff_yields_empty_arrays():
     assert payload["vulnerability"] == []
     assert payload["licensing"] == []
     assert payload["quality"] == []
+
+
+def test_vulnerability_version_ranges_sourced_from_socket_fields():
+    """affectedVersionRanges/patchedVersionRanges come from Socket's singular fields, wrapped."""
+    from socketsecurity.fossa_compat import _build_vulnerability_entry
+    issue = Issue(
+        type="criticalCVE",
+        severity="high",
+        key="CVE-2024-12345_pip+requests",
+        pkg_type="pypi",
+        pkg_name="requests",
+        pkg_version="2.30.0",
+        props={
+            "ghsaId": "GHSA-aaaa-bbbb-cccc",
+            "cveId": "CVE-2024-12345",
+            "cvss": 7.5,
+            "vulnerableVersionRange": ">=2.0.0,<2.31.1",
+            "firstPatchedVersionIdentifier": "2.31.1",
+            "cwes": ["CWE-200"],
+        },
+    )
+    package = Package(
+        type="pypi",
+        name="requests",
+        version="2.30.0",
+        id="pip+requests$2.30.0",
+        score={},
+        alerts=[],
+        direct=True,
+    )
+    project = {"branch": "main", "id": "acme$x", "project": "acme", "projectId": "acme", "revision": "x", "url": "u"}
+    entry = _build_vulnerability_entry(issue, package, project, index=1)
+    assert entry["affectedVersionRanges"] == [">=2.0.0,<2.31.1"]
+    assert entry["patchedVersionRanges"] == ["2.31.1"]
+    assert entry["remediation"]["partialFix"] == "2.31.1"
+    assert entry["remediation"]["completeFix"] == "2.31.1"