@paarthbhatt
Fixes #1410

Hey, this PR adds a new importer for Liferay security advisories. It crawls the Liferay security page to fetch CVEs, severity scores, and affected versions.

I've also added tests to verify the parsing logic. Let me know if anything needs changing!

Signed-off-by: Parth Bhatt <paarthbhatt37@gmail.com>
@TG1999
Contributor

TG1999 commented Nov 21, 2025

@paarthbhatt thank you so much for this PR.

https://github.com/aboutcode-org/vulnerablecode/tree/main/vulnerabilities/pipelines/v2_importers We are using these types of importer pipelines now. Can you adjust/migrate your code accordingly? Also see:

If you need any help, let us know. Thanks!

Also please run the importer on your system once and provide us logs. Thanks!

Signed-off-by: Parth Bhatt <paarthbhatt37@gmail.com>
@paarthbhatt
Author

Hey @TG1999, thanks for the feedback!

I've updated the code to use the new V2 pipeline architecture as requested. I also ran the importer locally to make sure it's working, and it successfully started collecting advisories.

Here's a snippet from my local logs:
INFO 2025-11-21 13:15:46.003014 UTC Collecting 1 advisories

I've also signed off on the commits to fix the DCO check. Let me know if you spot anything else!

Contributor

@TG1999 TG1999 left a comment

Some reviews for your consideration!

- Implement proper advisories_count with release link caching
- Remove redundant CVE ID from aliases field (advisory_id already contains it)
- Add URL cleaning comment with example
- Update tests to match corrected behavior

Signed-off-by: Parth Bhatt <paarthbhatt37@gmail.com>
@paarthbhatt
Author

paarthbhatt commented Nov 21, 2025

Hey @TG1999,

Sorry about those errors - you're absolutely right. I rushed through the initial implementation and didn't properly review the code before submitting. I've fixed all three issues now and pushed the changes. Tests are passing. Thanks for catching these and for your patience!

@paarthbhatt paarthbhatt requested a review from TG1999 November 21, 2025 17:45
@paarthbhatt
Author

Hi @TG1999, I'm facing a bit of a problem here. My importer is working - it's successfully scraping and storing 59 advisories with CVE IDs, descriptions, severities, and references. The issue is just that the affected package version information isn't being converted to PackageV2 objects due to the version range format issue.
When I check the database after running the importer:
AdvisoryV2.objects.count() = 59
PackageV2.objects.count() = 0
This means the packages don't show up in search results on the web interface.

Development

Successfully merging this pull request may close these issues.

Add Liferay advisories