Parsing of the introduced version in OSV is not working as expected. This bug was discovered by @keshav-space at #2017 (review). See the example below:
```python
In [1]: from vulnerabilities.importers import osv

In [2]: raw_data = {
   ...:     "schema_version": "1.4.0",
   ...:     "id": "GHSA-2hjr-vmf3-xwvp",
   ...:     "aliases": [
   ...:         "CVE-2023-49921"
   ...:     ],
   ...:     "summary": "summary",
   ...:     "details": "details",
   ...:     "severity": [],
   ...:     "affected": [
   ...:         {
   ...:             "package": {"ecosystem": "Maven", "name": "org.elasticsearch:elasticsearch"},
   ...:             "ranges": [
   ...:                 {
   ...:                     "type": "ECOSYSTEM",
   ...:                     "events": [
   ...:                         {"introduced": "0"},
   ...:                         {"fixed": "7.17.16"}
   ...:                     ]
   ...:                 }
   ...:             ]
   ...:         },
   ...:         {
   ...:             "package": {"ecosystem": "Maven", "name": "org.elasticsearch:elasticsearch"},
   ...:             "ranges": [
   ...:                 {
   ...:                     "type": "ECOSYSTEM",
   ...:                     "events": [
   ...:                         {"introduced": "8.0.0"},
   ...:                         {"fixed": "8.11.2"}
   ...:                     ]
   ...:                 }
   ...:             ]
   ...:         }
   ...:     ],
   ...:     "references": []
   ...: }

In [3]: advisory_url = "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-2hjr-vmf3-xwvp/GHSA-2hjr-vmf3-xwvp.json"

In [4]: supported_ecosystems = ["maven"]

In [5]: advisory_text = ""

In [6]: adv = osv.parse_advisory_data_v2(raw_data, supported_ecosystems, advisory_url, advisory_text)

In [7]: len(adv.affected_packages)
Out[7]: 2

In [8]: af1 = adv.affected_packages[0]

In [9]: af2 = adv.affected_packages[1]

In [10]: str(af1.affected_version_range)
Out[10]: 'None'

In [11]: str(af1.fixed_version_range)
Out[11]: 'vers:maven/7.17.16'

In [12]: str(af2.affected_version_range)
Out[12]: 'None'

In [13]: str(af2.fixed_version_range)
Out[13]: 'vers:maven/8.11.2'
```
In the above example, af2.affected_version_range shouldn't be None; we are completely missing 8.0.0.
Additionally, we should process fixed versions individually, either ingesting them or skipping only the invalid entries instead of discarding the entire list.
@TG1999 Reference: #2017 (comment)
> `Invalid VersionRange for affected_pkg: ['0.8', '0.9', '0.9.3', '0.9.4', '0.9.5', '0.9.6', '0.9.7', '0.9.8', '0.9.9', '2.0.1', '2.0.1rc1', '2.0.1rc2-git', '2.0.1rc3', '2.0.1rc4', '2.0.2', '2.0.3', '2.0.4', '2.0.5', '2.0b4', '2.0b5', '2.0b6', '2.0b7', '2.0b8', '2.0b9', '3.0.0', '3.0.0b1', '3.0.0b2', '3.0.1', '3.0.2', '3.0.3', '3.0.4', '3.0.5', '3.1', '3.2', '3.2.1', '3.2.2', '3.2.3', '3.2.4', '3.2.5', '3.3', '3.4', '3.4.1', '3.4.2', '3.4.3', '3.4.4', '3.4.5', '3.5', '3.5b1', '3.6', '3.6.1', '3.6.2', '3.6.3', '3.6.4'] for OSV id: 'PYSEC-2021-859': error:InvalidVersion("'2.0.1rc2-git' is not a valid <class 'univers.versions.PypiVersion'>")`
>
> One of the list might not be a valid version, but all others are valid, are we ingesting them or skipping whole list if we can't ingest one.
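The block below is an added illustration of the two behaviours discussed above; it is not VulnerableCode's own code and not part of #2017. It walks the OSV `ranges[].events` of the constructed sample (shaped like the GHSA record quoted in the issue), turns `introduced`/`fixed`/`last_affected` into vers constraints so that `introduced: "0"` yields only an upper bound while `introduced: "8.0.0"` keeps its lower bound, and then validates fixed versions one at a time so that a single unparsable entry such as `2.0.1rc2-git` is skipped rather than discarding the whole list. The vers strings are assembled by hand (no `univers` import), and `looks_like_pypi_version` is a simplified stand-in for a real PyPI version parser; both are assumptions of this example, not the project's API.

```python
"""Added example, not VulnerableCode's own code: walk OSV "ranges[].events"
and build one affected range plus one fixed-version list per range, then
ingest fixed versions one at a time so a single unparsable entry is skipped
rather than dropping the whole list. The vers strings are built by hand
(no univers dependency); the version validator is a simplified stand-in."""
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample shaped like the GHSA-2hjr-vmf3-xwvp record quoted in the issue.
OSV_AFFECTED = [
    {
        "package": {"ecosystem": "Maven", "name": "org.elasticsearch:elasticsearch"},
        "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "7.17.16"}]}],
    },
    {
        "package": {"ecosystem": "Maven", "name": "org.elasticsearch:elasticsearch"},
        "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "8.0.0"}, {"fixed": "8.11.2"}]}],
    },
]


def events_to_constraints(events: List[Dict[str, str]]) -> List[str]:
    """Map OSV events to vers constraints.

    In the OSV schema 'introduced' opens an interval (inclusive), 'fixed' closes
    it exclusively and 'last_affected' closes it inclusively. The special value
    '0' means "from the first version ever", so it contributes no lower bound:
    the first sample range ends up with only an upper bound, while the second
    must keep '>=8.0.0'.
    """
    constraints = []
    for event in events:
        if "introduced" in event:
            if event["introduced"] != "0":
                constraints.append(f">={event['introduced']}")
        elif "fixed" in event:
            constraints.append(f"<{event['fixed']}")
        elif "last_affected" in event:
            constraints.append(f"<={event['last_affected']}")
    return constraints


def affected_vers(ecosystem: str, events: List[Dict[str, str]]) -> str:
    """Build a vers string for the affected range; '*' means every version."""
    constraints = events_to_constraints(events)
    scheme = ecosystem.lower()
    if not constraints:
        return f"vers:{scheme}/*"
    return f"vers:{scheme}/" + "|".join(constraints)


def ingest_fixed_individually(
    versions: List[str], is_valid: Callable[[str], bool]
) -> Tuple[List[str], List[str]]:
    """Validate fixed versions one by one: keep the parsable ones, report the rest."""
    kept, skipped = [], []
    for version in versions:
        (kept if is_valid(version) else skipped).append(version)
    return kept, skipped


# Simplified PEP 440 shape check standing in for a real PyPI version parser
# (assumption: epochs, post/dev releases and local segments are not modelled).
_PYPI_LIKE = re.compile(r"^\d+(\.\d+)*((a|b|rc)\d+)?$")


def looks_like_pypi_version(version: str) -> bool:
    return bool(_PYPI_LIKE.match(version))


def parse_affected(osv_affected: List[dict]) -> List[Dict[str, object]]:
    """One entry per OSV range with its package, affected vers and fixed versions."""
    parsed = []
    for affected in osv_affected:
        ecosystem = affected["package"]["ecosystem"]
        for rng in affected["ranges"]:
            events = rng["events"]
            parsed.append(
                {
                    "package": affected["package"]["name"],
                    "affected": affected_vers(ecosystem, events),
                    "fixed": [e["fixed"] for e in events if "fixed" in e],
                }
            )
    return parsed


if __name__ == "__main__":
    for entry in parse_affected(OSV_AFFECTED):
        print(entry)
    # A few entries from the PYSEC-2021-859 list quoted above; only the
    # malformed one is dropped, the others are kept.
    kept, skipped = ingest_fixed_individually(
        ["0.8", "2.0.1rc2-git", "2.0b4", "3.6.4"], looks_like_pypi_version
    )
    print("kept:", kept, "skipped:", skipped)
```

Running the module prints `vers:maven/<7.17.16` for the first range and `vers:maven/>=8.0.0|<8.11.2` for the second, and the per-version filter keeps `0.8`, `2.0b4` and `3.6.4` while reporting `2.0.1rc2-git` as skipped. In a real importer the `is_valid` predicate would be the ecosystem's version class from `univers`, and the skipped entries should be logged with the advisory id so the data loss stays visible.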