refactor: move CVSSv4 test from ghsa to osv package
CVSS_V4 is a standard OSV severity type, not unique to GHSA. Move the test and test data to the osv package where the parsing logic lives.
1 parent f45a37e commit ff51a79


3 files changed

+46
-68
lines changed


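--- a/pkg/vulnsrc/ghsa/ghsa_test.go
+++ b/pkg/vulnsrc/ghsa/ghsa_test.go
@@ -443,62 +443,6 @@ func TestVulnSrc_Update(t *testing.T) {
 },
 Value: map[string]any{},
 },
-// CVSSv4: Werkzeug advisory with both V3 and V4
-{
-Key: []string{
-"data-source",
-"pip::GitHub Security Advisory pip",
-},
-Value: types.DataSource{
-ID: vulnerability.GHSA,
-Name: "GitHub Security Advisory pip",
-URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip",
-},
-},
-{
-Key: []string{
-"advisory-detail",
-"CVE-2026-21860",
-"pip::GitHub Security Advisory pip",
-"werkzeug",
-},
-Value: types.Advisory{
-VendorIDs: []string{
-"GHSA-87hc-h4r5-73f7",
-},
-PatchedVersions: []string{"3.1.5"},
-VulnerableVersions: []string{"<3.1.5"},
-},
-},
-{
-Key: []string{
-"vulnerability-detail",
-"CVE-2026-21860",
-"ghsa",
-},
-Value: types.VulnerabilityDetail{
-Title: "Werkzeug safe_join() allows Windows special device names with compound extensions",
-Description: "Werkzeug's `safe_join` function allows path segments with Windows device names that have file extensions or trailing spaces.",
-References: []string{
-"https://github.com/pallets/werkzeug/security/advisories/GHSA-87hc-h4r5-73f7",
-"https://nvd.nist.gov/vuln/detail/CVE-2026-21860",
-},
-Severity: types.SeverityMedium,
-CvssVectorV3: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
-CvssScoreV3: 5.3,
-CvssVectorV40: "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
-CvssScoreV40: 6.3,
-LastModifiedDate: utils.MustTimeParse("2026-02-02T19:57:31Z"),
-PublishedDate: utils.MustTimeParse("2026-01-08T19:51:21Z"),
-},
-},
-{
-Key: []string{
-"vulnerability-id",
-"CVE-2026-21860",
-},
-Value: map[string]any{},
-},
 // NuGet: store original and lowercased package names
 {
 Key: []string{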

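--- a/pkg/vulnsrc/osv/osv_test.go
+++ b/pkg/vulnsrc/osv/osv_test.go
@@ -101,6 +101,50 @@ func TestVulnSrc_Update(t *testing.T) {
 },
 },
 },
+// CVSSv4: advisory with both V3 and V4
+{
+Key: []string{
+"advisory-detail",
+"CVE-2026-21860",
+"pip::Python Packaging Advisory Database",
+"werkzeug",
+},
+Value: types.Advisory{
+VendorIDs: []string{
+"PYSEC-2026-1",
+},
+PatchedVersions: []string{"3.1.5"},
+VulnerableVersions: []string{"<3.1.5"},
+},
+},
+{
+Key: []string{
+"vulnerability-detail",
+"CVE-2026-21860",
+string(vulnerability.OSV),
+},
+Value: types.VulnerabilityDetail{
+Title: "Werkzeug safe_join() allows Windows special device names with compound extensions",
+Description: "Werkzeug's `safe_join` function allows path segments with Windows device names that have file extensions or trailing spaces.",
+CvssVectorV3: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
+CvssScoreV3: 5.3,
+CvssVectorV40: "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
+CvssScoreV40: 6.3,
+References: []string{
+"https://github.com/pallets/werkzeug/security/advisories/GHSA-87hc-h4r5-73f7",
+"https://nvd.nist.gov/vuln/detail/CVE-2026-21860",
+},
+LastModifiedDate: utils.MustTimeParse("2026-02-02T19:57:31Z"),
+PublishedDate: utils.MustTimeParse("2026-01-08T19:51:21Z"),
+},
+},
+{
+Key: []string{
+"vulnerability-id",
+"CVE-2026-21860",
+},
+Value: map[string]any{},
+},
 },
 noBuckets: [][]string{
 // skip withdrawn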
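Review bot: The only CVSS_V4 case now exercised by the osv package carries both a V3 and a V4 vector, so the parser's handling of a V4-only advisory and of an unparsable `CVSS:4.0/...` string is still untested after the move — the new `vulnerability-detail` expectation pins `CvssVectorV40`/`CvssScoreV40` only for the happy case. Since that computed score presumably feeds the severity consumers see, it is worth adding a second PYSEC fixture whose `severity` array holds only a `CVSS_V4` entry, asserting `CvssVectorV3`/`CvssScoreV3` stay zero, and a third with a malformed V4 vector asserting the intended degradation (empty `CvssVectorV40` and zero score rather than a dropped advisory or a panic — confirm which the parser implements). The new entries also add no `data-source` bucket for `pip::Python Packaging Advisory Database`; if an earlier case in this table already asserts it this is fine, otherwise that registration goes unchecked. The enclosing `TestVulnSrc_Update` starts before the hunk.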

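--- a/pkg/vulnsrc/ghsa/testdata/happy/ghsa/advisories/github-reviewed/2026/01/GHSA-87hc-h4r5-73f7/GHSA-87hc-h4r5-73f7.json
+++ b/pkg/vulnsrc/osv/testdata/happy/vuln-list/osv/python/PYSEC-2026-1.json
@@ -1,6 +1,5 @@
 {
-"schema_version": "1.4.0",
-"id": "GHSA-87hc-h4r5-73f7",
+"id": "PYSEC-2026-1",
 "modified": "2026-02-02T19:57:31Z",
 "published": "2026-01-08T19:51:21Z",
 "aliases": [
@@ -48,14 +47,5 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21860"
 }
-],
-"database_specific": {
-"cwe_ids": [
-"CWE-67"
-],
-"severity": "MODERATE",
-"github_reviewed": true,
-"github_reviewed_at": "2026-01-08T19:51:21Z",
-"nvd_published_at": "2026-01-08T19:15:59Z"
-}
+]
 }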
