fix: ensure that affected entries are in order before comparing (#198)

G-Rath · web-flow · commit e20e64232091 · 2023-08-19T12:19:05.000+12:00
* fix: ensure that affected entries are sorted before comparing

* fix: sort "introduced 0" events before any other version
diff --git a/pkg/database/osv.go b/pkg/database/osv.go
@@ -8,6 +8,7 @@ import (
 	"github.com/g-rath/osv-detector/pkg/semantic"
 	"os"
 	"regexp"
+	"sort"
 	"strings"
 	"time"
 	"unicode"
@@ -58,6 +59,22 @@ type AffectsRange struct {
 	Events []RangeEvent     `json:"events"`
 }
 
+func (e RangeEvent) version() string {
+	if e.Introduced != "" {
+		return e.Introduced
+	}
+
+	if e.Fixed != "" {
+		return e.Fixed
+	}
+
+	if e.LastAffected != "" {
+		return e.LastAffected
+	}
+
+	return ""
+}
+
 func (ar AffectsRange) containsVersion(pkg internal.PackageDetails) bool {
 	if ar.Type != TypeEcosystem && ar.Type != TypeSemver {
 		return false
@@ -69,6 +86,21 @@ func (ar AffectsRange) containsVersion(pkg internal.PackageDetails) bool {
 
 	vp := semantic.MustParse(pkg.Version, pkg.CompareAs)
 
+	sort.Slice(ar.Events, func(i, j int) bool {
+		a := ar.Events[i]
+		b := ar.Events[j]
+
+		if a.Introduced == "0" {
+			return true
+		}
+
+		if b.Introduced == "0" {
+			return false
+		}
+
+		return semantic.MustParse(a.version(), pkg.CompareAs).CompareStr(b.version()) < 0
+	})
+
 	var affected bool
 	for _, e := range ar.Events {
 		if affected {
diff --git a/pkg/database/osv_test.go b/pkg/database/osv_test.go
@@ -27,6 +27,10 @@ func expectIsAffected(t *testing.T, osv database.OSV, version string, expectAffe
 	}
 
 	if osv.IsAffected(pkg) != expectAffected {
+		if version == "" {
+			version = "<empty>"
+		}
+
 		if expectAffected {
 			t.Errorf("Expected OSV to affect package version %s but it did not", version)
 		} else {
@@ -280,6 +284,40 @@ func TestOSV_IsAffected_AffectsWithEcosystem_SingleAffected(t *testing.T) {
 	// an empty version should always be treated as affected
 	expectIsAffected(t, osv, "", true)
 
+	// multiple fixes and introduced, shuffled
+	osv = buildOSVWithAffected(
+		database.Affected{
+			Package: database.Package{Ecosystem: lockfile.NpmEcosystem, Name: "my-package"},
+			Ranges: []database.AffectsRange{
+				buildEcosystemAffectsRange(
+					database.RangeEvent{Introduced: "0"},
+					database.RangeEvent{Introduced: "2.1.0"},
+					database.RangeEvent{Fixed: "3.2.0"},
+					database.RangeEvent{Fixed: "1"},
+				),
+			},
+		},
+	)
+
+	for _, v := range []string{"0.0.0", "0.1.0", "0.0.0.1", "1.0.0-rc"} {
+		expectIsAffected(t, osv, v, true)
+	}
+
+	for _, v := range []string{"1.0.0", "1.1.0", "2.0.0rc2", "2.0.1"} {
+		expectIsAffected(t, osv, v, false)
+	}
+
+	for _, v := range []string{"2.1.1", "2.3.4", "3.0.0", "3.0.0-rc"} {
+		expectIsAffected(t, osv, v, true)
+	}
+
+	for _, v := range []string{"3.2.0", "3.2.1", "4.0.0"} {
+		expectIsAffected(t, osv, v, false)
+	}
+
+	// an empty version should always be treated as affected
+	expectIsAffected(t, osv, "", true)
+
 	// "LastAffected: 1" means all versions after this are not vulnerable
 	osv = buildOSVWithAffected(
 		database.Affected{
@@ -337,6 +375,40 @@ func TestOSV_IsAffected_AffectsWithEcosystem_SingleAffected(t *testing.T) {
 
 	// an empty version should always be treated as affected
 	expectIsAffected(t, osv, "", true)
+
+	// mix of fixes, last_known_affected, and introduced, shuffled
+	osv = buildOSVWithAffected(
+		database.Affected{
+			Package: database.Package{Ecosystem: lockfile.NpmEcosystem, Name: "my-package"},
+			Ranges: []database.AffectsRange{
+				buildEcosystemAffectsRange(
+					database.RangeEvent{Introduced: "0"},
+					database.RangeEvent{Introduced: "2.1.0"},
+					database.RangeEvent{Fixed: "1"},
+					database.RangeEvent{LastAffected: "3.1.9"},
+				),
+			},
+		},
+	)
+
+	for _, v := range []string{"0.0.0", "0.1.0", "0.0.0.1", "1.0.0-rc"} {
+		expectIsAffected(t, osv, v, true)
+	}
+
+	for _, v := range []string{"1.0.0", "1.1.0", "2.0.0rc2", "2.0.1"} {
+		expectIsAffected(t, osv, v, false)
+	}
+
+	for _, v := range []string{"2.1.1", "2.3.4", "3.0.0", "3.0.0-rc", "3.1.9"} {
+		expectIsAffected(t, osv, v, true)
+	}
+
+	for _, v := range []string{"3.2.0", "3.2.1", "4.0.0"} {
+		expectIsAffected(t, osv, v, false)
+	}
+
+	// an empty version should always be treated as affected
+	expectIsAffected(t, osv, "", true)
 }
 
 func TestOSV_IsAffected_AffectsWithEcosystem_MultipleAffected(t *testing.T) {
@@ -394,6 +466,95 @@ func TestOSV_IsAffected_AffectsWithEcosystem_MultipleAffected(t *testing.T) {
 
 	// an empty version should always be treated as affected
 	expectIsAffected(t, osv, "", true)
+
+	// shuffled
+	osv = buildOSVWithAffected(
+		database.Affected{
+			Package: database.Package{Ecosystem: lockfile.NpmEcosystem, Name: "my-package"},
+			Ranges: []database.AffectsRange{
+				buildEcosystemAffectsRange(
+					database.RangeEvent{Fixed: "1"},
+					database.RangeEvent{Introduced: "0"},
+				),
+			},
+		},
+		database.Affected{
+			Package: database.Package{Ecosystem: lockfile.NpmEcosystem, Name: "my-package"},
+			Ranges: []database.AffectsRange{
+				buildEcosystemAffectsRange(
+					database.RangeEvent{Fixed: "3.2.0"},
+					database.RangeEvent{Introduced: "2.1.0"},
+				),
+			},
+		},
+		database.Affected{
+			Package: database.Package{Ecosystem: lockfile.NpmEcosystem, Name: "my-package"},
+			Ranges: []database.AffectsRange{
+				buildEcosystemAffectsRange(
+					database.RangeEvent{LastAffected: "3.5.0"},
+					database.RangeEvent{Introduced: "3.3.0"},
+				),
+			},
+		},
+	)
+
+	for _, v := range []string{"0.0.0", "0.1.0", "0.0.0.1", "1.0.0-rc"} {
+		expectIsAffected(t, osv, v, true)
+	}
+
+	for _, v := range []string{"1.0.0", "1.1.0", "2.0.0rc2", "2.0.1"} {
+		expectIsAffected(t, osv, v, false)
+	}
+
+	for _, v := range []string{"2.1.1", "2.3.4", "3.0.0", "3.0.0-rc"} {
+		expectIsAffected(t, osv, v, true)
+	}
+
+	for _, v := range []string{"3.2.0", "3.2.1", "4.0.0"} {
+		expectIsAffected(t, osv, v, false)
+	}
+
+	for _, v := range []string{"3.3.1", "3.4.5"} {
+		expectIsAffected(t, osv, v, true)
+	}
+
+	// an empty version should always be treated as affected
+	expectIsAffected(t, osv, "", true)
+
+	// zeros with build strings
+	osv = buildOSVWithAffected(
+		database.Affected{
+			// golang.org/x/sys
+			Package: database.Package{Ecosystem: lockfile.NpmEcosystem, Name: "my-package"},
+			Ranges: []database.AffectsRange{
+				buildEcosystemAffectsRange(
+					database.RangeEvent{Fixed: "0.0.0-20220412211240-33da011f77ad"},
+					database.RangeEvent{Introduced: "0"},
+				),
+			},
+		},
+		database.Affected{
+			// golang.org/x/net
+			Package: database.Package{Ecosystem: lockfile.NpmEcosystem, Name: "my-package"},
+			Ranges: []database.AffectsRange{
+				buildEcosystemAffectsRange(
+					database.RangeEvent{Introduced: "0.0.0-20180925071336-cf3bd585ca2a"},
+					database.RangeEvent{Fixed: "0"},
+				),
+			},
+		},
+	)
+
+	for _, v := range []string{"0.0.0", "0.14.0"} {
+		expectIsAffected(t, osv, v, false)
+	}
+
+	for _, v := range []string{"0.0.0-20180925071336-cf3bd585ca2a"} {
+		expectIsAffected(t, osv, v, true)
+	}
+
+	// an empty version should always be treated as affected
+	expectIsAffected(t, osv, "", true)
 }
 
 func TestOSV_IsAffected_AffectsWithEcosystem_PipNamesAreNormalised(t *testing.T) {
@@ -540,6 +701,40 @@ func TestOSV_IsAffected_AffectsWithSemver_SingleAffected(t *testing.T) {
 	// an empty version should always be treated as affected
 	expectIsAffected(t, osv, "", true)
 
+	// multiple fixes and introduced, shuffled
+	osv = buildOSVWithAffected(
+		database.Affected{
+			Package: database.Package{Ecosystem: lockfile.NpmEcosystem, Name: "my-package"},
+			Ranges: []database.AffectsRange{
+				buildSemverAffectsRange(
+					database.RangeEvent{Fixed: "1"},
+					database.RangeEvent{Fixed: "3.2.0"},
+					database.RangeEvent{Introduced: "0"},
+					database.RangeEvent{Introduced: "2.1.0"},
+				),
+			},
+		},
+	)
+
+	for _, v := range []string{"0.0.0", "0.1.0", "0.0.0.1", "1.0.0-rc"} {
+		expectIsAffected(t, osv, v, true)
+	}
+
+	for _, v := range []string{"1.0.0", "1.1.0", "2.0.0rc2", "2.0.1"} {
+		expectIsAffected(t, osv, v, false)
+	}
+
+	for _, v := range []string{"2.1.1", "2.3.4", "3.0.0", "3.0.0-rc"} {
+		expectIsAffected(t, osv, v, true)
+	}
+
+	for _, v := range []string{"3.2.0", "3.2.1", "4.0.0"} {
+		expectIsAffected(t, osv, v, false)
+	}
+
+	// an empty version should always be treated as affected
+	expectIsAffected(t, osv, "", true)
+
 	// "LastAffected: 1" means all versions after this are not vulnerable
 	osv = buildOSVWithAffected(
 		database.Affected{
@@ -594,6 +789,40 @@ func TestOSV_IsAffected_AffectsWithSemver_SingleAffected(t *testing.T) {
 
 	// an empty version should always be treated as affected
 	expectIsAffected(t, osv, "", true)
+
+	// mix of fixes, last_known_affected, and introduced, shuffled
+	osv = buildOSVWithAffected(
+		database.Affected{
+			Package: database.Package{Ecosystem: lockfile.NpmEcosystem, Name: "my-package"},
+			Ranges: []database.AffectsRange{
+				buildSemverAffectsRange(
+					database.RangeEvent{Introduced: "2.1.0"},
+					database.RangeEvent{Introduced: "0"},
+					database.RangeEvent{LastAffected: "3.1.9"},
+					database.RangeEvent{Fixed: "1"},
+				),
+			},
+		},
+	)
+
+	for _, v := range []string{"0.0.0", "0.1.0", "0.0.0.1", "1.0.0-rc"} {
+		expectIsAffected(t, osv, v, true)
+	}
+
+	for _, v := range []string{"1.0.0", "1.1.0", "2.0.0rc2", "2.0.1"} {
+		expectIsAffected(t, osv, v, false)
+	}
+
+	for _, v := range []string{"2.1.1", "2.3.4", "3.0.0", "3.0.0-rc"} {
+		expectIsAffected(t, osv, v, true)
+	}
+
+	for _, v := range []string{"3.2.0", "3.2.1", "4.0.0"} {
+		expectIsAffected(t, osv, v, false)
+	}
+
+	// an empty version should always be treated as affected
+	expectIsAffected(t, osv, "", true)
 }
 
 func TestOSV_IsAffected_AffectsWithSemver_MultipleAffected(t *testing.T) {
