diff --git a/vulnerabilities/pipelines/enhance_with_exploitdb.py b/vulnerabilities/pipelines/enhance_with_exploitdb.py
index 70f7b4886..038215dc1 100644
--- a/vulnerabilities/pipelines/enhance_with_exploitdb.py
+++ b/vulnerabilities/pipelines/enhance_with_exploitdb.py
@@ -128,13 +128,19 @@ def add_exploit_references(ref_id, direct_url, path, vul_id, logger):
         "direct_url": direct_url,
     }
 
+    MAX_REF_LEN = 200
+    if ref_id and len(ref_id) > MAX_REF_LEN:
+        safe_ref_id = ref_id[:MAX_REF_LEN] + "..."
+    else:
+        safe_ref_id = ref_id
+
     for key, url in url_map.items():
         if url:
             try:
                 ref, created = VulnerabilityReference.objects.update_or_create(
                     url=url,
                     defaults={
-                        "reference_id": ref_id,
+                        "reference_id": safe_ref_id,
                         "reference_type": VulnerabilityReference.EXPLOIT,
                     },
                 )
diff --git a/vulnerabilities/tests/pipelines/test_enhance_with_exploitdb.py b/vulnerabilities/tests/pipelines/test_enhance_with_exploitdb.py
index 1b47591ba..1919b6bc6 100644
--- a/vulnerabilities/tests/pipelines/test_enhance_with_exploitdb.py
+++ b/vulnerabilities/tests/pipelines/test_enhance_with_exploitdb.py
@@ -60,3 +60,29 @@ def test_invalid_exploit_db_improver(mock_get):
     status, _ = improver.execute()
     assert status == 0
     assert Exploit.objects.count() == 0
+@pytest.mark.django_db
+@mock.patch("requests.get")
+def test_reference_id_is_truncated_with_ellipsis(mock_get):
+    mock_response = Mock(status_code=200)
+
+    with open(TEST_DATA, "r") as f:
+        data = f.read()
+
+    # make long exploit id/reference text
+    data = data.replace("CVE-2009-3699", "A" * 300)
+
+    mock_response.text = data
+    mock_get.return_value = mock_response
+
+    v1 = Vulnerability.objects.create(vulnerability_id="VCIO-123-2002")
+    v1.save()
+
+    Alias.objects.create(alias="A" * 300, vulnerability=v1)
+
+    improver = ExploitDBImproverPipeline()
+    improver.execute()
+
+    exploit = Exploit.objects.first()
+    assert exploit is not None
+    assert len(exploit.reference_id) <= 200
+    assert exploit.reference_id.endswith("...")
\ No newline at end of file
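Review bot: The truncation in the new `if` branch produces a value longer than the limit it is meant to enforce: `ref_id[:MAX_REF_LEN] + "..."` is 203 characters, so if `MAX_REF_LEN` mirrors the column's `max_length` of 200 the stored `reference_id` is still over-length, which SQLite will accept silently and a backend that enforces varchar lengths will reject. The ellipsis has to come out of the budget, `safe_ref_id = ref_id[:MAX_REF_LEN - len("...")] + "..."`, and it would be safer to derive the limit from the model rather than a function-local literal, e.g. `MAX_REF_LEN = VulnerabilityReference._meta.get_field("reference_id").max_length`, so the two cannot drift apart. Since `ref_id` comes from an externally fetched feed and truncation discards part of an identifier, consider recording it with the `logger` the function already receives, `logger(f"Truncating reference_id longer than {MAX_REF_LEN}: {ref_id[:40]}...")`, adapted to however `logger` is called elsewhere in this function. The body of `add_exploit_references` starts and ends outside this hunk.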
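Review bot: The new test asserts on `Exploit.objects.first().reference_id`, but the production change in the first hunk truncates the `reference_id` written to `VulnerabilityReference`; unless `Exploit.reference_id` is populated from the same truncated value somewhere outside the hunk, the test does not exercise the new branch and would pass or fail for unrelated reasons. Adding a check on the model that actually changed, e.g. `assert all(len(r.reference_id) <= 200 for r in VulnerabilityReference.objects.all())` (importing `VulnerabilityReference` if the test module does not already), would pin the intended behaviour. As a matter of style, the new test is glued to the previous one with no blank lines before `@pytest.mark.django_db`, the `"A" * 300` literal is repeated and could be a local such as `long_id = "A" * 300`, `v1.save()` after `Vulnerability.objects.create(...)` is redundant, and the file now ends without a trailing newline.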