Correct a bug with AddPkgInfo commit event assembly (#2280)

andrewpollock · web-flow · commit 27429d73e01e · 2024-06-05T17:59:16.000+10:00
While investigating an unexpected false positive for CVE-2019-14248 it was discovered that commit event ranges were being incorrectly assembled, and all of the events were being inserted into a single element, rather than one per element, i.e. ``` { "ranges": [ { "type": "GIT", "repo": "https://github.com/netwide-assembler/nasm", "events": [ { "introduced": "9a1216a1efa0ccb48e5df97acc763ea3de71e0ce", "last_affected": "74246c499ea4313fb8837977dc0c135fc50567c0" } ] } ] } ``` instead of: ``` { "ranges": [ { "type": "GIT", "repo": "https://github.com/netwide-assembler/nasm", "events": [ { "introduced": "9a1216a1efa0ccb48e5df97acc763ea3de71e0ce", }, { "last_affected": "74246c499ea4313fb8837977dc0c135fc50567c0" } ] } ] } ``` which produced an invalid OSV record.
diff --git a/vulnfeeds/cves/versions.go b/vulnfeeds/cves/versions.go
@@ -150,6 +150,15 @@ func (vi *VersionInfo) HasLastAffectedCommits(repo string) bool {
 	return false
 }
 
+func (vi *VersionInfo) HasLimitCommits(repo string) bool {
+	for _, ac := range vi.AffectedCommits {
+		if strings.EqualFold(ac.Repo, repo) && ac.Limit != "" {
+			return true
+		}
+	}
+	return false
+}
+
 func (vi *VersionInfo) FixedCommits(repo string) (FixedCommits []string) {
 	for _, ac := range vi.AffectedCommits {
 		if strings.EqualFold(ac.Repo, repo) && ac.Fixed != "" {
diff --git a/vulnfeeds/vulns/vulns.go b/vulnfeeds/vulns/vulns.go
@@ -249,14 +249,18 @@ func (v *Vulnerability) AddPkgInfo(pkgInfo PackageInfo) {
 				hasAddedZeroIntroduced[ac.Repo] = true
 			}
 
-			entry.Events = append(entry.Events,
-				Event{
-					Introduced:   ac.Introduced,
-					Fixed:        ac.Fixed,
-					LastAffected: ac.LastAffected,
-					Limit:        ac.Limit,
-				},
-			)
+			if pkgInfo.VersionInfo.HasIntroducedCommits(ac.Repo) {
+				entry.Events = append(entry.Events, Event{Introduced: ac.Introduced})
+			}
+			if pkgInfo.VersionInfo.HasFixedCommits(ac.Repo) {
+				entry.Events = append(entry.Events, Event{Fixed: ac.Fixed})
+			}
+			if pkgInfo.VersionInfo.HasLastAffectedCommits(ac.Repo) {
+				entry.Events = append(entry.Events, Event{LastAffected: ac.LastAffected})
+			}
+			if pkgInfo.VersionInfo.HasLimitCommits(ac.Repo) {
+				entry.Events = append(entry.Events, Event{Limit: ac.Limit})
+			}
 			gitCommitRangesByRepo[ac.Repo] = entry
 		}
 
@@ -274,12 +278,20 @@ func (v *Vulnerability) AddPkgInfo(pkgInfo PackageInfo) {
 		for _, av := range pkgInfo.VersionInfo.AffectedVersions {
 			if av.Introduced != "" {
 				hasIntroduced = true
+				versionRange.Events = append(versionRange.Events, Event{
+					Introduced: av.Introduced,
+				})
+			}
+			if av.Fixed != "" {
+				versionRange.Events = append(versionRange.Events, Event{
+					Fixed: av.Fixed,
+				})
+			}
+			if av.LastAffected != "" {
+				versionRange.Events = append(versionRange.Events, Event{
+					LastAffected: av.LastAffected,
+				})
 			}
-			versionRange.Events = append(versionRange.Events, Event{
-				Introduced:   av.Introduced,
-				Fixed:        av.Fixed,
-				LastAffected: av.LastAffected,
-			})
 		}
 
 		if !hasIntroduced {
diff --git a/vulnfeeds/vulns/vulns_test.go b/vulnfeeds/vulns/vulns_test.go
@@ -192,10 +192,37 @@ func TestAddPkgInfo(t *testing.T) {
 			},
 		},
 	}
-	vuln.AddPkgInfo(testPkgInfoNameEco)
-	vuln.AddPkgInfo(testPkgInfoPURL)
-	vuln.AddPkgInfo(testPkgInfoCommits)
-	vuln.AddPkgInfo(testPkgInfoHybrid)
+	testPkgInfoCommitsMultiple := PackageInfo{
+		VersionInfo: cves.VersionInfo{
+			AffectedCommits: []cves.AffectedCommit{
+				{
+					Introduced: "0xdeadbeef",
+					Fixed:      "dsafwefwfe370a9e65d68d62ef37345597e4100b0e87021dfb",
+					Repo:       "github.com/foo/bar",
+				},
+			},
+		},
+	}
+	testPkgInfoEcoMultiple := PackageInfo{
+		PkgName:   "TestNameWithIntroduced",
+		Ecosystem: "TestEco",
+		VersionInfo: cves.VersionInfo{
+			AffectedVersions: []cves.AffectedVersion{
+				{
+					Introduced: "1.0.0-1",
+					Fixed: "1.2.3-4",
+				},
+			},
+		},
+	}
+	vuln.AddPkgInfo(testPkgInfoNameEco)         // This will end up in vuln.Affected[0]
+	vuln.AddPkgInfo(testPkgInfoPURL)            // This will end up in vuln.Affected[1]
+	vuln.AddPkgInfo(testPkgInfoCommits)         // This will end up in vuln.Affected[2]
+	vuln.AddPkgInfo(testPkgInfoHybrid)          // This will end up in vuln.Affected[3]
+	vuln.AddPkgInfo(testPkgInfoCommitsMultiple) // This will end up in vuln.Affected[4]
+	vuln.AddPkgInfo(testPkgInfoEcoMultiple) 	// This will end up in vuln.Affected[5]
+
+	t.Logf("Resulting vuln: %+v", vuln)
 
 	// testPkgInfoNameEco vvvvvvvvvvvvvvv
 	if vuln.Affected[0].Package.Name != testPkgInfoNameEco.PkgName {
@@ -213,6 +240,10 @@ func TestAddPkgInfo(t *testing.T) {
 	if vuln.Affected[0].Ranges[0].Events[1].Fixed != testPkgInfoNameEco.VersionInfo.AffectedVersions[0].Fixed {
 		t.Errorf("AddPkgInfo has not correctly added ranges fixed.")
 	}
+
+	if vuln.Affected[0].Ranges[0].Events[0].Introduced != "0" {
+		t.Errorf("AddPkgInfo has not correctly added zero introduced commit.")
+	}
 	// testPkgInfoNameEco ^^^^^^^^^^^^^^^
 
 	// testPkgInfoPURL vvvvvvvvvvvvvvv
@@ -251,6 +282,19 @@ func TestAddPkgInfo(t *testing.T) {
 	}
 	// testPkgInfoCommits ^^^^^^^^^^^^^^^
 
+	// testPkgInfoCommitsMultiple vvvvvvvvvvvvv
+	if len(vuln.Affected[4].Ranges[0].Events) != 2 {
+		t.Errorf("AddPkgInfo has not correctly added distinct range events from commits: %+v", vuln.Affected[4].Ranges)
+	}
+	// testPkgInfoCommitsMultiple ^^^^^^^^^^^^^
+
+	// testPkgInfoEcoMultiple vvvvvvvvvvvvv
+	if len(vuln.Affected[5].Ranges[0].Events) != 2 {
+		t.Errorf("AddPkgInfo has not correctly added distinct range events from versions: %+v", vuln.Affected[5].Ranges)
+	}
+	// testPkgInfoEcoMultiple ^^^^^^^^^^^^^
+
+
 	for _, a := range vuln.Affected {
 		perRepoZeroIntroducedCommitHashCount := make(map[string]int)
 		for _, r := range a.Ranges {
